Upgrade Tenable Patch Clients Using Automatic Deployments
Tenable Patch clients on version 9.3 or later automatically upgrade to the matching version deployed on their Tenable Patch server. Whenever you upgrade your Tenable Patch server, devices begin upgrading to the new Tenable Patch client version in waves. The Client Upgrade settings in the Tenable Patch Admin Portal control the configuration of client upgrades in your organization.
Clients are upgraded across four deployment waves, each wave targeting a group of devices. The default upgrade settings will stagger deployment waves every seven days with a deployment window of seven days for each wave, completing after 35 days.
You can customize the device groups and timing of each wave in the Admin Portal, under Client Upgrade Settings.
Wave deployment groups
The default deployment groups for each wave will select a percentage of the devices in your organization and map those to a deployment wave.
Clients are selected for membership in each group randomly. A client's membership in these default groups cannot be modified, but you can remove the default groups from the deployment waves and replace them with groups you have configured.
Planning deployment groups
You can select your own device groups to customize the deployment of client upgrades. For example, you can target pre-production devices in Wave 1 for testing. You can then configure the remaining waves to deploy to production after your initial testing. You can also pause deployments if you discover unwanted client behavior after an upgrade.
Configure client upgrade settings
In the Tenable Patch Admin Portal, in the upper-right corner, click the gear icon | Settings | Client Upgrade.
Client Upgrade is enabled by default. You will see the default waves configured and reporting dashboards displaying deployment progress.
Each deployment wave is displayed with a deployment status, scheduled start time and deployment progress.
Deployment Status – the overall status of the deployment wave: Completed, In Progress, or Not Scheduled.
Scheduled Start Time – the start time of wave 1 is based on the time of the server upgrade plus the Time to Wait value. Subsequent waves begin to deploy based on the previous wave’s start time plus the Time to Wait value.
Deployment Progress – number and percentage of clients that have successfully upgraded.
Create a custom deployment schedule
You can configure a custom deployment schedule by selecting the Deploy in a schedule wave radio button under Deployment Schedule. You can configure both the Time to Wait and Load Leveling Window times to customize your deployment for clients across waves.
Time to Wait – determines the time until the wave begins deployment, from the start of the previous wave.
Load Leveling Window – determines the duration of the upgrade, distributing clients in the targeted group across this time window.
You can configure the start time of each wave by setting a Time to Wait. You configure the deployment window for all clients in that wave by setting a Load Leveling Window. The default for both settings is seven days, but you can set them as low as one hour.
After configuring the Deployment Schedule, click Save.
You can start the deployment of a wave by selecting the Deploy immediately radio button. This will ignore the Time to Wait and Load Leveling Window values and upgrade all clients in the wave immediately.
Select custom deployment groups
You can select custom deployment groups to align client upgrades to your organizational structure. For example, you can target clients in a lab environment for faster deployment in wave 1.
To configure custom groups for your deployment, perform the following:
- On a wave card, click Configure Groups to select a custom deployment group.
- In the Select Group pane, under Target Groups, click Browse and select one or more groups. Click OK.
- Click the Affected Devices tab to show the devices targeted by the selected groups.
- Click Set to confirm your selection.
- On the Client Upgrade Settings page, click Save.
Monitor deployment progress
You can monitor the deployment progress of your devices using the built-in dashboards on the Client Upgrade Settings page.
In the Devices by Version panel, you can view the client versions of all devices reporting to the Tenable Patch server. When you select a section of the donut chart, it filters the All Devices Table to your selection. You can use this report to evaluate devices not upgraded to the latest version and diagnose any blockers to your upgrade rollout.
In the Deployment Progress by Wave panel, you can view the deployment progress for each wave. When you select a section of the bar chart, it filters the All Devices Table to show the devices in that deployment wave.
Pause client upgrade
You can pause the automatic rollout of the Tenable Patch client by clicking the Pause Deployment button and then clicking Save.
When you pause the client upgrade, all deployments immediately stop. The pause time and date will display to the left of the button. The button will update to Resume Deployment.
Once you resume automatic upgrades, each deployment wave will resume based on the initial scheduled execution time. For example, if each wave is scheduled to start every five days, and the deployment is then paused for one month, all waves will immediately start upgrading.
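The scheduling rules described above (wave 1 starts at the server upgrade time plus Time to Wait, each later wave starts at the previous wave's start plus Time to Wait, and a pause does not shift those times) can be worked through before you save a schedule. The following is an added example, not Tenable code: the function names and the sample date are hypothetical, and it assumes the same Time to Wait and Load Leveling Window for every wave and that a wave's window ends at its start plus the Load Leveling Window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Wave:
    number: int
    start: datetime       # scheduled start time
    window_end: datetime  # start + Load Leveling Window (assumed)


def plan_waves(server_upgrade, time_to_wait, load_leveling, wave_count=4):
    """Wave 1 starts at server upgrade + Time to Wait; every later wave
    starts at the previous wave's start + Time to Wait."""
    if time_to_wait < timedelta(hours=1) or load_leveling < timedelta(hours=1):
        raise ValueError("minimum configurable value is one hour")
    waves, start = [], server_upgrade
    for number in range(1, wave_count + 1):
        start = start + time_to_wait
        waves.append(Wave(number, start, start + load_leveling))
    return waves


def waves_released_on_resume(waves, paused_at, resumed_at):
    """Waves whose scheduled start fell inside the pause. Scheduled times
    are not shifted by a pause, so these all begin at resumed_at."""
    return [w.number for w in waves if paused_at <= w.start <= resumed_at]


if __name__ == "__main__":
    upgraded = datetime(2025, 1, 1, 9, 0)  # constructed server upgrade time
    for w in plan_waves(upgraded, timedelta(days=7), timedelta(days=7)):
        print(f"wave {w.number}: {w.start:%Y-%m-%d %H:%M} -> {w.window_end:%Y-%m-%d %H:%M}")
    # The page's example: waves every five days, paused for one month.
    plan = plan_waves(upgraded, timedelta(days=5), timedelta(days=7))
    print(waves_released_on_resume(plan, upgraded, upgraded + timedelta(days=30)))
```

Running the pause check before you click Resume Deployment shows how many waves will begin at once, which helps you decide whether to adjust the schedule first.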
Troubleshoot deployment issues
In the Devices by Version panel, select the devices reporting an older version to filter the All Devices Table.
You can then investigate the state of each device in Assets | Devices.
Additional Considerations
The Client Upgrade feature is only applicable to clients on version 9.3 or later. To upgrade older client versions, do the following:
Upgrade legacy clients to use the Client Upgrade feature
The Client Upgrade feature only supports Tenable Patch client version 9.3 or higher. If you have devices using Tenable Patch client versions 9.2, 9.1, or earlier, you need to upgrade the Tenable Patch client to 9.3 by using the Legacy Client Upgrade (Windows) feature. See Legacy Client Upgrade (Windows) for specific instructions.
Because the Legacy Client Upgrade (Windows) feature only supports Windows devices, any Linux or macOS devices need to be upgraded manually or through an unattended installation using a software distribution tool. See Client Installation for specific instructions.
Once you have upgraded all devices to the 9.3 Tenable Patch client, you can disable the Legacy Client Upgrade (Windows) feature. This will allow you to use the automatic Client Upgrade feature moving forward.