Tanium Patch™ User Guide
Version 2.0.4
May 09, 2017
The information in this document is subject to change without notice. Further, the information provided in this document is provided "as is" and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium's customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.
Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Please visit https://docs.tanium.com for the most current Tanium product documentation.
Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners.
© 2017 Tanium Inc. All rights reserved.
© 2017 Tanium Inc. All Rights Reserved Page 2
Table of contents
Tanium Patch overview
Patch scanning options
Working with lists of patches
How deployments work
Planning Maintenance Windows
Getting started with Patch
Patch requirements
Tanium dependencies
Tanium Server and Module Server computer resources
Endpoint resource requirements
Third-party software
Host and network security requirements
Security exclusions
Internet URLs
Console Role requirements
Installing Patch
Import the Patch Module
Set the Service Credentials
Organize Computer Groups
Upgrade the Patch version
Enforcing Scan configurations
Create a Scan Configuration
Edit a Scan Configuration
View enforcement status
Prioritize Scan Configurations
Remove a scan enforcement
Delete a Scan Configuration
Managing patches
How Patch List rules work
Create a Patch List
Exclude patches with blacklists
Create lists from the Patches view
Edit a list
Check patch visibility
Export a list
Import a list
Delete a list
Deploying patches
Possible deployment results
Create a deployment to install patches
Create a deployment to uninstall patches
Create deployments from the Patches view
Review deployment summary
Add targets to an existing deployment
Reissue a deployment
Stop a deployment
Setting Maintenance Windows
Maintenance Window options
Create a Maintenance Window
Edit a Maintenance Window
Delete a Maintenance Window
Patch use cases
Example 1: Automatically deploy key 2016 patches
Example 2: Create a Blacklist that excludes .NET patches
Example 3: Stagger patch deployment to a worldwide network
Troubleshooting Patch
Resolve missing patch data
Change the Endpoint Status Report Setting
Change the patch visibility aggregation
Adjust the Deployment Retries
Check and update the Windows Update Agent
Collect a troubleshooting package
Uninstall Patch
Tanium Patch overview
Tanium Patch™ (Patch) is a powerful tool for managing Windows operating system patching across your enterprise at the speed and scale of Tanium. Patch provides a straightforward workflow to deploy a single patch to a Computer Group immediately or perform more complex tasks, such as using advanced rule sets and maintenance windows to deliver groups of patches across your environment at the times you want.
Patch generates in-depth reports and returns current patch applicability results from every endpoint. Patch can summarize the deployment status for any patch or Patch List, providing the following information:
- The patch details, such as severity, release date, applicable Common Vulnerabilities and Exposures (CVE), files, and links to knowledge base articles.
- The status of the patch, split out by Computer Group.
- The assigned Patch Lists or Blacklists for the patch.
You can also define custom workflows and schedule patches based on rules or exceptions built around Patch Lists, Blacklists, and Maintenance Windows. For example, Patch can be configured to always apply critical Microsoft patches to all machines except for datacenter servers, or to always exclude .NET patches, or to install patches during non-working hours.
Patch scanning options
Patch has several ways to scan your endpoints to determine the installed and missing patches across your network. Patch can maintain multiple scan configurations, which allow you to use any scan method that you need, set the frequency of the scan, and apply the configuration to Computer Groups, known as an enforcement. Only one scan configuration can be used for an endpoint; if the endpoint is included in multiple Computer Groups, the highest priority scan configuration is applied.
Review the following list of scanning options to decide the best method to use for each Computer Group.
Table 1: Available patch scanning options

Scan method: Offline CAB file
Updates included: Cumulative security and quality patches only
Client impact: Moderate, during scanning activity
Connectivity: The CAB file is stored locally by the Tanium Client
Details: Requires 200+MB download of CAB file

Scan method: Online to Microsoft
Updates included: Critical patches; cumulative security and quality patches; non-security and optional updates
Client impact: Moderate, during first scan; low, subsequent
Connectivity: The Client must contact Microsoft directly
Details: Typically not allowed by company policy; additional network traffic to Microsoft

Scan method: Windows Server Update Services (WSUS) Scan
Updates included: Critical patches; cumulative security and quality patches; non-security and optional updates
Client impact: Low
Connectivity: The Client must contact the WSUS server
Details: Must deploy and configure one or more WSUS servers; updates must be approved in WSUS prior to scanning or deployment.
Note: If you are using Microsoft System Center Configuration Manager (SCCM) with your WSUS server, do not use Tanium for WSUS scanning with the same server.
Working with lists of patches
You can group patches into those that can be applied, known as Patch Lists, and the patches that must be excluded into Blacklists. These lists can be determined by any detail included in the patch information. For example, you could:
- Create lists based on severity, prioritizing the most critical and most recent updates first.
- Focus only on CVE issues.
- Create lists based on the month or a specific release date.
As new patches come out, you can use dynamic rules to automatically assess and populate patches to the appropriate lists. Lists can be iteratively developed, with each set of your changes creating a new version of the list. Then you can deploy based on the list and whichever version you need.
In October 2016, Microsoft changed the way they provide software patch updates to include three patch types. As security patches in the Security Only Updates and Quality Rollups are the same, we recommend blacklisting patches with either the Title containing "Quality Rollup" or the Title containing "Security Only". This prevents pushing the patches twice and prevents endpoints from running the patch install twice. In addition, there are now Preview Rollups for early adoption of quality-related updates. For more information, see the Microsoft article on Simplified Servicing.
How deployments work
Deployments compile patches, typically from lists, and then distribute Patch packages to the target computers using the Tanium file distribution mechanism. You can configure deployment options to set when and how patches are installed or uninstalled. For example, you might want to restart an endpoint after patches have been installed to apply the changes. If a patch comes out that would normally be blacklisted but is needed for some reason, you can override the blacklist for that specific deployment rather than making a new version of the blacklist. In urgent situations, you can even override a closed Maintenance Window.
Planning Maintenance Windows
Maintenance Windows designate the permitted times that the targeted Computer Groups are open for patches to be installed or uninstalled. You can have multiple Maintenance Windows, even with overlapping times, as these windows do not interfere with each other.
For a patch deployment to take effect, the deployment and Maintenance Window times must be met.
We recommend establishing a maintenance cycle that keeps your endpoints as up-to-date as possible. Many security risks can be avoided with good operational hygiene. Some considerations might include coordinating with the Microsoft Patch Tuesday releases, on weekends, or outside the core work hours for your network.
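The deployment-time and Maintenance Window rule described above, modeled in Python as an added illustration (not Tanium's scheduler). The Computer Group windows, the deployment start time and all function names are constructed assumptions; the two Waiting sub-status strings are the ones listed later in this guide under Possible deployment results.

```python
"""Deployment time plus Maintenance Window gating, as an added illustration.

Not Tanium's scheduler: windows, timestamps and function names are
constructed assumptions. It models the rules stated in the guide: a
deployment acts on an endpoint only when the deployment time is reached AND
a Maintenance Window of the endpoint's Computer Group is open; overlapping
windows do not interfere (any open window suffices); and Override
Maintenance Windows skips the window check.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class MaintenanceWindow:
    """Weekly recurring window: open on the given weekdays (Monday = 0)
    from start up to, but not including, end. A window that crosses
    midnight is expressed as two windows."""
    weekdays: frozenset
    start: time
    end: time

    def is_open(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Deployment:
    start_time: datetime
    override_maintenance_windows: bool = False


# Constructed windows per Computer Group. "Servers" has two overlapping
# windows (weekend nights plus a short nightly slot); the guide allows that.
WINDOWS = {
    "Servers": [
        MaintenanceWindow(frozenset({5, 6}), time(1, 0), time(5, 0)),
        MaintenanceWindow(frozenset(range(7)), time(2, 0), time(3, 0)),
    ],
    "Workstations": [
        MaintenanceWindow(frozenset(range(7)), time(20, 0), time(23, 59)),
    ],
}

# Constructed deployment: starts Wednesday 2017-05-10 09:00 endpoint local time.
DEPLOYMENT = Deployment(datetime(2017, 5, 10, 9, 0))


def endpoint_status(deployment: Deployment, group: str, now: datetime) -> str:
    """Sub-status an endpoint in `group` would report at `now`, using the
    Waiting sub-status names from Possible deployment results."""
    if now < deployment.start_time:
        return "Waiting for Deployment Start Time"
    if deployment.override_maintenance_windows:
        return "Installing"
    if any(w.is_open(now) for w in WINDOWS.get(group, [])):
        return "Installing"
    return "Waiting for Maintenance Window"


def next_opportunity(deployment: Deployment, group: str, now: datetime,
                     horizon_days: int = 8):
    """First whole minute at or after `now` when the deployment can act on
    the group, or None if no window opens within the horizon."""
    earliest = max(now, deployment.start_time)
    t = earliest.replace(second=0, microsecond=0)
    if t < earliest:
        t += timedelta(minutes=1)
    horizon = t + timedelta(days=horizon_days)
    while t < horizon:
        if endpoint_status(deployment, group, t) == "Installing":
            return t
        t += timedelta(minutes=1)
    return None


def status_at(group: str, when: str, override: bool = False) -> str:
    """Convenience wrapper taking an ISO timestamp such as '2017-05-10T10:00'."""
    dep = Deployment(DEPLOYMENT.start_time, override)
    return endpoint_status(dep, group, datetime.fromisoformat(when))


def next_opportunity_at(group: str, when: str):
    """ISO timestamp of the next opportunity for DEPLOYMENT, or None."""
    t = next_opportunity(DEPLOYMENT, group, datetime.fromisoformat(when))
    return t.isoformat(timespec="minutes") if t else None
```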
Getting started with Patch
1. Install the Patch module by following the steps outlined in Installing Patch on page 13. If you are upgrading your version of Patch, see Upgrade the Patch version on page 14.
2. Create a Scan Configuration and add enforcements, see Enforcing Scan configurations on page 15.
3. Organize the available patches, see Managing patches on page 19.
4. Install patches on endpoints, see Deploying patches on page 25.
5. Create patch restrictions, see Exclude patches with blacklists on page 20 or Setting Maintenance Windows on page 32.
Patch requirements
Review the requirements before you install and use Patch.
Tanium dependencies
In addition to a license for the Patch product module, make sure that your environment also meets the following requirements.
Component: Platform
Requirement: 6.5.314.4380 or later. Enhanced functionality is available with version 7.0.314.6319 and later. As part of this, we recommend installing Tanium Interact™ (Interact). For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Component: Tanium Client
Requirement: Patch is supported on Windows endpoints. We recommend using the Tanium Client 1540 and later. For more information, see Tanium Client Deployment Guide: Prerequisites.
Tanium Server and Module Server computer resources
Patch is installed and runs as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage. For more information, see Tanium Core Platform Installation Guide: Host computer sizing. You might need to tune the Tanium Server download bytes and download limit settings (DownloadBytesPerSecondLimit) for your environment. Contact your Technical Account Manager (TAM) for details.
Endpoint resource requirements
Under the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB and set the Hot cache (HotCachePercentage) to 80%.
For more information, see Tanium Client Deployment Guide: Managing Global Settings.
If VDI is used in your environment, see the Tanium Client Deployment Guide: VDI.
Third-party software
Patch requires that endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, we suggest disabling the Windows Update Agent automatic functions at the domain level.
Host and network security requirements
Specific processes and URLs are needed to run Patch.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
Target device: Module Server
Process: node.exe or "<Tanium Module Server directory>\services\patch\node.exe" service.js

Target device: Endpoint computers
Process: tanium-Patch.min.vbs, wsusscn2.cab
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs.
- http://download.windowsupdate.com/
- http://go.microsoft.com/fwlink/?linkid=74689
Console Role requirements
Different role types have varying privileges within Patch. Administrators can perform all functions; however, other role types are limited.
Table 2: Console Role Requirements

Role Type: Content Administrators
Patch Privileges:
- Initialize Patch service
- Create, modify, or delete Scan Configurations and enforce against Computer Groups
- Create, modify, or delete Patch Lists and Blacklists
- Create, modify, or delete deployments and target Computer Groups
- Create, modify, or delete Maintenance Windows and enforce against Computer Groups

Role Type: Action/Sensor Authors or Action Authors
Patch Privileges:
- Create, modify, or delete Scan Configurations and enforce against Computer Groups
- Create, modify, or delete Patch Lists and Blacklists
- Create, modify, or delete deployments and target Computer Groups
- Create, modify, or delete Maintenance Windows and enforce against Computer Groups
Installing Patch
You can install Patch from the Tanium Console where you can import the module, set the service credentials, and organize your computer groups.
Import the Patch Module
Install Patch by importing it from the Tanium Console.
Note: Installing Patch 2.0 or later disables the Tanium Windows Security Patch content. There is no need to have both solutions.
1. From main navigation menu, click Tanium Solutions.
2. Under Patch, click Import.
A progress bar is displayed as the installation package is downloaded.
3. Click Continue.
The Import Solution window opens with a list of all changes and import options.
4. Click Proceed with Import and enter your password.
The Tanium Patch installation and configuration process begins.
5. Click Close.
6. To confirm the installation, return to the Tanium Solutions page and check the Installed version for Patch.
Tip: If you do not see the Patch module in the console, refresh your browser.
Set the Service Credentials
The Patch module must be initialized by a Tanium User with Administrator or Content Administrator permissions to allow recurring maintenance activities. This is a one-time step; no other credentials need to be added.
1. From the Patch home page under the Required Setup Steps, click the Service Credential link.
2. In the Tanium Patch Initial Setup window, enter your Tanium credentials.
3. Click Initialize.
Organize Computer Groups
One way to apply Patches and view deployment results is by Computer Group. We recommend creating relevant Computer Groups to organize your endpoints. Some options include:
- Endpoint type, such as servers or employee workstations
- Endpoint location, such as by country or time zone
- Endpoint priority, such as business-critical machines
- Endpoint configuration needs, such as VDI machines
For more information, see Tanium Core Platform User Guide: Managing Computer Groups.
Upgrade the Patch version
You can upgrade Patch to the latest version from the Tanium Console.
IMPORTANT: Patch 1.x must be uninstalled prior to installing Patch 2.x. This includes removing the Tanium Patch folder on the Tanium Module Server. Contact your TAM for assistance.
1. From the main navigation menu, click Tanium Solutions.
2. Locate Patch and click Upgrade version.
A progress bar is displayed as the installation package is downloaded.
When the download completes, the Content Import Review window opens. The contents of the installation package are shown in the Overview section of the window. The contents include Saved Actions that Trace uses to distribute client tools as well as Sensors used to gather information from network endpoints.
3. Click Continue.
4. Enter your password to start the upgrade.
5. To confirm the upgrade, return to the Tanium Solutions page and check the Installed version for Patch.
Tip: If the Patch version has not updated in the console, refresh your browser.
Enforcing Scan configurations
The list of available patches comes from scanning the endpoints in your network. You can select a scanning technique and specify how often the source is scanned, known as Scan Configurations. A Scan Configuration is enforced by targeting Computer Groups.
The available scanning techniques include:
- Offline CAB file (recommended)
- Online Microsoft Windows Update
- Windows Server Update Services (WSUS) Scan
IMPORTANT: If you are using a WSUS server, the WSUS Server URL must be whitelisted on the Tanium Server as a regular expression, following this format:
http:\/\/wsusservername\.domain\.com\:port\/.*
Patches on the WSUS server must be approved before they can be downloaded.
On the Patch home page, the latest status of the offline CAB file is available. The active CAB file is the most recent, verified file published by Microsoft. Patch uses only the active CAB file for Scan Configurations; a rejected CAB file is not pushed to a Computer Group.
Figure 1: Example CAB file status
Create a Scan Configuration
You can create multiple Scan Configurations and add Computer Group enforcements as needed to suit your environment.
1. In the left navigation pane, click Scan Management.
2. Click Create Configuration.
3. Name the configuration.
4. Choose the configuration options.
a. Select a Configuration Technique.
b. In the Frequency field, enter a number and a time parameter from the dropdown menu.
We recommend an interval of one day or longer between scans.
c. (Optional) Override the frequency by enabling Scan upon new CAB file.
This ensures that the endpoints are scanned whenever a CAB file is published.
d. (Optional) Enable Random Scan Delay and enter a time to distribute the network activity.
The default is 120 minutes.
Tip: For VDI environments, we recommend a longer delay to reduce the impact of the scan on the host system.
5. Click Save.
6. On the Scan Configuration Details page, add one or more Computer Groups.
a. Select Computer Groups from the drop-down menu.
Enabling the patch applicability results provides a refined aggregation for the specific Computer Group.
b. Click Add and enter your password.
c. Enter your password and click Confirm.
The list of available patches might appear within 15-30 minutes. Longer scan delays might result in patches appearing slowly. If no data appears after the scan delay, contact your TAM. If an endpoint is unable to participate in the scan, for example if it was offline, it will be scanned at the earliest opportunity.
Edit a Scan Configuration
You can change existing Scan Configurations.
1. In the left navigation pane, click Scan Management.
2. On the Scan Configurations tab, select a configuration.
3. To change configuration options, click Edit.
4. Click Save and enter your password.
5. To change the Targeted Computer Groups, click Add Computer Group or the appropriate Delete icon.
View enforcement status
You can quickly review a Scan Configuration to see which endpoints in each Computer Group the configuration has been enforced against.
1. In the left navigation pane, click Scan Management.
2. On the Scan Configurations tab, select a configuration.
3. Expand the Computer Group to see more details about the scan status.
4. Click the Interact icon to be taken to the Question results for each endpoint.
The Interact results grid shows the endpoint status and the reason, if it is not enforced.
Prioritize Scan Configurations
You can create multiple Scan Configurations with multiple Computer Groups. The order of the configuration decides its priority. If an endpoint is a member of multiple Computer Groups with conflicting configurations, only the highest priority configuration is applied to the endpoint.
1. In the left navigation pane, click Scan Management.
2. On the Scan Configurations tab, click Prioritize.
3. Move the Scan Configurations by dragging and dropping or entering a number into the Conflict Resolution Order field and pressing Enter.
4. Click Save and enter your password.
Remove a scan enforcement
Removing a Computer Group from a Scan Configuration removes the enforcement.
1. In the left navigation pane, click Scan Management.
2. On the Scan Configurations tab, select a configuration.
3. Delete the Computer group.
4. When prompted, enter your password and click Confirm.
Delete a Scan Configuration
After the enforcements are removed, you can delete a Scan Configuration.
1. In the left navigation pane, click Scan Management.
2. On the Scan Configurations tab, select a configuration.
3. If the Scan Configuration is enforced against Computer Groups, remove all groups.
4. In the upper right, click Delete.
5. Confirm the deletion.
Managing patches
You can manage patches using Patch Lists and Blacklists. Patch Lists are groups of patches that are allowed to be applied on the targeted Computer Groups. Blacklists are groups of patches that are specifically excluded from being downloaded or deployed to the targeted Computer Groups.
How Patch List rules work
Though you can manually select patches to include in a Patch List, it is more efficient to use rules to dynamically populate lists of patches. As patches are added to the Available Patches list, Tanium assesses those patches for inclusion on a list by comparing them to rules. You can create rules from customized conditions that define which part of the patch description to examine. Build conditions using one option from each condition field:
Table 3: Rule condition options

Condition: Column
Available options: Title; Severity; Release Date; Bulletins; KB Articles; CVE

Condition: Type
Available options: Contains; Equals; Does Not Contain; Release Date on or After; Release Date on or Before

Condition: Expression
Available options: The search criteria used in the expression.
IMPORTANT: When a rule has more than one condition, the conditions are connected with the AND operator. Patches must meet all of the conditions to be included.
When a list has multiple rules, the rules are connected with the OR operator, so patches that meet any rule are included on the list.
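The AND-within-a-rule and OR-across-rules semantics above, the case-insensitive searches described in the procedures that follow, and the "Quality Rollup" / "Security Only" blacklist recommendation from Working with lists of patches, modeled in Python as an added illustration (not Tanium's code). The patch records, bulletin, KB and CVE values are constructed placeholders, and every function name is an assumption.

```python
"""Patch List / Blacklist rule evaluation, as an added illustration.

Not Tanium's code: the patch records, KB and CVE values are constructed
placeholders and the function names are assumptions. Semantics follow the
guide: conditions inside one rule are ANDed, rules on one list are ORed,
text searches are case-insensitive, and Column/Type names come from Table 3.
"""
from datetime import date

# Constructed Available Patches records (placeholder bulletin/KB/CVE ids).
PATCHES = [
    {"title": "2017-04 Security Monthly Quality Rollup for Windows 7",
     "severity": "Critical", "release_date": date(2017, 4, 11),
     "bulletins": ["MS00-001"], "kb_articles": ["KB0000001"], "cve": ["CVE-0000-0001"]},
    {"title": "2017-04 Security Only Quality Update for Windows 7",
     "severity": "Critical", "release_date": date(2017, 4, 11),
     "bulletins": ["MS00-001"], "kb_articles": ["KB0000002"], "cve": ["CVE-0000-0001"]},
    {"title": "Cumulative Security Update for Internet Explorer 11",
     "severity": "Critical", "release_date": date(2017, 4, 11),
     "bulletins": ["MS00-002"], "kb_articles": ["KB0000003"], "cve": ["CVE-0000-0002"]},
    {"title": "Security Update for Windows Media Player",
     "severity": "Important", "release_date": date(2016, 12, 13),
     "bulletins": ["MS00-003"], "kb_articles": ["KB0000004"], "cve": ["CVE-0000-0003"]},
    {"title": "2017-04 Preview of Monthly Quality Rollup for Windows 7",
     "severity": "Unspecified", "release_date": date(2017, 4, 18),
     "bulletins": [], "kb_articles": ["KB0000005"], "cve": []},
]

# Table 3 "Column" names mapped onto the record fields above.
TEXT_COLUMNS = {"Title": "title", "Severity": "severity", "Bulletins": "bulletins",
                "KB Articles": "kb_articles", "CVE": "cve"}


def condition_matches(patch, column, ctype, expression):
    """Evaluate one condition: Column + Type + Expression (Table 3)."""
    if column == "Release Date":
        target = date.fromisoformat(expression)
        value = patch["release_date"]
        if ctype == "Release Date on or After":
            return value >= target
        if ctype == "Release Date on or Before":
            return value <= target
        if ctype == "Equals":
            return value == target
        raise ValueError(f"{ctype} is not valid for Release Date")
    raw = patch[TEXT_COLUMNS[column]]
    # Bulletins, KB Articles and CVE are multi-valued; Title and Severity are
    # single strings. Searches are case-insensitive, so compare lower-cased.
    values = [v.lower() for v in (raw if isinstance(raw, list) else [raw])]
    expr = expression.lower()
    if ctype == "Contains":
        return any(expr in v for v in values)
    if ctype == "Equals":
        return any(expr == v for v in values)
    if ctype == "Does Not Contain":
        return all(expr not in v for v in values)
    raise ValueError(f"{ctype} is not valid for {column}")


def rule_matches(patch, rule):
    """Conditions within one rule are connected with AND."""
    return all(condition_matches(patch, *cond) for cond in rule["conditions"])


def evaluate_list(patches, rules):
    """Rules within one list are connected with OR."""
    return [p for p in patches if any(rule_matches(p, r) for r in rules)]


def deployable(patches, patch_list_rules, blacklist_rules, override_blacklist=False):
    """Titles a deployment built from the Patch List would push: Blacklist
    hits are removed unless the deployment sets Override Blacklists."""
    allowed = evaluate_list(patches, patch_list_rules)
    if override_blacklist:
        return [p["title"] for p in allowed]
    blocked = {p["title"] for p in evaluate_list(patches, blacklist_rules)}
    return [p["title"] for p in allowed if p["title"] not in blocked]


# Patch List: critical patches released in 2017 OR anything fixing one CVE.
PATCH_LIST_RULES = [
    {"name": "Critical 2017",
     "conditions": [("Severity", "Equals", "critical"),
                    ("Release Date", "Release Date on or After", "2017-01-01")]},
    {"name": "Specific CVE", "conditions": [("CVE", "Contains", "cve-0000-0003")]},
]

# Blacklist following the guide's recommendation: pick one of the two rollup
# flavours (here "Security Only") so the same fixes are not installed twice.
BLACKLIST_RULES = [
    {"name": "Security Only", "conditions": [("Title", "Contains", "Security Only")]},
]
```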
Create a Patch List
You can sort patches into manageable Patch Lists for use in deployments. You can add individual patches to the list or populate the list dynamically with rules.
1. In the left navigation pane, click Patch Lists.
2. Click Create Patch List.
3. Name the list.
4. Add patches.
To add patches dynamically:
a. Click Add Rule.
b. Name the rule.
c. Select a Comparison Column and Comparison Type.
d. Type in the expression to search against. Searches are case-insensitive.
To add patches manually:
a. Click Add Patches Manually.
b. Select the patches that you want.
c. (Optional) Click the patch title to see the details in a new browser tab. You can get details about the patch, visibility into the results by Computer Group, and the associated lists.
5. Preview the changes.
6. Click Create.
To distribute the patches to endpoints, you must Create a deployment to install patches on page 27.
Exclude patches with blacklists
A Blacklist is a collection of patches that are prohibited from downloading or deploying to the targeted Computer Groups. You can add individual patches to the list or populate the list dynamically with rules. Unlike Patch Lists, you do not need to create a deployment to enforce a Blacklist.
Tip: We recommend blacklisting patches with the Title containing either "Quality Rollup" or "Security Only" to avoid redundant patch deployments. For more information, see Working with lists of patches on page 7.
1. In the left navigation pane, click Blacklists.
2. Click Create Blacklist.
3. Name the list.
4. Add patches.
To add patches dynamically:
a. Click Add Rule.
b. Name the rule.
c. Select a Comparison Column and Comparison Type.
d. Type in the expression to search against. Searches are case-insensitive.
To add patches manually:
a. Click Add Patches Manually.
b. Select the patches that you want.
c. (Optional) Click the patch title to see the details in a new browser tab. You can get details about the patch, visibility into the results by Computer Group, and the associated lists.
5. Preview the changes.
6. Click Create.
7. On the Blacklist Details page, scroll down and select the targeted Computer groups.
The Blacklist is distributed to the selected endpoints and those patches are blocked.
Note: If an endpoint is brought online with a patch already installed that is blacklisted, the patch remains until it is uninstalled.
Create lists from the Patches view
In addition to creating a list from the Patch Lists or Blacklists page, you can also select individual patches to build them.
1. In the left navigation pane, click Patches.
2. Select one or more patches.
3. From the More drop-down menu, select the list type.
4. Complete the list.
Edit a list
When a Tanium User changes an existing list, the changes become a new version of the list.
By doing some basic changes, such as adding a rule for each new month, you can refine your patch testing and roll up changes without creating a new list.
1. In the left navigation pane, click Patch Lists or Blacklists.
2. Click the list name.
3. Click Edit.
4. Make your changes.
5. Preview the changes.
6. Click Save.
Check patch visibility
You can get details about the patch, the installation results by Computer Group, and the associated lists.
1. In the left navigation pane, click Patches.
2. (Optional) Under Patches, click Applicable to see the patches that are not installed.
3. Click the patch name.
4. Expand the section you want to see.
- Patch Summary shows the severity and the associated lists.
- Patch Details has release date, KB numbers, files, size, URLs, and a link to Microsoft support.
- Visibility splits out the patch results by Computer Group. Hovering over the name shows the Interact icon to see the results by endpoint.
- Patch Lists and Blacklists are a summary, by list, that includes the number of patches on the list, rules, version, and creation details.
Export a list
You can facilitate the migration of patch content by exporting lists. The exported file includes rules and manually added patches. This is particularly useful in progressive deployment models where patches must be moved from a testing to a production environment.
1. In the left navigation pane, click Patch Lists or Blacklists.
2. Click the list name.
3. (Optional) Select the version.
4. Click Export.
The JSON file is available in your downloads folder. The file name is the list identifier; the actual list name appears after import.
Import a list
Exported lists can be imported into a new environment. The import contains the latest version of the list and the version is set to 1 in the new environment.
Note: You cannot import a list with the same name as an existing list.
1. In the left navigation pane, click Patch Lists or Blacklists.
IMPORTANT: Take care to import the list only as the correct list type.
2. Click Import.
3. Browse to the list JSON file.
4. Click Import.
Delete a list
Deleting a list does not delete patches; it only deletes the assembled list and any previous versions.
Note: Remove Computer Group enforcements from a Blacklist before deleting it.
1. In the left navigation pane, click Patch Lists or Blacklists.
2. Select the list name.
3. Click Delete.
4. On the confirmation window, click Delete.
Deploying patches
After you have organized the available patches into lists, you must deploy the lists to the target endpoints. These deployments can install or uninstall patches, which lets you make sweeping changes to maintain operational hygiene. They can run a single time or be ongoing, so that computers that come online after being offline are also covered.
Possible deployment results
The deployment results are available in two different formats, an overview comparing all deployments and a detailed view of the specific deployment.
The overview summarizes the status of the deployment as a whole. You can expand the results to see the number of Computer Groups targeted, Patch Lists, and further details about who created the deployment and when.
Figure 2: Deployment overview results
From the deployment details page, the Results section shows the endpoint count per status group. Expanding a status group provides a further breakdown and the Interact icon to pivot to the endpoint list.
Figure 3: Installation results for the deployment
The following is a list of all possible deployment status groups and the sub-statuses. If there has been more than one attempt, the status might be appended with - Retry #, for example "Downloading - Retry 2."

Status group: Waiting
Sub-statuses:
- Waiting for Deployment Start Time
- Waiting for Maintenance Window

Status group: Downloading
Sub-statuses:
- Downloading
- Download Complete Waiting
- Download Complete, Waiting for Deployment Start Time
- Download Complete, Waiting for Maintenance Window

Status group: Installing
Sub-statuses:
- Pre-Install Scan
- Installing
- Pending Restart
- Post-Install Scan

Status group: Complete
Sub-statuses:
- Complete, All Patches Applied / Removed
- Complete, Some Patches Applied / Removed
- Error, No Patches Applied / Removed
- Error, Install / Uninstall Aborted

Further down, Patch returns relevant, actionable information about why the deployment was not successful on specific endpoints. Each type of error includes the Patch List or Blacklist number, a brief description, the error number, the count of affected machines, and the Interact icon to drill down. If no list number is provided, it indicates a general issue.
Figure 4: Patching errors example
Create a deployment to install patches
With Install deployments, you can download and install patches to target Computer Groups. Create a single deployment or set up ongoing deployments to ensure that offline endpoints are addressed when they come online.
1. In the left navigation pane, go to Deployments > Installs.
2. Click New.
3. Name the deployment.
4. Select the deployment options you need.
a. Designate the deployment times and repetition pattern.
You can choose from your browser time or local time on the endpoint.
b. If you want the endpoints to download the patch content before the installation time, select Download immediately.
c. To reduce the network load, select Distribute over time and the time.
d. If you want to ignore patching restrictions, select Override Blacklists or Override Maintenance Windows.
e. Select whether the endpoint must restart.
IMPORTANT: There is no end user notification.
5. Add one or more Patch Lists and select their version or add patches manually.
6. Select your targets.
You can add endpoints with either or both of the following methods:
- Add Computer Group provides a drop-down list of all filter-based Computer Groups. These groups can be included or excluded from patch applicability results, as needed.
- Add Targeting Question filters on all endpoints with a specific set of criteria. For example, you can type Computer Name containing win to target all Windows endpoints. The deployment is applied to all endpoints that meet the criteria; individual rows cannot be selected.
7. Preview the changes.
8. Click Deploy.
9. Enter your password and click Confirm.
Tip: If you want to reboot separately, you can create a deployment without patches that includes the restart setting.
To change the number of retries for each phase of a deployment, see Adjust the Deployment Retries on page 40.
Create a deployment to uninstall patches
You can uninstall any patch deployment that was started from Tanium Patch.
1. In the left navigation pane, go to Deployments > Uninstalls.
2. Click New.
3. Name the deployment.
4. Select the deployment options you need.
a. Designate the deployment times.
You can choose from your browser time or local time on the endpoint.
b. To reduce the network load, select Distribute over time and the time.
c. If you want to ignore patching restrictions, select Override Maintenance
Windows.
d. Select whether the endpoint must restart.
IMPORTANT: There is no end user notification.
5. Add one or more patches.
Note: The applicability count in the grid is for endpoints that do not have the patch installed.
6. Select your targets.
You can add endpoints with either or both of the following methods:
- Add Computer Group provides a drop-down list of all filter-based Computer Groups.
- Add Targeting Question filters on all endpoints that meet a specific set of criteria. For example, you can type Computer Name containing win to target all Windows endpoints. As with Install deployments, this matches any endpoint whose name contains the string win, so it depends on your naming convention. The deployment is applied to all endpoints that meet the criteria; individual rows cannot be selected.
7. Preview the changes.
8. Click Deploy.
9. Enter your password and click Confirm.
Create deployments from the Patches view
In addition to deploying patches from the Deployments page, you can also select individual patches to build them.
1. In the left navigation pane, click Patches.
2. Select one or more patches.
3. Select Install or Uninstall.
4. Complete the deployment.
Review deployment summary
You can get the deployment results by status, any error messages, and the deployment configuration details.
1. In the left navigation pane, click Deployments.
2. Select Installs or Uninstalls.
3. Select either the Active or Inactive tab.
Clicking the caret icon displays additional summary information about the deployment, such as the number of targets, the lists, and issue details. For inactive deployments, it also shows whether the deployment expired or was stopped.
4. Click the deployment name.
5. Expand the section you want to see.
- Summary shows the list count, the number of patches, and the number of targeted Computer Groups.
- Results shows the install status and the number of online endpoints. The results are split out by status; expanding a status provides more information and the Interact icon to see the results by endpoint.
- Error Messages displays any problems that the deployment had.
- Deployment Details provides all the configuration information and the targeted Computer Groups.
Add targets to an existing deployment
You can add more targets to a deployment. For example, you can limit patch testing to a select Computer Group and then roll the deployment out to more groups after it has been validated. All other deployment options remain the same, and deployment results from the previous Install deployments are preserved.
1. In the left navigation pane, click Deployments.
2. Select Installs or Uninstalls.
3. Click the deployment name.
4. Under the Install Summary, click Add.
5. From the drop-down menu, select a Computer Group.
6. Click Add.
7. Enter your password and click Confirm.
Reissue a deployment
You can restart a stopped deployment or reissue a one-time deployment. Reissuing a deployment creates a new deployment with the same configuration and targets.
1. In the left navigation pane, click Deployments.
2. On the Active tab, click the deployment name.
3. Click Reissue.
4. (Optional) Make any necessary changes.
5. Preview the changes.
6. Click Deploy.
7. Enter your password and click Confirm.
Stop a deployment
You can stop a patch deployment. Stopping changes the deployment end time to now. It does not remove patches that have already completed installation.
1. In the left navigation pane, click Deployments.
2. On the Active tab, click the deployment name.
3. Click Stop.
4. Enter your password and click Confirm.
5. Go to the Inactive tab and click the deployment name to verify the status.
Setting Maintenance Windows
Maintenance Windows control when patches can be applied to a Computer Group. A Maintenance Window is separate from the deployment start and end time. To install a patch, both conditions must hold at the same time: a Maintenance Window enforced against the Computer Group must be open, and the current time must fall within the configured deployment time.
Maintenance Window options
You can configure Maintenance Windows for the times that are best for your environment.
Apply Maintenance Windows by enforcing them against Computer Groups. Multiple windows can affect a Computer Group, creating several times that patch activity is permitted.
If you want . . .                                     After the date and time, select . . .
A one-time window                                     Does Not Repeat
A window that repeats every few days                  Daily and the number of days between windows
A window that repeats on the same days of the week    Weekly, the number of weeks between windows, and which days of the week it opens on
A window that repeats on the same date each month     Monthly, the number of months between windows, and Day of the Month
A window that repeats on the same day each month      Monthly, the number of months between windows, and Day of the Week
A window that repeats on the same day of the year     Yearly and the number of years between windows
IMPORTANT: If a Maintenance Window does not repeat and it is the only one enforced against a Computer Group, patches cannot be applied after the window closes.
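The repeat patterns in the table and the rule that a patch installs only when a window is open and the deployment time has been reached can be turned into a small scheduling model. The Python below is an added example written for this guide, not Tanium's implementation. It decides whether an instant falls inside an enforced Maintenance Window for each repeat pattern, including windows that cross midnight and the one-time window that never reopens, and then applies both conditions for an Install deployment. Assumptions the page does not state: all times are endpoint local time; "same day each month" means the same weekday slot (for example, the third Wednesday); a Computer Group with no window enforced is treated as never permitted; the Window class, the patching_permitted function, and the 19 April 2017 first occurrence are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Window:
    """One Maintenance Window as enforced against a Computer Group (illustrative model)."""
    name: str
    start: datetime        # opening of the first occurrence, endpoint local time (assumed)
    end: datetime          # closing of the first occurrence
    repeat: str = "none"   # none | daily | weekly | monthly_dom | monthly_dow | yearly
    every: int = 1         # days / weeks / months / years between occurrences
    weekdays: frozenset = frozenset()   # weekly only: 0 = Monday ... 6 = Sunday

    def opens_on(self, d: date) -> bool:
        """Does an occurrence of this window open on calendar day d?"""
        s = self.start.date()
        if d < s:
            return False                      # nothing opens before the first occurrence
        if self.repeat == "none":
            return d == s                     # a one-time window never reopens
        if self.repeat == "daily":
            return (d - s).days % self.every == 0
        if self.repeat == "weekly":
            week0 = s - timedelta(days=s.weekday())          # Monday of the first week
            return ((d - week0).days // 7) % self.every == 0 and d.weekday() in self.weekdays
        months = (d.year - s.year) * 12 + (d.month - s.month)
        if self.repeat == "monthly_dom":      # same date each month, e.g. the 15th
            return d.day == s.day and months % self.every == 0
        if self.repeat == "monthly_dow":      # same weekday slot, e.g. the third Wednesday
            same_slot = d.weekday() == s.weekday() and (d.day - 1) // 7 == (s.day - 1) // 7
            return same_slot and months % self.every == 0
        if self.repeat == "yearly":
            return (d.month, d.day) == (s.month, s.day) and (d.year - s.year) % self.every == 0
        raise ValueError(f"unknown repeat pattern {self.repeat!r}")

    def is_open(self, t: datetime) -> bool:
        duration = self.end - self.start
        # An occurrence that opened up to `duration` ago may still be open, so walk every
        # calendar day from (t - duration) to t; this also covers windows that cross midnight.
        d = (t - duration).date()
        while d <= t.date():
            if self.opens_on(d):
                opening = datetime.combine(d, self.start.time())
                if opening <= t < opening + duration:
                    return True
            d += timedelta(days=1)
        return False


def patching_permitted(t, deploy_start, deploy_end, windows, override_windows=False):
    """True when an Install deployment may act on an endpoint at instant t.

    Both conditions the guide states must hold: t lies inside the deployment's own
    start/end, and at least one enforced Maintenance Window is open, unless the
    deployment was created with Override Maintenance Windows.
    """
    if not (deploy_start <= t <= deploy_end):
        return False
    if override_windows:
        return True
    return any(w.is_open(t) for w in windows)   # empty list: never permitted (assumption)


# The guide's Patch Tuesday case: 01:00-04:00 on the Wednesday a week after Microsoft's
# second-Tuesday release, i.e. the third Wednesday of each month. The first occurrence
# (19 April 2017) is constructed for the example.
PATCH_WEDNESDAY = Window("Post Patch Tuesday", datetime(2017, 4, 19, 1, 0),
                         datetime(2017, 4, 19, 4, 0), repeat="monthly_dow")

if __name__ == "__main__":
    deploy = (datetime(2017, 5, 1), datetime(2017, 6, 30))
    print(patching_permitted(datetime(2017, 5, 17, 2, 0), *deploy, [PATCH_WEDNESDAY]))   # True
    print(patching_permitted(datetime(2017, 5, 10, 2, 0), *deploy, [PATCH_WEDNESDAY]))   # False
```

The one-time window illustrates the IMPORTANT note above: once its single occurrence has closed, is_open never returns True again, so a group with only that window enforced can no longer be patched.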
Create a Maintenance Window
You can open multiple Maintenance Windows to customize when patches are applied to your endpoints. For example, you can create windows that allow deployments to install patches during periods of low network activity or outside of core working hours.
1. In the left navigation pane, click Maintenance Windows.
2. Click Create Window.
3. Name the window.
4. Choose from your browser time or local time on the endpoint.
5. Use the date and time pickers to set the start and end time of the window.
6. Configure the window repetition.
a. Select the repetition time frame.
Note: If a Maintenance Window repeats, it does not have an end date.
You must remove the enforcement against the target Computer Groups to stop the Maintenance Window.
b. Set additional options, such as day of the week, day of the month, and how often the window repeats.
For example, to account for Patch Tuesday, you could configure a monthly window that opens on the Wednesday a week after Microsoft typically releases patch updates.
7. Click Create.
8. Add one or more target Computer Groups.
9. Enter your password and click Confirm.
Edit a Maintenance Window
Maintenance windows can be edited at any time.
1. In the left navigation pane, click Maintenance Windows.
2. Click the window name.
3. Click Edit.
4. Make your changes.
5. Click Save.
6. Enter your password and click Confirm.
7. (Optional) Add one or more target Computer Groups.
Delete a Maintenance Window
After the enforcements have been removed, you can delete a Maintenance Window.
1. In the left navigation pane, click Maintenance Windows.
2. Select a window.
3. If the window is enforced against Computer Groups, remove all groups.
4. In the upper right, click Delete.
5. Confirm the deletion.
Patch use cases
Example 1: Automatically deploy key 2016 patches
You can create a Patch List that identifies all important and critical 2016 patches. A Patch List like this is useful for targeting groups of endpoints even if you have already achieved a high level of patch compliance. Many organizations want newly added endpoints in an enterprise network to automatically receive patches. This helps achieve patch security compliance automatically and avoids compliance issues caused by out-of-date endpoints that appear on the network between patch audit reporting cycles.
1. Create a Patch List with these settings:
   a. In the Rules section, create two rules with these conditions:
      Rule A conditions
      - Release Date, On or After, 01/01/2016
      - Release Date, On or Before, 12/31/2016
      - Patch Severity, Contains, critical
      Rule B conditions
      - Release Date, On or After, 01/01/2016
      - Release Date, On or Before, 12/31/2016
      - Patch Severity, Contains, important
b. Target the applicable Computer Groups.
2. Install the patches with an ongoing deployment using the Patch List.
Any patches matching Rule A or Rule B are applied to the targeted Computer Groups. A catch-all Patch List for previously released important and critical patches ensures that the policy is automatically applied when a machine is brought online, even after a period of inactivity.
For detailed steps, see Create a Patch List and Create a deployment to install patches.
Example 2: Create a Blacklist that excludes .NET patches
Assume you have several servers in the “Application Servers” Computer Group that run business critical applications. Since .NET patches can change the underlying framework of an endpoint, you want to make sure these servers do not receive a patch that could adversely affect the running applications.
Create a Blacklist for .NET patches with these settings:
1. Create a rule with the condition Patch Title, Contains, .NET.
2. Target the Application Servers Computer Group.
A Blacklist allows you to specifically prevent patches from downloading or installing on an endpoint.
For detailed steps, see Exclude patches with a Blacklist.
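Examples 1 and 2 together determine what an Install deployment targeting the Application Servers group would actually attempt: every patch matching Rule A or Rule B of the Patch List, minus anything the Blacklist matches, unless the deployment was created with Override Blacklists. The Python below is an added example written for this guide, not Tanium's code. It models the rule semantics the two examples rely on (all conditions inside one rule must hold; a list matches when any one of its rules holds) and evaluates both lists over a handful of constructed patch records. The Patch class, the operator names passed as strings, and the sample records are assumptions for illustration; the patch IDs are labels, not KB numbers.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    """One row of patch metadata as the Patch List rules see it (assumed shape)."""
    patch_id: str        # constructed label for the example, not a KB number
    title: str
    severity: str
    release_date: date


def condition_holds(patch, field, operator, value):
    """Evaluate one condition, using the operator names shown in the examples."""
    actual = getattr(patch, field)
    if operator == "Contains":
        return value.lower() in str(actual).lower()
    if operator == "On or After":
        return actual >= value
    if operator == "On or Before":
        return actual <= value
    raise ValueError(f"unsupported operator {operator!r}")


def rule_holds(patch, rule):
    # Every condition within a rule must hold: a 2016 date range needs both bounds.
    return all(condition_holds(patch, *cond) for cond in rule)


def list_matches(patch, rules):
    # A Patch List or Blacklist matches when any one of its rules holds.
    return any(rule_holds(patch, rule) for rule in rules)


def effective_installs(patches, patch_list_rules, blacklist_rules, override_blacklists=False):
    """Patch IDs an Install deployment would attempt on a group enforced with both lists."""
    chosen = []
    for p in patches:
        if not list_matches(p, patch_list_rules):
            continue                                   # not selected by the Patch List
        if not override_blacklists and list_matches(p, blacklist_rules):
            continue                                   # excluded by the Blacklist
        chosen.append(p.patch_id)
    return chosen


# Example 1: important and critical patches released in 2016 (Rule A or Rule B).
YEAR_2016 = [("release_date", "On or After", date(2016, 1, 1)),
             ("release_date", "On or Before", date(2016, 12, 31))]
KEY_2016_PATCHES = [
    YEAR_2016 + [("severity", "Contains", "critical")],    # Rule A
    YEAR_2016 + [("severity", "Contains", "important")],   # Rule B
]

# Example 2: Blacklist enforced against the Application Servers group.
NO_DOTNET = [[("title", "Contains", ".NET")]]

# Constructed sample records; titles and dates are illustrative only.
SAMPLE_PATCHES = [
    Patch("P1", "2016-03 Security Update for Windows Server 2012 R2", "Critical", date(2016, 3, 8)),
    Patch("P2", "2016-07 Security and Quality Rollup for .NET Framework 4.6", "Important", date(2016, 7, 12)),
    Patch("P3", "2016-05 Update for Windows Server 2012 R2", "Moderate", date(2016, 5, 10)),
    Patch("P4", "2017-01 Security Update for Windows Server 2012 R2", "Critical", date(2017, 1, 10)),
    Patch("P5", "2015-12 Security Update for .NET Framework 3.5", "Critical", date(2015, 12, 8)),
]

if __name__ == "__main__":
    print(effective_installs(SAMPLE_PATCHES, KEY_2016_PATCHES, NO_DOTNET))          # ['P1']
    print(effective_installs(SAMPLE_PATCHES, KEY_2016_PATCHES, NO_DOTNET, True))    # ['P1', 'P2']
```

Run against the sample records, only P1 survives both lists: P2 is in the Patch List but is held back by the .NET Blacklist, P3 fails the severity conditions, and P4 and P5 fall outside the 2016 date range. Passing override_blacklists=True restores P2, which is exactly what selecting Override Blacklists on a deployment does.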
Example 3: Stagger patch deployment to a worldwide network
Assume that you have a network that spans multiple time zones and you can only patch endpoints during certain times to avoid interfering with core work hours.
1. If you want to monitor the results by time zone, create a Computer Group for each. For example, you can use the Question Time Zone containing "EST" to create a filter-based Computer Group.
2. Create one Maintenance Window. Set it to Tanium Client local time, such as 1-4 A.M., and set how often it should repeat.
3. Add the Computer Groups you want to target.
4. Create a deployment to install the patches and target the same Computer Groups.
The endpoints install the patches at the designated times when employees are not working.
The deployment results are split out by time zone to get a global view of the installation success.
For detailed steps, see Tanium Core Platform User Guide: Managing Computer Groups, Create a Maintenance Window, and Create a deployment to install patches.
Troubleshooting Patch
If Patch is not performing as expected, you might need to do some troubleshooting or change settings. For assistance, you can also contact your TAM.
Resolve missing patch data
If you are having difficulty getting patches to appear, diagnose the issue with this workflow.
1. Verify that the Patch - Is Process Running Sensor is running on your endpoints.
2. Check the Scheduled Actions for Patch.
a. From the Tanium console, go to Actions > Scheduled Actions.
b. In the Action Groups pane, click Patch.
c. Review the issue details of the Patch - Ensure Patch Process and Patch - Distribute Deployment # (name) Actions.
3. Check the endpoint log at \Tanium Client\Patch\patch0.log.
4. For offline CAB file scan configurations, check that a CAB file is available at \Tanium Client\Patch\Scans\Wsusscn2.cab.
5. For WSUS or Microsoft Online scan configurations, check the c:\Windows\WindowsUpdate.log for details.
6. In the Scan Configuration, change the Random Scan Delay setting.
Change the Endpoint Status Report Setting
If you are troubleshooting or testing and need to capture up-to-date information, you can increase how often the endpoints are polled for their status.
CAUTION: Do not use this setting in a normal production environment. This setting can affect the performance of the servers if used for long periods.
1. On the home page, click Settings.
2. From the Checking Profile drop-down menu, select the setting.
- Production: The Saved Question cache expiration is normal and the endpoints are polled every 10 minutes.
- Aggressive: The cache expiration is short and the endpoints are polled every 10 seconds.
3. Click Save.
Note: Only Tanium Users with the Administrator role can make changes to Patch settings.
4. Enter your password and click Confirm.
Change the patch visibility aggregation
When a Scan Configuration is enforced against a Computer Group, a Saved Question is sent to the endpoints to check whether a patch is applicable. The result is returned as an aggregate count in the Patch Visibility section. If you need to reduce the load on the Tanium Server or the Tanium Client, you can limit which Computer Groups are included in the aggregation. Patch actions are still performed on all targeted endpoints; however, the applicability counts only include the selected Computer Groups.
1. On the home page, click Settings.
2. From the Computer Groups for Patch Visibility grid, select the Computer Groups you want.
The All Computers group is targeted by default, resulting in a single Saved Question that is necessary for Patch to function. Each additional Computer Group creates an additional Saved Question.
3. Click Save.
Note: Only Tanium Users with the Administrator role can make changes to Patch settings.
4. Enter your password and click Confirm.
Adjust the Deployment Retries
You can change how many times Patch attempts each stage of a deployment. For example, with the default of five, Patch tries to download the patches up to five times, tries to install them up to five times, and so on.
1. On the home page, click Settings.
2. From the Retry Limit drop-down menu, select the number of retries.
The default is five.
3. In the Reset Frequency field, type in the number of hours.
4. Click Save.
5. Enter your password and click Confirm.
Check and update the Windows Update Agent
You can use Tanium to check which Windows Update Agent versions are installed on your
Windows endpoints.
1. In Interact, ask the Get WUA Version from all machines Saved Question.
2. Update any endpoint with a version below 6.1.0022.4. See the Microsoft article Updating the Windows Update Agent.
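The comparison in step 2 goes wrong if the Saved Question results are compared as text: "10.0.14393.0" sorts before "6.1.0022.4" character by character, and a zero-padded field such as 0022 only equals 22 once it is parsed as a number. The Python below is an added example written for this guide, not Tanium's code; it parses the dotted versions field by field as integers and lists the endpoints that fall below the minimum. The sample rows are constructed, and the function names are assumptions.

```python
MIN_WUA_VERSION = "6.1.0022.4"   # the minimum the guide calls out


def parse_version(version):
    """'6.1.0022.4' -> (6, 1, 22, 4): compare field by field as integers, not as text."""
    return tuple(int(field) for field in version.strip().split("."))


def needs_wua_update(version, minimum=MIN_WUA_VERSION):
    return parse_version(version) < parse_version(minimum)


def endpoints_needing_update(rows, minimum=MIN_WUA_VERSION):
    """rows: (computer name, WUA version) pairs -> sorted names below the minimum."""
    return sorted(name for name, version in rows if needs_wua_update(version, minimum))


# Constructed sample rows standing in for the Saved Question results.
SAMPLE_ROWS = [
    ("srv-app-01", "7.6.7600.256"),
    ("srv-app-02", "6.0.6002.18005"),
    ("wks-0007", "10.0.14393.0"),      # text comparison would wrongly flag this one
    ("srv-legacy-03", "6.1.0022.4"),   # exactly the minimum: not flagged
]

if __name__ == "__main__":
    print(endpoints_needing_update(SAMPLE_ROWS))   # ['srv-app-02']
```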
Collect a troubleshooting package
For your own review or to assist support, you can compile Patch logs and files that are relevant for troubleshooting.
1. Get the Patch log.
a. On the home page, click Help.
b. Click Collect Troubleshooting Package.
The log zip file might take a few moments to download. The files have a timestamp with a Patch-YYYY-MM-DDTHH-MM-SS.mmmZ format.
2. (Optional) On the endpoint, copy the Tanium\Tanium Client\Patch\scans folder, excluding the CAB file.
Uninstall Patch
In certain situations, you might need to remove Patch from the Tanium Module Server for troubleshooting purposes.
1. From the main navigation menu, select Tanium Solutions.
2. Locate Patch, and then click Uninstall.
The Uninstall window opens, showing the list of contents to be removed.
3. Click Proceed with Uninstall.
4. Enter your password to start the uninstall process.
A progress bar is displayed as Patch is removed.
5. Click Close.
6. Delete the Actions, Saved Questions, Sensors, and Packages for Patch.
7. To confirm the uninstall, return to the Tanium Solutions page and verify that the Import button is available.
If the Patch module has not updated in the console, refresh your browser.