General Configuration

Maintenance Windows

Verify the maintenance window is set correctly.

Action Lock Status: ON

If Action Lock is ON, patches do not apply. Check Patch module config.

Get Action Lock Status from all machines

Deployment

Patch List

Build the patch list (severity, products, OS). Validate exclusions. Pilot first.

Deployment

Create the deployment. Set window and reboot behavior. Monitor rollout.

Deployment Status

Installed Status

Get Patch - Installation State[KB Articles contains KB] from all machines

Get Patch - Installation State[Installed Only] from all machines

Deployment Results

Get Patch - Deployment Results from all machines

Installation Source (Tanium / Windows Update)

Get Patch Installation History[30,0,1,1,1,1,0] from all machines

Patch Installation History

Get Patch Installation History[30,0,1,1,1,1,0] from all machines

Deployment Status

Get Computer Name and Operating System and Patch - Deployment Statuses from all machines

Troubleshooting

Needs Attention – Where to Check

In each deployment you will see Needs Attention and Errors. Needs Attention is a status – you must find the root cause.

• Scan Age: use Interact – Patch Scan Age to find endpoints with old scans.
• Scan Error: check Patch UI – Scan Management – Scan Errors.
• Deployment Error: open the deployment and review Needs Attention and Errors buckets.

Interact -> Get Patch – Supported Scan Types -> no results

• Check the Log File

Check local logs on the endpoint. Review sensor-history0.txt for this sensor.

Reviewing sensor-history0.txt isolates the crash.

Root cause: locale mismatch. System is en-US but decimal separator is forced to ,. CDBL expects . in en-US, so the script crashes.

Interact -> Patch – Deployment Statuses -> no results

• Check the Log File

Check local logs on the endpoint. Review sensor-history0.txt.

Search for “Patch – Deployment Statuses”. Look for an XmlReader parse error like this:

{"name":"Patch - Deployment Statuses","time_ms":584,"what_hash":145487854561,"definition_id":8754,"error":"Error: XmlReader: Failed to parse XML from C:\\xxxxxxxxxxxxxxx\\deployments\\configurations\\deployment-7.xml.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.

• Apply the Fix

Run a package with this PowerShell cleanup. It deletes .tmp and .invalid under Patch.

Package option: Manny – Patch cleanup invalid files (deploy action).

# -----------------------------------------------------------
# Tanium Package Script - Patch Cleanup
# -----------------------------------------------------------

$TargetPaths = @(
    "C:\Systools\tanium\Patch",
    "C:\Program Files (x86)\Tanium\Tanium Client\Patch",
    "C:\Program Files\Tanium\Tanium Client\Patch"
)

# Extensions (include .invalid and .invalide)
$Extensions = @("*.tmp", "*.temp", "*.invalid", "*.invalide")

foreach ($Path in $TargetPaths) {
    # 1. Check folder exists (avoid errors if path is missing)
    if (Test-Path -LiteralPath $Path) {
        
        # 2. Recursive delete
        # -Recurse: search subfolders
        # -Force: include hidden and remove read-only
        # -ErrorAction SilentlyContinue: ignore locked files
        
        Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue | 
        Remove-Item -Force -ErrorAction SilentlyContinue
    }
}

# 3. Explicit exit code for Tanium (0 = success)
exit 0

Reports -> Patch – Coverage Status Details

Interact -> Patch Scan Age -> > 1 day

Get Patch - Scan Age from all machines

Identify computers with a patch scan older than 1 day.

Interact -> Get Patch – Is Process Running

Get Patch - Is Process Running from all machines

Interact -> Get Endpoint Configuration – Tools Status

Get Endpoint Configuration - Tools Status from all machines

Scan Error – Scan Management

Patch UI -> Modules -> Patch -> Scan Management -> Scan Errors

Link : Troubleshooting Patch

Tanium Server Checks

Sync Tanium Scan for Windows database

• Patch UI: Modules -> Patch -> Overview -> Help -> Support -> Initialize Endpoints

• Click Initialize Endpoints.

• Patch UI: Modules -> Patch -> Scan Management -> Tanium Scan for Windows

Solutions

Agent-Level Repair Options

Tip: Before repair, capture an EMG in case you need a support case.

1. Remove Patch Tools manually. Deploy action Endpoint Configuration – Uninstall Tool [Windows]. In the tool, clear all checks except Remove unreferenced dependencies.
2. Reset CX-Core (destructive, similar to reinstall TC). Deploy action Endpoint Configuration – Reset Components [Windows] with operation Remove All CX. Then push bootstrap package Client Configuration and Support [Windows]. Then push manifest package Endpoint Configuration – Manifest [Windows] (v. XXXX).
3. Reinstall the Tanium Client. Uninstall from Add/Remove Programs. Delete leftover folders and files. Reinstall TC.
4. Open a case with Tanium Global Support Center and upload the EMG.

Reinstall Patch tools

Use package Endpoint Configuration – Reinstall Tools.

Reset Windows update agent

-2145124323 WU_E_INVALID_UPDATE
-2145124321 WU_E_NO_CONNECTION
-2147023293 ERROR_INSTALL_FAILED
-2145124338 WU_E_XML_INVALID
-2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD

Use package Patch – Reset Windows Update Client.

Windows Update Agent Fixes

Apply in order. Stop if the issue is fixed.

1. Fix 1 – Light reset: Deploy action Patch – Reset Windows Update Client. This stops WU service and clears WUA cache and DB.
2. Fix 2 – Clear SoftwareDistribution: Stop WU services, rename SoftwareDistribution and catroot2, then start services.

net stop wuauserv
net stop cryptsvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptsvc
net start bits
net start msiserver

3. Fix 3 – Full reset/rebuild: Follow the Microsoft reset/rebuild steps for the Windows Update Agent. Skip the netsh winsock reset step.
4. Fix 4 – Reinstall latest SSU/CU: Install latest SSU/CU, reboot, then run Fix 1 again.

Force Scan

Packages you can use (may already exist in your catalog):

• Manny – Patch Force new Scan (preferred): Triggers a new scan, respects RSD, clears latest-errors.
• Manny – Patch Force new Scan (no RSD): Triggers a new scan and ignores RSD (use with care).

Option 1 (preferred)

• Create a package with command Patch – Delete patch-scan-results.

cmd.exe /d /c del /f /q ..\..\Patch\scans\patch-scan-results.txt

Option 2

• Create a package with command Patch – Create Scan-Now.

cmd.exe /d /c echo Scan invoked on %DATE% %TIME% from package >> ..\..\Patch\scans\scan-now.txt

General Information

SSU

Since Feb 2021, SSU is in the CU, except out-of-band SSU.

Classification

Security Update severity levels:

• Critical: RCE -> patch now
• Important: CIA impact -> patch ASAP
• Moderate: Risk mitigated by config
• Low: Minimal impact
• None: No security risk (except .NET Framework)

Command line

Install CAB -> DISM /Online /Add-Package /PackagePath:"C:\Path\file.cab"

Install MSU -> wusa C:\Path\file.msu /quiet /norestart

Operating System Logs

C:\Windows\Logs\CBS\CBS.log

C:\Windows\WindowsUpdate.log (generate via PowerShell Get-WindowsUpdateLog)

C:\Windows\SoftwareDistribution\ReportingEvents.log

External Links

Reference pages and tools:

• Tanium Patch error reference
• Decimal to hex converter (for error codes)
• Windows Update error reference