Which of the following is a method for configuring clients to use a wsus server?

If you did not install Patch with the Apply All Tanium recommended configurations, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only)You can set the Patch action group to target the No Computers filter group by enabling restricted targeting beforeadding Patch to your Tanium licenseimporting Patch. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Patch action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Patch with automatic configuration, the following default settings are configured:

The following default settings are configured for Patch:

Action group

• Restricted targeting disabled (default): Patch Supported Systems computer group
• Restricted targeting enabled: No Computers computer group

Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Advanced settings

The following advanced setting is configured for optimal delivery of larger payloads:

• ClientCacheLimitInMB = 2048

For more information, see Configure advanced settings

Patch computer groups

Computer groups that Patch requires are imported:

• All Amazon
• All Debian
• All Debian 8
• All Debian 9
• All Debian 10
• All Debian 11
• All CentOS 6
• All CentOS 7
• All CentOS 8
• All Oracle 6
• All Oracle 7
• All Oracle 8
• All Red Hat 6
• All Red Hat 7
• All Red Hat 8
• All OpenSLES 11
• All OpenSLES 12
• All OpenSLES 15
• All SUSE
• All Mac
• All macOS 10.13
• All macOS 10.14
• All macOS 10.15
• All macOS 11
• All macOS 11.0
• All macOS 11.1
• All macOS 11.2
• All macOS 11.3
• All macOS 11.4
• All macOS 11.5
• All macOS 11.6
• All macOS 11.7
• All macOS 12

• All Ubuntu
• All Ubuntu 14.04 - amd64
• All Ubuntu 14.04 - i386
• All Ubuntu 14.04 - arm64
• All Ubuntu 16.04 - amd64
• All Ubuntu 16.04 - i386
• All Ubuntu 16.04 - arm64
• All Ubuntu 18.04 - amd64
• All Ubuntu 18.04 - i386
• All Ubuntu 18.04 - arm64
• All Ubuntu 20.04 - amd64
• All Ubuntu 20.04 - i386
• All Ubuntu 20.04 - arm64
• All Ubuntu 22.04 - amd64
• All Ubuntu 22.04 - i386
• All Ubuntu 22.04 - arm64
• All Windows
• All Windows Servers
• Patch Supported Systems

Patch scans

• Tanium Scan for Windows is configured and synchronized.

• Default scan configurations are created for each operating system and enforced by the recommended computer group.

Tanium Scan does not include any Red Hat repositories because authentication for cdn.redhat.com must first be configured. For more information, see (Red Hat endpoints) Configure Tanium Server to use certificate authentication(Red Hat endpoints) Configure Tanium Cloud to use certificate authentication.

Patch lists

The following patch lists are automatically created:

• [Patch Baseline Deployment] - Windows
• [Tanium Patch Baseline Reporting] - Windows
• [Tanium Patch Baseline Reporting] - Linux
• [Tanium Patch Baseline Reporting] - macOS
• All Patches

• [Tanium Patch Recommended Updates] - Windows

For more information, see Default patch lists.

Patch block lists

• The [Global Block List] - Windows block list is created and targets the Patch Supported Systems computer group. This block list excludes Security Only patches on Windows systems.For more information, see Microsoft update and servicing details.
• Default block lists are created for each supported operating system, but are not targeted.

Patch deployment templates

Default deployment templates are created for each supported operating system.

Patch maintenance windows

• A [Patch Tuesday] - Windows default maintenance window is created for Patch Tuesday and is not enforced on any computer groups.
• Default maintenance windows are created for each supported operating system to block patch installations and reboots without first enabling another maintenance window. These maintenance windows are not enforced to any computer groups.

Configure advanced settings

You can configure the Tanium platform for optimal delivery of larger payloads, which are typically associated with patching activity.

1. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
2. To increase the client cache size, click Add Setting, provide the following information, and click Save.
   Setting Type: Client
   Platform Setting Name: ClientCacheLimitInMB
   Value Type: Numeric
   Value : 2048

Changes to platform settings can take up to five hours to propagate to clients.

Install and configureConfigureTanium End-User Notifications

With the Tanium End-User Notifications solution, you can create a notification message with your deployment to notify the user that the system is going to restart, and give the user the option to postpone the restart.

(macOS) Patch installations do not occur until the user clicks Restart Now or the restart is forced at the deadline for patches that require a reboot. This functionality helps end users avoid waiting a long time for an OS upgrade after a manual reboot. Instead, end users can be more aware of larger updates and decide when to restart endpoints.

For more information, see Tanium End-User Notifications User Guide: End-User Notifications overview.

Disable Windows Update restart prompts

The Windows Update Agent automatically prompts users to restart their machine when an update is installed from any user or source. The following Windows Local/Group Policies should be configured to allow Tanium End-User Notifications to control endpoint restarts.

1. In the Windows Local Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
2. Enable the No auto-restart for scheduled Automatic Updates installations parameter.
3. Disable the Re-prompt for restart with scheduled installations parameter.

Install and configureConfigureTanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Patch, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
2. Click Settings
   
   and click the Global tab.
3. Select Enable configuration approvals, and click Save.

For solutions toSolutions cannotperform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turnedon, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global.on. As a best practice, do not turn on action locks.For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

• Creating, updating, or deleting patch lists
• Adding or removing enforcements
• Removing all enforcements
• Updating scan configuration priorities
• Creating deployments
• Stopping deployments
• Adding targets to deployments
• User-initiated actions, such as initializing endpoints, uploading custom field files, enabling Linux

Configure Patch

Configure service account

The service account is a user that runs several background processes for Patch. This user requires the Tanium Administrator or Patch Service Account role.If you enabled configuration approvals in Endpoint Configuration, then by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the Patch Service Account role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements and Tanium Endpoint Configuration User Guide: Managing approvals.For more information about Patch permissions, see User role requirements.

If you imported Patch with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

1. On the Patch Overview page, click Settings and then click Service Account if needed.
2. Provide a user name and password, and then click Save.

(Optional)Configure the Patch action group

Importing the Patch module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Patch, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Patch, configuring the Patch action group is optional.

Select the computer groups to include in the Patch action group.

Clear the selection for No Computers and makeMakesure that all operating systems that are supported by Patch are included in the Patch action group.

1. From the Main menu, go to Administration > Actions > Action Groups.
2. Click Patch.
3. Select the computer groups that you want to include in the action group and click Save.
   If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Organize computer groups

One way to apply patches and view deployment results is by computer group. Create relevant computer groups to organize your endpoints. Some options include:

• Endpoint type, such as servers or employee workstations
• Endpoint location, such as by country or time zone
• Endpoint priority, such as business-critical machines
• Endpoint configuration needs, such as VDI machines

Manual computer groups are not supported in Patch. For more information, see Tanium Core Platform User Guide: Managing computer groups.

Organize computer groups by operating system generation for useful visibility and scan configuration targeting.

Set up Patch users

You can use the following set of predefined user roles to set up Patch users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Patch Administrator

Assign the Patch Administrator role to users who manage the configuration and deployment of Patch functionality to endpoints.
This role can perform the following tasks:

• Configure all Patch settings
• Manage block lists, deployments, maintenance windows, patch lists, repositories, and scan configurations
• View the Patch statistics logs
• View all configurations, graphs, and reporting data in Patch

Patch Configuration Author

Assign the Patch Configuration Author role to users who manage Patch configurations.
This role can perform the following tasks:

• Manage block lists, maintenance windows, patch lists, and repository snapshots
• View deployments and repositories
• View Patch settings
• View all configurations, graphs, and reporting data in Patch

Patch Deployment Author

Assign the Patch Deployment Author role to users who manage Patch deployments.
This role can perform the following tasks:

• Manage deployments
• View block lists, maintenance windows, and patch lists
• View Patch settings
• View all configurations, graphs, and reporting data in Patch

Patch Endpoint Configuration Approver

Assign the Patch Endpoint Configuration Approver role to a user who approves or rejects Patch configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Patch is installed.

Patch Operator

Assign the Patch Operator role to users who manage the configuration and deployment of Patch functionality to endpoints.
This role can perform the following tasks:

• Manage block lists, deployments, maintenance windows, patchlists, repositories, and scan configurations
• View all configurations, graphs, and reporting data in Patch

Patch Read Only User

Assign the Patch Read Only User role to users who need visibility into Patch data.
This role can view all configurations, graphs, and reporting data in Patch.

Patch Service Account

Assign the Patch Service Account role to the account that configures system settings for Patch.
This role can perform several background processes for Patch.

Patch Super User

Assign the Patch Super User role to users who manage the configuration and deployment of Patch functionality to endpoints.
This role can perform the following tasks:

• Manage block lists, deployments, maintenance windows, patchlists, repositories, and scan configurations
• View all configurations, graphs, and reporting data in Patch

Enable and configureConfigureWindows features

Before you can use certain Patch features for Windows endpoints, you mustenable orconfigure them:

Enable and configure Tanium Scan for Windows

For more information about Tanium Scan for Windows, see Tanium Scan.

1. From the Patch menu, go to Scan Management.
2. Click Tanium Scan for Windows and then click Edit.
3. Select Enable Tanium Scan for Windows and select a scan source.
4. Click Synchronize Now to perform the required initial synchronization.
5. If you want to synchronize after Microsoft releases many significant patches, select Enable Schedule Synchronization.

6. Use the arrows to select products to include in scans.

   Synchronize all products, regardless of which products are present in the environment. Selectively choosing products can cause gaps in critical or important patches.

7. Use the arrows to select update classifications to include in scans.

   Select Critical Updates, Security Updates, Service Packs, and Update Rollups.

8. Click Submit.

   Click Synchronize Now after you make any changes.

Configure Tanium Scan for Windows

1. From the Patch menu, go to Scan Management.
2. Click Tanium Scan for Windows and then click Edit.
3. If you want to synchronize after Microsoft releases many significant patches, select Enable Schedule Synchronization.

4. Use the arrows to select products to include in scans.

   Synchronize all products, regardless of which products are present in the environment. Selectively choosing products can cause gaps in critical or important patches.

5. Use the arrows to select update classifications to include in scans.

   Select Critical Updates, Security Updates, Service Packs, and Update Rollups.

6. Click Submit.

   Click Synchronize Now after you make any changes.

Configure WSUS Scan

1. Add the WSUS Server URL.
   1. On the Patch Overview page, click Settings and then click Configuration Settings if needed.
   2. In the WSUS Server Configuration section, enter the URL and click Submit. A regular expression for the URL is generated and added.
   3. Click View Allowed URLs, or go to Administration > Permissions > Allowed URLs to view the entry that was added.
2. On the WSUS server, change the following settings:
   1. Set the intranet URL for detecting updates and the statistics server to: http://:.
   2. Disable the Configure Automatic Updates setting.

Enable direct patch downloads from Microsoft

For Windows scan configurations, you can enable direct patch downloads from Microsoft to isolated remote endpoints. This option reduces the impact on network resources. If the direct download fails, the endpoint downloads patches from the Tanium Server.

Cautions and considerations

Endpoints must be in a list of virtual private network (VPN) subnets or allowed Zone Servers that you configure. Configure VPN ranges only where clients have a direct path to the Microsoft URLs that are listed in Internet URLs . The following configurations are recommended:

• Define the IP address ranges that are used by endpoints that connect to Tanium over a split-tunnel VPN. Use for split-tunnel VPN ranges with a separate route to download patches from the Internet. Isolated endpoints within the defined ranges attempt to download patches directly from Microsoft.
• Define the public IP addresses or Internet-resolvable fully qualified domain names of Internet-facing Zone Servers. Isolated Tanium Clients that are connected to these Zone Servers attempt to download patches directly from Microsoft.

Do not specify the following VPNs or Zone Servers:

• Split-tunnel VPNs where endpoints still send traffic bound for Microsoft URLs through the internal corporate network
• Full-tunnel VPNs
• Zone Servers that are used in an internal security zone

Clients that use WSUS scan configurations leverage the location that is defined by WSUS. Unless the WSUS server is configured to download patches from Microsoft instead of storing them locally, do not enable direct downloads for a WSUS Scan configuration. For more information about how to specify where updates are stored, see Microsoft article Update storage options.

1. On the Patch Overview page, click Settings and then click Configuration Settings if needed.
2. In the Patch Direct Downloads section, specify network information:
   1. Select VPN Networks, Zone Servers, or both.
   2. Add one or more networks or servers, or, if previously created, choose from the list.
3. Click Save.

To enable remote endpoints to download patches directly from Microsoft, you must also enable direct downloads in each scan configuration. For more information, see Create a scan configuration.

Tracking direct download status

Review current and past patch downloads directly from Microsoft over the Internet.

1. In Interact, ask the Get Patch - Direct Downloads Statuses from all machines question.
2. Choose the time period in hours; for example, downloads in the last three hours.
3. Choose whether to include in-progress downloads in the results.
4. Choose whether to include failed downloads in the results.
5. Click Ask Question.

The results grid shows a row for each download attempt and its status.

Enable and configure Linux features

Before you can use certain Patch features for Linux endpoints, you must enable and configure them:

Migration of OS-based Linux configurations to Enhanced Linux configurations

After you enable support for Enhanced Linux distributions, Patch migrates any existing OS-based Linux configurations (scan configurations, patch lists, block lists, maintenance windows, and deployment templates) for Red Hat, CentOS, Ubuntu, Oracle, and Amazon to use Enhanced Linux distributions.

Targeting for migrated configurations continue to be filtered to the existing OS-based Linux configurations, so that the same endpoints remain targeted after migration. Migration does not add targeting for unenforced objects, nor does it create a configuration that supports multiple operating systems. You must create a configuration that supports multiple operating systems after migration.

Patch does not select a default deployment template for the new Linux platform. If you want to define a default deployment template, you define it after the automated portion of the migration completes.

Linux Endpoint Behavior Changes

Linux endpoint behavior depends on your current configuration:

• If this is a new Patch module installation, Patch enables Enhanced Linux Support by default.

• If this is an existing Patch module installation, where Patch for Linux endpoints has never been enabled, Linux configurations remain disabled until you enable Enhanced Linux Support.

• If this is an existing Patch module installation, where Patch for Linux endpoints has been enabled, your OS-based Linux configurations remain the same until you enable Enhanced Linux Support.

After you migrate to Enhanced Linux Support, Patch no longer separates operating system selections for Linux. Instead, it creates a single category for all Linux operating systems. Scan configurations can have repositories for multiple Linux operating systems. You can add targets to repositories to ensure they are only used with the proper OS/version targets included in the scan configuration targets. If an endpoint does not meet the criteria for any repositories in a scan configuration, Patch continues to the next targeted scan configuration.

Enable Patch for Enhanced Linux configurations

Before you begin, ensure that you meet the prerequisites listed in Core platform dependencies.

If this is a new Patch module installation, no action is required.

If this is an upgraded Patch module installation, complete the following steps:

1. On the Patch Overview page, click Settings .

2. In the Operating Systems tab, select Enhanced Linux Support and click Save.

   After you enable this option, you cannot disable it.

3. Review the Migration of Linux Configurations message and click Acknowledge and Begin Migration.

4. On the confirmation window, click Yes.

5. (Optional) Click Set Default Template to set a default deployment template for Enhanced Linux Support.

Add and target Linux repositories

To patch Linux endpoints, you must first add repositories that apply to those endpoints, and then use the repositories to target computer groups that contain the endpoints. SUSE Linux Enterprise Server (SLES) repositories use URLs that are unique for each customer, so the process for adding those repositories differs from other versions of Linux.

Before you begin patching SLES endpoints, make sure that at least one endpoint for each OS version that you want to support in Patch is registered with SUSE.

1. From the Patch menu, go to Scan Management and then click Repositories.

2. Click Add Repository.

You can also click Edit


to edit existing repositories.

3. Add a name, and then select whether the repository contains RPM or DEB packages.

4. For RPM repositories, specify the following options as needed:
   1. Add a URL for the repository.

      If you are adding a SLES repository, use the following steps to more easily identify the names and URLs for the repositories that your endpoints use.

      1. In a separate browser tab, go to Modules > Interact.

      2. Ask the following question:

         Get Patch - Repositories from all machines with Operating System Generation contains SUSE

         For more information, see Tanium Interact User Guide: Asking questions.

      3. For the repository that you want to add, hover over the Name cell, click Options

         
         , and then click Copy
         
         .

      4. In the original browser tab, in the Add Repository dialog, paste the cell contents into the Name field, and then select RPM from the Type drop-down menu.

      5. In the browser tab with the question results, hover over the Base URL cell, click Options , and then click Copy .

      6. In the original browser tab, in the Add Repository dialog, paste the cell contents into the URL field.

   2. (Optional) Enable GPG Check and Repo GPG Check to confirm authenticity by verifying GPG signatures.

      Red Hat operating systems do not support Repo GPG Check. If you specify that option in a Red Hat repository configuration, Tanium scans will not run.

5. For DEB repositories, specify the following options as needed:
   1. Add a URL for the repository.
   2. Specify the distribution and components for the release. You can add up to five components for the repository.
   3. In the Release file signing section, select InRelease if the release file is signed inline, or select Release.gpg if the release file has an accompanying GPG file.
   4. In the GPG Key section, select an option to confirm package authenticity and then enter additional information as needed.

6. Click Submit.

7. Expand the repository that you just created, and then click Select Computer Groups.

8. Select the computer groups that will use the repository, and then click Save.

9. (Optional) Create snapshots of repositories. For more information, see Manage Linux repository snapshots.

(Red Hat endpoints) Configure Tanium Server to use certificate authentication

(Red Hat endpoints) Configure Tanium Cloud to use certificate authentication

To use Tanium Scan with Red Hat patch content on Red Hat Linux endpoints, you must configurethe Tanium Server (version 7.5.3.1249 and later)Tanium Cloudto use certificate authentication for downloads from the Red Hat Content Delivery Network (CDN) or an internal Red Hat Satellite server. This process involves requesting the certificates and private keys from Red Hat and configuring the certificates in the Tanium Console.

1. Obtain a valid client certificate and private key from the Red Hat Customer Portal or from the Satellite server. For more information about preparing a Red Hat client authentication certificate for use with Tanium, see Tanium Community: Red Hat certificate for Tanium downloads (login required).

2. Use the Downloads Authentication page to configure the certificates that are necessary forTanium Cloudthe Tanium Serverand remote sources to authenticate for Red Hat patching.

   For detailed information about configuring downloads authentication, see Tanium Console User Guide: Managing downloads authentication.

   If you are using Tanium Server version 7.5.2.3552 or earlier, you must configure TDownloader to use certificate authentication.

   In an active-active high availability (HA) cluster, you must configure both Tanium Servers to use Tanium Scan with Red Hat patch content on Red Hat Linux endpoints.

   1. Copy the following Red Hat text and use it to create a master CA certificate file with a .crt extension.
      Click here to view the certificate text.

      -----BEGIN CERTIFICATE-----
      MIIHZDCCBUygAwIBAgIJAOb+QiglyeZeMA0GCSqGSIb3DQEBBQUAMIGwMQswCQYD
      VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
      Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
      d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
      AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTAwMzE3MTkwMDQ0WhcNMzAw
      MzEyMTkwMDQ0WjCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
      aW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgw
      FgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1h
      c3RlciBDQTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIIC
      IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2Z+mW7OYcBcGxWS+RSKG2GJ2
      csMXiGGfEp36vKVsIvypmNS60SkicKENMYREalbdSjrgfXxPJygZWsVWJ5lHPfBV
      o3WkFrFHTIXd/R6LxnaHD1m8Cx3GwEeuSlE/ASjc1ePtMnsHH7xqZ9wdl85b1C8O
      scgO7fwuM192kvv/veI/BogIqUQugtG6szXpV8dp4ml029LXFoNIy2lfFoa2wKYw
      MiUHwtYgAz7TDY63e8qGhd5PoqTv9XKQogo2ze9sF9y/npZjliNy5qf6bFE+24oW
      E8pGsp3zqz8h5mvw4v+tfIx5uj7dwjDteFrrWD1tcT7UmNrBDWXjKMG81zchq3h4
      etgF0iwMHEuYuixiJWNzKrLNVQbDmcLGNOvyJfq60tM8AUAd72OUQzivBegnWMit
      CLcT5viCT1AIkYXt7l5zc/duQWLeAAR2FmpZFylSukknzzeiZpPclRziYTboDYHq
      revM97eER1xsfoSYp4mJkBHfdlqMnf3CWPcNgru8NbEPeUGMI6+C0YvknPlqDDtU
      ojfl4qNdf6nWL+YNXpR1YGKgWGWgTU6uaG8Sc6qGfAoLHh6oGwbuz102j84OgjAJ
      DGv/S86svmZWSqZ5UoJOIEqFYrONcOSgztZ5tU+gP4fwRIkTRbTEWSgudVREOXhs
      bfN1YGP7HYvS0OiBKZUCAwEAAaOCAX0wggF5MB0GA1UdDgQWBBSIS6ZFxEbsj9bP
      pvYazyY8kMx/FzCB5QYDVR0jBIHdMIHagBSIS6ZFxEbsj9bPpvYazyY8kMx/F6GB
      tqSBszCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw
      DgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQL
      DA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBD
      QTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkA5v5CKCXJ
      5l4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEG
      MCAGA1UdEQQZMBeBFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTAgBgNVHRIEGTAXgRVj
      YS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEFBQADggIBAJ1hEdNBDTRr
      6kI6W6stoogSUwjuiWPDY8DptwGhdpyIfbCoxvBR7F52DlwyXOpCunogfKMRklnE
      gH1Wt66RYkgNuJcenKHAhR5xgSLoPCOVF9rDjMunyyBuxjIbctM21R7BswVpsEIE
      OpV5nlJ6wkHsrn0/E+Zk5UJdCzM+Fp4hqHtEn/c97nvRspQcpWeDg6oUvaJSZTGM
      8yFpzR90X8ZO4rOgpoERukvYutUfJUzZuDyS3LLc6ysamemH93rZXr52zc4B+C9G
      Em8zemDgIPaH42ce3C3TdVysiq/yk+ir7pxW8toeavFv75l1UojFSjND+Q2AlNQn
      pYkmRznbD5TZ3yDuPFQG2xYKnMPACepGgKZPyErtOIljQKCdgcvb9EqNdZaJFz1+
      /iWKYBL077Y0CKwb+HGIDeYdzrYxbEd95YuVU0aStnf2Yii2tLcpQtK9cC2+DXjL
      Yf3kQs4xzH4ZejhG9wzv8PGXOS8wHYnfVNA3+fclDEQ1mEBKWHHmenGI6QKZUP8f
      g0SQ3PNRnSZu8R+rhABOEuVFIBRlaYijg2Pxe0NgL9FlHsNyRfo6EUrB2QFRKACW
      3Mo6pZyDjQt7O8J7l9B9IIURoJ1niwygf7VSJTMl2w3fFleNJlZTGgdXw0V+5g+9
      Kg6Ay0rrsi4nw1JHue2GvdjdfVOaWSWC
      -----END CERTIFICATE-----

      To avoid confusion, give the file a clear name, such as Red Hat Entitlement Master CA.crt.

   2. From the Main menu, go to Administration > Configuration > Downloads Authentication > Trusted Certificates and click Add Trusted Certificate.

   3. Select the certificate that you created and click Open.
   4. In the Display Name field, enter Red Hat Entitlement Master CA and then click Add.
   5. Click Remote Sources > Add Entry.
   6. Specify the following options:
   1. URI: https://cdn.redhat.com
   2. Display Name: Red Hat CDN
   3. Authentication Type: Select Certificate Authentication.
   4. Authentication Certificate: Click Upload Certificate to locate and upload the entitlement certificate file.
   5. Private Key: Click Upload Private Key to locate and upload the entitlement certificate private key.
   7. Click Save.

   As you configure the Tanium Server, you might be required to provide separate authentication certificates and URLs for different Red Hat products. For example, you might have an authentication certificate associated with Red Hat Server products that you configure for use with https://cdn.redhat.com. However, you might also need a separate authentication certificate for Extended Life Cycle Support add-on for RHEL, and you need to configure it for use with https://cdn.redhat.com/content/els. In this scenario, you can repeat the appropriate steps for each of the products that require an authentication certificate.

Next steps

(Red Hat) Edit the [Tanium Scan] - Linux scan management technique to include the Red Hat repositories. For more information, see Edit a scan configuration.

(Red Hat endpoints) Configure TDownloader to use certificate authentication (Tanium Server version 7.5.2.3552 and earlier)

Click to expand.

To use Tanium Scan with Red Hat's patch content on Red Hat Linux endpoints, you must configure Tanium Downloader (TDownloader) to use certificate authentication for downloads from Red Hat's Content Delivery Network (CDN) or an internal Red Hat Satellite server. Obtain a valid client certificate and private key from the Red Hat Customer Portal or from the Satellite server. After you have acquired the client authentication certificate, complete the appropriate steps to configure the Tanium Server.

Configure TDownloader on Tanium Server (Appliance)

If you are using an internal repository secured by a self-signed or an internal CA-signed certificate, Contact Tanium Support to configure the Tanium Servers to trust this certificate.

In an active-active configuration, you must perform the following steps on both Tanium Servers.

1. Upload the SSL client private key and client certificate to your Tanium Appliance. Use SFTP with the tancopy account and copy the files to the /incoming folder.
2. Using the TanOS menu, verify that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name:
   1. Enter 3 to go to the Tanium Support menu.
   2. Enter 4 to go to the Run Network Diagnostics menu.
   3. Enter 1 to select the Ping Remote System option.
3. Add the CA root certificate for the Red Hat CDN:
   1. Enter 2 to go to the Tanium Operations menu.
   2. Enter 2 to go to the Tanium Configuration Settings menu.
   3. Enter 13 to go to the Control RedHat CA Cert menu.
   4. Enter 1 to select the redhat-uep.pem option.
   5. Enter 2 to install the redhat-uep.pem certificate.
4. Add the Red Hat Entitlement client certificate and key:
   1. Enter 2 to go to the Tanium Operations menu.
   2. Enter 2 to go to the Tanium Configuration Settings menu.
   3. Enter 4 to select the Add Tanium Server TDL Auth Cert option.
   4. Enter the URL (https://cdn.redhat.com or the Red Hat Satellite server), client certificate file name, and the SSL client private key file name at each prompt.
   5. At the #Line Content display, enter R to return to the previous menu.

For more information, see Tanium Appliance Deployment Guide: Manage authentication certificates for Tanium Patch connections with Red Hat.

Configure TDownloader on Tanium Server (Windows)

1. Copy the SSL client private key, client certificate, and satellite server certificate to your Tanium Server.
2. Ensure that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name.
   Example:
   ping cdn.redhat.com
   
3. On each Tanium Server, configure TDownloader to use certificate authentication for downloads to the Red Hat Satellite server.
   Example:
   cmd-prompt>TDownloader.exe add-auth-cert --url https://cdn.redhat.com --cert C:\client-certificate.pem --key C:\client-key.pem
   where:
   • https://cdn.redhat.com is the URL prefix for the satellite server download URLs
   • C:\client-certficate.pem is the client certificate
   • C:\client-key.pem is the client certificate private key
4. Check the TDownloader config to see that your certificate has been configured.
   Click here to view the TDownloader config.

   cmd-prompt>TDownloader.exe config list
   Keys:
   - Auth:
       - Auth.0:
         - Auth.0.Certificate: -----BEGIN CERTIFICATE-----
   MIIFPTCCBCWgAwIBAgIIbY/mIdQbgMowDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNV
   BAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWln
   aDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9yZ1VuaXQxKjAoBgNV
   BAMMIXJoZWxwYXRjaHNhdGVsbGl0ZTAxLnByb2RxYS5sb2NhbDAeFw0xODA0MjAw
   NDAwMDBaFw0xOTA0MjAwMzU5NTlaMEYxGTAXBgNVBAoMEHRhbml1bV9wYXRjaF9k
   ZXYxKTAnBgNVBAMTIDBjYjk4NjcyZjBhNTQ0MDJhNzIzYmNjOGI5ODFjYTg3MIIB
   IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXPySC20fPzMreenmX+4mUhS
   s/cdArQZOeeKliCdXI7Q/ZW0ZrhsgmMZTL+BNbZKUp72e0L3GF3yj0wx/8LWRLVC
   S9AaZdbXmJRK7B5mwpQaLtfuE93bJIkmBbzKA49jiwFdDE0J6v+wj0NgBZ3hr0NH
   V2O1hAwar2xkzz9fCTwyAR6d2I9Dpcfua8nH0ybO5kR8v1Epp70vw9/uMmGM3PCe
   YFX81ll3wxStbHj/DznUzQ/vFE0SZxLXh9LyWy9Nq+obLaFeDxJ0DT7iXotwVqWs
   Qow/upQ60vuYpAT57JM5tkrP+rKcct+TVVJNS/QmJC3yOwZWf8rIISRH4cb+GQID
   AQABo4IB5jCCAeIwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIEsDCBwQYD
   VR0jBIG5MIG2gBRNdbtnITo9NxbcUdarkRIJv464dqGBkqSBjzCBjDELMAkGA1UE
   BhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdo
   MRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEqMCgGA1UE
   AwwhcmhlbHBhdGNoc2F0ZWxsaXRlMDEucHJvZHFhLmxvY2FsggkAx2ndp2OhmcYw
   HQYDVR0OBBYEFHX7IDsUYNAZdI5dBxckm5a8y60aMBMGA1UdJQQMMAoGCCsGAQUF
   BwMCMBIGCSsGAQQBkggJBgQFDAMzLjMwFAYJKwYBBAGSCAkIBAcMBUJhc2ljMIGd
   BgkrBgEEAZIICQcEgY8EgYx42i2MMQrDMBAE9zFukyYgfyJdHmDO8oIEis7cXYz9
   e8ck1UwxjNM2GsbXj1bYsFQP6BpVuzRk7cEeSP8kYYRL3EK1OZ51NrED6f5ASK+f
   97RK5DIt3KAO7mHiGIyN4rwGw/wVsVxwAp4aKvUSzZXb1epTaC96MJ25BX5rmucc
   vyYlbSe9CpomkcWhADANBgkqhkiG9w0BAQUFAAOCAQEAubxqAqH/IQqIODQwaX9x
   NrIuJp3qWIUFjxZ1Vby4lEg2xmwfBtvNKminJBWNwOMZjq40xrEz0C2sxqkr/npv
   cbI4MMdQX1rdxMwsntgUZK8ApRR/pPwyxqAoa8IjahVBHNdFoA4+BBjcLcvzA1PB
   PReiXo0GS2gQQAb8U7d/jBTG1gm3ZpJFBxv7NBM9tEey3DwzP5LWPnZZmstRrlfx
   7sb5J/2zLvWuMG+dMJ5jkgUKTuNdccdBP9PEVrAKiDuoLCl4UqnP0YzMJd+e9Ktx
   FC1QCICFUQLhZ/QVAhh8hIw0jSxIcGN+KVJF52BGdzUxvoidfqtMsjc/8NSTRk+T
   /g==
   -----END CERTIFICATE----- 
   - Auth.0.PrivateKey: (protected)
   - Auth.0.URL: https://rhelpatchsatellite01.prodqa.local
   - LogVerbosityLevel: 41
   - ProxyPassword:
   - ProxyPort:
   - ProxyServer:
   - ProxyType: NONE
   - ProxyUserid:
   - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
   - TrustedHostList: localhost,tanium.local,win-2012-r2
   				

5. To configure TDownloader to work with the Red Hat CDN, use a text editor to append the PEM-encoded certificate for cdn.redhat.com to the end of the certificate file as referenced by the TrustedCertPath value from the previous step (Example: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt).
   Click here to view the certificate.

   -----BEGIN CERTIFICATE-----
   MIIG/TCCBOWgAwIBAgIBNzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMx
   FzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMu
   MRgwFgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50
   aXRsZW1lbnQgT3BlcmF0aW9ucyBBdXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNh
   LXN1cHBvcnRAcmVkaGF0LmNvbTAeFw0xMDEwMDQxMzI3NDhaFw0zMDA5MjkxMzI3
   NDhaMIGuMQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAU
   BgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEu
   MCwGA1UEAwwlUmVkIEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEk
   MCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIICIjANBgkqhkiG
   9w0BAQEFAAOCAg8AMIICCgKCAgEA2QurMeAVnCHVsuZNQzciWMdpd4LAVk2eGugN
   0cxmBpzoVI8lIsJOmJkpOAuFOQMX9CBr8RuQyg4r1/OH/rfhm6FgGIw8TGKZoWC/
   1B9teZqTiM85k6/1GRNxdk6dUK77HVO0PMIKtNBHRxIsXcRzJ1q+u5WPBes9pEVG
   nbidTNUkknrSIdynTJcqAI/I0VAsqLqX87XJSzXKvRilE+p/fLHmVTAffl1Cn/Dy
   KULxna7ooyrKKnfqeQ5dK8aMr1ASQ1wphWohLjegly9V0amEi+HHWnOL8toxJy8v
   WUTUzzAvZ4ZTtTV26xGetZZWEaNyv7YCv2AexjcBQ2x+ejrFJrVNo9jizHS06HK8
   UgHVDKhmVcAe2/5yrJCjKDLwg1FJfjKwhzhLYdNVCejpy8CHQndwO0EX1hHv/AfP
   RTAmr5qPhHFD+uuIrYrSLUpgMLmWa9dinJcGeKlA1KJvG5emGMM3k64Xr7dJToXo
   5loGyZ6lvKPIKLmfeXMRW/4+BqyzwbO1i4aIHAZcSPDFGKWwuvF0iVUYUUVxw0nv
   qPZA4roq5+j/YSz0q5XGVgiIt34htlvunLp/ICGYJBR6zEHcB9aZGJdDcJvoYZjw
   7Gphw6lFF6Ta4imoyhGECWKjd1ips3opcN+DlU0yCUrcIXVIXAnkTwu5ocOgAkxr
   f/6FjqcCAwEAAaOCAR8wggEbMB0GA1UdDgQWBBSW/bscQED/QIStsh8LJsHDam/W
   fDCB5QYDVR0jBIHdMIHagBTESXhWRZ0eLGFgw2ZLWAU3LwMie6GBtqSBszCBsDEL
   MAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdS
   YWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0
   IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBDQTEkMCIGCSqG
   SIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkAkYrPyoUAAAAwEgYDVR0T
   AQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOCAgEArWBznYWKpY4LqAzhOSop
   t30D2/UlCSr50l33uUCNYD4D4nTr/pyX3AR6P3JcOCz0t22pVCg8D3DZc5VlzY7y
   P5RD3KbLxFNJTloclMG0n6aIN7baA4b8zwkduMQvKZnA/YNR5xE7V7J2WJHCEBBB
   Z+ZFwGpGsoZpPZP4hHLVke3xHm6A5F5SzP1Ug0T9W80VLK4jtgyGs8l1R7rXiOIt
   Nik8317KGq7DU8TI2Rw/9Gc8FKNfUYcVD7uC/MMQXJTRvkADmNLtZM63nhzpg1Hr
   hA6U5YcDCBKsPA43/wsPOONYtrAlToD5hJhU+1Rhmwcw3qvWBO3NkdilqGFOTc2K
   50PQrqoRTCZFS41nv2WqZFfbvSq4dZRJl8xpB4LAHSspsMrbr9WZHX5fbggf6ixw
   S9KDqQbM7asP0FEKBFXJV1rE8P/oSK6yVWQyigTsNcdGR4AUzDsTO9udcwoM2Ed4
   XdakVkF+dXm9ZBwv5UBf5ITSyMXL3qlusIOblJVGUQizumoq0LiSnjwbkxh2XHhd
   XD/B/qax7FnaNg+TfujR/kk3kF1OpqWx/wC/qPR+zho1+35Al31gZOfNIn/sReoM
   tcci9LFHGvijIy4VUDQK8HmGjIxJPrIIe1nB5BkiGyjwn00D5q+BwYVst1C68Rwx
   iRZpyzOZmeineJvhrJZ4Tvs=
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   MIIHZTCCBU2gAwIBAgIJAJGKz8qFAAAAMA0GCSqGSIb3DQEBBQUAMIGwMQswCQYD
   VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
   Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
   d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
   AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTAwMzE4MTEyNDU0WhcNMzAw
   MzEzMTEyNDU0WjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
   aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
   dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
   dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
   AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
   GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
   /xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
   NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
   v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
   HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
   5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
   tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
   i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
   I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
   dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
   k5G87WpwzcC8y6ePR0vFAgMBAAGjggF9MIIBeTAdBgNVHQ4EFgQUxEl4VkWdHixh
   YMNmS1gFNy8DInswgeUGA1UdIwSB3TCB2oAUiEumRcRG7I/Wz6b2Gs8mPJDMfxeh
   gbakgbMwgbAxCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQ
   MA4GA1UEBwwHUmFsZWlnaDEWMBQGA1UECgwNUmVkIEhhdCwgSW5jLjEYMBYGA1UE
   CwwPUmVkIEhhdCBOZXR3b3JrMR4wHAYDVQQDDBVFbnRpdGxlbWVudCBNYXN0ZXIg
   Q0ExJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbYIJAOb+Qigl
   yeZeMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIB
   BjAgBgNVHREEGTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wIAYDVR0SBBkwF4EV
   Y2Etc3VwcG9ydEByZWRoYXQuY29tMA0GCSqGSIb3DQEBBQUAA4ICAQBbTSz+UIXP
   AVIT0ZVL1flCHR113aj2j3UBZkaoDkSxtEfa1nqysmN0llpqh4NVBL3anEFYxokL
   hQ2PB8mmuD5EuWaNxnXTc4Sr5dsOcjkFiU197lybaJK7w4OzQ2Qg/X/t4+R78cfM
   ZK/qHpjuyT3NyHHvCug/WzkvU09pRr2aVHI+fn68u18TRzPJNKvegR4YeA3vsyQW
   BgEc8sU7KrAvikFJ3mCTpAk+6SRgbGFLyZE637Qrzy2DDBw0V020dkTkC6YnEsZg
   HwZWVmLtCgLlnimx6SRft+6zrXVHWZxod1GT/af7vizpmhrXt/Nu5Se7dpOhPayo
   NwYCFNmfZeL4W/foSKNfaizZcc+tiNABRtT+tplfniv/yjr7sBAsFPhJqQB8CfsQ
   8BVvKkHtixygyo+EO+NEotZGw3cn+/7soo9B1bWXk3PFSwEr+KwINACFGv2zcGLI
   oeP4iK6DHZImWEV4tgMrQyXatEyPh2axPWU3SjY/fr1Ub5gEt+WpCtyYIN4ObBaN
   eL3NPfTj79/VFZ22PhUInmGY/VK/ymvl/dkWyWi8zD8Aq55ofZ33FvQ46dcLp1pV
   KWApIVqO27uhL6YxXDFi6n7RXACEIVz6JqDh5fGmOH1F+vfumZKzW78LlVD2QY15
   rmCh0i9+AUCiUsNyYdJbSZDPiFPBwlwUoQ==
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   MIIHZDCCBUygAwIBAgIJAOb+QiglyeZeMA0GCSqGSIb3DQEBBQUAMIGwMQswCQYD
   VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
   Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
   d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
   AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTAwMzE3MTkwMDQ0WhcNMzAw
   MzEyMTkwMDQ0WjCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
   aW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgw
   FgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1h
   c3RlciBDQTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIIC
   IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2Z+mW7OYcBcGxWS+RSKG2GJ2
   csMXiGGfEp36vKVsIvypmNS60SkicKENMYREalbdSjrgfXxPJygZWsVWJ5lHPfBV
   o3WkFrFHTIXd/R6LxnaHD1m8Cx3GwEeuSlE/ASjc1ePtMnsHH7xqZ9wdl85b1C8O
   scgO7fwuM192kvv/veI/BogIqUQugtG6szXpV8dp4ml029LXFoNIy2lfFoa2wKYw
   MiUHwtYgAz7TDY63e8qGhd5PoqTv9XKQogo2ze9sF9y/npZjliNy5qf6bFE+24oW
   E8pGsp3zqz8h5mvw4v+tfIx5uj7dwjDteFrrWD1tcT7UmNrBDWXjKMG81zchq3h4
   etgF0iwMHEuYuixiJWNzKrLNVQbDmcLGNOvyJfq60tM8AUAd72OUQzivBegnWMit
   CLcT5viCT1AIkYXt7l5zc/duQWLeAAR2FmpZFylSukknzzeiZpPclRziYTboDYHq
   revM97eER1xsfoSYp4mJkBHfdlqMnf3CWPcNgru8NbEPeUGMI6+C0YvknPlqDDtU
   ojfl4qNdf6nWL+YNXpR1YGKgWGWgTU6uaG8Sc6qGfAoLHh6oGwbuz102j84OgjAJ
   DGv/S86svmZWSqZ5UoJOIEqFYrONcOSgztZ5tU+gP4fwRIkTRbTEWSgudVREOXhs
   bfN1YGP7HYvS0OiBKZUCAwEAAaOCAX0wggF5MB0GA1UdDgQWBBSIS6ZFxEbsj9bP
   pvYazyY8kMx/FzCB5QYDVR0jBIHdMIHagBSIS6ZFxEbsj9bPpvYazyY8kMx/F6GB
   tqSBszCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw
   DgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQL
   DA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBD
   QTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkA5v5CKCXJ
   5l4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEG
   MCAGA1UdEQQZMBeBFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTAgBgNVHRIEGTAXgRVj
   YS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEFBQADggIBAJ1hEdNBDTRr
   6kI6W6stoogSUwjuiWPDY8DptwGhdpyIfbCoxvBR7F52DlwyXOpCunogfKMRklnE
   gH1Wt66RYkgNuJcenKHAhR5xgSLoPCOVF9rDjMunyyBuxjIbctM21R7BswVpsEIE
   OpV5nlJ6wkHsrn0/E+Zk5UJdCzM+Fp4hqHtEn/c97nvRspQcpWeDg6oUvaJSZTGM
   8yFpzR90X8ZO4rOgpoERukvYutUfJUzZuDyS3LLc6ysamemH93rZXr52zc4B+C9G
   Em8zemDgIPaH42ce3C3TdVysiq/yk+ir7pxW8toeavFv75l1UojFSjND+Q2AlNQn
   pYkmRznbD5TZ3yDuPFQG2xYKnMPACepGgKZPyErtOIljQKCdgcvb9EqNdZaJFz1+
   /iWKYBL077Y0CKwb+HGIDeYdzrYxbEd95YuVU0aStnf2Yii2tLcpQtK9cC2+DXjL
   Yf3kQs4xzH4ZejhG9wzv8PGXOS8wHYnfVNA3+fclDEQ1mEBKWHHmenGI6QKZUP8f
   g0SQ3PNRnSZu8R+rhABOEuVFIBRlaYijg2Pxe0NgL9FlHsNyRfo6EUrB2QFRKACW
   3Mo6pZyDjQt7O8J7l9B9IIURoJ1niwygf7VSJTMl2w3fFleNJlZTGgdXw0V+5g+9
   Kg6Ay0rrsi4nw1JHue2GvdjdfVOaWSWC
   -----END CERTIFICATE-----

Next steps

(Red Hat) Edit the [Tanium Scan] - Linux scan management technique to include the Red Hat repositories. For more information, see Edit a scan configuration.

Manage Linux repository snapshots

Repository snapshots have the following requirements:

1. From the Patch menu, go to Scan Management and then click Repositories.
2. To create a snapshot, select a repository and then click Create Snapshot. Name the snapshot and click Confirm.
3. To rename a snapshot, expand a repository and then click Rename Snapshot . Provide a new name and click Confirm.
4. To permanently remove unneeded snapshots, click Delete Snapshot
   
   .
5. To remove failed snapshots across all repositories; for example, those for which the environment was not properly set up, click Delete Failed Snapshots.

Export a Linux repository

You can facilitate the migration of patch content by exporting repositories. The exported file includes all settings and definitions, except for repository snapshots. This is particularly useful in progressive deployment models where patches must be moved from a testing environment to a production environment.

1. From the Patch menu, go to Scan Management, and then click Repositories.

2. Select a repository and then click Export.

The JSON file is available in your downloads folder.

Import a Linux repository

You can import an exported repository into a new environment.

You cannot import a repository with the same name as an existing repository.

1. From the Patch menu, go to Scan Management, and then click Repositories.

2. Click Import Repository and then click Choose File.
3. Browse to the list in .JSON extension and then click Import.

Enable macOS features

Before you use Patch features for macOS endpoints, you must first make sure to enable macOS in the Patch settings.

To enable macOS, complete the following steps:

1. On the Patch Overview page, click Settings .

2. In the Operating Systems tab, select macOS and click Save.

   After you enable this option, you cannot disable it.

Initialize Patch endpoints

Patch installs a set of tools on each endpoint that you have targeted. Initializing or reinitializing Patch is a common troubleshooting step.

Patch does not work on endpoints with action locks turned on. Be sure action locks are turned off on endpoints that you want to target with Patch. See Tanium Console User Guide: Managing action locks.

Which two ways can computers be assigned to groups in WSUS?

Which servers server apps can be used to push Windows updates to client machines?

Which management tools can you use to approve the deployment of Windows updates to computers?

What is the purpose of WSUS quizlet?