Planning the Tanium Client deployment

Deploying the Tanium Client to your enterprise computers, and integrating the deployment into your standard IT processes, involves multiple phases. Each phase involves various tools and options. Discuss these options with your Technical Account Manager (TAM).

The following are Tanium recommendations for each phase.


The Tanium Client Deployment Tool (CDT) is a free and simple tool you can use to deploy the Tanium Client to target computers during your pilot deployment. Pilots usually target fewer than 5,000 endpoints. The CDT supports deployment in batches of 250 to 500 endpoints. The endpoints must be currently joined in an Active Directory domain (Windows only) or currently connected to the network and match an IP address range that you specify (Windows, Linux, and macOS). For details, see Using the Tanium Client Deployment Tool.

As a best practice during your pilot, test deploying the Tanium Client with the standard software package deployment tool of your organization. Some standard tools include Active Directory (AD) Group Policy Objects (GPO),  System Center Configuration Manager (SCCM), Altiris, LANDESK, Puppet, and Casper. You can also use custom scripts. You can use the Tanium CDT to prepare .exe, .msi, .iso, .rpm, .deb, and .pkg installation package files for these standard methods. For details, see:

Initial deployment

After the pilot, an initial deployment into your enterprise might target 500,000 endpoints or more, and the deployment might reach across data center, headquarter, and branch locations. As a best practice, use the standard software distribution methods that your IT organization and end users are already familiar with for the initial rollout. If your organization does not have an existing software package distribution solution, you can use the Tanium CDT. The CDT supports deployment in batches of 250 to 500 endpoints.

Onboarding new computers

Plan to integrate the Tanium Client installation into your standard build processes for new computers, such as Microsoft Deployment Toolkit task sequences. You can install the client within the reference OS images that are used to provision new computers and virtual desktop infrastructure (VDI) instances. When a new computer boots for the first time, the Tanium Client starts and then tries to register with the Tanium Server. For details, see Preparing the Tanium Client on OS images.

Continuous hygiene

After the initial rollout, put policies and procedures in place to enforce the use of Tanium Client on the endpoints in your enterprise network. Many organizations have used AD computer startup scripts to ensure Tanium Client is installed and the Tanium Client service is started (contact your TAM for details). Use Tanium Discover to scan for previously unmanaged and even previously unknown endpoints (see the Tanium Discover User Guide for details).

Last updated: 11/13/2019 8:40 AM | Feedback