Installing Patch

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Patch and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Patch is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Patch, see Import and configure Patch with default settings.
  • Manual configuration with custom settings: After installing Patch, you must manually configure required settings. Select this option only if Patch requires settings that differ from the recommended default settings. For more information, see Import and configure Patch with custom settings.

Before you begin

Import and configure Patch with default settings

When you import Patch with automatic configuration, the following default settings are configured:

  • The Patch service account is set to the account that you used to import the module.
  • Computer groups that Patch requires are imported:
    • All Amazon
    • All CentOS 6
    • All CentOS 7
    • All Oracle 6
    • All Oracle 7
    • All Red Hat 6
    • All Red Hat 7
    • All Windows
    • All Windows Servers
  • The Patch action group target is set to the following computer groups using the OR operator:
    • All Amazon
    • All CentOS 6
    • All CentOS 7
    • All Oracle 6
    • All Oracle 7
    • All Red Hat 6
    • All Red Hat 7
    • All Windows
  • The following global settings are configured for optimal delivery of larger payloads:
    • ClientCacheLimitInMB = 2048
    • HotCachePercentage = 80
  • Tanium Scan for Windows is configured and synchronized.
  • A [Patch Baseline Deployment] - Windows default baseline deployment patch list is created for Windows endpoints.
  • Default reporting patch lists are created for each supported operating system.
  • The [Global Block List] - Windows block list is created and targets the All Windows computer group. This block list excludes Security Only patches on Windows systems. For more information, see Microsoft update and servicing details.
  • Default block lists are created for each supported operating system, but are not targeted.
  • Default deployment templates are created for each supported operating system.
  • Default scan configurations are created for each operating system and enforced by the recommended computer group.
  • A [Patch Tuesday] - Windows default maintenance window is created for Patch Tuesday and is not enforced to any computer groups.
  • Default maintenance windows are created for each supported operating system to block patch installations and reboots without first enabling another maintenance window. These maintenance windows are not enforced to any computer groups.

To import Patch and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Patch version.

Import and configure Patch with custom settings

To import Patch without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Patch version.

To configure the service account, see Configure service account.

To organize computer groups, see Organize computer groups.

To configure the Patch action group, see Add computer groups to Patch action group.

Manage dependencies for Tanium solutions

When you start the Patch workbench for the first time, the Tanium console ensures that all of the required dependencies for Patch are installed at the required version. You must install all required Tanium dependencies before the Patch workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the required solutions, click Import Selected, and then click Begin Import. When the import is complete, you are returned to the Tanium Solutions page.
  3. From the Main menu, go to Modules > Patch to open the Patch Overview page after you import all of the required Tanium dependencies.

Upgrade Patch

For the steps to upgrade Patch, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Patch version.

Verify Patch version

After you import or upgrade Patch, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Patch to open the Patch Overview page.
  3. To display version information, click Info Info.