Succeeding with Patch

Follow these best practices to achieve maximum value and success with Tanium Patch. These steps align with the key benchmark metrics: increasing patch coverage and reducing visibility and mean time to patch.

Figure  1:  Steps to succeed with Patch

Step 1: Gain organizational effectiveness

Develop a dedicated Change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional Organizational alignment.

Track Operational metrics.

Step 2: Configure global settings

Increase the client cache size to accommodate the maximum CAB file size (2 GB).

Increase the Hot cache percentage to 80%.

If you install Patch using the Apply Tanium recommended configurations option, the global settings are configured automatically.

See Configure global settings.

Step 3: Install Tanium modules

Install Tanium End-User Notifications. See Tanium End-User Notifications User Guide: Installing End-User Notifications.

Disable Windows Update restart prompts.

Install Tanium Patch. See Installing Patch.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Import the Patch board from Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery. If you installed Trends using the Apply Tanium recommended configurations option, the Patch board is automatically imported after the Patch service account is configured.

Step 4: Organize computer groups and set the Patch action group

Create computer groups. See Tanium Console User Guide: Create computer groups.

Additional computer groups might be required to fulfill the requirements of your organization. See Organize computer groups.

Add computer groups to Patch action group.

Ensure all operating systems that are supported by Patch are included in the Patch action group.

Step 5: Enable Patch features and initialize endpoints

Enable Patch for Linux endpoints.

Enable Tanium Scan for Windows.

Initialize Patch endpoints.

Step 6: Create scan configurations

Create a scan configuration for each of the supported operating systems in your environment.

(Windows) Use the Tanium Scan technique. If you use other products that use WSUS technology on the same endpoints, such as SCCM, select Enable Managed WSUS Compatibility to enable an additional scan to ensure compatibility.

(Linux) Use the Tanium Scan technique.

Set the Frequency value to less than three days for all scan configurations.

Ensure that every endpoint that is supported by Patch is targeted by at least one scan configuration.

See Create a scan configuration (Windows and Linux scan techniques).

Step 7: Create patch lists

Create a patch list for each of the supported operating systems in your environment.

Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.

Include patches for the current month.

Expand endpoint diversity in patch testing groups to increase the chances of identifying newly-released problematic patches prior to deploying them to production environments.

See Create a patch list.

Step 8: Create maintenance windows

Create a maintenance window for each of the supported operating systems in your environment.

Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.

See Setting maintenance windows.

Step 9: Create deployments

Create a deployment to install patches for each of the supported operating systems in your environment.

Ensure that deployment windows are at least four hours and properly overlap with maintenance window times.

Use the Restart option.

Use the Notify User option and set the Deadline for restart value to less than a few days. To decrease both the Patch visibility and the mean time to patch metrics, the optimal value for this setting depends on your patching cycle. Successful customers find that setting the Deadline for restart value to less than three days is optimal. (Window endpoints only).

Begin the process of testing new monthly patches the day they are released, typically Patch Tuesday (second Tuesday of each month).

Avoid waiting longer than two weeks after a patch release to start patching production systems. The longer you wait to start patching production systems, the more aggressive the subsequent deployments need to be to complete the patching cycle in a reasonable time.

Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.

For deployments that are scheduled in the future, select the Download immediately option. If you find that endpoints are still not completing patch installations within the specified windows, schedule the deployments even further in advance.

See Deploying patches.

Step 10: Monitor Patch metrics

From the Trends menu, click Boards and then click Patch to view the Patch Coverage, Patch Visibility, Workstations - Mean Time to Patch, and Servers - Mean Time to Patch panels.

Monitor and troubleshoot Patch coverage.

Monitor and troubleshoot Patch visibility.

Monitor and troubleshoot mean time to patch.