Patch requirements
Review the requirements before you install and use Patch.
Tanium dependencies
In addition to a license for Patch, make sure that your environment also meets the following requirements.
| Component | Requirement |
|---|---|
| Platform | 7.0.314.6085 or later
Enhanced functionality is available with version 7.0.314.6319 and later. Installing Taniumâ„¢ Interact is also suggested. For role-based access control (RBAC), you must have Tanium Platform 7.1.314.3037 or later. To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Installation Guide: Smart card authentication. Patch 2.2 supports Red Hat and CentOS Linux endpoints as a Limited Availability feature with Tanium Platform 7.2.314.3235 and later. For more information, |
| Tanium Client |
Patch is supported on Windows endpoints. Use Tanium Client 1540 and later. Patch 2.2 supports Red Hat and CentOS Linux endpoints as a Limited Availability feature with Tanium Client 6.0.314.1554 and later. For more information, |
| Tanium End-User Notifications |
1.2.0.004 or later (optional for Windows endpoints). Not supported for Linux endpoints. |
Tanium Server and Module Server computer resources
Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server download bytes and download limit settings (DownloadBytesPerSecondLimit) for your environment. Contact your Technical Account Manager (TAM) for details.
Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. Adequate disk space is required on the Tanium Server. Manual routine cleanup of old patch files is required prior to Tanium Server 7.2. Contact your TAM for details.
For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.
Endpoint resource requirements
In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB and set the Hot cache (HotCachePercentage) to 80%. For more information, see Tanium Platform User Guide: Managing Global Settings.
If VDI is used in your environment, see the Tanium Client Deployment Guide: VDI.
Third-party software
Patch requires that endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, we suggest disabling the Windows Update Agent automatic functions at the domain level.
Host and network security requirements
Specific processes and URLs are needed to run Patch.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
| Target device | Process |
|---|---|
| Module Server | node.exe
or "<Tanium Module Server>\services\patch\node.exe" service.js |
| Endpoint computers | <Tanium>\Tanium End User Notification Tools\bin\client-ui.exe (if Tanium End-User Notifications is installed)
<Tanium Client>\Patch\tanium-Patch.min.vbs <Tanium Client>\Patch\scans\wsusscn2.cab Exclude the following directories from on-access or real-time scans:
|
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs.
- http://download.windowsupdate.com/
-
http://go.microsoft.com/fwlink/?linkid=74689
Console role requirements
Tanium Server 7.0
Different role types have varying privileges within Patch. Administrators can perform all functions; however, other role types are limited.
| Privilege | Content Administrator |
Action/Sensor Authors or Action Authors |
|---|---|---|
| View workbench |
|
|
| Initialize Patch service |
|
|
| Create, modify, or delete scan configurations and enforce against computer groups |
|
|
| Create, modify, or delete patch lists and blacklists |
|
|
| Create, modify, or delete deployments and target computer groups |
|
|
| Create, modify, or delete maintenance windows and enforce against computer groups |
|
|
Tanium Server 7.1 or later
For Tanium Platform version 7.1.314.3071 or later, Patch 2.0.9 introduces role-based access control (RBAC) permissions that control access to the Patch workbench. The three predefined roles are Patch Admin, Patch User, and Patch Read Only User.
| Privilege | Patch Administrator | Patch User | Patch Read Only User |
|---|---|---|---|
|
Patch Module Read Read access to the Patch module |
|
|
|
|
Patch Module Write Write access to the Patch module |
|
|
|
|
Patch Settings Write Write access to global settings in the Patch module |
|
|
|
Last updated: 8/9/2018 12:06 PM | Feedback