Succeeding with Patch

Follow these best practices to achieve maximum value and success with Tanium Patch. Some steps are applicable for only specific endpoint operating systems.

These steps align with the key benchmark metrics for Windows and Linux endpoints: increasing patch coverage, reducing the number of endpoints that are missing critical or important patches, and reducing mean time to patch.

Step 1: Gain organizational effectiveness

Complete the key organizational governance steps to maximize Patch value. For more information about each task, see Gaining organizational effectiveness.

Develop a dedicated change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional organizational alignment.

(Windows and Linux) Track operational metrics.

Step 2: (Windows and Linux) Configure platform settings

Increase the client cache size to accommodate the maximum CAB file size (2 GB).

See Configure advanced settings.

If you install Patch using the Tanium Recommended Installation workflow, the platform settings are configured automatically.

Step 3: Install and configure Tanium modules

Install Tanium End-User Notifications. See Tanium End-User Notifications User Guide: Installing End-User Notifications.

Disable Windows Update restart prompts.

Install Tanium Patch. See Installing Patch.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Install Tanium Client Management, which provides Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing Client Management.

Install and configure Tanium Mac Device Enrollment, which provides the ability to manage macOS endpoints. See Tanium Mac Device Enrollment User Guide: Getting started with macOS Device Enrollment.

Import the IT Operations Metrics board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery.

If you installed Trends using the Apply All Tanium recommended configurations option, the IT Operations Metrics board is automatically imported.

Step 4: (macOS) Configure MDM settings

As a best practice, to prevent end users from disabling updates, configure an MDM policy with AutomaticCheckEnabled set to true using Tanium Enforce. For more information, see Tanium Enforce User Guide: Create a macOS device configuration profile.

Assign the Patch MDM Enforcement Author and Patch MDM Enforcement Viewer roles to users who manage macOS endpoints. See Set up Patch users.

Step 5: (Windows and Linux) Organize computer groups and set the Patch action group

Create computer groups. See Tanium Console User Guide: Create a computer group.

Additional computer groups might be required to fulfill the requirements of your organization. See Organize computer groups for Windows and Linux endpoints.

Ensure that all operating systems that are supported by Patch are included in the Patch action group. See Configuring Patch.

If you installed Patch using the Apply All Tanium recommended configurations option, the Patch Supported Systems group is automatically created and included in the Patch action group. If you want to import computer groups for common supported operating systems, go to Configuration > Solutions, choose Default Computer Groups, then click Upgrade Selected. Default computer groups include:
  • All Alma Linux 8
  • All Amazon
  • All Debian
  • All Debian 8
  • All Debian 9
  • All Debian 10
  • All Debian 11
  • All CentOS 6
  • All CentOS 7
  • All CentOS 8
  • All OpenSUSE 15
  • All Oracle 6
  • All Oracle 7
  • All Oracle 8
  • All Red Hat 6
  • All Red Hat 7
  • All Red Hat 8
  • All Red Hat 9
  • All Rocky Linux 8
  • All SLES 11
  • All SLES 12
  • All SLES 15
  • All SUSE
  • All Ubuntu 14.04 - amd64
  • All Ubuntu 14.04 - i386
  • All Ubuntu 14.04 - arm64
  • All Ubuntu 16.04 - amd64
  • All Ubuntu 16.04 - i386
  • All Ubuntu 16.04 - arm64
  • All Ubuntu 18.04 - amd64
  • All Ubuntu 18.04 - i386
  • All Ubuntu 18.04 - arm64
  • All Ubuntu 20.04 - amd64
  • All Ubuntu 20.04 - i386
  • All Ubuntu 20.04 - arm64
  • All Ubuntu 22.04 - amd64
  • All Ubuntu 22.04 - i386
  • All Ubuntu 22.04 - arm64
  • All Windows
  • All Windows Servers
  • Patch Supported Systems

Step 6: (Windows and Linux) Enable Patch features and initialize endpoints

If you installed Patch using the Apply All Tanium recommended configurations option, Patch automatically enables itself for Linux endpoints. See Configuring Patch.

Enable and configure Tanium Scan for Windows.

If you install Patch using the Apply All Tanium recommended configurations option, Tanium Scan for Windows is automatically enabled.

Initialize Patch on Windows and Linux endpoints.

Step 7: (Windows and Linux) Create scan configurations

Create a scan configuration for each of the supported operating systems in your environment.

If you installed Patch using the Apply All Tanium recommended configurations option, default scan configurations are automatically created for each operating system and enforced by the recommended computer group.

(Windows) Use the Tanium Scan technique. If you use other products that use WSUS technology on the same endpoints, such as SCCM, select Enable Managed WSUS Compatibility to enable an additional scan to ensure compatibility.

(Linux) Use the Tanium Scan or Repository Scan technique. For information about available Patch scan methods for Linux endpoints, see Patch scanning options for Windows and Linux endpoints.

For Red Hat endpoints, you must configure Tanium Server or Tanium Cloud to use certificate authentication. For more information, see (Red Hat endpoints) Configure Tanium Server to use certificate authentication or (Red Hat endpoints) Configure Tanium Cloud to use certificate authentication.

Set the Frequency value to less than three days for all scan configurations.

Ensure that every endpoint that is supported by Patch is targeted by at least one scan configuration.

See Create a scan configuration.

Step 8: (Windows and Linux) Create patch lists

Create patch lists for the Windows and Linux operating systems in your environment.

If you installed Patch using the Apply All Tanium recommended configurations option, a default baseline deployment patch list is automatically created for Windows endpoints.

Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create rules that exclude patches older than a specific date from a patch list.

Include patches for the current month.

Expand endpoint diversity in patch testing groups to increase the chances of identifying newly released problematic patches before deploying them to production environments.

See Create a patch list.

Step 9: (Windows and Linux) Create maintenance windows

Create maintenance windows for the Windows and Linux operating systems in your environment.

If you installed Patch using the Apply All Tanium recommended configurations option, default maintenance windows are automatically created for each operating system to block patch installations and reboots unless another maintenance window is first enabled.

Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.

See Setting maintenance windows for Windows and Linux endpoints.

Step 10: (Windows and Linux) Create deployments

Create deployments to install patches for the Windows and Linux operating systems in your environment.

Ensure that deployment windows are at least four hours and properly overlap with maintenance window times.

Use the Restart option.

(Windows) Use the Notify User After Installing option and set the Duration of Notification Period value to less than a few days. The optimal value for this setting depends on your patching cycle; to reduce both the number of endpoints missing critical or important patches and the mean time to patch, successful customers find that setting the Duration of Notification Period value to less than three days is optimal.

Begin the process of testing new monthly patches the day they are released, typically Patch Tuesday (second Tuesday of each month).

Avoid waiting longer than two weeks after a patch release to start patching production systems. The longer you wait to start patching production systems, the more aggressive the subsequent deployments need to be to complete the patching cycle in a reasonable time.

Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.

For deployments that are scheduled in the future, select the option for Download Immediately. If you find that endpoints are still not completing patch installations within the specified windows, schedule the deployments even further in advance.

See Deploying patches for Windows and Linux endpoints.

Step 11: Manage macOS endpoints

Create enforcements to install updates on macOS endpoints.

Monitor the Applicable count on the Updates page to track coverage.

See Managing macOS endpoints.

Step 12: (Windows and Linux) Monitor Patch metrics

From the Trends menu, go to Boards and then click IT Operations Metrics to view the Patch Coverage, Endpoints Missing Critical or Important Patches Released Over 30 Days Ago, Workstations - Mean Time to Patch, and Servers - Mean Time to Patch panels in the Patch section.

Monitor and troubleshoot Patch coverage.

Monitor and troubleshoot endpoints missing critical or important patches.

Monitor and troubleshoot mean time to patch.
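The three panels named in Step 12 are the metrics the rest of this page optimizes for. The following Python script, added here as an illustration and not part of the Tanium Patch documentation or product, computes them from a small constructed endpoint inventory so the relationships between scan frequency, patch age and deployment timing are concrete. The metric definitions are assumptions chosen for the example (coverage as "scanned within the recommended frequency", stale as "released more than 30 days ago", mean time to patch as mean days from release to installation); they are not Tanium's own formulas, and the endpoint names and patch identifiers are invented.

```python
"""Worked example: compute the three Patch benchmark metrics named on this page
(patch coverage, endpoints missing critical or important patches released over
30 days ago, and mean time to patch split by workstations and servers) from a
small, constructed endpoint inventory.

The metric definitions used here are assumptions chosen for illustration; they
are not Tanium's own formulas, and the inventory is invented sample data."""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class PatchRecord:
    patch_id: str
    severity: str              # e.g. "Critical", "Important", "Moderate"
    released: date             # vendor release date
    installed: Optional[date]  # None while the patch is still missing


@dataclass
class Endpoint:
    name: str
    role: str                  # "Workstation" or "Server"
    last_scan: Optional[date]  # None if no scan result has ever been reported
    patches: List[PatchRecord] = field(default_factory=list)


# Assumed definition: an endpoint counts as covered when it has reported a scan
# result no older than the recommended scan frequency (less than three days).
SCAN_MAX_AGE_DAYS = 3
# Threshold taken from the panel name "Released Over 30 Days Ago".
STALE_PATCH_AGE_DAYS = 30
TRACKED_SEVERITIES = {"Critical", "Important"}


def patch_coverage(endpoints: List[Endpoint], today: date) -> float:
    """Fraction of endpoints with a sufficiently recent scan result."""
    if not endpoints:
        return 0.0
    covered = sum(
        1 for e in endpoints
        if e.last_scan is not None and (today - e.last_scan).days <= SCAN_MAX_AGE_DAYS
    )
    return covered / len(endpoints)


def endpoints_missing_old_critical_patches(endpoints: List[Endpoint], today: date) -> List[str]:
    """Names of endpoints missing at least one Critical/Important patch that was
    released more than STALE_PATCH_AGE_DAYS ago."""
    return [
        e.name for e in endpoints
        if any(
            p.installed is None
            and p.severity in TRACKED_SEVERITIES
            and (today - p.released).days > STALE_PATCH_AGE_DAYS
            for p in e.patches
        )
    ]


def mean_time_to_patch(endpoints: List[Endpoint], role: str) -> Optional[float]:
    """Mean days from release to installation over installed patches on endpoints
    of the given role; None when nothing has been installed yet."""
    durations = [
        (p.installed - p.released).days
        for e in endpoints if e.role == role
        for p in e.patches if p.installed is not None
    ]
    return float(mean(durations)) if durations else None


# Constructed sample inventory (not real endpoints or patch identifiers).
TODAY = date(2024, 6, 20)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", "Workstation", date(2024, 6, 19), [
        PatchRecord("P-A", "Critical", date(2024, 5, 14), date(2024, 5, 20)),   # 6 days
        PatchRecord("P-B", "Important", date(2024, 6, 11), date(2024, 6, 15)),  # 4 days
    ]),
    Endpoint("ws-02", "Workstation", date(2024, 6, 19), [
        PatchRecord("P-A", "Critical", date(2024, 5, 14), None),   # 37 days old, missing
        PatchRecord("P-B", "Important", date(2024, 6, 11), None),  # 9 days old, not yet stale
    ]),
    Endpoint("ws-03", "Workstation", date(2024, 6, 10), []),       # stale scan: not covered
    Endpoint("srv-01", "Server", date(2024, 6, 18), [
        PatchRecord("P-A", "Critical", date(2024, 5, 14), date(2024, 5, 30)),  # 16 days
        PatchRecord("P-C", "Moderate", date(2024, 4, 9), None),   # old, but severity not tracked
    ]),
    Endpoint("srv-02", "Server", date(2024, 6, 20), [
        PatchRecord("P-B", "Important", date(2024, 6, 11), date(2024, 6, 13)),  # 2 days
    ]),
]


def benchmark_report(endpoints: List[Endpoint] = SAMPLE_ENDPOINTS,
                     today: date = TODAY) -> Dict[str, object]:
    """Bundle the three metrics the way the IT Operations Metrics board groups them."""
    return {
        "patch_coverage": patch_coverage(endpoints, today),
        "missing_critical_or_important_over_30_days":
            endpoints_missing_old_critical_patches(endpoints, today),
        "workstations_mean_time_to_patch_days": mean_time_to_patch(endpoints, "Workstation"),
        "servers_mean_time_to_patch_days": mean_time_to_patch(endpoints, "Server"),
    }


if __name__ == "__main__":
    for key, value in benchmark_report().items():
        print(f"{key}: {value}")
```

On the sample data, one endpoint (ws-03) has a scan older than the recommended frequency and so drags coverage down to 80%, ws-02 is the only endpoint counted as missing an old critical or important patch (its newer missing patch is not yet 30 days old, and srv-01's old missing patch is only Moderate), and the two mean-time-to-patch figures show why the deployment timing advice in Step 10 matters: the server that installed within the first two weeks pulls the mean down, the one that waited 16 days pulls it up.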