Deploying patches

Use deployments to install or uninstall patches on a set of target computers. Deployments can run once, or be ongoing to maintain operational hygiene for computers that come online after being offline.


Create a deployment to install patches

Deployments download and install or uninstall patches on target computers. You can create a single deployment or set up ongoing deployments to ensure that offline endpoints are patched when they come online.

  1. In the Patch menu, go to Deployments > Installs. Click New and name the deployment.

    You can also create a deployment from the Patches view. Select a group of patches and click Install.

  2. Select deployment options.
    1. Designate the deployment times and repetition pattern.

      You can choose between your browser's time and the local time on the endpoint.

    2. Choose whether to base this deployment on a deployment template. To save the options of this deployment as a new template, select Create Deployment Template. For more information, see Create a deployment template.
    3. Specify a deployment type. You can either do a single deployment with a specific start and end time, or an ongoing deployment that does not have an end time.
    4. If you want the endpoints to download the patch content before the installation time, select Download immediately.
    5. To reduce the network load, select Distribute over time and specify the time period over which to spread the deployment.

    6. To ignore patching restrictions, select Override Blacklists or Override Maintenance Windows. Both options bypass restrictions that were configured deliberately, so use them only when your change-control process allows it.
    7. Select whether to restart the endpoint. For more information, see Endpoint restarts.
    8. If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User. You can then configure settings that allow the user to postpone the restart. You also must configure the Message Content that informs the user about the restart. To preview the window that displays the message and postponement options, click Show Preview.
  3. Add one or more patch lists, including version, or add patches manually.
  4. Add targets.
  5. Select any or all of the following targeting methods. Click Add Target, and complete the fields as needed:

    • By Computer Group provides a drop-down list of all filter-based computer groups. These groups can be included or excluded from patch applicability results, as needed.

      Computer group targeting is not available for manually created groups.

    • By Targeting Question filters on all endpoints that match a specific set of criteria within the limiting groups that you select from the drop-down menu of available groups. For example, Computer Name containing win targets every endpoint in those groups whose name contains win; this matches on your naming convention, not on the operating system, so confirm the result in the preview before you deploy. The deployment is applied to all endpoints that meet the criteria; individual rows cannot be selected. If you define multiple limiting groups, they are combined with an OR operator, so an endpoint in any one of the groups is eligible.
    • By Computer Names uses the exact name, such as the FQDN, that is registered with Tanium. Type the names manually, separated by commas, or upload them as a CSV file. Limit this targeting method to 100 names or fewer to reduce the impact on the All Computers group, and use it for single deployments only.

  6. Preview the changes.
  7. Click Deploy.

To change the number of retries for each phase of a deployment, see Troubleshooting Patch.

Endpoint restarts

Patch can trigger a restart of any system after updates have been installed. You can choose between the following options for the restart: 

  • Restart silently and immediately after deployment. This option is typically used for servers and production machines in conjunction with maintenance windows and change control processes.
  • Notify the logged-in user about the pending restart and give the user the option to defer it for a specified amount of time. Configure the following options:

    Deadline for restart

    Specify the amount of time in minutes, hours, or days before the endpoint must be restarted. The deadline is calculated by adding this value to the time the deployment completed for each endpoint.

    Countdown to deadline

    Specify the amount of time in minutes, hours, or days to show the final notification before restarting the endpoint.

    Allow User to Postpone

    If you want to give the user an option to defer the restart for a specified amount of time, select this option. A user cannot postpone beyond the deadline.

    User Postponement Options

    Specify the amount of time in minutes, hours, or days that a user can postpone the restart.

    Message Content

    Specify the title and body of the notification message. Optionally upload icon and body images for branding, so that users recognize the notification and are not confused by it, which limits support calls. Click Show Preview to preview the notifications.
    This message is configurable. After the deadline for restart passes, the user gets a message that they cannot postpone.

If no user is logged in to an endpoint, the endpoint restarts immediately after the deployment completes, even if the deployment is configured for a notification.

To add end user notifications to an existing deployment, stop the deployment, reconfigure it, and reissue it.

If your deployment is configured for a notification but the client does NOT have the End User Notifications Tools installed, the endpoint installs the updates but does NOT restart. The Patch workbench shows a status message about the missing tools, and the endpoint reports the deployment status Pending Restart, Missing End-User Notification Tools.
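The restart rules above (deadline computed from the completion time on each endpoint, countdown before the deadline, postponement never beyond the deadline, immediate restart when nobody is logged in), modelled in Python as an added example. This is not Tanium's code; the policy values and the completion time are constructed, the initial scheduled restart for a notified user is assumed to be the deadline, and a postponement that would land past the deadline is assumed to be shortened to the deadline rather than refused, which the page does not specify.

```python
"""Model of the Patch end-user restart notification timeline (added example, not Tanium code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RestartPolicy:
    deadline: timedelta                 # "Deadline for restart", added to the completion time
    countdown: timedelta                # "Countdown to deadline", final notification lead time
    allow_postpone: bool = True         # "Allow User to Postpone"
    postpone_options: List[timedelta] = field(default_factory=list)  # "User Postponement Options"


@dataclass
class RestartState:
    completed_at: datetime
    deadline_at: datetime
    restart_at: datetime                # when the restart is currently scheduled
    postponements: int = 0


def schedule_restart(policy: RestartPolicy, completed_at: datetime, user_logged_in: bool) -> RestartState:
    """Initial state once the deployment has finished installing on one endpoint."""
    deadline_at = completed_at + policy.deadline
    if not user_logged_in:
        # Nobody to notify: the endpoint restarts immediately even though Notify User is set.
        return RestartState(completed_at, deadline_at, completed_at)
    # A user is notified; absent any action the restart happens at the deadline (assumption).
    return RestartState(completed_at, deadline_at, deadline_at)


def countdown_starts_at(policy: RestartPolicy, state: RestartState) -> datetime:
    """When the final, non-postponable countdown notification appears."""
    return state.deadline_at - policy.countdown


def request_postpone(policy: RestartPolicy, state: RestartState,
                     now: datetime, option: timedelta) -> Optional[datetime]:
    """Apply a user's postponement; return the new restart time, or None if refused."""
    if not policy.allow_postpone or option not in policy.postpone_options:
        return None
    if now >= state.deadline_at:
        return None  # deadline passed: the user only sees a message they cannot postpone
    # Assumption: a postponement is shortened to the deadline rather than refused.
    state.restart_at = min(now + option, state.deadline_at)
    state.postponements += 1
    return state.restart_at


def restart_is_due(state: RestartState, now: datetime) -> bool:
    return now >= state.restart_at


# Constructed policy and completion time for the walkthrough below.
EXAMPLE_POLICY = RestartPolicy(deadline=timedelta(hours=8), countdown=timedelta(hours=1),
                               postpone_options=[timedelta(hours=1), timedelta(hours=4)])
COMPLETED_AT = datetime(2018, 5, 24, 9, 0)


def walkthrough() -> dict:
    """Run one attended endpoint through the timeline and return the key instants."""
    state = schedule_restart(EXAMPLE_POLICY, COMPLETED_AT, user_logged_in=True)
    out = {"deadline": state.deadline_at,                          # 17:00
           "countdown_starts": countdown_starts_at(EXAMPLE_POLICY, state)}  # 16:00
    # 09:05: postpone by 4 hours, well inside the deadline -> 13:05.
    out["first_postpone"] = request_postpone(EXAMPLE_POLICY, state, COMPLETED_AT + timedelta(minutes=5), timedelta(hours=4))
    # 13:05: a 2 hour option is not configured -> refused, state unchanged.
    out["invalid_option"] = request_postpone(EXAMPLE_POLICY, state, datetime(2018, 5, 24, 13, 5), timedelta(hours=2))
    # 13:05: postpone by 4 hours would pass 17:00 -> clamped to the deadline.
    out["clamped_postpone"] = request_postpone(EXAMPLE_POLICY, state, datetime(2018, 5, 24, 13, 5), timedelta(hours=4))
    # 17:30: deadline has passed -> refused.
    out["late_postpone"] = request_postpone(EXAMPLE_POLICY, state, datetime(2018, 5, 24, 17, 30), timedelta(hours=1))
    out["postponements"] = state.postponements
    # An unattended endpoint restarts as soon as the deployment completes.
    out["unattended_restart"] = schedule_restart(EXAMPLE_POLICY, COMPLETED_AT, user_logged_in=False).restart_at
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the model is the two edge cases the page calls out: the deadline is per endpoint (it moves with each endpoint's completion time, not the deployment's start time), and an unattended endpoint gets no grace period at all, which matters when a server has no interactive session.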

Create a deployment to uninstall patches

You can uninstall any patch that was installed by a deployment from Tanium Patch.

  1. In the Patch menu, go to Deployments > Uninstalls. Click New and name the deployment.
  2. Select the deployment options.
    1. Designate the deployment times.

      You can choose between your browser's time and the local time on the endpoint.

    2. Choose whether you want to base this deployment on a deployment template. To create a new deployment template based on this template, select Create Deployment Template. For more information, see Create a deployment template.
    3. To reduce the network load, select Distribute over time and specify the time period over which to spread the deployment.
    4. If you want to ignore patching restrictions, select Override Maintenance Windows.
    5. Select whether the endpoint must restart. For more information, see Endpoint restarts.
    6. If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User. You can then configure settings that allow the user to postpone the restart. You also must configure the Message Content that informs the user about the restart. To preview the window that displays the message and postponement options, click Show Preview.
  3. Add one or more patches.

    The applicability count in the grid counts endpoints that do not have the patch installed; it is not the number of endpoints that the uninstall will change.

  4. Add targets.
  5. Select any or all of the following targeting methods. Click Add Target, and complete the fields as needed:

    • By Computer Group provides a drop-down list of all filter-based computer groups. These groups can be included or excluded from patch applicability results, as needed.

      Computer group targeting is not available for manually created groups.

    • By Targeting Question filters on all endpoints that match a specific set of criteria within the limiting groups that you select from the drop-down menu of available groups. For example, Computer Name containing win targets every endpoint in those groups whose name contains win; this matches on your naming convention, not on the operating system, so confirm the result in the preview before you deploy. The deployment is applied to all endpoints that meet the criteria; individual rows cannot be selected. If you define multiple limiting groups, they are combined with an OR operator, so an endpoint in any one of the groups is eligible.
    • By Computer Names uses the exact name, such as the FQDN, that is registered with Tanium. Type the names manually, separated by commas, or upload them as a CSV file. Limit this targeting method to 100 names or fewer to reduce the impact on the All Computers group, and use it for single deployments only.

  6. Preview the changes.
  7. Click Deploy.

Review deployment summary

You can review the deployment results by status, any error messages, and the deployment configuration details.

  1. In the Patch menu, click Deployments.
  2. Select Installs or Uninstalls.
  3. Select either the Active or Inactive tab.

    Expand the sections to see summary information about the deployment, such as the number of targets and lists and any issue details. For inactive deployments, the summary also shows whether the deployment expired or was stopped.

  4. Click the deployment name.
  5. Expand the section you want to see.
    • Summary shows the list count, number of patches, and number of targeted Computer Groups.
    • Install Status shows the install status and the number of online endpoints. The results are split out by status; expanding a status provides more information and the Interact icon to see the results by endpoint.
    • Error Messages include the patch list or blacklist number, a brief description, the error number, the count of affected machines, and the Interact icon to drill down. If no list number is provided, the error is a general issue rather than one tied to a specific list.
    • Deployment Details provides all the configuration information.
    • Computer Groups lists the targeted computer groups for the deployment.

Add targets to an existing deployment

You can add more targets to a deployment. For example, you can limit patch testing to a select computer group and then roll it out to more groups after it has been validated. All other deployment options remain the same and deployment results from the previous Install deployments are preserved.

  1. From the Patch menu, click Deployments.
  2. Select Installs or Uninstalls.
  3. Click the deployment name.
  4. Under the Install Summary, click Add.
  5. From the drop-down menu, select a computer group.
  6. Click Add.

Reissue a deployment

You can restart a stopped deployment or reissue a one-time deployment. Reissuing a deployment creates a new deployment with the same configuration and targets.

  1. From the Patch menu, click Deployments.
  2. On the Active tab (or the Inactive tab, for a stopped or expired deployment), click the deployment name.
  3. Click Reissue.
  4. (Optional) Make any necessary changes.
  5. Preview the changes.
  6. Click Deploy.

Stop a deployment

You can stop a patch deployment. Stopping changes the deployment end time to now. It does not remove patches that have already completed installation.

  1. In the Patch menu, click Deployments.
  2. On the Active tab, click the deployment name.
  3. Click Stop.
  4. Go to the Inactive tab and click the deployment name to verify the status.



Adjust the deployment retries

You can change how many times Patch attempts each stage of a deployment. For example, with the default of five, Patch tries to download the patches up to five times, to install them up to five times, and so on.

  1. From the Patch home page, click Settings.
  2. From the Retry Limit drop-down menu, select the number of retries.

    The default is five.

  3. In the Reset Frequency field, type in the number of hours.
  4. Click Save.

Create a deployment template

You can create an install or uninstall deployment template. This template saves settings for a deployment that you can issue repeatedly. You can either create a deployment template from the Deployment Templates menu item, or you can select an option when you create a deployment to save the options as a template.

  1. From the Patch menu, click Deployment Templates. Then, click either Install Template or Uninstall Template.
  2. Click Create Template.
  3. Specify a name for your deployment template.
  4. Select deployment options. These options are the same as the options you can configure in an individual deployment.
  5. Click Save.
  6. You can use this template when you create a deployment.

Reference: Patch status

Deployment status

The following is a list of all possible deployment status groups and the sub-statuses. If there has been more than one attempt, the status might be appended with - Retry #, for example Downloading - Retry 2.

Status group: Waiting
  • Waiting for Deployment Configuration File
  • Waiting for Deployment Start Time
  • Waiting for Maintenance Window
  • Waiting for Scan Configuration File
Status group: Downloading
  • Downloading
  • Downloading - Retry
  • Download Complete, Waiting for Deployment Start Time
  • Download Complete, Waiting for Maintenance Window Configuration File
  • Download Complete, Waiting for Blacklist Configuration File
  • Download Complete, Waiting for Maintenance Window
  • Download Complete, Awaiting User Acceptance (this includes user-postponed restarts)
Status group: Installing
  • Pre-Install Random Delay
  • Pre-Install Scan
  • Installing
  • Pending Restart, Waiting for Maintenance Window
  • Pending Restart, Waiting for Maintenance Window Configuration File
  • Pending Restart, Awaiting User Acceptance (this includes user-postponed restarts)
  • Pending Restart, Missing End-User Notification Tools
  • Pending Restart, End-User Notification Unsupported
  • Post-Install Scan
Status group: Complete
  • Complete, All Patches Applied / Complete, All Patches Removed
  • Complete, Some Patches Applied / Complete, Some Patches Removed (reported when the retries are exhausted)
  • Error, No Patches Applied / Error, No Patches Removed
  • Error, Install Aborted / Error, Uninstall Aborted
  • Error, Deployment Ended Before Any Action Was Taken
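A parser and triage pass for these status strings, as an added example that is not Tanium code. It encodes the groups and sub-statuses listed above and the "- Retry #" suffix rule, then runs over a constructed set of per-endpoint rows of the kind you would get by drilling into a status with the Interact icon. Assumptions: a bare "- Retry" suffix without a number is counted as the first retry, and the sample computer names and statuses are made up.

```python
"""Parse and triage Tanium Patch deployment status strings (added example, not Tanium code)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Status groups and sub-statuses exactly as listed in the reference table above.
STATUS_GROUPS: Dict[str, List[str]] = {
    "Waiting": [
        "Waiting for Deployment Configuration File",
        "Waiting for Deployment Start Time",
        "Waiting for Maintenance Window",
        "Waiting for Scan Configuration File",
    ],
    "Downloading": [
        "Downloading",
        "Download Complete, Waiting for Deployment Start Time",
        "Download Complete, Waiting for Maintenance Window Configuration File",
        "Download Complete, Waiting for Blacklist Configuration File",
        "Download Complete, Waiting for Maintenance Window",
        "Download Complete, Awaiting User Acceptance",
    ],
    "Installing": [
        "Pre-Install Random Delay",
        "Pre-Install Scan",
        "Installing",
        "Pending Restart, Waiting for Maintenance Window",
        "Pending Restart, Waiting for Maintenance Window Configuration File",
        "Pending Restart, Awaiting User Acceptance",
        "Pending Restart, Missing End-User Notification Tools",
        "Pending Restart, End-User Notification Unsupported",
        "Post-Install Scan",
    ],
    "Complete": [
        "Complete, All Patches Applied", "Complete, All Patches Removed",
        "Complete, Some Patches Applied", "Complete, Some Patches Removed",
        "Error, No Patches Applied", "Error, No Patches Removed",
        "Error, Install Aborted", "Error, Uninstall Aborted",
        "Error, Deployment Ended Before Any Action Was Taken",
    ],
}
_GROUP_OF = {sub: group for group, subs in STATUS_GROUPS.items() for sub in subs}

# "Downloading - Retry 2" -> base "Downloading", optional " - Retry", optional number.
_RETRY_RE = re.compile(r"^(?P<base>.*?)(?P<suffix> - Retry(?: (?P<n>\d+))?)?$")


class ParsedStatus(NamedTuple):
    group: str        # Waiting / Downloading / Installing / Complete / Unknown
    sub_status: str   # status with the retry suffix removed
    retry: int        # 0 when no retry suffix is present


def parse_status(raw: str) -> ParsedStatus:
    m = _RETRY_RE.match(raw.strip())
    base, n = m.group("base"), m.group("n")
    # Assumption: a bare "- Retry" with no number counts as the first retry.
    retry = int(n) if n else (1 if m.group("suffix") else 0)
    return ParsedStatus(_GROUP_OF.get(base, "Unknown"), base, retry)


# Sub-statuses that will not resolve on their own: the updates are installed but
# the endpoint cannot show the notification, so it never restarts.
NEEDS_ACTION = {
    "Pending Restart, Missing End-User Notification Tools":
        "installed but not restarted: End User Notifications Tools missing",
    "Pending Restart, End-User Notification Unsupported":
        "installed but not restarted: notification unsupported on this endpoint",
}


def triage(rows: List[Tuple[str, str]]) -> Dict[str, Dict]:
    """Summarize (computer name, status) rows into group counts and follow-up lists."""
    by_group: Counter = Counter()
    attention: Dict[str, str] = {}
    retrying: Dict[str, int] = {}
    for computer, raw in rows:
        p = parse_status(raw)
        by_group[p.group] += 1
        if p.retry:
            retrying[computer] = p.retry
        if p.sub_status.startswith("Error,"):
            attention[computer] = p.sub_status
        elif p.sub_status.startswith("Complete, Some Patches"):
            attention[computer] = p.sub_status + " (retries exhausted)"
        elif p.sub_status in NEEDS_ACTION:
            attention[computer] = NEEDS_ACTION[p.sub_status]
        elif p.group == "Unknown":
            attention[computer] = "unrecognized status: " + raw
    return {"by_group": dict(by_group), "attention": attention, "retrying": retrying}


# Constructed sample rows; not real Tanium output.
SAMPLE_ROWS = [
    ("ws-001.corp.example", "Complete, All Patches Applied"),
    ("ws-002.corp.example", "Downloading - Retry 2"),
    ("ws-003.corp.example", "Pending Restart, Missing End-User Notification Tools"),
    ("srv-db-01.corp.example", "Pending Restart, Waiting for Maintenance Window"),
    ("ws-004.corp.example", "Installing - Retry 5"),
    ("ws-005.corp.example", "Complete, Some Patches Applied"),
    ("ws-006.corp.example", "Waiting for Maintenance Window"),
    ("lab-07.corp.example", "Something Unexpected"),
]

if __name__ == "__main__":
    for section, content in triage(SAMPLE_ROWS).items():
        print(section, content)
```

The triage deliberately separates endpoints that are still progressing (retries, maintenance windows) from those that will never finish without intervention: the "Pending Restart, Missing End-User Notification Tools" case is the one to watch, because the patches are installed but the fix is not effective until the endpoint restarts.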

Enforcement status

Status group: Blacklists and maintenance windows
  • Enforced
  • Unenforced
Status group: Scan configurations
  • Unenforced
  • Waiting For Initial Scan
  • Complete, Waiting For Scan Interval
  • Downloading
  • Scanning

Last updated: 5/24/2018 9:03 AM