Deploying the Tanium Client to Windows endpoints

You can use the installation package files to distribute the Tanium Client to endpoints using standard package distribution software and manual tools and methods. During execution, the Tanium Client installer makes the following changes to the target computer:

  • Creates the Tanium Client folders for the client application files and related content files.
  • Creates the Tanium Client registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

In addition to the Tanium Client Management and Tanium Discover modules, Tanium supports many common installation practices on Windows.

If you encounter issues when deploying the Tanium Client, examine the Tanium Client Management logs (see Tanium Client Management User Guide: Collect logs), and examine the Tanium Client installation log (see Tanium Client installation log).

Create the Tanium Client installer

Ask your Technical Account Manager (TAM) for a Tanium Client installer file to use for manual installation or installation through third-party software distribution tools. Active Directory (AD) Group Policy Objects (GPO) and System Center Configuration Manager (SCCM) are examples of such tools.

Execute the Tanium Client installer

You can use software distribution tools like GPO or SCCM to distribute the Tanium Client installer packages to endpoints.

EXE

The InstallTanium.exe installer must be executed from an account with Administrator permissions. For manual installations, launch the installer using Run As Admin.

MSI

The msiexec.exe command must also be run from an account with Administrator permissions when using the InstallTanium.msi installer.

The following example uses the client configuration settings defined when the .msi file was generated:

msiexec.exe /i InstallTanium.msi /qn

You can change the default client configuration settings defined within the .msi file using any combination of the following command-line arguments:

  • SERVERADDRESS="<FQDN or IP address>"
  • SERVERPORT="<Server port>"
  • LOGVERBOSITYLEVEL="<integer>"
  • INSTALLDIR="<optional custom install path>"

The following example overrides the settings in the .msi file:

msiexec.exe /i InstallTanium.msi /qn SERVERADDRESS="Tanium.mycompany.net" SERVERPORT="28583" LOGVERBOSITYLEVEL="41" INSTALLDIR="c:\Tanium Client\"

The command-line arguments must be entered in uppercase exactly as shown, with the argument value enclosed in quotes.

Install wizard

You can get a simple Windows installer named SetupClient.exe from your TAM. When launched in the Windows UI environment, the wizard prompts you for the Tanium Server name, port, and public key or initialization file.

  1. Copy the tanium-init.dat (Tanium Client 7.4 or later) or the tanium.pub file (Tanium Client 7.2 or earlier) to a location you can browse to from the target endpoint. See Tanium Console User Guide: Download infrastructure configuration files (keys).
  2. Copy SetupClient.exe to the target endpoint.
  3. Log into the target endpoint with a local user or domain account with administrative permissions.
  4. Right-click SetupClient.exe and select Run as administrator to start the wizard.
  5. Complete the settings. In the Set Client Configuration page, configure the settings based on the Tanium Client version:
    • Version 7.4 or later: Specify an Initialization File (tanium-init.dat).
    • Version 7.2 or 6.0: Specify a Public Key File (tanium.pub) and TLS Mode.

Command line

The CLI command for installing the Tanium Client uses the following syntax.

SetupClient.exe /ServerAddress={FQDN|IPaddress}[,{FQDN|IPaddress},...] [/ServerPort=PortNumber] [/LogVerbosityLevel=LogLevel] [/KeyPath=Path\{tanium-init.dat|tanium.pub}] [/ReportingTLSMode=Value] [/S] [/D=FolderPath]

Table 1: Tanium Client installation command syntax

Argument: /ServerAddress
Guidance: FQDN or IP address of the Tanium Servers. Using an internally defined, fully qualified domain name (FQDN) or alias is strongly recommended.

If you specify one value for this option, the command populates the ServerName registry entry. If you specify multiple values, it populates the ServerNameList registry entry.

You must include this parameter when first installing the Tanium Client. You can omit this parameter when reinstalling or upgrading the client.

In Tanium Core Platform 7.2.314.3263 and later, you can optionally set the port that the Tanium Client uses to communicate with the Tanium Server by appending :<port_number> to the /ServerAddress (for example, ts1.local.com:12345). The /ServerAddress port overrides the /ServerPort value (default is 17472).

Argument: /ServerPort
Guidance: Port for client communication with the Tanium Server and with peers.

If you omit this option, port 17472 is configured.

Argument: /S
Guidance: Execute the command silently. A silent installation suppresses the display of the client installer UI.

If you include this option without specifying the /KeyPath option, you must copy the tanium-init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2 or earlier) to the same directory as SetupClient.exe.

If you omit this option, the installer UI prompts for the installation parameters.

Argument: /LogVerbosityLevel
Guidance: The following decimal values are best practices for specific use cases:

  • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1: This is the best practice value during normal operation.
  • 41: This is the best practice value during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.

Argument: /KeyPath
Guidance: Identifies the full path and file name for the Tanium Client installer program to locate the tanium-init.dat (Tanium Client 7.4 or later) or tanium.pub (Tanium Client 7.2 or earlier) file and copy it to the Tanium Client installation folder.

No quotation marks are necessary to enclose path or file names with spaces. The KeyPath argument expects a fully qualified path name when the installer runs directly from a command prompt. However, in a batch file, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value to SetupClient.exe. For example: /KeyPath=%~dp0<My\Relative\Path>\tanium.pub

If you omit this option, you must copy the tanium-init.dat or tanium.pub file to the same directory as SetupClient.exe for silent installations.

Argument: /D
Guidance: Sets the destination path for the Tanium Client installation directory. No quotation marks are necessary to enclose path names with spaces. Environment variables are expanded, so the parameter value may include variables in the form: %programfiles%.

If you use this parameter, it must be the last argument value-pair listed on the command line. If you omit this parameter, the installer uses one of the following folders:

  • 32-bit OS: \Program Files\Tanium\Tanium Client
  • 64-bit OS: \Program Files (x86)\Tanium\Tanium Client

Argument: /ReportingTLSMode
Guidance: One of the following values:

  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, the best practice is to initially set this option to 2 (optional). When TLS is optional, the Tanium Client tries to connect over TLS. If the TLS connection fails, it tries a non-TLS connection.
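
The rules in Table 1 can be checked before a silent rollout rather than discovered from a failed install. The following PowerShell function is an added example, not Tanium code: the function name, its parameters, and the -SetupDir default are hypothetical, and it only builds and validates the argument string described above.

```powershell
# Added example: validate the Table 1 rules and build SetupClient.exe arguments
# for a silent install. Function and parameter names are hypothetical.
function New-TaniumSetupArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ServerAddress,       # FQDN or IP, optional :port suffix
        [ValidateRange(1, 65535)][int]$ServerPort,
        [ValidateScript({ $_ -ge 0 })][int]$LogVerbosityLevel = 1,   # 1 = normal operation
        [ValidateSet(0, 1, 2)][int]$ReportingTLSMode,
        [string]$KeyPath,
        [string]$InstallDir,
        [string]$SetupDir = (Get-Location).Path               # folder holding SetupClient.exe
    )
    $bound = $PSBoundParameters

    # /S needs the key file: either an explicit fully qualified /KeyPath,
    # or tanium-init.dat / tanium.pub next to SetupClient.exe.
    if ($KeyPath) {
        if ($KeyPath -notmatch '^([A-Za-z]:\\|\\\\)') { throw "/KeyPath must be fully qualified: $KeyPath" }
        if (-not (Test-Path -LiteralPath $KeyPath -PathType Leaf)) { throw "Key file not found: $KeyPath" }
    } else {
        $found = 'tanium-init.dat', 'tanium.pub' |
            Where-Object { Test-Path -LiteralPath (Join-Path $SetupDir $_) -PathType Leaf }
        if (-not $found) { throw "No tanium-init.dat or tanium.pub in $SetupDir, and no -KeyPath given" }
    }

    # A :port suffix on /ServerAddress overrides /ServerPort.
    if (($ServerAddress -match ':\d+$') -and $bound.ContainsKey('ServerPort')) {
        Write-Warning 'A :port suffix on /ServerAddress overrides the /ServerPort value.'
    }
    # Modes 0 and 2 both allow non-TLS connections (2 falls back when TLS fails).
    if ($bound.ContainsKey('ReportingTLSMode') -and $ReportingTLSMode -ne 1) {
        Write-Warning "ReportingTLSMode=$ReportingTLSMode permits non-TLS connections."
    }

    # Path values are left unquoted, as Table 1 describes.
    $parts = @("/ServerAddress=$($ServerAddress -join ',')")
    if ($bound.ContainsKey('ServerPort'))       { $parts += "/ServerPort=$ServerPort" }
    $parts += "/LogVerbosityLevel=$LogVerbosityLevel"
    if ($KeyPath)                               { $parts += "/KeyPath=$KeyPath" }
    if ($bound.ContainsKey('ReportingTLSMode')) { $parts += "/ReportingTLSMode=$ReportingTLSMode" }
    $parts += '/S'
    if ($InstallDir)                            { $parts += "/D=$InstallDir" }   # /D must be last
    $parts -join ' '
}

# Usage (constructed values; run elevated from the folder that holds SetupClient.exe):
# $a = New-TaniumSetupArguments -ServerAddress ts1.example.com, ts2.example.com -ReportingTLSMode 2
# Start-Process .\SetupClient.exe -ArgumentList $a -Wait
```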

The following are examples of using the CLI command to install the Tanium Client.

Table 2: Tanium Client installation command examples

Example: Silent express installation
Description: In an express installation, SetupClient.exe installs and configures the Tanium Client using the specified server address and default values. Before starting, copy the Tanium initialization file tanium-init.dat or public key file tanium.pub to the same folder as SetupClient.exe.

SetupClient.exe /ServerAddress=ts1.example.com /S

SetupClient.exe /ServerAddress=192.168.1.10 /S

Example: Specifying multiple Tanium Servers
Description: In a high availability (HA) deployment or other environments where you might need to register with multiple Tanium Servers, specify multiple values for ServerAddress to populate the ServerNameList registry entry:

SetupClient.exe /ServerAddress=ts1.example.com,ts2.example.com /S

Example: Silent custom installation
Description: The following example of a silent installation specifies non-default values:

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 /LogVerbosityLevel=1 /S

Example: Silent installation TLS option
Description: The following example of a silent installation specifies non-default values:

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 /LogVerbosityLevel=1 /ReportingTLSMode=1 /S

Example: Batch file format
Description: When you execute a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path of the directory that contains the batch file. The following is an example of a batch file instruction that performs a silent installation:

"%~dp0SetupClient.exe" /ServerAddress=ts1.example.com /ServerPort=28583 /S

Manage the Tanium Client service on Windows

On Windows endpoints, you can stop, start, or restart the Tanium Client service through the Windows Services program. Select the service and then select an action in the Action > All Tasks menu.

Figure 1: Tanium Client service

Uninstall the Tanium Client on Windows

You can use various tools to uninstall the Tanium Client.

Use a Tanium package

You can use the Tanium Core Platform to remove the Tanium Client from targeted computers. The uninst.exe program is in the Tanium Client installation directory.

  1. Access the Tanium Console and go to Administration > Global Settings.
  2. Select allow_process_group_flag_edit, click Edit, set the value to 1, and save the change.
  3. Go to Content > Packages and add a New Package that issues the uninstall command. The following is an example of the command to perform a silent uninstallation:

    cmd.exe /C ..\..\uninst.exe /S

    You must disable the option to Launch this package command in a process group.

  4. Create a scheduled action to distribute the package to targeted computers (see Tanium Core Platform User Guide: Deploying actions).

Because the uninstall program stops the Tanium Client service and removes the application files, the Tanium Client will no longer be present to write Completed to the respective action log. Consequently, do not rely on the final action status reported in the Tanium Console to determine success or failure of the uninstallation action.

Use Add/Remove Programs

A user with Local Administrator rights on the computer can remove the Tanium Client through either the Windows Control Panel Add/Remove Programs or Programs and Features applet.

Uninstall program

Double-click the uninst.exe program icon or execute the program from a command prompt.

The uninstall executable supports the /S command-line parameter to perform a silent uninstall from a command prompt, script, package, or batch file:

uninst.exe /S