
Deploying the Tanium Client to Windows endpoints

You can deploy the Tanium Client to Windows endpoints using the Tanium Client Management service (see Tanium Client Management User Guide), Installation wizard, client Command-line interface (CLI), or third-party software distribution tools. Contact Tanium Support for details on using third-party tools such as System Center Configuration Manager (SCCM).

If you encounter issues when deploying the Tanium Client, examine the Tanium Client installation log.

All these deployment methods use the Tanium Client installer SetupClient.exe, which makes the following changes to the target endpoints:

  • Creates the Tanium Client installation directories for the client application files and related content files.
  • Creates the Tanium Client Windows registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

Install the Tanium Client on Windows

Prepare for installation

  1. Ensure that the Windows endpoint meets the basic requirements for the Tanium Client.
  2. Sign into the Windows endpoint with a local user or domain account that has administrative permissions.
  3. Use the Tanium Client Management service to download the client installer bundle (windows-client-bundle.zip) to the Windows endpoint. The download link is available on the Client Management Overview page. For the procedure, see Tanium Client Management Guide: Download and deploy the installer bundle.

    The bundle contains the following files:

    • SetupClient.exe
    • tanium‑init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)
    • install.bat

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)) and request SetupClient.exe from Tanium Support (see Contact Tanium Support). However, the installation process for Tanium Client 7.4 or later requires fewer manual configuration steps if you download tanium‑init.dat through Client Management.

  4. Copy the installer bundle to a temporary directory on the Windows endpoint and unzip the bundle.

Installation wizard

  1. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.
  2. Right-click SetupClient.exe and select Run as administrator to start the wizard.
  3. Respond to the wizard prompts. The values that you enter depend on the client version and the source of the installation files:

    • Tanium Client 7.4: If you used Client Management to download tanium‑init.dat and the file is in the same directory as SetupClient.exe, the wizard prompts you to accept the license agreement and select an installation directory, and then automatically configures the remaining settings with default values. Otherwise, you must manually specify the Initialization File (tanium‑init.dat) and other settings.

      To configure custom values instead of default values, move tanium‑init.dat to a different directory than SetupClient.exe before starting the wizard. The wizard then prompts you to specify the settings.

    • Tanium Client 7.2: Specify the Public Key File (tanium.pub), TLS Mode, and other settings.



  4. (Optional) Use the CLI on Windows endpoints to configure additional Tanium Client settings that you did not set through the installation wizard.

Command-line interface (CLI)

You can use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on Windows endpoints.

  1. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.
  2. Access the endpoint CLI.
  3. Navigate to the directory where the Tanium Client installer resides.
  4. Use the following command to run the Tanium Client installer.

    SetupClient.exe /ServerAddress={<FQDN|IPaddress>}[,{<FQDN|IPaddress>},...] [/ServerPort=<PortNumber>] [/LogVerbosityLevel=<LogLevel>] [/KeyPath=<Path>\[tanium-init.dat|tanium.pub]] [/ReportingTLSMode=[0|1|2]] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN|IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>]

    Table 1 describes the arguments for the SetupClient.exe command.

    Before running the installer, determine which installation type to use based on whether the Tanium Client requires default or custom settings:

    • Express: The installer uses default values for all settings except ServerNameList and requires only the following arguments:
      • /ServerAddress sets the ServerNameList and is required for Tanium Client 7.2. It is required for Tanium Client 7.4 only if tanium‑init.dat does not specify ServerNameList. By default, the tanium‑init.dat that you download through Client Management specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not.
      • /KeyPath is required only if tanium‑init.dat or tanium.pub are not in the same directory as SetupClient.exe.
      • /S specifies silent installation and is required for express installation of any Tanium Client version.
    • Custom: Specify the arguments for settings that require custom values instead of default values. If you omit the /S argument, the Tanium Client Installation wizard opens and prompts you to configure the settings.

    Table 2 shows examples of how to use the CLI for express and custom installations.

To configure settings beyond those that Table 1 describes, see Tanium Client settings.

 Table 1: Tanium Client installation command syntax
Argument Guidance
/ServerAddress Fully qualified domain names (FQDNs) or IP addresses of the TaaS instances or Tanium Servers with which the client can connect. In a deployment with Zone Servers, add their FQDNs or IP addresses. Using internally defined FQDNs or aliases is strongly recommended. Use a comma to separate the entry for each instance or server.

If you specify one value for this option, it populates the ServerName registry entry. If you specify multiple values, they populate the ServerNameList registry entry.

For Tanium Client 7.4 or later, omit /ServerAddress during the initial installation if the tanium‑init.dat file specifies the ServerNameList (see the client installation types). If tanium‑init.dat does not specify the ServerNameList, or you are installing Tanium Client 7.2, you must include /ServerAddress during installation. You can omit this argument when reinstalling or upgrading any version of the client.

In Tanium Core Platform 7.2.314.3263 and later, you can optionally set the port that the Tanium Client uses to communicate with TaaS or the Tanium Server by appending :<port_number> to the server address (for example, taas-example1-zs.cloud.tanium.com:12345 or ts1.local.com:12345). The /ServerAddress port overrides the /ServerPort value.

/ServerPort The port that the Tanium Client uses for communication with TaaS or the Tanium Server and with peers. You must specify port 17472. If you omit this argument, the Tanium Client uses the default port, 17472. For details, see ServerPort.
/LogVerbosityLevel The level of logging on the endpoint. The following values are best practices for specific use cases:
  • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1 (default): This is the best practice value during normal operation.
  • 41: This is the best practice value during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
/KeyPath The full path and file name that the Tanium Client installer program uses to locate the tanium‑init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2) and copy it to the Tanium Client installation directory.

No quotation marks are necessary to enclose path or file names with spaces. The KeyPath argument requires a fully qualified path name when the installer runs directly from a command prompt. However, in a batch file, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value to SetupClient.exe. For example: /KeyPath=%~dp0<My\Relative\Path>\tanium‑init.dat

If you omit the KeyPath argument for silent installations (/S argument), the tanium‑init.dat or tanium.pub file must be in the same directory as SetupClient.exe.

/S Run the installation command silently, which means the Tanium Client installation wizard does not open and prompt you to configure settings.

If you include this argument without specifying the /KeyPath argument, tanium‑init.dat (Tanium Client 7.4 or later) or tanium.pub (Tanium Client 7.2) must be in the same directory as SetupClient.exe.

For examples of how to run silent installations, see Table 2.

/D Sets the destination path for the Tanium Client installation directory. No quotation marks are necessary to enclose path names with spaces. Because environment variables are expanded, the argument value can include path variables, such as %programfiles%.

If you use this argument, it must be the last argument value-pair listed on the command line. If you omit this argument, the installer uses a default directory based on the endpoint operating system (OS):

  • 32-bit OS: \Program Files\Tanium\Tanium Client
  • 64-bit OS: \Program Files (x86)\Tanium\Tanium Client
/ReportingTLSMode TaaS automatically manages all TLS settings for the Tanium Client. This setting applies only to Tanium Client 7.2. The possible values are:
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, initially set this option to 2 (optional). When TLS is optional, the Tanium Client tries to connect over TLS. If the TLS connection fails, the client tries a non-TLS connection.

/ProxyAutoConfigAddress Include this setting if the Tanium Client connects to TaaS or to the Tanium Server or Zone Server through a Hypertext Transfer Protocol Secure (HTTPS) proxy server. The setting specifies the URL and file name of a proxy auto configuration (PAC) file that the client can access. Specify the value in the format http[s]://<URL>/<file name>.pac. The client downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular TaaS instance or server. If no proxy is available, the client falls back to connecting directly with TaaS or with the Tanium Server or Zone Server. For details, see Configure proxy connections with a PAC file.
/ProxyServers Include this setting if the Tanium Client connects to TaaS or to the Tanium Server or Zone Server through an HTTPS proxy server but cannot access a PAC file. The setting specifies the IP address or FQDN, and port number, of the HTTPS proxy server. You can specify multiple proxies as a comma-separated list in the format "<proxy1>:<port>,...,<proxyN>:<port>". The client tries to connect to the proxies in the order that you list them. After any single connection succeeds, the client stops trying to connect with more proxies. If no proxy is available, the client falls back to connecting directly with TaaS or with the Tanium Server or Zone Server. For details, see Configure proxy connections without a PAC file.

The following are examples of using the CLI command to install the Tanium Client.

For Tanium Client 7.4 or later, omit the /ServerAddress argument if the tanium‑init.dat file specifies the ServerNameList. For details, see the client installation types.

 Table 2: Tanium Client installation command examples
Example Description
Silent express installation In an express installation, SetupClient.exe installs and configures the Tanium Client using default values for all the arguments except /ServerAddress. Before starting, ensure that the Tanium initialization file tanium‑init.dat or public key file tanium.pub is in the same directory as SetupClient.exe.

SetupClient.exe /ServerAddress=taas-example1-zs.cloud.tanium.com /S

SetupClient.exe /ServerAddress=ts1.example.com /S

SetupClient.exe /ServerAddress=192.168.1.10 /S

In a deployment with Zone Servers or multiple TaaS instances or Tanium Servers, specify each instance or server in /ServerAddress:

SetupClient.exe /ServerAddress=taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com /S

SetupClient.exe /ServerAddress=ts1.example.com,ts2.example.com,zs1.example.com /S

Silent custom installation The following example specifies non-default values in a silent installation:

SetupClient.exe /ServerAddress=taas-example1-zs.cloud.tanium.com /ServerPort=63422 /LogVerbosityLevel=1 /S

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 /LogVerbosityLevel=1 /S

Silent installation TLS option The following example specifies non-default values for a silent installation of Tanium Client 7.2:

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 /LogVerbosityLevel=0 /ReportingTLSMode=1 /S

Batch file format When you execute a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path name of the directory that contains the batch file. The following example of a batch file instruction performs a silent installation:

"%~dp0SetupClient.exe" /ServerAddress=taas-example1-zs.cloud.tanium.com /ServerPort=28583 /S

"%~dp0SetupClient.exe" /ServerAddress=ts1.example.com /ServerPort=28583 /S
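
The following PowerShell function is an added example, not code from Tanium. It builds a silent-installation argument string and enforces the Table 1 rules that are easy to get wrong in a deployment script (fully qualified /KeyPath, key file beside the installer when /KeyPath is omitted, /D last). The function name, parameter names, and the sample values in the usage comment are hypothetical.

```powershell
# Added example: build a silent-install argument string for SetupClient.exe
# that obeys the Table 1 rules. All names in this block are hypothetical.
function New-SetupClientArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InstallerDir,   # directory holding SetupClient.exe
        [string[]]$ServerAddress,                      # FQDN or IP, optionally :port
        [ValidateRange(1, 65535)][int]$ServerPort,
        [ValidateSet(0, 1, 2)][int]$ReportingTLSMode,  # Tanium Client 7.2 only
        [string]$KeyPath,
        [string]$InstallDir
    )
    $parts = @()
    if ($ServerAddress) {
        $parts += '/ServerAddress=' + ($ServerAddress -join ',')
        # A port appended to a server address overrides /ServerPort.
        if ($PSBoundParameters.ContainsKey('ServerPort') -and ($ServerAddress -match ':\d+$')) {
            Write-Warning 'A port in /ServerAddress overrides the /ServerPort value.'
        }
    }
    if ($PSBoundParameters.ContainsKey('ServerPort')) { $parts += "/ServerPort=$ServerPort" }
    if ($PSBoundParameters.ContainsKey('ReportingTLSMode')) { $parts += "/ReportingTLSMode=$ReportingTLSMode" }

    if ($KeyPath) {
        # From a command prompt, /KeyPath must be fully qualified (drive letter or UNC).
        if ($KeyPath -notmatch '^([A-Za-z]:\\|\\\\)') { throw "KeyPath is not fully qualified: $KeyPath" }
        if (-not (Test-Path -LiteralPath $KeyPath -PathType Leaf)) { throw "Key file not found: $KeyPath" }
        $parts += "/KeyPath=$KeyPath"                 # no quotation marks, even with spaces
    } else {
        # With /S and no /KeyPath, the key file must sit beside SetupClient.exe.
        $found = 'tanium-init.dat', 'tanium.pub' |
            Where-Object { Test-Path -LiteralPath (Join-Path $InstallerDir $_) -PathType Leaf }
        if (-not $found) { throw "No tanium-init.dat or tanium.pub found in $InstallerDir" }
    }
    $parts += '/S'
    if ($InstallDir) { $parts += "/D=$InstallDir" }   # /D must be the last argument
    return ($parts -join ' ')
}

# Usage with constructed values (run from an elevated session):
# $dir     = 'C:\Temp\windows-client-bundle'
# $argLine = New-SetupClientArguments -InstallerDir $dir -ServerAddress 'ts1.example.com' -ServerPort 63422
# $proc    = Start-Process -FilePath (Join-Path $dir 'SetupClient.exe') -ArgumentList $argLine -Wait -PassThru
# $proc.ExitCode
```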

Verify the Tanium Client installation

After you install the Tanium Client, perform the following steps to verify that the client installed correctly and can communicate with TaaS or with the Tanium Server or Zone Server.

  1. Wait a few minutes after installation for the Tanium Client to register with TaaS or with the Tanium Server or Zone Server and then, from the Main menu, go to Administration > Management > Client Status.
  2. Verify that the grid lists the client that you installed.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).


Manage the Tanium Client service on Windows

On Windows endpoints, you can stop, start, or restart the Tanium Client service through the Windows Services program. Select the service and then select an action in the Action > All Tasks menu.

Figure 1: Tanium Client service

Uninstall the Tanium Client on Windows

You can use various tools to uninstall the Tanium Client.

Use a Tanium package

You can use the Tanium Core Platform to remove the Tanium Client from targeted endpoints. The uninst.exe program is in the Tanium Client installation directory.

  1. Access the Tanium Console.
  2. From the Main menu, go to Administration > Management > Global Settings.
  3. Select allow_process_group_flag_edit, click Edit, set the value to 1, and save the change.
  4. From the Main menu, go to Administration > Content > Packages and add a New Package that issues the uninstall command. The following is an example of the command to perform a silent uninstallation:

    cmd.exe /C ..\..\uninst.exe /S

    You must disable the option to Launch this package command in a process group.

  5. Create a scheduled action to distribute the package to targeted computers: see Tanium Console User Guide: Deploying actions.

Because the uninstall program stops the Tanium Client service and removes the application files, the Tanium Client will no longer be present to write Completed to the respective action log. Consequently, do not rely on the final action status reported in the Tanium Console to determine success or failure of the uninstallation action.
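
Because the console's action status is not a reliable signal here, one option is to check the endpoint itself for the artifacts that SetupClient.exe creates. The following PowerShell function is an added example, not code from Tanium; run after an uninstallation, every field should be False, and run after an installation, every field should be True. The function name is hypothetical, and the service display name and Add/Remove Programs display name ("Tanium Client") are assumptions based on this page's wording.

```powershell
# Added example: report whether the changes that SetupClient.exe makes are present
# on this endpoint. The display names below are assumptions; adjust them if your
# deployment differs. StartType requires Windows PowerShell 5.1 or later.
function Test-TaniumClientInstall {
    param([string]$InstallDir)

    if (-not $InstallDir) {
        # Default directories from Table 1: Program Files (x86) on a 64-bit OS,
        # Program Files on a 32-bit OS.
        $root = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
        $InstallDir = Join-Path $root 'Tanium\Tanium Client'
    }

    $svc = Get-Service -DisplayName 'Tanium Client' -ErrorAction SilentlyContinue

    # Windows keeps Add/Remove Programs entries under the Uninstall keys
    # (checked in both the 64-bit and 32-bit registry views).
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $arp = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Tanium Client*' }

    [pscustomobject]@{
        InstallDirExists   = Test-Path -LiteralPath $InstallDir -PathType Container
        UninstallerPresent = Test-Path -LiteralPath (Join-Path $InstallDir 'uninst.exe') -PathType Leaf
        ServiceExists      = [bool]$svc
        StartupAutomatic   = ($svc.StartType -eq 'Automatic')
        ServiceRunning     = ($svc.Status -eq 'Running')
        InProgramsList     = [bool]$arp
    }
}

# Usage: Test-TaniumClientInstall
#        Test-TaniumClientInstall -InstallDir 'D:\Apps\Tanium Client'   # constructed path
```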

Use Add/Remove Programs

A user with Local Administrator rights on the endpoint can remove the Tanium Client through either the Windows Control Panel Add/Remove Programs or Programs and Features applet.

Uninstall program

Double-click the uninst.exe program icon or execute the program from a command prompt.

The uninstall executable supports the /S command line parameter to perform a silent uninstall from a command prompt, script, package, or BAT file: uninst.exe /S