Maintaining Patch for Windows and Linux endpoints

Perform regular maintenance tasks to ensure that Patch successfully performs scheduled activities on all the targeted Windows and Linux endpoints and does not overuse endpoint or network resources. If Patch is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting Patch for related procedures.

Perform monthly maintenance

Review Patch coverage, scan configurations, deployments, and maintenance windows. Update the configurations if necessary.

Review and remediate Patch coverage

  1. From the Main menu, go to Modules > Patch > Overview.

  2. Scroll to the Health dashboard to verify that the Patch process is running on all endpoints.
  3. To investigate endpoints that are not running the process, click the number above No or Error in the Running Patch panel. Tanium (Tanium Cloud or the Tanium Server) issues a question that returns the computer name, operating system, IP address, and Patch process status for the affected endpoints.

  4. To investigate Patch coverage issues, click the number above Needs Attention in the Patch Coverage panel. Tanium issues a question that returns the computer name, operating system, IP address, and Patch coverage status details for the affected endpoints.

    You can also see this information in the predefined Patch Coverage Status report, which is available in the Tanium Reporting workbench.

  5. To troubleshoot issues related to the Patch process or coverage, see Monitor and troubleshoot Patch coverage.

Review and update scan configurations

  1. From the Patch menu, go to Scan Management.

  2. Review the Scan Configurations for each operating system (OS) to verify that they conform to the practices of your organization.
  3. Select the Tanium Scan for Windows tab and click Edit.
  4. Review the Products to Include in Scan, add any products that you want to include, and click Submit.
  5. From the Main menu, go to Modules > Trends > Boards and click the Patch board.

  6. Review the Days Since Last Patch Scan and Scan Errors - Last 7 Days panels for any errors. Click a panel name to see more details.
  7. Troubleshoot scan errors if necessary. See Troubleshooting Patch.
  8. Edit scan configurations if necessary to resolve errors. See Edit a scan configuration.
  9. Delete scan configurations if any are no longer useful. See Delete a scan configuration.

Review and update deployments

  1. From the Patch menu, go to Deployments.
  2. Review the deployments to determine if any are misconfigured, no longer useful, or do not comply with the practices of your organization.

    For example, if the number of targeted endpoints is low relative to the number of deployments, you might be able to make the patching process more efficient by configuring fewer deployments to target more endpoints.

  3. Check the deployment summaries for error messages. See Review deployment summary.
  4. From the Main menu, go to Modules > Trends > Boards and click the Patch board.

  5. Review the panels in the Summary, Missing Patches, and SLA Based Compliance Reporting sections for any errors. Click a panel name to see more details.
  6. Troubleshoot deployments if necessary. See Troubleshooting Patch.
  7. Add targets to the deployments if necessary to resolve errors. See Add targets to an existing deployment.

    For an existing deployment, you cannot perform edits other than adding targets.

  8. Stop any deployments that are no longer useful. See Stop a deployment.

Review and update maintenance windows

  1. From the Patch menu, go to Deployments.
  2. Review the maintenance windows to determine if any are misconfigured or no longer useful.

    For example, maintenance windows that have end dates in the past are useful only as blocking maintenance windows. See Setting maintenance windows for Windows and Linux endpoints.

    Deployments can run at any time if no maintenance windows are configured. If you imported Patch with default settings, it provides predefined maintenance windows that are not enforced on any computer groups. See Configuring Patch.

  3. From the Main menu, go to Modules > Trends > Boards and click the Patch board.

  4. If the Endpoints Missing Critical or Important Patches Released Over 30 Days Ago panel shows a higher than expected number, check whether maintenance windows are a contributing factor. See Monitor and troubleshoot mean time to patch.
  5. Edit maintenance windows if necessary to resolve issues. See Setting maintenance windows for Windows and Linux endpoints.
  6. Remove any maintenance windows that are no longer useful. See Delete a maintenance window.

Perform quarterly maintenance

If you install Patch with default settings, it includes the Patch action group, to which the Patch Supported Systems computer group is assigned. If you changed computer group assignments for the Patch action group, or if you created custom action groups for Patch, review those action groups and, if necessary, update them. For example, if you discover that the Patch process is not starting on all the necessary endpoints, you might have to change the computer group assignments in the action group that is specified for Patch - Start Patch Process actions.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Use the filters to list only the groups that are for Patch operations. See Tanium Console User Guide: View action groups.

    For example, if the custom action groups all have the string "Patch" in their names, enter Patch in the Filter items field.

  3. Edit, create, or delete action groups if necessary to ensure Patch targets the correct computer groups. See Tanium Console User Guide: Managing action groups.

Perform as-needed maintenance

Review Patch block lists and, if necessary, update them:

  1. Go to Modules > Patch > Block Lists and review the block lists.
  2. Expand each block list that has one or more Targets (computer groups) and verify that the list is Enforced. If a list is Unenforced on some endpoints, or some endpoints report an Old Version, click the percentage (number) of affected endpoints to analyze the data in Interact.
  3. Edit, create, or delete block lists if necessary to resolve issues. See Managing patches for Windows and Linux endpoints.

Check and update the Windows Update Agent

You can use Tanium to check which Windows Update Agent versions are installed on your Windows endpoints.

  1. In Interact, ask the Get File Version["C:\Windows\System32\wuaueng.dll"] from all machines question.
  2. Update any endpoints that have a version earlier than 6.1.0022.4. See the Microsoft article Updating the Windows Update Agent.

Check patch history on Windows endpoints

Use the following resources to check patch history on Windows endpoints:

  1. In Interact, ask a question that uses the Patch Installation History sensor. The sensor returns the list of installed patches together with the installation date and the tool that installed each one. Antivirus definition updates and Windows Store updates are excluded.

    The Patch Installation History sensor reads C:\Windows\SoftwareDistribution\ReportingEvents.log and returns the data recorded there. If you have modified or deleted ReportingEvents.log or the SoftwareDistribution folder (for example, while troubleshooting the Windows Update Agent), the sensor cannot return a comprehensive patch history for that endpoint.

  2. Use the PowerShell Get-HotFix cmdlet, which returns the hotfixes that are installed on local or remote computers.

    Get-HotFix reads the Win32_QuickFixEngineering WMI class, which is populated by Component Based Servicing (CBS). Updates installed through Windows Installer (MSI) or obtained from the Windows Update site are not recorded there and are therefore not returned by Get-HotFix, so its output is a subset of what the Patch Installation History sensor reports. For more information, see Microsoft Ignite: Get-Hotfix not returning all installed KBs.
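The two checks above (Windows Update Agent version, then patch history from ReportingEvents.log cross-checked against Get-HotFix) combined into one script that runs on a single endpoint. This is an added example and is not part of the Tanium documentation or product. It assumes the tab-separated layout of ReportingEvents.log shown in the constructed sample lines (timestamp in the second field, a Success/Failure field, message last); the real file may carry additional columns, so the parser keys only on those three. The 6.1.0022.4 threshold is the one quoted in the step above; all GUIDs and KB numbers in the sample are placeholders.

```powershell
# Added example, not Tanium code. Assumptions: ReportingEvents.log field layout
# as in the constructed sample below; version threshold taken from this page.

function Test-WuaVersion {
    # Compare the Windows Update Agent engine (wuaueng.dll) with the page's minimum.
    param(
        [string]  $Path    = "$env:SystemRoot\System32\wuaueng.dll",
        [version] $Minimum = [version]'6.1.0022.4'   # threshold quoted on this page
    )
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a [version] from the numeric parts; FileVersion may carry trailing text.
    $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{ Path = $Path; Version = $ver; NeedsUpdate = ($ver -lt $Minimum) }
}

function ConvertFrom-ReportingEvents {
    # Turn ReportingEvents.log lines into install success/failure records.
    param([Parameter(Mandatory)][string[]] $Lines)
    foreach ($line in $Lines) {
        $f = $line -split "`t"
        if ($f.Count -lt 4) { continue }
        $msg = $f[-1]
        # Keep only install outcomes; "Installation Ready" and sync events are skipped.
        if ($msg -notmatch '^Installation (Successful|Failure)') { continue }
        $result = $f | Where-Object { $_ -in 'Success','Failure' } | Select-Object -First 1
        $kb = if ($msg -match '\((KB\d+)\)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            # "2024-05-14 09:20:45:812-0700": parse the local part, ignore ms/offset.
            Time    = [datetime]::ParseExact($f[1].Substring(0, 19), 'yyyy-MM-dd HH:mm:ss',
                                             [cultureinfo]::InvariantCulture)
            Result  = $result
            KB      = $kb
            Message = $msg
        }
    }
}

function Get-PatchHistory {
    # Read the live log; returns nothing if the file was removed (see note above).
    param([string] $Path = "$env:SystemRoot\SoftwareDistribution\ReportingEvents.log")
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path not found"; return }
    ConvertFrom-ReportingEvents -Lines (Get-Content -LiteralPath $Path)
}

function Compare-LogWithHotFix {
    # KBs the log says were installed but Win32_QuickFixEngineering does not list
    # (MSI-based and Windows Update site updates are the usual reason).
    param([Parameter(Mandatory)] $History)
    $qfe = @(Get-HotFix | ForEach-Object HotFixID)
    $History | Where-Object { $_.Result -eq 'Success' -and $_.KB -and $_.KB -notin $qfe } |
        Select-Object -ExpandProperty KB -Unique
}

# --- Constructed sample: two lines in the assumed layout, placeholder GUIDs/KBs ---
$sample = @(
    "{11111111-1111-1111-1111-111111111111}`t2024-05-14 09:20:45:812-0700`t1`t183`t101`t{00000000-0000-0000-0000-000000000000}`t1`t0`tAutomaticUpdates`tSuccess`tContent Install`tInstallation Successful: Windows successfully installed the following update: Security Update for Windows (KB5000001)",
    "{22222222-2222-2222-2222-222222222222}`t2024-05-14 09:25:10:004-0700`t1`t182`t101`t{00000000-0000-0000-0000-000000000000}`t1`t80070490`tAutomaticUpdates`tFailure`tContent Install`tInstallation Failure: Windows failed to install the following update with error 0x80070490: Cumulative Update for Windows (KB5000002)"
)
$history = ConvertFrom-ReportingEvents -Lines $sample
$history | Format-Table Time, Result, KB
$lastOk = ($history | Where-Object Result -eq 'Success' | Sort-Object Time | Select-Object -Last 1).Time
'Days since last successful install (sample): {0:N0}' -f ((Get-Date) - $lastOk).TotalDays

# On a real endpoint, uncomment:
# Test-WuaVersion
# $live = Get-PatchHistory; Compare-LogWithHotFix -History $live
```

Failure records keep the hex error code in Message, which is the same value you would look up when investigating installation failures later on this page. Run the live commands as an administrator; SoftwareDistribution is not readable by standard users on every build.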

Monitor and troubleshoot Patch coverage

The following table lists factors that can cause the Patch coverage metric to report endpoints as Needs Attention or Unsupported, and the corrective action for each.

Contributing factor / Corrective action

Gaps in Patch action group membership
    Ensure that all operating systems that are supported by Patch are included in the Patch action group.

Gaps in scan configuration coverage
    Review each scan configuration and the computer groups that it targets.
    Ensure that every endpoint that is supported by Patch is targeted by at least one scan configuration.

Scan frequency value is set too high
    Review each scan configuration to ensure that the Frequency value is set to less than three days.

Scan windows are too restrictive
    Scan windows are optional. If you use them, set the Override option to less than two days.

Unmitigated scan failures
    Investigate endpoints whose most recent scan results are older than two days and contain scan errors.
    Remediate the error conditions on each endpoint. See Maintaining Patch for Windows and Linux endpoints.

Patch process is not running
    Ensure that no condition prevents the Patch process from running on endpoints that are included in the Patch action group.

Monitor and troubleshoot endpoints missing critical or important patches

The following table lists factors that can make the endpoints missing critical or important patches metric higher than expected, and the corrective action for each.

Contributing factor / Corrective action

Selective patching as a practice
    Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative: for example, do not create rules that exclude patches that are older than a specific date from a patch list.

Patches are deployed only for the current month
    Use dynamic, rule-based patch lists. These lists should be cumulative: for example, do not create rules that exclude patches that are older than a specific date from a patch list.

Having an n-1 patching policy
    Include patches for the current month.
    Expand endpoint diversity in patch testing groups to increase the chances of identifying newly released problematic patches before deploying them to production.

Not enforcing post-deployment restarts
    Use the Restart option within deployments.
    (Windows) Use the Notify User option and set the Deadline for restart value to a few days or less. The optimal value depends on your patching cycle, because it affects both the endpoints missing critical or important patches metric and the mean time to patch metric. Successful customers find that a Deadline for restart value of less than three days works best.

Monitor and troubleshoot mean time to patch

The following table lists factors that can make the mean time to patch metric higher than expected, and the corrective action for each.

Contributing factor / Corrective action

Delayed testing cycle
    Begin testing new monthly patches on the day they are released, typically Patch Tuesday (the second Tuesday of each month).

Delayed start of production cycle
    Avoid waiting longer than two weeks after a patch release to start patching production systems. The longer you wait, the more aggressive the subsequent deployments must be to complete the patching cycle in a reasonable time.

Staggering deployments to distribute the load on the network
    Do not stagger deployments in an attempt to distribute the load on your network or on Tanium. The more endpoints that are patched simultaneously, the more efficient Tanium becomes with overall WAN usage.
    For bandwidth-constrained locations, implement site throttles instead. See Tanium Console User Guide: Configure site throttles.

Staggering deployments to distribute the load on the Tanium Server or Patch
    Do not stagger deployments in an attempt to distribute the load on your network or on Tanium.

Endpoints do not have enough time to install patches
    Ensure that deployment windows are at least four hours long and properly overlap with maintenance window times.
    Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.
    For deployments that are scheduled for the future, select the Download immediately option. If endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

Attempting to minimize disruption to users with maintenance windows
    Use Tanium End-User Notifications instead of restrictive maintenance windows.

Not enforcing post-deployment restarts
    Use the Restart option within deployments.
    (Windows) Use the Notify User option and set the Deadline for restart value to a few days or less. The optimal value depends on your patching cycle, because it affects both the endpoints missing critical or important patches metric and the mean time to patch metric. Successful customers find that a Deadline for restart value of less than three days works best.

Unmitigated installation failures
    Identify endpoints with patch installation failures.
    Investigate the specific error codes.
    Remediate the conditions that caused the failures.

Endpoint health issues
    Ensure that endpoints have at least 5 GB of free disk space, a healthy Windows Update Agent, and an uptime of less than 90 days.
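A way to check the "Endpoints do not have enough time to install patches" condition from the table above before a deployment starts: sum the time a deployment window actually shares with the maintenance windows that apply to its targets, and flag any deployment that gets less than four hours. This is an added example, not Tanium code or an export of Patch settings; it models windows as local start and end times with an optional weekly repeat, and every date and name below is constructed.

```powershell
# Added example, not Tanium code. Windows are hashtables with Start/End [datetime];
# a maintenance window may carry RepeatDays (7 = weekly, 0 or absent = one-off).

function Get-OverlapHours {
    # Hours shared by two [start, end) intervals; 0 if they do not meet.
    param([datetime]$AStart, [datetime]$AEnd, [datetime]$BStart, [datetime]$BEnd)
    $start = if ($AStart -gt $BStart) { $AStart } else { $BStart }
    $end   = if ($AEnd   -lt $BEnd)   { $AEnd }   else { $BEnd }
    if ($end -le $start) { return 0.0 }
    return ($end - $start).TotalHours
}

function Get-EffectiveInstallHours {
    # Sum the overlap between one deployment window and every occurrence of each
    # maintenance window that falls before the deployment ends.
    param(
        [Parameter(Mandatory)] $Deployment,                       # @{ Name; Start; End }
        [Parameter(Mandatory)] [object[]] $MaintenanceWindows     # @{ Name; Start; End; RepeatDays }
    )
    $total = 0.0
    foreach ($mw in $MaintenanceWindows) {
        $occStart = $mw.Start; $occEnd = $mw.End
        do {
            $total += Get-OverlapHours $Deployment.Start $Deployment.End $occStart $occEnd
            if (-not $mw.RepeatDays) { break }            # one-off window
            $occStart = $occStart.AddDays($mw.RepeatDays)
            $occEnd   = $occEnd.AddDays($mw.RepeatDays)
        } while ($occStart -lt $Deployment.End)
    }
    return $total
}

function Test-DeploymentWindows {
    # One row per deployment; Ok is false when installs get under $MinimumHours.
    param($Deployments, $MaintenanceWindows, [double]$MinimumHours = 4)
    foreach ($d in $Deployments) {
        $hours = Get-EffectiveInstallHours -Deployment $d -MaintenanceWindows $MaintenanceWindows
        [pscustomobject]@{
            Deployment   = $d.Name
            WindowHours  = ($d.End - $d.Start).TotalHours
            InstallHours = [math]::Round($hours, 1)
            Ok           = ($hours -ge $MinimumHours)
        }
    }
}

# Constructed data: a weekly Saturday 02:00-06:00 maintenance window, one two-week
# deployment that spans two occurrences (8 h) and one short deployment that only
# catches the tail of a single occurrence (2 h, flagged).
$maint = @(
    @{ Name = 'Sat early morning'; Start = [datetime]'2024-06-01 02:00'; End = [datetime]'2024-06-01 06:00'; RepeatDays = 7 }
)
$deploys = @(
    @{ Name = 'June CU - ring 1'; Start = [datetime]'2024-06-03 18:00'; End = [datetime]'2024-06-17 18:00' },
    @{ Name = 'June CU - ring 2'; Start = [datetime]'2024-06-08 04:00'; End = [datetime]'2024-06-08 12:00' }
)
Test-DeploymentWindows -Deployments $deploys -MaintenanceWindows $maint | Format-Table
```

The second deployment is eight hours long, so it passes the "at least four hours" check on its own length, yet it overlaps the maintenance window for only two hours; that is the gap the table's advice about overlap is pointing at. Deployment windows that are longer than the repeat interval, as in the first row, accumulate several occurrences and are the safer shape.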