Windows links

Deploying the Tanium Client to Windows endpoints

You can use installation package files to distribute the Tanium Client to Windows endpoints through standard package distribution software or manual tools. The Tanium Client installer makes the following changes to the target endpoints:

  • Creates the Tanium Client folders for the client application files and related content files.
  • Creates the Tanium Client registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

Install the Tanium Client on Windows

In addition to the Tanium Client Management service, you can use the following methods to install the Tanium Client:

  • Third-party software distribution tools: Ask your Technical Account Manager (TAM) for an InstallTanium.exe or InstallTanium.msi installer file to use with tools such as System Center Configuration Manager (SCCM) or Active Directory (AD) Group Policy Objects (GPO).
  • Installation wizard: Ask your TAM for the SetupClient.exe installer file.

If you encounter issues when deploying the Tanium Client, examine the Tanium Client installation log (see Tanium Client installation log).

EXE installer

You must execute the InstallTanium.exe installer using an account with Administrator permissions. For manual installations, launch the installer using Run As Admin.

MSI installer

You must run the msiexec.exe command using an account with Administrator permissions when using the InstallTanium.msi installer. The following example command uses the Tanium Client configuration settings that were defined when the .msi file was generated:

msiexec.exe /i InstallTanium.msi /qn

You can change the default client configuration settings defined within the .msi file using any combination of the following command-line arguments:

  • SERVERADDRESS="<Tanium Server FQDN or IP address>"
  • SERVERPORT="<Tanium Server port>"
  • LOGVERBOSITYLEVEL="<integer>"
  • INSTALLDIR="<optional custom installation path>"

The following example overrides the settings in the .msi file:

msiexec.exe /i InstallTanium.msi /qn SERVERADDRESS="Tanium.mycompany.net" SERVERPORT="28583" LOGVERBOSITYLEVEL="41" INSTALLDIR="c:\Tanium Client\"

You must enter the command-line arguments in uppercase exactly as shown, with the argument values enclosed in quotes.

Installation wizard

When you launch the SetupClient.exe installer in a Windows UI environment, the wizard prompts you for the Tanium Server name, port, and public key or initialization file.

  1. Copy SetupClient.exe to the Windows endpoint.
  2. Copy the tanium-init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2 or earlier) from the Tanium Server to the Windows endpoint. For the steps to download tanium-init.dat or tanium.pub, see Tanium Console User Guide: Download infrastructure configuration files (keys).
  3. Log into the Windows endpoint with a local user or domain account that has administrative permissions.
  4. Right-click SetupClient.exe and select Run as administrator to start the wizard.
  5. Respond to the prompts that the wizard presents. In the Set Client Configuration page, configure the settings based on the Tanium Client version:
    • Version 7.4 or later: Specify the Initialization File (tanium-init.dat).


    • Version 7.2 or 6.0: Specify the Public Key File (tanium.pub) and TLS Mode.




Command line

The CLI command for installing the Tanium Client uses the following syntax. For details on using the CLI, see CLI on Non-Windows endpoints.

SetupClient.exe /ServerAddress={FQDN|IPaddress}[,{FQDN|IPaddress},...] [/ServerPort=PortNumber] [/LogVerbosityLevel=LogLevel] [/KeyPath=Path\[tanium-init.dat|tanium.pub] [/ReportingTLSMode=Value] [/S] [/D=FolderPath]

Table 1:   Tanium Client installation command syntax
Argument Guidance
/ServerAddress Fully qualified domain names (FQDNs) or IP addresses of the Tanium Servers. In a deployment with Tanium Zone Servers, add the Zone Server FQDNs or IP addresses. Using internally defined FQDNs or aliases is strongly recommended. Use a comma to separate the entries for each server.

If you specify one value for this option, the command populates the ServerName registry entry. If you specify multiple values, they populate the ServerNameList registry entry.

You must include this parameter when first installing the Tanium Client. You can omit this parameter when reinstalling or upgrading the client.

In Tanium Core Platform 7.2.314.3263 and later, you can optionally set the port that the Tanium Client uses to communicate with the Tanium Server by appending :<port_number> to the /ServerAddress (for example, ts1.local.com:12345). The /ServerAddress port overrides the /ServerPort value (default is 17472).

/ServerPort Port for client communication with the Tanium Server and with peers.

If you omit this option, port 17472 is configured.

/S Execute the command silently. A silent installation suppresses the display of the client installer UI.

If you include this option without specifying the /KeyPath option, you must copy the tanium-init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2 or earlier) to the same directory as SetupClient.exe.

If you omit this option, the installer UI prompts for the installation parameters.

/LogVerbosityLevel The following decimal values are best practices for specific use cases:
  • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1: This is the best practice value during normal operation.
  • 41: This is the best practice value during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
/KeyPath Identifies the full path and file name for the Tanium Client installer program to locate the tanium-init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2 or earlier) and copy it to the Tanium Client installation folder. For the steps to download tanium-init.dat or tanium.pub from the Tanium Server, see Tanium Console User Guide: Download infrastructure configuration files (keys).

No quotation marks are necessary to enclose path or file names with spaces. The KeyPath argument expects a fully qualified path name when the installer runs directly from a command prompt. However, in a batch file, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value to SetupClient.exe. For example: /KeyPath=%~dp0<My\Relative\Path>\tanium-init.dat

If you omit this option, you must copy the tanium-init.dat or tanium.pub file to the same directory as SetupClient.exe for silent installations.

/D Sets the destination path for the Tanium Client installation directory. No quotation marks are necessary to enclose path names with spaces. Environment variables are expanded, so the parameter value may include variables in the form: %programfiles%.

If you use this parameter, it must be the last argument value-pair listed on the command line. If you omit this parameter, the installer uses one of the following folders:

  • 32-bit OS\Program Files\Tanium\Tanium Client
  • 64-bit OS\Program Files (x86)\Tanium\Tanium Client
ReportingTLSMode This setting applies only to Tanium Client 7.2. The possible values are:
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, the best practice is to initially set this option to 2 (optional). When TLS is optional, the Tanium Client tries to connect over TLS. If the TLS connection fails, it tries a non-TLS connection.

The following are examples of using the CLI command to install the Tanium Client.

Table 2:   Tanium Client installation command examples
Example Description
Silent express installation In an express installation, SetupClient.exe installs and configures the Tanium Client using the specified server address and default values. Before starting, copy the Tanium initialization file tanium-init.dat or public key file tanium.pub to the same folder as SetupClient.exe.

SetupClient.exe /ServerAddress=ts1.example.com /S

SetupClient.exe /ServerAddress=192.168.1.10 /S

Specifying multiple Tanium Servers and Zone Servers In a high availability (HA) deployment or other environments where Tanium Clients might need to register with multiple Tanium Servers and Zone Servers, specify multiple values for ServerAddress to populate the ServerNameList registry entry:

SetupClient.exe /ServerAddress=ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com /S

Silent custom installation The following example of a silent installation specifies non-default values:

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 /LogVerbosityLevel=1 /S

Silent installation TLS option The following example of a silent installation specifies non-default values:

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 /LogVerbosityLevel=1 /ReportingTLSMode=1 /S

Batch file format When you execute a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path name of the batch file working directory. The following is an example of a batch file instruction that performs a silent installation:

"%~dp0SetupClient.exe" /ServerAddress=ts1.example.com /ServerPort=28583 /S

Verify the Tanium Client installation

After you use any method to install the Tanium Client, perform the following steps to verify that the client installed correctly and can communicate with the Tanium Server.

  1. Wait a few minutes after installation for the Tanium Client to register with the Tanium Server, and then go to the Main menu and select Console > Administration > System Status.
  2. Verify that the grid lists the client that you installed.

    To find a specific Tanium Client, enter a text string in the Show Rows Containing field above the grid to filter it by Host Name or IP address.


Manage the Tanium Client service on Windows

On Windows endpoints, you can stop, start, or restart the Tanium Client service through the Windows Services program. Select the service and then select an action in the Action > All Tasks menu.

Figure  1:  Tanium Client service

Uninstall the Tanium Client on Windows

You can use various tools to uninstall the Tanium Client.

Use a Tanium package

You can use the Tanium Core Platform to remove the Tanium Client from targeted computers. The uninst.exe program is in the Tanium Client installation directory.

  1. Access the Tanium Console.
  2. From the Main menu, select Console > Administration > Global Settings.
  3. Select allow_process_group_flag_edit, click Edit, set the value to 1, and save the change.
  4. From the Main menu, select Console > Content > Packages and add a New Package that issues the uninstall command. The following is an example of the command to perform a silent uninstallation:

    cmd.exe /C ..\..\uninst.exe /S

    You must disable the option to Launch this package command in a process group.

  5. Create a scheduled action to distribute the package to targeted computers (see Tanium Core Platform User Guide: Deploying actions).

Because the uninstall program stops the Tanium Client service and removes the application files, the Tanium Client will no longer be present to write Completed to the respective action log. Consequently, do not rely on the final action status reported in the Tanium Console to determine success or failure of the uninstallation action.

Use Add/Remove Programs

A user with Local Administrator rights on the computer can remove the Tanium Client through either the Windows Control Panel Add/Remove Programs or Programs and Features applet.

Uninstall program

Double-click the uninst.exe program icon or execute the program from a command prompt.

The uninstall executable supports the /S command line parameter to perform a silent uninstall from a command prompt, script, package, or bat file:

uninst.exe /S