Tenable Patch Management 2026 Release Notes

• Unified & Modern: Experience a single, modernized SKU that combines simplicity with depth.

• Streamlined Onboarding: A new 6-step, wizard-based setup covers 80% of customer use cases, significantly reducing configuration time and learning curve.

• Focus on What Matters: Day-to-day operations are now uncluttered. Complex, high-specificity controls (the remaining 20%) are consolidated under Advanced Settings, ensuring power is available without distraction.

• Performance Boost: Both Server and Client engines have been updated to Java 25, resulting in reduced memory usage and improved stability.

A Reimagined User Experience

The user interface has been redesigned to surface metrics that matter most to your daily operations.

• New Dashboards: Replaced Patching Analytics with dedicated Home and Deployments dashboards for better visibility into ongoing rollouts.

• Simplified Navigation: The sidebar now prioritizes day-to-day actions, moving complex configurations out of direct view.

• Smart Interactions: Context menus now feature "smart hover" to prevent accidental closing during navigation.

Streamlined Patching Strategies

Creating deployment plans is now faster and more intuitive.

• Direct Definition: Define deployment steps directly within your Strategy, eliminating the need to configure multiple prerequisite objects beforehand.

• Legacy Support: Existing strategies remain functional as "Legacy Strategies" to ensure no disruption during your transition.

Client-Side Innovations

• User Experience: You can now notify users upon deployment success/failure or alert them if interfering applications are blocking updates.

• Power Management: Windows clients are now prevented from sleeping during active patch deployments.

• Interference Handling: The client can now check for and immediately terminate interfering processes before installation.

Expanded Security & Control

• Granular RBAC: TPM v10 has introduced new built-in roles, including Branch Office Administrator, Architect, and Operator. You can now also author custom roles for precise access control.

• Scoped Access: The Branch Administrator role allows scoped access to specific locations (e.g., branch offices, labs) or read-only access for audits.

• Process Automation: Added wave-based patching processes with configurable gates and approvals.

Navigation Changes (v9 to v10)

To simplify operations, we have reorganized key features.

For a full details on the navigation and user interface changes, refer to the What's New page.

• SaaS Customers: You Saas Tenant console (server) has been automatically upgraded to the new user interface on January 22, 2026 so that you can have immediate access to v10 features. For clients, please follow the instructions here to upgrade your clients to v10. For SaaS customers with Express licenses, you can either contact us for a Zero-Dollar Exchange Order today to move to the new single SKU model, or your subscription transitions to the new single SKU model at your next renewal.

• On-Premise Customers: Customers on Express SKUs may remain on them, but renewals will transition to the single SKU. While you may remain on v9.3, Tenable highly recommends upgrading to enjoy the most powerful and intuitive version of TPM to date. Contact Tenable for a Zero-Dollar Exchange Order to unlock v10 features today.

Server & Architecture

• Java 25: Replaced Java 17 with Java 25 (Zulu 25.0.1) for superior performance.

• Security: Added elliptic curve signing keys for OIDC providers and updated Tomcat ciphers to remove weak options.

• Cloud Storage: Added validation when content publication settings are enabled for cloud storage.

• Fixes: Resolved synchronization issues with Byte Level P2P content and fixed SQL Server Kerberos authentication failures.

Client Performance

• Concurrency: Scans and feed consumption can now execute concurrently if metadata does not conflict.

• Resource Usage: Configured core pool threads to terminate when idle and reduced non-heap memory usage.

• Fixes: Addressed high CPU usage during feed retries and fixed deadlock issues between patch prestaging and policy updates.

Quality Fixes

• Reporting: Fixed issues where assets without agents had vulnerabilities hidden from dashboards.

• Workflows: Resolved infinite spinning in Workflow Designer search and fixed text box visual cut-offs.

• Localization: Improved localization for dates and numbers.

New Features

• Cloud Storage: Added cloud storage validation when content publication settings are enabled for cloud storage.

• Security: Added elliptic curve signing keys for OIDC providers.

• Business Units:

  • Added new Business Units and feed subscription for Oracle Linux.

  • Added phased deployments (1%, 5%, 10%, quarters, and all devices).

  • Allowed Business Units to target Customized Products.

• Maintenance Windows:

  • Added capped maintenance windows.

  • Added product-specific maintenance windows (see Customized Products).

• RBAC: Added new roles for Tenable Patch On-Prem: Patch Super Administrator, Architect, Operator, Reviewer, and Branch Administrator.

  • The Branch Administrator role can be assigned to individual Business Units.

  • New permissions added for all Flex Controls to support RBAC.

• Dashboards: Added patching rollout state dashboard, enabling visibility into approved patches and ongoing deployments.

• Integrations: Added vulnerability management integration folders for Patch Deployment Bots.

• Process Automation: Added multiple wave-based patching processes, with configurable values for wave gates, approvals, and other common activities.

• Workflows: Added LaunchFormPropertyBag start node property to new business workflows.

Improvements

• Changed client auto upgrade schedules to use server time zone.

• Updated tomcat ciphers to remove weak ciphers from being used.

• Updated Hibernate from 3.5.6 to 5.6.15.

• Removed default read permission on Customized Product objects for All Admins.

• Converted all Rollback objects into Rollback To Version objects with no target patch specified.

Bug Fixes

• Fixed synchronization issue where content published as Byte Level P2P could have its associated metadata inconsistent with the structure and offsets of its underlying block files, causing clients to request blobs that do not exist.

• Fixed CommandShellNode to correctly capture exit status of processes.

• Fixed issue where membership updates of Falcon host group scopes would not trigger membership evaluation of the corresponding Business Unit.

• Fixed performance issue when making non-membership related changes to Business Units.

• Fixed an issue where cycle updates when viewing cycles tables would log errors about a null username.

• Fixed override automatic import folder option not actually overriding import folder.

• Fixed issue where SQL Server authentication using Kerberos would fail due to the port erroneously being set to 0.

• Fixed branding in OIDC invite and password reset emails on Tenable servers.

• Fixed [patch].[dp_product product_status] so that the population of product status grids is faster.

• Fixed an issue where the server would stop polling cloud relay for messages.

• Fixed issue where products were occasionally duplicated in patching strategies.

• Fixed issue where the expression on SensorActionExecutionPolicy was limited to 255 characters.

• Fixed an issue in SensorGroupScope manager where a group unregistering for a column could cause the whole group or the whole sensor to lose registration.

• Fixed an issue with TSC integration where assets without an agent had vulnerabilities hidden from Tenable dashboards.

• Fixed issue with search functionality in Workflow Designer infinitely spinning.

New Features

• Updates: Added new Client Setting, WU Allow Access, to enable manual windows updates.

• Maintenance: Added capability to set a limit on the max number of missed maintenance windows before a forced install is performed.

• User Interaction:

  • Added ability in User Interaction Settings to notify the user when a deployment succeeds or fails.

  • Added ability in User Interaction Settings to notify the user when interfering apps are running that prevent patch deployment.

• Reporting: Added reporting of the primary user on Linux and macOS clients.

• Power Management: Added functionality that prevents Windows clients from going to sleep during patch deployments or action executions.

Improvements

• Concurrency: Changed patching client locking behavior so that scans and feed consumption may execute concurrently if the metadata operated on is not conflicting.

• Performance:

  • Configured core pool threads to terminate when idle.

  • Client VM configuration changes to reduce non-heap memory.

  • Updated H2 to 2.2.224.

• Process Management: Check for and terminate interfering processes immediately before software installation.

• Deprecated: The Tenable client on 32-bit operating systems is no longer supported.

Bug Fixes

• Fixed an issue where a maintenance window's dynamic detection workflow would reset when the client service restarted.

• Fixed error when running TenableClientInfo sensor on Mac and Linux clients.

• Fixed issue where byte range transfer would not start if the sender has partial data.

• Fixed an issue where byte range download may not resolve from peer clients for a long time and will timeout.

• Fixed a high CPU usage issue that can occur when feeds need to be retried; limited and made configurable the number of threads used during feed reprocessing.

• Fixed issue between patch prestaging runner and patching policy update that could cause a deadlock.

• Fixed an issue where the client would not trigger reboot until the deployment maintenance window opens.

• Fixed an issue where RDP logout would be blocked by the Windows System Event Notification Service.

• Fixed pre-caching of content files when there is an active content download session by skipping the file.

• Fixed an issue where client's restarting while running a sensor would cause the client and server to get out of sync with respect to the sensor data.

• Fixed an issue where the client would stop polling cloud relay for messages.

• Fixed an issue where client upgrade can fail for Patch if the client has not yet received the risk assessment configuration policy object.

• Fixed a race condition in SensorOfflineCache, where collection of sensor deltas could mark a sensor as reset.

New Features

• Patching Strategies:

  • Added a new and improved, streamlined experience for authoring Patching Strategies.

  • Eliminated the need to configure several prerequisite objects before creating a Strategy.

  • Define your Deployment Plan as a sequence of "steps" directly within your Strategy.

  • The old Patching Strategy paradigm has not yet been removed, and users may still create and manage them as Legacy Strategies.

• Dashboards:

  • Added a new Deployments Dashboard to provide improved visibility into both in-progress and upcoming patch deployments.

  • Added toggle to Tenable dashboards to switch view between Tenable CVE detections with applicable patches and all Tenable detections.

  • Added "smart hover" functionality to context menus to prevent unexpected menu closing as users navigate their cursor to nested menus.

  • Added automatic updates to Patching dashboards when data has changed.

  • Added filtering support to the "Device Activity" timeline on the per-device patching state dashboard.

• Customization:

  • Added ability to specify interfering process handlers on a customized Software Product.

  • Added ability to set a Scan Schedule for a customized product.

  • Added to Approvals the number of pending patch approvals for the logged-in Administrator.

• Scripting: Added new JavaScript APIs (adaptiva.sandbox.context) for persisting in-memory context for user scripting in Web Forms, User Dashboards, etc.

Improvements

• Homepage: Redesigned the homepage of Tenable Patch to surface metrics and actions more useful for day-to-day operations, provide more comprehensive data drill-down, and facilitate more intuitive feature discovery.

• Sidebar: Reorganized the feature sidebar for Tenable Patch to display day-to-day actions and move advanced settings out of direct view.

• Approvals: Approval Requests has been renamed to Approvals.

• Charts: Updated Chart user interface when displaying empty data and errors; charts now display a button when errors are present that allows users to drill into a separate view to read error messages.

• Settings:

  • Moved Time to Wait and Load Leveling Window inputs into "Advanced Settings" for Client Upgrade Settings.

  • Renamed Event Notifications in Settings to SMTP Settings.

  • Split deployment notification settings into starting and completed notifications.

• Removed: Removed the user interface for selecting Active Directory groups for Role membership in Cloud Tenant context.

Bug Fixes

• Fixed Sandbox script execution performance by caching Sandbox tasks.

• Fixed an issue where the Client Settings Policy editor user interface would remove entries that had not been edited.

• Fixed an issue where the error icon in Form and Object Builder labels would become misaligned with longer labels.

• Fixed Licensing Alerter Form password field to be a password input.

• Fixed an issue where scrolling a lengthy signpost dialog would close the dialog instead of scrolling the content.

• Fixed an issue where users were unable to select the Workflow Activity class in various contexts without having first navigated to the Workflow Designer.

• Fixed an issue where property customizers using text boxes were visually cut off in the Workflow Designer.

• Fixed localization for dates and numbers.