Using the Tanium Client Deployment Tool

The Tanium™ Client Deployment Tool (CDT) is a free and simple utility that enables you to deploy the Tanium Client. The endpoints must be reachable from the computer on which the tool is installed. As a best practice, target endpoints in batches. You can target 250-500 endpoints per batch.


You can use the following methods to discover endpoints on which to deploy the Tanium Client:

  • Active Directory (AD)

    Use in conjunction with domain-connected computers running a Microsoft Windows operating system (OS) only.

  • Computer List

    Discover assets based on a list of computer host names and IP addresses. This method does not depend on AD and you can use it for all supported OSs.

Before you begin

  • You can install and execute the Tanium CDT on any computer running a Microsoft Windows OS with Microsoft .NET Framework 3.5 and Microsoft .NET Framework 4.5 installed (you must have both).
  • Contact your Tanium Technical Account Manager (TAM) for the instructions to download the Tanium CDT.
  • Copy the Tanium Server public key file ( from the Tanium Server installation directory to the host computer from which you will run the tool. You select this file when you configure the installation package to deploy to clients.
  • Work with your network security administrator to ensure the ports used by the Tanium Client are not blocked. Tanium Clients send and receive data from the Tanium Server and other Tanium Clients over TCP port 17472.
  • When deploying to Linux, macOS, or UNIX endpoints:
    • You can configure password-based or SSH key-based authentication. You should configure whatever type of authentication is expected by the endpoint. Amazon Linux, for example, requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account that you use to make the connection from the CDT. This ensures that the key and not a password is used to elevate the admin privileges of the user so that the user can install the Tanium Client and start the service.
    • Allow traffic from the deployment tool to endpoints on TCP port 22 (SSH port; configurable).
    • Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH.

    • If you are using the root account to install, make sure the sshd_config allows root login.

    • Verify that you can log in to the remote system with SSH, using the same credentials you are planning to use for the Tanium Client deployment.

  • When deploying to Windows endpoints:
    • Enable Windows File and Print Sharing and RPC on the target endpoints. This is required only for installation and can be disabled after installation is complete.
    • Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation initiated through RPC.
    • Allow TCP traffic on ports 135 and 445 from the Tanium CDT host computer to the endpoints on which you want to deploy the Tanium Client.
    • Verify that you can log in to the remote system with PSEXEC or WMIC command line utilities with the same credentials that you will use for the Tanium Client deployment. For example:

      psexec \\ -u Administrator cmd /c dir C:\Users\Administrator\Documents

      wmic /node:"" /user:"Administrator" useraccount list brief

Windows credential handling during logon events might expose user name and password in command line arguments on the source system that is initiating the deployment, and in memory on the remotely accessed endpoints. To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Install the Client Deployment Tool

  1. Right-click the TaniumClientDeploymentToolSetup.exe file and select Run as administrator.

    The installation wizard prompts you for one value—the installation directory. The default is C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool.

  2. In Windows, select Start > Tanium Client Deployment Tool to open the tool.

    Upon initialization, the tool prompts you to download the latest endpoint software from secure Tanium download servers.

  3. Click OK to download the latest endpoint software.

    The software is downloaded to C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool\clients\.

  4. If you plan to use Microsoft PSExec to push Tanium Client to endpoints:
    1. When prompted, follow the link to download PSTools from the Microsoft download site.
    2. Unzip the package and copy the PsExec.exe file to the CDT installation directory.
    3. Restart the Tanium CDT.

Deploy the Tanium Client

  1. Start the Tanium CDT.
  2. In the Settings section, specify:
    Tanium pub fileType or browse to the Tanium Server public key file. The default installation location is C:\Program Files\Tanium\Tanium Server\ The Tanium Server public key you specify here is included in the client installation.
    Server Name

    The FQDN of the Tanium Server. For example, The Tanium Client registers with the Tanium Server you specify here.

    In HA deployments and deployments with Zone Servers, you can send a server list. Enter the FDQN for all servers, separated by a comma. For example:,,

    PortPort used by Tanium Clients to communicate with the Tanium Server and with their designated peers. The default is 17472.
    Log Verbosity Level

    Sets the Tanium Client log levels.

    The following decimal values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.
  3. (Windows endpoints) Click the Windows tab and specify:
    UsernameLocal or domain user with administrative privileges on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer.
    PasswordThe corresponding password.
    Target Folder Override Specify an installation folder if you do not want to use the default. On Windows, the default is C:\Program Files (x86)\Tanium\Tanium Client.
    Execution MethodFor Windows endpoints, specify which Windows operating system command line utility the tool uses to analyze target computers and perform the remote installation of the client:
    • PSEXEC: Recommended because it is faster.
    • WMIC: Recommended if analysis using PSEXEC returns endpoints with OS Unknown and status Processing.
    Impersonate UserSelect this option to use the PSEXEC user impersonation option. The credentials specified in the Settings section are used to connect to endpoint using a PSEXEC process that is run under those credentials on the Client Deployment tool host computer. Those credentials are also used to install the client.
  4. (Linux or macOS endpoints) Click the Linux/Mac tab. You can use password authentication or SSH key-based authentication.

    For password authentication, specify:

    Username Local or domain user with administrative privileges on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer.
    Password or Key-Based Authentication Select Password Authentication.
    Password The corresponding password.

    sudo or

    su -

    The deployment tool attempts to connect to the target endpoints using the values provided in the Username and Password fields and then elevates to root privileges by using the sudo or su - commands. Select Use sudo when preferred or root is not a valid user. Select Use su - when preferred and root is a valid user. If you use su -, you must specify the root password.
    SSH Port The default is the standard port number (22). If endpoints in your network listen for SSH on a different port, you can specify it here.

    For SSH key-based authentication, specify:


    Local or domain user with administrative privileges to log in and install software on targeted endpoints.

    For Amazon Linux, the user name is ec2-user. Specify the username in the form expected for an SSH connection to the Amazon hosted Linux instance: user_name@public_dns_name.

    For example: [email protected]

    Password or Key-Based Authentication Select Key Based Authentication.
    Key Type Browse and select the private key file that pairs with the public key file that has been added to the authorized_keys file on the endpoint:
    • OpenSSH

      The private key file is a .pem file.

    • PuTTy

      The private key file is a .ppk file.

    SSH Port The default is the standard port number (22). If endpoints in your network listen for SSH on a different port, you can specify it here.
  5. Click the Computer List tab (Linux or Windows) or the Active Directory tab (Windows only) to search for the target endpoints.

    For Computer List:

    1. Specify a list of computer names, IP addresses, IP address ranges, and subnet addresses in the text box. One item per line.
    2. Click Analyze to query the list and populate the results table.

    For Active Directory:

    1. Domain: Specify the Active Directory domain to which the targeted endpoints belong. For example,
    2. Connect using credentials: Select this option to use the administrator credentials specified in Settings instead of the logged in user credentials.
    3. Include computers in child containers: When this option is unchecked, computer names from endpoints within only the first level are included in the target list, not computers contained in child containers. When checked, all computers within an Organizational Unit or container and all child Organization Units or containers are included in the list.
    4. Click Analyze to query the AD tree and populate the results table. Click Retry Bind if necessary in the event the AD query fails.
  6. Select one or more rows in the results table and click Install.

    The status table has information about the installation attempt. Review the information to confirm deployment. Click Clear Completed or Clear All to clear status table entries.

  7. Access the Tanium Console.
  8. Use the Interact Ask a Question field to verify that the endpoints respond to the following query:

    Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines

  9. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.
  10. (Optional) Go to the Administration > System Status page to review recent client registration details.

If you encounter issues when deploying the Tanium Client, examine the CDT debug logs (see Client Deployment Tool logs) and Tanium Client installation log (see Tanium Client installation log).

Check for Tanium Client updates

  1. Start the Tanium Client CDT.
  2. Select Clients > Check for Updates.

    The CDT reads available versions from and populates the Clients selection box. The most recent version for a platform is selected by default.

  3. Select the versions you want to download and click OK.

    Any new client software is downloaded to C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool\clients\. If no new client software exists, the CDT displays a message indicating this.

Generate package files

You can use the CDT to generate packages in the following formats:

  • Windows EXE or MSI: In the CDT, select Clients > Generate Windows MSI or EXE, select Create .EXE or Create .MSI, and click OK.
  • ISO, TAR.GZ, and ZIP: In the CDT, select Clients > Generate Archive, select the package format (Create .ISO, Create .TAR.GZ, or Create .MSI), select a Platform, optionally click Add to include other files (such as a TaniumClient.ini file), and click OK.

Packages include the installer package, file, and any files that you manually add, such as a TaniumClient.ini file. The non-Windows installers for Tanium Client 7.2 or later migrate settings found in a TaniumClient.ini file to the equivalent settings in the Tanium Client 7.2 or later database.

SSH timeout, proxy server, and other advanced settings

You must be able to connect to to download the client manifest JSON file and the client software files. If necessary, you can use the advanced settings file to change the SSH timeout and to configure proxy server settings.

Open a text editor as administrator and edit the TaniumClientDeploy.exe.config file in the \Program Files (x86)\Tanium\Tanium Client Deployment Tool\ directory.

Specify the IP address and port as the value for the proxyAddress key. Specify username and password with the proxyUsername and proxyPassword keys only if the proxy server requires authentication.

The following example TaniumClientDeploy.exe.config file highlights these settings:

<appSettings file="">
<add key="removeWinInstallDir" value="true"/>
<add key="removeWinInstallDirDelayInSeconds" value="20"/>
<add key="sshTimeoutSeconds" value="120"/>
<add key="agents value=""/>
<add key="currrentProcessLimit" value="100"/>
<add key="soapProxyUseDefault" value="false"/>
<add key="soapProxyAddress" value=""/>
<add key="soapProxyDomain" value=""/>
<add key="soapProxyUsername" value=""/>
<add key="soapProxyPassword" value=""/>
<add key="proxyAddress" value=""/>
<add key="proxyDomain" value=""/>
<add key="proxyUsername" value=""/>
<add key="proxyPassword" value=""/>
<add key="logReadTimeout" value="30"/>
<add key="psexecTimeout" value="30"/>
<add key="bypassPsExecWarning" value="false"/>
<add key="sudoCommand" value="sudo"/>

Consult with your TAM before changing values other than sshTimeoutSeconds and proxy server settings.

Last updated: 6/4/2019 4:22 PM | Feedback