Windows links

Deploying the Tanium Client to Windows endpoints

You can use the installation package files to distribute the Tanium Client to endpoints using standard package distribution software and manual tools and methods. During execution, the Tanium Client installer makes the following changes to the target computer:

  • Creates the Tanium Client folders for the client application files and related content files.
  • Creates the Tanium Client registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

In addition to Tanium Discover and the Tanium Client Deployment Tool (CDT), Tanium supports many common installation practices on Windows.

If you encounter issues when deploying the Tanium Client, examine the CDT debug logs (see Client Deployment Tool logs) and Tanium Client installation log (see Tanium Client installation log).

Step 1: Create the Tanium Client installer

The Tanium CDT can generate an EXE or MSI file containing the Tanium public key file and client configuration settings to support manual installation or installation through other software distribution tools such as an AD Group Policy Objects (GPO) or System Center Configuration Manager (SCCM).

To create the installer:

  1. Launch the CDT and set values for the following fields:
    • (file location)
    • Server Name (comma-separated list of one or more Tanium Servers and/or Zone Servers)
    • Port
    • Log Verbosity Level
    • Target Folder (optional)
  2. From the menu bar, select Clients > Generate Windows MSI or EXE, select Create .EXE or Create .MSI, and click OK.

After the process completes, a message box appears to confirm that the installer file has been created. The filepath is \\CDTinstall\Clients\InstallTanium.msi or InstallTanium.exe.

Step 2: Execute the Tanium Client installer

You can use software distribution tools like GPO or SCCM to distribute the packages to endpoints.


The InstallTanium.exe installer must be executed from an account with Administrator privileges. For manual installations, launch the installer using Run As Admin.


The msiexec.exe command must also be run from an account with Administrator privileges when using the InstallTanium.msi installer.

The following example uses the client configuration settings defined when the .msi file was generated:

msiexec.exe /i InstallTanium.msi /qn

You can change the default client configuration settings defined within the .msi file using any combination of the following command-line arguments:

  • SERVERADDRESS="<FQDN or IP address>"
  • SERVERPORT="<Server port>"
  • INSTALLDIR="<optional custom install path>"

The following example overrides the settings in the .msi file:

msiexec.exe /i InstallTanium.msi /qn SERVERADDRESS="" SERVERPORT="28583" LOGVERBOSITYLEVEL="41" INSTALLDIR="c:\Tanium Client\"

The command-line arguments must be entered in uppercase exactly as shown, with the argument value enclosed in quotes.

Install wizard

The \\CDTinstall\Clients\InstallTanium.msi folder also includes a simple Windows installer named SetupClient.exe. You might find this program useful when installing only a few Tanium Clients—typically at the beginning of a pilot or later for one-off deployments. When launched in the Windows UI environment, the wizard prompts you for the Tanium Server name, port, and public key file.

  1. Copy the key file to a location you can browse to from the target host computer.
  2. Copy SetupClient.exe to the target host computer.
  3. Log into the target host computer with a local user or domain account with administrative privileges.
  4. Right-click SetupClient.exe and select Run as administrator to start the wizard.
  5. Complete the settings.

Command line

SetupClient.exe /ServerAddress={FQDN|IPaddress}[,{FQDN|IPaddress},...] [/ServerPort=PortNumber] [/LogVerbosityLevel=LogLevel] [/KeyPath=Path\] [/ReportingTLSMode=Value] [/S] [/D=FolderPath]

/ServerAddress FQDN or IP address of the Tanium Server(s). Using an internally defined, fully qualified domain name (FQDN) or alias is strongly recommended.

If you specify one value for this option, the command populates the ServerName registry entry. If you specify multiple values, it populates the ServerNameList registry entry.

You must include this parameter to install the client initially.

You can omit this parameter when reinstalling or upgrading the client.

In Tanium Core Platform 7.2.314.3263 and later, you can optionally set the port that the Tanium Client uses to communicate with the Tanium Server by appending :<port_number> to the /ServerAddress (for example, The /ServerAddress port overrides the /ServerPort value (default is 17472).

/ServerPort Port for client communication with the Tanium Server and with peers.

If you omit this option, port 17472 is configured.

/S Execute the command silently. A silent installation suppresses the display of the client installer UI.

If you include this option without specifying the /KeyPath option, then you must copy the public key file to the same directory as SetupClient.exe.

If you omit this option, the installer UI prompts for the installation parameters.


The following decimal values are best practices for specific use cases:

  • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1: This is the best practice value during normal operation.
  • 41: This is the best practice value during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
/KeyPath Identifies the full path and file name for the client installer program to locate the Tanium Server public key and copy it to the Tanium Client installation folder.

No quotation marks are necessary to enclose path or file names with spaces.

The KeyPath argument expects a fully qualified path name when the installer runs directly from a command prompt. In a batch file, however, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value-key pair to SetupClient.exe For example:


If you omit this option, you must copy the public key file to the same directory as SetupClient.exe for silent installations.

/D Sets the destination path for the Tanium Client installation directory.

If you use this parameter, it must be the last argument value-pair listed on the command line.

No quotation marks are necessary to enclose path names with spaces.

Environment variables are expanded, so the parameter value may include variables in the form: %programfiles%.

If you omit this parameter, the installer uses one of the following folders:

  • \Program Files\Tanium\Tanium Client\ (32-bit OS )
  • \Program Files (x86)\Tanium\Tanium Client\ (64-bit OS)
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, we recommend you initially set this option to 2 (optional). When TLS is optional, the client attempts to connect over TLS. If the TLS connection fails, it attempts a non-TLS connection.

Example: Silent "Express" installation

In an "Express" installation, SetupClient.exe installs and configures the Tanium Client using the specified server address and default values. Before you begin, the public key file must be copied to the same folder as SetupClient.exe.

SetupClient.exe / /S

SetupClient.exe /ServerAddress= /S

Example: Specifying Multiple Tanium Server Names

In an HA deployment or other environments where you may need to register with multiple Tanium Servers, you can specify multiple values for ServerAddress to populate the ServerNameList registry entry:

SetupClient.exe /, /S

Example: Silent "Custom" installation

The following example of a silent install specifies non-default values:

SetupClient.exe / /ServerPort=63422 /LogVerbosityLevel=1 /S

Example: Silent installation TLS Option

The following example of a silent install specifies non-default values:

SetupClient.exe / /ServerPort=63422 /LogVerbosityLevel=1 /ReportingTLSMode=1 /S

Example: Batch file format

When you execute a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path name of the batch file working directory. The following is an example of a batch file instruction that performs a silent installation:

"%~dp0SetupClient.exe" / /ServerPort=28583 /S

Example: Use advanced CDT options

The CDT has advanced options you can use to generate a Tanium Client installer that creates a subregistry and populates it with name-value pairs. This example creates registry entries that are compatible with Custom Tagging content. It creates the subregistry Sensor Data\Tags and the registry key Lab.

Figure  1:  Tags subregistry

You can then use the Tags registry entries in Tanium workflows. For example, you can create Computer Groups derived from results from the Custom Tags sensor.

Figure  2:  Using Custom Tags to define a Computer Group
The CDT advanced options tags shown in this example create the same Windows registry entries that the Custom Tagging - Add Tags package creates. You could use the CDT advanced options tags to create other subregistries and keys and use the Registry content. However, we recommend you use Custom Tagging content in most cases.

For more information on Custom Tagging content, see the Tanium Support Knowledge Base article on Custom Tags (login required).

Step 1: Create a special installer

  1. Launch the CDT and set values for the following fields:
    • (file location)
    • Server Name (comma-separated list of one or more Tanium Servers and/or Zone Servers)
    • Port
    • Log Verbosity Level
    • Target Folder (optional)
  2. From the menu bar, select Clients > Generate Windows MSI or EXE and then select Create .EXE or Create .MSI.
  3. Select Create with custom tags, specify the subregistry name Sensor Data\Tags, and specify a tag name and value. The value is not used by the Custom Tags sensor, so it can be anything but it cannot be null.
  4. Click OK.

After the process completes, a message box appears to confirm that the installer file has been created. The filepath is similar to the following:


Step 2: Use the special installer to install the Tanium Client on host computers

  1. Copy the installer and the tanium public key file to a temporary location on the target host computer.
  2. Right-click the EXE file and select Run as administrator.

    The special installer completes without further interaction.

  3. Go to the Tanium Client Windows Registry and verify expected results.
  4. In the Tanium Console, ask a question that uses the Custom Tags sensor or create a Computer Group that selects computers based on it, as shown in Figure  2.

Uninstall the Tanium Client on Windows

You can use various tools to uninstall the Tanium Client.

Use a Tanium package

You can use the Tanium Core Platform to remove the Tanium Client from targeted computers. The uninst.exe program is in the Tanium Client installation directory.

  1. Access the Tanium Console and go to Administration > Global Settings.
  2. Select allow_process_group_flag_edit, click Edit, set the value to 1, and save the change.
  3. Go to Content > Packages and add a New Package that issues the uninstall command. The following is an example of the command to perform a silent uninstallation:
    cmd.exe /C ..\..\uninst.exe /S

    You must disable the option to Launch this package command in a process group.

  4. Create a scheduled action to distribute the package to targeted computers (see Tanium Core Platform User Guide: Deploying actions).

Because the uninstall program stops the Tanium Client service and removes the application files, the Tanium Client will no longer be present to write Completed to the respective action log. Consequently, do not rely on the final action status reported in the Tanium Console to determine success or failure of the uninstallation action.

Use Add/Remove Programs

A user with Local Administrator rights on the computer can remove the Tanium Client through either the Windows Control Panel Add/Remove Programs or Programs and Features applet.

Uninstall program

Double-click the uninst.exe program icon or execute the program from a command prompt.

The uninstall executable supports the /S command line parameter to perform a silent uninstall from a command prompt, script, package, or bat file:

uninst.exe /S

Last updated: 6/4/2019 4:22 PM | Feedback