General Configuration

Maintenance Windows

Verify the maintenance window is set correctly.

Maintenance Window configuration in Tanium Patch

Action Lock Status

If Action Lock is ON, patch deployments do not run on that endpoint, so patches are not applied. Check the Patch module configuration and clear the lock before deploying.

Get Action Lock Status from all machines
Interact results showing Action Lock status for patching

Deployment

Patch List

Build the patch list (severity, products, OS). Validate exclusions. Pilot first.

Deployment

Create the deployment. Set window and reboot behavior. Monitor rollout.

Deployment Status

Installed Status

Get Patch - Installation State[KB Articles contains KB] from all machines
Patch installation state query filtered by KB article
Get Patch - Installation State[Installed Only] from all machines
Patch installation state query showing installed updates

Deployment Results

Get Patch - Deployment Results from all machines
Patch deployment results in Interact

Installation Source (Tanium / Windows Update)

Get Patch Installation History[30,0,1,1,1,1,0] from all machines
Patch installation history showing the installation source

Patch Installation History

Get Patch Installation History[30,0,1,1,1,1,0] from all machines
Patch installation history results in Tanium

Deployment Status

Get Computer Name and Operating System and Patch - Deployment Statuses from all machines
Patch deployment status by computer and operating system

Troubleshooting

Needs Attention – Where to Check

Every deployment shows a Needs Attention bucket and an Errors bucket. Needs Attention is a status, not a diagnosis: you still have to find the root cause.

Patch deployment view showing endpoints in Needs Attention
  • Scan Age: use Interact – Patch Scan Age to find endpoints with old scans.
  • Scan Error: check Patch UI – Scan Management – Scan Errors.
  • Deployment Error: open the deployment and review Needs Attention and Errors buckets.
Patch deployment buckets showing Needs Attention and Errors

Interact -> Get Patch – Supported Scan Types -> no results

  • Check the Log File

Check local logs on the endpoint. Review sensor-history0.txt for this sensor.

Reviewing sensor-history0.txt isolates the crash.

Root cause: locale mismatch. The OS locale is en-US, but the endpoint's regional number format uses , as the decimal separator. The sensor script assumes an en-US decimal point (.), and CDbl parses with the current locale's separator, so the conversion fails and the script aborts.
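To reproduce the mismatch on an endpoint before pushing a fix, the following PowerShell is an added example (not code from the original page or from Tanium). It reports the culture and decimal separator the endpoint actually uses and compares a locale-dependent parse of an en-US value, which is what CDbl does, against a culture-invariant parse. The assumption that the sensor script expects . is taken from the case above; the de-DE culture is used only to simulate an endpoint whose separator is ,.

```powershell
# Added example, not from the original page: report the endpoint's regional
# number format and contrast a locale-dependent parse (CDbl behaviour) with a
# culture-invariant one. Run on the endpoint in the same context as the sensor.
function Get-DecimalSeparatorInfo {
    # Assumption: the sensor script was written for an en-US decimal point.
    $expected = '.'
    $culture  = [System.Globalization.CultureInfo]::CurrentCulture
    $actual   = $culture.NumberFormat.NumberDecimalSeparator
    [pscustomobject]@{
        Culture          = $culture.Name
        DecimalSeparator = $actual
        Mismatch         = ($actual -ne $expected)
    }
}

function Test-ParseUnderCulture {
    param(
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][string]$CultureName
    )
    $thread = [System.Threading.Thread]::CurrentThread
    $saved  = $thread.CurrentCulture
    try {
        $thread.CurrentCulture = [System.Globalization.CultureInfo]::GetCultureInfo($CultureName)
        # Locale-dependent parse: honours the thread culture, like CDbl on the endpoint.
        # Depending on the culture this either throws or silently yields a different number.
        $localeDependent = 'parse error'
        try { $localeDependent = [double]::Parse($Value) } catch { }
        # Culture-invariant parse: the safe way to read a value that was written with '.'.
        $invariant = [double]::Parse($Value, [System.Globalization.CultureInfo]::InvariantCulture)
        [pscustomobject]@{
            Culture         = $CultureName
            Input           = $Value
            LocaleDependent = $localeDependent
            Invariant       = $invariant
            ResultDiffers   = ("$localeDependent" -ne "$invariant")
        }
    } finally {
        $thread.CurrentCulture = $saved
    }
}

Get-DecimalSeparatorInfo
# '1.5' read under en-US and under a culture whose decimal separator is ','
'en-US', 'de-DE' | ForEach-Object { Test-ParseUnderCulture -Value '1.5' -CultureName $_ } | Format-Table -AutoSize
```

If Mismatch is True on an endpoint that fails the sensor, the regional format (not the OS language) is the setting to correct; the ResultDiffers column shows why the script cannot be trusted on that machine until it is.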

Interact -> Patch – Deployment Statuses -> no results

  • Check the Log File

Check local logs on the endpoint. Review sensor-history0.txt.

Search for “Patch – Deployment Statuses”. Look for an XmlReader parse error like this:

{"name":"Patch - Deployment Statuses","time_ms":584,"what_hash":145487854561,"definition_id":8754,"error":"Error: XmlReader: Failed to parse XML from C:\\xxxxxxxxxxxxxxx\\deployments\\configurations\\deployment-7.xml.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.invalid.
  • Apply the Fix

Run a package with this PowerShell cleanup. It deletes leftover .tmp, .temp, .invalid and .invalide files under the Tanium Client's Patch folder.

Package option: Manny – Patch cleanup invalid files (deploy action).

# -----------------------------------------------------------
# Tanium Package Script - Patch Cleanup
# -----------------------------------------------------------

# Patch folders to clean. The first entry is a site-specific install location;
# adjust the list to the Tanium Client paths used in your environment.
$TargetPaths = @(
    "C:\Systools\tanium\Patch",
    "C:\Program Files (x86)\Tanium\Tanium Client\Patch",
    "C:\Program Files\Tanium\Tanium Client\Patch"
)

# Extensions (include .invalid and .invalide)
$Extensions = @("*.tmp", "*.temp", "*.invalid", "*.invalide")

foreach ($Path in $TargetPaths) {
    # 1. Check folder exists (avoid errors if path is missing)
    if (Test-Path -LiteralPath $Path) {
        
        # 2. Recursive delete
        # -Recurse: search subfolders
        # -Force: include hidden and remove read-only
        # -ErrorAction SilentlyContinue: ignore locked files
        
        Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue | 
        Remove-Item -Force -ErrorAction SilentlyContinue
    }
}

# 3. Explicit exit code for Tanium (0 = success)
exit 0

Reports -> Patch – Coverage Status Details

Coverage Status Details report for Patch

Interact -> Patch Scan Age -> > 1 day

Get Patch - Scan Age from all machines
Patch Scan Age results in Interact

Identify computers with a patch scan older than 1 day.

Interact -> Get Patch – Is Process Running

Get Patch - Is Process Running from all machines
Patch Is Process Running sensor results

Interact -> Get Endpoint Configuration – Tools Status

Get Endpoint Configuration - Tools Status from all machines
Endpoint Configuration Tools Status results for Patch troubleshooting

Scan Error – Scan Management

Patch UI -> Modules -> Patch -> Scan Management -> Scan Errors

Patch Scan Management page showing scan errors
Scan error returned by Tanium Patch -> suggested first remediation (comment):

  • Unable to load PatchLib -> Uninstall the TPT (the Patch Tools engine library is corrupted).
  • Failed to start the Tanium Scan update service -> Uninstall the TPT (the PatchScanUpdate service no longer starts).
  • Windows Update Error Code 7 – “Out of memory” -> Check the page file, minimum 16 GB, or open a ticket to adjust the batch size (common on low-RAM VMs).
  • -2147023293 ERROR_INSTALL_FAILED -> Reset the WUA client (generic install failure from the Windows Update Agent).
  • -2145124338 WU_E_XML_INVALID -> Reset the WUA client (corrupted catalog XML).
  • -2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD -> Reset the WUA client (WUA requests a new download).
  • Failed to Parse XML -> Delete the listed XML file; this is harmless (usually a partial or temp file).
  • WU_E_NO_INTERACTIVE_USER -> Block Patch distribution, manual installation only (device without an interactive session).
  • PatchManager – error changing WUA service state (timeout) -> Fully rebuild the WUA service or run SFC/DISM scans (WUA service stuck or system files corrupted).


Link : Troubleshooting Patch

Tanium Server Checks

Sync Tanium Scan for Windows database

Patch support page used to initialize endpoints
  • Patch UI: Modules -> Patch -> Overview -> Help -> Support -> Initialize Endpoints
Initialize Endpoints action in Tanium Patch
  • Click Initialize Endpoints.
Patch overview after initializing endpoints
  • Patch UI: Modules -> Patch -> Scan Management -> Tanium Scan for Windows
Tanium Scan for Windows page in Patch Scan Management

Solutions

Agent-Level Repair Options

Tip: Before repair, capture an EMG in case you need a support case.

  1. Remove Patch Tools manually. Deploy action Endpoint Configuration – Uninstall Tool [Windows]. In the tool, clear all checks except Remove unreferenced dependencies.
  2. Reset CX-Core (destructive, similar to reinstall TC). Deploy action Endpoint Configuration – Reset Components [Windows] with operation Remove All CX. Then push bootstrap package Client Configuration and Support [Windows]. Then push manifest package Endpoint Configuration – Manifest [Windows] (v. XXXX).
  3. Reinstall the Tanium Client. Uninstall from Add/Remove Programs. Delete leftover folders and files. Reinstall TC.
  4. Open a case with Tanium Global Support Center and upload the EMG.
Endpoint Configuration reset or repair options for Patch troubleshooting

Reinstall Patch tools

Use package Endpoint Configuration – Reinstall Tools.

Endpoint Configuration Reinstall Tools package for Patch

Reset Windows update agent

-2145124323 WU_E_INVALID_UPDATE
-2145124321 WU_E_NO_CONNECTION
-2147023293 ERROR_INSTALL_FAILED
-2145124338 WU_E_XML_INVALID
-2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD

Patch package used to reset the Windows Update client

Use package Patch – Reset Windows Update Client.

Reset Windows Update Client package in Tanium Patch
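Tanium reports Windows Update errors as signed decimal integers, while Microsoft's error reference lists them in hex. The following PowerShell is an added example (not code from the page or from Tanium) that does the conversion, reads the HRESULT facility bits to tell Windows Update codes from plain Win32 codes, and maps the codes listed in the scan-error table and in the Reset Windows update agent list above to the first remediation the page suggests. The code-to-name map is limited to the codes on this page; anything else is reported as unknown.

```powershell
# Added example, not from the original page: convert the signed decimal codes
# Tanium reports into the hex HRESULT form that Microsoft documents, flag the
# Windows Update facility, and map the codes listed on this page to their
# first remediation. Codes not in the map need the Windows Update error reference.
$KnownCodes = @{
    '0x80070643' = @{ Name = 'ERROR_INSTALL_FAILED';        Fix = 'Reset the WUA client' }
    '0x8024000E' = @{ Name = 'WU_E_XML_INVALID';            Fix = 'Reset the WUA client' }
    '0x8024200D' = @{ Name = 'WU_E_UH_NEEDANOTHERDOWNLOAD'; Fix = 'Reset the WUA client' }
    '0x8024001D' = @{ Name = 'WU_E_INVALID_UPDATE';         Fix = 'Reset the WUA client' }
    '0x8024001F' = @{ Name = 'WU_E_NO_CONNECTION';          Fix = 'Reset the WUA client' }
}

function ConvertTo-Hresult {
    param([Parameter(Mandatory)][long]$Decimal)
    # Tanium shows the 32-bit HRESULT as a signed int; a negative value is the
    # two's-complement view of a code with the failure bit (bit 31) set.
    # Keeping only the low 32 bits recovers the unsigned form used in hex.
    [uint32]($Decimal -band 0xFFFFFFFF)
}

function Resolve-PatchErrorCode {
    param([Parameter(Mandatory)][long]$Decimal)
    $u   = ConvertTo-Hresult -Decimal $Decimal
    $hex = '0x{0:X8}' -f $u
    # HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
    # Facility 0x024 is FACILITY_WINDOWSUPDATE; 0x007 is FACILITY_WIN32.
    $facility = ([long]$u -shr 16) -band 0x7FF
    $known = $KnownCodes[$hex]
    $name = if ($known) { $known.Name } else { 'unknown' }
    $fix  = if ($known) { $known.Fix }  else { 'look up in the Windows Update error reference' }
    [pscustomobject]@{
        Decimal           = $Decimal
        Hex               = $hex
        Failed            = (([long]$u -band 0x80000000) -ne 0)
        Facility          = '0x{0:X3}' -f $facility
        FromWindowsUpdate = ($facility -eq 0x024)
        Name              = $name
        FirstFix          = $fix
    }
}

# Codes from the scan-error table and the Reset Windows update agent list on this page
-2147023293, -2145124338, -2145116147, -2145124323, -2145124321 |
    ForEach-Object { Resolve-PatchErrorCode -Decimal $_ } | Format-Table -AutoSize
```

ERROR_INSTALL_FAILED comes back with facility 0x007 (Win32), which is why it is a generic installer failure rather than a Windows Update Agent fault; the four 0x8024xxxx codes are the agent's own and are the ones the Reset Windows Update Client package targets.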

Windows Update Agent Fixes

Apply in order. Stop if the issue is fixed.

  1. Fix 1 – Light reset: Deploy action Patch – Reset Windows Update Client. This stops the Windows Update service and clears the WUA cache and database.
  2. Fix 2 – Clear SoftwareDistribution: From an elevated command prompt, stop the Windows Update services, rename SoftwareDistribution and catroot2, then start the services again.
net stop wuauserv
net stop cryptsvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptsvc
net start bits
net start msiserver
  3. Fix 3 – Full reset/rebuild: Follow the Microsoft reset/rebuild steps for the Windows Update Agent. Skip the netsh winsock reset step.
  4. Fix 4 – Reinstall the latest SSU/CU: Install the latest SSU/CU, reboot, then run Fix 1 again.
Windows Update Agent remediation workflow for Patch

Force Scan

Packages you can use (may already exist in your catalog):

  • Manny – Patch Force new Scan (preferred): Triggers a new scan, respects RSD, clears latest-errors.
  • Manny – Patch Force new Scan (no RSD): Triggers a new scan and ignores RSD (use with care).
Packages used to force a new patch scan

Option 1 (preferred)

  • Create a package with command Patch – Delete patch-scan-results. The relative path is resolved from the package's working directory under the Tanium Client's Downloads folder, so ..\..\Patch is the Patch folder in the client install directory.
cmd.exe /d /c del /f /q ..\..\Patch\scans\patch-scan-results.txt
Package that deletes patch-scan-results.txt to trigger a new scan

Option 2

  • Create a package with command Patch – Create Scan-Now.
cmd.exe /d /c echo Scan invoked on %DATE% %TIME% from package >> ..\..\Patch\scans\scan-now.txt

General Information

SSU

Since February 2021 the servicing stack update (SSU) has shipped inside the cumulative update (CU) for supported Windows builds; only out-of-band SSUs are still released as separate packages.

Classification

Security Update severity levels:

  • Critical: exploitation can give remote code execution without user interaction -> patch now
  • Important: exploitation can compromise confidentiality, integrity or availability -> patch ASAP
  • Moderate: risk is largely mitigated by default configuration, auditing or difficulty of exploitation
  • Low: minimal impact
  • None: no security risk (except .NET Framework)
Patch classifications and severity levels in Tanium

Command line

Install CAB -> DISM /Online /Add-Package /PackagePath:"C:\Path\file.cab"

Install MSU -> wusa C:\Path\file.msu /quiet /norestart

Operating System Logs

C:\Windows\Logs\CBS\CBS.log

C:\Windows\WindowsUpdate.log (on Windows 10 and later this file is only a stub; generate the readable log from the ETW traces with the PowerShell cmdlet Get-WindowsUpdateLog, which writes WindowsUpdate.log to the desktop by default)

C:\Windows\SoftwareDistribution\ReportingEvents.log
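When a deployment sits in Needs Attention, the fastest way to a concrete error code is to pull the failure lines out of these two logs. The following PowerShell is an added example (not code from the page or from Tanium): it filters CBS.log to Error-level lines and extracts the HRESULT, and scans the tab-separated ReportingEvents.log for messages carrying a hex code. The sample lines are constructed and only approximate the real log layout; on an endpoint, feed the functions the output of Get-Content on the real files.

```powershell
# Added example, not from the original page: pull failure lines out of CBS.log
# and ReportingEvents.log so a "Needs Attention" endpoint can be tied to a
# concrete HRESULT. Sample lines below are constructed and approximate the
# real layout; use Get-Content on the real files in production.
function Get-PatchLogFailures {
    param(
        [string[]]$CbsLines = @(),
        [string[]]$ReportingLines = @()
    )
    $out = New-Object System.Collections.Generic.List[object]

    foreach ($line in $CbsLines) {
        # CBS.log columns: "<date time>, <Level> <Component> <message>"; only Error-level lines matter here.
        if ($line -match '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Error\s+(?<comp>\S+)\s+(?<msg>.*)$') {
            $ts = $matches.ts; $comp = $matches.comp; $msg = $matches.msg
            $code = $null
            # CBS writes the failing HRESULT as "[HRESULT = 0x........ - NAME]"
            if ($msg -match 'HRESULT = 0x([0-9A-Fa-f]{8})') { $code = '0x' + $matches[1].ToUpper() }
            $out.Add([pscustomobject]@{ Source = 'CBS.log'; Time = $ts; Component = $comp; Code = $code; Message = $msg })
        }
    }

    foreach ($line in $ReportingLines) {
        # ReportingEvents.log is tab-separated; the timestamp is field 2 and the message is the last field.
        $fields = $line -split "`t"
        if ($fields.Count -lt 3) { continue }
        $msg = $fields[-1]
        if ($msg -match '\b0x([0-9A-Fa-f]{8})\b') {
            $out.Add([pscustomobject]@{ Source = 'ReportingEvents.log'; Time = $fields[1]; Component = 'WUA'; Code = '0x' + $matches[1].ToUpper(); Message = $msg })
        }
    }
    $out
}

# Constructed sample input (shape approximates the real logs)
$cbsSample = @(
    '2024-05-02 10:15:30, Info                  CBS    Starting TrustedInstaller initialization.',
    '2024-05-02 10:15:32, Error                 CBS    Failed to resolve package [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]',
    '2024-05-02 10:15:33, Error                 CSI    00000001 (F) Failed execution of queue item Installer [HRESULT = 0x800f0831]'
)
$wuSample = @(
    "{00000000-0000-0000-0000-000000000001}`t2024-05-02 10:20:01:123+0100`t1`t162`t101`t{00000000-0000-0000-0000-000000000002}.200`t0`t0`tTanium`tSuccess`tContent Install`tInstallation Successful: Windows successfully installed the following update: 2024-05 Cumulative Update",
    "{00000000-0000-0000-0000-000000000003}`t2024-05-02 10:25:44:456+0100`t1`t162`t101`t{00000000-0000-0000-0000-000000000004}.201`t0`t80072ee2`tTanium`tFailure`tContent Download`tError: Windows failed to download the following update with error 0x80072ee2: 2024-05 Cumulative Update"
)

Get-PatchLogFailures -CbsLines $cbsSample -ReportingLines $wuSample |
    Sort-Object Time | Format-Table Time, Source, Code, Message -AutoSize
```

Grouping the output by Code (Group-Object Code) across a batch of endpoints quickly shows whether a deployment is failing on one HRESULT fleet-wide or on a mix, which decides between a single remediation package and per-endpoint triage.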

External Links

Reference pages and tools:

Tanium Patch external reference page example
Windows Update error reference example
Decimal to hex converter example for Patch error codes
