Patch overview

Use Patch to manage operating system patching across your enterprise at the speed and scale of Tanium™. For Windows and Linux endpoints, you can deploy a single patch to a computer group immediately. You can also perform more complex tasks, such as using advanced rule sets and maintenance windows to deliver groups of patches across your environment at specified times. For macOS endpoints, you can deploy updates to mobile device groups at specified start times.

For Windows and Linux endpoints, you can define custom workflows and schedule patches based on rules or exceptions built around patch lists, block lists, and maintenance windows. For example, you might always apply critical Microsoft patches to all machines except for datacenter servers, or always exclude .NET patches, or install patches during non-working hours.

Patch generates reports and returns current patch applicability results from every endpoint. For any patch or patch list deployment, the following details are provided:

  • (Windows and Linux) The patch details, such as severity, release date, applicable Common Vulnerabilities and Exposures (CVE), files, and links to knowledge base articles
  • (Windows and Linux) The status of the patch, split out by computer group
  • (Windows and Linux) The assigned patch lists or block lists for the patch
  • (macOS) The update details, criticality, and if a restart is required
  • (macOS) The enforcements that include the updates

The Patch Overview page provides Summary and Health charts to monitor compliance. Unlike earlier versions of Patch, these charts currently only support Windows and Linux endpoints.

Patch scanning options for Windows and Linux endpoints

You can choose from several scan methods for Windows and Linux endpoints to determine the installed and missing patches across your network. Scan configurations define a scan method, scan frequency, and the computer groups that are being scanned, known as an enforcement. One scan configuration is applied to an endpoint. If an endpoint is included in multiple computer groups, the highest priority scan configuration is applied. For more information, see Enforcing scan configurations for Windows and Linux endpoints.

Review the following lists of scanning options for Windows and Linux endpoints to decide the best method to use for each computer group.

Available Patch scan methods for Windows endpoints

Tanium Scan [1]

  • Platform OS: Windows
  • Updates included (scanning and installing):
    • Critical Updates
    • Feature Packs
    • Security Updates
    • Service Packs
    • Tools
    • Update Rollups
    • Updates
  • Client impact: initial scan Moderate; subsequent scans Low
  • Connectivity:
    • A client database file is stored locally by the Tanium Client.
    • With the direct download option for isolated endpoints, the endpoint contacts Microsoft directly.
  • Support for direct download of patches on isolated endpoints: Yes
  • Details:
    • The Client Management service on the Module Server is configured to synchronize update metadata and detection rules directly from Microsoft. Alternatively, it can be configured to synchronize from WSUS in airgap scenarios where WSUS is available and already has approved and downloaded patches.
    • Supports direct patch downloads from Microsoft to isolated endpoints.

Offline CAB File [2]

  • Platform OS: Windows
  • Updates included (scanning and installing):
    • Security Updates
    • Service Packs
    • Update Rollups
  • Client impact: initial and subsequent scans Moderate
  • Connectivity:
    • The CAB file is stored locally by the Tanium Client.
    • With the direct download option for isolated endpoints, the endpoint contacts Microsoft directly.
  • Support for direct download of patches on isolated endpoints: Yes
  • Details:
    • Requires a 600+ MB download of the CAB file.
    • Does not include non-security updates, out-of-band fixes, hotfixes, and enhancements that are included with the WSUS or Online Microsoft Windows Update scan methods.
    • Supports direct patch downloads from Microsoft to isolated endpoints.

Online Microsoft Windows Update

  • Platform OS: Windows
  • Updates included (scanning):
    • Critical Updates
    • Definition Updates
    • Drivers
    • Feature Packs
    • Security Updates
    • Service Packs
    • Tools
    • Update Rollups
    • Updates
    • Upgrades
  • Updates included (installing):
    • Critical Updates
    • Feature Packs
    • Security Updates
    • Service Packs
    • Tools
    • Update Rollups
    • Updates
  • Client impact: initial scan Moderate; subsequent scans Low
  • Connectivity:
    • The Tanium Client must contact Microsoft directly.
    • With the direct download option for isolated endpoints, the endpoint contacts Microsoft directly.
  • Support for direct download of patches on isolated endpoints: Yes
  • Details:
    • Requires additional network traffic to Microsoft directly.
    • Driver updates should be blocked for installation.
    • Supports direct patch downloads from Microsoft to isolated endpoints.

WSUS (Windows Server Update Services) [1, 3]

  • Platform OS: Windows
  • Updates included (scanning):
    • Critical Updates
    • Definition Updates
    • Drivers
    • Feature Packs
    • Security Updates
    • Service Packs
    • Tools
    • Update Rollups
    • Updates
    • Upgrades
  • Updates included (installing):
    • Critical Updates
    • Feature Packs
    • Security Updates
    • Service Packs
    • Tools
    • Update Rollups
    • Updates
  • Client impact: initial and subsequent scans Low
  • Connectivity:
    • The Tanium Client must contact the WSUS server.
    • With the direct download option for isolated endpoints, the endpoint contacts the location that is defined by the WSUS server directly. Depending on the WSUS server configuration, the location is the WSUS server or Microsoft.
  • Support for direct download of patches on isolated endpoints: Yes
  • Details:
    • Must deploy and configure one or more WSUS servers.
    • Updates must be approved in WSUS prior to scanning or deployment.
    • Driver updates should be blocked for installation.
    • Supports direct patch downloads from Microsoft or the WSUS server to isolated endpoints.

[1] Windows 10 Home does not support specifying a WSUS intranet server and does not work with the Tanium Scan or WSUS scan methods.

[2] Offline CAB File includes only Security Updates, Service Packs, and Update Rollups. Because the other scan methods include more updates than Offline CAB File does, if you change the scan configuration technique on an active deployment from Offline CAB File to another technique, additional patches might be installed on endpoints.

[3] If you are using Microsoft System Center Configuration Manager (SCCM) with your WSUS server, do not use Tanium for WSUS scanning with the same server.

For more information, see Windows scan techniques.

Available Patch scan methods for Linux endpoints

Tanium Scan [1]

  • Platform OS:
    • Red Hat
    • CentOS
    • Oracle Linux
    • SUSE [2]
    • Ubuntu
    • Debian
  • Updates included: all updates in the repositories [3]
  • Client impact: initial and subsequent scans Moderate
  • Connectivity: the Tanium Client stores the repository scanning logic locally.
  • Support for direct download of patches on isolated endpoints: No
  • Details:
    • Internal or external repositories can be used.
    • Only the Tanium™ Server needs connectivity to the repositories.

Repository Scan

  • Platform OS:
    • Red Hat
    • CentOS
    • Oracle Linux
    • Amazon Linux
    • SUSE [2]
    • Ubuntu
    • Debian
  • Updates included: all updates in the repositories [3]
  • Client impact: initial and subsequent scans Moderate
  • Connectivity: the Tanium Client must contact the repositories for scanning and patch downloads.
  • Support for direct download of patches on isolated endpoints: Yes
  • Details:
    • Must deploy and configure one or more repositories.
    • Updates must be maintained in the repositories.

[1] Tanium Scan for Linux is not compatible with LibZypp Service Plugins. Tanium Scan scans the repositories provided by the plugin, but does not have access to the metadata in these repositories, which leads to scan results with incomplete metadata. Patch list applicability reports packages with incomplete metadata, but Patch cannot install them. If possible, uninstall the plugin and create repositories using Tanium.

[2] SUSE 11.x Service Pack 3 support is limited to scanning only.

[3] When installing package dependencies for patches on Debian and Ubuntu endpoints, Tanium Client Management includes only packages that are required dependencies. Recommended dependencies are not included.

For more information, see Core platform dependencies, Linux scan techniques, and Tanium Scan incompatibility with LibZypp Services Plugins.

Patch lists and block lists for Windows and Linux endpoints

A patch list contains patches that can be applied to Windows and Linux endpoints. A block list contains patches that must be excluded from Windows and Linux endpoints. Patch provides a baseline reporting patch list for Windows and Linux. You can also create patch lists and block lists. These lists can be determined by any detail included in the patch information.

For example, you could:

  • Create lists based on severity, prioritizing the most critical and most recent updates first.
  • Focus only on patches that address CVE issues.
  • Create lists based on the month or a specific release date.

As new patches come out, you can use dynamic rules to automatically assess and populate patches to the appropriate lists. You can iteratively develop these lists by creating new versions. You can deploy any version of the list as needed. For more information, see Managing patches for Windows and Linux endpoints.

Superseded and superseding patches for Windows and Linux endpoints

Each patch for Windows and Linux endpoints includes a column that indicates if the patch has been superseded, or effectively replaced by a newer patch. A patch is marked as superseded when a single endpoint reports that the patch is superseded. Including superseded patches in patch lists can be useful when you want to find or install a specific patch that was superseded. For example, you might need to find or install superseded patches when they are referenced in a security advisory recommendation. Superseded patches are automatically included in block lists.

For disk space and bandwidth efficiencies, if a deployment contains both a superseded patch and the patch that supersedes it, then Patch downloads only the superseding patch (the newer patch). If a superseding patch is included in multiple deployments, Patch downloads the patch only one time. After a deployment completes, Patch removes patch files that are no longer required by any deployment on the endpoint.
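The download and cleanup rules in the two paragraphs above, modelled as an added example (this is an illustration written for this page, not Tanium's code). The supersedence map, patch identifiers and deployment names are constructed; the three functions implement exactly the rules stated: skip a patch when its superseding patch is in the same deployment, download a file once across deployments, and delete files no remaining deployment needs.

```python
"""Model of Patch's supersedence-aware download planning (constructed example)."""
from collections import defaultdict

# Constructed supersedence map: newer patch -> set of patches it replaces.
SUPERSEDES = {
    "KB-2019-03-CU": {"KB-2019-02-CU", "KB-2019-01-CU"},
    "KB-2019-02-CU": {"KB-2019-01-CU"},
}

def superseded_by(patch, supersedes=SUPERSEDES):
    """Return every patch that supersedes `patch`, directly or transitively."""
    result = set()
    for newer, older in supersedes.items():
        if patch in older:
            result.add(newer)
            result |= superseded_by(newer, supersedes)
    return result

def files_to_download(deployment, supersedes=SUPERSEDES):
    """Within one deployment, drop any patch whose superseding patch is also
    targeted, so only the newer file is fetched."""
    wanted = set(deployment)
    return {p for p in wanted if not (superseded_by(p, supersedes) & wanted)}

def plan_downloads(deployments, supersedes=SUPERSEDES):
    """Union across deployments: a file needed by several deployments is
    downloaded once. Returns {patch: {deployments that need it}}."""
    needed = defaultdict(set)
    for name, patches in deployments.items():
        for p in files_to_download(patches, supersedes):
            needed[p].add(name)
    return dict(needed)

def files_to_remove(needed, completed):
    """After the `completed` deployments finish, files that no remaining
    deployment still needs can be removed from the endpoint."""
    return {p for p, owners in needed.items() if not (owners - completed)}

# Constructed deployments: A targets an old CU plus the CU that supersedes it.
DEPLOYMENTS = {
    "A": {"KB-2019-01-CU", "KB-2019-03-CU", "KB-OTHER-1"},
    "B": {"KB-2019-03-CU", "KB-OTHER-2"},
    "C": {"KB-2019-02-CU"},
}

if __name__ == "__main__":
    needed = plan_downloads(DEPLOYMENTS)
    print("download once:", needed)
    print("remove after A completes:", files_to_remove(needed, {"A"}))
```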

For more information, see Exclude patches with block lists.

Microsoft update and servicing details

Microsoft provides software patch updates in different ways depending on the operating system of the endpoint. Microsoft changes these terms occasionally, and it is important to understand how these policies affect your patching processes.

  • Windows 10, Windows Server 2016, and Windows Server 2019
    • Feature Updates: Feature builds are essentially a new build of Windows 10. These upgrades are published twice a year with a target of March and September of each year (for example 1709, 1803, 1809, 1902, 1909). Consider the following Tanium capabilities when you select a solution for Windows feature updates.
    • 2019-XX Cumulative Update: Released monthly, a cumulative update supersedes any previous cumulative update for Windows 10. Contains all security and non-security fixes for the month and all previous months.
  • Windows 7, 8.1, 2008, 2008R2, 2012, 2012R2
    • 2019-XX Security Monthly Quality Rollup: Package is a cumulative update for current and all previous months. Only the current month will be applicable. All previous versions are superseded.
    • 2019-XX Security Only Quality Update: Security updates for the specified month only. Does not include updates from any previous month. Previous monthly updates will still be applicable and needed.
    Do not deploy both the Security Monthly Quality Rollup and the Security Only Quality Update for the same month at the same time. If both updates are targeted to an endpoint, the Windows Update Agent installs the Security Monthly Quality Rollup, and the Security Only update is ignored. The download size increases without any benefit.
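A pre-deployment lint for the servicing rules listed above, added here as an example (not Tanium's code): it parses the 2019-XX title prefix, flags months where a deployment targets both the Security Monthly Quality Rollup and the Security Only Quality Update, and lists Cumulative Updates or Monthly Rollups that an included newer month already supersedes. The patch titles and KB placeholders are constructed.

```python
"""Lint for Microsoft monthly servicing packages in a deployment (constructed example)."""
import re
from collections import defaultdict

ROLLUP = "Security Monthly Quality Rollup"
SEC_ONLY = "Security Only Quality Update"
CUMULATIVE = "Cumulative Update"
TITLE_RE = re.compile(
    rf"^(?P<month>\d{{4}}-\d{{2}}) (?P<kind>{ROLLUP}|{SEC_ONLY}|{CUMULATIVE})\b"
)

def classify(title):
    """Return (month, kind) for a monthly servicing title, else None."""
    m = TITLE_RE.match(title)
    return (m.group("month"), m.group("kind")) if m else None

def rollup_conflicts(titles):
    """Months for which the deployment holds both the Monthly Rollup and the
    Security Only update: the agent installs the rollup and the Security Only
    download is wasted."""
    kinds_by_month = defaultdict(set)
    for t in titles:
        parsed = classify(t)
        if parsed:
            kinds_by_month[parsed[0]].add(parsed[1])
    return sorted(m for m, kinds in kinds_by_month.items() if {ROLLUP, SEC_ONLY} <= kinds)

def stale_cumulative(titles):
    """Monthly Rollups / Cumulative Updates older than the newest one of the
    same kind in the deployment; only the current month is applicable."""
    months_by_kind = defaultdict(list)
    for t in titles:
        parsed = classify(t)
        if parsed and parsed[1] != SEC_ONLY:          # Security Only is not cumulative
            months_by_kind[parsed[1]].append(parsed[0])
    stale = []
    for kind, months in months_by_kind.items():
        newest = max(months)
        stale += [f"{m} {kind}" for m in months if m < newest]
    return sorted(stale)

# Constructed deployment contents (KB numbers are placeholders).
DEPLOYMENT = [
    "2019-02 Security Monthly Quality Rollup for Windows 7 (KB-constructed-1)",
    "2019-03 Security Monthly Quality Rollup for Windows 7 (KB-constructed-2)",
    "2019-03 Security Only Quality Update for Windows 7 (KB-constructed-3)",
    "2019-03 Cumulative Update for Windows 10 Version 1809 (KB-constructed-4)",
    "Microsoft .NET Framework 4.8 (KB-constructed-5)",
]

if __name__ == "__main__":
    print("same-month rollup + security-only:", rollup_conflicts(DEPLOYMENT))
    print("already superseded in this deployment:", stale_cumulative(DEPLOYMENT))
```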

Deployments for Windows and Linux endpoints

Deployments compile patches, typically from lists, and then distribute Patch packages to the target Windows and Linux computers. You can configure deployment options to set when and how patches are installed or uninstalled, including allowing Windows endpoint users to manage patches using the Self Service Client application.

For example, you might want to restart an endpoint after patches are installed to apply the changes. If a patch comes out that would normally be blocked but is needed for some reason, you can override the block list for that specific deployment rather than creating a new version of the block list. In urgent situations, you can even override a closed maintenance window.

You can choose whether to restart the endpoint after patch installation, to inform the user about the restart, and to allow the user to postpone the restart. For more information, see Deploying patches for Windows and Linux endpoints.

Deployment templates can be used to save settings for a deployment that you can issue repeatedly. For more information, see Create a deployment template.

Maintenance windows for Windows and Linux endpoints

Maintenance windows for Windows and Linux endpoints designate the permitted times that the targeted computer groups are open for patches to be installed or uninstalled. You can have multiple maintenance windows, even with overlapping times. Maintenance windows do not interfere with each other. For a patch deployment to take effect, the deployment and maintenance window times must be met.

Consider establishing a maintenance cycle that keeps your endpoints as up-to-date as possible. You can avoid many security risks with good operational hygiene. Some considerations might include coordinating with the Microsoft Patch Tuesday releases, on weekends, or outside the core work hours for your network.
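The scheduling rule from this section, as an added example (an illustration for this page, not Tanium's scheduler): installation is allowed only while the deployment is active and at least one maintenance window is open, overlapping windows simply merge, and the `override` flag stands in for the urgent-situation override of a closed window described under Deployments. The Patch Tuesday calculation is the standard second-Tuesday rule; the Friday-night window policy and all dates are constructed.

```python
"""Maintenance-window gate for a patch deployment (constructed example)."""
import calendar
from datetime import datetime, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month, when Microsoft publishes monthly updates."""
    first_weekday = calendar.weekday(year, month, 1)          # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return datetime(year, month, first_tuesday + 7)

def weekend_after_patch_tuesday(year, month, start_hour=22, hours=8):
    """Constructed policy: an 8-hour window opening on the Friday night after
    Patch Tuesday, outside core work hours."""
    friday = patch_tuesday(year, month) + timedelta(days=3)
    start = friday.replace(hour=start_hour)
    return (start, start + timedelta(hours=hours))

def in_any_window(when, windows):
    """Half-open intervals; overlapping windows behave as their union."""
    return any(start <= when < end for start, end in windows)

def may_install(when, deployment, maintenance_windows, override=False):
    """True if the deployment is active at `when` and a window is open
    (or the closed-window override is set)."""
    if not in_any_window(when, [deployment]):
        return False                     # deployment not started or expired
    return override or in_any_window(when, maintenance_windows)

# Constructed deployment period and two overlapping maintenance windows.
DEPLOYMENT = (datetime(2019, 3, 13), datetime(2019, 3, 31))
WINDOWS = [
    weekend_after_patch_tuesday(2019, 3),                    # Fri 15 22:00 - Sat 16 06:00
    (datetime(2019, 3, 16, 2), datetime(2019, 3, 16, 10)),   # overlaps the first
]

def evaluate_schedule():
    """Decisions for a few constructed moments, keyed by scenario."""
    return {
        "before_deployment": may_install(datetime(2019, 3, 12, 23), DEPLOYMENT, WINDOWS, override=True),
        "closed_window": may_install(datetime(2019, 3, 14, 23), DEPLOYMENT, WINDOWS),
        "closed_window_override": may_install(datetime(2019, 3, 14, 23), DEPLOYMENT, WINDOWS, override=True),
        "in_overlap": may_install(datetime(2019, 3, 16, 4), DEPLOYMENT, WINDOWS),
        "second_window_only": may_install(datetime(2019, 3, 16, 8), DEPLOYMENT, WINDOWS),
    }

if __name__ == "__main__":
    for scenario, allowed in evaluate_schedule().items():
        print(f"{scenario}: {'install' if allowed else 'wait'}")
```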

For more information, see Setting maintenance windows for Windows and Linux endpoints.

Linux repository snapshots

A repository snapshot captures point-in-time metadata that determines patch versions and their dependencies, and provides control over dependencies for Linux endpoint patches. Using a repository snapshot can help ensure that your production systems install the same patches as your testing systems, which reduces deployments of untested patches on production systems.

Repository snapshots are not recommended for the official CentOS mirrors. Those mirrors might not have all of the required dependencies that a snapshot lists after a certain amount of time. For best results with CentOS, create and maintain a metadata source repository and manage packages. Snapshots are not supported for Amazon Linux.

For more information, see Manage Linux repository snapshots.

macOS patching

Patch uses Apple MDM commands to manage updates on macOS endpoints. You create enforcements that include Install action MDM commands. Patch sends the enforcements to the Tanium Mac Device Enrollment shared service, which then communicates with the Tanium MDM Cloud, Apple Business Manager, and the endpoints. For more information on this communication flow, see Tanium Mac Device Enrollment User Guide: Mac Device Enrollment overview.

Patch scanning on macOS endpoints uses the Apple automatic check-in process to identify available updates. Each hour, the Tanium MDM Cloud issues the AvailableOSUpdates command to the endpoints included in mobile device groups in Mac Device Enrollment. The endpoints respond with the available updates and this information appears in the Patch > Mac Patching > Updates page. This process can take up to an hour. You then create enforcements to deploy the necessary updates.

For more information, see Managing macOS endpoints.

Self Service Client application for Windows endpoints

With the Self Service Client application, you can publish patches to Windows endpoints so that users can start a patch deployment early or completely control when patches are installed. For example, you might deploy the Self Service Client application to a manufacturing endpoint that can be patched only between manufacturing runs or an endpoint in an operating room that must be patched between surgeries.

Client Management self-service deployments and the Self Service Client application are used in conjunction with End-User Notification configurations in Tanium™ End-User Notifications 1.11.38 or later. The Self Service Client application is installed on endpoints targeted in the End-User Notification configuration.

For more information, see Managing End-User Self Service for Windows endpoints.

Interoperability with other Tanium products

Client Management works with other Tanium products to provide additional features and reporting.

Tanium™ Comply

From Comply vulnerability report results, you can open Patch to view details about the patch that resolves a reported vulnerability. You can also quickly install the patch to endpoints directly from the patch details page. For more information, see vulnerability report results in Tanium Comply User Guide: Working with reports.

Tanium™ End-User Notifications

With the Tanium End-User Notifications solution, you can notify users about deployments to Windows endpoints and configure End-User Self Service capabilities. You can create a notification message with your deployment to notify the user that the system is going to restart, and give the user the option to postpone the restart. For more information, see Tanium End-User Notifications User Guide.

Tanium™ Endpoint Configuration

With the Tanium Endpoint Configuration solution, you can enable approvals for endpoint configuration changes. For more information, see Tanium Endpoint Configuration User Guide.

Tanium™ Enforce

With Tanium™ Enforce, you can create an MDM policy with the required settings to patch macOS endpoints. For more information, see Tanium Enforce User Guide.

Tanium™ Mac Device Enrollment

With the Tanium Mac Device Enrollment solution, you can manage patching for macOS endpoints. For more information, see Tanium Mac Device Enrollment User Guide.

Tanium™ Reporting

If you have Tanium Reporting 1.12 or later, Patch uses Tanium Reporting to create the charts on the Patch Overview page. For more information, see Tanium Reporting.

Tanium™ Trends

Client Management has built-in integration with Trends for additional reporting of patch data for Windows and Linux endpoints. The Patch board shows information about missing patches, service-level-agreement (SLA) based compliance reports, time between a patch release and its installation, endpoint status, and scan errors. The following sections and panels are in the Patch board:

  • Summary
    • Patch Coverage
    • Endpoints Missing Critical or Important Patches Released Over 30 Days Ago
    • Workstations - Mean Time to Patch
    • Servers - Mean Time to Patch
  • Missing Patches
    • Missing Critical/Important Patches per Year
    • Operating Systems Missing Critical/Important Patches
    • Missing Patches by Severity - Latest
    • Missing Patches by Severity - Last 90 Days
  • SLA Based Compliance Reporting
    • Online Endpoints - Patch Compliance
    • Historical - Patch Compliance
    • Online Endpoints - 30 Day SLA Compliance
    • Historical - 30 Day SLA Compliance
  • Endpoint Status
    • Days Since Last Patch Scan
  • Errors
    • Scan Errors - Last 7 Days

For more information, see Tanium Trends User Guide: Importing the initial gallery.
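How three of the panels named above can be derived from per-endpoint patch applicability results, as an added example (constructed for this page, not the Trends board's own queries): Patch Coverage, Endpoints Missing Critical or Important Patches Released Over 30 Days Ago (the 30 Day SLA Compliance measure), and Mean Time to Patch split by workstation and server. The record layout, endpoint naming and "as of" date are assumptions.

```python
"""Patch-board style measures computed from constructed applicability records."""
from datetime import date
from statistics import mean

# Constructed records: (endpoint, patch, severity, released, installed or None)
RECORDS = [
    ("ws-01",  "KB-A", "Critical",  date(2019, 3, 12), date(2019, 3, 20)),
    ("ws-01",  "KB-B", "Important", date(2019, 2, 12), None),
    ("ws-02",  "KB-A", "Critical",  date(2019, 3, 12), date(2019, 3, 16)),
    ("ws-02",  "KB-C", "Moderate",  date(2019, 1, 8),  None),
    ("srv-01", "KB-A", "Critical",  date(2019, 3, 12), None),
]
TODAY = date(2019, 3, 25)          # constructed report date

def missing_over_sla(records, as_of=TODAY, sla_days=30):
    """Endpoints still missing a Critical or Important patch released more
    than `sla_days` ago."""
    out = set()
    for endpoint, _, severity, released, installed in records:
        if installed is None and severity in ("Critical", "Important") \
                and (as_of - released).days > sla_days:
            out.add(endpoint)
    return out

def sla_compliance(records, as_of=TODAY, sla_days=30):
    """Fraction of endpoints with no Critical/Important patch outside the SLA."""
    endpoints = {r[0] for r in records}
    return 1 - len(missing_over_sla(records, as_of, sla_days)) / len(endpoints)

def mean_time_to_patch(records, prefix):
    """Mean days from release to install for endpoints whose name starts with
    `prefix` ('ws-' workstations, 'srv-' servers); None if nothing installed."""
    days = [(installed - released).days
            for endpoint, _, _, released, installed in records
            if endpoint.startswith(prefix) and installed is not None]
    return mean(days) if days else None

def patch_coverage(records):
    """Share of applicable (endpoint, patch) rows that are already installed."""
    return sum(1 for r in records if r[4] is not None) / len(records)

if __name__ == "__main__":
    print("coverage:", patch_coverage(RECORDS))
    print("over 30-day SLA:", missing_over_sla(RECORDS))
    print("30-day SLA compliance:", sla_compliance(RECORDS))
    print("MTTP workstations:", mean_time_to_patch(RECORDS, "ws-"))
    print("MTTP servers:", mean_time_to_patch(RECORDS, "srv-"))
```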