Changelog

What's new in TridentStack Control

Product updates, improvements, and fixes as they ship.

Even compliance refresh across mixed Windows, Linux, and macOS fleets

Fixed

  • Fixed a scheduling issue that could let compliance evaluations for Windows endpoints fall behind in environments running many Linux endpoints. Compliance results now refresh evenly across Windows, Linux, and macOS regardless of fleet mix.

Bulk license management, Linux update health, and fleet-wide endpoint actions

Improved

  • Update Health now covers Linux endpoints - Linux endpoints report disk space (root and /boot) and pending restarts, so the Update Health column shows real readiness, including a "Restart pending" badge when a restart is needed to finish applying updates.
  • Bulk license management - The License Management page (Settings > Licensing) now lets you select multiple endpoints at once and license or unlicense them in a single action, on a refreshed, searchable, sortable table that no longer jumps when you click a row. If you try to license more endpoints than you have free slots, it licenses as many as it can (oldest endpoints first) and tells you how many more licenses you would need.

Fixed

  • License management links now go where you expect - The "Manage licenses" link in the over-cap banner now opens your License Management page directly instead of the general settings page, and the "Add Licenses" button now takes you straight to billing to add endpoints.
  • Endpoint Online and Offline counts now reflect your whole fleet - The Online and Offline totals at the top of the Endpoints page now count every endpoint, not just the ones currently scrolled into view.
  • Select All on the Endpoints page now covers your whole fleet - The "Select All" button selects every endpoint across all pages (not just the ones scrolled into view), so a bulk action can target your entire fleet in one go. The checkbox at the top of the list selects the endpoints shown at the top as a quick batch, and its state stays in sync with what you have selected.
  • Deployment ring notifications now open the Rollouts page - Clicking an in-app notification that a deployment ring is halted or awaiting approval now takes you straight to the Rollouts page, where you can un-halt or approve, instead of dropping you on the dashboard.

Faster bulk tagging, sortable update health, and reliability fixes

Improved

  • You can now sort the endpoints list by Update Health, bringing the endpoints whose updates are blocked or need attention to the top in one click (sort runs across your whole fleet, not just the endpoints currently on screen).
  • Applying tag changes to many endpoints at once is now near-instant. Selecting a large group of endpoints and updating their tags previously could take several minutes to finish; it now completes in about a second. Only the tags you actually changed are updated, so tags already in place on some of the selected endpoints are left untouched.
  • The Rollouts page now shows when the next batch of endpoints will be picked up while a maintenance window is open, so a rollout that just advanced to its next group no longer looks idle for a few minutes between batches.

Fixed

  • Application updates no longer restart an endpoint while other updates are still installing. Previously, updating certain applications that were open at the time could trigger an unexpected restart partway through an update batch, interrupting the remaining updates. Those applications now close and reopen cleanly during the update without an unplanned restart, and the rest of the batch completes as scheduled.
  • Phased rollouts no longer stall when an endpoint is safely skipped by a pre-update safety check (for example, low free disk space before a large update). The skipped endpoint is now shown as a neutral "blocked" state instead of a failure, and the rollout continues to its remaining endpoints on schedule and retries the skipped endpoint in its next window.
  • Fixed an issue where certain Windows updates for optional server tools could be listed as pending on endpoints that did not have those tools installed, causing the update to repeatedly retry and fail each maintenance window. Updates that do not apply to an endpoint are now correctly excluded from its pending list.
  • Fixed a case where an endpoint that restarted while installing updates during a rollout could show as stuck "in progress" for up to a day. The interrupted update is now marked as interrupted right away, and the endpoint is retried in its next maintenance window.
  • The Linux agent now installs and runs across the full range of supported Linux releases. Installs on older but supported releases (including Ubuntu 20.04, Red Hat Enterprise Linux / Rocky Linux / AlmaLinux 8, and Amazon Linux 2) that could previously fail to start now complete and run normally. The installer also gives a clear, specific message if a system is older than the supported minimum, and a failed upgrade now keeps the previously working agent in place instead of leaving the endpoint without one.
  • A brief black command window no longer flashes on a Windows endpoint's desktop. When a user signed in to or reconnected to a managed endpoint, and during certain application installs that run in a signed-in user's session, a console window could momentarily appear and disappear on screen. These background steps now run silently, with no visible window.
  • On Linux and macOS endpoints, the pending system updates shown on the endpoint's page now list only the updates your assigned update policy will actually install, matching how Windows endpoints already work. Previously the list could include updates your policy intentionally leaves out (for example, non-security package updates under a security-focused policy), which made an endpoint look out of date when it was already current for its policy. The manual install options on these endpoints now match as well, offering only policy-approved updates.

More reliable deployment rollouts and clearer update history

Improved

  • Saving a deployment rollout now flags a phase whose wait time is longer than its maintenance window, instead of silently accepting a configuration that would leave the rollout unable to advance.

Fixed

  • Application updates installed through automatic update rollouts now show the correct application name and the full step-by-step timeline (Compatibility Check, Download, Install) in an endpoint's update history. Previously these installs could appear as "Unknown" with parts of the timeline missing.
  • The Next Window time on the Update Management rollouts view now shows the exact scheduled window start and holds steady, instead of creeping forward minute by minute and reading a few minutes later than the real start time.
  • Editing a rollout phase's wait time or success criteria now takes effect on an in-progress rollout. Previously a phase that was already running kept using the settings it had when it started, so lowering a phase's wait had no effect until the rollout moved on, which in some cases prevented it from advancing at all.
  • A rollout that is briefly held between phases while a canary group is still installing now reads "waiting on … canary" instead of the alarming "… canary failing." A healthy, in-progress rollout with zero failures no longer looks like a failure.
  • For updates installed through an automatic rollout, the Download step in an endpoint's update history now reads "Pre-staged" when the file was downloaded ahead of the maintenance window, instead of showing a blank row. (Manually triggered installs continue to show the live download with progress.)
  • Windows update titles now show the architecture that matches the endpoint. For example, an x64 PC no longer displays a .NET update labeled "ARM64 Client." The correct update was always installed; only the displayed label was wrong.

Policy list insights, flexible notification recipients, and reliability fixes

Improved

  • The System Update Policies and Application Update Policies lists now show an Assigned Tags column, so you can see at a glance which tags route endpoints to each policy without opening it.
  • Expanding a policy on either list now shows its assigned tags, and you can click a tag, status, or schedule to instantly filter the list to (or exclude) policies with that value. Active filters appear as removable chips above the table.
  • Both lists now include a Deployment Ring column showing the rollout ring assigned to each policy, and you can filter either list by deployment ring from a policy's expanded details.
  • Administrators can now add any email address as a notification recipient, not just members of your team. In Settings > Notifications, type a shared inbox or distribution list address for any event category and add it alongside the team members you select.
  • Installing the TridentStack Control agent on older Windows systems (Windows Server 2016 and 2012 R2) is now reliable. The Agent Installers screen has a new "Older Windows" toggle that adjusts the one-line install command so it connects on systems that previously failed with a secure-connection (TLS) error. Modern Windows keeps the cleaner, shorter command by default.
  • On endpoints running an operating system past its end-of-support date, the vulnerabilities filter now separates the two kinds of fixes: a Fixable toggle for updates you can apply today, and a separate ESU only toggle for fixes that require an Extended Security Update (ESU) license. Endpoints that do not need ESU are unchanged, with a single Fixable toggle.
  • Status page timestamps now display in your local time instead of UTC.
  • Returning to the console after the browser has been idle is now snappier: the first page you open after stepping away loads right away, instead of briefly pausing on an empty screen.

Fixed

  • When an endpoint goes offline while updates are being downloaded ahead of their scheduled window, that download now shows in the endpoint's history as deferred and is retried automatically, instead of being recorded as a failed task. A laptop going to sleep mid-download no longer looks like something went wrong.
  • An endpoint's Application Updates list no longer shows an "Updates blocked" warning that only applies to operating system updates. The system readiness checks behind that warning (such as available disk space and recovery partition sizing) gate system updates only, so they no longer appear on application updates, which install through a separate path.
  • A small Windows recovery partition no longer blocks an endpoint's updates and is no longer flagged as a critical problem. A too-small recovery partition only affects the Windows recovery environment, not regular or feature updates, so it now appears as advisory guidance with the correct resize steps instead of holding back updates.
  • Opening a Linux endpoint's details now loads the Pending System Updates list almost instantly. On endpoints whose update policy automatically approves updates, this list could previously take around 30 seconds to appear.
  • Saving changes in Settings > Notifications now works reliably. Turning the in-app channel on or off, and choosing which channels deliver each type of event, now save correctly. Previously these changes could appear to save but silently fail to take effect.
  • When you have unsaved changes on a Settings page and switch to another section, the prompt to save or discard now appears before the page changes, instead of switching first and then warning.
  • The status page now waits for several minutes of continuous downtime before reporting an incident, so brief, self-resolving blips no longer show up as incidents.

Update health at a glance, smarter deployment ring rollouts, and reliability fixes

New

  • Linux system update policies now include an option to install all available updates, so a deployment ring can automatically apply every pending Linux package update, not only those tied to a published security advisory.
  • Update Health column on the endpoints list - see at a glance which endpoints have issues that will block or fail update installs (such as low disk space and other pre-flight checks), and filter the list to just the blocked ones. Add it from the endpoints column menu.

Improved

  • Update Health now covers macOS endpoints - macOS endpoints report startup-volume disk space, so the Update Health column shows real readiness (Healthy, Action recommended, or Blocked) instead of a dash.
  • Pending Application Updates now shows when a per-user app update is already scheduled to install at the user's next sign-in, and clearly marks per-user installs with the account they apply to.
  • System updates that report success but remain applicable are now detected and automatically re-attempted a few times before being flagged, so a transient install that did not fully take effect recovers on its own instead of lingering. The deployment ring status for an endpoint now shows when this is happening, including when automatic retries did not resolve it and the update needs attention. An endpoint's activity history now flags a past update install that still applies after reporting success, so you can see exactly which update needs attention right where the install was recorded.
  • Rollout status and the deployment calendar now have their own Rollouts page in the sidebar, so the Deployment Rings page stays focused on configuration.
  • Your Vendor Access Log now records every time TridentStack Control support staff view your environment, and your Support Access setting governs that access across all of TridentStack Control's support tools, giving you complete visibility into and control over when staff can view your data.
  • Deployment ring canary phases now validate each kind of update on its own. When a ring's early phase happens to include endpoints needing different update types (for example application updates on one endpoint and system updates on another), the rollout confirms each type succeeds before widening, and it holds the rollout for any update type that is failing its early validation instead of letting other successful updates mask the failure. Within the same phase size, early-phase endpoint selection now also prefers a mix that exercises each pending update type when the endpoints to do so are available.
  • The sidebar now shows a count badge on Rollouts when a deployment ring is halted or waiting for your approval to continue, so the rings that need your attention are visible at a glance without opening the notifications panel. The badge moves up to the Update Management menu when that section or the sidebar is collapsed, and appears on mobile as well. These deployment ring alerts now reach everyone with permission to approve updates, in both the sidebar badge and the notifications panel.
  • On the Rollouts Status view, a deployment ring that is halted or waiting for your approval is now highlighted in its row, so the ring that needs your attention stands out at a glance from the rest.

Fixed

  • Bulk and automatic application updates now show the same detailed per-app progress (compatibility check, download, install) and nested follow-up steps as manually triggered updates.
  • The projected rollout timeline on a deployment ring now anchors each phase to its deployment window's scheduled start time, so the preview no longer drifts to the current time when you open it while a window is already active.
  • The deployment ring rollout status now shows the next phase advancing at its deployment window's scheduled start, instead of when the phase's wait period simply elapses, so the time reflects when the rollout will actually progress rather than implying it could advance while the window is closed.
  • Applications that are already current no longer appear as if they were re-installed; they now show a clear "Up to date" state instead of a misleading version change.
  • A vulnerability scan that was canceled or did not finish no longer shows a duration timer that keeps counting up forever, and no longer reports a misleading "no vulnerabilities detected" result. Interrupted scans now clearly indicate that the scan did not complete, and any earlier scans affected by this display issue are corrected automatically.
  • Endpoints no longer run extra redundant vulnerability scans once they have already been scanned, so an endpoint's activity history reflects the scans that actually matter instead of repeated near-duplicate entries.
  • Your System Audit log now shows your full activity history with smooth continuous scrolling, instead of appearing limited to the 50 most recent entries.
  • When TridentStack Control support staff view your environment, your System Audit log now records each support session as a single clear entry instead of many repeated entries.
  • Approving a system update for a policy now updates the affected endpoints right away, instead of waiting for the next scheduled refresh, so newly approved updates become available to those endpoints promptly.
  • Windows feature updates that are downloaded and staged ahead of time through a deployment ring now reliably complete their final install step, instead of staying staged without finishing.

Deployment ring controls, instant onboarding, and a public CVE catalog

New

  • A new public CVE and CISA-KEV catalog at tridentstack.com/cve. Search and filter the full vulnerability catalog by severity, exploit-prediction score (EPSS), active-exploitation (CISA Known Exploited Vulnerabilities) status, ransomware association, and year, then open any CVE for its full record, including CVSS, references, and remediation context. Anyone can browse it directly from the website.
  • New organizations are ready to manage updates the moment they are created. A new TridentStack Control organization now starts with a default system update policy, a default application update policy covering more than 30 common business applications, and an "all endpoints" tag that newly enrolled devices join automatically. As soon as you enroll your first endpoint, applicable operating system and application updates begin appearing, with no manual setup. Updates are surfaced and pre-approved for review; to start installing them, you create and assign a deployment ring.
  • Tag automation rules can now match every endpoint in your organization with a single "Match all endpoints" option, with no conditions to build.
  • Tag automation rules can now assign more than one tag. When you build a rule, pick any number of target tags, and every endpoint the rule matches receives all of them. Existing rules that assign a single tag keep working unchanged.
  • See at a glance which update policies govern each endpoint. The endpoint list has two new optional columns, System Update Policy and Application Update Policy, showing the policy each device effectively follows. Enable them from the column menu, sort by them, and filter the list to a specific policy using the plus and minus buttons in any expanded endpoint row. The search box now also matches tag names and policy names, so you can type part of a tag or policy and instantly narrow the list.
  • Target a deployment ring stage by tag, not just by percentage. Point a stage at one or more tags and it deploys to exactly the endpoints carrying those tags, giving you a stable, predictable set of devices in each wave of a rollout. Percentage-based stages still work the same way, and existing rings continue to roll out by percentage exactly as before.

Improved

  • Vulnerabilities now appear within moments of enrolling a new endpoint. Newly onboarded devices are scanned as soon as their software inventory is received, instead of after a delay.
  • New endpoints now show their setup progress live. A freshly enrolled device stays in an "Onboarding" state, and each section of its detail page shows a clear "Collecting…" indicator while its software inventory, system state, vulnerabilities, and update applicability are gathered, switching to the data the moment each one arrives, so you can see at a glance that everything is being fetched and computed.
  • A refreshed getting-started tour reflects the new ready-made setup, guiding you to review your default update policies and create a deployment ring when you are ready to begin installing updates.
  • More complete vulnerability detection for installed Python. Known issues affecting older Python builds are now surfaced more reliably, so out-of-date Python installs no longer appear cleaner than they are.
  • More complete operating system vulnerability detection for Windows and Windows Server. Recent security issues are now surfaced in full on systems with long update histories, where lower-severity findings could previously be left out.
  • More complete vulnerability severity scoring. Many recently published CVEs carry only a newer-format (CVSS v4.0) score, which was previously not read, so those vulnerabilities appeared unscored and could be deprioritized or left out of severity views. They now show their severity and score and are prioritized like any other vulnerability, across the endpoint vulnerability views and the public CVE catalog.
  • More accurate third-party software vulnerability detection. Vulnerabilities in installed device and chipset drivers, such as Intel chipset software, are now detected, so out-of-date drivers no longer appear up to date. Separately, when a vendor publishes a lightweight monitoring agent and a full server product under one shared set of vulnerability identifiers, findings that only affect the server component are no longer shown on endpoints that run just the agent, removing false alerts (including some high-severity ones) from those endpoints' vulnerability lists.
  • Endpoints that cannot install Windows updates because of a problem on the device (most often low free disk space) now show a clear amber "Updates blocked" indicator on the endpoint's System State view, instead of appearing idle. Select it to see exactly what is blocking updates and how to fix it. The indicator clears on its own once the underlying issue is resolved.
  • A new "Hide ESU" filter on the Vulnerabilities page lets you hide vulnerabilities whose only fix requires an Extended Security Update (ESU) license. If your organization does not hold an ESU license, you can clear these unactionable findings from the list and focus on the vulnerabilities you can remediate today.
  • More accurate fix guidance for vulnerabilities that are patched in a different version on each release line. When a vulnerability has a separate fix per major version line (for example, one fixed version on the 12.x line and another on the 13.x line), an endpoint's remediation details now list the correct fixed version for each line and mark the line your endpoint is on, instead of implying that any higher version number is safe. This prevents updating to a build that is numerically newer but still affected.
  • Mark your most-used tags as favorites so they stay at the top of the tag picker. When you assign tags to an update policy, deployment ring, or compliance baseline, select the star next to a tag to pin it. Favorited tags appear first wherever you pick tags, and favorites are shared across your organization, so the tags your team reaches for most are always within reach.
  • An automation rule's "Apply Rule" button now stays disabled until your edits are saved, so a rule is never applied with changes you have not saved yet. Save first, then apply, and what runs always matches what you see.
  • The Vulnerabilities page is now easier to use on a phone. The All Vulnerabilities and By Agent views show each vulnerability or endpoint as a tap-friendly card instead of a wide table you have to scroll sideways, with search, filtering, and sorting all within reach.
  • Filter auto-approved system updates by name: add an "Update Name / Title" condition with */? wildcards to include or exclude updates by title (for example, exclude *Preview*).
  • New tag automation rules now start enabled. Once you set a rule's conditions and target tags, it takes effect right away, instead of having to switch the rule on as a separate step. You can still disable any rule at any time.
  • Endpoint enrollments now appear on the System Audit log. When a device enrolls and begins onboarding, the platform records a System event for it, so you can see exactly when each endpoint joined your organization, filter the log for these events, and include them in your audit exports for change management and compliance.
  • See exactly when each endpoint's next deployment window opens. The endpoint list's Next Window column now shows a specific date and time alongside the relative time (such as "in 1 day"), so you can tell at a glance precisely when scheduled updates are due to begin.
  • The Moderate deployment ring preset now waits a full day at its second stage before widening to a full rollout. New rings created from the Moderate preset give the early-adopter group a longer soak so issues can surface on a smaller set of endpoints first. Existing rings keep their current settings, and you can still adjust any stage's wait time yourself.
  • The health score dial on an endpoint's Health view now opens its breakdown when you tap or click it, showing how the overall score is weighted across vulnerabilities, compliance, pending updates, and network exposure. The breakdown was previously available only by hovering, so it is now reachable on phones and tablets too.
  • Choose your agent-update pilot group by tag, not just by individual device. In the Agent Updates settings, add one or more tags to your Pilot Group and every endpoint carrying a selected tag automatically becomes a pilot, receiving a new agent version first before the rest of your fleet. You can still select individual devices, and combine devices and tags in the same pilot group.
  • Deployment windows are simpler to set up. Instead of building separate day-of-week and time-of-day rules, you pick a start time and a duration, for example "Wednesday 10:00 PM for 6 hours". Windows that run past midnight are handled correctly, so an overnight maintenance window covers exactly the hours you intend. Your existing deployment windows are carried over automatically and keep running on the same schedule.
  • See exactly how a deployment ring will roll out before you save. A ring widens to its next stage as soon as that stage's wait time and success criteria are met, and installs happen during your next deployment window, so a rollout flows on its own observation schedule while still respecting your maintenance windows. A new Projected Timeline shows the specific date and time each stage is expected to begin and when the rollout will finish, updating as you adjust the schedule, stages, and wait times and staying current as time passes.
  • A deployment ring's final stage is locked at 100% and always sits last in the pipeline, so a rollout always finishes by covering every targeted endpoint. This makes the stage editor clearer and removes the chance of saving a ring that never reaches your whole fleet.
  • For deployment rings that run around the clock with no schedule, settings that only apply to scheduled windows, such as pre-staging, automatic safety halt, and per-window execution limits, are now clearly shown as unavailable with a short explanation, so it is obvious which controls apply to your ring.

Fixed

  • Offline endpoints no longer record repeated failed pre-staging download attempts. Update pre-staging now targets only endpoints that are online or recently connected, keeping endpoint history clean and accurate.
  • Assigning a tag now works reliably wherever you are on the page. When you add a tag to a policy, deployment ring, or compliance baseline, the tag picker stays fully on screen, opening upward or scrolling within itself when space is tight, instead of opening partly below the bottom of the window. It also stays anchored to the button as you scroll.
  • The endpoint Vulnerabilities tab no longer shows an occasional "Failed to load" error when a brief network interruption happens while the page is loading. Data views now retry automatically and recover on their own, instead of leaving you to refresh by hand.
  • Confirming a sensitive change with a passkey now works on the first try. Passkeys created with Windows Hello, or saved to your device or password manager, are now reliably accepted when you verify a sensitive action, instead of sometimes needing to be set up again.
  • An endpoint's activity history now reliably records system and application update refresh activity. Some of these refreshes could previously be left out of an endpoint's history; they now appear consistently.
  • Software inventory refresh activity is now recorded for every endpoint, including devices that have an unusual character in an installed application's name.
  • The search box on the Vulnerabilities page no longer loses focus while you type. Previously, once your search narrowed to no matches, the field would deselect itself and drop the keystrokes that followed; you can now type a full CVE search without interruption.
  • Installing the Windows agent now works on older Windows and PowerShell versions. On some older systems, the quick-install command or the downloaded install script could fail to download the agent with a secure-connection (TLS) error; the installer now enables the required TLS version automatically, so the agent installs without manual workarounds.
  • Large fleet rollouts now enroll without interruption. Adding many endpoints in quick succession from the same network location no longer pauses enrollment partway through, so you can bring an entire fleet online in one go.
  • The "By Agent" view on the Vulnerabilities page can now be filtered. Its search box and "Has Critical" toggle now narrow the list of endpoints as you would expect, instead of having no effect.
  • Sorting the automation rules list now works. Selecting a column header, such as Name, re-sorts the list as expected, instead of having no effect.
  • You can now page through every vulnerability on the Vulnerabilities page. Previously the All Vulnerabilities and By Agent views showed only the first page of results with no way to reach the rest; page navigation now appears and works whenever there is more than one page.
  • Opening an endpoint's details page is now smoother. The page no longer briefly flashes a "not found" message while it is still loading, and a momentary hiccup loading one part of the page no longer replaces the whole page with an error.
  • Staged deployment ring rollouts now honor the full wait time you configure at each stage. A stage's wait timer now starts when that stage actually begins deploying during its maintenance window, so a stage set to wait one day reliably waits a full day of real deployment before widening to the next group, instead of sometimes advancing early. The notification you receive when a stage advances also now names the correct previous and next stage and shows that stage's true success rate.
  • Deployment ring stage cards now display at a consistent size. The final stage card, which has no wait time, previously rendered slightly shorter than the others; every stage in a ring's rollout now lines up evenly.
  • Endpoint health scores now stay up to date on their own. The platform refreshes each endpoint's health score automatically in the background as its condition changes, so the score you see stays current even for devices you have not opened recently.

Simpler endpoint install scripts and reliability fixes

Improved

  • The install script you download from the Agent Installers page (Windows, macOS, and Linux) now comes pre-filled with your enrollment token, so an endpoint installs and registers correctly even when you run the downloaded script by hand. The page is also simpler: each platform shows a single Download Script button, with the advanced and manual install commands grouped together under Other Install Options.

Fixed

  • On the Endpoints list, every endpoint row is now the same height, regardless of how many tags an endpoint has or how long it has been running, so the list is easier to scan.
  • On phones, the Endpoints screen header no longer crowds the endpoint count, Add Agent button, and auto-refresh control into a single cramped row, so each control is easy to read and tap.
  • On phones, save and confirmation dialogs (such as when saving a deployment ring) now keep their action buttons fully visible above the bottom navigation bar, so the Save and Confirm buttons are always reachable.
  • Leaving a settings page that has unsaved changes (for example a deployment ring) using your browser or phone's Back button now prompts you to confirm before leaving, so edits are no longer discarded silently.
  • A deployment ring whose rollout phases were edited after it was created could quietly stop sending scheduled updates to its endpoints, showing an idle schedule even when updates were pending. Affected rings now automatically resume deploying on their next scheduled window.
  • A configuration policy whose settings are all set to "Disabled" is now correctly applied to your Windows endpoints. Previously such a policy was skipped and its settings were never enforced, even though it showed as assigned.
  • Adding a Windows endpoint to a tag that has configuration policies now applies those policies to the endpoint right away, instead of only after the endpoint next restarts or reconnects. This also applies to tags assigned automatically by tag rules.
  • Linux endpoints that are fully up to date no longer show a large list of operating-system vulnerabilities that have no available fix. The vulnerability list now reflects only the security updates that actually apply to the installed Linux kernel, so it matches the endpoint's update status.
  • Adding a Linux endpoint to a tag that carries a system-update policy no longer makes it briefly show "System is up to date" while it actually has pending operating-system updates. The pending-update count for Linux endpoints now stays accurate through tag and policy changes.

Configuration policy changes now reach your endpoints instantly

Fixed

  • Configuration policy changes now take effect on a Windows endpoint right away: assigning a policy applies it immediately, and removing an assignment removes it immediately, instead of waiting for the endpoint's next reconnect. The endpoint's Policies screen also now lists every assigned policy, where before it could show only the most recently applied one.
New, Improved, Fixed

A built-in Windows security hardening catalog, clearer vulnerabilities, and deployment ring fixes

New

  • Configuration Policies now include a built-in catalog of well-known Windows security hardening settings, including Certificate Padding enforcement, SMB v1 controls, credential protection, and a range of network-hardening options (the Microsoft Security Guide and MSS recommendations). They appear under Administrative Templates in a policy, are searchable, and show the recommended value for each, so you can apply trusted endpoint hardening without tracking down each setting yourself.

Improved

  • The Vulnerabilities list now has an Affected Software column, so you can see which product each vulnerability affects (for example Google Chrome, Mozilla Firefox, 7-Zip, or a specific Windows edition) at a glance without opening each one. The affected software also appears in your vulnerability reports, and you can now search the list by software name.
  • Expanded the opt-in Usage Analytics signals to include anonymized interaction and error diagnostics (counts and patterns only) so we can find and fix friction and bugs faster. No field values or identifiers are collected, and turning Usage Analytics off stops all of it. (Settings > Privacy)
  • When a deployment ring has no schedule rules and runs around the clock, the ring editor now explains how the Pre-Staging, Safety Controls, and Execution Limits sections behave in that mode, so it is clear what each setting does when there is no maintenance window.

Fixed

  • Fixed the Fix Available and KEV Only filters and the search box on the Vulnerabilities list, which previously had no effect. They now correctly narrow the list (including searching by affected software name), so you can focus on, for example, only the vulnerabilities that already have a fix available.
  • Fixed an error that could occur when editing a setting you had just added to a Configuration Policy but had not saved yet. Adding, editing, and saving settings in Configuration Policies now works reliably whether the setting is new or already saved.
  • Fixed an intermittent "Invalid or expired sign-in, please try again" error that could appear when signing in with Microsoft or Google, most often on phones and on privacy-focused browsers. Sign-in now completes reliably on the first try.
  • The sign-in screen now offers a "Use a different account" option for Microsoft and Google, so you can choose or switch which account to use whenever you need to. Routine sign-in stays seamless: when your session expires, TridentStack Control reconnects you with your existing Microsoft or Google session instead of making you sign in again.
  • Configuration Policy settings that accept a list of values, such as antivirus path, process, and file-type exclusions, now apply every value you enter. You can add and remove individual entries, and all of them take effect on your endpoints.
  • Duplicating a deployment ring now copies all of its settings, including restart behavior and restart verification, per-window execution limits, and the Linux and macOS restart and service options. Previously some of these sections quietly reverted to their defaults on the copy, so a duplicate did not fully match the original.
  • Fixed an issue where a deployment ring running around the clock (with no schedule rules) could permanently stop applying updates to an endpoint once it reached the per-window execution limit. The limit now resets on a rolling 24-hour basis, so endpoints keep receiving approved updates.
  • Creating, importing, or duplicating a deployment ring through the API now works the same as it does in the dashboard. Previously these requests could fail when made with an API key.
  • Deleting a Configuration Policy now reliably removes its settings from the endpoints it was applied to. Previously, settings from a deleted policy could remain in place on a device; they are now cleaned up automatically on the next check-in.

Reliable security policy editing, plus sign-in and update fixes

Fixed

  • Editing an already-configured security setting in a configuration policy now shows its current values instead of opening a blank editor. Reopening a configured setting loads exactly what is currently set.
  • The same sign-in method no longer appears more than once under Linked Sign-in Methods in user settings. Each linked sign-in method now appears only once.
  • A large Windows feature update that has finished preparing and is waiting to be finalized is no longer incorrectly reported as failed shortly after it stages. Prepared feature updates now stay ready to complete as expected.
Improved, Fixed

Configuration policy improvements and Windows update fixes

Improved

  • The security settings catalog in Configuration Policies now includes the full set of Windows audit and security policy settings, including the complete Advanced Audit Policy Configuration subcategories (such as Kerberos authentication, process termination, and filtering platform auditing). Settings that were previously unavailable can now be found in search and configured.

Fixed

  • Audit policy settings no longer revert to "No Auditing" while you are editing them, and the recommended-baseline indicator now correctly reflects whether audit policy and user rights settings match their recommended values.
  • After saving a policy, audit policy and user rights settings now show their configured value (such as Success, Failure, or the assigned accounts) instead of appearing enabled but blank. The values were always saved correctly; this corrects a display issue in the editor.
  • Windows 11 feature updates (for example, version 24H2 to 25H2) now apply correctly on a broader range of device configurations. A pre-installation compatibility check was stricter than necessary and could prevent eligible devices from receiving an in-place feature update. This improvement is rolling out to Windows agents now.
  • Fixed an error that prevented saving certain restart settings, such as the maximum number of restarts allowed per maintenance window, when editing a policy.
  • A scheduled update install that is skipped because another update is already running on the same device is no longer reported as a failure. It is now marked as superseded and retried in the next maintenance window.
Improved, Fixed

Easier navigation and clearer descriptions for security settings

Improved

  • Security settings in Configuration Policies now show their category directly in the catalog, so settings that share a name (such as the two "Audit directory service access" settings) are easy to tell apart at a glance.
  • Many more Windows security settings now include a plain-language description of what the setting controls, shown when you expand a setting in the catalog or open it to configure.

Fixed

  • Advanced Audit Policy settings under the DS Access and Object Access folders now appear under those folders in the Configuration Policy editor's settings tree, matching the Windows layout, instead of only being reachable from the top level or from search.

Clearer status for Windows feature updates awaiting a restart

Fixed

  • Windows feature updates that finish installing but still need a restart to take effect now show as "Pending Restart" instead of incorrectly reporting as "Failed." The update is already staged and completes automatically the next time the device restarts.
New, Improved

Preview a policy's impact before you apply it

New

  • Preview the impact of a configuration policy before you apply it. For Windows configuration policies, you can now run a Preview Impact check against any group of endpoints (selected by tag or individually) and see, endpoint by endpoint, exactly which settings the policy would change and where it would conflict with another policy already in effect. A fleet summary shows how many endpoints would change and how many have conflicts, so you can catch surprises before anything is enforced. Open it from a policy's detail page or from the actions menu on the policy list.

Improved

  • More control over how agent updates reach your fleet. Choose a pilot group that receives new agent versions first, and optionally hold updates for a set delay window before rolling out to everyone else. These controls now apply to your own fleet and reflect its real update status.
  • Application icons load faster throughout the package catalog, including on large policy and application pages.
Improved, Fixed

Update policies now cover the right platforms automatically

Improved

  • New update policies now default to targeting every operating system present in your fleet, so a policy can't be created that accidentally covers none of your endpoints.
  • Endpoints now show a clear notice when no active policy targets their operating system, making it obvious why an endpoint is not receiving updates.
  • Linux endpoints now display their available update counts and policy coverage details in the updates view, matching the Windows experience.

Fixed

  • API keys can now be used to create update policies and configurations. These requests previously returned an error.
New, Improved, Fixed

Faster console performance, Reporting fixes, and a public changelog

New

  • You can now follow TridentStack Control updates on our public changelog at tridentstack.com/changelog, including an RSS feed for your reader of choice.

Improved

  • The dashboard now loads noticeably faster and picks up where you left off instantly while refreshing data in the background.
  • Vulnerability lists on agent pages load significantly faster.
  • Pages that poll for updates now skip downloading data that has not changed, reducing background data transfer throughout the console.
  • The Reporting page loads much faster on first visit.

Fixed

  • Raw SQL report queries ending with a semicolon are now accepted instead of being rejected.
  • When a report query fails, the error message now remains visible instead of leaving the results area blank.
New, Improved, Fixed

Group Policy import and agent 1.1.57

New

  • Import your existing Group Policy configuration: upload a Group Policy backup from the Policy Objects page, preview which settings TridentStack Control recognizes, and import them as policy objects. Imported policies arrive disabled so you can review them before enabling enforcement.

Improved

  • Agent 1.1.57 began rolling out with stronger pre-installation checks for application updates, reducing failed installs.
  • Windows feature upgrades now verify available disk space before starting, and report clearly when an endpoint does not have enough free space to upgrade.

Fixed

  • Fixed an issue where some macOS application updates could fail to download.
New, Improved, Fixed, Security

Entra ID group sync, EPSS scores, and faster vulnerability scanning

New

  • Microsoft Entra ID group sync: connect your Entra tenant under Settings, map groups to endpoint tags, and group membership stays in sync automatically every hour. Tag-based policies follow your directory without manual upkeep.
  • EPSS exploit-prediction scores on vulnerabilities: both vulnerability views now show each CVE's likelihood of real-world exploitation alongside CVSS severity, with sorting and a minimum-EPSS filter to focus on what is most likely to be attacked.
  • A guided setup experience for new tenants walks through enrolling your first endpoint, creating update policies, and organizing endpoints with tags. Replay or turn it off any time from User Settings.

Improved

  • Vulnerability scanning is now incremental: endpoints are rescanned when their software actually changes instead of on every cycle, so results appear faster and fleet-wide scans finish sooner.
  • The endpoints list refreshes automatically in the background, with a toggle to turn this off.

Fixed

  • Notifications for newly detected critical vulnerabilities are now delivered reliably.

Security

  • Ongoing security hardening across the platform as part of our regular security review process.
New, Improved, Fixed

Public status page and clearer vulnerability remediation

New

  • A public status page is available at tridentstack.com/status, covering the application, agent connectivity, documentation, and website with uptime history.

Improved

  • Vulnerability remediation status is clearer: when a fix has been installed but the endpoint has not been rescanned yet, the vulnerability now shows "Update installed, refresh on next scan" with a one-click Re-scan now button, instead of an ambiguous state.
  • After remediating a vulnerability on an endpoint, a follow-up scan runs automatically so the result reflects the fix without waiting for the next scheduled scan.

Fixed

  • Vulnerabilities that only affect the mobile edition of an application are no longer flagged against the desktop edition installed on your endpoints.
New, Security

macOS agent enrollment

New

  • macOS endpoints can now enroll in TridentStack Control. Manage Apple devices alongside your Windows and Linux fleet, including software inventory, update visibility, and policy assignment.

Security

  • The macOS and Linux agent installers now verify the integrity and authenticity of the installation package before installing, protecting against tampered downloads.

Billing and per-endpoint licensing

New

  • Billing is now live. Your first 200 endpoints remain free forever; beyond that, endpoints are $5 per month each, with an annual option that saves two months.
  • Manage your payment method, view invoices, and track license usage directly from the dashboard.
  • Licenses are assigned automatically as endpoints enroll, so there is nothing to provision by hand.
New, Improved

Windows hotpatch visibility and compliance template risk summaries

New

  • Windows hotpatch updates are now identified in the update catalog with a dedicated badge, so you can see at a glance which updates install without requiring a restart. Endpoint detail views show whether each device is hotpatch ready, with a guide for enabling hotpatching in your environment.
  • Compliance templates now show a risk summary before you apply them: how many controls could affect connectivity or sign-in behavior, with the highest-risk controls called out for review.

Improved

  • Hotpatch releases carry full severity information and link to Microsoft's release documentation from the update detail view.
  • Policies created from compliance templates record which framework they came from, so you can trace a setting back to its CIS or DISA STIG source.

TridentStack Control is live

New

  • TridentStack Control is now generally available and serving production customers. One platform for patch management, third-party application updates, vulnerability detection, compliance tracking, and policy management.
  • Native OS update management for Windows and Linux endpoints, with approval workflows, deployment rings for phased rollouts, and supersedence tracking.
  • Third-party application updates with version targeting, silent installation, and per-group configuration profiles.
  • Automatic vulnerability detection from your software inventory, with CVSS severity prioritization and exception management.
  • Compliance framework tracking for CIS Benchmarks, DISA STIGs, Microsoft Security Baselines, and NIST controls, with automated scoring.
  • Policy management with a web-based settings catalog that works with or without Active Directory.
  • Your first 200 endpoints are free forever, with every feature included.