Installing Patch

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Patch and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Patch is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Patch, see Import and configure Patch with default settings.
  • Manual configuration with custom settings: After installing Patch, you must manually configure required settings. Select this option only if Patch requires settings that differ from the recommended default settings. For more information, see Import and configure Patch with custom settings.

Before you begin

Import and configure Patch with default settings

When you import Patch with automatic configuration, the following default settings are configured:

  • The Patch service account is set to the account that you used to import the module.
  • Computer groups that Patch requires are imported:
    • All Amazon
    • All CentOS 6
    • All CentOS 7
    • All Oracle 6
    • All Oracle 7
    • All Red Hat 6
    • All Red Hat 7
    • All Windows
    • All Windows Servers
  • The Patch action group target is set to the following computer groups using the OR operator:
    • All Amazon
    • All CentOS 6
    • All CentOS 7
    • All Oracle 6
    • All Oracle 7
    • All Red Hat 6
    • All Red Hat 7
    • All Windows
  • The following global settings are configured for optimal delivery of larger payloads:
    • ClientCacheLimitInMB = 2048
    • HotCachePercentage = 80
  • Tanium Scan for Windows is configured and synchronized.
  • A [Patch Baseline Deployment] - Windows default baseline deployment patch list is created for Windows endpoints.
  • Default reporting patch lists are created for each supported operating system.
  • The [Global Blacklist] - Windows blacklist is created and targets the All Windows computer group. This blacklist excludes Security Only patches on Windows systems. For more information, see Microsoft update and servicing details.
  • Default blacklists are created for each supported operating system, but are not targeted.
  • Default deployment templates are created for each supported operating system.
  • Default scan configurations are created for each operating system and enforced by the recommended computer group.
  • A [Patch Tuesday] - Windows default maintenance window is created for Patch Tuesday and is not enforced to any computer groups.
  • Default maintenance windows are created for each supported operating system to block patch installations and reboots without first enabling another maintenance window. These maintenance windows are not enforced to any computer groups.

To import Patch and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Patch version.

Import and configure Patch with custom settings

To import Patch without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Patch version.

Configure service account

The service account is a user that runs several background processes for Patch. This user requires the Tanium Administrator or Patch Service Account role. For more information about Patch permissions, see User role requirements.

Organize computer groups

One way to apply patches and view deployment results is by computer group. Create relevant computer groups to organize your endpoints. Some options include:

  • Endpoint type, such as servers or employee workstations
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical machines
  • Endpoint configuration needs, such as VDI machines

Manual computer groups are not supported in Patch. For more information, see Tanium Core Platform User Guide: Managing computer groups.

Organize computer groups by operating system generation for useful visibility and scan configuration targeting.

Computer group | Filter | Purpose
All Windows [1] | Is Windows equals True | Visibility; Patch action group
All Windows Servers [1] | Windows OS Type equals Windows Server | Visibility; Scan configuration targeting
All Windows Servers - Physical | Windows OS Type contains windows and Is Virtual equals no | Scan configuration targeting
All Windows Servers - Virtual | Windows OS Type contains windows and Is Virtual equals yes | Scan configuration targeting
All Windows Workstations | Windows OS Type equals Windows Workstation | Scan configuration targeting
All Windows Workstations - Physical | Windows OS Type contains windows workstation and Is Virtual equals no | Scan configuration targeting
All Windows Workstations - Virtual | Windows OS Type contains windows workstation and Is Virtual equals yes | Scan configuration targeting
All CentOS 6 [1] | Operating System Generation equals CentOS 6 | Visibility; Scan configuration targeting
All CentOS 7 [1] | Operating System Generation equals CentOS 7 | Visibility; Scan configuration targeting
All Red Hat 6 [1] | Operating System Generation equals Red Hat Enterprise Linux 6 | Visibility; Scan configuration targeting
All Red Hat 7 [1] | Operating System Generation equals Red Hat Enterprise Linux 7 | Visibility; Scan configuration targeting
All Oracle 6 [1] | Operating System Generation equals Oracle Linux Server 6 | Visibility; Scan configuration targeting
All Oracle 7 [1] | Operating System Generation equals Oracle Linux Server 7 | Visibility; Scan configuration targeting
All Amazon [1] | Operating System Generation equals Amazon Linux | Visibility; Scan configuration targeting
All Amazon Linux 1 | Operating System Generation equals Amazon Linux 1 | Visibility; Scan configuration targeting
All Amazon Linux 2 | Operating System Generation equals Amazon Linux 2 | Visibility; Scan configuration targeting
Tanium Scan Supported Windows | Windows OS Major Version > 6.0 and Tanium Client Version >= 7.2.314.3211 | Visibility; Scan configuration targeting
All Supported Linux | Operating System Generation matches "(Amazon Linux(1|2)|(Oracle Linux Server (6|7))|(Red Hat Enterprise Linux.*(6|7))|(CentOS (6|7))" | Visibility; Patch action group

[1] Patch creates this computer group if you select the Apply Tanium recommended configurations option during installation on Tanium Core Platform 7.4.2 or later.
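
A check of the All Supported Linux filter against the Operating System Generation values that the table uses for the per-OS groups, added here as an example and not part of Tanium's documentation or tooling. It assumes Python's re module as a stand-in for the Tanium regex engine and that "matches" compares the whole sensor value; balance, coverage and uncovered are hypothetical helper names, and the out-of-scope values are constructed.

```python
import re

# Filter regex exactly as printed in the "All Supported Linux" row.
PRINTED = ("(Amazon Linux(1|2)|(Oracle Linux Server (6|7))"
           "|(Red Hat Enterprise Linux.*(6|7))|(CentOS (6|7))")

# Operating System Generation values used by the per-OS groups in the table.
PAGE_VALUES = [
    "CentOS 6", "CentOS 7",
    "Red Hat Enterprise Linux 6", "Red Hat Enterprise Linux 7",
    "Oracle Linux Server 6", "Oracle Linux Server 7",
    "Amazon Linux", "Amazon Linux 1", "Amazon Linux 2",
]
# Constructed values that should stay outside the group.
CONSTRUCTED_OUT_OF_SCOPE = ["CentOS 8", "Ubuntu 18.04"]


def balance(pattern):
    """Return (compilable_pattern, was_repaired).

    If the pattern fails to compile only because closing parentheses are
    missing, append them. Appending at the end keeps the same set of
    alternatives, so the repair does not change what the filter matches.
    """
    try:
        re.compile(pattern)
        return pattern, False
    except re.error:
        missing = pattern.count("(") - pattern.count(")")
        if missing <= 0:
            raise
        repaired = pattern + ")" * missing
        re.compile(repaired)  # still raises if something else is wrong
        return repaired, True


def coverage(pattern, values):
    """Map each sensor value to True if the whole value matches the filter."""
    rx = re.compile(pattern)
    return {v: rx.fullmatch(v) is not None for v in values}


def uncovered(pattern, values):
    """Values that would fall outside a group built from this filter."""
    return [v for v, hit in coverage(pattern, values).items() if not hit]


if __name__ == "__main__":
    pattern, repaired = balance(PRINTED)
    print("pattern needed repair:", repaired)
    for value, hit in coverage(pattern, PAGE_VALUES + CONSTRUCTED_OUT_OF_SCOPE).items():
        print(("IN  " if hit else "OUT ") + value)
```

Run the same check against the Operating System Generation values that your endpoints actually report; any value listed as uncovered identifies endpoints that a group built from this filter would leave out of the Patch action group.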

Add computer groups to Patch action group

Importing the Patch module automatically creates an action group to target specific endpoints. Select the computer groups to include in the Patch action group. By default, Patch targets No Computers.

Deselect No Computers and ensure that all operating systems that are supported by Patch are included in the Patch action group.

  1. From the Patch Home page, in the Configure Patch section, click the Select Computer Groups step and click Configure Action Group.

    If the Configure Patch section is not visible in the Patch Home page, click Manage Home Page, select Configure Patch, and click Save.

  2. Select the computer groups that you want to include in the action group. If you select multiple computer groups, choose an operand (AND or OR) to combine the groups.
  3. (Optional) In the All machines currently included in this action group section, review the included endpoints.

    These results might take a few moments to populate.

  4. Click Save.

Upgrade Patch

For the steps to upgrade Patch, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Patch version.

Verify Patch version

After you import or upgrade Patch, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Patch to open the Patch Home page.
  3. To display version information, click Info.