Which of the following is a method for configuring clients to use a WSUS server?
If you did not install Patch with the Apply All Tanium recommended configurations, you must enable and configure certain features.
(Tanium Core Platform 7.4.5 or later only) You can set the Patch action group to target the No Computers filter group by enabling restricted targeting before adding Patch to your Tanium license or importing Patch. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Patch action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.
When you import Patch with automatic configuration, the following default settings are configured:
Action group
The service account is set to the account that you used to import the module. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.
Advanced settings
The following advanced setting is configured for optimal delivery of larger payloads:
For more information, see Configure advanced settings.
Patch computer groups
Computer groups that Patch requires are imported:
Tanium Scan does not include any Red Hat repositories because authentication for cdn.redhat.com must first be configured. For more information, see (Red Hat endpoints) Configure Tanium Server to use certificate authentication or (Red Hat endpoints) Configure Tanium Cloud to use certificate authentication.
Patch lists
The following patch lists are automatically created:
For more information, see Default patch lists.
Patch block lists
Default deployment templates are created for each supported operating system.
Patch maintenance windows
Configure advanced settings
You can configure the Tanium platform for optimal delivery of larger payloads, which are typically associated with patching activity.
Changes to platform settings can take up to five hours to propagate to clients.
Install and configure Tanium End-User Notifications
With the Tanium End-User Notifications solution, you can create a notification message with your deployment to notify the user that the system is going to restart, and give the user the option to postpone the restart. (macOS) Patch installations do not occur until the user clicks Restart Now or the restart is forced at the deadline for patches that require a reboot. This functionality helps end users avoid waiting a long time for an OS upgrade after a manual reboot. Instead, end users can be more aware of larger updates and decide when to restart endpoints. For more information, see Tanium End-User Notifications User Guide: End-User Notifications overview.
Disable Windows Update restart prompts
The Windows Update Agent automatically prompts users to restart their machine when an update is installed from any user or source. The following Windows Local/Group Policies should be configured to allow Tanium End-User Notifications to control endpoint restarts.
Install and configure Tanium Endpoint Configuration
Manage solution configurations with Tanium Endpoint Configuration
Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.
Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.
Additionally, you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Patch, see User role requirements. To use Endpoint Configuration to manage approvals, you must enable configuration approvals.
For solutions to perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.
For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.
If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:
Configure Patch
Configure service account
The service account is a user that runs several background processes for Patch. This user requires the Tanium Administrator or Patch Service Account role. If you enabled configuration approvals in Endpoint Configuration, then by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the Patch Service Account role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements and Tanium Endpoint Configuration User Guide: Managing approvals. For more information about Patch permissions, see User role requirements.
If you imported Patch with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.
(Optional) Configure the Patch action group
Importing the Patch module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Patch, the action group targets No Computers. If you used automatic configuration and restricted targeting was disabled when you imported Patch, configuring the Patch action group is optional.
Select the computer groups to include in the Patch action group. Clear the selection for No Computers and make sure that all operating systems that are supported by Patch are included in the Patch action group.
Organize computer groups
One way to apply patches and view deployment results is by computer group. Create relevant computer groups to organize your endpoints. Some options include:
Manual computer groups are not supported in Patch. For more information, see Tanium Core Platform User Guide: Managing computer groups.
Organize computer groups by operating system generation for useful visibility and scan configuration targeting.
Set up Patch users
You can use the following set of predefined user roles to set up Patch users. To review specific permissions for each role, see User role requirements. For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
Patch Administrator
Assign the Patch Administrator role to users who manage the configuration and deployment of Patch functionality to endpoints.
Patch Configuration Author
Assign the Patch Configuration Author role to users who manage Patch configurations.
Patch Deployment Author
Assign the Patch Deployment Author role to users who manage Patch deployments.
Patch Endpoint Configuration Approver
Assign the Patch Endpoint Configuration Approver role to a user who approves or rejects Patch configuration items in Tanium Endpoint Configuration.
Patch Operator
Assign the Patch Operator role to users who manage the configuration and deployment of Patch functionality to endpoints.
Patch Read Only User
Assign the Patch Read Only User role to users who need visibility into Patch data.
Patch Service Account
Assign the Patch Service Account role to the account that configures system settings for Patch.
Patch Super User
Assign the Patch Super User role to users who manage the configuration and deployment of Patch functionality to endpoints.
Enable and configure Windows features
Before you can use certain Patch features for Windows endpoints, you must enable or configure them:
Enable and configure Tanium Scan for Windows
For more information about Tanium Scan for Windows, see Tanium Scan.
Configure Tanium Scan for Windows
Configure WSUS Scan
Enable direct patch downloads from Microsoft
For Windows scan configurations, you can enable direct patch downloads from Microsoft to isolated remote endpoints. This option reduces the impact on network resources. If the direct download fails, the endpoint downloads patches from the Tanium Server.
Cautions and considerations
Endpoints must be in a list of virtual private network (VPN) subnets or allowed Zone Servers that you configure. Configure VPN ranges only where clients have a direct path to the Microsoft URLs that are listed in Internet URLs. The following configurations are recommended:
Do not specify the following VPNs or Zone Servers:
Clients that use WSUS scan configurations leverage the location that is defined by WSUS. Unless the WSUS server is configured to download patches from Microsoft instead of storing them locally, do not enable direct downloads for a WSUS Scan configuration. For more information about how to specify where updates are stored, see Microsoft article Update storage options.
To enable remote endpoints to download patches directly from Microsoft, you must also enable direct downloads in each scan configuration. For more information, see Create a scan configuration.
Tracking direct download status
Review current and past patch downloads directly from Microsoft over the Internet.
The results grid shows a row for each download attempt and its status.
Enable and configure Linux features
Before you can use certain Patch features for Linux endpoints, you must enable and configure them:
Migration of OS-based Linux configurations to Enhanced Linux configurations
After you enable support for Enhanced Linux distributions, Patch migrates any existing OS-based Linux configurations (scan configurations, patch lists, block lists, maintenance windows, and deployment templates) for Red Hat, CentOS, Ubuntu, Oracle, and Amazon to use Enhanced Linux distributions. Targeting for migrated configurations continues to be filtered to the existing OS-based Linux configurations, so that the same endpoints remain targeted after migration. Migration does not add targeting for unenforced objects, nor does it create a configuration that supports multiple operating systems. You must create a configuration that supports multiple operating systems after migration.
Patch does not select a default deployment template for the new Linux platform. If you want to define a default deployment template, you define it after the automated portion of the migration completes.
Linux Endpoint Behavior Changes
Linux endpoint behavior depends on your current configuration:
After you migrate to Enhanced Linux Support, Patch no longer separates operating system selections for Linux. Instead, it creates a single category for all Linux operating systems. Scan configurations can have repositories for multiple Linux operating systems. You can add targets to repositories to ensure they are only used with the proper OS/version targets included in the scan configuration targets. If an endpoint does not meet the criteria for any repositories in a scan configuration, Patch continues to the next targeted scan configuration.
Enable Patch for Enhanced Linux configurations
Before you begin, ensure that you meet the prerequisites listed in Core platform dependencies. If this is a new Patch module installation, no action is required. If this is an upgraded Patch module installation, complete the following steps:
Add and target Linux repositories
To patch Linux endpoints, you must first add repositories that apply to those endpoints, and then use the repositories to target computer groups that contain the endpoints. SUSE Linux Enterprise Server (SLES) repositories use URLs that are unique for each customer, so the process for adding those repositories differs from other versions of Linux. Before you begin patching SLES endpoints, make sure that at least one endpoint for each OS version that you want to support in Patch is registered with SUSE.
You can also click Edit to edit existing repositories.
(Red Hat endpoints) Configure Tanium Server to use certificate authentication
(Red Hat endpoints) Configure Tanium Cloud to use certificate authentication
To use Tanium Scan with Red Hat patch content on Red Hat Linux endpoints, you must configure the Tanium Server (version 7.5.3.1249 and later) or Tanium Cloud to use certificate authentication for downloads from the Red Hat Content Delivery Network (CDN) or an internal Red Hat Satellite server. This process involves requesting the certificates and private keys from Red Hat and configuring the certificates in the Tanium Console.
Next steps
(Red Hat) Edit the [Tanium Scan] - Linux scan management technique to include the Red Hat repositories. For more information, see Edit a scan configuration.
(Red Hat endpoints) Configure TDownloader to use certificate authentication (Tanium Server version 7.5.2.3552 and earlier)
To use Tanium Scan with Red Hat's patch content on Red Hat Linux endpoints, you must configure Tanium Downloader (TDownloader) to use certificate authentication for downloads from Red Hat's Content Delivery Network (CDN) or an internal Red Hat Satellite server. Obtain a valid client certificate and private key from the Red Hat Customer Portal or from the Satellite server. After you have acquired the client authentication certificate, complete the appropriate steps to configure the Tanium Server.
Configure TDownloader on Tanium Server (Appliance)
If you are using an internal repository secured by a self-signed or an internal CA-signed certificate, contact Tanium Support to configure the Tanium Servers to trust this certificate. In an active-active configuration, you must perform the following steps on both Tanium Servers.
For more information, see Tanium Appliance Deployment Guide: Manage authentication certificates for Tanium Patch connections with Red Hat.
Configure TDownloader on Tanium Server (Windows)
Next steps
(Red Hat) Edit the [Tanium Scan] - Linux scan management technique to include the Red Hat repositories. For more information, see Edit a scan configuration.
Manage Linux repository snapshots
Repository snapshots have the following requirements:
Export a Linux repository
You can facilitate the migration of patch content by exporting repositories. The exported file includes all settings and definitions, except for repository snapshots. This is particularly useful in progressive deployment models where patches must be moved from a testing environment to a production environment.
The JSON file is available in your downloads folder.
Import a Linux repository
You can import an exported repository into a new environment. You cannot import a repository with the same name as an existing repository.
Enable macOS features
Before you use Patch features for macOS endpoints, you must first make sure to enable macOS in the Patch settings. To enable macOS, complete the following steps:
Initialize Patch endpoints
Patch installs a set of tools on each endpoint that you have targeted. Initializing or reinitializing Patch is a common troubleshooting step. Patch does not work on endpoints with action locks turned on. Be sure action locks are turned off on endpoints that you want to target with Patch. See Tanium Console User Guide: Managing action locks.
Which two ways can computers be assigned to groups in WSUS?
You can assign computers to computer groups by using one of two methods, server-side targeting or client-side targeting.
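One way to check, on a Windows client, whether policy has pointed it at a WSUS server and which of the two targeting methods applies to it. This is an added example, not part of the original page or of Tanium's tooling; it reads the standard Windows Update policy registry values, and the function names Get-WsusClientPolicy and Read-Value are hypothetical.

```powershell
# Added example: report how this Windows client is configured for WSUS.
# Get-WsusClientPolicy is a hypothetical helper name, not a built-in cmdlet.
function Get-WsusClientPolicy {
    [CmdletBinding()]
    param(
        # Windows Update policy key written by Group Policy or local policy.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    # Read one registry value; return $null when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    $wuServer      = Read-Value $PolicyPath 'WUServer'
    $statusServer  = Read-Value $PolicyPath 'WUStatusServer'
    $useWuServer   = Read-Value (Join-Path $PolicyPath 'AU') 'UseWUServer'
    $targetEnabled = Read-Value $PolicyPath 'TargetGroupEnabled'
    $targetGroup   = Read-Value $PolicyPath 'TargetGroup'

    # The client uses WSUS only when a server URL is set and UseWUServer is 1.
    $usesWsus = ($useWuServer -eq 1) -and -not [string]::IsNullOrWhiteSpace($wuServer)

    # Client-side targeting: the client names its own group(s) through policy.
    # Otherwise group membership is assigned on the WSUS server (server-side).
    $clientSide = $usesWsus -and ($targetEnabled -eq 1) -and
                  -not [string]::IsNullOrWhiteSpace($targetGroup)

    $targeting = if (-not $usesWsus) { 'n/a (client is not using WSUS)' }
                 elseif ($clientSide) { 'client-side' }
                 else { 'server-side (no client target group policy set)' }

    # TargetGroup may list several groups separated by semicolons.
    $groups = if ($clientSide) {
        @($targetGroup -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    } else { @() }

    [pscustomobject]@{
        UsesWsus     = $usesWsus
        WUServer     = $wuServer
        StatusServer = $statusServer
        Targeting    = $targeting
        TargetGroups = $groups
    }
}

Get-WsusClientPolicy | Format-List
```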
Which server apps can be used to push Windows updates to client machines?
Windows Server Update Services (WSUS) is a Windows server role that can plan, manage and deploy updates, patches and hotfixes for Windows servers, client operating systems (OSes) and other Microsoft software.
Which management tools can you use to approve the deployment of Windows updates to computers?
You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network.
What is the purpose of WSUS quizlet?
WSUS server downloads the correct updates based on the Windows versions operating in your network. WSUS is synchronizing any new versions of Windows you have recently added with Microsoft Update servers.