Windows links

Deploying the Tanium Client to Windows endpoints

You can use the installation package files to distribute the Tanium Client to endpoints using standard package distribution software and manual tools and methods. During execution, the Tanium Client installer makes the following changes to the target computer:

  • Creates the Tanium Client folders for the client application files and related content files.
  • Creates the Tanium Client registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

In addition to Tanium Discover and the Tanium Client Deployment Tool (CDT), Tanium supports many common installation practices on Windows.

If you encounter issues when deploying the Tanium Client, examine the CDT debug logs (see Client Deployment Tool logs) and Tanium Client installation log (see Tanium Client installation log).

Create the Tanium Client installer

The Tanium CDT can generate an EXE or MSI file containing the Tanium public key file and client configuration settings to support manual installation or installation through other software distribution tools such as an AD Group Policy Objects (GPO) or System Center Configuration Manager (SCCM).

To create the installer:

  1. Launch the CDT and set values for the following fields:
    • (file location)
    • Server Name (comma-separated list of one or more Tanium Servers and/or Zone Servers)
    • Port
    • Log Verbosity Level
    • Target Folder (optional)
  2. From the menu bar, select Clients > Generate Windows MSI or EXE, select Create .EXE or Create .MSI, and click OK.

After the process completes, a message box appears to confirm that the installer file has been created. The file path is \\CDTinstall\Clients\InstallTanium.msi or InstallTanium.exe.

Execute the Tanium Client installer

You can use software distribution tools like GPO or SCCM to distribute the packages to endpoints.


The InstallTanium.exe installer must be executed from an account with Administrator permissions. For manual installations, launch the installer using Run As Admin.


The msiexec.exe command must also be run from an account with Administrator permissions when using the InstallTanium.msi installer.

The following example uses the client configuration settings defined when the .msi file was generated:

msiexec.exe /i InstallTanium.msi /qn

You can change the default client configuration settings defined within the .msi file using any combination of the following command-line arguments:

  • SERVERADDRESS="<FQDN or IP address>"
  • SERVERPORT="<Server port>"
  • INSTALLDIR="<optional custom install path>"

The following example overrides the settings in the .msi file:

msiexec.exe /i InstallTanium.msi /qn SERVERADDRESS="" SERVERPORT="28583" LOGVERBOSITYLEVEL="41" INSTALLDIR="c:\Tanium Client\"

The command-line arguments must be entered in uppercase exactly as shown, with the argument value enclosed in quotes.

Install wizard

The \\CDTinstall\Clients\InstallTanium.msi folder also includes a simple Windows installer named SetupClient.exe. You might find this program useful when installing only a few Tanium Clients—typically at the beginning of a pilot or later for one-off deployments. When launched in the Windows UI environment, the wizard prompts you for the Tanium Server name, port, and public key file.

  1. Copy the key file to a location you can browse to from the target host computer.
  2. Copy SetupClient.exe to the target host computer.
  3. Log into the target host computer with a local user or domain account with administrative permissions.
  4. Right-click SetupClient.exe and select Run as administrator to start the wizard.
  5. Complete the settings.

Command line

The CLI command for installing the Tanium Client uses the following syntax.

SetupClient.exe /ServerAddress={FQDN|IPaddress}[,{FQDN|IPaddress},...] [/ServerPort=PortNumber] [/LogVerbosityLevel=LogLevel] [/KeyPath=Path\] [/ReportingTLSMode=Value] [/S] [/D=FolderPath]

Table 1:   Tanium Client installation command syntax
Argument Guidance
/ServerAddress FQDN or IP address of the Tanium Servers. Using an internally defined, fully qualified domain name (FQDN) or alias is strongly recommended.

If you specify one value for this option, the command populates the ServerName registry entry. If you specify multiple values, it populates the ServerNameList registry entry.

You must include this parameter when first installing the Tanium Client. You can omit this parameter when reinstalling or upgrading the client.

In Tanium Core Platform 7.2.314.3263 and later, you can optionally set the port that the Tanium Client uses to communicate with the Tanium Server by appending :<port_number> to the /ServerAddress (for example, The /ServerAddress port overrides the /ServerPort value (default is 17472).

/ServerPort Port for client communication with the Tanium Server and with peers.

If you omit this option, port 17472 is configured.

/S Execute the command silently. A silent installation suppresses the display of the client installer UI.

If you include this option without specifying the /KeyPath option, then you must copy the public key file to the same directory as SetupClient.exe.

If you omit this option, the installer UI prompts for the installation parameters.


The following decimal values are best practices for specific use cases:

  • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1: This is the best practice value during normal operation.
  • 41: This is the best practice value during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
/KeyPath Identifies the full path and file name for the client installer program to locate the Tanium Server public key and copy it to the Tanium Client installation folder.

No quotation marks are necessary to enclose path or file names with spaces. The KeyPath argument expects a fully qualified path name when the installer runs directly from a command prompt. In a batch file, however, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value-key pair to SetupClient.exe For example:


If you omit this option, you must copy the public key file to the same directory as SetupClient.exe for silent installations.

/D Sets the destination path for the Tanium Client installation directory. No quotation marks are necessary to enclose path names with spaces. Environment variables are expanded, so the parameter value may include variables in the form: %programfiles%.

If you use this parameter, it must be the last argument value-pair listed on the command line. If you omit this parameter, the installer uses one of the following folders:

  • \Program Files\Tanium\Tanium Client\ (32-bit OS )
  • \Program Files (x86)\Tanium\Tanium Client\ (64-bit OS)
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, the best practice is to initially set this option to 2 (optional). When TLS is optional, the Tanium Client tries to connect over TLS. If the TLS connection fails, it tries a non-TLS connection.

The following are examples of using the CLI command to install the Tanium Client.

Table 2:   Tanium Client installation command examples
Example Description
Silent express installation In an express installation, SetupClient.exe installs and configures the Tanium Client using the specified server address and default values. Before starting, copy the Tanium public key file to the same folder as SetupClient.exe.

SetupClient.exe / /S

SetupClient.exe /ServerAddress= /S

Specifying multiple Tanium Servers In a high availability (HA) deployment or other environments where you might need to register with multiple Tanium Servers, specify multiple values for ServerAddress to populate the ServerNameList registry entry:

SetupClient.exe /, /S

Silent custom installation The following example of a silent installation specifies non-default values:

SetupClient.exe / /ServerPort=63422 /LogVerbosityLevel=1 /S

Silent installation TLS option The following example of a silent installation specifies non-default values:

SetupClient.exe / /ServerPort=63422 /LogVerbosityLevel=1 /ReportingTLS=1 /S

Batch file format When you execute a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path name of the batch file working directory. The following is an example of a batch file instruction that performs a silent installation:

"%~dp0SetupClient.exe" / /ServerPort=28583 /S

Manage the Tanium Client service on Windows

On Windows endpoints, you can stop, start, or restart the Tanium Client service through the Windows Services program. Select the service and then select an action in the Action > All Tasks menu.

Figure  1:  Tanium Client service

Example: Use advanced CDT options

The CDT has advanced options for generating a Tanium Client installer that creates a subregistry in the Windows registry and populates it with name-value pairs. The following example procedure creates registry entries that are compatible with Custom Tagging content. It creates the subregistry Sensor Data\Tags and the registry key Lab. You can then use the Tags registry entries in Tanium workflows. In this example, you create a computer group based on results from the Custom Tags sensor.

The CDT advanced options tags shown in this example create the same Windows registry entries that the Custom Tagging - Add Tags package can create. You can use the CDT advanced options tags to create other subregistries and keys and use the registry content. However, in most cases, using Custom Tagging content is the best practice. For more information on Custom Tagging content, see the Tanium Support Knowledge Base article on Custom Tags (login required).

Step 1: Create a special installer

  1. Launch the CDT and specify values for the following fields:
    • (file location)
    • Server Name (comma-separated list of one or more Tanium Servers and Zone Servers)
    • Port
    • Log Verbosity Level
    • Target Folder (optional)
  2. From the menu bar, select Clients > Generate Windows MSI or EXE and then select Create .EXE or Create .MSI.
  3. Select Create with custom tags, populate the Registry Key Name with the subregistry Sensor Data\Tags, and specify one or more tag name-value pairs (such as Lab/True). The Custom Tags sensor does not use the values, so they can be anything except null.
  4. Click OK.

After the process completes, a message box confirms that the installer file was created. The file path is similar to the following:

Step 2: Use the special installer to install the Tanium Client on host computers

  1. Copy the installer (such as ts1,ts2.17472.7.2.314.3518.exe) and the Tanium public key file ( to a temporary location on the target host computer.
  2. Right-click the installer and select Run as administrator.

    The installer completes without further interaction.

  3. Go to the Tanium Client Windows Registry and verify that the tags are present.
  4. In the Tanium Console, ask a question that uses the Custom Tags sensor to verify that the tag is present on the target computer. For example: Get Computer Name and Custom Tags from all machines.
  5. Create a computer group based on the tag: go to Administration > Computer Groups, click New Group, and configure the settings. In this example, you populate the Filter Bar with the tag-based filter Custom Tags contains Lab.

Uninstall the Tanium Client on Windows

You can use various tools to uninstall the Tanium Client.

Use a Tanium package

You can use the Tanium Core Platform to remove the Tanium Client from targeted computers. The uninst.exe program is in the Tanium Client installation directory.

  1. Access the Tanium Console and go to Administration > Global Settings.
  2. Select allow_process_group_flag_edit, click Edit, set the value to 1, and save the change.
  3. Go to Content > Packages and add a New Package that issues the uninstall command. The following is an example of the command to perform a silent uninstallation:

    cmd.exe /C ..\..\uninst.exe /S

    You must disable the option to Launch this package command in a process group.

  4. Create a scheduled action to distribute the package to targeted computers (see Tanium Core Platform User Guide: Deploying actions).

Because the uninstall program stops the Tanium Client service and removes the application files, the Tanium Client will no longer be present to write Completed to the respective action log. Consequently, do not rely on the final action status reported in the Tanium Console to determine success or failure of the uninstallation action.

Use Add/Remove Programs

A user with Local Administrator rights on the computer can remove the Tanium Client through either the Windows Control Panel Add/Remove Programs or Programs and Features applet.

Uninstall program

Double-click the uninst.exe program icon or execute the program from a command prompt.

The uninstall executable supports the /S command line parameter to perform a silent uninstall from a command prompt, script, package, or bat file:

uninst.exe /S

Last updated: 11/13/2019 8:40 AM | Feedback