Patch requirements

Review the requirements before you install and use Patch.

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium license that includes Patch
Tanium™ Core Platform servers: 7.4.3.1204 or later
To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.
Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server, the server Tanium™ Cloud automatically imports the computer groups that Patch requires for managing Windows and Linux endpoints:

All Alma Linux 8
All Amazon
All Debian
All Debian 8
All Debian 9
All Debian 10
All Debian 11
All CentOS 6
All CentOS 7
All CentOS 8
All OpenSUSE 15
All Oracle 6
All Oracle 7
All Oracle 8
All Red Hat 6
All Red Hat 7
All Red Hat 8
All Red Hat 9
All Rocky Linux 8
All SLES 11
All SLES 12
All SLES 15
All SUSE
All Ubuntu 14.04 - amd64
All Ubuntu 14.04 - i386
All Ubuntu 14.04 - arm64
All Ubuntu 16.04 - amd64
All Ubuntu 16.04 - i386
All Ubuntu 16.04 - arm64
All Ubuntu 18.04 - amd64
All Ubuntu 18.04 - i386
All Ubuntu 18.04 - arm64
All Ubuntu 20.04 - amd64
All Ubuntu 20.04 - i386
All Ubuntu 20.04 - arm64
All Ubuntu 22.04 - amd64
All Ubuntu 22.04 - i386
All Ubuntu 22.04 - arm64
All Windows
All Windows Servers
Patch Supported Systems

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Patch to function (required dependencies) or for specific Patch features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Patch dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Patch requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Patch, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Patch to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Patch, the server automatically updates those dependencies to the latest available versions.

If you select only Patch to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Patch has the following required dependencies at the specified minimum versions:

Tanium™ Endpoint Configuration 1.7.202 or later
Tanium™ Interact 2.4.74 or later (use the latest version of Interact for best results)

Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later
Tanium™ Trends 3.6.323 or later
Tanium™ End-User Notifications 1.14.49 or later
Tanium™ System User Service 1.0.77 or later

Feature-specific dependencies

If you select only Patch to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Patch has the following feature-specific dependencies at the specified minimum versions:

Tanium Mac Device Enrollment 1.2.10 or later. Manage patching for macOS endpoints.
Tanium™ Reporting 1.16.58 or later. Review charts on the Overview page. If Reporting is not installed, Trends creates the charts.
- Tanium™ Blob Service 1.0.6 or later
- Reporting Content 1.0.24 or later

Client extensions

Tanium Endpoint Configuration installs client extensions for Patch on Windows and Linux endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Patch functions:

Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
Software Manager CX - Provides a catalog of all installed software on an endpoint. Tanium Asset or Tanium Patch installs this client extension.

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server to set bandwidth limits for your environment. You can configure global throttles from Administration > Configuration > Bandwidth Throttles.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. An additional 500 GB of disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Deployment for Windows: Host system sizing guidelines and Tanium Appliance Deployment Guide: Reference: Tanium Appliance Specifications.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using. For more information about Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.

Operating System	Version	Notes
Microsoft Windows Server	Windows Server 2012 or later	Windows Server Core not supported for End-User Notifications functionality. Windows Server 2012 R2 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality.
Microsoft Windows Workstation	Windows 10 or later	Patch does not support Arm-based Windows endpoints. For information about Windows 10 Home support, see Available Patch scan methods for Windows endpoints.
Microsoft Windows Server (Legacy)	Windows Server 2008 R2 Service Pack 1	Windows Server Core not supported for End-User Notifications functionality. Windows Server 2008 R2 Service Pack 1 requires Microsoft KB2758857. Windows Server 2012 R2 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality. Microsoft support for Windows Server 2008 R2 ended January 14, 2023. Tanium cannot guarantee functionality of Tanium Patch on Windows Server 2008 R2.
Microsoft Windows Workstation (Legacy)	Windows 7 Service Pack 1 Windows 8.1	Windows 7 Service Pack 1 requires Microsoft KB2758857. Windows 8.1 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality. Microsoft support for Windows 7 and Windows 8.1 ended January 14, 2023. Tanium cannot guarantee functionality of Tanium Patch on Windows 7 and Windows 8.1.
Linux	AlmaLinux 8.x
	Amazon Linux 1, 2	Requires Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.
	CentOS 6.x, 7.x, 8.x	CentOS 6.x and 7.x require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions. Cent OS 8.x requires DNF.
	openSUSE Linux 11.x Service Pack 3 or later, 12.x, 15.x	Requires Zypper. SUSE 11.x Service Pack 3 support is limited to scanning only. Repository snapshots are not supported.
	Oracle Linux 6.x, 7.x, 8.x	Oracle Linux 6.x and 7.x require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions. Oracle Linux 8.x requires DNF.
	Red Hat Enterprise Linux 6.x, 7.x, 8.x, 9.x	Red Hat Enterprise Linux 6.x and 7.x require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions. Red Hat Enterprise Linux 8.x and 9.x requires DNF. Requires Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.
	Rocky Linux 8.x
	SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x	Requires Zypper. Repository snapshots are not supported.
	Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04	Requires APT.
	Debian 8.x, 9.x, 10.x, 11.x	Requires APT.
macOS	macOS 11, 12, 13

Resource requirements

The utilities that Patch uses for scanning use increased RAM for up to several minutes during endpoint scans. If an endpoint must also run other processes that use significant RAM during Patch scans, it might require more RAM than the minimum 2 GB. For more information, see Tanium Client Management User Guide: Hardware requirements.
On the Tanium Console Administration > Configuration > Settings > Advanced Settings page, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB. For more information, see Configure advanced settings and Tanium Platform User Guide: Managing Core Platform Settings.
If VDI is used in your environment, see the Tanium Client Management User Guide: Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB3138612. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.

Host and network security requirements

Specific ports, processes, and URLs are needed to run Patch.

Ports

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

The following ports are required for Patch communication.

Source	Destination	Port	Protocol	Purpose
Module Server	Module Server (loopback)	17454	TCP	Internal purposes; not externally accessible

No additional ports are required.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Patch security exclusions for Tanium Core Platform servers (Windows deployments only)
Target Device	Notes	Exclusion Type	Exclusion
Module Server		Process	<Module Server>\services\patch-service\node.exe
Module Server	required when Endpoint Configuration is installed	Process	<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).

Patch security exclusions for endpoints
Endpoint OS	Notes	Exclusion Type	Exclusion
Windows		Process	<Tanium Client>\TaniumCX.exe
		File	<Tanium Client>\TaniumClientExtensions.dll
		File	<Tanium Client>\TaniumClientExtensions.dll.sig
		File	<Tanium Client>\Patch\tanium-patch.min.vbs
		File	<Tanium Client>\Patch\scans\Wsusscn2.cab
		Process	<Tanium Client>\Patch\tools\active-user-sessions.exe
		File	<Tanium Client>\Patch\tools\run-patch-manager.min.vbs
		Process	<Tanium Client>\Patch\tools\TaniumExecWrapper.exe
		Process	<Tanium Client>\Patch\tools\TaniumFileInfo.exe
		Process	<Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
	7.4.x clients	Process	<Tanium Client>\Python38\TPython.exe
	7.4.x clients	Folder	<Tanium Client>\Python38
		Process	<Tanium Client>\Tools\Patch\7za.exe
		Process	<Tanium Client>\Patch\tools\TaniumExecWrapper.exe
		File	<Tanium Client>\extensions\TaniumSoftwareManager.dll
		File	<Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
	exclude from on-access or real-time scans	Folder	<Tanium Client>
Linux		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
	7.4.x clients	Process	<Tanium Client>/python38/bin/pybin
		Process	<Tanium Client>/python38/python
		Folder	<Tanium Client>/python38
		File	<Tanium Client>/extensions/libTaniumSoftwareManager.so
		File	<Tanium Client>/extensions/libTaniumSoftwareManager.so.sig
macOS		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
	7.4.x clients	Process	<Tanium Client>/python38/bin/pybin
		Process	<Tanium Client>/python38/python
		Folder	<Tanium Client>/python38
		File	<Tanium Client>/extensions/libTaniumSoftwareManager.dylib
		File	<Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow access to Internet URLs on the Tanium Server, Tanium Module Server, or endpoints, depending on the operating system of the endpoints and your Patch configuration. The complete list might vary based on your environment.

Windows endpoints:
- The Tanium Server needs access to the URLs if Patch is scanning Windows endpoints. See Windows scan techniques.
- The Tanium Module Server needs access to www.microsoft.com when Patch uses the Tanium Scan technique. See Windows scan techniques.
- The Windows endpoints need access to the URLs if you are using direct patch downloads. See Enable direct patch downloads from Microsoft.
Linux endpoints:
- The Tanium Server needs access to the URLs used by a scan configuration that uses the Tanium Scan technique. See Linux scan techniques.
- The Linux endpoints need access to the URLs used by a scan configuration that uses the Repository Scan technique. See Linux scan techniques.
For a complete list of URLs needed in your environment, in Interact ask the question Get Patch - Repositories from all machines with Is Linux equals True. Review the URLs listed in the Base URL column.
macOS endpoints: The Tanium Server and macOS endpoints need access to the URLs if Patch is scanning endpoints. See Enforcing scan configurations for Windows and Linux endpoints.

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow access to Internet URLs on Windows and Linux endpoints, depending on your Patch configuration:

Windows:
The Windows endpoints need access to the URLs if you are using direct patch downloads. See Enable direct patch downloads from Microsoft.
Linux: The Linux endpoints need access to the URLs used by a scan configuration that uses the Repository Scan technique. See Linux scan techniques.

Internet URLs to allow
Operating System	URL
Windows	*.delivery.mp.microsoft.com
	*.prod.do.dsp.mp.microsoft.com
	*.update.microsoft.com
	*.windowsupdate.com
	*.windowsupdate.microsoft.com
	http://crl.microsoft.com
	http://emdl.ws.microsoft.com
	http://go.microsoft.com/fwlink/?linkid=74689
	http://ntservicepack.microsoft.com
	http://windowsupdate.microsoft.com
	http://wustat.windows.com
	https://download.microsoft.com
	https://sws.update.microsoft.com
Linux	http://vault.centos.org/
	http://mirror.centos.org
	http://yum.oracle.com
	https://cdn.redhat.com
	http://download.opensuse.org
	http://deb.debian.org
	http://security.debian.org
	http://archive.ubuntu.com
	http://ports.ubuntu.com
	http://security.ubuntu.com
	http://dl.rockylinux.org
	https://repo.almalinux.org

User role requirements

The following tables list the role permissions required to use Patch. To review a summary of the predefined roles, see Set up Patch users.

Do not assign the Patch Service Account and Patch Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Patch user role permissions
Permission	Patch Administrator^1,2,3,7	Patch Configuration Author^1,2,3,7	Patch Deployment Author^1,2,3,7	Patch Endpoint Configuration Approver¹	Patch Operator^1,2,3,7	Patch Read Only User^2,3,7	Patch Super User^1,2,3,6,7	Patch MDM Enforcement Author^2,3,4,5,6,7	Patch MDM Enforcement Viewer^2,3,4,5,6,7
Linux Patch Access to the Linux Patch content	USER	USER	USER		USER	USER	USER
Patch INITIALIZE: Set up Patch activities for the granted content sets SHOW: View the Patch workbench	INITIALIZE SHOW	SHOW	SHOW		INITIALIZE SHOW	SHOW	INITIALIZE⁴ SHOW	SHOW	SHOW
Patch Block List Create, modify, and delete block lists for the granted content sets	^4,5 READ WRITE EXECUTE DELETE	⁴ READ WRITE DELETE	⁴ READ		⁴ READ WRITE EXECUTE DELETE	⁴ READ	⁴ READ WRITE EXECUTE DELETE
Patch Deployment Create, modify, and delete deployments for the granted content sets	^4,5 READ WRITE EXECUTE DELETE	⁴ READ	⁴ READ WRITE EXECUTE DELETE		⁴ READ WRITE EXECUTE DELETE	⁴ READ	⁴ READ WRITE EXECUTE DELETE
Patch Endpoint Configuration Approve changes to Patch endpoint configurations				APPROVER
Patch Maintenance Window Create, modify, and delete enforcements in maintenance windows for the granted content sets	^4,5 READ WRITE EXECUTE DELETE	⁴ READ WRITE DELETE	⁴ READ		⁴ READ WRITE EXECUTE DELETE	⁴ READ	⁴ READ WRITE EXECUTE DELETE
Patch MDM Enforcement Create, modify, and delete MDM enforcements	READ WRITE DELETE						READ WRITE DELETE	READ WRITE DELETE	READ
Patch Operator Settings Write access to a subset of platform settings in the Patch module	WRITE				WRITE
Patch Patchlist Create, modify, and delete enforcements in patch lists for the granted content sets	^4,5 READ WRITE EXECUTE DELETE	⁴ READ WRITE EXECUTE DELETE	⁴ READ		⁴ READ WRITE EXECUTE DELETE	⁴ READ	⁴ READ WRITE EXECUTE DELETE
Patch Profile Create, modify, and delete profiles	READ WRITE EXECUTE DELETE				WRITE EXECUTE DELETE	READ	WRITE EXECUTE DELETE
Patch Repository Create, modify, and delete repositories	READ WRITE EXECUTE DELETE	READ			READ WRITE EXECUTE DELETE	READ	READ EXECUTE
Patch Repository Snapshot Create, edit, and delete repository snapshots	READ WRITE DELETE	READ WRITE DELETE			READ WRITE DELETE	READ	READ WRITE DELETE
Patch Scan Configuration Create, modify, and delete scan configurations	READ WRITE EXECUTE DELETE	READ WRITE DELETE			READ WRITE EXECUTE DELETE	READ	READ WRITE EXECUTE DELETE
Patch Settings Write access to all Patch settings	READ WRITE	READ	READ		READ	READ	READ	READ	READ
Patch Solution Install or uninstall Patch	UPGRADE
Patch Statistics Access to the Patch statistics logs	LOGS
Windows Patch Access to the Windows Patch content	USER	USER	USER		USER	USER	USER
¹ This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. ² This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions. ³ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ⁴ Grants access to content in the Patch Content Set content set. ⁵ Grants access to content in the Patch Service Objects content set. ⁶ This role provides module permissions for Tanium Mac Device Enrollment. You can view which Mac Device Enrollment permissions are granted to this role in the Tanium Console. For more information, see Tanium Mac Device Enrollment User Guide: User role requirements. ⁷ This role provides module permissions for Tanium Reporting. You can view which Reporting permissions are granted to this role in the Tanium Console. For more information, see Tanium Reporting User Guide: User role requirements.

Provided Patch administration and platform content permissions
Permission	Permission Type	Patch Administrator^1,2,4	Patch Configuration Author^1,2,3,4	Patch Deployment Author^1,2,3,4	Patch Operator^1,2,4	Patch Read Only User^1,2,4	Patch Super User^1,2,4	Patch MDM Enforcement Author^2,3,4	Patch MDM Enforcement Viewer^2,3,4
Action Group	Administration	READ	READ	READ	READ	READ	READ	READ	READ
Allowed Urls	Administration	READ WRITE
Action	Platform Content	READ WRITE	WRITE	WRITE	READ WRITE		READ WRITE
Filter Group	Platform Content	READ	READ	READ	READ	READ	READ	READ	READ
Own Action	Platform Content	READ	READ	READ	READ		READ
Package	Platform Content	READ WRITE	READ	READ	READ WRITE		READ WRITE
Plugin	Platform Content	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	Platform Content	READ WRITE	READ	READ	READ WRITE	READ	READ WRITE	READ	READ
Sensor	Platform Content	READ	READ	READ	READ	READ	READ	READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. ¹ This role provides content set permissions for Tanium Interact. You can view which Interact content sets are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions. ² This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ³ This role provides content set permissions for Mobile Device Management. You can view which Mobile Device Management content sets are granted to this role in the Tanium Console. For more information, see Tanium Mac Device Enrollment User Guide: User role requirements. ⁴ This role provides module permissions for Tanium Reporting. You can view which Reporting permissions are granted to this role in the Tanium Console. For more information, see Tanium Reporting User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.