Deploying patches

Use deployments to install or uninstall patches on a set of target computers. Deployments can run once, or be ongoing to maintain operational hygiene for computers that come online after being offline.

  • Use ongoing deployments for general patch management and manual deployments for exigent circumstances.
  • Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.

Before you begin

Organize the available patches into lists. See Create a patch list.

Create a deployment to install patches

Deployments download and install or uninstall patches on target computers. You can create a single deployment or set up ongoing deployments to ensure that offline endpoints are patched when they come online.

  • Use single deployments with a defined start and end time instead of continuously creating new deployments and manually stopping them after the patch window ends.
  • Avoid creating multiple deployments with the same patches to the same or overlapping endpoints.
  • Start with older patches first.

  1. In the Patch menu, go to Deployments > Installs and click New.

    You can also create a deployment from the Patches view. Select a group of patches and click Install.

  2. Accept the default name or provide a name for the deployment, and select an operating system.
  3. Select deployment options.
    1. Designate the deployment times and repetition pattern.

      Choose your browser time or the local time on the endpoint.

    2. Choose whether to base this deployment on a deployment template. To create a new deployment template based on this template, select Create Deployment Template. For more information, see Create a deployment template.
    3. Specify a deployment type. You can do a single deployment with a specific start and end time, or an ongoing deployment that does not have an end time.
    4. If you want the endpoints to download the patch content before the installation time, select Download immediately.

      Select this option for future deployments. If you find that endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

    5. To minimize concurrent CPU utilization and disk input/output, select Distribute over time and indicate the time.
    6. If you want to ignore patching restrictions, select Override Blacklists or Override Maintenance Windows.
    7. Select whether to restart the endpoint.
    8. (Windows endpoints only) If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User and configure the following settings. For more information, see Endpoint restarts.

      • (Optional) Configure settings that allow the end user to postpone the restart.
      • Specify the Message Content that informs the user about the restart.
      • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages.
      • To preview the window that displays the message and postponement options, click Show Preview.

      Keep the Deadline for restart value to no more than a few days. The optimal value for this setting, which helps decrease the Patch visibility metric, depends on your patching cycle; successful customers find that a Deadline for restart of less than three days is optimal.

  4. (Windows) Add one or more patch lists, including version, or add patches manually.

    Offline CAB File includes only Security Updates, Service Packs, and Update Rollups. Because other scan methods include more updates than Offline CAB File does, if you change the scan configuration technique on an active deployment from Offline CAB File to another technique, additional patches might be installed on endpoints.

    (Linux) Select whether you want to install All updates, All security updates, Patch lists, including version, or Individual patches.

    Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.

  5. Add targets.
  6. Select any or all of the following targeting methods. Click Add Target, and complete the fields as needed:

    • By Computer Group provides a drop-down list of dynamic computer groups. These groups can be included or excluded from patch applicability results, as needed.

      Computer group targeting is not available for manual groups.

    • By Targeting Question filters on all endpoints with a specific set of criteria and within the limiting groups selected from the drop-down menu of available groups. For example, you can type Operating System contains win to target all Windows endpoints within those groups. The deployment is applied to all endpoints that meet the criteria. Individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator.
    • By Computer Names uses the exact name, such as the FQDN, registered with Tanium. Names can be typed in manually, separated by commas, or uploaded as a CSV file. Limit this targeting method to 100 names or fewer to reduce the impact on the All Computers group.
  7. Preview the changes and then click Deploy.

To change the number of retries for each phase of a deployment, see Adjust the deployment retries.

Endpoint restarts

Patch can trigger a restart of any system after updates have been installed. You can choose between the following options for the restart:

  • Restart silently and immediately after deployment. This option is typically used for servers and production machines in conjunction with maintenance windows and change control processes.
  • (Windows endpoints) Notify the system user about the pending restart and give the system user the option to defer the restart for a specified amount of time. Configure the following options:

    Deadline for restart

    Specify the amount of time in minutes, hours, or days before the endpoint must be restarted. The deadline is calculated by adding this value to the time the deployment completed for each endpoint.

    Countdown to deadline

    Specify the amount of time in minutes to show the final notification before restarting the endpoint. This notification also shows a countdown until restart. If this notification is dismissed, it will reappear after one minute. Set a low value because this option is meant to signal a forced restart that cannot be postponed.

    Allow User to Postpone

    If you want to give the user an option to defer the restart for a specified amount of time, select this option. A user cannot postpone beyond the deadline.

    User Postponement Options

    Specify the amount of time in minutes, hours, or days that a user can postpone the restart.

    Message Content

    Specify the title and body of the notification message. Upload optional icon and body images for branding to avoid confusing users and to limit support calls. Enable additional languages and provide translated title and body text. Enabling additional languages requires End-User Notifications 1.6 or later and Patch 2.4.1 or later. By default, the notification displays content in the system language on the endpoints. If you enable additional languages, the user can select other languages to display. Click Show Preview to preview the notifications.
    This message is configurable. [Figure: example restart notification]

    After the deadline for restart passes, the user gets a message that they cannot postpone. [Figure: post-deadline restart notification]

End user notifications can be added to existing deployments by stopping, reconfiguring, and reissuing the deployment.

If your deployment is configured for a notification, but the endpoint does NOT have the End User Notifications Tools installed, the endpoint installs the updates, but does NOT restart. A status message is displayed in the Patch workbench about the missing tools.

If no user is logged into an endpoint, the endpoint restarts immediately after a deployment completion even if the deployment is configured for a notification.
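The following is an added example (not code from the Tanium Patch documentation) that models the restart timeline described above: the deadline is the per-endpoint completion time plus the Deadline for restart value, a user may postpone only up to that deadline, the final countdown notification appears a fixed interval before it, an endpoint with no logged-in user restarts immediately, and an endpoint without the End User Notifications tools installs but never restarts. All function, parameter and field names are assumptions of this model.

```python
from datetime import datetime, timedelta

# Added example: a model of the restart-notification timeline described above.
# Assumption: Deadline for restart, Countdown to deadline and the postponement
# option are durations measured from the per-endpoint deployment completion
# time; the function and field names are ours, not Patch's.

def restart_schedule(completed_at, deadline_for_restart, countdown, postpone_by,
                     postpone_requests, user_logged_in=True, allow_postpone=True,
                     notification_tools_installed=True):
    """Return the effective restart timeline for one endpoint.

    completed_at          when the deployment finished on this endpoint
    deadline_for_restart  added to completed_at to get the hard deadline
    countdown             how long before the deadline the final, non-postponable
                          countdown notification appears
    postpone_by           how far one postponement moves the restart
    postpone_requests     how many times the user clicks postpone
    """
    deadline = completed_at + deadline_for_restart
    # Notification configured but End User Notifications tools missing:
    # the patches install, the endpoint does not restart.
    if not notification_tools_installed:
        return {"deadline": deadline, "restart_at": None,
                "final_notice_at": None, "postponements_honored": 0}
    # No one logged in: the endpoint restarts immediately after completion.
    if not user_logged_in:
        return {"deadline": deadline, "restart_at": completed_at,
                "final_notice_at": None, "postponements_honored": 0}
    restart_at = completed_at   # restart now unless the user postpones
    honored = 0
    for _ in range(postpone_requests):
        if not allow_postpone or restart_at >= deadline:
            break               # cannot postpone at or beyond the deadline
        restart_at = min(restart_at + postpone_by, deadline)  # clamp to deadline
        honored += 1
    return {"deadline": deadline, "restart_at": restart_at,
            "final_notice_at": deadline - countdown,
            "postponements_honored": honored}


def demo_schedule(postpone_requests=5, **overrides):
    """Constructed scenario: deployment done 2024-01-01 09:00, 3-day deadline,
    15-minute countdown, user may postpone one day at a time."""
    return restart_schedule(datetime(2024, 1, 1, 9, 0), timedelta(days=3),
                            timedelta(minutes=15), timedelta(days=1),
                            postpone_requests, **overrides)
```

In the constructed scenario only three of five postponement requests take effect, because the third one already lands on the deadline and later requests cannot move the restart any further.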

Create a deployment to uninstall patches

You can uninstall any patch deployment that was started from Tanium Patch.

  1. In the Patch menu, go to Deployments > Uninstalls and click New.
  2. Accept the default name or provide a name for the deployment, and select an operating system.
  3. Select the deployment options.
    1. Designate the deployment times.

      Choose from your browser time or local time on the endpoint.

    2. Choose whether to base this deployment on a deployment template. To create a new deployment template based on this template, select Create Deployment Template. For more information, see Create a deployment template.
    3. To minimize concurrent CPU utilization and disk input/output, select Distribute over time and indicate the time.
    4. If you want to ignore patching restrictions, select Override Maintenance Windows.
    5. Select whether the endpoint must restart.
    6. (Windows endpoints only) If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User and configure the following settings. For more information, see Endpoint restarts.

      • (Optional) Configure settings that allow the end user to postpone the restart.
      • Specify the Message Content that informs the user about the restart.
      • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages.
      • To preview the window that displays the message and postponement options, click Show Preview.

      Keep the Deadline for restart value to no more than a few days. The optimal value for this setting, which helps decrease the Patch visibility metric, depends on your patching cycle; successful customers find that a Deadline for restart of less than three days is optimal.

  4. Add one or more patches.

    The applicability count in the grid is for endpoints that do not have the patch installed.

  5. Add targets.
  6. Select any or all of the following targeting methods. Click Add Target, and complete the fields as needed:

    • By Computer Group provides a drop-down list of dynamic computer groups. These groups can be included or excluded from patch applicability results, as needed.

      Computer group targeting is not available for manual groups.

    • By Targeting Question filters on all endpoints with a specific set of criteria and within the limiting groups selected from the drop-down menu of available groups. For example, you can type Operating System contains win to target all Windows endpoints within those groups. The deployment is applied to all endpoints that meet the criteria. Individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator.
    • By Computer Names uses the exact name, such as the FQDN, registered with Tanium. Names can be typed in manually, separated by commas, or uploaded as a CSV file. Limit this targeting method to 100 names or fewer to reduce the impact on the All Computers group.
  7. Preview the changes and then click Deploy.

Review deployment summary

You can get the deployment results by status, any error messages, and the deployment configuration details.

  1. In the Patch menu, click Deployments.
  2. Select Installs or Uninstalls.
  3. Select either the Active or Inactive tab.

    Expand the sections to see summary information about the deployment, such as the number of targets, patch lists, and issue details. For inactive deployments, the summary also shows whether the deployment expired or was stopped.

  4. Click the deployment name.
  5. Expand the section you want to see.
    • Install Summary shows the OS, list count, number of patches, and number of targeted computer groups. You can click on any of the numbers to jump to the corresponding sections.
    • Install Status shows the install status, the number of online endpoints, and the date and time of the last status update. The results are split out by status; expanding a status provides more information and the Interact icon to see the results by endpoint. You can also click Re-Initialize to rebuild the packages and actions that are required to ensure that the deployment is properly distributed to endpoints.
    • Error Messages include the patch list or blacklist number, a brief description, the error number, the count of affected machines, and the Interact icon to drill down. If no list number is provided, it indicates a general issue.
    • Deployment Details provides all the configuration information, including installation details, execution information, installation workflow and notifications, patch lists, and patches.
    • Targeted Computer Groups lists the targeted computer groups for the deployment.

Add targets to an existing deployment

You can add more targets to a deployment. For example, you can limit patch testing to a select computer group and then roll it out to more groups after it has been validated. All other deployment options remain the same and deployment results from the previous Install deployments are preserved.

  1. From the Patch menu, click Deployments.
  2. Select Installs or Uninstalls.
  3. Click the deployment name.
  4. Under the Install Summary, click Add.
  5. From the drop-down menu, select a computer group.
  6. Click Add.

Reissue a deployment

You can restart a stopped deployment or reissue a one-time deployment. Reissuing a deployment creates a new deployment with the same configuration and targets.

  1. From the Patch menu, click Deployments.
  2. On the Active tab, click the deployment name.
  3. Click Reissue.
  4. (Optional) Make any necessary changes.
  5. Preview the changes.
  6. Click Deploy.

Stop a deployment

You can stop a patch deployment. Stopping changes the deployment end time to now. It does not remove patches that have already completed installation.

  1. In the Patch menu, click Deployments.
  2. On the Active tab, click the deployment name.
  3. Click Stop.
  4. Go to the Inactive tab and click the deployment name to verify the status.

Adjust the deployment retries

You can change how many times Patch attempts each stage of a deployment. For example, with the default of five times, Patch tries to download the patches five times, install five times, and so on.

  1. From the Patch Home page, click Settings and then click Configuration Settings if needed.
  2. From the Retry Limit drop-down menu in the Deployment Retry Settings section, select the number of retries.
  3. In the Reset Frequency field, type in the number of hours.
  4. Click Save.

Create a deployment template

You can create an install or uninstall deployment template. This template saves settings for a deployment that you can issue repeatedly. You can either create a deployment template from the Deployment Templates menu item, or you can select an option when you create a deployment to save the options as a template.

  1. From the Patch menu, click Deployment Templates.
  2. Click either Install Template or Uninstall Template.
  3. Click Create Template, name the deployment template, and select an operating system.
  4. Select deployment options. These options are the same as the options you can configure in an individual deployment.
  5. Click Save.

Set the default deployment template

The default deployment template is applied when you create new deployments. Importing Patch with automatic configuration creates a default install deployment template for each supported operating system. You can change the default install template. After you create an uninstall deployment template, you can set it as the default template.

  1. From the Patch menu, click Deployment Templates.
  2. Click either Install Template or Uninstall Template.
  3. Click Set Default and select a template.
  4. Click Save.

Reference: Patch status

Deployment status

The following is a list of all possible deployment status groups and the sub-statuses. If there has been more than one attempt, the status might be appended with - Retry #, for example Downloading - Retry 2.

Status group and sub-statuses

Waiting
  • Waiting for Deployment Configuration File
  • Waiting for Deployment Start Time
  • Waiting for Maintenance Window
  • Waiting for Scan Configuration File

Downloading
  • Downloading
  • Downloading - Retry
  • Download Complete, Waiting for Deployment Start Time
  • Download Complete, Waiting for Maintenance Window Configuration File
  • Download Complete, Waiting for Blacklist Configuration File
  • Download Complete, Waiting for Maintenance Window
  • Download Complete, Awaiting User Acceptance (this includes user-postponed restarts)

Installing
  • Pre-Install Random Delay
  • Pre-Install Scan
  • Installing
  • Pending Restart, Waiting for Maintenance Window
  • Pending Restart, Waiting for Maintenance Window Configuration File
  • Pending Restart, Awaiting User Acceptance (this includes user-postponed restarts)
  • Pending Restart, Missing End-User Notification Tools
  • Pending Restart, End-User Notification Unsupported
  • Post-Install Scan

Complete
  • Complete, All Patches Applied / Complete, All Patches Removed
  • Complete, Some Patches Applied / Complete, Some Patches Removed (if you have exhausted your retries)
  • Error, No Patches Applied / Error, No Patches Removed
  • Error, Install Aborted / Error, Uninstall Aborted
  • Error, Deployment Ended Before Any Action Was Taken
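As an added example (not part of the Tanium documentation), the following parser maps per-endpoint deployment status strings from the table above to their status group, extracts the retry number from a "- Retry N" suffix, and flags the sub-statuses an operator should act on (missing notification tools, exhausted retries, errors). The choice of which sub-statuses need attention, and the sample status list, are constructed assumptions.

```python
import re
from collections import Counter

# Added example: parser for the deployment status strings in the table above.
# Assumption: statuses are exported as plain strings exactly as listed, optionally
# suffixed with " - Retry N". Prefix order matters: "Download Complete, Waiting
# for ..." must land in Downloading, not Waiting.
STATUS_GROUPS = (
    ("Downloading", ("Downloading", "Download Complete")),
    ("Waiting", ("Waiting for",)),
    ("Installing", ("Pre-Install", "Installing", "Pending Restart", "Post-Install")),
    ("Complete", ("Complete,", "Error,")),
)
# Sub-statuses an operator should act on rather than wait out (our choice).
ATTENTION_PREFIXES = (
    "Error,",                     # nothing applied, aborted, or ended early
    "Complete, Some Patches",     # retries exhausted with patches outstanding
    "Pending Restart, Missing End-User Notification Tools",
    "Pending Restart, End-User Notification Unsupported",
)
RETRY_RE = re.compile(r"^(?P<status>.*?)\s*-\s*Retry(?:\s+(?P<n>\d+))?$")

def parse_status(raw):
    """Return (group, sub_status, retry): retry is N from " - Retry N", 1 for a
    bare " - Retry" (assumed first retry), else 0. Unknown strings get group None."""
    text, retry = raw.strip(), 0
    m = RETRY_RE.match(text)
    if m:
        text = m.group("status")
        retry = int(m.group("n")) if m.group("n") else 1
    for group, prefixes in STATUS_GROUPS:
        if text.startswith(prefixes):
            return group, text, retry
    return None, text, retry

def summarize(statuses):
    """Count endpoints per status group and list the statuses needing action."""
    by_group, attention = Counter(), []
    for raw in statuses:
        group, sub, _retry = parse_status(raw)
        by_group[group or "Unknown"] += 1
        if sub.startswith(ATTENTION_PREFIXES):
            attention.append(sub)
    return by_group, attention

# Constructed sample of exported per-endpoint statuses (not real data).
SAMPLE_STATUSES = [
    "Downloading - Retry 2",
    "Download Complete, Awaiting User Acceptance",
    "Waiting for Maintenance Window",
    "Pending Restart, Missing End-User Notification Tools",
    "Complete, All Patches Applied",
    "Error, No Patches Applied",
]
```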

Enforcement status

Status group and sub-statuses

Blacklists and maintenance windows
  • Enforced
  • Unenforced

Scan configurations
  • Unenforced
  • Waiting For Initial Scan
  • Complete, Waiting For Next Scan
  • Downloading
  • Scanning