Requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component Requirement
Tanium™ Core Platform

7.2 or later (Windows endpoints).

7.2.314.3235 or later (Red Hat 6 or 7 and CentOS 6 or 7 Linux endpoints with Patch 2.3.5 or later). For more information, see Configuring TDownloader for Linux endpoints.

Installing Tanium™ Interact is also suggested.

To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Tanium Client

6.0.314.1540 or later (Windows 7 Service Pack 1 or later, and Windows Server 2008 R2 Service Pack 1 or later).

7.2.314.3211 or later (Windows 7 Service Pack 1 or later, and Windows Server 2008 R2 Service Pack 1 or later with Patch 2.3.8 or later to use Tanium Scan for Windows).

6.0.314.1554 or later (Red Hat 6 or 7 and CentOS 6 or 7 Linux endpoints with Patch 2.3.5 or later).

7.4 or later (requires Patch 2.3.12 or later).

Tanium End-User Notifications

1.2.0.004 or later (optional for Windows endpoints).

Not supported for Linux endpoints.

Tanium products

If you clicked the Install with Recommended Configurations button when you installed Patch, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Patch requires to function, as described under Tanium Console User Guide: Manage Tanium modules. Patch requires Tanium End-User Notifications version 1.2.0.004 or later (optional for Windows endpoints).

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Patch requires: All Computers.

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server download bytes and download limit settings (DownloadBytesPerSecondLimit) for your environment. Contact your Technical Account Manager (TAM) for details.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. Adequate disk space is required on the Tanium Server. Contact your TAM for details.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using.

Operating System OS Version
Windows

Version depends on Tanium Client version. For specific requirements, see Tanium dependencies.

Linux

Red Hat Enterprise Linux 6.x, 7.x

CentOS 6.x, 7.x

For specific requirements, see Tanium dependencies.

Resource requirements

In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB and set the Hot cache (HotCachePercentage) to 80%. For more information, see Tanium Platform User Guide: Managing Global Settings.

If VDI is used in your environment, see the Tanium Client User Guide: VDI.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, we suggest disabling the Windows Update Agent automatic functions at the domain level.

Host and network security requirements

Specific processes and URLs are needed to run Patch.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Table 1:   Patch security exclusions
| Target device | Process |
| --- | --- |
| Module Server | <Module Server>\services\patch-service\node.exe |
| Windows Endpoints | <Tanium Client>\Patch\tanium-patch.min.vbs |
| | <Tanium Client>\Patch\scans\Wsusscn2.cab |
| | <Tanium Client>\Patch\tools\active-user-sessions.exe |
| | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe |
| | <Tanium Client>\Patch\tools\TaniumFileInfo.exe |
| | <Tanium Client>\Python27\TPython.exe (7.2.x clients) |
| | <Tanium Client>\Python38\TPython.exe (7.4.x clients) |
| | <Tanium Client>\Python38\*.dll (7.4.x clients) |
| | <Tanium Client> (exclude from on-access or real-time scans) |
| Linux Endpoints | <Tanium Client>/python27/python (7.2.x clients) |
| | <Tanium Client>/python38/python (7.4.x clients) |
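
An added example, not part of the Tanium documentation: a Python check that compares an endpoint's exported exclusion list against the Windows rows of Table 1 and flags entries that are broader than the table asks for. The install directory, the exported list and the function names are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Windows endpoint entries from Table 1, relative to <Tanium Client>.
COMMON = [
    r"Patch\tanium-patch.min.vbs",
    r"Patch\scans\Wsusscn2.cab",
    r"Patch\tools\active-user-sessions.exe",
    r"Patch\tools\TaniumExecWrapper.exe",
    r"Patch\tools\TaniumFileInfo.exe",
]
BY_CLIENT = {
    "7.2": [r"Python27\TPython.exe"],
    "7.4": [r"Python38\TPython.exe", r"Python38\*.dll"],
}

def _norm(entry):
    r"""Parse one exclusion; a trailing '\*' means the directory itself."""
    p = PureWindowsPath(entry)
    return p.parent if p.name == "*" else p

def audit_exclusions(client_dir, client_series, configured):
    """Return (missing, too_broad) for one endpoint's exclusion list."""
    root = PureWindowsPath(client_dir)
    have = {_norm(e) for e in configured}   # comparison is case-insensitive
    required = [root / rel for rel in COMMON + BY_CLIENT[client_series]]
    required.append(root)  # the directory itself, for on-access scans
    missing = [str(p) for p in required if p not in have]
    # An exclusion that is a strict ancestor of the client directory also
    # exempts unrelated software from scanning.
    too_broad = sorted(str(p) for p in have if p in root.parents)
    return missing, too_broad

# Constructed sample: the install path and exported list are assumptions.
CLIENT_DIR = r"C:\Program Files (x86)\Tanium\Tanium Client"
SAMPLE = [
    CLIENT_DIR,
    CLIENT_DIR + r"\Patch\tanium-patch.min.vbs",
    CLIENT_DIR.lower() + r"\patch\scans\wsusscn2.cab",
    CLIENT_DIR + r"\Patch\tools\active-user-sessions.exe",
    CLIENT_DIR + r"\Patch\tools\TaniumExecWrapper.exe",
    CLIENT_DIR + r"\Python38\TPython.exe",
    r"C:\Program Files (x86)\*",
]
```
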

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs.

  • *.delivery.mp.microsoft.com
  • *.prod.do.dsp.mp.microsoft.com
  • *.update.microsoft.com
  • *.windowsupdate.com
  • *.windowsupdate.microsoft.com
  • http://crl.microsoft.com
  • http://go.microsoft.com/fwlink/?linkid=74689
  • http://ntservicepack.microsoft.com
  • http://windowsupdate.microsoft.com
  • http://wustat.windows.com
  • https://download.microsoft.com
  • https://sws.update.microsoft.com
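
An added example, not from the Tanium documentation: a Python helper that tests proxy log destinations against the entries above, to spot required URLs that are still being denied. The wildcard semantics (subdomains only, matched on a label boundary), the "ACTION URL" log format and the sample lines are assumptions.

```python
from urllib.parse import urlsplit

# Entries copied from the list above.
HOST_PATTERNS = [
    "*.delivery.mp.microsoft.com", "*.prod.do.dsp.mp.microsoft.com",
    "*.update.microsoft.com", "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
]
URL_ENTRIES = [
    "http://crl.microsoft.com", "http://go.microsoft.com/fwlink/?linkid=74689",
    "http://ntservicepack.microsoft.com", "http://windowsupdate.microsoft.com",
    "http://wustat.windows.com", "https://download.microsoft.com",
    "https://sws.update.microsoft.com",
]

def host_matches(host, pattern):
    """Assumed semantics: '*.example.com' covers subdomains only, and the
    match must end on a label boundary (never a plain substring test)."""
    suffix = pattern[1:].lower()          # "*.a.b" -> ".a.b"
    host = host.lower().rstrip(".")
    return len(host) > len(suffix) and host.endswith(suffix)

def is_required(url):
    """True if the URL falls under an entry Patch needs to reach."""
    u = urlsplit(url)
    host = u.hostname or ""
    if any(host_matches(host, p) for p in HOST_PATTERNS):
        return True
    for entry in URL_ENTRIES:
        e = urlsplit(entry)
        # Scheme and host must match exactly; the entry's path is a prefix.
        if (u.scheme, host) == (e.scheme, e.hostname) and u.path.startswith(e.path):
            return True
    return False

def blocked_but_required(log_lines):
    """Proxy denials that hit a required destination (format: 'ACTION URL')."""
    pairs = (line.split(maxsplit=1) for line in log_lines)
    return [url for action, url in pairs if action == "DENIED" and is_required(url)]

# Constructed proxy log lines, not real traffic.
SAMPLE_LOG = [
    "ALLOWED https://fe2.update.microsoft.com/sample/selfupdate",
    "DENIED http://download.windowsupdate.com/sample/update.cab",
    "DENIED https://windowsupdate.com.example.net/login",
    "DENIED http://go.microsoft.com/fwlink/?linkid=74689",
]
```
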

User role requirements

Patch 2.0.9 introduces role-based access control (RBAC) permissions that control access to the Patch workbench. The three predefined roles are Patch Admin, Patch User, and Patch Read Only User.

Table 2:   Patch user role permissions
| Permission | Patch Administrator | Patch User | Patch Read Only User |
| --- | --- | --- | --- |
| Show Patch: View the Patch workbench | 1 | 1 | 1 |
| Patch Use API: Perform Patch operations using the API | 1 | 1 | 1 |
| Patch Module Read: Read access to the Patch module | | | |
| Patch Module Write: Write access to the Patch module | | | |
| Patch Settings Write: Write access to global settings in the Patch module | | | |

1 Denotes a provided permission.

Table 3:   Provided Patch Micro Admin and Advanced user role permissions
| Permission | Role Type | Content Set for Permission | Patch Administrator | Patch User | Patch Read Only User |
| --- | --- | --- | --- | --- | --- |
| Read User Group | Micro Admin | | | | |
| Read Computer Group | Micro Admin | | | | |
| Ask Dynamic Questions | Advanced | | | | |
| Read Sensor | Advanced | Base | | | |
| Read Sensor | Advanced | Reserved | | | |
| Read Sensor | Advanced | Default | | | |
| Read Sensor | Advanced | Patch Content Set | | | |
| Read Action | Advanced | Patch Content Set | | | |
| Read Package | Advanced | Patch Content Set | | | |
| Execute Plugin | Advanced | Patch Content Set | | | |
| Write Package | Advanced | Patch Content Set | | | |
| Write Saved Question | Advanced | Patch Content Set | | | |
| Write Action | Advanced | Patch Content Set | | | |
| Approve Action | Advanced | Patch Content Set | | | |

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.