Enforcing scan configurations for Windows and Linux endpoints

The list of available Windows and Linux patches comes from scanning the endpoints in your network. The scan configuration determines a scanning technique and frequency. A scan configuration is enforced by targeting computer groups.

For Windows endpoints, the available scanning techniques include the offline CAB file, online Microsoft Windows Update, Windows Server Update Services (WSUS) Scan, and Tanium Scan.

For Windows scan configurations, you can enable isolated endpoints to download patch files directly from Microsoft instead of the Tanium Server to free network resources. An isolated endpoint is a Tanium Client that has no peer Tanium Clients. To download patches directly from Microsoft, an isolated endpoint must be connected to a user-configured list of Tanium Zone Servers or IP address ranges for split-tunnel VPN clients. For more information, see Enable direct patch downloads from Microsoft.

For Linux endpoints, the available scanning techniques include Repository Scan and Tanium Scan.

Windows scan techniques

Offline CAB File

The CAB file is stored locally by the Tanium Client and contains security updates, update rollups, and service packs for all products in the Microsoft Update Catalog, including Windows and Office. On the Client Management Overview page, the latest status of the offline CAB file is available. The active CAB file is the most recent, verified file published by Microsoft. Patch uses only the active CAB file for scan configurations. A rejected CAB is not pushed to a computer group. Patch checks for an updated CAB file every 15 minutes. You can click Update CAB to force a new download outside of the normal schedule.

Example CAB file status

Offline CAB File includes only Security Updates, Service Packs, and Update Rollups. Because the other scan methods include more update classifications than Offline CAB File does, if you change the scan configuration technique on an active deployment from Offline CAB File to another technique, additional patches might be installed on endpoints.

Online Microsoft Windows Update

This option creates additional network traffic between the Tanium Client and Microsoft and is for Microsoft updates in Windows operating systems only. The full range of patches is available for scanning in the Windows operating system:

  • Critical patches
  • Cumulative security and quality patches

    The Microsoft online APIs do not always provide the required URLs to download and install cumulative update patches. Use this option in situations where Tanium Patch is being used only for auditing patch compliance.

  • Non-security and optional updates

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.

Tanium Scan

If you are using Tanium Scan for Windows with a local WSUS server, you must approve updates on the WSUS server.

Tanium Scan for Windows allows Client Management to assess all Microsoft Products (excluding Microsoft 365 Apps, Office 2019, and Office LTSC) and Update Classifications (excluding Drivers, Definition Updates, and Upgrades) on supported Windows 7 or later endpoints. The Client Management service on the Module Server is configured to synchronize update metadata and detection rules directly from Microsoft. Alternatively, it can be configured to synchronize from WSUS in airgap scenarios where WSUS is available and already has approved and downloaded patches.

After the update metadata and detection rules are synchronized, the Client Management service distributes portions of this data (in a client database file) to applicable machines on the network. The Windows Update Agent performs the scan against the selected products and classifications and returns data in the form of applicable and not applicable patches.

Tanium Scan for Windows is much less resource intensive than the offline CAB file scan method and provides more robust scan results. Tanium Scan does not rely on each endpoint having network access to Microsoft Update or a local WSUS server. For more information about Tanium Client requirements, see Core platform dependencies.

To enable and configure Tanium Scan for Windows, see Enable and configure Tanium Scan for Windows.

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.

WSUS

If you are using Microsoft System Center Configuration Manager (SCCM) with your WSUS server, do not use Tanium for WSUS scanning with the same server.

Using WSUS servers for patching activities gives the option for the full range of patch types for all products in the Microsoft Update Catalog, including Windows and Office. However, some additional configuration is required. The Tanium Client must be able to contact the WSUS server, and patches must be approved before they can be downloaded.

The guidelines about how many clients a WSUS server can support are similar to the Microsoft guidelines for SCCM: up to 150,000 clients per WSUS server. See Microsoft Docs: Size and scale numbers for System Center Configuration Manager.

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.

Linux scan techniques

To simplify Linux scanning, enable Enhanced Linux Support in the Client Management Configuration Settings. This setting lets you create a single scan technique that applies to multiple Linux distributions, instead of having to create separate OS-based scan techniques. For more information, see Enable Patch for Enhanced Linux configurations.

Repository Scan

Using repositories for patching activities gives the option for the full range of patch types for all updates in the repositories. However, you must configure one or more repositories, and updates must be maintained in the repositories. The Tanium Client must be able to contact the repositories for scanning as well as patch downloads.

For the Repository Scan technique, you can use all repositories from which an endpoint can pull.

Tanium Scan

For best results, create a single scan configuration for Tanium Scan for Linux targeting the Patch Supported Systems computer group with each included repository targeted to the proper operating systems. For more information, see Red Hat Linux endpoints stuck in Waiting for Initial Scan status.

Tanium Scan for Linux can use both internal and external repositories, but only the Tanium Server needs connectivity to the repositories. The Tanium Client stores the repository scanning logic in the local Tanium Client directory. Package managers (for example, Yum, DNF, Zypper, and Apt) cache repository data in the /var partition. In most cases, the cache does not exceed 500 MB. If you use lean partitioning or have a high count of configured repositories, evaluate the available disk space and partition configurations to ensure /var has sufficient free space.

Tanium Scan supports CentOS, Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu distributions. With Tanium Scan for Linux, you can create and use repository snapshots for deployments. For more information, see Linux repository snapshots.

When using the Tanium Scan technique with Red Hat distributions, you must use Red Hat Content Delivery Network, Red Hat Satellite 6 or later, or custom repositories. For more information, see (Red Hat endpoints) Configure Tanium Server to use certificate authentication.

Tanium Scan incompatibility with LibZypp Services Plugins

Tanium Scan for Linux is not compatible with LibZypp Service Plugins, such as Spacewalk. LibZypp Service Plugins provide a client with a list of repositories. This method conflicts with Tanium Scan being the sole source of repositories.

If a LibZypp Service Plugin is in use when attempting to run Tanium Scan, Patch displays scan and deployment error messages as this configuration is unsupported.

To determine if there are any LibZypp Service Plugins on an endpoint, review the /usr/lib/zypp/plugins/services directory, where all LibZypp Service Plugins are listed. If the /usr/lib/zypp/plugins/services directory is not empty, Tanium Scan is not supported.

You cannot disable LibZypp Service Plugins during a Tanium Scan. If possible, uninstall the plugin and create repositories using Tanium. If the plugin package cannot be uninstalled, use Repository Scan instead of Tanium Scan.

Create a scan configuration

You can create multiple scan configurations and add computer group enforcements as needed.

Any endpoint that is supported by Patch should be targeted by at least one scan configuration.

  1. From the Client Management menu, go to Scan Management and then click Create Scan Configuration.
  2. Provide a name, an optional description, and select an operating system.
  3. Choose the scan configuration options.
    1. (Windows and Linux) Select a Configuration Technique and applicable options.

      For Red Hat, Ubuntu, and SUSE Linux Enterprise Server (SLES) endpoints, if you choose Repository Scan, you must also select Use repositories configured on endpoint.

      (Windows) If you choose Offline CAB File, select Download and scan immediately upon new CAB release to ensure that the endpoints are scanned when a new CAB file is published. Similarly, if you choose Tanium Scan, select Scan when new patches are available to ensure that the endpoints are scanned when a new patch is released. Selecting either of these settings overrides the frequency settings, but scans still wait for the scan window, if configured.
      • (Windows endpoints) Choose Tanium Scan. If you use other products that use WSUS technology on the same endpoints, such as SCCM, select Enable Managed Compatibility to enable an additional scan to ensure compatibility.
      • (CentOS, Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu endpoints) To use repository snapshots for Linux deployments, choose Tanium Scan.
      • (Amazon endpoints) You must use Repository Scan.

      (Optional, Windows) If you choose WSUS, select Enable audit only mode if you want Tanium to scan for all patches synchronized in WSUS, including patches that are not available to be installed because they are unapproved. This setting lets you use a WSUS server to audit systems for missing patches. If you do not select this option, then Tanium will scan only for approved patches.

    2. In the Frequency field, enter a number and a time parameter.

      Set this value to less than three days to improve the Patch coverage metric.

    3. (Optional) Select Enable Random Scan Delay and enter a time to distribute the network activity.

      The default is 120 minutes.

      For VDI environments, set a longer scan delay, such as 480 minutes or higher, depending on the density and hardware performance of your VDI environment, to reduce the impact of the scan on the host system.

    4. (Optional, Windows) To enable remote endpoints to download patches directly from Microsoft, select Enable Patch direct downloads from Microsoft.
      • To download patches directly from Microsoft, you must also enable direct downloads in the Client Management Configuration Settings. Click View Settings for Direct Download to access those settings. For more information, see Enable direct patch downloads from Microsoft.

      • The Enable Patch direct downloads from Microsoft option will not appear if your administrator has disabled it.

    5. (Optional, Linux) To use repository snapshots for Linux deployments, select Deployment Snapshots and choose the repository name and the snapshot in the Repositories section.
  4. (Optional) Select Scan only within defined window to define the scan window options, such as browser time or local time on the endpoint, how often the window repeats, and override options. For more information, see Scan windows.

    The scan window specifies when a scan can start. If you enabled Random Scan Delay, scans can potentially start as late as the specified delay after the end of the scan window. For example, if a scan attempts to start one minute before the end of the scan window, but receives the full random scan delay of 120 minutes, the scan does not start until after that 120 minutes and continues to run until completion, even though the scan window is already closed.

  5. Click Create Scan Configuration.

  6. In the Targeting section, click Select Computer Groups to add one or more computer groups.
    Enabling the patch applicability results provides a refined aggregation for the specific computer group.

The list of available patches might appear within 15-30 minutes. Longer scan delays might result in patches appearing more slowly. If no data appears after the scan delay, contact Tanium Support. If an endpoint cannot be scanned, for example if it is offline, it is scanned at the earliest opportunity.

Scan windows

You can set a scan window to restrict scans to a certain time of day or day of the week. For example, you can create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. Additionally, if some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.

Scan windows are optional. If you decide to use them, the Override option should be set to less than two days to increase the Patch coverage metric.

  1. In the Scan Window section, select Scan only within defined window.
  2. Configure your preferences:
    1. (Optional) Choose whether to repeat the scan window daily or weekly.
    2. Set additional frequency options.
    3. Select between the local time on the endpoint or UTC time.
    4. Use the date and time pickers to set the start time of the window.
    5. Set the duration of the scan window.
    6. (Optional) Select Scan immediately if scan age is older than defined threshold and specify how many hours or days can elapse before triggering an immediate scan.

      This setting overrides the Scan Window settings and can control the timing of scans on endpoints depending on the Scan Override Threshold and Scan Configuration Options Frequency values. For example, suppose an endpoint does not complete a scan during a daily four-hour scan window, the Scan Configuration Options Frequency is 24 hours, and the Scan Override Threshold value is 25 hours. After 25 hours, the Scan Override Threshold value forces a scan on the endpoint. During the next daily four-hour scan window, the endpoint does not scan because it has scanned within 24 hours. After another 25 hours, the Scan Override Threshold value forces a scan again.

      Set this value to less than two days.
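To make the timing rules above concrete, the following added example (a constructed model on an hourly clock, not Tanium code) simulates how the Frequency, Scan Window, Random Scan Delay, and Scan Override Threshold settings interact. override_example replays the 24-hour Frequency / 25-hour Override scenario for an endpoint that is offline every night during its window, and late_start_example shows a scan triggered in the last hour of the window that receives the full 120-minute delay and therefore starts after the window has closed; the exact scheduling semantics are an assumption read from the text.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class ScanConfig:
    frequency_h: int                            # Frequency: next scan due this long after the last
    window_start_h: Optional[int] = None        # daily Scan Window start (hour of day); None = no window
    window_len_h: int = 0                       # Scan Window duration in hours
    override_threshold_h: Optional[int] = None  # Scan Override Threshold (scan age in hours)
    max_delay_h: int = 0                        # Random Scan Delay upper bound in hours

def in_window(cfg: ScanConfig, t: int) -> bool:
    """True when hour t lies inside the daily scan window (always true without a window)."""
    if cfg.window_start_h is None:
        return True
    return (t % 24 - cfg.window_start_h) % 24 < cfg.window_len_h

def simulate(cfg: ScanConfig, offline: List[Tuple[int, int]], last_scan_h: int,
             horizon_h: int, delay: Callable[[], int] = lambda: 0) -> List[int]:
    """Return the hours at which scans start. `offline` holds constructed [start, end)
    hour ranges when the endpoint is unreachable; delay() stands in for the random
    scan delay (zero by default so runs are deterministic). Assumed semantics."""
    def online(t: int) -> bool:
        return not any(a <= t < b for a, b in offline)
    starts, pending = [], None           # pending: hour a triggered scan may start
    for t in range(horizon_h):
        age = t - last_scan_h
        if pending is None and online(t):
            due = age >= cfg.frequency_h
            forced = cfg.override_threshold_h is not None and age >= cfg.override_threshold_h
            if forced or (due and in_window(cfg, t)):   # the override ignores the window
                pending = t + min(delay(), cfg.max_delay_h)
        if pending is not None and t >= pending and online(t):
            starts.append(t)             # runs to completion even if the window has closed
            last_scan_h, pending = t, None
    return starts

def override_example() -> List[int]:
    """The text's scenario: 4 h daily window (00:00-04:00), Frequency 24 h, Override 25 h,
    and a constructed endpoint that is offline every night during the window."""
    cfg = ScanConfig(frequency_h=24, window_start_h=0, window_len_h=4, override_threshold_h=25)
    return simulate(cfg, [(d * 24, d * 24 + 4) for d in range(5)], 0, 120)  # -> [28, 53, 78, 103]

def late_start_example() -> List[int]:
    """Window 18:00-22:00, last scan at 21:00 on day 0, full 2 h (120 min) delay: the scan
    triggered in the window's last hour starts after the window has closed."""
    cfg = ScanConfig(frequency_h=24, window_start_h=18, window_len_h=4, max_delay_h=2)
    return simulate(cfg, [], 21, 48, delay=lambda: 2)  # -> [47]
```

In override_example every scan is forced by the override roughly 25 hours after the previous one because the window is never usable, which is why the text recommends keeping the threshold under two days.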

View enforcement status

By reviewing a scan configuration, you can see which endpoints in the computer group contain the enforced configuration.

  1. From the Client Management menu, go to Scan Management and then click the name of a scan configuration.
  2. In the Enforcements section, click the links for any of the enforcement statuses to open the question results for each endpoint.

    The Interact results grid shows the endpoint status and the reason, if it is not enforced.

    Investigate endpoints with scan errors that have scan results older than two days and resolve the errors for each endpoint. For more information, see Troubleshoot scan errors on Windows and Linux endpoints.

Prioritize scan configurations

You can create multiple scan configurations with multiple computer groups. The order of the configuration in the Scan Configurations list decides its priority. If an endpoint is in multiple computer groups with conflicting configurations, only the highest priority configuration in the list is applied to the endpoint.

The highest priority configuration has a Priority of 1.

  1. From the Client Management menu, go to Scan Management.
  2. On the Scan Configurations tab, click Prioritize.
  3. Move the scan configuration by dragging and dropping it into the order that you want and then click Confirm.

Edit a scan configuration

  1. From the Client Management menu, go to Scan Management and then click the name of a scan configuration.
  2. Click Edit and make your changes.

    You cannot edit a scan configuration if the Allow Scan Configuration Editing option is disabled in the Patch Settings.

  3. Click Update Scan Configuration.

Remove a scan enforcement

Removing a computer group from a scan configuration removes the enforcement.

  1. From the Client Management menu, go to Scan Management and then click the name of a scan configuration.
  2. In the Targeting section, delete the computer group.

Delete a scan configuration

After the enforcements are removed, you can delete a scan configuration.

  1. From the Client Management menu, go to Scan Management and then click the name of a scan configuration.
  2. If the scan configuration is enforced against Computer Groups, remove all groups.
  3. Click Delete.