Installing Patch

Use the Tanium Solutions page to install Patch and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Patch is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Patch, see Import and configure Patch with default settings.
  • Manual configuration with custom settings: After installing Patch, you must manually configure required settings. Select this option only if Patch requires settings that differ from the recommended default settings. For more information, see Import and configure Patch with custom settings.

Before you begin

Import and configure Patch with default settings

When you import Patch with automatic configuration, the following default settings are configured:

  • The Patch service account is set to the account that you used to import the module.
  • The Patch action group is set to the computer group All Computers.
  • Applicability scanning is enabled only on action locked machines.
  • An Always On maintenance window is created, but is not enforced.
  • The End-User Notifications tools are distributed to endpoints.

To import Patch and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Patch version.

Import and configure Patch with custom settings

To import Patch without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Patch version.

Configure service account

The service account is a user that runs several background processes for Patch. This user requires the Patch Administrator role. For more information about Patch permissions, see User role requirements.

Enable Patch for Linux endpoints

Before you begin, ensure that you meet the following prerequisites:

  • Tanium Core Platform 7.2.314.3235 or later.
  • Red Hat 6 or 7 Linux endpoints with Tanium Client 6.0.314.1554 or later.
  • Patch 2.3.5 or later. To use repository snapshots, Patch 2.4.0 or later.

  1. From the Patch Home page, click Settings.
  2. In the Operating Systems tab, select RedHat/CentOS Linux and click Save.

    This option is required to use Linux repository snapshots. After you enable this option, you cannot disable it.

  3. (Optional) If you want Linux deployments of patches to install a package at the version that is listed in a patch instead of the latest available version, select Enforce Package Version and click Save. Required package dependencies without specific versions are still installed at the latest available version.
    Patch 2.3.8 introduces package version enforcement as a limited availability feature. Consult your TAM prior to enabling this feature.
  4. In the Configuration Settings tab, set the Patch List Applicability Bin Count value in the Saved Question Settings section to 10, and click Save. For more information about how to fine-tune this setting, consult your TAM.
  5. (Optional) In the Yum Repositories tab, add any custom Yum repositories.
  6. (Optional) In the Yum Repositories tab, create snapshots of Yum repositories. Snapshots capture point-in-time metadata that determine patch versions and their dependencies. You can use snapshots for Linux endpoint patch deployments when you use the Tanium Scan method. For more information about snapshots, see Tanium Scan.

Organize computer groups

One way to apply patches and view deployment results is by computer group. Create relevant computer groups to organize your endpoints. Some options include:

  • Endpoint type, such as servers or employee workstations
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical machines
  • Endpoint configuration needs, such as VDI machines

Manual computer groups are not supported in Patch. For more information, see Tanium Core Platform User Guide: Managing computer groups.

Add computer groups to Patch action group

Importing the Patch module automatically creates an action group to target specific endpoints. Select the computer groups to include in the Patch action group. By default, Patch targets No Computers.

  1. From the Patch Home page, in the Configure Patch section, click the Select Computer Groups step and click Configure Action Group.

    If the Configure Patch section is not visible in the Patch Home page, click Manage Home Page, select Configure Patch, and click Save.

  2. Select the computer groups that you want to include in the action group. If you select multiple computer groups, choose an operand (AND or OR) to combine the groups.
  3. (Optional) In the All machines currently included in this action group section, review the included endpoints.

    These results might take a few moments to populate.

  4. Click Save.

Initialize Patch

Patch installs a set of tools on each endpoint that you have targeted.

  1. From the Patch Home page, in the Configure Patch section, click the Initialize Endpoints step and click Initialize Endpoints to start the Patch service and begin distributing these tools to your endpoints.

    If the Configure Patch section is not visible in the Patch Home page, click Manage Home Page, select Configure Patch, and click Save.

  2. Enter the Tanium credentials and click Confirm.

Install the Tanium End-User Notifications solution

By installing the Tanium End-User Notifications solution, you can attach a notification message to your deployment that tells the user the system is going to restart and gives the user the option to postpone the restart.

For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.

To check if your endpoints have the end user notification tools, ask the question: Get Has End User Notification Tools from all machines with Is Windows = "true"

Disable Windows Update restart prompts

The Windows Update Agent automatically prompts users to restart their machine when an update is installed from any user or source. The following Local/Group Policies should be configured to allow Tanium End-User Notifications to control endpoint restarts.

  1. In the Local Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update.

  2. Enable the No auto-restart for scheduled Automatic Updates installations parameter.

  3. Disable the Re-prompt for restart with scheduled installations parameter.
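The two policy settings above are written by the Windows Update Agent's standard Automatic Updates policy values in the registry, so the quickest way to confirm that an endpoint actually received them (before relying on End-User Notifications to manage restarts) is to read those values back. The following PowerShell script is an added example, not part of the Tanium guide; it assumes the usual mapping of "No auto-restart for scheduled Automatic Updates installations" to NoAutoRebootWithLoggedOnUsers = 1 and "Re-prompt for restart with scheduled installations" to RebootRelaunchTimeoutEnabled = 0 under the WindowsUpdate\AU policy key. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Tanium guide): audit, and optionally set, the registry
# values behind the two Windows Update Group Policy settings above.
# Assumption: standard AU policy values under the WindowsUpdate\AU policy key.
$AuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected state for End-User Notifications to control restarts:
#   "No auto-restart for scheduled Automatic Updates installations" = Enabled  -> 1
#   "Re-prompt for restart with scheduled installations"            = Disabled -> 0
$Expected = @{
    NoAutoRebootWithLoggedOnUsers = 1
    RebootRelaunchTimeoutEnabled  = 0
}

function Get-AuRestartPolicyState {
    # Returns one object per policy value with the expected and actual DWORD and a Compliant flag.
    $results = foreach ($name in $Expected.Keys) {
        $actual = $null
        if (Test-Path $AuPolicyPath) {
            $actual = (Get-ItemProperty -Path $AuPolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Value     = $name
            Expected  = $Expected[$name]
            Actual    = $actual          # $null means the policy was never applied
            Compliant = ($actual -eq $Expected[$name])
        }
    }
    return $results
}

function Set-AuRestartPolicyState {
    # Writes the values as local policy. On domain-joined endpoints prefer a GPO instead,
    # because a direct registry write is overwritten at the next Group Policy refresh.
    if (-not (Test-Path $AuPolicyPath)) {
        New-Item -Path $AuPolicyPath -Force | Out-Null
    }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $AuPolicyPath -Name $name -Value $Expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$state = Get-AuRestartPolicyState
$state | Format-Table -AutoSize
if ($state.Compliant -contains $false) {
    Write-Warning 'Restart prompts are not suppressed; Windows Update may still prompt users to restart.'
}
```

The script only reports by default; call Set-AuRestartPolicyState explicitly if you want to apply the local-policy values on a machine that is not receiving them from a domain GPO.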

Upgrade Patch

For the steps to upgrade Patch, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Patch version.

Verify Patch version

After you import or upgrade Patch, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Patch to open the Patch Home page.
  3. To display version information, click Info.

What to do next

See Getting started with Patch for more information about using Patch.