Upgrading Tanium Clients

The following procedures describe how to upgrade the Tanium Client to a newer version on managed Windows endpoints.

You must manually upgrade non-Windows endpoints using an installer package (available from the Client Management Home page) or use third-party software. For more information, see Deploying the Tanium Client using an installer or package file.

Best practices

Review the following best practices before upgrading Tanium Clients:

  • When possible, upgrade Windows endpoints through TaaS using an upgrade content pack or through Client Management (as described in this topic), instead of using third-party software. Contact Tanium Support for the recommended procedures in cases where third-party software is preferable or necessary.
  • Upgrade without uninstalling and reinstalling Tanium Clients. If you uninstall clients, you lose any custom data that is associated with them.
  • Test the upgrade process in a lab environment that resembles the production environment as closely as possible. For example, use a lab environment that has similar Tanium Client versions, operating systems (OSs), and deployed Tanium module tools.
  • Deploy the upgrade in stages, starting with non-essential endpoints.
  • Deploy the upgrade to one OS type at a time.
  • Deploy the upgrade in batches to prevent unforeseen issues from affecting too many endpoints simultaneously.
  • When using an upgrade content pack, consider the following best practices when planning how to schedule the upgrade actions in a way that minimizes the impact on network and endpoint resources:

    • Distribute the actions over time to prevent upgrades from occurring on all the targeted endpoints simultaneously.
    • Reissue actions at different times of day, or even over multiple days, to include endpoints that might be offline when the upgrade action first runs.
    • Set an end date for the actions so that they do not run indefinitely even after you upgrade all the Tanium Clients.

Before you begin

  • Read the release notes for the target version of Tanium Client, as well as all earlier versions that were released since the currently installed version, to understand the enhancements, bug fixes, and known issues that those versions include.
  • If you deploy upgrades to endpoints that have a firewall enabled on macOS 10.14 (Mojave) or later, perform the steps under Manage pop-ups for Tanium Client upgrades.

Assess the impact of upgrading on your environment

To help plan the stages of the upgrade to minimize the impact on your environment, determine the scope of the upgrade and appropriate groups of endpoints to target:

  1. Ask the following question, where <target_client_version> is the version to which you are upgrading:

    Get Tanium Client Version from all machines with Tanium Client Version < <target_client_version>

    The question results indicate the number of endpoints that require upgrades.

  2. If you want to evaluate the impact on specific types of endpoints (such as critical servers), you can apply a drill-down question such as Operating System or Organizational Unit (see Tanium Console User Guide: Drill down into results). Drilling down based on OS also indicates which content packs you need; Windows and non-Windows endpoints require separate upgrade packages.
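
The scoping question above and the staging guidance under Best practices can be combined offline once the question results are exported. The following is an added example, not Tanium code: it compares client versions numerically (a plain string comparison ranks 7.4.9 above 7.4.10) and splits the endpoints that need an upgrade into waves, non-essential first, one OS per wave, capped at a batch size. The row layout, the "essential" flag, the host names, and the version numbers are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows (not real Tanium output): one row per endpoint,
# as if exported after drilling down by Operating System. The "essential"
# flag is an assumed local tag, not a Tanium sensor.
SAMPLE = [
    {"host": "ws-001", "os": "Windows", "version": "7.4.9.100",  "essential": False},
    {"host": "ws-002", "os": "Windows", "version": "7.4.10.200", "essential": False},
    {"host": "ws-003", "os": "Windows", "version": "7.2.314.50", "essential": False},
    {"host": "ws-004", "os": "Windows", "version": "7.4.7.80",   "essential": False},
    {"host": "dc-01",  "os": "Windows", "version": "7.4.9.100",  "essential": True},
    {"host": "lx-01",  "os": "Linux",   "version": "7.4.9.100",  "essential": False},
    {"host": "db-01",  "os": "Linux",   "version": "7.4.10.200", "essential": True},
]

def parse_version(text):
    """Turn '7.4.10.200' into (7, 4, 10, 200) so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_upgrade(row, target):
    """True when the endpoint's client is older than the target version."""
    return parse_version(row["version"]) < parse_version(target)

def plan_waves(rows, target, batch_size):
    """Order waves: non-essential before essential, one OS per wave."""
    groups = defaultdict(list)
    for row in rows:
        if needs_upgrade(row, target):
            groups[(row["essential"], row["os"])].append(row["host"])
    waves = []
    for essential, os_name in sorted(groups):  # False sorts before True
        hosts = sorted(groups[(essential, os_name)])
        for start in range(0, len(hosts), batch_size):
            waves.append({
                "stage": "essential" if essential else "non-essential",
                "os": os_name,
                "hosts": hosts[start:start + batch_size],
            })
    return waves

if __name__ == "__main__":
    for number, wave in enumerate(plan_waves(SAMPLE, "7.4.10.200", 2), 1):
        print(number, wave["stage"], wave["os"], ", ".join(wave["hosts"]))
```

Each wave corresponds to one deployment of the upgrade action; endpoints already at the target version are left out of every wave.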






Upgrade Tanium Clients using Client Management

To upgrade Tanium Clients using Client Management, create a deployment in Client Management configured to upgrade endpoints with an existing Tanium Client. For more information, see Deploying the Tanium Client using Client Management.

Upgrade Tanium Clients on Windows endpoints in TaaS using an upgrade content pack

Import the upgrade content pack for Tanium Clients on Windows endpoints

  1. Access the Tanium Console.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content grid and check the Imported Version and Available Version for the Client Upgrade content pack. Perform the remaining steps only if the Imported Version is blank or is earlier than the Available Version. The Available Version must be the same as the Tanium Client version to which you are upgrading.

    Contact Tanium Support for instructions for importing another content pack version if the Available Version is not the target upgrade version.

  4. Select the Client Upgrade content pack, click Import Solution, review the list of content objects, and click Import.

Import the upgrade content pack for Tanium Clients on non-Windows endpoints

  1. Contact Tanium Support for the ClientUpgradeNonWindows content pack.
  2. Follow the procedures described in Tanium Console User Guide: Authenticating content files to ensure that a public key is in place and digitally sign the content file.
  3. From the Main menu, go to Administration > Configuration > Solutions.
  4. Scroll to the Content section and click Import Content.
  5. Click Choose File, select the ClientUpgradeNonWindows content pack, and click Open.
  6. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes conflicts and provides resolution options for each one.

  7. Select resolutions for any conflicts. For guidance, see:

  8. Click Import and click Close when the import finishes.

Enable the scheduled action for manifest distribution to non-Windows endpoints

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.

  2. Select the Distribute Client Update Non-Windows Manifest action, and click More > Enable Action(s).

    Enabling the action initiates it immediately. If the action is already enabled, but it needs to be initiated to prepare for a new upgrade, select it and click Reissue.

  3. From the Actions menu, go to Action History, select Distribute Client Update Non-Windows Manifest, and click Show Status to view the status of the action. Wait until the action completes for all endpoints before deploying an upgrade action.
  4. To verify successful distribution, from the Main menu, go to Administration > Content > Saved Questions, select the Non-Windows Client Update Manifest Distribution question, and click Load.

    The Question Results display a True entry for endpoints where the distribution succeeded.

Deploy the upgrade actions

  1. From the Main menu, go to Administration > Content > Saved Questions, select one of the following questions, and click Load:

    • Windows: Windows Clients Older Than <version> For Targeting
    • Non-Windows: Non-Windows Tanium Client Update Versions
  2. In the Question Results grid, select Target (Windows) or the results for operating systems and Tanium Client versions that you want to upgrade (non-Windows) and click Deploy Action.
  3. Verify that the selected Deployment Package is correct:

    • Windows: Update Tanium Client <client_version>
    • Non-Windows: Update Tanium Client (Non-Windows)
  4. Configure the Schedule Deployment fields based on the Best practices.
  5. Under Targeting Criteria, select an Action Group. Click Show preview to continue and review the targeted endpoints.
  6. Click Deploy Action. If the Estimated Number of affected endpoints is greater than 100 (or the otherwise configured threshold), enter that estimated number. The Tanium Server or TaaS enforces this confirmation step to ensure that you understand the network impact that an action has.

    To change the threshold that controls whether the Tanium Console prompts users for the Estimated Number, edit the prompt_estimate_threshold setting (Administration > Configuration > Platform Settings). Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.

    The page reloads to display the Action Status.

  7. Review the action status to confirm the expected results. Wait until the action completes for all endpoints before continuing.
  8. Ask the question from Step 1 again to verify that the upgrade succeeded.

    • Windows: Upgraded clients do not appear in the results. The question results display No results if all Windows endpoints have the upgraded client installed.
    • Non-Windows: Upgraded clients display the upgraded Tanium Client Version.

(Optional, non-Windows only) Clean up temporary files

  1. From the Main menu, go to Administration > Content > Saved Questions, select the Tanium Client (Non-Windows) Upgrade Progress question, and click Load.

  2. In the Question Results grid, select the rows in which the Tanium Client Upgrade Progress (Non-Windows) column displays COMPLETED, and click Deploy Action.
  3. Verify that Update Tanium Client (Non-Windows) - Post-Update Cleanup is selected for the Deployment Package.

  4. Click Show preview to continue and review the targeted endpoints.
  5. Click Deploy Action. If the Estimated Number of affected endpoints is greater than 100 (or the otherwise configured threshold), enter that estimated number. The Tanium Server enforces this confirmation step to ensure that you understand the network impact that an action has.

    To change the threshold that controls whether the Tanium Console prompts users for the Estimated Number, edit the prompt_estimate_threshold setting (Administration > Configuration > Platform Settings). Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.

    The page reloads to display the Action Status.

  6. Review the action status to confirm the expected results.