Blocklists

The difference between a patch exception and the blocklist is the scope. Patch exceptions apply granularly to business units. The blocklist is global.

As with patch exceptions, a common workflow is to add a patch to the blocklist to prevent the risk of downtime, request a risk acceptance, and then accept the risk in Tenable Vulnerability Management or Tenable Security Center after the appropriate executive signs off on the risk acceptance.

By default, several updates are prepopulated on the blocklist. Windows 11 upgrades are on the list to prevent Windows 10 systems from upgrading automatically. Tenable’s OEM partner also occasionally blocklists updates that it has learned to be problematic. If you see fairly new updates in Tenable Vulnerability Management or Tenable Security Center that aren’t being installed, look in Tenable Patch Management to see if those updates are on the blocklist.

To add an update to the blocklist:

  1. Navigate to Flex Controls > Blocklisting > Blocklisted Patches from the menu on the left.

  2. Click New.

  3. Select the patch you want to prevent from deploying.