Tenable Patch Management 2026 Release Notes

• Linux ARM Support: The Tenable Patch Management client is now fully supported on Linux ARM architectures.

• Expanded OS Coverage: Support has been added for modern Amazon Linux (AL2023), Fedora versions (42 and 43), OpenSUSE (15.6 and 16.0), and various SUSE Enterprise Linux variants.

• Automated Hardware Updates: This release enables extremely fast scanning and patching for BIOS and drivers from major vendors including Dell, Lenovo, and HP.

• Optimized System Performance: By moving applicable threads to Java 25 virtual threads, the system significantly lowers memory usage and improves overall performance for both servers and clients.

• Critical Security Updates: This update includes security hardening via OpenSSL 3.6.1, Log4j 2.25.3, and a fix for CVE 2025-53864 regarding Microsoft Graph dependencies.

• Editor Reliability: Resolved systemic issues where Patch Filter conditions (such as VPR) and previews were failing to return valid results.

• Deployment Stability: Fixed critical failures in Windows Update deployments when the pre-staging option was enabled.

• ARM Architecture: Linux ARM support

  • Agent Support: Tenable Patch Management client is now supported on Linux ARM

• OS Expansion: More Linux variants supported

  • Amazon Linux: Amazon Linux 2023

  • OpenSUSE: OpenSUSE 15.6 and 16.0

  • SLES 15: SUSE Linux Enterprise Server 15 SP 7

  • SLES 16: SUSE Linux Enterprise Server 16 (SLES 16)

  • SLED 15: SUSE Linux Enterprise Desktop 15 SP 7

  • Fedora 42: Fedora Linux 42

  • Fedora 43: Fedora Linux 43

• Hardware Support: BIOS and Driver Updates

  • Fast Patching: Extremely fast scanning and patching for BIOS and drivers from Dell, Lenovo, and HP

• Bug fixes to known UI/UX Issues (see the following changelog for details).

New Features

• Workflow Forms: Added UpdateServerSetting workflow now takes a Web Form and has preconfigured system config properties available to change.

• Email Transparency: Added list of patches to approval request notification emails.

• Disk Sensors: Added new cross platform disk drives sensor.

• BU Endpoints: Added a new endpoint to retrieve a filtered set of business unit children.

• Enhanced Telemetry: Added sensor for Linux and macOS that can return:

  • User Identification: Usernames

  • Login History: Last Login timestamp

  • Activity Tracking: Logged in status

• Dashboard Speed: Added separate timer task for executing materialization of views for Patching rollout dashboard.

• Configurable Timings: Task timings are configurable from system configs with prefix: patching.rollout_sql_maintenance_.

• Interval Controls: Added a new max_interval system config setting for Patch Rollup and Patch Rollout Dashboard SQL maintenance tasks.

• UX Improvements: Added user-friendly error messages for validation errors resulting from modifications to Intent Schema objects.

• Strategy Security: Added validations to prevent DeploymentWaves, PatchDeploymentBot, and ApprovalChain objects created from simple strategies from being referenced by anything other than the simple strategy system.

• SMTP Port: Added optional input field SmtpPort to the SMTPMail Workflow Activity.

• Feed Performance: Added persistent state to speed up Tenable plugin feed updates consumption time.

• Request Maintenance: Added component to clean up approval requests created from deleted intent schema objects, and delete old approval requests based on patching.approval_request_purging_days config.

• Reminder Frequency: Added minimum duration enforcement of eight hours for approval request reminder notifications.

• Upgrade Resilience: Added upgrade handling so invalid deployed workflows get their data cleared instead of failing upgrade.

Improvements

• Automatic Purging: Enable Sensor Offline Cache purging deleted data by default and set the age of purged data to 365 days.

• Settings Retention: If the purge settings were previously changed, they will not be updated.

• Overlay Expansion: Changed the Patching Overlay to include Compliant Clients without having to expand the content.

• Battery Sensor: Changed battery sensor with new fields and cross-platform capabilities. This replaces the WMI battery sensor.

• Chassis Sensor: Changed chassis type sensor with new fields and cross-platform capabilities. This replaces the WMI chassis type sensor.

• AD Safety: Changed functionality around query for Active Directory group membership to be read-only and will no longer inadvertently create Administrator objects.

• Compliance Labels: Changed Success and Partial Success labels to Compliant and Partially Compliant in cycle deployment status charts and tables.

• Column Cleanup: Changed the Active column to be hidden from the Devices Desired State Summary dashboard.

• Distro Presentation: Changed the database to display Linux distro names as they are officially presented.

• Property Uniqueness: Changed the field NAME in CustomMetadataProperties so it was unique, and added a migration to update existing non-unique entries.

• Maintenance Defaults: Changed defaults for Patch SQL maintenance task delays (Rollup and Rollout Dashboard maintenance). Defaults are as follows: BaseInterval=3min, ClientInterval=1min, ClientScale=2500, MaxInterval=15min.

• Linear Scaling: Delays also now scale linearly based on the # of clients (e.g., 1250 clients adds 30sec to the delay).

• Readable Folders: Changed message for deleting folders that contain built-in objects more human readable.

• Readable Duplicates: Changed message for duplicate name detected upon new item saving more human readable.

• Service Stability: Changed TenablePatchServer service after running Setup to not be disabled if HTTP connection validation fails.

• S3 Library: Changed the s3 library to 2.41.1.

• Selenium Library: Changed Selenium library to 4.39.0.

• Log Reduction: Changed unnecessary logging at the INFO level that can appear in Patching.log when starting a Patching Cycle.

Bug Fixes

• Pre-staging Bug: Fixed a critical issue where Windows Update deployments would fail to start if the "pre-staging" option was enabled.

• Table Accuracy: Fixed issue where Deployment Status Summary Last 30 Days table would only show successful deployment results.

• Uninstallation Logic: Fixed issue where feed uninstallation was blocked due to existing exceptions for metadata being deleted.

• Metric Drift: Fixed issue where count of cycles from deployment dashboard Patches Installed Last X Days overlay would mismatch drilldown table count due to missing desired state property filtering.

• CVE Alignment: Fixed mismatched drilldown counts for path Tenable Overview > Patch Remediations > Detected CVE Count > Remediation Patches.

• Superuser Fix: Fixed server upgrade failure case involving ApprovalChains when the superuser password is changed during setup.

• Patch Removal: Fixed issue of Patching Process Cycle creation failure when a patch was removed from the metadata feed.

• Client Calculation: Fixed incorrect applicable clients count in approval request per-approval context UI for Rollback and Uninstall desired states.

• Sort Logic: Fixed issue where POJOSupporter and PatchApprovalsSupporter did not sort string values alphabetically.

• Upgrade Fix: Fixed Patch upgrade failure case involving PerUserApprovalStateSqlView.

• Startup Stability: Fixed issue causing a race condition impacting server startup when Blocklisted Patch is deleted causing metadata deletion.

• Legacy BU Fix: Fixed issue with upgrades from pre-10.0.971 that might fail if Business Units existed with specific duplicate names.

• Renaming Protocol: Now, after upgrade, Business Units with duplicate names will be renamed to create a new unique constraint on Business Unit names.

• Object Use: Fixed issue where simple strategy-generated intent objects cloned through Save As could not be used in Advanced intent objects.

• Cycle Termination: Fixed issue when in-progress cycles have no more approvals. Cycles will now be terminated.

• Support Links: Fixed issue where User Dashboard Subscription emails have a default support link that is invalid due to a trailing &#10.

• Deadlock Fix: Fixed issue where server could deadlock when Deployment Waves are being modified while Patch Approvals are loaded in the UI.

• Wave Persistence: Fixed issue where DeploymentWaves would lose wave entry if set to child inclusion behavior that does not include the wave entry's target Business Unit.

• Wave Saving: Fixed validation process for DeploymentWaves to avoid saving when a wave has no wave entries.

• Dashboard Mismatch: Fixed mismatch between deployments dashboard cycle metrics patches installed in last X days count and its drilldown.

• Strategy History: Fixed issue where disabling a Simplified Patching Strategy would inadvertently remove associated Patching Cycles from history.

• Setup Stability: Fixed OBEX import errors during setup, including numerous assertion errors that filled up error logs during setup.

• Save Obstacles: Fixed issue where name collisions between PatchingExceptions and RollbackTo objects would block object save.

• Sync Logic: Fixed users or host group sync happening when data sync is disabled.

• Search Errors: Fixed Hibernate runtime errors when using MappedProperty to search tables.

• Patch Counts: Fixed miss-matched installed patches count.

• License Stability: Fixed issue where products may not disable if license expires while server is offline.

• Memory Pipeline: Fixed error opening Memory Pipeline with a newly-created, unpublished Tenable Patch Management Package.

• Pause State: Fixed issue where cycles, products, and patches were not being automatically cleaned from patch pause state on deletion.

• Table Rows: Fixed issue when sorting object tables by a mapped property would inadvertently reduce the number of rows in the object table.

• Log Privacy: Fixed issue where passwords from Web Forms were being logged in workflow logs.

• VM Bot Fix: Fixed issue where _ExploitExists, _ExploitDoesNotExist, and _Detected Patch Enterprise VM bots would return no desired state for their approvals.

• SaaS Upgrade: Fixed issue where Patching Strategies for Patch Express would become disabled after upgrade on SaaS.

• Pagination Fix: Fixed pagination error logs related to patching Home Page dashboard.

• Preview Logic: Fixed runtime errors when using the Any operator in Preview Targeted Patches.

• Exclusion Logic: Fixed issue where Preview Targeted Patches with certain products excluded would still show patches belonging to the excluded products.

• Dashboard Filters: Fixed issue where Patches Consumed count would change in Patches dashboard when BU filters are applied.

• BU Cleanup: Fixed removal of paused status when BU is deleted.

• Policy Content: Fixed issue causing Rollbacks to be omitted from Patching Policies.

• View Maintenance: Fixed SQL performance issues when maintaining views for deployments and cycle dashboards.

• Build 968 Fix: Fixed failure when servers upgrade from build versions before 968 where a legacy Data Provider exists without the propertyValidationClass column being set.

• Strategy Naming: Fixed errors from simple strategy approval requests when simple strategies have a " in their name.

• Runtime Stability: Fixed non-descriptive runtime errors occurring when Business Units are deleted when referencing a SimplifiedPatching Strategy.

• SMTP Port Fix: Fixed issue with the SMTPMail Workflow Activity which caused port 587 to be used even when it was not asked for.

• Wave Persistence: Fixed issue when enabling an Advanced Patching Strategy would fail if its Deployment Waves contained deleted Business Units.

• Excel Accuracy: Fixed issue with exports to .xlsx (Excel) for certain dashboards would fail to export all widgets selected for export.

• Strategy Control: Fixed issue that prevented being able to start and pause from the Strategy Operations dashboard.

• Approval Removal: Fixed issue where approvals for cycles deleted from strategy patching process changes are not removed from clients.

• Remediation Count: Fixed issue where Tenable overview dashboard CVEs table Remediation Patches drilldown would mismatch the top-level count.

• Constraint Error: Fixed issue where multiple calls to tenable.dp_overview_detected_cves in quick succession would result in a pk_constraint_violation.

• Unlicensing Fix: Fixed issue where unlicensing Tenable Patch Enterprise would fail when a user-created Patching Exceptions object existed.

• Local Roles: Fixed issue where users removed via the Falcon Portal were not removed from their respective Tenable Patch Management roles on update.

• Patch Duplicates: Fixed issue where duplicate blocked patch names were previously created impacting upgrades.

• Name Validation: Fixed issue allowing blocked patch names to be saved with the same name.

• OBEX Import: Fixed OBEX import failure case involving shallow-exported User Dashboard OBEXes.

• Summary Logic: Fixed issue where the list of Business Units aggregated by Deployment Waves under cycle summaries may be truncated.

• Runtime Sync: Fixed issue with Business Unit removals from Deployment Waves not being reflected in an existing Patching Strategy's Deployment Bot Runtimes.

• Export Fix: Fixed issue where Workflow Actions would export without the associated Workflow.

• Provider Logic: Fixed issue that caused Workflow Data Providers to fail to execute.

• Workflow Sensors: Fixed issue where Workflow Sensors would export without the associated Workflow.

• Dataset Restore: Fixed dataset queries to restore support for WorkspaceONE dashboards.

• WSUS Fix: Fixes issue where WSUS patch content prestage requests are added to patching policy with surrounding " characters.

• Connector Logic: Fixed issue with GP setup component to make it dependent on ConfigMgr connector component.

• Status Accuracy: Fixed issue with counts not being correct in the Device Status tables.

• Persistence Bug: Fixed incremental transaction log database persistence table creation bug.

• Object Manager: Fixed issue where recompute of VM metadata properties could deadlock with object manager.

• SaaS SQL: Fixed Postgres SQL syntax error for Falcon Business Unit Group Scope (SaaS only).

• Deadlock Logic: Fixes deadlock between OM and OOM from metadata object and intent schema history manager operations.

Removed

• BU Cleanup: Removed SUSE Desktop 15.7 BU and renamed other SUSE enterprise BUs.

• Bot Migration: Built-in Patch Deployment Bots and Patch Notification Bots are migrated to use Risk.SecurityExposure.

Security

• Access Scopes: Add and check a scope to the session access tokens.

New Features

• Error Logs: Added a new log file hs_err_pid.log written to the logs folder for Windows client and server services when Java encounters an internal error.

• Virtual Threads: Moved applicable threads to Java 25 virtual threads to assist with active thread count and lowering memory usage.

• Thread Dumps: Added new system config setting, slm.logthreadstates_v.

• Disk Efficiency: Older logs generated with this method are compressed (.gz) to save disk space.

• Deployment Safeguards: Added safeguards to prevent Illegal execution time runtime errors during patch deployment.

• AVX Flag: Added the -XX:UseAVX=2 flag to JVM startup arguments to prevent crashes on systems supporting AVX-512.

• Linux Builds: Added libatomic as a dependency on debian/ubuntu builds.

• BitLocker Info: Added a sensor that collects BitLocker information on each drive.

• macOS Software: Added a sensor to report on macOS installed software using the system_profiler application.

• Silent Validation: Added the VALIDATE property to the P2P MSI installer for post-silent install validations.

• Sparse Status: Added component to send sparse patching status from client to server when metadata is deleted on client.

• Modern Linux: Added support for modern Fedora versions and OpenSUSE and SUSE Enterprise Linux.

• Download Timeouts: Added several system config properties to configure Windows Update download timeout behavior:

  • Initial Timeout: patching_client_system.windows_download_initial_timeout_millis

  • Extend Timeout: patching_client_system.windows_download_extend_timeout_millis

  • Retry Delay: patching_client_system.windows_download_retry_delay_seconds

• Cache Cleanup: Added brp2p.delete_all_sparse_files_on_startup config to delete current sparse files on startup.

Improvements

• System Performance: Changed use of virtual threads to lower memory usage and improve performance for both the Server and Client components.

• Database Access: Changed default MSSQL socket timeout to 60 minutes from 6 minutes on new installations.

• Disruptor Update: Updated disruptor from 3.4.4 to 4.0.0.

• Transitive Dependency: Upgraded Microsoft Graph core gson to 2.13.2 to address CVE 2025-53864.

• Library Maintenance: Updated msal4j library, adding nimbusds libraries.

• OpenSSL: Updated OpenSSL to 3.6.1.

• Log4j Update: Updated log4j to 2.25.3 on Tenable Patch Management Server and Client.

• Interface Transition: Workbench has stopped receiving code updates; please use Web UI for all functions.

Bug Fixes

• Object Deadlock: Fixed potential for ObjectManager to deadlock under heavy read load.

• Windows UI: Fixed icon in Windows Add/Remove Programs entry.

• Cache Logic: Fixed issue when deleting cached content to ensure directories are deleted correctly.

• Role Logic: Fixed Role Save As operation to copy all permissions from source role.

• Admin Protection: The Save As operation is prevented on super admin, all-admin, and read-only-admin roles.

• Cache Pinning: Fixed issue where content cache pinning was not respected on Windows clients.

• H2 Migration: Fixed issue with upgrade failure path from 970 involving H2 migration.

• Process Freeze: Fixed issue where a client could freeze if a process is terminated externally.

• Package Deadlock: Fixed issue where a deadlock could occur if the package manager was output to stderr.

• Async Logging: Stderr is now stored for logging asynchronously.

• Linux Identity: Fixed issue where the primary user was not being computed on Linux clients.

• Absolute Paths: Fixed issue with package managers to now use the absolute path instead of relying on PATH.

• Search Order: Client will look for the package manager in specified directories in a set order.

• Push Logic: Fixed issue where there was a NPE being thrown from removal of patch content prestage push requests.

• Status Override: Fixed issue where patch status would be overridden for in-progress or failed deployments.

• Notification Timeout: Fixed issue where reboot notifications could inadvertently interpret a timeout as a user Dismiss click.

• WMI Leaks: Fixed memory leaks that occurred when WMI queries are executed often.

• WSUS Prestage: Fixed issues where a deadlock scenario may occur during WSUS patch content prestaging.

• Download Race: Fixed issue where race conditions created access denied errors when downloading Windows Updates.

• Transfer Integrity: Added adler32 checksum validation for each byte range p2p transfer.

Removed

• DHCP Compatibility: Client setup no longer fails if UDP port 67 is bound.

New Features

• Patch Blocking: Added a menu option to directly block a patch on patching dashboards.

• BU Search: Added business unit searching to the business unit browser.

• Linux Selectors: Added missing linux distributions to the patching strategy supported platforms selectors.

• Asset Menus: Added product-specific menu items to table rows under Assets > Devices:

  • Patching View: View Patching Dashboard

  • Inventory View: View Inventory Dashboard

• Platform Filters: Added support for filtering sensors by Supported Platforms through advanced search.

• Parent View: Added button in tenant view to open parent company.

• Override Checkboxes: Added checkboxes for the patching overrides card drilldowns.

Improvements

• Framework Update: Changed UI from Angular version 19 to 21.

• Filter Richness: Changed what to patch and bot filtering to provide rich filter selection information.

• Table Layout: Changed tables to automatically size columns to their content and scroll horizontally.

• Filter Relevance: Changed Patching Bot Editors and Strategy filters to only show properties relevant for filtering.

• Navigation Logic: Changed object tables to provide hyperlinks instead of responding to row-level clicks.

• Session Stability: Changed how the UI mitigates clock skew to reduce unexpected logouts.

• Menu Logic: Changed All Requests to hide table menu buttons when no items are available.

Bug Fixes

• Save As API: Resolved a REST API error that occurred when using the "Save As" feature on an existing strategy template.

• Filter Preview: Resolved a bug where multiple filter categories in the Strategy Editor (e.g., Tenable.Vpr, risk.cvssscores) failed to return results when using the "Preview Filtered Software" function.

• Simple Preview: Fixed an issue in the Simple Strategy Editor where the "Preview Targeted Patches" button returned empty results for products with a SoftwareProduct parent, including all Windows OS, Linux, and Driver patches.

• Character Limits: Increased the character limit for User Interaction settings text fields (specifically the HTTP POST Message field) to prevent data truncation and database errors.

• Overlay Error: Fixed issue that caused an error overlay when submitting no selections in Target Business Units.

• Validation Fix: Fixed issue with the Add Patch overlay window to highlight missing information.

• Session Logic: Fixed an issue that made Data Provider session timeouts more likely in UI dashboards.

• Card Display: Fixed issue where full screen-maximizing content would not display their full content.

• Drilldown Headers: Fixed table header menu in the Total Patch Count drilldown.

• Object Security: Fixed issue allowing read-only objects to be able to be deleted / moved.

• Drilldown Table: Fixed issue with Tenable remediation patches > detected devices drilldown showing broken table.

Removed

• Row Behavior: Removed behavior where clicking anywhere on a Location table row opened the client list.

• Access Logic: The client list is now accessible only through the row-level context menu.

• Scrolling Update: Removed resizable table columns in favor of horizontal scrolling.

• Improved SaaS Reliability: Resolves "502 Bad Gateway" errors and database deadlocks by optimizing connection pooling and PostgreSQL-specific T-SQL ports.

• Strategy Integrity: Fixes a critical defect where simplified patching strategies could become corrupted or fail to load "How to Patch" configurations.

• Precision Reporting: Corrects compliance percentage variables to eliminate "over 100%" reporting errors.

• Platform Modernization: Full integration of Java 25 and log4j 2.25.3 for enhanced security and performance.

New Features

• Policy Synchronization: Added automated handling during upgrades to synchronize target groups for full scans and risk assessment policies with patch licensing policies.

• Cloud Endpoint Selection: Support for choosing between Tenable's commercial and FedRAMP cloud endpoints.

• SaaS Deployment Procedure: Fixed the "get clients" procedure to ensure successful fresh installations for new SaaS tenants.

Improvements

• Administrator Security: Updated password reset functionality to use case-insensitive string processing.

• REST API Consistency: retrieving Global Pause state now correctly returns "No Content" instead of a default value when no cycles are active.

• WSUS Intelligence: Optimized scanning logic to mark patches as "Not Applicable" if a newer superseding patch is already present on the system.

• General Performance: Implementation of various quality fixes to resolve high CPU usage during dashboard queries.

Bug Fixes

• 502 Bad Gateway Errors / Scale Issues: Resolved SQL database connection pool exhaustion and primary key violations for Mac address values in SaaS environments.

• Strategies Not Loading / Session Failed: Fixed a bug causing simplified patching strategies to become corrupted or fail to load when saved.

• Database Integrity: Resolved issues where product exceptions applied to patching policies failed to persist in the database.

• Upgrade Stability: Fixed failures caused by H2 database migration consuming excessive RAM and resolved issues with missing IDs during parent/child Business Unit upgrades.

• Reboot Status Not Displayed: PostgreSQL Parity: Included the missing fix for "Reboot Pending" status display that was previously omitted during the PostgreSQL SaaS port.

• Execution Time Rollup: Fixed missing "finished execution time" data in SaaS patch rollup tables.

New Features

• Expanded Product Support: Added Microsoft Defender product SKUs to the supported SaaS catalog.

• P2P Configuration: New brp2p.minimum_viable_volunteer_count setting to manage peer-to-peer download sources.

Improvements

• Windows Update Visibility: Clients now log active download progress and automatically extend timeouts based on reported activity.

• Transfer Efficiency: Peer-to-peer (Byte Range) transfers now automatically discard bytes received after a peer timeout to prevent data corruption.

• Security Standards: Full upgrade to log4j v2.25.3 and JRE 25.0.2 (Zulu 25.32.17).

Bug Fixes

• Compliance Accuracy: Fixed a logic error where compliance could report values exceeding 100% (e.g., 125%) due to incorrect variable referencing.

• Installation Support: Fixed client setup failures occurring when UDP port 67 was bound, enabling deployment on DHCP servers.

• Process Management: Resolved a race condition where interfering processes could terminate before the notification deadline.

• Network Detection: Added logic to prevent macOS clients from incorrectly identifying Zscaler IP addresses as the primary system IP.

Improvements

• UI Cleanup: Unified all product naming to "Patch Management" and removed legacy Tool Foundry access for SaaS tenants.

• Interactive Menus: Added "smart hover" to context menus to prevent accidental closing during navigation.

Bug Fixes

• Blank Strategy Configuration: Fixed a cosmetic defect where the "How to Patch" configuration appeared blank when accessed via the strategy ellipsis menu.

• Patch Filter Conditions Not Working: Updated Patch Filter UI and Tenable.Vpr filter handling. Added a dropdown for true/false boolean fields and updated VPR filters to require the Tenable.VprInteger format.

• JAMF Cloud Install Script Failure: Fixed a bug where the cloud install script (.sh) failed when copied into a JAMF script payload.

• Session Management: Resolved "failed to start list server session" errors and API internal exceptions when navigating to Strategy Operations.

• Visual Persistence: Fixed the Global Pause alert banner persisting after user logout.

• Navigation Context: Ensured Business Unit query parameters persist correctly when navigating between filtered pages.

• Unified & Modern: Experience a single, modernized SKU that combines simplicity with depth.

• Streamlined Onboarding: A new 6-step, wizard-based setup covers 80% of customer use cases, significantly reducing configuration time and learning curve.

• Focus on What Matters: Day-to-day operations are now uncluttered. Complex, high-specificity controls (the remaining 20%) are consolidated under Advanced Settings, ensuring power is available without distraction.

• Performance Boost: Both Server and Client engines have been updated to Java 25, resulting in reduced memory usage and improved stability.

A Reimagined User Experience

The user interface has been redesigned to surface metrics that matter most to your daily operations.

• New Dashboards: Replaced Patching Analytics with dedicated Home and Deployments dashboards for better visibility into ongoing rollouts.

• Simplified Navigation: The sidebar now prioritizes day-to-day actions, moving complex configurations out of direct view.

• Smart Interactions: Context menus now feature "smart hover" to prevent accidental closing during navigation.

Streamlined Patching Strategies

Creating deployment plans is now faster and more intuitive.

• Direct Definition: Define deployment steps directly within your Strategy, eliminating the need to configure multiple prerequisite objects beforehand.

• Legacy Support: Existing strategies remain functional as "Legacy Strategies" to ensure no disruption during your transition.

Client-Side Innovations

• User Experience: You can now notify users upon deployment success/failure or alert them if interfering applications are blocking updates.

• Power Management: Windows clients are now prevented from sleeping during active patch deployments.

• Interference Handling: The client can now check for and immediately terminate interfering processes before installation.

Expanded Security & Control

• Granular RBAC: TPM v10 has introduced new built-in roles, including Branch Office Administrator, Architect, and Operator. You can now also author custom roles for precise access control.

• Scoped Access: The Branch Administrator role allows scoped access to specific locations (e.g., branch offices, labs) or read-only access for audits.

• Process Automation: Added wave-based patching processes with configurable gates and approvals.

Navigation Changes (v9 to v10)

To simplify operations, we have reorganized key features.

For a full details on the navigation and user interface changes, refer to the What's New page.

• SaaS Customers: You Saas Tenant console (server) has been automatically upgraded to the new user interface on January 22, 2026 so that you can have immediate access to v10 features. For clients, please follow the instructions here to upgrade your clients to v10. For SaaS customers with Express licenses, you can either contact us for a Zero-Dollar Exchange Order today to move to the new single SKU model, or your subscription transitions to the new single SKU model at your next renewal.

• On-Premise Customers: Customers on Express SKUs may remain on them, but renewals will transition to the single SKU. While you may remain on v9.3, Tenable highly recommends upgrading to enjoy the most powerful and intuitive version of TPM to date. Contact Tenable for a Zero-Dollar Exchange Order to unlock v10 features today.

Server & Architecture

• Java 25: Replaced Java 17 with Java 25 (Zulu 25.0.1) for superior performance.

• Security: Added elliptic curve signing keys for OIDC providers and updated Tomcat ciphers to remove weak options.

• Cloud Storage: Added validation when content publication settings are enabled for cloud storage.

• Fixes: Resolved synchronization issues with Byte Level P2P content and fixed SQL Server Kerberos authentication failures.

Client Performance

• Concurrency: Scans and feed consumption can now execute concurrently if metadata does not conflict.

• Resource Usage: Configured core pool threads to terminate when idle and reduced non-heap memory usage.

• Fixes: Addressed high CPU usage during feed retries and fixed deadlock issues between patch prestaging and policy updates.

Quality Fixes

• Reporting: Fixed issues where assets without agents had vulnerabilities hidden from dashboards.

• Workflows: Resolved infinite spinning in Workflow Designer search and fixed text box visual cut-offs.

• Localization: Improved localization for dates and numbers.

New Features

• Cloud Storage: Added cloud storage validation when content publication settings are enabled for cloud storage.

• Security: Added elliptic curve signing keys for OIDC providers.

• Business Units:

  • Added new Business Units and feed subscription for Oracle Linux.

  • Added phased deployments (1%, 5%, 10%, quarters, and all devices).

  • Allowed Business Units to target Customized Products.

• Maintenance Windows:

  • Added capped maintenance windows.

  • Added product-specific maintenance windows (see Customized Products).

• RBAC: Added new roles for Tenable Patch On-Prem: Patch Super Administrator, Architect, Operator, Reviewer, and Branch Administrator.

  • The Branch Administrator role can be assigned to individual Business Units.

  • New permissions added for all Flex Controls to support RBAC.

• Dashboards: Added patching rollout state dashboard, enabling visibility into approved patches and ongoing deployments.

• Integrations: Added vulnerability management integration folders for Patch Deployment Bots.

• Process Automation: Added multiple wave-based patching processes, with configurable values for wave gates, approvals, and other common activities.

• Workflows: Added LaunchFormPropertyBag start node property to new business workflows.

Improvements

• Changed client auto upgrade schedules to use server time zone.

• Updated tomcat ciphers to remove weak ciphers from being used.

• Updated Hibernate from 3.5.6 to 5.6.15.

• Removed default read permission on Customized Product objects for All Admins.

• Converted all Rollback objects into Rollback To Version objects with no target patch specified.

Bug Fixes

• Fixed synchronization issue where content published as Byte Level P2P could have its associated metadata inconsistent with the structure and offsets of its underlying block files, causing clients to request blobs that do not exist.

• Fixed CommandShellNode to correctly capture exit status of processes.

• Fixed issue where membership updates of Falcon host group scopes would not trigger membership evaluation of the corresponding Business Unit.

• Fixed performance issue when making non-membership related changes to Business Units.

• Fixed an issue where cycle updates when viewing cycles tables would log errors about a null username.

• Fixed override automatic import folder option not actually overriding import folder.

• Fixed issue where SQL Server authentication using Kerberos would fail due to the port erroneously being set to 0.

• Fixed branding in OIDC invite and password reset emails on Tenable servers.

• Fixed [patch].[dp_product product_status] so that the population of product status grids is faster.

• Fixed an issue where the server would stop polling cloud relay for messages.

• Fixed issue where products were occasionally duplicated in patching strategies.

• Fixed issue where the expression on SensorActionExecutionPolicy was limited to 255 characters.

• Fixed an issue in SensorGroupScope manager where a group unregistering for a column could cause the whole group or the whole sensor to lose registration.

• Fixed an issue with TSC integration where assets without an agent had vulnerabilities hidden from Tenable dashboards.

• Fixed issue with search functionality in Workflow Designer infinitely spinning.

New Features

• Updates: Added new Client Setting, WU Allow Access, to enable manual windows updates.

• Maintenance: Added capability to set a limit on the max number of missed maintenance windows before a forced install is performed.

• User Interaction:

  • Added ability in User Interaction Settings to notify the user when a deployment succeeds or fails.

  • Added ability in User Interaction Settings to notify the user when interfering apps are running that prevent patch deployment.

• Reporting: Added reporting of the primary user on Linux and macOS clients.

• Power Management: Added functionality that prevents Windows clients from going to sleep during patch deployments or action executions.

Improvements

• Concurrency: Changed patching client locking behavior so that scans and feed consumption may execute concurrently if the metadata operated on is not conflicting.

• Performance:

  • Configured core pool threads to terminate when idle.

  • Client VM configuration changes to reduce non-heap memory.

  • Updated H2 to 2.2.224.

• Process Management: Check for and terminate interfering processes immediately before software installation.

• Deprecated: The Tenable client on 32-bit operating systems is no longer supported.

Bug Fixes

• Fixed an issue where a maintenance window's dynamic detection workflow would reset when the client service restarted.

• Fixed error when running TenableClientInfo sensor on Mac and Linux clients.

• Fixed issue where byte range transfer would not start if the sender has partial data.

• Fixed an issue where byte range download may not resolve from peer clients for a long time and will timeout.

• Fixed a high CPU usage issue that can occur when feeds need to be retried; limited and made configurable the number of threads used during feed reprocessing.

• Fixed issue between patch prestaging runner and patching policy update that could cause a deadlock.

• Fixed an issue where the client would not trigger reboot until the deployment maintenance window opens.

• Fixed an issue where RDP logout would be blocked by the Windows System Event Notification Service.

• Fixed pre-caching of content files when there is an active content download session by skipping the file.

• Fixed an issue where client's restarting while running a sensor would cause the client and server to get out of sync with respect to the sensor data.

• Fixed an issue where the client would stop polling cloud relay for messages.

• Fixed an issue where client upgrade can fail for Patch if the client has not yet received the risk assessment configuration policy object.

• Fixed a race condition in SensorOfflineCache, where collection of sensor deltas could mark a sensor as reset.

New Features

• Patching Strategies:

  • Added a new and improved, streamlined experience for authoring Patching Strategies.

  • Eliminated the need to configure several prerequisite objects before creating a Strategy.

  • Define your Deployment Plan as a sequence of "steps" directly within your Strategy.

  • The old Patching Strategy paradigm has not yet been removed, and users may still create and manage them as Legacy Strategies.

• Dashboards:

  • Added a new Deployments Dashboard to provide improved visibility into both in-progress and upcoming patch deployments.

  • Added toggle to Tenable dashboards to switch view between Tenable CVE detections with applicable patches and all Tenable detections.

  • Added "smart hover" functionality to context menus to prevent unexpected menu closing as users navigate their cursor to nested menus.

  • Added automatic updates to Patching dashboards when data has changed.

  • Added filtering support to the "Device Activity" timeline on the per-device patching state dashboard.

• Customization:

  • Added ability to specify interfering process handlers on a customized Software Product.

  • Added ability to set a Scan Schedule for a customized product.

  • Added to Approvals the number of pending patch approvals for the logged-in Administrator.

• Scripting: Added new JavaScript APIs (adaptiva.sandbox.context) for persisting in-memory context for user scripting in Web Forms, User Dashboards, etc.

Improvements

• Homepage: Redesigned the homepage of Tenable Patch to surface metrics and actions more useful for day-to-day operations, provide more comprehensive data drill-down, and facilitate more intuitive feature discovery.

• Sidebar: Reorganized the feature sidebar for Tenable Patch to display day-to-day actions and move advanced settings out of direct view.

• Approvals: Approval Requests has been renamed to Approvals.

• Charts: Updated Chart user interface when displaying empty data and errors; charts now display a button when errors are present that allows users to drill into a separate view to read error messages.

• Settings:

  • Moved Time to Wait and Load Leveling Window inputs into "Advanced Settings" for Client Upgrade Settings.

  • Renamed Event Notifications in Settings to SMTP Settings.

  • Split deployment notification settings into starting and completed notifications.

• Removed: Removed the user interface for selecting Active Directory groups for Role membership in Cloud Tenant context.

Bug Fixes

• Fixed Sandbox script execution performance by caching Sandbox tasks.

• Fixed an issue where the Client Settings Policy editor user interface would remove entries that had not been edited.

• Fixed an issue where the error icon in Form and Object Builder labels would become misaligned with longer labels.

• Fixed Licensing Alerter Form password field to be a password input.

• Fixed an issue where scrolling a lengthy signpost dialog would close the dialog instead of scrolling the content.

• Fixed an issue where users were unable to select the Workflow Activity class in various contexts without having first navigated to the Workflow Designer.

• Fixed an issue where property customizers using text boxes were visually cut off in the Workflow Designer.

• Fixed localization for dates and numbers.