General Configuration

Maintenance Windows

Check that the Maintenance Window is configured correctly

Action Lock Status: ON

If Action Lock is ON, no patches will be applied (see Patch module configuration)

Get Action Lock Status from all machines

Deployment

Patch list

Deployment

Debug

Interact => Get Patch – Supported Scan Types => no result

  • Check the Log File

The first step is to investigate the local logs on the affected endpoint. Specifically, you need to check the sensor-history0.txt file for this sensor.

By analyzing the sensor-history0.txt log file on the endpoint, I was able to isolate the crash.

The script failed because the machine was configured with US English (en-US) but was forced to use a comma (,) as the decimal separator. The CDBL function expects a dot (.) when in a US context, causing the crash.

Interact => Patch – Deployment Statuses => no result

  • Check the Log File

The first step is to investigate the local logs on the affected endpoint. Specifically, you need to check the sensor-history0.txt file.

Open the log file and search for “Patch – Deployment Statuses”. You want to see if you have an error entry that looks like this:

{"name":"Patch - Deployment Statuses","time_ms":584,"what_hash":145487854561,"definition_id":8754,"error":"Error: XmlReader: Failed to parse XML from C:\\xxxxxxxxxxxxxxx\\deployments\\configurations\\deployment-7.xml.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.

  • Apply the Fix

Create a package that runs the following PowerShell script. This will recursively find and force-delete any .tmp or .invalid files in the Patch directory:

# -----------------------------------------------------------
# Tanium Package Script - Patch Cleanup
# -----------------------------------------------------------

$TargetPaths = @(
    "C:\Systools\tanium\Patch",
    "C:\Program Files (x86)\Tanium\Tanium Client\Patch",
    "C:\Program Files\Tanium\Tanium Client\Patch"
)

# List of extensions (includes .invalid and .invalide)
$Extensions = @("*.tmp", "*.temp", "*.invalid", "*.invalide")

foreach ($Path in $TargetPaths) {
    # 1. Check that the folder exists (avoids red errors if the path does not exist)
    if (Test-Path -LiteralPath $Path) {

        # 2. Recursive deletion
        # -Recurse : searches subfolders
        # -Force : includes hidden files and deletes read-only files
        # -ErrorAction SilentlyContinue : skips files locked by the system without crashing the script

        Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue |
        Remove-Item -Force -ErrorAction SilentlyContinue
    }
}

# 3. Explicit exit code for Tanium (0 = Success)
exit 0
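Before pushing the cleanup package broadly, it helps to confirm which files the sensors are actually failing on. The following is an added example, not part of the original post or of Tanium's tooling: it extracts the failing XML paths from sensor-history0.txt error entries. It assumes each entry sits on one line with "name" and "error" fields shaped like the entry quoted above; the function name and the sample lines are constructed for illustration.

```powershell
# Added example: list the XML files that Tanium sensors failed to parse,
# read from sensor-history0.txt error entries.
# Assumption: one entry per line, with "name" and "error" fields shaped like
# the entry quoted above. A regex is used instead of ConvertFrom-Json so that
# truncated lines still match.

function Get-XmlParseFailure {
    param([string[]]$Line)

    $rx = [regex]'"name":"(?<name>[^"]+)".*?Failed to parse XML from (?<path>.+?\.xml(?:\.\w+)*)'
    foreach ($l in $Line) {
        $m = $rx.Match($l)
        if (-not $m.Success) { continue }

        # JSON escapes each backslash as two; undo that to get the real path.
        $path = $m.Groups['path'].Value -replace '\\\\', '\'

        [pscustomobject]@{
            Sensor        = $m.Groups['name'].Value
            File          = $path
            # Number of ".invalid" suffixes stacked on the file name
            InvalidSuffix = ([regex]::Matches($path, '\.invalid')).Count
            # Whether the file is still on disk (False once the cleanup has run)
            Exists        = Test-Path -LiteralPath $path
        }
    }
}

# Constructed sample lines (not real log data). On an endpoint, replace with:
#   $lines = Get-Content -LiteralPath '<path to sensor-history0.txt>'
$lines = @(
    '{"name":"Patch - Scan Age","time_ms":12,"result":"ok"}',
    '{"name":"Patch - Deployment Statuses","time_ms":584,"error":"Error: XmlReader: Failed to parse XML from C:\\Example\\Patch\\deployments\\configurations\\deployment-7.xml.invalid.invalid."}'
)

Get-XmlParseFailure -Line $lines |
    Sort-Object File -Unique |
    Format-Table -AutoSize
```

Running it again after the cleanup package has executed should show Exists as False for every listed file.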

On Reports => Patch – Coverage Status Details

Interact => Patch Scan Age => >1day

Get Patch – Scan Age from all machines

Identify all computers with a patch scan older than 1 day

Interact => Get Patch – Is Process Running

Get Patch - Is Process Running from all machines

Interact => Get Endpoint Configuration – Tools Status

Get Endpoint Configuration - Tools Status from all machines

Scan Error – Scan Management

Patch UI => Modules > Patch > Scan Management > Scan Errors

| Scan Error returned by Tanium Patch | Suggested First Remediation | Comment |
|---|---|---|
| Unable to load PatchLib | Uninstall the TPT | Patch Tools engine library is corrupted. |
| Failed to start the Tanium Scan update service | Uninstall the TPT | PatchScanUpdate service no longer starts. |
| Windows Update Error Code 7 – “Out of memory” | Check the page file → minimum 16 GB or open a ticket to adjust the batch size | Common on low-RAM VMs. |
| -2147023293 ERROR_INSTALL_FAILED | Reset the WUA Client | Generic install failure from Windows Update Agent. |
| -2145124338 WU_E_XML_INVALID | Reset the WUA Client | Corrupted catalog XML. |
| -2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD | Reset the WUA Client | WUA requests a new download. |
| Failed to Parse XML | Delete the listed XML file (harmless). | Usually a partial or temp file. |
| WU_E_NO_INTERACTIVE_USER | Block Patch distribution → manual installation only. | Device without an interactive session. |
| PatchManager – error changing WUA service state (timeout) | Fully rebuild the WUA service or run SFC/DISM scans. | WUA service stuck or system files corrupted. |


Link : Troubleshooting Patch

Deployment Status

Installed status

Get Patch – Installation State[“”] having Patch – Installation State:KB Articles contains KB from all machines

Get Patch - Installation State[Installed Only] from all machines

Deployment result

Get Patch - Deployment Results from all machines

Installation source (Tanium / Windows update)

Get Patch Installation History[30,0,1,1,1,1,0] from all machines

Patch Installation History

Get Patch Installation History[30,0,1,1,1,1,0] from all machines

Deployment status

Get Computer Name and Operating System and Patch - Deployment Statuses from all machines

Check Tanium Server

Sync Tanium Scan for Windows database

  • Patch UI : Modules › Patch › Overview › (?) Help › Support › Initialize Endpoints

  • Click on “Initialize Endpoints”
  • Patch UI : Modules > Patch > Scan Management > Tanium Scan for Windows

Solution

Reinstall Patch tools

Use action (package) – Endpoint Configuration - Reinstall Tools

Reset Windows update agent

-2145124323 WU_E_INVALID_UPDATE
-2145124321 WU_E_NO_CONNECTION
-2147023293 ERROR_INSTALL_FAILED
-2145124338 WU_E_XML_INVALID
-2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD

Use package “Patch – Reset Windows Update Client”
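The codes listed above are signed 32-bit renderings of HRESULT values, while Microsoft's error reference lists them in hexadecimal. The following is an added example, not from the original post: it converts each code to hex and splits out the facility and low 16-bit code. The function name is hypothetical; the code/name pairs are the ones listed above.

```powershell
# Added example: decode the signed decimal codes reported by Tanium Patch
# into the hexadecimal HRESULT form used in Microsoft's error reference.

function ConvertTo-HResultInfo {
    param(
        [int]$Code,      # signed 32-bit value as shown in the scan error
        [string]$Name    # symbolic name as listed on this page
    )
    # Same bit layout as the HRESULT_FACILITY / HRESULT_CODE macros.
    $facility = ($Code -shr 16) -band 0x1FFF
    $low16    = $Code -band 0xFFFF

    $facilityName = switch ($facility) {
        7       { 'FACILITY_WIN32' }           # low 16 bits are a Win32 error code
        36      { 'FACILITY_WINDOWSUPDATE' }   # 0x24
        default { "facility $facility" }
    }

    [pscustomobject]@{
        Name     = $Name
        Decimal  = $Code
        Hex      = '0x{0:X8}' -f $Code         # two's-complement hex of the Int32
        Facility = $facilityName
        Code     = $low16
    }
}

# Code/name pairs copied from the list above.
$pageCodes = @(
    '-2145124323 WU_E_INVALID_UPDATE',
    '-2145124321 WU_E_NO_CONNECTION',
    '-2147023293 ERROR_INSTALL_FAILED',
    '-2145124338 WU_E_XML_INVALID',
    '-2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD'
)

$pageCodes | ForEach-Object {
    $dec, $name = $_ -split ' ', 2
    ConvertTo-HResultInfo -Code ([int]$dec) -Name $name
} | Format-Table -AutoSize
```

An entry decoded as FACILITY_WIN32 wraps a plain Win32 error, so its Code column is the value to look up as a Win32 or installer error rather than as a Windows Update code.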

Force Scan

Option 1 (preferred)

  • Create a package “Patch – Delete patch-scan-results” with command:
cmd.exe /d /c del /f /q ..\..\Patch\scans\patch-scan-results.txt

Option 2

  • Create a package “Patch – Create Scan-Now” with command:
cmd.exe /d /c echo Scan invoked on %DATE% %TIME% from package >> ..\..\Patch\scans\scan-now.txt

General Information

SSU

Since February 2021, the SSU is included in the Cumulative Update — except in out-of-band SSU cases.

Classification

The “Security Update” classification can have the following severity levels:

  • Critical: Remote Code Execution → patch immediately
  • Important: Compromise of Confidentiality, Integrity, or Availability (CIA) → patch as soon as possible
  • Moderate: Risk mitigated by configuration
  • Low: Minimal impact
  • None: No security risk (except .NET Framework)

Command line

Install CAB –> DISM /Online /Add-Package /PackagePath:"C:\Path\file.cab"

Install MSU –> wusa C:\Path\file.msu /quiet /norestart

Operating System Logs

C:\Windows\Logs\CBS\CBS.log

C:\Windows\WindowsUpdate.log (generate via PowerShell Get-WindowsUpdateLog)

C:\Windows\SoftwareDistribution\ReportingEvents.log

External link

https://www.rapidtables.com/convert/number/decimal-to-hex.html?x=-2145124329

https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference
