Installing Patch

Tanium Cloud automatically handles module installations and upgrades.

For information about configuring Patch for Tanium Cloud, see Configuring Patch.

Use the Solutions page to install Patch and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Patch is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Patch, see Import Patch with default settings.
  • Manual configuration with custom settings: After installing Patch, you must manually configure required settings. Select this option only if Patch requires settings that differ from the recommended default settings. For more information, see Import Patch with custom settings.

Before you begin

Import Patch with default settings

(Tanium Core Platform 7.4.5 or later only) You can set the Patch action group to target the No Computers filter group by enabling restricted targeting before adding Patch to your Tanium license or importing Patch. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Patch action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Patch with automatic configuration, the following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): Patch Supported Systems computer group
  • Restricted targeting enabled: No Computers computer group

Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Advanced settings

The following advanced setting is configured for optimal delivery of larger payloads:

  • ClientCacheLimitInMB = 2048

For more information, see Configure advanced settings.

Patch computer groups

Computer groups that Patch requires are imported:

  • All Amazon
  • All Debian
  • All Debian 8
  • All Debian 9
  • All Debian 10
  • All Debian 11
  • All CentOS 6
  • All CentOS 7
  • All CentOS 8
  • All Oracle 6
  • All Oracle 7
  • All Oracle 8
  • All Red Hat 6
  • All Red Hat 7
  • All Red Hat 8
  • All OpenSLES 11
  • All OpenSLES 12
  • All OpenSLES 15
  • All SUSE
  • All Mac
  • All macOS 10.13
  • All macOS 10.14
  • All macOS 10.15
  • All macOS 11
  • All macOS 11.0
  • All macOS 11.1
  • All macOS 11.2
  • All macOS 11.3
  • All macOS 11.4
  • All macOS 11.5
  • All macOS 11.6
  • All macOS 11.7
  • All macOS 12

  • All Ubuntu
  • All Ubuntu 14.04 - amd64
  • All Ubuntu 14.04 - i386
  • All Ubuntu 14.04 - arm64
  • All Ubuntu 16.04 - amd64
  • All Ubuntu 16.04 - i386
  • All Ubuntu 16.04 - arm64
  • All Ubuntu 18.04 - amd64
  • All Ubuntu 18.04 - i386
  • All Ubuntu 18.04 - arm64
  • All Ubuntu 20.04 - amd64
  • All Ubuntu 20.04 - i386
  • All Ubuntu 20.04 - arm64
  • All Ubuntu 22.04 - amd64
  • All Ubuntu 22.04 - i386
  • All Ubuntu 22.04 - arm64
  • All Windows
  • All Windows Servers
  • Patch Supported Systems

Patch scans
  • Tanium Scan for Windows is configured and synchronized.

  • Default scan configurations are created for each operating system and enforced by the recommended computer group.

Tanium Scan does not include any Red Hat repositories because authentication must first be configured. For more information, see (Red Hat endpoints) Configure Tanium Server to use certificate authentication or (Red Hat endpoints) Configure Tanium Cloud to use certificate authentication.

Patch lists

The following patch lists are automatically created:

  • [Patch Baseline Deployment] - Windows
  • [Tanium Patch Baseline Reporting] - Windows
  • [Tanium Patch Baseline Reporting] - Linux
  • [Tanium Patch Baseline Reporting] - macOS
  • All Patches
  • [Tanium Patch Recommended Updates] - Windows

For more information, see Default patch lists.

Patch block lists
  • The [Global Block List] - Windows block list is created and targets the All Windows computer group. This block list excludes Security Only patches on Windows systems. For more information, see Microsoft update and servicing details.
  • Default block lists are created for each supported operating system, but are not targeted.

Patch deployment templates

Default deployment templates are created for each supported operating system.

Patch maintenance windows
  • A [Patch Tuesday] - Windows default maintenance window is created for Patch Tuesday and is not enforced on any computer groups.
  • Default maintenance windows are created for each supported operating system to block patch installations and reboots without first enabling another maintenance window. These maintenance windows are not enforced on any computer groups.

To import Patch and configure default settings, be sure to select the Apply All Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Import all modules and services. After the import, verify that the correct version is installed: see Verify Patch version.

Import Patch with custom settings

To import Patch without automatically configuring default settings, be sure to clear the Apply All Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Import, re-import, or update specific solutions. After the import, verify that the correct version is installed: see Verify Patch version.

To configure the service account, see Configure service account.

To organize computer groups, see Organize computer groups.

To configure the Patch action group, see Configuring Patch.

Manage solution dependencies

Other Tanium solutions are required for Patch to function (required dependencies) or for specific Patch features to work (feature-specific dependencies). See Solution dependencies.

Upgrade Patch

For the steps to upgrade Patch, see Tanium Console User Guide: Import all modules and services. After the upgrade, verify that the correct version is installed: see Verify Patch version.

Verify Patch version

After you import or upgrade Patch, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Patch to open the Patch Overview page.
  3. To display version information, click Info.