Deploying patches

Use deployments to install or uninstall patches on a set of target computers. A deployment can run once, or run on an ongoing basis so that computers that were offline are patched when they come back online.

  • Use ongoing deployments for general patch management and manual deployments for exigent circumstances.
  • Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.

Before you begin

Organize the available patches into lists. See Create a patch list.

Create a deployment template

You can create an install or uninstall deployment template. This template saves settings for a deployment that you can issue repeatedly. You can either create a deployment template from the Deployment Templates menu item, or you can select an option when you create a deployment to save the options as a template.

  1. From the Patch menu, go to Deployment Templates.
  2. Click either Create Deployment Template > Create Install Template or Create Deployment Template > Create Uninstall Template.
  3. Name the deployment template, and select an operating system.
  4. Select deployment options and click Save.
    These options are the same as the options that you can configure in an individual deployment.

Set the default deployment template

The default deployment template is applied when you create new deployments. Importing Patch with automatic configuration creates a default installation deployment template for each supported operating system. You can change the default installation template. After you create an uninstallation deployment template, you can set it as the default template.

  1. From the Patch menu, go to Deployment Templates.
  2. To set a default deployment template, select a deployment template and then click Set as Default.
  3. To remove the default designation, select a deployment template and then click Remove as Default.

Create a deployment to install patches

Deployments download and install or uninstall patches on target computers. You can create a single deployment or set up ongoing deployments to ensure that offline endpoints are patched when they come online.

  • Use single deployments with a defined start and end time instead of continuously creating new deployments and manually stopping them after the patch window ends.
  • Avoid creating multiple deployments with the same patches to the same or overlapping endpoints.
  • Start with older patches first.

  1. From the Patch menu, go to Deployments and then click Create Deployment > Create Install Deployment.

    You can also create a deployment from the Patches view. Select a group of patches and click Install.

  2. Accept the default name or provide a name for the deployment, and select an operating system.
  3. (Windows) Add one or more patch lists, including version, or add patches manually.

    Offline CAB File includes only Security Updates, Service Packs, and Update Rollups. Other scan methods return more updates than Offline CAB File does, so if you change the scan configuration technique on an active deployment from Offline CAB File to another technique, additional patches might be installed on endpoints.

    (Linux) Select whether you want to Install All Updates, Install All Security Updates, Choose Patch List, including version, or Manually Select Patches.

    Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.

  4. Add targets.

    Select either of the following targeting methods and complete the fields as needed:

    • Select Computer Groups provides a drop-down list of dynamic computer groups. These groups can be included or excluded from patch applicability results, as needed.

      Computer group targeting is not available for manual groups.

    • Set Targeting Criteria filters all endpoints that match a specific set of criteria and belong to the limiting groups that you select from the drop-down menu of available groups. For example, type Operating System contains win in the Filter Bar, or use the Filter Builder, to target all Windows endpoints within those groups. The deployment is applied to every endpoint that meets the criteria; individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator, so an endpoint in any one of them is in scope. To target endpoints by the exact name registered with Tanium, such as the FQDN, click Manual Names and type the computer names separated by commas, or click Names by CSV File and then click Upload Names to upload a CSV file.

      Target fewer than 100 computer names to reduce the impact on the All Computers group.

  5. Select deployment options.
    1. Choose whether to base this deployment on a deployment template. To save the options of this deployment as a new deployment template, select Save Deployment Options as template. For more information, see Create a deployment template.
    2. Specify a deployment frequency. You can do an ongoing deployment that does not have an end time, or a single deployment with a specific start and end time.
    3. Designate the deployment time.

      Choose the local time on the endpoint or UTC time.

    4. If you want the endpoints to download the patch content before the installation time, select the option for Download Immediately.

      Select this option for deployments that are scheduled to start in the future. If endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance so that downloads finish before the window opens.

    5. To minimize concurrent CPU utilization and disk input/output, select Enabled for the Distribute Over Time option and indicate a time.
    6. If you want to ignore patching restrictions, select Override Maintenance Windows or Override Block Lists.
    7. Select whether to restart the endpoint.
    8. (Windows endpoints only) If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User After Installing and configure the following settings. For more information, see Endpoint restarts.

      • (Optional) Configure settings that allow the end user to postpone the restart.
      • Specify the Message Content that informs the user about the restart.
      • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview.


      Keep the Duration of Notification Period to a few days at most. The optimal value depends on your patching cycle, but a value of less than three days works well for most customers and helps reduce the number of endpoints missing critical or important patches.

  6. Preview the changes and then click Deploy.

To change the number of retries for each phase of a deployment, see Adjust the deployment retries.

Endpoint restarts

Patch can trigger a restart of any system after updates have been installed. You can choose between the following options for the restart:

  • Restart silently and immediately after deployment. This option is typically used for servers and production machines in conjunction with maintenance windows and change control processes.
  • (Windows endpoints) Notify the system user about the pending restart and give the system user the option to defer the restart for a specified amount of time. Configure the following options:

    Final Countdown to Deadline

    Specify the amount of time in minutes, hours, or days to show the final notification before restarting the endpoint. This notification also shows a countdown until restart. If this notification is dismissed, it will reappear after one minute. Set a low value because this option is meant to signal a forced restart that cannot be postponed.

    Allow User to Postpone

    If you want to give the user an option to defer the restart for a specified amount of time, select this option. A user cannot postpone beyond the deadline.

    Duration of Notification Period

    Specify the amount of time in minutes, hours, or days before the endpoint must be restarted. The deadline is calculated by adding this value to the time the deployment completed for each endpoint.

    User Postponement Options

    Specify the amount of time in minutes, hours, or days that a user can postpone the restart.

    Message Content

    Specify the title and body of the notification message. Upload optional icon and body images for branding to avoid confusing users and to limit support calls. Enable additional languages and provide translated title and body text. Enabling additional languages requires End-User Notifications 1.6 or later and Patch 2.4.1 or later. By default, the notification displays content in the system language on the endpoints. If you enable additional languages, the user can select other languages to display.

    Show Countdown

    Select this option if you want the notification to show the amount of time that remains.

End user notifications can be added to existing deployments by stopping, reconfiguring, and reissuing the deployment.

If your deployment is configured for a notification, but the endpoint does NOT have the End User Notifications Tools installed, the endpoint installs the updates, but does NOT restart. A status message is displayed in the Patch workbench about the missing tools.

If no user is logged into an endpoint, the endpoint restarts immediately after a deployment completion even if the deployment is configured for a notification.
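
The restart rules above interact in ways that are easy to get wrong when planning a patch window: the deadline is fixed at deployment completion plus Duration of Notification Period, postponement is bounded by that deadline, the final countdown cannot be postponed, and endpoints with no logged-in user or without the End User Notifications tools behave differently again. The following Python model is an added example, not Tanium code; the class, field and function names (NotifyConfig, EndpointState, plan_restart, postpone, check_config) are this example's own, and "cannot postpone beyond the deadline" is modelled as clamping the postponed time to the deadline.

```python
"""Model of the restart-notification timing described under "Endpoint restarts".

Added example, not Tanium code. It encodes the documented rules: the deadline is the
endpoint's deployment completion time plus Duration of Notification Period; a user may
postpone in the configured increment but never past the deadline; Final Countdown to
Deadline is shown that long before the deadline and cannot be postponed; an endpoint with
no logged-in user restarts immediately; an endpoint without the End User Notifications
tools installs the updates but does not restart. Names are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class NotifyConfig:
    notification_period: timedelta          # Duration of Notification Period
    final_countdown: timedelta              # Final Countdown to Deadline
    allow_postpone: bool = True             # Allow User to Postpone
    postpone_increment: timedelta = timedelta(hours=4)  # User Postponement Options


@dataclass
class EndpointState:
    completed_at: datetime                  # when the deployment finished on this endpoint
    user_logged_in: bool
    eun_tools_installed: bool               # End User Notifications tools present?


@dataclass
class RestartPlan:
    action: str                             # "restart_now", "notify" or "no_restart"
    deadline: Optional[datetime] = None     # forced restart time
    final_notice_at: Optional[datetime] = None  # when the final countdown starts


def plan_restart(cfg: NotifyConfig, ep: EndpointState) -> RestartPlan:
    if not ep.eun_tools_installed:
        # Updates install, but the endpoint is left pending restart (missing tools).
        return RestartPlan("no_restart")
    if not ep.user_logged_in:
        # Nobody to notify: restart immediately after completion.
        return RestartPlan("restart_now")
    deadline = ep.completed_at + cfg.notification_period
    return RestartPlan("notify", deadline, deadline - cfg.final_countdown)


def postpone(cfg: NotifyConfig, plan: RestartPlan, now: datetime) -> datetime:
    """Time the notification reappears after the user postpones at `now`.

    The new time is capped at the deadline (modelled as clamping), and once the
    final countdown has begun postponement is refused.
    """
    if plan.action != "notify" or not cfg.allow_postpone:
        raise ValueError("postponement is not available for this endpoint")
    if now >= plan.final_notice_at:
        raise ValueError("final countdown in progress; the restart cannot be postponed")
    return min(now + cfg.postpone_increment, plan.deadline)


def dismiss_final_notice(plan: RestartPlan, now: datetime) -> datetime:
    """Dismissing the final countdown hides it for one minute; the deadline does not move."""
    return min(now + timedelta(minutes=1), plan.deadline)


def check_config(cfg: NotifyConfig) -> List[str]:
    """Sanity checks against the guidance on this page (thresholds are the page's, not Tanium defaults)."""
    warnings = []
    if cfg.notification_period >= timedelta(days=3):
        warnings.append("Duration of Notification Period should be less than three days")
    if cfg.final_countdown >= cfg.notification_period:
        warnings.append("Final Countdown to Deadline must be shorter than the notification period")
    return warnings


if __name__ == "__main__":
    cfg = NotifyConfig(timedelta(days=2), timedelta(hours=1))
    ep = EndpointState(datetime(2024, 1, 1, 9, 0), user_logged_in=True, eun_tools_installed=True)
    plan = plan_restart(cfg, ep)
    print(plan.action, "deadline", plan.deadline, "final notice", plan.final_notice_at)
    print("postpone at 06:00 on deadline day ->", postpone(cfg, plan, datetime(2024, 1, 3, 6, 0)))
    print("config warnings:", check_config(cfg))
```

Running the model with a two-day notification period shows the practical consequence: a user who postpones at 06:00 on the deadline day gets the notification back at 09:00 (the deadline), not four hours later, and a postponement attempted after 08:00 is refused because the final countdown has started.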

Create a deployment to uninstall patches

You can create an uninstall deployment to remove patches that were installed through Tanium Patch.

  1. From the Patch menu, go to Deployments and then click Create Deployment > Create Uninstall Deployment.
  2. Accept the default name or provide a name for the deployment, and select an operating system.
  3. Add one or more patches.

    Note that the applicability count in the grid counts endpoints that do not have the patch installed, not the endpoints from which the patch will be removed.

  4. Add targets.

    Select either of the following targeting methods and complete the fields as needed:

    • Select Computer Groups provides a drop-down list of dynamic computer groups. These groups can be included or excluded from patch applicability results, as needed.

      Computer group targeting is not available for manual groups.

    • Set Targeting Criteria filters all endpoints that match a specific set of criteria and belong to the limiting groups that you select from the drop-down menu of available groups. For example, type Operating System contains win in the Filter Bar, or use the Filter Builder, to target all Windows endpoints within those groups. The deployment is applied to every endpoint that meets the criteria; individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator, so an endpoint in any one of them is in scope. To target endpoints by the exact name registered with Tanium, such as the FQDN, click Manual Names and type the computer names separated by commas, or click Names by CSV File and then click Upload Names to upload a CSV file.

      Target fewer than 100 computer names to reduce the impact on the All Computers group.

  5. Select the deployment options.
    1. Choose whether to base this deployment on a deployment template. To save the options of this deployment as a new deployment template, select Save Deployment Options as template. For more information, see Create a deployment template.
    2. Specify a deployment frequency. You can do an ongoing deployment that does not have an end time, or a single deployment with a specific start and end time.
    3. Designate the deployment time.

      Choose either the local time on the endpoint or UTC.

    4. To minimize concurrent CPU utilization and disk input/output, select Enabled for the Distribute Over Time option and indicate a time.
    5. If you want to ignore patching restrictions, select Override Maintenance Windows.
    6. Select whether to restart the endpoint.
    7. (Windows endpoints only) If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User After Installing and configure the following settings. For more information, see Endpoint restarts.

      • (Optional) Configure settings that allow the end user to postpone the restart.
      • Specify the Message Content that informs the user about the restart.
      • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview.


      Keep the Duration of Notification Period to a few days at most. The optimal value depends on your patching cycle, but a value of less than three days works well for most customers and helps reduce the number of endpoints missing critical or important patches.

  6. Preview the changes and then click Deploy.

Review deployment summary

You can view deployment results by status, any error messages, and the deployment configuration details.

  1. From the Patch menu, go to Deployments.
  2. Select either the Active or Inactive tab.

    Expand the sections to see summary information about the deployment, such as applicability and targeted groups.

  3. Click the deployment name.
  4. Expand the section you want to see.
    • Summary shows the status, link to deployment results, OS, online endpoints, and information about the last time the status or initialization was updated.
    • Error Messages include any error messages.
    • Target lists the targeted computer groups for the deployment.
    • Deployment Details provides all the configuration information, including installation details, execution information, installation workflow and notifications, patch lists, and patches.
    • Install or Uninstall Workflow and Notifications has the information about the installation or uninstallation workflow. You can click Show to preview the restart notification.
    • Patch Lists in this Deployment lists any patch lists.
    • Patches (Manual and Rule Based) shows the list of patches.

Add targets to an existing deployment

You can add more targets to a deployment. For example, you can limit patch testing to a select computer group and then roll it out to more groups after it has been validated. All other deployment options remain the same and deployment results from the previous installation deployments are preserved.

  1. From the Patch menu, go to Deployments.
  2. Click the deployment name.
  3. In the Target section, click either Set Computer Groups or Set Targeting Criteria.

You cannot remove targets from active deployments. To remove a target from a deployment, you must stop the deployment and create a new deployment without that target.

Stop a deployment

You can stop a patch deployment. Stopping changes the deployment end time to now. It does not remove patches that have already completed installation.

  1. From the Patch menu, go to Deployments.
  2. Click the deployment name and then click Stop.
  3. Go to the Inactive tab and click the deployment name to verify the status.

Reissue a deployment

You can reissue a stopped deployment or a one-time deployment that has ended. Reissuing creates a new deployment with the same configuration and targets.

  1. From the Patch menu, go to Deployments and then click Inactive.
  2. Click the deployment name and then click Reissue.
  3. (Optional) Make any necessary changes.
  4. Preview the changes and then click Deploy.

Adjust the deployment retries

You can change how many times Patch attempts each stage of a deployment. For example, with the default of five, Patch tries to download the patches up to five times, tries the installation up to five times, and so on.

  1. On the Patch Overview page, click Settings and then click Configuration Settings if needed.
  2. In the Deployment Retry Settings section, select the number of retries from the Retry Limit drop-down menu.
  3. In the Reset Frequency field, type in the number of hours and then click Save.

Reference: Patch status

Deployment status

The following is a list of all possible deployment status groups and the sub-statuses. If there has been more than one attempt, the status might be appended with - Retry #, for example Downloading - Retry 2.

Status group / Sub-statuses
Not Applicable
  • Not Applicable [1][2]
  • Not Targeted [2]
Waiting
  • Waiting for Deployment Start Time
  • Waiting for Maintenance Window
  • Waiting for Deployment Configuration File
  • Waiting for Scan Configuration File
  • Waiting for Block List Configuration File
Downloading
  • Downloading
  • Download Complete, Waiting for Deployment Start Time
  • Download Complete, Waiting for Maintenance Window
  • Download Complete, Waiting for Block List Configuration File
  • Download Complete, Waiting for Maintenance Window Configuration File
  • Download Complete, Awaiting User Acceptance (this includes user-postponed restarts)
  • Unable to Download
Installing
  • Pre-Install Random Delay
  • Pre-Install Scan
  • Installing
  • Pending Restart, Waiting for Maintenance Window
  • Pending Restart, Waiting for Maintenance Window Configuration File
  • Pending Restart, Awaiting User Acceptance (this includes user has postponed)
  • Pending Restart, Missing End-User Notification Tools
  • Pending Restart, End-User Notification Unsupported
  • Post-Install Scan
Uninstalling
  • Pre-Uninstall Random Delay
  • Uninstalling
  • Pending Restart, Waiting for Maintenance Window
  • Pending Restart, Waiting for Maintenance Window Configuration File
  • Pending Restart, Awaiting User Acceptance (this includes user has postponed)
  • Pending Restart, Missing End-User Notification Tools
  • Pending Restart, End-User Notification Unsupported
  • Post-Uninstall Scan
Complete
  • Complete, All Patches Applied
  • Complete, Some Patches Applied (if you have exhausted your retries)
  • Error, No Patches Applied
  • Complete, All Patches Removed
  • Complete, Some Patches Removed (if you have exhausted your retries)
  • Error, No Patches Removed
  • Error, Install Aborted
  • Error, Uninstall Aborted
  • Error, Deployment Ended Before Any Action Was Taken

[1] Windows endpoints return deployment statuses only for targeted endpoints. If a Windows endpoint returns the Not Applicable status, the deployment targets that endpoint but has no applicable patches for it.

[2] Linux endpoints return the Not Applicable status when the deployment has no applicable patches for that endpoint. If a Linux endpoint returns the Not Targeted status, the endpoint is not targeted by the deployment.
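
When deployment results are exported for triage, the status strings above have to be parsed back into their group, sub-status and retry count, and the "Pending Restart, ..." sub-statuses are ambiguous on their own because they appear under both Installing and Uninstalling. The following Python is an added example, not Tanium code: it encodes the table above (the table's parenthetical notes are not part of the strings), resolves the Installing/Uninstalling ambiguity from the deployment kind, and flags endpoints that will not recover without operator action. The sample export rows are constructed, the "Computer Name" and "Status" column names are an assumption about the export format, and the retry_warn threshold is a local choice rather than a Tanium setting.

```python
"""Parse and triage Tanium Patch deployment status strings.

Added example, not Tanium code. Status groups and sub-statuses are those listed in
the table above; the "- Retry #" suffix is the documented form. SAMPLE_EXPORT is
constructed sample data and its column names are an assumption.
"""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# "Pending Restart" sub-statuses are shared by the Installing and Uninstalling groups.
PENDING_RESTART = ["Pending Restart, Waiting for Maintenance Window",
                   "Pending Restart, Waiting for Maintenance Window Configuration File",
                   "Pending Restart, Awaiting User Acceptance",
                   "Pending Restart, Missing End-User Notification Tools",
                   "Pending Restart, End-User Notification Unsupported"]

STATUS_GROUPS: Dict[str, List[str]] = {
    "Not Applicable": ["Not Applicable", "Not Targeted"],
    "Waiting": ["Waiting for Deployment Start Time", "Waiting for Maintenance Window",
                "Waiting for Deployment Configuration File", "Waiting for Scan Configuration File",
                "Waiting for Block List Configuration File"],
    "Downloading": ["Downloading", "Download Complete, Waiting for Deployment Start Time",
                    "Download Complete, Waiting for Maintenance Window",
                    "Download Complete, Waiting for Block List Configuration File",
                    "Download Complete, Waiting for Maintenance Window Configuration File",
                    "Download Complete, Awaiting User Acceptance", "Unable to Download"],
    "Installing": ["Pre-Install Random Delay", "Pre-Install Scan", "Installing",
                   *PENDING_RESTART, "Post-Install Scan"],
    "Uninstalling": ["Pre-Uninstall Random Delay", "Uninstalling",
                     *PENDING_RESTART, "Post-Uninstall Scan"],
    "Complete": ["Complete, All Patches Applied", "Complete, Some Patches Applied",
                 "Error, No Patches Applied", "Complete, All Patches Removed",
                 "Complete, Some Patches Removed", "Error, No Patches Removed",
                 "Error, Install Aborted", "Error, Uninstall Aborted",
                 "Error, Deployment Ended Before Any Action Was Taken"],
}

RETRY_RE = re.compile(r"^(?P<base>.+?)\s+-\s+Retry\s+(?P<n>\d+)$")


class Status(NamedTuple):
    group: str
    substatus: str
    retry: int


def parse_status(raw: str, kind: str = "install") -> Status:
    """Split e.g. 'Downloading - Retry 2' into (group, sub-status, retry count).

    'Pending Restart, ...' strings belong to both Installing and Uninstalling, so the
    deployment kind ("install" or "uninstall") decides which group is reported.
    """
    text, retry = raw.strip(), 0
    m = RETRY_RE.match(text)
    if m:
        text, retry = m.group("base"), int(m.group("n"))
    groups = [g for g, subs in STATUS_GROUPS.items() if text in subs]
    if len(groups) > 1:
        want = "Uninstalling" if kind == "uninstall" else "Installing"
        groups = [g for g in groups if g == want] or groups
    return Status(groups[0] if groups else "Unknown", text, retry)


# Sub-statuses that will not resolve on their own: hard errors, partial success after
# retries were exhausted, and restarts blocked by missing or unsupported notification tools.
ATTENTION_PREFIXES = ("Error,", "Unable to Download", "Complete, Some Patches",
                      "Pending Restart, Missing End-User Notification Tools",
                      "Pending Restart, End-User Notification Unsupported")


def needs_attention(status: Status, retry_warn: int = 3) -> bool:
    """True for unrecognised strings, the prefixes above, or >= retry_warn retries (local threshold)."""
    return (status.group == "Unknown"
            or status.substatus.startswith(ATTENTION_PREFIXES)
            or status.retry >= retry_warn)


# Constructed sample export; real rows would come from the deployment results view.
SAMPLE_EXPORT = """Computer Name,Status
"ws-001.example.com","Complete, All Patches Applied"
"ws-002.example.com","Downloading - Retry 2"
"ws-003.example.com","Pending Restart, Missing End-User Notification Tools"
"srv-010.example.com","Not Applicable"
"ws-004.example.com","Unable to Download - Retry 4"
"ws-005.example.com","Error, Install Aborted"
"""


def load_statuses(csv_text: str, kind: str = "install") -> List[Tuple[str, Status]]:
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["Computer Name"], parse_status(row["Status"], kind)) for row in reader]


def summarize(entries: List[Tuple[str, Status]]) -> Counter:
    """Endpoints per status group, the same grouping the status table uses."""
    return Counter(status.group for _, status in entries)


def attention_list(entries: List[Tuple[str, Status]]) -> List[str]:
    return sorted(name for name, status in entries if needs_attention(status))


if __name__ == "__main__":
    rows = load_statuses(SAMPLE_EXPORT)
    print(dict(summarize(rows)))
    print("needs attention:", attention_list(rows))
```

Note that the "Error, ..." sub-statuses count toward the Complete group, as in the table, so a group summary alone hides failures; the attention list is what an operator should act on. An unrecognised string is flagged rather than silently dropped, so a product update that adds a new sub-status shows up instead of disappearing from the triage.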

Enforcement status

Status group / Sub-statuses
Block lists and maintenance windows
  • Enforced
  • Unenforced
Scan configurations
  • Unenforced
  • Waiting For Initial Scan
  • Complete, Waiting For Next Scan
  • Downloading
  • Scanning