Succeeding with Patch

Follow these best practices to achieve maximum value and success with Tanium Patch. These steps align with the key benchmark metrics: increasing patch coverage and reducing both patch visibility and mean time to patch.

Step 1: Gain organizational effectiveness

Develop a dedicated change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional organizational alignment.

Track operational metrics.

Step 2: Configure global settings

Increase the client cache size to accommodate the maximum CAB file size (2 GB).

Increase the hot cache percentage to 80%.

See Configure global settings.

If you install Patch using the Apply Tanium recommended configurations option, the global settings are configured automatically.

Step 3: Install Tanium modules

Install Tanium End-User Notifications. See Tanium End-User Notifications User Guide: Installing End-User Notifications.

Disable Windows Update restart prompts.

Install Tanium Patch. See Installing Patch.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Import the Patch board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery.

If you installed Trends using the Apply Tanium recommended configurations option, the Patch board is automatically imported after the Patch service account is configured.

Step 4: Organize computer groups and set the Patch action group

Create computer groups. See Tanium Console User Guide: Create computer groups.

Additional computer groups might be required to fulfill the requirements of your organization. See Organize computer groups.

Add computer groups to Patch action group.

Ensure that all operating systems that are supported by Patch are included in the Patch action group.

If you installed Patch using the Apply Tanium recommended configurations option, the following computer groups are automatically created and included in the Patch action group:
  • All Amazon
  • All CentOS 6
  • All Centos 7
  • All Oracle 6
  • All Oracle 7
  • All Red Hat 6
  • All Red Hat 7
  • All Windows

To add computer groups to the Patch action group, click Console > Scheduled Actions from the Main menu. Then click Patch in the Action Groups section and click Edit.

Step 5: Enable Patch features and initialize endpoints

Enable Patch features for your endpoints. See Configuring Patch.

If you installed Patch using the Apply Tanium recommended configurations option, Patch automatically enables itself for Linux endpoints.

Enable and configure Tanium Scan for Windows.

If you install Patch using the Apply Tanium recommended configurations option, Tanium Scan for Windows is automatically enabled.

Initialize Patch endpoints.

Step 6: Create scan configurations

Create a scan configuration for each of the supported operating systems in your environment.

If you installed Patch using the Apply Tanium recommended configurations option, default scan configurations are automatically created for each operating system and enforced by the recommended computer group.

(Windows) Use the Tanium Scan technique. If you use other products that use WSUS technology on the same endpoints, such as SCCM, select Enable Managed WSUS Compatibility to enable an additional scan to ensure compatibility.

(Red Hat, Oracle, or CentOS) Use the Tanium Scan technique.

For Red Hat endpoints, you must contact your technical account manager (TAM) to configure TDownloader to use certificate authentication for downloads from the Red Hat Satellite server.

(Amazon) Use the Repository Scan technique.

Set the Frequency value to less than three days for all scan configurations.

Ensure that every endpoint that is supported by Patch is targeted by at least one scan configuration.

See Create a scan configuration.

Step 7: Create patch lists

Create a patch list for each of the supported operating systems in your environment.

If you installed Patch using the Apply Tanium recommended configurations option, a default baseline deployment patch list is automatically created for Windows endpoints.

Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.

Include patches for the current month.

Expand endpoint diversity in patch testing groups to increase the chances of identifying newly-released problematic patches prior to deploying them to production environments.

See Create a patch list.

Step 8: Create maintenance windows

Create a maintenance window for each of the supported operating systems in your environment.

If you installed Patch using the Apply Tanium recommended configurations option, default maintenance windows are automatically created for each operating system. These default windows block patch installations and reboots until you enable another maintenance window.

Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.

See Setting maintenance windows.

Step 9: Create deployments

Create a deployment to install patches for each of the supported operating systems in your environment.

Ensure that deployment windows are at least four hours and properly overlap with maintenance window times.

Use the Restart option.

(Windows endpoints only) Use the Notify User option and set the Deadline for restart value to less than a few days. The optimal value for this setting depends on your patching cycle, because it drives both the Patch visibility and the mean time to patch metrics. Successful customers find that setting the Deadline for restart value to less than three days is optimal.

Begin the process of testing new monthly patches the day they are released, typically Patch Tuesday (second Tuesday of each month).

Avoid waiting longer than two weeks after a patch release to start patching production systems. The longer you wait to start patching production systems, the more aggressive the subsequent deployments need to be to complete the patching cycle in a reasonable time.

Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.

For deployments that are scheduled in the future, select the Download immediately option. If you find that endpoints are still not completing patch installations within the specified windows, schedule the deployments even further in advance.

See Deploying patches.
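The scheduling rules from Steps 8 and 9 (maintenance windows of at least four hours that repeat monthly, deployment windows of at least four hours that overlap a maintenance window, and a Deadline for restart under three days) are easy to get wrong when planned by hand. The following check is an added example, not Tanium code or API: it validates a planned schedule against those rules using constructed sample dates, with maintenance windows and deployments modelled as plain (start, end) datetime pairs.

```python
from datetime import datetime, timedelta

# Thresholds taken from the guidance in Steps 8 and 9.
MIN_WINDOW = timedelta(hours=4)           # maintenance and deployment windows >= 4 hours
MAX_RECURRENCE_GAP = timedelta(days=31)   # maintenance windows repeat at least monthly
MAX_RESTART_DEADLINE = timedelta(days=3)  # Deadline for restart under three days

def check_patch_schedule(maintenance_windows, deployment, restart_deadline):
    """Return guidance violations for a planned schedule (empty list means OK).
    maintenance_windows: (start, end) pairs, one per occurrence; deployment: (start, end);
    restart_deadline: timedelta before Patch forces the restart (Windows endpoints).
    """
    problems = []
    windows = sorted(maintenance_windows)
    for start, end in windows:
        if end - start < MIN_WINDOW:
            problems.append(f"maintenance window on {start:%Y-%m-%d} is shorter than 4 hours")
    for (prev_start, _), (next_start, _) in zip(windows, windows[1:]):
        if next_start - prev_start > MAX_RECURRENCE_GAP:
            problems.append(f"no maintenance window for over a month after {prev_start:%Y-%m-%d}")
    d_start, d_end = deployment
    if d_end - d_start < MIN_WINDOW:
        problems.append("deployment window is shorter than 4 hours")
    # Installs and restarts are blocked outside a maintenance window, so the
    # deployment window must overlap at least one occurrence.
    if not any(max(start, d_start) < min(end, d_end) for start, end in windows):
        problems.append("deployment window does not overlap any maintenance window")
    if restart_deadline >= MAX_RESTART_DEADLINE:
        problems.append("Deadline for restart is not under three days")
    return problems

# Constructed sample plans (not real Tanium configuration objects).
# Maintenance: second Saturday of each month, 02:00-08:00 local time.
GOOD_PLAN = dict(
    maintenance_windows=[(datetime(2024, 1, 13, 2), datetime(2024, 1, 13, 8)),
                         (datetime(2024, 2, 10, 2), datetime(2024, 2, 10, 8)),
                         (datetime(2024, 3, 9, 2), datetime(2024, 3, 9, 8))],
    deployment=(datetime(2024, 2, 10, 3), datetime(2024, 2, 10, 7)),
    restart_deadline=timedelta(days=2),
)
# March window missing, deployment too short and outside maintenance, deadline too long.
BAD_PLAN = dict(
    maintenance_windows=[(datetime(2024, 1, 13, 2), datetime(2024, 1, 13, 8)),
                         (datetime(2024, 2, 10, 2), datetime(2024, 2, 10, 8)),
                         (datetime(2024, 4, 13, 2), datetime(2024, 4, 13, 8))],
    deployment=(datetime(2024, 2, 10, 10), datetime(2024, 2, 10, 12)),
    restart_deadline=timedelta(days=5),
)
```

Calling `check_patch_schedule(**BAD_PLAN)` reports four violations, while `GOOD_PLAN` returns an empty list.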

Step 10: Monitor Patch metrics

From the Trends menu, click Boards and then click Patch to view the Patch Coverage, Patch Visibility, Workstations - Mean Time to Patch, and Servers - Mean Time to Patch panels.

Monitor and troubleshoot Patch coverage.

Monitor and troubleshoot Patch visibility.

Monitor and troubleshoot mean time to patch.