Managing End-User Self Service for Windows endpoints

With the Self Service Client application, you can publish patches to Windows endpoints so that users can start a patch deployment early or completely control when patches are installed. For example, you might deploy the Self Service Client application to a manufacturing endpoint that can be patched only between manufacturing runs or an endpoint in an operating room that must be patched between surgeries. To use the Self Service Client application on your Windows endpoints, you must create a self service deployment in Patch version 3.12 or later.

Before you begin

Create an End-User Notifications configuration that enables End-User Self Service and specifies other options, such as logo, title, greeting text, additional language support, and shortcut options. For more information, see End-User Notifications User Guide: Customizing the End-User Self Service interface.

Create a Self Service deployment to install patches

  1. From the Client Management menu, go to Deployments and click Create Deployment > Create Install Deployment.

  2. In the Deployment Overview section, accept the default name or provide a name for the deployment, add an optional description, select the Windows platform, and select a content set. For more information, see Tanium Console User Guide: Managing content sets.
  3. In the Deployment Details section, add one or more patch lists, including version, or add patches manually.

  4. In the Endpoints to target section, add targeting criteria for endpoints.

    Select the following targeting methods and complete the fields as needed:

    • Computer Groups provides a list of dynamic computer groups. You can later use these groups to refine patch applicability results, as needed.
    • Question Criteria filters on all endpoints with a specific set of criteria and within the limiting groups selected from the list of available groups. Limiting groups are available after you add question criteria. For example, you can type Operating System contains win in the Filter Bar or use the Filter Builder to target all Windows endpoints within those groups. The deployment is applied to all endpoints that meet the criteria. Individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator.
    • Computer Names lets you use exact names, such as the fully qualified domain name (FQDN) registered with Tanium. Use the Manual Names field to manually type in computer names, separated by commas. To upload as a CSV file, click Names by CSV File and then click Upload Names. Then filter within the limiting groups selected from the list of available groups. Limiting groups are available after you add computer names.

      Target fewer than 100 computer names to reduce the impact on the All Computers group.

  5. In the Deployment type and schedule section, click Edit to make changes as needed.
    1. Select the Self Service deployment type.

    2. If you want the endpoints to download the patch content before the installation time, select the option for Download Immediately.

      Select this option for future deployments. If you find that endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

    3. If you want to ignore patching restrictions, select Override Block Lists.

    4. Select whether to restart the endpoint.

  6. If you enabled endpoint restarts, you can enable end user notifications about the restarts. If necessary, click Edit and then select Notify User After Deployment Activity to configure the following settings. For more information, see Endpoint restarts.

    • (Optional) Configure settings that allow the end user to postpone the restart.
    • Specify the Message Content that informs the user about the restart.
    • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview. You can also use the drop-down menu to preview the notification in light or dark theme.

    Ensure that the Duration of Notification Period value is less than a few days. The optimal value for this setting depends on your patching cycle, and a shorter period helps to decrease the endpoints missing critical or important patches metric. For best results, set the Duration of Notification Period value to less than three days.

  7. Click Preview to Continue.
  8. Review the deployment details, and then click Deploy.

Create a Self Service deployment to uninstall patches

  1. From the Client Management menu, go to Deployments and then click Create Deployment > Create Uninstall Deployment.
  2. Review the Deployment Overview section and click Edit to make changes as needed. Accept the default name or provide a name for the deployment, add an optional description, select the Windows platform, and select a content set. For more information, see Tanium Console User Guide: Managing content sets.
  3. In the Content to deploy section, expand the Add Patches Manually section and add one or more patches.

    The applicability count in the grid is for endpoints that do not have the patch installed.

  4. In the Endpoints to target section, add targeting criteria for endpoints.

    Select the following targeting methods and complete the fields as needed:

    • Computer Groups provides a list of dynamic computer groups. You can later use these groups to refine patch applicability results, as needed.
    • Question Criteria filters on all endpoints with a specific set of criteria and within the limiting groups selected from the list of available groups. Limiting groups are available after you add question criteria. For example, you can type Operating System contains win in the Filter Bar or use the Filter Builder to target all Windows endpoints within those groups. The deployment is applied to all endpoints that meet the criteria. Individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator.
    • Computer Names lets you use exact names, such as the fully qualified domain name (FQDN) registered with Tanium. Use the Manual Names field to manually type in computer names, separated by commas. To upload as a CSV file, click Names by CSV File and then click Upload Names. Then filter within the limiting groups selected from the list of available groups. Limiting groups are available after you add computer names.

      Target fewer than 100 computer names to reduce the impact on the All Computers group.

  5. Review the Deployment type and schedule section and click Edit to make changes as needed.
    1. Select the Self Service deployment type.

    2. If you want the endpoints to download the patch content before the installation time, select the option for Download Immediately.

      Select this option for future deployments. If you find that endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

    3. If you want to ignore patching restrictions, select Override Maintenance Windows or Override Block Lists.

    4. Select whether to restart the endpoint.

  6. If you enabled endpoint restarts, you can enable end user notifications about the restarts. If necessary, click Edit and then select Notify User After Deployment Activity to configure the following settings. For more information, see Endpoint restarts.

    • (Optional) Configure settings that allow the end user to postpone the restart.
    • Specify the Message Content that informs the user about the restart.
    • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview. You can also use the drop-down menu to preview the notification in light or dark theme.

    Ensure that the Duration of Notification Period value is less than a few days. The optimal value for this setting depends on your patching cycle, and a shorter period helps to decrease the endpoints missing critical or important patches metric. For best results, set the Duration of Notification Period value to less than three days.

  7. Click Preview to Continue.
  8. Review the deployment details, and then click Deploy.

Use the Self Service Client application on endpoints

The Self Service Client application lets users install, update, or remove patches on endpoints.

The Self Service Client application displays only patches that are applicable on an endpoint. For example, if a deployment uses a patch list that includes patches released 30 or more days ago, the Self Service Client application displays those patches as they become available.

The Self Service Client application includes the following tabs:

Catalog

On the Catalog tab, you can perform the following actions:

  • See a list of all available deployments in the catalog. You can filter to show deployments to install, remove, or update, or to show only the deployments available to the endpoint. You can also select a gallery or list view, and that view automatically adjusts based on the resolution set on the endpoint.

  • See all active deployments, until the install, update, or removal is complete.

  • Select additional languages that you have enabled in the End User Notifications settings. For more information, see Tanium End User Notifications User Guide: Customizing the End-User Self Service interface.

  • See additional details about each available deployment. Hover your mouse over the information icon to see the list of patches included in the deployment.

Updates

On the Updates tab, you can see updates that are available for installed patches.

History

On the History tab, you can see any completed activities that occurred on the system, as well as who initiated the activity. You can filter results by deployment type, as well as by time period.

Activity

On the Activity tab, you can see current and upcoming deployment activity. You can also select Install to start the deployment before its scheduled start time.