Deploying patches for Windows and Linux endpoints

Use deployments to download and install Windows and Linux patches on a set of target computers. You can also use deployments to uninstall Windows patches. Deployments can run once, be ongoing to maintain operational hygiene for computers that come online after being offline, or be managed by end users with the End-User Self Service Client application.

  • Use ongoing deployments for general patch management and manual deployments for exigent circumstances.
  • Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.

Before you begin

Organize the available patches into lists. See Create a patch list.

Create a deployment template

You can create an install or uninstall deployment template. This template saves basic settings for a deployment that you can issue repeatedly. You can either create a deployment template from the Deployment Templates menu item, or you can select an option when you create a deployment to save the options as a template.

  1. From the Patch menu, go to Deployment Templates.
  2. Click either Create Deployment Template > Create Install Template or Create Deployment Template > Create Uninstall Template.
  3. Name the deployment template, select an operating system, and select a content set. For more information, see Tanium Console User Guide: Managing content sets.
  4. Select deployment options.
    1. Specify a deployment frequency. You can do an ongoing deployment that does not have an end time, a single deployment with a specific start and end time, or a self service deployment to allow end users to manage the deployment in the Self Service Client application.

      After patch installation starts, it continues even if you stop the deployment, the deployment ends, or the maintenance window closes.

      After the deployment ends or the maintenance window closes, restarts do not occur and End-User Notification messages do not appear.

    2. Select Use endpoint local time to use the local time on the endpoint for the deployment. If you do not select this option, then you can specify the UTC time when you create a deployment from the template.
    3. If you select an ongoing or single deployment, configure the Self Service settings.

      • Select Hide from Self Service Client to hide this deployment from the Self Service Client application, including the Activity and History sections.
      • Select Make available before Start Time to allow the end user to start this deployment in the Self Service Client application before the scheduled Start Time and outside of maintenance windows.
    4. If you want the endpoints to download the patch content before the installation time, select the option for Download Immediately.

      Select this option for deployments that are scheduled to start in the future. If you find that endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

    5. If you select an ongoing or single deployment, you can protect shared resources by selecting Enabled for the Distribute Over Time option and indicating an amount of time. The value you indicate for Distribute Over Time must be less than the deployment duration.

      Distribute Over Time randomizes the deployment start time on each endpoint by an amount of time up to the configured value. This option reduces concurrent consumption of shared compute resources in a virtual environment, of network bandwidth and the WSUS server when using the WSUS scan configuration technique, and of network bandwidth and the repository server when using the Repository Scan configuration technique.

      Specify a Distribute Over Time value that is at least two hours less than the length of the deployment window and any maintenance windows. If the value exceeds deployment and maintenance windows, some endpoints will not be able to run the deployment or will install the patches outside of the maintenance window.

    6. If you want to ignore patching restrictions, select Override Maintenance Windows or Override Block Lists.

    7. Select whether to restart the endpoint.

      Windows endpoints restart when this option is configured, regardless of which patches are installed. Linux endpoints restart only when installing patches that require restart, such as Linux kernel updates.

    8. (Windows endpoints only) If you enabled endpoint restarts, you can enable end user notifications about the restarts. Select Notify User After Deployment Activity and configure the following settings. For more information, see Endpoint restarts.

      • (Optional) Configure settings that allow the end user to postpone the restart.
      • Specify the Message Content that informs the user about the restart.
      • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview. You can also use the drop-down menu to preview the notification in light or dark theme.



      Keep the Duration of Notification Period value short, no more than a few days. The optimal value depends on your patching cycle and on how quickly you need the endpoints missing critical or important patches metric to decrease. For best results, set the Duration of Notification Period value to less than three days.

  5. Click Save.

Set the default deployment template

The default deployment template is applied when you create new deployments. Importing Patch with automatic configuration creates a default installation deployment template for each supported operating system. You can change the default installation template. After you create an uninstallation deployment template, you can set it as the default template.

  1. From the Patch menu, go to Deployment Templates.
  2. To set a default deployment template, select a deployment template and then click Set as Default.
  3. To remove the default designation, select a deployment template and then click Remove as Default.

Create a deployment to install patches

  • Use single deployments with a defined start and end time instead of continuously creating new deployments and manually stopping them after the patch window ends.
  • Avoid creating multiple deployments with the same patches to the same or overlapping endpoints.
  • Start with older patches first.

  1. From the Patch menu, go to Deployments and then click Create Deployment > Create Install Deployment.

    You can also create a deployment from the Patches page or from the Patch Lists page. From the Patches page, select a group of patches and click Install; from the Patch Lists page, select a patch list and click Install. If you use either of these methods to create a deployment, then the patches or patch list that you select will already be populated in the Deployment Details section.

  2. (Optional) Click Apply Deployment Template to select an existing template upon which to base this deployment.
  3. In the Deployment Overview section, accept the default name or provide a name for the deployment, add an optional description, select an operating system, and select a content set. For more information, see Tanium Console User Guide: Managing content sets.
  4. In the Deployment Details section, complete the following steps as needed for the operating system of the deployment:

    • (Windows) Add one or more patch lists, including version, or add patches manually.

    • (Linux) Select whether you want to Install All Updates; Install All Security Updates; Choose Patch List, including version; or Manually Select Patches.

      Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.

  5. In the Endpoints to target section, add targeting criteria for endpoints.

    Select the following targeting methods and complete the fields as needed:

    • Computer Groups provides a list of dynamic computer groups. You can later use these groups to refine patch applicability results, as needed.
    • Question Criteria filters on all endpoints with a specific set of criteria and within the limiting groups selected from the list of available groups. Limiting groups are available after you add question criteria. For example, you can type Operating System contains win in the Filter Bar or use the Filter Builder to target all Windows endpoints within those groups. The deployment is applied to all endpoints that meet the criteria. Individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator.
    • Computer Names lets you use exact names, such as the fully qualified domain name (FQDN) registered with Tanium. Use the Manual Names field to manually type in computer names, separated by commas. To upload as a CSV file, click Names by CSV File and then click Upload Names. Then filter within the limiting groups selected from the list of available groups. Limiting groups are available after you add computer names.

      Target fewer than 100 computer names to reduce the impact on the All Computers group.

  6. Review the Deployment type and schedule section and click Edit to make changes as needed.
    1. Specify a deployment frequency. You can do an ongoing deployment that does not have an end time, a single deployment with a specific start and end time, or a self service deployment to allow end users to manage the deployment in the Self Service Client application.

      After patch installation starts, it continues even if you stop the deployment, the deployment ends, or the maintenance window closes.

      After the deployment ends or the maintenance window closes, restarts do not occur and End-User Notification messages do not appear.

    2. Designate the deployment time zone.

      Choose the local time on the endpoint or UTC time.

    3. Specify the window of time during which the deployment will be effective.
    4. If you select an ongoing or single deployment, you can protect shared resources by selecting Enabled for the Distribute Over Time option and indicating an amount of time. The value you indicate for Distribute Over Time must be less than the deployment duration.

      Distribute Over Time randomizes the deployment start time on each endpoint by an amount of time up to the configured value. This option reduces concurrent consumption of shared compute resources in a virtual environment, of network bandwidth and the WSUS server when using the WSUS scan configuration technique, and of network bandwidth and the repository server when using the Repository Scan configuration technique.

      Specify a Distribute Over Time value that is at least two hours less than the length of the deployment window and any maintenance windows. If the value exceeds deployment and maintenance windows, some endpoints will not be able to run the deployment or will install the patches outside of the maintenance window.

    5. If you want the endpoints to download the patch content before the installation time, select the option for Download Immediately.

      Select this option for deployments that are scheduled to start in the future. If you find that endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

    6. If you want to ignore patching restrictions, select Override Maintenance Windows or Override Block Lists.

    7. If you select an ongoing or single deployment, configure the End-User Self Service settings.

      • Select Hide from Self Service Client to hide this deployment from the Self Service Client application, including the Activity and History sections.
      • Select Make available before Start Time to allow the end user to start this deployment in the Self Service Client application before the scheduled Start Time and outside of maintenance windows.
    8. Select whether to restart the endpoint.

      Windows endpoints restart when this option is configured, regardless of which patches are installed. Linux endpoints restart only when installing patches that require restart, such as Linux kernel updates.

  7. (Windows endpoints) If you enabled endpoint restarts, you can enable end user notifications about the restarts. If necessary, click Edit and then select Notify User After Deployment Activity to configure the following settings. For more information, see Endpoint restarts.

    • (Optional) Configure settings that allow the end user to postpone the restart.
    • Specify the Message Content that informs the user about the restart.
    • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview. You can also use the drop-down menu to preview the notification in light or dark theme.



    Keep the Duration of Notification Period value short, no more than a few days. The optimal value depends on your patching cycle and on how quickly you need the endpoints missing critical or important patches metric to decrease. For best results, set the Duration of Notification Period value to less than three days.

  8. (Optional) To create a new template based on this deployment, click Save Settings as New Template, specify a name for the template, and then click Save. For more information, see Create a deployment template.
  9. Click Preview to Continue.
  10. Review the deployment details, and then click Deploy.

To change the number of retries for each phase of a deployment, see Adjust the deployment retries.

Endpoint restarts

Patch can trigger a restart of any system after updates have been installed. You can choose between the following options for the restart:

  • (Windows and Linux endpoints) Restart silently and immediately after deployment. This option is typically used for servers and production machines in conjunction with maintenance windows and change control processes.
  • (Windows endpoints) Notify the system user about the pending restart and give the system user the option to hide the notification for a specified amount of time. Configure the following options:

    Final Countdown to Deadline

    Specify the amount of time in minutes, hours, or days to show the final notification before restarting the endpoint. This notification also shows a countdown until restart. If end users dismiss the notification and a restart is required, the notification will reappear in the last minute of the final countdown to deadline before the computer restarts. Set a low value because this option is meant to signal a forced restart that cannot be postponed.

    Allow User to Postpone

    If you want to give the user an option to hide the notification for a specified amount of time, select this option. A user cannot postpone beyond the deadline.

    Duration of Notification Period

    Specify the amount of time in minutes, hours, or days before the endpoint must be restarted. The deadline is calculated by adding this value to the time the deployment completed for each endpoint.

    User Postponement Options

    Specify the amount of time in minutes, hours, or days that a user can hide the notification.

    Message Content

    Specify the title and body of the notification message. Upload optional icon and body images for branding to avoid confusing users and to limit support calls. Enable additional languages and provide translated title and body text. By default, the notification displays content in the system language on the endpoints. If you enable additional languages, the user can select other languages to display.

End user notifications can be added to existing deployments by stopping, reconfiguring, and reissuing the deployment.

If your deployment is configured for a notification, but the endpoint does NOT have the End User Notifications Tools installed, the endpoint installs the updates, but does NOT restart. A status message is displayed in the Patch workbench about the missing tools.

If no user is logged into an endpoint, the endpoint restarts immediately after a deployment completion even if the deployment is configured for a notification.
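The Distribute Over Time limits given in the deployment steps above (less than the deployment duration, and at least two hours less than the deployment window and any maintenance window) and the restart deadline described in this section (deployment completion time plus Duration of Notification Period, with no postponement past the deadline) can be checked before a deployment is issued. The following Python is an added example, not Tanium code and not part of the original page: the DeploymentPlan fields, the function names and the sample plan are assumptions chosen to mirror the console options, and the check that a postponement option should not exceed the notification period is derived from the statement that a user cannot postpone beyond the deadline.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

TWO_HOURS = timedelta(hours=2)    # margin the page asks for below deployment and maintenance windows
THREE_DAYS = timedelta(days=3)    # recommended upper bound for Duration of Notification Period


@dataclass
class DeploymentPlan:
    """Hypothetical model of the console options discussed on this page (assumed field names)."""
    start: datetime
    end: datetime
    distribute_over_time: Optional[timedelta] = None
    maintenance_windows: List[timedelta] = field(default_factory=list)   # window lengths
    restart: bool = False
    notify_user: bool = False
    notification_period: Optional[timedelta] = None   # Duration of Notification Period
    postpone_options: List[timedelta] = field(default_factory=list)     # User Postponement Options


def check_plan(plan: DeploymentPlan) -> List[str]:
    """Return the list of problems found; an empty list means the plan passes every check."""
    problems: List[str] = []
    duration = plan.end - plan.start
    if duration <= timedelta(0):
        problems.append("deployment end time must be after its start time")

    dot = plan.distribute_over_time
    if dot is not None:
        if dot >= duration:
            problems.append("Distribute Over Time must be less than the deployment duration")
        elif dot > duration - TWO_HOURS:
            problems.append("Distribute Over Time should be at least two hours less than the deployment window")
        for idx, window in enumerate(plan.maintenance_windows, start=1):
            if dot > window - TWO_HOURS:
                problems.append(
                    f"Distribute Over Time should be at least two hours less than maintenance window {idx} ({window})"
                )

    if plan.notify_user:
        if not plan.restart:
            problems.append("end-user restart notifications require endpoint restarts to be enabled")
        if plan.notification_period is None:
            problems.append("Duration of Notification Period is required when notifying users")
        else:
            if plan.notification_period >= THREE_DAYS:
                problems.append("Duration of Notification Period should be less than three days")
            # Derived check: a user cannot postpone beyond the deadline, so an option
            # longer than the notification period would always be cut short.
            for option in plan.postpone_options:
                if option > plan.notification_period:
                    problems.append(f"postponement option {option} exceeds the notification period")
    return problems


def restart_deadline(completed_at: datetime, notification_period: timedelta) -> datetime:
    """Deadline = time the deployment completed on the endpoint + Duration of Notification Period."""
    return completed_at + notification_period


def effective_postponement(now: datetime, deadline: datetime, requested: timedelta) -> timedelta:
    """Clamp a postponement so it never passes the deadline (and never goes negative)."""
    remaining = max(deadline - now, timedelta(0))
    return min(requested, remaining)


# Constructed sample: an 8-hour deployment window with a 7-hour Distribute Over Time value,
# which breaks the two-hour margin for both the deployment window and the maintenance window.
SAMPLE_START = datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc)
SAMPLE_PLAN = DeploymentPlan(
    start=SAMPLE_START,
    end=SAMPLE_START + timedelta(hours=8),
    distribute_over_time=timedelta(hours=7),
    maintenance_windows=[timedelta(hours=6)],
    restart=True,
    notify_user=True,
    notification_period=timedelta(days=2),
    postpone_options=[timedelta(hours=1), timedelta(hours=4)],
)

# Constructed sample that satisfies every check: 5 hours leaves the two-hour margin.
GOOD_PLAN = DeploymentPlan(
    start=SAMPLE_START,
    end=SAMPLE_START + timedelta(hours=8),
    distribute_over_time=timedelta(hours=5),
    maintenance_windows=[timedelta(hours=8)],
    restart=True,
    notify_user=True,
    notification_period=timedelta(days=2),
    postpone_options=[timedelta(hours=1), timedelta(hours=4)],
)


def demo_deadline():
    """Endpoint finishes 4 hours into the window; user asks for 4 hours when only 2 remain."""
    completed = SAMPLE_START + timedelta(hours=4)
    deadline = restart_deadline(completed, timedelta(days=2))
    clamped = effective_postponement(deadline - timedelta(hours=2), deadline, timedelta(hours=4))
    return deadline.isoformat(), clamped.total_seconds() / 3600


if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print("-", problem)
    print(demo_deadline())
```

Running the block lists the two margin violations for SAMPLE_PLAN and shows the postponement clamped to the two hours left before the deadline.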

Create a deployment to install patches on a single endpoint

You can quickly create a deployment to install patches on a single endpoint through the Endpoint Details page in Tanium Reporting. To create a deployment, you must have the Patch Deployment write permission.

You can also install a patch on a single endpoint by following the steps in Create a deployment to install patches.

  1. Open the Endpoint Details page for the endpoint that requires a deployment. See Tanium Reporting User Guide: View endpoint details.
  2. Select the Endpoint Management tab.

  3. In the OS Patch Applicability section, select up to 50 patches, click Install, and complete the deployment.

Windows: Create a deployment to uninstall patches

You can uninstall patches that appear in scan results; however, operating system limitations prevent some patches from being uninstalled.

  1. From the Patch menu, go to Deployments and then click Create Deployment > Create Uninstall Deployment.
  2. (Optional) Click Apply Deployment Template to select an existing template upon which to base this deployment.
  3. Review the Deployment Overview section and click Edit to make changes as needed. Accept the default name or provide a name for the deployment, add an optional description, and select a content set. For more information, see Tanium Console User Guide: Managing content sets.
  4. In the Content to deploy section, expand the Add Patches Manually section and add one or more patches.

    The applicability count in the grid is for endpoints that do not have the patch installed.

  5. In the Endpoints to target section, add targeting criteria for endpoints.

    Select the following targeting methods and complete the fields as needed:

    • Computer Groups provides a list of dynamic computer groups. You can later use these groups to refine patch applicability results, as needed.
    • Question Criteria filters on all endpoints with a specific set of criteria and within the limiting groups selected from the list of available groups. Limiting groups are available after you add question criteria. For example, you can type Operating System contains win in the Filter Bar or use the Filter Builder to target all Windows endpoints within those groups. The deployment is applied to all endpoints that meet the criteria. Individual rows cannot be selected. If you define multiple limiting groups, they are evaluated with an OR operator.
    • Computer Names lets you use exact names, such as the fully qualified domain name (FQDN) registered with Tanium. Use the Manual Names field to manually type in computer names, separated by commas. To upload as a CSV file, click Names by CSV File and then click Upload Names. Then filter within the limiting groups selected from the list of available groups. Limiting groups are available after you add computer names.

      Target fewer than 100 computer names to reduce the impact on the All Computers group.

  6. Review the Deployment type and schedule section and click Edit to make changes as needed.
    1. Specify a deployment frequency. You can do an ongoing deployment that does not have an end time, a single deployment with a specific start and end time, or a self service deployment to allow end users to manage the deployment in the Self Service Client application.

      After patch uninstallation starts, it continues even if you stop the deployment, the deployment ends, or the maintenance window closes.

      After the deployment ends or the maintenance window closes, restarts do not occur and End-User Notification messages do not appear.

    2. Designate the deployment time zone.

      Choose the local time on the endpoint or UTC time.

    3. Specify the window of time during which the deployment will be effective.
    4. If you select an ongoing or single deployment, you can protect shared resources by selecting Enabled for the Distribute Over Time option and indicating an amount of time. The value you indicate for Distribute Over Time must be less than the deployment duration.

      Distribute Over Time randomizes the deployment start time on each endpoint by an amount of time up to the configured value. This option reduces concurrent consumption of shared compute resources in a virtual environment, of network bandwidth and the WSUS server when using the WSUS scan configuration technique, and of network bandwidth and the repository server when using the Repository Scan configuration technique.

      Specify a Distribute Over Time value that is at least two hours less than the length of the deployment window and any maintenance windows. If the value exceeds deployment and maintenance windows, some endpoints will not be able to run the deployment or will install the patches outside of the maintenance window.

    5. If you want the endpoints to download the patch content before the installation time, select the option for Download Immediately.

      Select this option for deployments that are scheduled to start in the future. If you find that endpoints are not completing patch installations within the specified windows, schedule the deployments even further in advance.

    6. If you want to ignore patching restrictions, select Override Maintenance Windows or Override Block Lists.

    7. If you select an ongoing or single deployment, configure the End-User Self Service settings.

      • Select Hide from Self Service Client to hide this deployment from the Self Service Client application, including the Activity and History sections.
      • Select Make available before Start Time to allow the end user to start this deployment in the Self Service Client application before the scheduled Start Time and outside of maintenance windows.
    8. Select whether to restart the endpoint.

      Linux endpoints will restart only when patches that require restart are installed.

  7. (Windows endpoints) If you enabled endpoint restarts, you can enable end user notifications about the restarts. If necessary, click Edit and then select Notify User After Deployment Activity to configure the following settings. For more information, see Endpoint restarts.

    • (Optional) Configure settings that allow the end user to postpone the restart.
    • Specify the Message Content that informs the user about the restart.
    • (Optional) Select additional languages and provide translated title and body text for endpoints that are configured for other languages. To view the preview in additional languages, toggle the language drop-down menu in the preview. You can also use the drop-down menu to preview the notification in light or dark theme.



    Keep the Duration of Notification Period value short, no more than a few days. The optimal value depends on your patching cycle and on how quickly you need the endpoints missing critical or important patches metric to decrease. For best results, set the Duration of Notification Period value to less than three days.

  8. (Optional) To create a new deployment template based on this deployment, click Save Settings as New Template, specify a name for the template, and then click Save. For more information, see Create a deployment template.
  9. Click Preview to Continue.
  10. Review the deployment details, and then click Deploy.

Review deployment summary

You can get the deployment results by status, any error messages, and the deployment configuration details.

  1. From the Patch menu, go to Deployments.
  2. Select the Active, Inactive, or Self Service tab.

    Expand the sections to see summary information about the deployment, such as targeted groups and schedule.

  3. Click the deployment name. The Status section shows the status and substatus, links to deployment results, OS, online endpoints, information about the last time the status or initialization was updated, and any error messages.
  4. In the Deployment Details area, expand the section you want to see, or click Expand All to expand all sections.
    • Content to deploy provides all the configuration information, including installation details, execution information, installation workflow and notifications, patch lists, and patches.
    • Endpoints to target lists the targeted endpoints for the deployment.
    • Deployment type and schedule shows the deployment frequency, time zone, and schedule.
    • User notifications has the information about any end user notifications associated with the deployment.

Add targets to an existing deployment

You can add more targets to a deployment. For example, you can limit patch testing to a select computer group and then roll it out to more groups after it has been validated. All other deployment options remain the same and deployment results from the previous installation deployments are preserved.

  1. From the Patch menu, go to Deployments.
  2. Click the deployment name and then click Edit.
  3. In the Endpoints to target section, click Computer Groups, Question Criteria, or Computer Names.

    You cannot remove targets from active deployments. To remove a target from a deployment, you must stop the deployment and create a new deployment without that target.

  4. Click Preview to Continue.
  5. Review the deployment details, and then click Deploy.

Stop a deployment

You can stop a patch deployment. Stopping changes the deployment end time to now. It does not remove patches that have already completed installation.

  1. From the Patch menu, go to Deployments.
  2. Click the deployment name and then click Stop.
  3. Go to the Inactive tab and click the deployment name to verify the status.


Reissue a deployment

You can restart a stopped deployment or reissue a one-time deployment. Reissuing a deployment creates a new deployment with the same configuration and targets.

  1. From the Patch menu, go to Deployments and then click Inactive.
  2. Click the deployment name and then click Reissue.
  3. (Optional) Make any necessary changes.
  4. Click Preview to Continue.
  5. Review the deployment details, and then click Deploy.

Adjust the deployment retries

You can change how many times Patch retries a deployment phase within a specified time period. For example, with the defaults of five retries and a 24-hour reset frequency, Patch tries to download patches five times and then stops for 24 hours. It then tries five more times in the next 24 hours, and so on, as long as there is an active or ongoing deployment and an active maintenance window.

  1. On the Patch Overview page, click Settings and then click Configuration Settings if needed.
  2. In the Deployment Retry Settings section, select the number of retries from the Retry Limit drop-down menu.
  3. In the Reset Frequency field, type in the number of hours and then click Save.

Reference: Patch status

Deployment status

The following is a list of all possible deployment status groups and the sub-statuses.

If there has been more than one attempt, the status might be appended with - Retry #, for example Downloading - Retry 2. Patch attempts five retries for a deployment status, stops for 24 hours, retries five times, and so on, as long as there is an active or ongoing deployment and an active maintenance window. For more information on retries, see Adjust the deployment retries.

Status group / Sub-status
Not Applicable
  • Not Applicable [1][2][3]
  • Not Targeted [2][3]
Waiting
  • Waiting for Deployment Start Time
  • Waiting for Maintenance Window
  • Waiting for Deployment Configuration File
  • Waiting for Scan Configuration File
  • Waiting for Block List Configuration File
  • Waiting for User Input
Downloading
  • Downloading
  • Download Complete, Waiting for Deployment Start Time
  • Download Complete, Waiting for Maintenance Window
  • Download Complete, Waiting for Block List Configuration File
  • Download Complete, Waiting for Maintenance Window Configuration File
  • Download Complete, Waiting for User Input
  • Download Complete, Awaiting User Acceptance (this includes user-postponed restarts)
  • Unable to Download
Installing
  • Pre-Install Random Delay
  • Pre-Install Scan
  • Installing
  • Pending Restart, Waiting for Maintenance Window
  • Pending Restart, Waiting for Maintenance Window Configuration File
  • Pending Restart, Awaiting User Acceptance (this includes endpoints where the user has postponed the restart) [3]
  • Pending Restart, Missing End-User Notification Tools
  • Pending Restart, End-User Notification Unsupported
  • Post-Install Scan
Uninstalling
  • Pre-Uninstall Random Delay
  • Uninstalling
  • Pending Restart, Waiting for Maintenance Window
  • Pending Restart, Waiting for Maintenance Window Configuration File
  • Pending Restart, Awaiting User Acceptance (this includes endpoints where the user has postponed the restart)
  • Pending Restart, Missing End-User Notification Tools
  • Pending Restart, End-User Notification Unsupported
  • Post-Uninstall Scan
Complete
  • Complete, All Patches Applied
  • Complete, Some Patches Applied (if you have exhausted your retries)
  • Error, No Patches Applied
  • Complete, All Patches Removed
  • Complete, Some Patches Removed (if you have exhausted your retries)
  • Error, No Patches Removed
  • Error, Install Aborted
  • Error, Uninstall Aborted
  • Error, Deployment Ended Before Any Action Was Taken

[1] Windows endpoints return deployment statuses only for targeted endpoints. If a Windows endpoint returns the Not Applicable status, then the deployment is targeted to the endpoint and has no applicable patches.

[2] Linux endpoints return the Not Applicable status when the deployment has no applicable patches for that endpoint. If a Linux endpoint returns the Not Targeted status, then the endpoint is not targeted by the deployment.

[3] macOS endpoints return the Not Applicable status when the deployment has no applicable patches for that endpoint. If a macOS endpoint returns the Not Targeted status, then the endpoint is not targeted by the deployment. Patches that require a reboot will not install and will return the Pending Restart, Awaiting User Acceptance status until the end user restarts the endpoint.
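The status strings in the table above are reported per endpoint, sometimes carrying the - Retry # suffix described earlier. The following Python is an added example, not Tanium code and not part of the original page: it parses the retry suffix, assigns each sub-status to its status group by prefix, resolves the Pending Restart sub-statuses (which appear under both Installing and Uninstalling) by deployment type, and flags endpoints whose retry count has reached the configured Retry Limit. The sample rows are constructed, the function names are assumptions, and the assumption that the suffix counts up to the Retry Limit value within a cycle is this example's, not something the page states.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Prefix rules derived from the deployment status table above. Sub-statuses that begin
# with "Pending Restart" occur in both the Installing and Uninstalling groups, so the
# deployment type decides which group they belong to (see group_of).
_PREFIX_GROUPS = [
    ("Not Applicable", "Not Applicable"),
    ("Not Targeted", "Not Applicable"),
    ("Waiting", "Waiting"),
    ("Download", "Downloading"),            # Downloading, Download Complete, ...
    ("Unable to Download", "Downloading"),
    ("Pre-Install", "Installing"),
    ("Installing", "Installing"),
    ("Post-Install", "Installing"),
    ("Pre-Uninstall", "Uninstalling"),
    ("Uninstalling", "Uninstalling"),
    ("Post-Uninstall", "Uninstalling"),
    ("Complete", "Complete"),
    ("Error", "Complete"),                  # Error sub-statuses sit in the Complete group
]

# "Downloading - Retry 2" -> sub-status "Downloading", retry number 2
RETRY_RE = re.compile(r"^(?P<sub>.+?)\s*-\s*Retry\s+(?P<n>\d+)$")


def parse_status(raw: str) -> Tuple[str, int]:
    """Split off the '- Retry #' suffix; a status without it has retry number 0."""
    raw = raw.strip()
    match = RETRY_RE.match(raw)
    if match:
        return match.group("sub"), int(match.group("n"))
    return raw, 0


def group_of(sub_status: str, deployment_type: str = "install") -> str:
    """Map a sub-status to its status group; unknown strings are reported, not guessed."""
    if sub_status.startswith("Pending Restart"):
        return "Installing" if deployment_type == "install" else "Uninstalling"
    for prefix, group in _PREFIX_GROUPS:
        if sub_status.startswith(prefix):
            return group
    return "Unknown"


def summarize(rows: Iterable[Tuple[str, str]], deployment_type: str = "install",
              retry_limit: int = 5) -> Tuple[Dict[str, int], List[str], List[str]]:
    """Count endpoints per status group and list those at the retry limit or unrecognised."""
    by_group: Counter = Counter()
    at_limit: List[str] = []
    unknown: List[str] = []
    for name, raw in rows:
        sub, retry = parse_status(raw)
        group = group_of(sub, deployment_type)
        by_group[group] += 1
        if group == "Unknown":
            unknown.append(name)
        if retry >= retry_limit:
            at_limit.append(name)
    return dict(by_group), at_limit, unknown


# Constructed sample rows (computer name, raw deployment status) for an install deployment.
SAMPLE_ROWS = [
    ("ws-001.example.test", "Downloading - Retry 2"),
    ("ws-002.example.test", "Complete, All Patches Applied"),
    ("ws-003.example.test", "Pending Restart, Awaiting User Acceptance"),
    ("ws-004.example.test", "Unable to Download - Retry 5"),
    ("srv-010.example.test", "Not Targeted"),
    ("srv-011.example.test", "Something New"),
]

if __name__ == "__main__":
    groups, at_limit, unknown = summarize(SAMPLE_ROWS)
    for group, count in sorted(groups.items()):
        print(f"{group:15} {count}")
    print("at retry limit:", at_limit)
    print("unrecognised:", unknown)
```

Endpoints listed as at the retry limit are the ones to look at before the next 24-hour reset, and an unrecognised status usually means the mapping needs updating after a product upgrade rather than that the endpoint is broken.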

Enforcement status

Status group / Sub-status
Block lists and maintenance windows
  • Enforced
  • Unenforced
Scan configurations
  • Unenforced
  • Waiting For Initial Scan
  • Complete, Waiting For Next Scan
  • Downloading
  • Scanning