Downloading Windows patches in an air-gapped environment

When your Tanium Server is in an air-gapped environment, the server cannot download patches from the internet. Instead, you must configure Patch to install patches from an alternate file location on an authorized local server that is accessible to the endpoints within the air-gapped environment.

Before you begin

If you want to configure a UNC share on a Tanium Appliance, you must add an authentication user for TDownloader as described in the Tanium Appliance User Guide: Add an authentication user for TDownloader.

Configure patches for Windows endpoints

1. From the Patch menu, go to Scan Management and then click Airgap Configuration.

   The Airgap Configuration settings can be used only with the Offline CAB File scan technique. For more information, see Windows scan techniques.

2. Define the alternate location for patch files on the local network.
   1. Select Enable Settings for Airgap - Windows.
   2. Provide an Alternate Patch File Location where all air-gapped files are staged and then click Save.

      • The network location that you specify must be accessible by the Tanium Server. To use a UNC path or a credential-protected URL, configure the settings based on the Tanium Server version and operating system.

        • Tanium Server 7.5.3.3503 and later: You must configure a downloads authentication entry for the UNC path or credential-protected URL. For information about configuring a downloads authentication entry, see Tanium Console User Guide: Managing downloads authentication.
        • (TanOS) Tanium Server earlier than 7.5.3.3503: You must configure credentials in the TanOS Tanium Operations menu. For information, see Tanium Appliance Deployment Guide: Add an authentication user for TDownloader
        • (Windows) Tanium Server earlier than 7.5.3.3503: You must configure the Tanium Server service account to run as a Windows user with sufficient permissions. For information, see Tanium Appliance Deployment Guide: Add an authentication user for TDownloader
      • Tanium does not support hidden or administrative shares.
   3. From the Main menu, go to Administration > Permissions > Allowed URLs to verify that the configured alternate Patch file location is listed.
3. In the Download Airgap Utility section, click Download Utility to download the airgap-downloader.exe utility.

   You must run this utility on a Windows computer that can access the internet.

4. In the Generate Download Manifest section, select the Include CAB File and Include MS-CVEs.dat File options and then use the filters to create a list of patches to use in the air-gapped environment. For example, you can filter on a specific patch list, or you can filter only for Windows patches released during the past month that are applicable and have not been superseded.
5. In the list that you generate, select individual patches to include, or hold the Shift key and then select multiple patches.
6. Click Download Manifest to generate a file that contains a list of URLs for patch files that you will download and use to patch the air-gapped endpoints.

   A urls.txt file is downloaded to your computer. For example:
   

   http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab
   https://content.tanium.com/files/hosted_dats/MS-CVEs.dat
   https://content.tanium.com/files/windows-patch/wsusscn2.json

7. Use the urls.txt file that you generated from the Tanium Server to download files from a computer that is connected to the internet.
   1. Copy the urls.txt and airgap-downloader.exe files to a computer that is connected to the internet and open a command prompt to that directory.
   2. To download the package files from sources contained in urls.txt, run:

      airgap-downloader.exe download_files --no_rename

      If the urls.txt and airgap-downloader.exe files are not in the same directory, you must also include the --urls_source option.

      The command downloads the files in the list and generates a results.zip archive that contains:

      • The downloaded files
      • A manifest results.txt

   3. Extract the contents of the results.zip file to the root of the alternate Patch file location that you defined on the local network.

Verify the configuration

To verify that air gap was configured correctly, you can confirm the following:

1. Verify that the Tanium Server has the staged files:
   1. From the Main menu, go to Administration > Content > Packages.
   2. Select the Patch - External File References - Windows package and click Edit Selected .
   3. In the Files section, click wsusscn2.cab and verify that the SHA-256 field has a non-empty hash value.
   4. Click MS-CVEs.dat and verify that the SHA-256 field has a non-empty hash value.
2. Verify that the Windows endpoints can scan against the staged files:
   1. From the Main menu, go to Modules > Patch.
   2. In the Scan Source Details section, verify that the hash value in the Microsoft Offline CAB File Information matches the value in step 1c.