Succeeding with Patch
Follow these best practices to achieve maximum value and success with Tanium Patch. Some steps are applicable for only specific endpoint operating systems.
These steps align with the key benchmark metrics for Windows and Linux endpoints: increasing patch coverage and reducing the number of endpoints that are missing critical or important patches and mean time to patch.
Complete the key organizational governance steps to maximize Patch value. For more information about each task, see Gaining organizational effectiveness.
Develop a dedicated change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional organizational alignment.
(Windows and Linux) Track operational metrics.
Increase the client cache size to accommodate the maximum CAB file size (2 GB).
If you install Patch using the Tanium Recommended Installation workflow, the platform settings are configured automatically.
Install Tanium End-User Notifications. See Tanium End-User Notifications User Guide: Installing End-User Notifications.
Install Tanium Patch. See Installing Patch.
Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.
Install Tanium Client Management, which provides Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing Client Management.
Configure Tanium Mac Device Enrollment, which provides the ability to manage macOS endpoints. See Tanium Mac Device Enrollment User Guide: Getting started with macOS Device Enrollment.
Install and configure Tanium Mac Device Enrollment, which provides the ability to manage macOS endpoints. See Tanium Mac Device Enrollment User Guide: Getting started with macOS Device Enrollment.
Import the IT Operations Metrics board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery.
If you installed Trends using the Apply All Tanium recommended configurations option, the IT Operations Metrics board is automatically imported.
As a best practice, to prevent end users from disabling updates, configure an MDM policy with AutomaticCheckEnabled set to true using Tanium Enforce. For more information, see Tanium Enforce User Guide: Create a macOS device configuration profile.
Assign the Patch MDM Enforcement Author and Patch MDM Enforcement Viewer roles to users who manage macOS endpoints. See Set up Patch users.
Create computer groups. See Tanium Console User Guide: Create a computer group.
Additional computer groups might be required to fulfill the requirements of your organization. See Organize computer groups for Windows and Linux endpoints.
Ensure that all operating systems that are supported by Patch are included in the Patch action group.
- All Alma Linux 8
- All Amazon
- All Debian
- All Debian 8
- All Debian 9
- All Debian 10
- All Debian 11
- All CentOS 6
- All CentOS 7
- All CentOS 8
- All OpenSUSE 15
- All Oracle 6
- All Oracle 7
- All Oracle 8
- All Red Hat 6
- All Red Hat 7
- All Red Hat 8
- All Red Hat 9
- All Rocky Linux 8
- All SLES 11
- All SLES 12
- All SLES 15
- All SUSE
- All Ubuntu 14.04 - amd64
- All Ubuntu 14.04 - i386
- All Ubuntu 14.04 - arm64
- All Ubuntu 16.04 - amd64
- All Ubuntu 16.04 - i386
- All Ubuntu 16.04 - arm64
- All Ubuntu 18.04 - amd64
- All Ubuntu 18.04 - i386
- All Ubuntu 18.04 - arm64
- All Ubuntu 20.04 - amd64
- All Ubuntu 20.04 - i386
- All Ubuntu 20.04 - arm64
- All Ubuntu 22.04 - amd64
- All Ubuntu 22.04 - i386
- All Ubuntu 22.04 - arm64
- All Windows
- All Windows Servers
- Patch Supported Systems
If you installed Patch using the Apply All Tanium recommended configurations option, Patch automatically enables itself for Linux endpoints.
If you install Patch using the Apply All Tanium recommended configurations option, Tanium Scan for Windows is automatically enabled.
Create a scan configuration for each of the supported operating systems in your environment.
(Windows) Use the Tanium Scan technique. If you use other products that use WSUS technology on the same endpoints, such as SCCM, select Enable Managed WSUS Compatibility to enable an additional scan to ensure compatibility.
(Linux) Use the Tanium Scan or Repository Scan technique. For information about available Patch scan methods for Linux endpoints, see Patch scanning options for Windows and Linux endpoints.
For Red Hat endpoints, you must configure
Set the Frequency value to less than three days for all scan configurations.
Ensure that every endpoint that is supported by Patch is targeted by at least one scan configuration.
Create patch lists for the Windows and Linux operating systems in your environment.
Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.
Include patches for the current month.
Expand endpoint diversity in patch testing groups to increase the chances of identifying newly-released problematic patches prior to deploying them to production environments.
See Create a patch list.
Create maintenance windows for the Windows and Linux operating systems in your environment.
Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.
Create deployments to install patches for the Windows and Linux operating systems in your environment.
Ensure that deployment windows are at least four hours and properly overlap with maintenance window times.
Use the Restart option.
(Windows) Use the Notify User After Installing option and set the Duration of Notification Period value to less than a few days. To decrease both the endpoints missing critical or important patches and the mean time to patch metrics, the optimal value for this setting depends on your patching cycle. Successful customers find that setting the Duration of Notification Period value to less than three days is optimal.
Begin the process of testing new monthly patches the day they are released, typically Patch Tuesday (second Tuesday of each month).
Avoid waiting longer than two weeks after a patch release to start patching production systems. The longer you wait to start patching production systems, the more aggressive the subsequent deployments need to be to complete the patching cycle in a reasonable time.
Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.
For deployments that are scheduled in the future, select the option for Download Immediately. If you find that endpoints are still not completing patch installations within the specified windows, schedule the deployments even further in advance.
Create enforcements to install updates on macOS endpoints.
Monitor the Applicable count on the Updates page to track coverage.
From the Trends menu, go to Boards and then click IT Operations Metrics to view the Patch Coverage, Endpoints Missing Critical or Important Patches Released Over 30 Days Ago, Workstations - Mean Time to Patch, and Servers - Mean Time to Patch panels in the Patch section.
Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.
Last updated: 9/11/2023 9:27 AM | Feedback