Downloading Windows patches in an air-gapped environment

For Tanium Cloud, the Tanium Server is not in an air-gapped environment.

When your Tanium Server is in an air-gapped environment, the server cannot download patches from the internet. Instead, you must configure Patch to install patches from an alternate file location on an authorized local server that is accessible to the endpoints within the air-gapped environment.

Before you begin

If you want to configure a UNC share on a Tanium Appliance, you must add an authentication user for TDownloader as described in the Tanium Appliance User Guide: Add an authentication user for TDownloader.

Configure patches for Windows endpoints

  1. From the Patch menu, go to Scan Management and then click Airgap Configuration.

    The Airgap Configuration settings can be used only with the Offline CAB File scan technique. For more information, see Windows scan techniques.

  2. Define the alternate location for patch files on the local network.
    1. Select Enable Settings for Airgap - Windows.
    2. Provide an Alternate Patch File Location where all air-gapped files are staged and then click Save.
    3. From the Main menu, go to Administration > Permissions > Allowed URLs to verify that the configured alternate Patch file location is listed.
  3. In the Download Airgap Utility section, click Download Utility to download the airgap-downloader.exe utility.

    You must run this utility on a Windows computer that can access the internet.

  4. In the Generate Download Manifest section, select the Include CAB File and Include MS-CVEs.dat File options and then use the filters to create a list of patches to use in the air-gapped environment. For example, you can filter on a specific patch list, or you can filter only for Windows patches released during the past month that are applicable and have not been superseded.
  5. In the list that you generate, select individual patches to include, or hold the Shift key and then select multiple patches.
  6. Click Download Manifest to generate a file that contains a list of URLs for patch files that you will download and use to patch the air-gapped endpoints.

    A urls.txt file is downloaded to your computer. For example:

  7. Use the urls.txt file that you generated from the Tanium Server to download files from a computer that is connected to the internet.
    1. Copy the urls.txt and airgap-downloader.exe files to a computer that is connected to the internet and open a command prompt to that directory.
    2. To download the package files from sources contained in urls.txt, run:
      airgap-downloader.exe download_files --no_rename

      If the urls.txt and airgap-downloader.exe files are not in the same directory, you must also include the --urls_source option.

      The command downloads the files in the list and generates a archive that contains:

      • The downloaded files
      • A manifest results.txt
    3. Extract the contents of the file to the root of the alternate Patch file location that you defined on the local network.

Verify the configuration

To verify that air gap was configured correctly, you can confirm the following:

  1. Verify that the Tanium Server has the staged files:
    1. From the Main menu, go to Administration > Content > Packages.
    2. Select the Patch - External File References - Windows package and click Edit Selected .
    3. In the Files section, click and verify that the SHA-256 field has a non-empty hash value.
    4. Click MS-CVEs.dat and verify that the SHA-256 field has a non-empty hash value.
  2. Verify that the Windows endpoints can scan against the staged files:
    1. From the Main menu, go to Modules > Patch.
    2. In the Scan Source Details section, verify that the hash value in the Microsoft Offline CAB File Information matches the value in step 1c.