Patch requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component Requirement
Platform

7.0.314.6085 or later.

Enhanced functionality is available with version 7.0.314.6319 and later. Installing Tanium™ Interact is also suggested.

For role-based access control (RBAC), you must have Tanium Platform 7.1.314.3071 or later.

To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Installation Guide: Smart card authentication.

Patch 2.2 supports Red Hat and CentOS Linux endpoints as a Limited Availability feature with Tanium Platform 7.2.314.3235 and later. For more information, see Configuring TDownloader for Linux endpoints.

Tanium Client

Patch is supported on Windows endpoints. Use Tanium Client 1540 and later.

Patch 2.2 supports Red Hat and CentOS Linux endpoints as a Limited Availability feature with Tanium Client 6.0.314.1554 and later. For more information, see Configuring TDownloader for Linux endpoints.

Tanium End-User Notifications

1.2.0.004 or later (optional for Windows endpoints).

Not supported for Linux endpoints.

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server download bytes and download limit settings (DownloadBytesPerSecondLimit) for your environment. Contact your Technical Account Manager (TAM) for details.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. Adequate disk space is required on the Tanium Server. Manual routine cleanup of old patch files is required prior to Tanium Server 7.2. Contact your TAM for details.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoint resource requirements

In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB and set the Hot cache (HotCachePercentage) to 80%. For more information, see Tanium Platform User Guide: Managing Global Settings.

If VDI is used in your environment, see the Tanium Client Deployment Guide: VDI.

Third-party software

Patch requires that endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, we suggest disabling the Windows Update Agent automatic functions at the domain level.
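The following PowerShell sketch classifies a Windows Update Agent version against the two thresholds stated above. It is an added example, not Tanium code: the function names and tier labels are hypothetical, and it assumes the agent version can be read from the file version of wuaueng.dll in System32.

```powershell
# Added example (not from Tanium). Thresholds are the two versions named on this page.
$MinimumWua  = [version]'6.1.0022.4'      # minimum Windows Update Agent for Patch
$EnhancedWua = [version]'7.6.7601.19161'  # enhanced functionality on Windows 7

function Get-WuaTier {
    # Hypothetical helper: maps a version string to a requirement tier.
    param([Parameter(Mandatory)][string]$VersionString)

    $parsed = $null
    if (-not [version]::TryParse($VersionString, [ref]$parsed)) {
        return 'Unknown'          # unparsable input is reported, not guessed
    }
    if ($parsed -lt $MinimumWua)  { return 'BelowMinimum' }
    if ($parsed -lt $EnhancedWua) { return 'Supported' }
    return 'Enhanced'             # the page scopes this tier to Windows 7 systems
}

function Get-LocalWuaVersion {
    # Assumption: the file version of wuaueng.dll reflects the agent version.
    $dll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
    if (-not (Test-Path $dll)) { return $null }
    $info = (Get-Item $dll).VersionInfo
    '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                         $info.FileBuildPart, $info.FilePrivatePart
}

# Constructed sample versions, chosen to land in each tier.
$samples = '5.8.0.2469', '7.5.7601.17514', '7.6.7601.19161', 'not-a-version'
foreach ($s in $samples) {
    [pscustomobject]@{ Version = $s; Tier = Get-WuaTier -VersionString $s }
}

# Classify the local endpoint when the agent DLL is present.
$local = Get-LocalWuaVersion
if ($local) {
    [pscustomobject]@{ Version = $local; Tier = Get-WuaTier -VersionString $local }
} else {
    Write-Warning 'wuaueng.dll not found; Windows Update Agent version unknown.'
}
```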

Host and network security requirements

Specific processes and URLs are needed to run Patch.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Target device: Module Server

  • node.exe, or "<Tanium Module Server>\services\patch\node.exe" service.js

Target device: Endpoint computers

  • <Tanium>\Tanium End User Notification Tools\bin\client-ui.exe (if Tanium End-User Notifications is installed)
  • <Tanium Client>\Patch\tanium-Patch.min.vbs
  • <Tanium Client>\Patch\scans\wsusscn2.cab

Exclude the following directories from on-access or real-time scans:

  • <Tanium>\Tanium End User Notification Tools\ (if Tanium End-User Notifications is installed)
  • <Tanium Client>

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs.

  • http://download.windowsupdate.com/
  • http://go.microsoft.com/fwlink/?linkid=74689

User role requirements

Tanium Server 7.0

Different role types have varying privileges within Patch. Administrators can perform all functions; however, other role types are limited.

Table 1:   Tanium 7.0 Patch console role requirements
| Privilege | Content Administrator | Action/Sensor Authors or Action Authors |
| --- | --- | --- |
| View workbench | | |
| Initialize Patch service | | |
| Create, modify, or delete scan configurations and enforce against computer groups | | |
| Create, modify, or delete patch lists and blacklists | | |
| Create, modify, or delete deployments and target computer groups | | |
| Create, modify, or delete maintenance windows and enforce against computer groups | | |

Tanium Server 7.1 or later

For Tanium Platform version 7.1.314.3071 or later, Patch 2.0.9 introduces role-based access control (RBAC) permissions that control access to the Patch workbench. The three predefined roles are Patch Admin, Patch User, and Patch Read Only User.

Table 2:   Patch user role privileges for Tanium 7.1.314.3071 or later
| Privilege | Patch Administrator | Patch User | Patch Read Only User |
| --- | --- | --- | --- |
| Show Patch: View the Patch workbench | 1 | 1 | 1 |
| Patch Use API: Perform Patch operations using the API | 1 | 1 | 1 |
| Patch Module Read: Read access to the Patch module | | | |
| Patch Module Write: Write access to the Patch module | | | |
| Patch Settings Write: Write access to global settings in the Patch module | | | |

1 Denotes a provided permission.

Table 3:   Provided Patch Micro Admin and Advanced user role permissions for Tanium 7.1.314.3071 or later
| Permission | Role Type | Content Set for Permission | Patch Administrator | Patch User | Patch Read Only User |
| --- | --- | --- | --- | --- | --- |
| Read User Group | Micro Admin | | | | |
| Read Computer Group | Micro Admin | | | | |
| Ask Dynamic Questions | Advanced | | | | |
| Read Sensor | Advanced | Base | | | |
| Read Sensor | Advanced | Reserved | | | |
| Read Sensor | Advanced | Default | | | |
| Read Sensor | Advanced | Patch Content Set | | | |
| Read Action | Advanced | Patch Content Set | | | |
| Read Package | Advanced | Patch Content Set | | | |
| Execute Plugin | Advanced | Patch Content Set | | | |
| Write Package | Advanced | Patch Content Set | | | |
| Write Saved Question | Advanced | Patch Content Set | | | |
| Write Action | Advanced | Patch Content Set | | | |
| Approve Action | Advanced | Patch Content Set | | | |

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

Last updated: 11/13/2018 3:06 PM