Use Patch to manage operating system patching across your enterprise at the speed and scale of Tanium. You can deploy a single patch to a computer group immediately. You can also perform more complex tasks, such as using advanced rule sets and maintenance windows to deliver groups of patches across your environment at specified times.
You can define custom workflows and schedule patches based on rules or exceptions built around patch lists, blacklists, and maintenance windows. For example, you might always apply critical Microsoft patches to all machines except for datacenter servers, or always exclude .NET patches, or install patches during non-working hours.
Patch generates in-depth reports and returns current patch applicability results from every endpoint. For any patch or patch list deployment, the following details are provided:
- The patch details, such as severity, release date, applicable Common Vulnerabilities and Exposures (CVE), files, and links to knowledge base articles.
- The status of the patch, split out by computer group.
- The assigned patch lists or blacklists for the patch.
You can choose from several scan methods to determine the installed and missing patches across your network. A scan configuration defines a scan method, a scan frequency, and the computer groups that are scanned (this targeting is known as an enforcement). Only one scan configuration is applied to each endpoint. If an endpoint belongs to multiple computer groups, the highest-priority scan configuration is the one applied.
Review the following list of scanning options to decide the best method to use for each computer group.
| Scan method | Platform OS | Updates included | Client impact | Connectivity | Details |
|---|---|---|---|---|---|
| Offline CAB file | Windows | | Moderate, during scanning activity | The CAB file is stored locally by the Tanium Client. | |
| Online to Microsoft | Windows | | | The Tanium Client must contact Microsoft directly. | |
| Tanium Scan¹ | Windows 7 or later | | | A client database file is stored locally by the Tanium Client. | The Patch service is configured to synchronize update metadata and detection rules from Microsoft Update or a Microsoft WSUS server. |
| Windows Server Update Services (WSUS) Scan | Windows | | Low | The Tanium Client must contact the WSUS server. | |
| | | All updates in the YUM repositories | Moderate, during scanning activity | The Tanium Client must contact the YUM repositories for scanning as well as patch downloads. | |
| | | All updates in the YUM repositories | Moderate, during scanning activity | The Tanium Client stores the repository scanning logic locally. | |

¹ Tanium Scan for Windows is a limited availability feature in Patch 2.3.8. For more information, see Tanium Scan.

² Patch 2.3.5 or later supports Red Hat 6 or 7 and CentOS 6 or 7 Linux endpoints with Tanium Client 6.0.314.1554 and later. For more information, see Linux scan techniques.
If you are using Microsoft System Center Configuration Manager (SCCM) with your WSUS server, do not use Tanium for WSUS scanning with the same server.
Group patches that can be applied into patch lists. Group patches that must be excluded into blacklists. These lists can be determined by any detail included in the patch information. For example, you could:
- Create lists based on severity, prioritizing the most critical and most recent updates first.
- Focus only on CVE issues.
- Create lists based on the month or a specific release date.
As new patches come out, you can use dynamic rules to automatically assess and populate patches to the appropriate lists. You can iteratively develop these lists by creating new versions. You can deploy any version of the list as needed.
Each patch includes a column that indicates if the patch has been superseded, or effectively replaced by a newer patch. A patch is marked as superseded when a single endpoint reports that the patch is superseded. Including superseded patches in patch lists can be useful when you want to find or install a specific patch that was superseded. For example, you might need to find or install superseded patches when they are referenced in a security advisory recommendation. Superseded patches are automatically included in blacklists.
In October 2016, Microsoft changed the way they provide software patch updates, based on the operating system of the endpoint. Though these terms are subject to change, it is important to be aware of how they affect your network.
- Windows 10 and Windows 2016
- Feature Upgrades: Feature builds are essentially a new build of Windows 10 (for example 1511, 1607, 1703). These upgrades are published every 3-4 months. Currently, Windows 10 build upgrades can be completed with a standard package deployed by Tanium.
- 2017-XX Cumulative Update: Released monthly, a cumulative update supersedes any previous cumulative update for Windows 10. Contains all security and non-security fixes for the month and all previous months.
- Windows 7, 8.1, 2008, 2008R2, 2012, 2012R2
- 2017-XX Security Monthly Quality Rollup: Package is a cumulative update for current and all previous months. Only the current month will be applicable. All previous versions are superseded.
- 2017-XX Security Only Quality Update: Security updates for the specified month only. Does not include updates from any previous month. Previous monthly updates will still be applicable and needed.
Deployments compile patches, typically from lists, and then distribute Patch packages to the target computers. You can configure deployment options to set when and how patches are installed or uninstalled.
For example, you might want to restart an endpoint after patches are installed to apply the changes. If a patch comes out that would normally be blacklisted but is needed for some reason, you can override the blacklist for that specific deployment rather than creating a new version of the blacklist. In urgent situations, you can even override a closed maintenance window.
You can choose whether to restart the endpoint after patch installation, to inform the user about the restart, and to allow the user to postpone the restart.
Maintenance windows designate the permitted times during which the targeted computer groups are open for patches to be installed or uninstalled. You can have multiple maintenance windows, even with overlapping times; maintenance windows do not interfere with each other. For a patch deployment to take effect, both the deployment time and a maintenance window time must be satisfied.
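The gating rules described above (deployment window plus an open maintenance window, blacklist override, urgent override of a closed window, and the automatic blacklisting of superseded patches from the patch list section), as an added illustration that is not Tanium's code; the class names, window times and patch titles are constructed for the example.

```python
"""Model of a Patch deployment gate (added illustration, not Tanium's code).

Rules from the text: a deployment installs its list minus the blacklist
(superseded patches are automatically blacklisted) unless it overrides the
blacklist; it may act only while its own window is active AND a maintenance
window for one of the endpoint's computer groups is open, unless it overrides
a closed maintenance window (the urgent case). Overlapping windows add up.
"""
from dataclasses import dataclass
from datetime import datetime as dt

@dataclass(frozen=True)
class Window:
    group: str   # computer group the maintenance window targets
    start: dt
    end: dt

@dataclass(frozen=True)
class Deployment:
    patches: frozenset   # titles compiled from the deployed patch list
    start: dt
    end: dt
    override_blacklist: bool = False
    override_maintenance: bool = False   # urgent: ignore closed windows

def effective_patches(dep, blacklist, superseded):
    """Titles the deployment installs; the blacklist implicitly covers superseded patches."""
    if dep.override_blacklist:
        return set(dep.patches)
    return set(dep.patches) - (set(blacklist) | set(superseded))

def can_install(dep, windows, endpoint_groups, at):
    """Both the deployment window and a maintenance window must be satisfied."""
    in_deployment = dep.start <= at < dep.end
    maint_open = any(w.start <= at < w.end for w in windows if w.group in endpoint_groups)
    return in_deployment and (dep.override_maintenance or maint_open)

# Constructed sample data: two overlapping workstation windows and one server window.
WINDOWS = [
    Window("Workstations", dt(2019, 9, 14, 22), dt(2019, 9, 15, 2)),
    Window("Workstations", dt(2019, 9, 15, 0), dt(2019, 9, 15, 6)),
    Window("Datacenter Servers", dt(2019, 9, 15, 3), dt(2019, 9, 15, 5)),
]
DEPLOYMENT = Deployment(
    frozenset({"2017-03 Security Monthly Quality Rollup",
               "2017-02 Security Monthly Quality Rollup", ".NET Framework 4.7 Update"}),
    dt(2019, 9, 14, 0), dt(2019, 9, 16, 0))
BLACKLIST = {".NET Framework 4.7 Update"}
SUPERSEDED = {"2017-02 Security Monthly Quality Rollup"}   # reported by at least one endpoint
```

With the sample data, a workstation at 01:00 on 15 September is inside both overlapping windows and is patched, a datacenter server at the same time is not unless the deployment carries the urgent override, and the superseded February rollup and the .NET update are dropped unless the blacklist is overridden.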
Consider establishing a maintenance cycle that keeps your endpoints as up to date as possible. You can avoid many security risks with good operational hygiene. For example, you might schedule maintenance windows to follow the Microsoft Patch Tuesday releases, to fall on weekends, or to fall outside the core working hours for your network.
This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.
Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.
Last updated: 9/13/2019 2:20 PM