Upgrading Tanium Clients

The following procedures describe how to upgrade the Tanium Client to a newer version on managed Windows endpoints.

You must manually upgrade non-Windows endpoints using an installer package (available from the Client Management Home page) or use third-party software. Contact Tanium Support for additional guidance.

Best practices

Review the following best practices before upgrading Tanium Clients:

  • When possible, upgrade Windows endpoints through TaaSusing an upgrade content pack or through Client Management (as described in this topic), instead of using third-party software. Contact Tanium Support for the recommended procedures in cases where third-party software is preferable or necessary.
  • Upgrade without uninstalling and reinstalling Tanium Clients. If you uninstall clients, you lose any custom data that is associated with them.
  • Test the upgrade process in a lab environment that resembles the production environment as closely as possible. For example, use a lab environment that has similar Tanium Client versions, operating systems (OSs), and deployed Tanium module tools.
  • Deploy the upgrade in stages, starting with non-essential endpoints.
  • Deploy the upgrade to one OS type at a time.
  • Deploy the upgrade in batches to prevent unforeseen issues from affecting too many endpoints simultaneously.
  • When using an upgrade content pack, consider Consider the following best practices when planning how to schedule the upgrade actions in a way that minimizes the impact on network and endpoint resources:

    • Distribute the actions over time to prevent upgrades from occurring on all the targeted endpoints simultaneously.
    • Reissue actions at different times of day, or even over multiple days, to include endpoints that might be offline when the upgrade action first runs.
    • Set an end date for the actions so that they do not run indefinitely even after you upgrade all the Tanium Clients.

Before you begin

  • Read the release notes for the target version of Tanium Client, as well as all earlier versions that were released since the currently installed version, to understand the enhancements, bug fixes, and known issues that those versions include.
  • If you deploy upgrades to endpoints that have a firewall enabled on macOS 10.14 (Mojave) or later, perform the steps under Manage pop-ups for Tanium Client upgrades.

Assess the impact of upgrading on your environment

To help plan the stages of the upgrade to minimize the impact on your environment, determine the scope of the upgrade and appropriate groups of endpoints to target:

  1. Ask the following question, where <target_client_version> is the version to which you are upgrading:

    Get Tanium Client Version from all machines with Tanium Client Version < <target_client_version>

    The question results indicate the number of endpoints that require upgrades.

  2. If you want to evaluate the impact on specific types of endpoints (such as critical servers), you can apply a drill-down question such as Operating System or Organizational Unit (see Tanium Console User Guide: Drill down into results). Drilling down based on OS also indicates which content packs you need; Windows and non-Windows endpoints require separate upgrade packages.

Upgrade Tanium Clients using Client Management

To upgrade Tanium Clients using Client Management, create a deployment in Client Management configured to upgrade endpoints with an existing Tanium Client. For more information, see Deploying the Tanium Client using Client Management.

Upgrade Tanium Clients on Windows endpoints in TaaS using an upgrade content pack

Import the upgrade content pack for Tanium Clients on Windows endpoints

  1. Access the Tanium Console.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content grid and check the Imported Version and Available Version for the Client Upgrade content pack. Perform the remaining steps only if the Imported Version is blank or is earlier than the Available Version. The Available Version must be the same as the Tanium Client version to which you are upgrading.

    Contact Tanium Support for instructions for importing another content pack version if the Available Version is not the target upgrade version.

  4. Select the Client Upgrade content pack, click Import Solution, review the list of content objects, and click Import.

Import the upgrade content pack for Tanium Clients on non-Windows endpoints

  1. Contact Tanium Support for the ClientUpgradeNonWindows content pack.
  2. Follow the procedures described in Tanium Console User Guide: Authenticating content files to ensure that a public key is in place and digitally sign the content file.
  3. From the Main menu, go to Administration > Configuration > Solutions.
  4. Scroll to the Content section and click Import Import Content.
  5. Click Choose File, select the ClientUpgradeNonWindows content pack, and click Open.
  6. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes conflicts and provides resolution options for each one.

  7. Select resolutions for any conflicts. For guidance, see:

  8. Click Import and click Close when the import finishes.

Deploy the upgrade actions

  1. Ask a question that identifies the endpoints that require Tanium Client upgrades.

    For example, to identify Windows endpoints that require upgrades, from the Main menu, go to Administration > Content > Saved Questions, select the Windows Clients Older Than <version> question, and click Load.

  2. In the Question Results grid, select the results for the endpoints you want to upgrade and click Deploy Action.
  3. Specify Update Tanium Client <client_version> for the Deployment Package. or verify that the auto-populated entry is correct.

    • Windows: Update Tanium Client <client_version>
    • macOS: Update OS Specific Tanium Client (Mac <client_version>)
    • Linux: Update OS Specific Tanium Client (Linux - <Linux_version> <client_version>)

      Using content to upgrade the Tanium Client on Linux restarts the Tanium™ Trace Recorder process if it exists on the endpoint.

    • Solaris: Update OS Specific Tanium Client (Solaris <Solaris_version> <client_version>)
    • AIX: Update OS Specific Tanium Client (AIX <client_version>)
  4. Configure the Schedule Deployment fields based on the Best practices.
  5. Under Targeting Criteria, select an Action Group. Click Show preview to continue and review the targeted endpoints.
  6. Click Deploy Action. If the Estimated Number of affected endpoints is greater than 100 (or the otherwise configured threshold), enter that estimated number. The Tanium ServerTaaS enforces this confirmation step to ensure that you understand the network impact that an action has.

    To change the threshold that controls whether the Tanium Console prompts users for the Estimated Number, edit the prompt_estimate_threshold setting (Administration > Management > Global Settings). Note that changing the value to 0 causes the Tanium Console to prompt users whenever they deploy actions regardless of the number of affected endpoints.

    The page reloads to display the Action Summary.

  7. Review the action status to confirm the expected results. Wait until the action completes for all endpoints before continuing.
  8. Ask the question from Step 1 again to verify that the upgrade succeeded.

    For example, if you ask the Windows Client Older Than <version> question again, the Question Results indicate No machines matched the question to indicate the upgrade succeeded.