Tenable Patch Management Server Installation
Tenable provides the installation files in a compressed (.zip) file. The compressed file includes three folders: Documentation, Installers, and Tools. The Patch Management installation requires two files from the Installer/Windows folder:
- tenable-patch-server-<version>-windows.exe
- tenable-patch-client-<version>-windows.exe
The <version> placeholder refers to the downloaded version of the executable. All components require local administrator privileges to install.
Verify connectivity
Refer to the Communication and Network Requirements document (TPM server port configuration) and ensure your server can communicate with the required cloud services. For a SQL Server Express Edition installation, your server needs to connect to *.adaptivacdn.cloud to download SQL Express.
Verify user permissions
When using an existing SQL Server installation, the user performing the server installation MUST have sysadmin permissions in the SQL Server that hosts the Adaptiva database. These permissions are only required for the setup and can be reduced after successful installation. You can review the Accounts and Permissions section of the Planning guide for additional information.
Installation Types
Select one of the following options:
Option 1: Quick Install
This is the best option for most environments. Quick Install automatically downloads and configures SQL Server 2022 Express Edition and then installs the TPM server with default options and a self-signed certificate. You also need to pre-create an account used for reporting access on the Adaptiva SQL database.
Option 2: Advanced Install
If you are using an existing SQL Server Standard / Enterprise Edition or need to use a CA-based certificate, then perform an advanced install. This will allow you to customize all server installation settings.
Answer File
If you need to create an Answer File to automate a later new installation, refer to Create Silent Installation Answer File.

The Quick Install option installs the TPM server using default settings and SQL Server Express Edition. Configure your installation settings and add your license key to begin the Tenable Patch Management server installation.
- Right-click tenable-patch-server-<version>-windows.exe, and then select Run as administrator.
- Change the drive letter of the installation folder to a drive other than C.
- Click Browse to navigate to and select the installation folder.
  Caution: Do not install Adaptiva Server on the Operating System (OS) C: drive. The OneSite product log files and the Adaptiva Content Library installed with the Adaptiva Server grow over time, which impacts storage and performance on the OS C: drive. The installer will prompt you to change the destination drive if you continue to install on the boot drive.
- If you continue with installation on the C: drive, you will see a warning dialog. Click Yes to ignore this warning.
- Configure your Superadmin Login ID and Password. You can:
  - Use Custom Login: This option allows you to supply an email address and password to create a server login. The email address is a username and does not need to be a valid email address.
  - Use Windows Login: This option uses either your currently logged-in account or one that you specify. This account is added to the superadmin role.
- Enter your license key. This is required to install Tenable Patch Management.
  The following items are checked by default:
  - Create an Add/Remove Programs Entry: The TPM Server Installer will create an entry for Tenable Patch Management in Settings > Apps.
  - Add a Windows Firewall Exception for Server Application: The TPM Server Installer adds local exceptions in the Windows firewall for the default server ports (see Appendix B: Communication Ports).
    Caution: Review any existing domain-based group policies (GPO) that configure or restrict Windows firewall rules or rule creation, as they can prevent or override these Adaptiva-created firewall exceptions.
- Click Quick Install.
- The wizard downloads and installs SQL Server 2022 Express Edition. SQL Express is installed and configured to use a SQL native reporting account. The TPM server is installed with default options using port 443 and a self-signed certificate for access to the Admin Portal.
- When the installation is completed, click Next.
  The wizard performs a series of Post-Installation Verifications to validate the installation. The installation skips some checks when not integrated with Microsoft Configuration Manager.
- Click Done.
After the installation of the Tenable Patch Management server, you must install the TPM client on this machine as well. Continue with Client Installation on the Server.

The advanced install option will allow you to customize the installation options for Tenable Patch Management (TPM), including using an existing SQL Server instance.
Configure Installation settings
Configure your installation settings and add your license key to begin the TPM server setup process.
- Right-click tenable-patch-server-<version>-windows.exe, and then select Run as administrator.
- Change the drive letter of the installation folder to a drive other than C. Click Browse to navigate to and select the installation folder.
  Caution: Do not install Adaptiva Server on the Operating System (OS) C: drive. The OneSite product log files and the Adaptiva Content Library installed with the Adaptiva Server grow over time, which impacts storage and performance on the OS C: drive. The installer will prompt you to change the destination drive if you continue to install on the boot drive.
- If you continue with installation on the C: drive, you will see a warning dialog. Click Yes to ignore this warning.
- Configure your Superadmin Login ID and Password. You can:
  - Use Custom Login: This option allows you to supply an email address and password to create a server login. The email address is a username and does not need to be a valid email address.
  - Use Windows Login: This option uses either your currently logged-in account or one that you specify. This account is added to the superadmin role.
- Enter your license key. This is required to install Tenable Patch Management.
  The following items are checked by default:
  - Create an Add/Remove Programs Entry: The TPM Server Installer will create an entry for Tenable Patch Management in Settings > Apps.
  - Add a Windows Firewall Exception for Server Application: The TPM Server Installer adds local exceptions in the Windows firewall for the default server ports (see Appendix B: Communication Ports).
    Caution: Review any existing domain-based group policies (GPO) that configure or restrict Windows firewall rules or rule creation, as they can prevent or override these Adaptiva-created firewall exceptions.
- Click Advanced Install.

TLS Security Settings are used to secure the Admin Portal. The Deployment Planning Installation Guide provides details about Certificates.
- Select one of the following TLS security settings:
  - TLS Using A Certificate Authority (CA): use a certificate you exported from a Certificate Authority:
    - Click to select Install A CA-Issued X.509 Certificate.
    - Click Browse and navigate to the location of the exported Certificate PEM File.
    - Click Browse and navigate to the location of the exported Private Key PEM File.
  - TLS Using Self-signed Certificate (default): use a self-signed certificate.
    - Click to select Install A CA-Issued X.509 Certificate.
      Enter the names or IP address associated with the Adaptiva server that will host the Adaptiva Admin Portal. Include any server details for NETBIOS, FQDN, DNS Alias or IP Address. Separate each entry with a comma.
- Set the Web UI Port used by the TPM Admin Portal. This defaults to port 443, but if other services are using that port, we suggest that you use port 9678.
  Note: Be sure to share this port with all TPM Administrators. It is required to access the Admin Portal.
Optional: Configure HTTP Proxy Configuration
- If you are using an HTTP Proxy to route internet traffic, click HTTP Proxy Configuration.
- Select your proxy configuration.
  - Don’t Use an HTTP Proxy: No proxy settings are configured.
  - Prefer User Proxy Configured on the System: The proxy configured locally on the system is used.
  - Use a Proxy Auto-Configuration (PAC) File: Supply the URL to your PAC file.
  - Use an HTTP Proxy Server: Supply the protocol, FQDN/IP of the proxy server, the port configured and a bypass list of semi-colon separated host names or IP addresses.
- Click OK.
  Note: Expected Client Count - The Expected Total Number of Clients is determined by your license. The Memory Data Maximum Buffer Size For Server (In MB) is calculated based on the total number of licensed clients. You do not need to configure these values.
- Click Next.

You can choose to install the SQL database on a new instance of SQL Express or an existing instance on a SQL 2017 or later server.
Option 1: SQL Express Installation
- Select Download And Install Free Microsoft SQL Express And Auto-create Database.
- Click Next.
- At the SQL Express Settings screen, enter where the SQL Server Express installer should be downloaded to and where you want SQL Server Express to be installed.
  - Download Folder: The folder where SQLExpr_x64_ENU.exe is downloaded to.
  - Installation Folder: The folder where SQL Server 2022 Express Edition is installed to. Change the drive letter of the Installation Folder to a drive other than C.
    Note: Tenable recommends that you do not install SQL Server 2022 Express Edition on the C drive. Log files and database files can have high I/O and may cause performance issues if installed on the Operating System drive.
  Once the setup wizard is completed, the installer will download and install SQL Express.
- Click Next.
- Continue with Read-Only SQL Login For Reporting.
Option 2: Existing SQL Server
- Select Create The Adaptiva Database In An Existing SQL Server Instance.
- Click Next.
- You are prompted to confirm that your system meets the SQL Server pre-requisites:
  - Click Continue.
- On the Database Information page, enter your SQL Server information.
  Database Information
  - If the SQL Server Instance is using encryption, select SQL Instance Is Encrypted.
  - If the Default SQL Instance is not used, uncheck the box and enter the SQL Instance name.
  - If the Default SQL Port is not used, uncheck the box and enter the SQL Port.
- SQL Login
  Enter the SQL Server Machine Name FQDN.
  - Select or enter a SQL account.
    - (Recommended) Select Use Adaptiva Server’s Local System Account.
    - If you choose not to use the Local System Account, enter the NETBIOS Domain name, User Name and Password of the account with sysadmin permission in the SQL Server that will host the Adaptiva database.
    - If the account specified is a SQL account, uncheck Use Windows Authentication.
- Click Next.
- If the account specified is different from the login account used for the service SQL Server (MSSQLSERVER | InstanceName), a dialog box prompts you to verify the account used by the SQL Service.
  If the settings are correct, click Yes; otherwise, click No and update the settings.
- At the Windows Authentication Protocol for SQL dialog, select the authentication method used to connect to the SQL database.
  - NTLM v2 is selected by default.
  - If you require additional security, you can select Kerberos (Requires SQL SPN). To support Kerberos authentication, Service Principal Names (SPNs) must be created and delegated properly in Active Directory.
- Click OK.

Provide a SQL login for reporting.
- Enter the account information to be used for reporting:
  - Domain Name: Enter the NETBIOS domain name used for the reporting account.
  - User Name: Enter the account name created for use as the reporting account.
  - Password: Enter the password for the reporting account.
  - Confirm Password: Confirm the password that you entered above.
- Click Next.

- The installation begins.
- When the installation is complete, click Next.
  The wizard performs a series of Post-Installation Verifications to validate the installation. The installation will skip some checks when not integrated with Microsoft Configuration Manager.
  Note: There is a known issue when the Kerberos authentication protocol is selected for the Adaptiva database: The Read-Only Account Write Access Denied reports Failed. This can be ignored.
- Click Done.

- After the Tenable Patch Management Server is installed, the Tenable Patch Management Client must be installed on the server. At the Launch Tenable Patch Management Client Installer dialog, the Client Installer Path is displayed based on the relative path the server component was installed from.
- Click Launch.
- At the Tenable Patch Management Client Installer dialog, complete the following:
  - Client Install Path: Update the path as required. We recommend installing the TPM client in the same parent folder as the TPM Server (<drive>:\Program Files\Tenable\PatchClient).
  - Server Host Name or IP Address: Enter the FQDN or IP Address of the TPM Server.
  - Server GUID: Enter the Server GUID from the Admin Portal, under Settings | Server Activation.
- Click Install.
- When the installation completes, the Client Validation Checks application will confirm the connectivity requirements for the TPM client.
  The Client to Client check is not applicable for a server installation.
- Click OK.
Server Installation Logs
In the case where an administrator needs to troubleshoot an Adaptiva Server installation, the following table contains the installation log locations. Other logs exist in the installation folder.
Function | Log Location and Name |
---|---|
Server Installation Logs | %windir%\AdaptivaSetupLogs\Server\AdaptivaServerSetup.log; <path>:\Adaptiva\AdaptivaServer\logs\Adaptiva*.log |
Client Installation Log | %windir%\AdaptivaSetupLogs\Client\AdaptivaClientSetup.log; <path>:\Adaptiva\AdaptivaClient\logs\*.log |

An answer file can be created to automate the installation of the Tenable Patch Management server. The executable must be run with administrative privileges. The answer file can only be created when the TPM Server has not been previously installed.
- Right-click tenable-patch-server-<version>-windows.exe.
- Select Run as administrator.
- Change the drive letter of the installation folder to a drive other than C.
- Click Browse to navigate to and select the installation folder.
  Note: Do not install Tenable Patch Management Server on the Operating System (OS) C: drive. The Tenable Patch Management product log files and the Tenable Patch Management Content Library installed with the Tenable Patch Management Server grow over time, which impacts storage and performance on the OS C: drive. The installer will prompt you to change the destination drive if you continue to install on the boot drive.
- Configure your Superadmin Login ID and Password. You can:
  - Use Windows Login: This option uses either your currently logged-in account or one that you specify. This account is added to the superadmin role.
  - Use Custom Login: This option allows you to supply an email address and password to create a server login. The email address is a username and does not need to be a valid email address.
- Enter your license key. This is required to install Tenable Patch Management.
- Click Answer File.
- At the Generate Installation Answer File dialog, enter or Browse to the location where you want to create the file.
  The installation screens will proceed as described in the Server Installation section. Each answer is saved in the Answer file. The installation does not install the product. Use the following Server Installation section to learn about each screen during the installation process.
- Click OK.
  The answer file is named AdaptivaAnswerFile.txt in the folder selected.
  When all the prompting screens are complete, the answer file is created.
- Click OK.
The installation process ends.
Note: If passwords were entered for the SuperAdmin ID or Service accounts, these passwords are stored in clear text in the Answer File. Delete or secure the answer file after the installation has been completed.

If you have created an answer file, follow these steps to use the answer file to install the Tenable Patch Management Server.
- Open a Command Prompt as Administrator.
- Navigate to the installation source folder.
- Run the following command:
  tenable-patch-server-<version>-windows.exe -InstallOrUpgrade <path>:\<AnswerFileName>
There is no progress bar during the installation. The installation can be monitored using the Task Manager, monitoring the tenable-patch-server.exe process and by monitoring the log file C:\Windows\AdaptivaSetupLogs\Server\AdaptivaServerSetup.log.
Upon successful installation the tenable-patch-server-<version>-windows.exe process is replaced with AdaptivaServerService and the AdaptivaServerSetup.log shows:
~performSilentServerInstall(): 2C58: Line: 160: Server installation was successful
Note: The server installation normally launches tenable-patch-client-<version>-windows.exe to install the Patch Client. The silent installation does not do this. Be sure to install the Patch Client on the server as well.
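A wrapper for the silent installation above that also acts on the clear-text password note: it restricts the answer file to SYSTEM and Administrators, starts the installer, waits for a new success line in AdaptivaServerSetup.log, and then deletes the answer file. This is an added example, not Tenable or Adaptiva code; the script parameters, the 30-second poll interval and the 60-minute timeout are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Parameter names and timings are assumptions.
param(
    [Parameter(Mandatory)] [string] $Installer,   # tenable-patch-server-<version>-windows.exe
    [Parameter(Mandatory)] [string] $AnswerFile,  # answer file created by the wizard
    [int] $TimeoutMinutes = 60
)
$ErrorActionPreference = 'Stop'

# Log path and success text as given in the documentation above.
$setupLog = Join-Path $env:windir 'AdaptivaSetupLogs\Server\AdaptivaServerSetup.log'
$marker   = 'Server installation was successful'

function Get-SuccessCount {
    # Number of success lines currently in the setup log (0 if the log is absent).
    if (-not (Test-Path -LiteralPath $setupLog)) { return 0 }
    $hits = Select-String -LiteralPath $setupLog -SimpleMatch $marker -ErrorAction SilentlyContinue
    return @($hits).Count
}

# 1. The answer file may hold clear-text passwords: drop inherited ACEs and
#    grant access only to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
& icacls.exe $AnswerFile /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls could not restrict $AnswerFile (exit $LASTEXITCODE)." }

# 2. Remember how many success lines an earlier run left behind, so that only
#    a line written by this run counts.
$baseline = Get-SuccessCount

# 3. Start the silent installation with the documented switch.
Start-Process -FilePath $Installer -ArgumentList '-InstallOrUpgrade', "`"$AnswerFile`""

# 4. There is no progress bar, so poll the setup log until the success line appears.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while ((Get-SuccessCount) -le $baseline) {
    if ((Get-Date) -gt $deadline) {
        # Keep the (ACL-restricted) answer file for troubleshooting and a retry.
        throw "No success line in $setupLog after $TimeoutMinutes minutes."
    }
    Start-Sleep -Seconds 30
}

# 5. Installation succeeded: remove the file that contains the passwords.
Remove-Item -LiteralPath $AnswerFile -Force
Write-Output "Server installed; $AnswerFile deleted."
Write-Warning 'The silent installation does not launch the Patch Client installer. Install the client on this server separately.'
```

If copies of the answer file exist elsewhere (a share, a deployment package, a backup), they hold the same passwords and need the same treatment.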

Add certificate to the root store
If a self-signed certificate was selected, you should import the certificate into the Trusted Root Certification Authorities container on every device where the Tenable Patch Management (TPM) Admin Portal is accessed. Each TPM Administrator who uses the Admin Portal from a remote device needs to import the certificate. Alternatively, the certificate can be deployed using a GPO or Intune policy.
Download and install the certificate:
- In your browser, navigate to your TPM server name with optional :port - https://servername[:port].
  The message Your connection isn't private appears.
- Click the text Not secure next to the Address URL.
- Click Your connection to this site isn't secure.
- Click the certificate icon to view the certificate.
- Select the Details tab.
- Click Export.
- Select a destination (your Downloads folder). Leave the default filename of adaptiva.crt.
- Close your browser.
- In File Explorer, browse to the saved certificate and double-click it.
- Select Install Certificate.
- Select Local Machine (recommended).
- Click Next.
- Select Place all certificates in the following store.
- Click Browse, select Trusted Root Certification Authorities.
- Click OK.
- Click Next.
- Click Finish.
Alternatively:
- The certificate is stored in the registry at hklm\SOFTWARE\Adaptiva\server\certificates.cloudui_public_cert.
- The data can be saved into a UTF-8 formatted text file with a .crt extension.
- Run the following command:
  Certutil.exe -addstore root "<path>\adaptiva.crt"
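Adding a self-signed certificate to Trusted Root Certification Authorities makes the machine trust whatever key the file contains, so it is worth comparing the exported file against a fingerprint read on the TPM server before importing it. The following PowerShell is an added example, not part of the vendor procedure; the parameter names and the way the expected SHA-256 fingerprint is obtained are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): check adaptiva.crt before trusting it as a root.
param(
    [Parameter(Mandatory)] [string] $CertPath,       # the exported adaptiva.crt
    [Parameter(Mandatory)] [string] $ExpectedSha256  # assumption: read on the TPM server itself
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# SHA-256 over the DER encoding, so PEM and DER exports give the same fingerprint.
$sha = [System.Security.Cryptography.SHA256]::Create()
try     { $actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
finally { $sha.Dispose() }

# Accept the expected value with or without separators (AA:BB:..., "AA BB ...").
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64) { throw 'ExpectedSha256 must contain 64 hex digits.' }
if ($actual -ne $expected) {
    throw "Fingerprint mismatch. File: $actual Expected: $expected. Certificate not imported."
}

# The procedure above is for a self-signed certificate; refuse anything else.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed (issuer: $($cert.Issuer)). Certificate not imported."
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# A root-store entry marked CA=true can vouch for other certificates; surface that.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning 'Basic Constraints CA=true: the matching private key on the server can sign other certificates this machine will trust.'
}

Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Write-Output "Imported $($cert.Subject) [$actual] into LocalMachine\Root"
```

The same fingerprint check applies before the certificate is distributed with a GPO or Intune policy.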
Test the certificate:
- In your browser, enter the TPM server name with optional :port. For example: https://adaptivaservername[:port]
  The Tenable Patch Management Login Page appears with a lock icon next to the URL in your browser.