
Release Notes - v6.9.1

  • Version: 6.9.1
  • Build number: 14601
  • Release date: 2026-03-03 (general availability)
  • Server version: nanitor-6.9.1.14601-17532-master
  • Agent version: No agent update in this release
  • Collector version: No collector update in this release

Nanitor v6.9.1 is a server-only fix release that adds AI governance controls, hardens AI feature permissions, and resolves benchmark assignment and scoring issues across Windows and Linux platforms. No agent or collector update is required.


New Features

AI Governance Toggles

Administrators now have granular control over AI-powered features (Remediation Insights and Root Cause Analysis):

  • System-wide toggle - System administrators can enable or disable all AI features across the entire Nanitor instance from System Management. When disabled, no data is sent to external AI services and all AI UI elements are hidden.

  • Per-organization toggle - Organization administrators can enable or disable AI features for their specific organization. This is particularly useful for MSPs managing multiple tenants with different compliance requirements. The setting is inheritable, so disabling AI on a parent organization cascades to all sub-organizations.

Figure: System-wide AI toggle in System Management Security Settings. Enable or disable AI features for the entire instance.
Figure: Per-organization AI toggle in Organization Management. Enable or disable AI features per organization. The setting is inheritable.

The system-wide setting takes precedence: if AI is disabled at the system level, per-organization settings have no effect. Both toggles default to enabled, preserving existing behavior for current deployments. For details on what data AI features process and how it is handled, see AI Data Handling and Privacy.
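The precedence rule above, modelled as a fail-closed gate that would run before any data leaves for an external AI service (an added example, not Nanitor's code). The Org model, the organization names, and the reading that a sub-organization cannot re-enable AI once an ancestor has disabled it are assumptions.

```python
# Added illustration; not Nanitor code. Data model and names are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Org:
    name: str
    parent: Optional[str] = None   # None marks a top-level organization
    ai_enabled: bool = True        # per-organization toggle, default enabled


def ai_allowed(system_enabled: bool, orgs: Dict[str, Org], org_name: str) -> bool:
    """Return True only if the system toggle and every toggle on the path
    from org_name up to its top-level ancestor are enabled."""
    if not system_enabled:
        return False               # system-wide setting takes precedence
    seen = set()
    current: Optional[str] = org_name
    while current is not None:
        org = orgs.get(current)
        if org is None or current in seen:
            return False           # unknown org or parent loop: fail closed
        seen.add(current)
        if not org.ai_enabled:
            return False           # disabled here or on an ancestor
        current = org.parent
    return True


# Constructed MSP tenant tree: tenant-a has opted out, tenant-b has not.
ORGS = {
    "msp": Org("msp"),
    "tenant-a": Org("tenant-a", parent="msp", ai_enabled=False),
    "tenant-a-emea": Org("tenant-a-emea", parent="tenant-a"),
    "tenant-b": Org("tenant-b", parent="msp"),
}

if __name__ == "__main__":
    for name in ORGS:
        print(f"{name}: AI allowed = {ai_allowed(True, ORGS, name)}")
```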


Improvements

  • AI RCA: Permission enforcement and user-initiated analysis. Root Cause Analysis now requires explicit user action via an "Analyze with AI" button instead of auto-triggering on page view. Proper permission checks have been added to all RCA endpoints. Users with view-only permissions can see existing results but cannot trigger new analysis. RCA is also now restricted to relevant issue types (vulnerability, misconfiguration, patch, software policy).

  • AI Remediation Insights: Permission tightening. Generating AI remediation advice now requires Manage Issues permission instead of View Issues. Users without Manage Issues can still view existing AI-generated advice but cannot trigger new generation.


Benchmarks & Feed Updates

This release includes new benchmark content and fixes for Windows and Linux platforms. Benchmark updates ship via the compliance feed independently of product releases and are fetched automatically. See the Benchmark Changelog for feed publication status.

  • New: CIS Windows Server 2025 Standalone v1.0.0. New benchmark for non-domain-joined Windows Server 2025 devices. Automatically assigns to standalone Server 2025 systems alongside the existing domain-joined benchmark.

  • Ubuntu 24.04 LTS: False failures in multiple checks. Fixed false failure results in crontab, UFW, and rsyslog checks on the CIS Ubuntu 24.04 LTS benchmark.

  • Windows Server 2019/2022: Guest account rename check. Fixed a false negative where the "Rename guest account" check was incorrectly passing. The rule now uses SID-based lookup instead of username enumeration, which could miss the disabled Guest account.

  • Windows 11 Intune: Defender rule false positives. Fixed 3 Defender rules (Allow Behavior Monitoring, Allow Full Scan Removable Drive Scanning, Allow scanning of downloaded files) that were checking Group Policy registry paths instead of the Intune/MDM Policy Manager paths. Devices correctly configured via Intune were being flagged as non-compliant.

  • Print Spooler false positive across 6 Windows benchmarks. Fixed a false positive on the Print Spooler service check affecting Windows 10, 11 Intune, Server 2012 R2, 2022, 2025, and 2025 Standalone benchmarks. When the Spooler service is not installed (common on Server Core), the check now correctly reports compliant instead of failing.


Bug Fixes

  • Windows Server 2022: Benchmark auto-assignment. Fixed an issue where new Windows Server 2022 devices were not being auto-assigned the correct benchmark. The root cause was a missing CPE requirement flag in a prior benchmark revision, causing stale CPE data in the database. A new revision forces CPE re-processing, restoring correct assignment for newly onboarded devices.

  • Windows Server 2025: Duplicate benchmark assignment. Fixed an issue where Windows Server 2025 devices could be assigned both the domain-joined and standalone benchmarks simultaneously.

  • AI RCA: Token limit exceeded on large issues. Fixed an error where Root Cause Analysis failed on issues with very large forensic datasets (e.g., identity issues with tens of thousands of match records). The RCA context is now limited to up to 10 detection matches per device, up to 20 affected devices per issue, and an overall character limit on the total context with truncation if exceeded.

  • Software Title Details: Incorrect issue count. Fixed an issue where the Issues tab on the Software Title Details page displayed an inflated count that only corrected when the tab was clicked. The underlying query was missing an organization filter, causing it to count issues across tenants.
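The context limits described in the AI RCA token-limit fix above, written as a bounded context builder (an added example, not Nanitor's code). The 10-match and 20-device caps come from the release notes; MAX_CONTEXT_CHARS, the truncation marker and the input shape are assumptions, since the notes do not state the character limit.

```python
# Added illustration; not Nanitor code. MAX_CONTEXT_CHARS is a placeholder:
# the release notes do not state the actual character limit.
from typing import Dict, Iterable, Iterator, List, Tuple

MAX_MATCHES_PER_DEVICE = 10   # from the release notes
MAX_DEVICES_PER_ISSUE = 20    # from the release notes
MAX_CONTEXT_CHARS = 4000      # assumed value
TRUNCATION_MARK = "\n[context truncated]"


def build_rca_context(matches: Iterable[Tuple[str, str]],
                      max_chars: int = MAX_CONTEXT_CHARS) -> str:
    """matches yields (device_id, match_text) pairs in detection order."""
    per_device: Dict[str, List[str]] = {}
    for device, text in matches:
        if device not in per_device:
            if len(per_device) >= MAX_DEVICES_PER_ISSUE:
                continue                      # device cap reached, skip new devices
            per_device[device] = []
        if len(per_device[device]) < MAX_MATCHES_PER_DEVICE:
            per_device[device].append(text)   # per-device match cap

    lines: List[str] = []
    for device, texts in per_device.items():
        lines.append(f"device {device}:")
        lines.extend(f"  - {t}" for t in texts)
    context = "\n".join(lines)

    # Overall character limit: cut and mark, never exceed max_chars.
    if len(context) > max_chars:
        keep = max(0, max_chars - len(TRUNCATION_MARK))
        context = (context[:keep] + TRUNCATION_MARK)[:max_chars]
    return context


def sample_matches(devices: int, per_device: int) -> Iterator[Tuple[str, str]]:
    """Constructed input resembling a large identity issue."""
    for d in range(devices):
        for m in range(per_device):
            yield (f"dev-{d:03d}", f"match {m} for account svc-{m}")


if __name__ == "__main__":
    ctx = build_rca_context(sample_matches(50, 1000))
    print(len(ctx), "characters sent as context")
```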


Thank you for using Nanitor! For more in-depth documentation, visit the Nanitor User Guide or our Knowledgebase.