Enforcing scan configurations

The list of available patches comes from scanning the endpoints in your network. A scan configuration determines the scanning technique and frequency, and it is enforced by targeting one or more computer groups.

For Windows endpoints, the available scanning techniques include the offline CAB file (recommended), online Microsoft Windows Update, Windows Server Update Services (WSUS) Scan, and Tanium Scan.

For Windows scan configurations, you can let isolated endpoints download patch files directly from Microsoft instead of from the Tanium Server, which reduces the load on the Tanium Server and on the internal network. An isolated endpoint is a Tanium Client that has no peer Tanium Clients. To download directly from Microsoft, an isolated endpoint must connect through one of the Tanium Zone Servers, or from one of the split-tunnel VPN IP address ranges, that you configure for direct downloads. For more information, see Enable direct patch downloads from Microsoft.

For Linux endpoints, the available scanning techniques include Repository Scan and Tanium Scan.

Windows scan techniques

Offline CAB file

The CAB file is stored locally by the Tanium Client and contains cumulative security and quality patches for all products in the Microsoft Update Catalog, including Windows and Office. The Patch Home page shows the latest status of the offline CAB file. The active CAB file is the most recent file published by Microsoft that Patch has verified; Patch uses only the active CAB file for scan configurations, and a rejected CAB file is never pushed to a computer group. Patch checks for an updated CAB file every hour. Click Update CAB to force a download outside of the normal schedule.

Figure 1: Example CAB file status

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.
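The following script is an added example, not code from Tanium Patch, that shows the two things an offline CAB scan technique does on the endpoint: it refuses to use a CAB file whose Authenticode chain is not valid and issued to Microsoft (the "rejected" state above), and it runs a Windows Update Agent (WUA) scan against the CAB without contacting Microsoft. It assumes the CAB is a WUA-compatible offline scan package in the wsusscn2.cab format that Microsoft publishes; the path is a placeholder, not the Tanium Client's storage location.

```powershell
# Added example, not code from Tanium Patch: verify an offline scan CAB's signature
# before trusting it, then run a Windows Update Agent (WUA) offline scan against it.
# Assumptions: the CAB is a WUA-compatible offline scan package (the wsusscn2.cab
# format Microsoft publishes); the path below is a placeholder, not the Tanium
# Client's storage location. Run in an elevated PowerShell session.
param(
    [string]$CabPath = 'C:\Temp\wsusscn2.cab'   # assumed path
)

function Test-ScanCab {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "CAB not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Only a valid chain whose leaf is issued to Microsoft counts as "verified";
    # anything else is treated like a rejected CAB and is never scanned.
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')
    }
}

function Invoke-OfflineCabScan {
    param([string]$Path)
    $session = New-Object -ComObject Microsoft.Update.Session
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager
    # Register the CAB as a scan source (flags value 1, as in Microsoft's published
    # offline-scan sample); it is removed again in the finally block.
    $service = $manager.AddScanPackageService('Offline Sync Service', $Path, 1)
    try {
        $searcher = $session.CreateUpdateSearcher()
        $searcher.ServerSelection = 3                 # ssOthers: use the ServiceID below
        $searcher.ServiceID       = $service.ServiceID
        $searcher.Online          = $false            # never contact Microsoft
        $result = $searcher.Search('IsInstalled=0')   # missing updates only
        foreach ($update in $result.Updates) {
            [pscustomobject]@{
                Title    = $update.Title
                KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Severity = $update.MsrcSeverity
            }
        }
    } finally {
        $manager.RemoveService($service.ServiceID)    # leave no extra update source behind
    }
}

$check = Test-ScanCab -Path $CabPath
if (-not $check.Trusted) {
    throw "Rejecting CAB: status=$($check.Status) signer='$($check.Signer)'"
}
Invoke-OfflineCabScan -Path $CabPath | Sort-Object Severity, Title | Format-Table -AutoSize
```

The signature check is the part worth keeping in mind: a scan source that is accepted without verification would let anyone who can write the file decide which updates an endpoint believes it is missing, so the CAB is rejected before the WUA ever opens it.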

Online to Microsoft Windows Update

This option creates additional network traffic between each Tanium Client and Microsoft, and it covers Windows operating system updates only. The full range of patches is available for the Windows operating system:

  • Critical patches
  • Cumulative security and quality patches
  • Non-security and optional updates

The Offline CAB file technique includes only Security Updates, Service Packs, and Update Rollups. Because the other scan techniques include more update types, switching the technique of an active deployment from Offline CAB file to another technique can cause additional patches to be installed on endpoints. Check the deployment's patch list before you switch.

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.

Tanium Scan

If you are using a WSUS server or other WSUS-like server to patch your Windows endpoints, consult your TAM for best practices on implementing Tanium Scan for Windows.

Tanium Scan for Windows allows Patch to assess all Microsoft products (excluding Microsoft Office 365 Client) and update classifications (excluding Drivers, Definition Updates, and Upgrades) on supported Windows 7 or later endpoints. The Patch service on the Module Server synchronizes update metadata and detection rules from Microsoft Update or from a Microsoft WSUS server.

After the update metadata and detection rules are synchronized, the Patch service distributes the relevant portion of this data, as a client database file, to applicable endpoints on the network. The Windows Update Agent on each endpoint performs the scan against the selected products and classifications and returns the results as applicable and not-applicable patches.

Tanium Scan for Windows is much less resource intensive than the offline CAB file scan and provides more robust scan results. It does not rely on each endpoint having network access to Microsoft Update or to a local WSUS server, because only the Module Server synchronizes with those sources. For more information about Tanium Client requirements, see Requirements.

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.

Enable Tanium Scan for Windows

  1. From the Patch Home page, click Settings .
  2. In the Tanium Scan for Windows tab, select Enable Tanium Scan for Windows and click Save.
  3. Click Perform Initial Synchronization to perform the required initial synchronization.
  4. Select products to include in scans or select Available Products to select all current and future products.

    Synchronize all products, regardless of which products are present in the environment. Selectively choosing products can cause gaps in patch visibility.

  5. Select update classifications or select Available Classifications to select all classifications.

    Select Critical Updates, Security Updates, Service Packs, and Update Rollups.

  6. Select Enable Daily Synchronization if you want to synchronize daily and click Save.

    Click Synchronize Now after you save any changes.

WSUS Scan

Using WSUS servers for patching makes the full range of patch types available for all products in the Microsoft Update Catalog, including Windows and Office. However, some additional configuration is required: the Tanium Client must be able to contact the WSUS server, and patches must be approved on the WSUS server before endpoints can download them.

The guidelines about how many clients a WSUS server can support are similar to the Microsoft guidelines for SCCM: up to 150,000 clients per WSUS server. See Microsoft Docs: Size and scale numbers for System Center Configuration Manager.

If enabled in Configuration Settings, this scan technique supports direct download of patches from Microsoft to isolated endpoints. For more information, see Enable direct patch downloads from Microsoft.

Configure WSUS Scan

  1. Add the WSUS Server URL to the whitelist.
    1. From the Patch Home page, go to Settings.
    2. In the Configuration Settings tab, WSUS Server Configuration section, enter the URL and click Submit.
    3. A regular expression that matches the URL is generated and added to the whitelist. Click View Whitelisted URLs, or go to Administration > Whitelisted URLs, to view the entry that was added.
  2. In the Windows Update Group Policy settings that apply to the WSUS-managed endpoints, change the following:
    • Set the intranet URL for detecting updates and the statistics server to http://<WSUS server URL>:<port>.
    • Disable the Configure Automatic Updates setting, so that the Windows Update Agent scans against WSUS but does not install updates on its own.
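The script below is an added example, not Tanium tooling, that writes the two endpoint-side policy settings from step 2 as the registry values the corresponding Group Policy settings produce, and then reads them back so you can verify a test endpoint. The WSUS server name and port are assumptions; in production, deliver the same values through Group Policy rather than by script.

```powershell
# Added example, not Tanium tooling: apply the endpoint-side Windows Update policy
# that WSUS Scan relies on as registry values (the same values the "Specify intranet
# Microsoft update service location" and "Configure Automatic Updates" Group Policy
# settings write), then read the result back. Server name and port are assumptions.
# Run elevated on a test endpoint.
param(
    [string]$WsusServer = 'wsus.corp.example',   # assumed name
    [int]$Port = 8530                            # WSUS default HTTP port (8531 for HTTPS)
)
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Set-WsusClientPolicy {
    param([string]$Url)
    foreach ($key in @($wuKey, $auKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Intranet update service location: detection URL and statistics (reporting) URL.
    Set-ItemProperty -Path $wuKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $Url -Type String
    Set-ItemProperty -Path $auKey -Name UseWUServer    -Value 1    -Type DWord
    # Configure Automatic Updates = Disabled: the agent scans against WSUS but does
    # not download or install on its own, so Patch stays the only installer.
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate   -Value 1    -Type DWord
}

function Get-WsusClientPolicy {
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        NoAutoUpdate   = $au.NoAutoUpdate
        # Flag cleartext HTTP: update metadata fetched over http:// can be altered
        # by an on-path attacker, so an HTTPS WSUS URL is the safer choice.
        CleartextHttp  = [bool]($wu.WUServer -like 'http://*')
    }
}

Set-WsusClientPolicy -Url "http://${WsusServer}:${Port}"
Get-WsusClientPolicy
# Ask the agent to re-read policy and re-detect against the new server.
& wuauclt.exe /resetauthorization /detectnow
```

The CleartextHttp field is there as a prompt: the URL form in step 2 is plain HTTP, and WSUS can also serve clients over HTTPS (port 8531 by default), which keeps the update metadata the client trusts from being rewritten on the path. After the values are in place, the Windows Update Agent should report to the WSUS server, and the endpoint should appear in the WSUS console with the approved updates available to it.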

Enable direct patch downloads from Microsoft

For Windows scan configurations, you can enable isolated remote endpoints to download patches directly from Microsoft. This option reduces the load on the Tanium Server and the internal network. If a direct download fails, the endpoint falls back to downloading the patches from the Tanium Server.

Cautions and considerations

Endpoints must be in a list of virtual private network (VPN) subnets or allowed Zone Servers that you configure. Only configure VPN ranges where clients have a direct path to the Microsoft URLs that are listed in Internet URLs. The following configurations are recommended:

  • Define the IP address ranges that endpoints use when they connect to Tanium over a split-tunnel VPN that has a separate route to the Internet. Isolated endpoints within these ranges attempt to download patches directly from Microsoft.
  • Define the public IP addresses or Internet-resolvable fully qualified domain names of Internet-facing Zone Servers. Isolated Tanium Clients that are connected to these Zone Servers attempt to download patches directly from Microsoft.

Do not specify the following VPNs or Zone Servers:

  • Split-tunnel VPNs where endpoints still send traffic bound for Microsoft URLs through the internal corporate network.
  • Full-tunnel VPNs.
  • Zone Servers that are used in an internal security zone.

In these cases Microsoft-bound traffic either still crosses the corporate network or has no route at all, so direct downloads save no network resources and, when they fail, only add delay before the fallback to the Tanium Server.

Clients that use a WSUS Scan configuration download from the location that WSUS defines. Do not enable direct downloads for a WSUS Scan configuration unless the WSUS server is configured to have clients download patches from Microsoft instead of storing them locally. For more information about how to specify where updates are stored, see the Microsoft article Update storage options.

  1. From the Patch Home page, click Settings .
  2. Click the Configuration Settings tab, and in the Patch Direct Downloads section, specify network information:
    1. Click VPN Networks, Zone Servers, or both.
    2. Add one or more networks or servers, or, if previously created, choose from the list.
  3. Click Save.
  4. If prompted, provide your credentials, and confirm the action.
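Before adding a VPN range, it helps to confirm from an endpoint on that VPN that Microsoft-bound traffic really leaves through the local Internet interface. The following script is an added example, not part of Tanium Patch: it resolves each Microsoft host, asks the Windows routing table which interface would carry the traffic, and tests TCP 443. The host names and the VPN adapter name patterns are assumptions; substitute the Microsoft URLs listed under Internet URLs and the adapter name your VPN client creates.

```powershell
# Added example, not part of Tanium Patch: run on a VPN-connected endpoint to check
# whether traffic to Microsoft download hosts egresses through the local Internet
# interface (split tunnel with a direct path, eligible for direct downloads) or
# through the VPN adapter (full tunnel, or a split tunnel that still routes
# Microsoft-bound traffic inside the corporate network). Host names and VPN
# adapter name patterns are assumptions.
param(
    [string[]]$Hosts = @('download.windowsupdate.com', 'catalog.update.microsoft.com'),  # assumed
    [string[]]$VpnAdapterPatterns = @('*VPN*', '*AnyConnect*', '*GlobalProtect*')        # assumed
)

function Test-DirectMicrosoftPath {
    param([string]$HostName, [string[]]$VpnPatterns)
    $ip = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
    # Find-NetRoute emits the chosen source address and the selected route; keep the
    # route object (the one with DestinationPrefix) to learn the egress interface.
    $route = Find-NetRoute -RemoteIPAddress $ip |
             Where-Object { $_.PSObject.Properties['DestinationPrefix'] } |
             Select-Object -First 1
    $viaVpn = $false
    foreach ($pattern in $VpnPatterns) {
        if ($route.InterfaceAlias -like $pattern) { $viaVpn = $true }
    }
    $tcpOk = Test-NetConnection -ComputerName $HostName -Port 443 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $HostName
        IP        = $ip
        Interface = $route.InterfaceAlias
        NextHop   = $route.NextHop
        ViaVpn    = $viaVpn
        Tcp443    = $tcpOk
        DirectOk  = (-not $viaVpn) -and $tcpOk   # direct path and reachable
    }
}

# The VPN-assigned address is assumed to be the one matched against the
# VPN Networks ranges configured under Patch Direct Downloads.
$vpnAddr = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
           Where-Object { $a = $_.InterfaceAlias; [bool]($VpnAdapterPatterns | Where-Object { $a -like $_ }) } |
           Select-Object -ExpandProperty IPAddress -First 1
"VPN address of this endpoint: $vpnAddr"

$results = foreach ($h in $Hosts) { Test-DirectMicrosoftPath -HostName $h -VpnPatterns $VpnAdapterPatterns }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.DirectOk }) {
    'At least one Microsoft host is reached via the VPN or not at all: do not add this VPN range to Patch Direct Downloads.'
} else {
    'All Microsoft hosts are reached directly: this VPN range is a candidate for Patch Direct Downloads.'
}
```

A range should only be added when every Microsoft host comes back with DirectOk true from endpoints in that range. If any host is reached through the VPN adapter, the endpoint still pulls the patch across the corporate network, and if a host is unreachable, the direct attempt fails and the endpoint falls back to the Tanium Server after the delay of the failed attempt.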

Tracking direct download status

Review current and past patch downloads directly from Microsoft over the Internet.

  1. In Interact, ask the Get Patch - Direct downloads statuses from all machines question.
  2. Choose the time period in hours; for example, downloads in the last three hours.
  3. Choose whether to include in-progress downloads in the results.
  4. Choose whether to include failed downloads in the results.
  5. Click Go.

The results grid displays a row for each download attempt and its status.

Linux scan techniques

Repository Scan

Using Yum repositories for patching makes the full range of patch types available for all updates in those repositories. However, you must configure one or more Yum repositories and keep their updates maintained, and the Tanium Client must be able to contact the Yum repositories both for scanning and for patch downloads.

Tanium Scan

Tanium Scan for Linux can use internal or external Yum repositories, and only the Tanium Server needs connectivity to them. The Tanium Client stores the repository scanning logic locally.

Tanium Scan supports Red Hat, CentOS, and Oracle Linux distributions. With Tanium Scan for Linux, you can create and use Yum repository snapshots for deployments. For more information, see Repository snapshots.

Create a scan configuration (Windows and Linux scan techniques)

You can create multiple scan configurations and add computer group enforcements as needed.

Any endpoint that is supported by Patch should be targeted by at least one scan configuration.

  1. In the Patch menu, click Scan Management.
  2. Click Create Configuration, provide a name, and select an operating system.
  3. Choose the configuration options.
    1. Select a Configuration Technique and applicable options.
      • (Windows) If you choose Offline CAB File, select Download and scan immediately upon new CAB release so that endpoints are scanned whenever a new CAB file is published. This setting overrides the frequency settings when a new CAB file is detected, but scans still wait for the scan window if one is configured.
      • (Windows) If you choose Tanium Scan and other products that use WSUS technology, such as SCCM, manage the same endpoints, select Enable Managed WSUS Compatibility to enable an additional scan that ensures compatibility.
      • (Linux) To use repository snapshots for Linux deployments, choose Tanium Scan.
    2. In the Frequency field, enter a number and a time parameter.

      Set this value to less than three days to improve the Patch coverage metric.

    3. (Optional) Enable Random Scan Delay and enter a time to distribute the network activity.

      The default is 120 minutes.

      For VDI environments, set a longer scan delay, such as 480 minutes or higher, depending on the density and hardware performance of your VDI environment, to reduce the impact of the scan on the host system.

    4. (Optional) Enable Limit Scan Times to define the scan window options, such as browser time or local time on the endpoint, how often the window repeats, and override options. For more information, see Scan windows.

      The scan window specifies when a scan can start. If you enabled Random Scan Delay, a scan can start as late as the full delay after the end of the scan window. For example, if a scan is due one minute before the end of the scan window but receives the full random delay of 120 minutes, it starts 120 minutes later, after the window has closed, and then runs until completion.

    5. (Optional, Linux) To use repository snapshots for Linux deployments, select Deployment Snapshots and choose the repository name and the snapshot in the Repositories section.
    6. (Optional, Windows) To enable remote endpoints to download patches directly from Microsoft, select Direct Download. For more information, see Enable direct patch downloads from Microsoft.
  4. Click Save.
  5. On the Scan Configuration Details page, add one or more computer groups.
    1. Click Add Computer Group.

      If you enable patch applicability results for the group, Patch aggregates applicability results separately for that computer group.

    2. Click Add, provide your credentials, and click Confirm.

The list of available patches typically appears within 15 to 30 minutes; longer scan delays make patches appear more slowly. If no data appears after the scan delay has elapsed, contact your TAM. An endpoint that cannot be scanned, for example because it is offline, is scanned at the earliest opportunity.

Scan windows

You can set a scan window to restrict scans to a certain time of day or day of the week. For example, you can create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. Additionally, if some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.

Scan windows are optional. If you decide to use them, the Override option should be set to less than two days to increase the Patch coverage metric.

  1. In the Scan Configuration Options section, enable Limit Scan Times.
  2. In the Scan Window section, configure your preferences.
    1. Select between your browser time or local time on the endpoint.
    2. Choose whether to repeat the scan window daily or weekly and specify a start date and time and how often the scan window repeats.
    3. (Optional) Enable the Override option and specify how many hours or days can elapse before triggering an immediate scan.

      Set this value to less than two days.

Manage Linux repository snapshots

You can manage snapshots from a scan configuration. For more information about snapshots, see Repository snapshots.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, click Manage Linux Snapshots.
  3. To create a snapshot, select a repository and then click Create Snapshot. Name the snapshot and click Create.
  4. To rename a snapshot, select the snapshot and click Rename Snapshot. Type a new name and click Rename.
  5. To permanently remove unneeded snapshots, select the snapshots, and click Delete Snapshots.
  6. To remove failed snapshots across all repositories, for example those for which the environment was not properly set up, click Delete Failed Snapshots.

View enforcement status

By reviewing a scan configuration, you can see which endpoints in each targeted computer group have the configuration enforced.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. Expand the computer group to see more details about the scan status.

    Investigate endpoints with scan errors that have scan results older than two days and resolve the errors for each endpoint. For more information, see Troubleshoot scan errors.

  4. Click Interact to open the question results for each endpoint.

    The Interact results grid shows the endpoint status and the reason, if it is not enforced.

Prioritize scan configurations

You can create multiple scan configurations with multiple computer groups. The order of the configuration in the Scan Configurations list decides its priority. If an endpoint is in multiple computer groups with conflicting configurations, only the highest priority configuration in the list is applied to the endpoint.

The highest priority configuration has a Conflict Resolution Order of 1.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, click Prioritize.
  3. Move the scan configuration by dragging and dropping it or entering a number into the Conflict Resolution Order field and pressing Enter.
  4. Click Save.

Edit a scan configuration

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. Click Edit.

    You cannot edit a scan configuration if the Allow Scan Configuration Editing option is disabled in the Patch settings.

  4. Make your changes.
  5. Preview the changes.
  6. Click Save.

Remove a scan enforcement

Removing a computer group from a scan configuration removes the enforcement.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. Delete the computer group.

Delete a scan configuration

After the enforcements are removed, you can delete a scan configuration.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. If the scan configuration is enforced against Computer Groups, remove all groups.
  4. In the upper right, click Delete.
  5. Confirm the deletion.