Enforcing scan configurations

The list of available patches comes from scanning the endpoints in your network. The scan configuration determines a scanning technique and frequency. A scan configuration is enforced by targeting computer groups.

The available scanning techniques include the offline CAB file (recommended), online Microsoft Windows Update, and Windows Server Update Services (WSUS) Scan.

Offline CAB file

The CAB file is stored locally by the Tanium Client and contains cumulative security and quality patches for all products in the Microsoft Update Catalog, including Windows and Office. On the Patch home page, the latest status of the offline CAB file is available. The active CAB file is the most recent, verified file published by Microsoft. Patch uses only the active CAB file for scan configurations. A rejected CAB is not pushed to a computer group. Patch checks for an updated CAB file every hour. You can click Update CAB to force a new download outside of the normal schedule.

Figure  1:  Example CAB file status

Online to Microsoft Windows Update

This option creates additional network traffic between the Tanium Client and Microsoft and is for Windows operating system updates only. The full range of patches are available for the Windows operating system:

  • Critical patches
  • Cumulative security and quality patches
  • Non-security and optional updates


Using WSUS servers for patching activities gives the option for the full range of patch types for all products in the Microsoft Update Catalog, including Windows and Office. However, some additional configuration is required. The Tanium Client must be able to contact the WSUS server, and patches must be approved before they can be downloaded.

The guidelines about how many clients a WSUS server can support are similar to the Microsoft guidelines for SCCM: up to 150,000 clients per WSUS server. See Microsoft Docs: Size and scale numbers for System Center Configuration Manager.

Configure WSUS Scan

  1. Add the WSUS Server URL to the whitelist.
    1. From the Patch home page, go to Settings .
    2. In the WSUS Server Configuration section, enter the URL and click Submit.
    3. A regular expression for the URL is generated and added to the whitelist. Click View Whitelisted URLs, or go to Administration > Whitelisted URLs to view the entry that was added.
  2. On the WSUS server, change the following settings:
    • Set the intranet URL for detecting updates and the statistics server to: http://<WSUS server URL>:<port>.
    • We recommend disabling the Configure Automatic Updates setting.

Create a scan configuration

You can create multiple scan configurations and add computer group enforcements as needed.

  1. In the Patch menu, click Scan Management.
  2. Click Create Configuration, provide a name, and select an operating system.
  3. Choose the configuration options.
    1. Select a Configuration Technique.
      If you choose Offline CAB File, you can select Download and scan immediately upon new CAB release to ensure that the endpoints are scanned whenever a new CAB file is published. Selecting this setting overrides the frequency settings when a new CAB file is detected, but scans still wait for the scan window if configured.
    2. In the Frequency field, enter a number and a time parameter.

      We recommend scanning once a day or longer between scans.

    3. (Optional) Enable Random Scan Delay and enter a time to distribute the network activity.

      The default is 120 minutes.

      For VDI environments, set a longer delay to reduce the impact of the scan on the host system.

    4. (Optional) Enable Limit Scan Times to define the scan window options, such as browser time or local time on the endpoint, how often the window repeats, and override options. For more information, see Scan windows.

      The scan window specifies when a scan can start. If you enabled Random Scan Delay, scans can potentially start as late as the specified delay after the end of the scan window. For example, if a scan attempts to start one minute before the end of the scan window, but receives the full random scan delay of 120 minutes, the scan does not start until after that 120 minutes and continues to run until completion, even though the scan window is already closed.

  4. Click Save.
  5. On the scan configuration details page, add one or more computer groups.
    1. Click Add Computer Group.

      Enabling the patch applicability results provides a refined aggregation for the specific computer group.

    2. Click Add and provide your credentials. Click Confirm.

The list of available patches might be displayed within 15-30 minutes. Longer scan delays might result in patches appearing slowly. If no data appears after the scan delay, contact your TAM. If an endpoint cannot be scanned, for example if it is offline, it is scanned at the earliest opportunity.

Scan windows

You can set a scan window to restrict scans to a certain time of day or day of the week. For example, you can create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. Additionally, if some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.

  1. In the Scan Configuration Options section, enable Limit Scan Times.
  2. In the Scan Window section, configure your preferences.
    1. Select between your browser time or local time on the endpoint.
    2. Choose whether to repeat the scan window daily or weekly and specify a start date and time and how often the scan window repeats.
    3. (Optional) Enable the Override option and specify how many hours or days can elapse before triggering an immediate scan.

View enforcement status

By reviewing a scan configuration, you can see which endpoints in the computer group contain the enforced configuration.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. Expand the computer group to see more details about the scan status.
  4. Click Interact to open the question results for each endpoint.

    The Interact results grid shows the endpoint status and the reason, if it is not enforced.

Prioritize scan configurations

You can create multiple scan configurations with multiple computer groups. The order of the configuration decides its priority. If an endpoint is in multiple computer groups with conflicting configurations, only the highest priority configuration is applied to the endpoint.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, click Prioritize.
  3. Move the Scan Configurations by dragging and dropping or entering a number into the Conflict Resolution Order field and pressing Enter.
  4. Click Save.

Edit a scan configuration

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. Click Edit.

    You cannot edit a scan configuration if the Allow Scan Configuration Editing option is disabled in the Patch settings.

  4. Make your changes.
  5. Preview the changes.
  6. Click Save.

Remove a scan enforcement

Removing a computer group from a scan configuration removes the enforcement.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. Delete the computer group.

Delete a scan configuration

After the enforcements are removed, you can delete a scan configuration.

  1. In the Patch menu, click Scan Management.
  2. On the Scan Configurations tab, select a configuration.
  3. If the scan configuration is enforced against Computer Groups, remove all groups.
  4. In the upper right, click Delete.
  5. Confirm the deletion.

Last updated: 7/11/2019 11:57 AM | Feedback