Maintaining Tanium Clients

Perform regular maintenance tasks to ensure that Tanium Clients are connected in good health, so that Tanium successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Tanium Clients are not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting Tanium Clients and Client Management for related procedures.

For information about general management of Tanium Clients, see Managing Tanium Clients.

Perform as-needed maintenance

Audit and remediate disconnected Tanium Clients

In some cases, users with local administrative rights might be able to uninstall the Tanium Client, stop the Tanium Client service, or tamper with Tanium Client files. Use Tanium Discover to regularly audit endpoints to which you have deployed the Tanium Client, and automatically redeploy the Tanium Client to previously managed endpoints that have become unmanaged.

  1. Configure a profile in Discover that scans endpoints to which you have deployed the Tanium Client. For more information, see Tanium Discover User Guide: Scan types.

  2. Configure an automatic label in Discover (such as Disconnected) with conditions that identify endpoints on which you expect the Tanium Client to be installed. For more information, see Tanium Discover User Guide: Automatically label interfaces.

    Discover labels must have the following settings to be used with Client Management:

    • Type: Automatic
    • Activity: Retain
    • Retain Activity: Label
  3. Regularly review the label you created in Discover. Optionally, configure a Connect destination to alert you of newly unmanaged endpoints that the label identifies. For more information, see Tanium Discover User Guide: Export interface data to a Connect destination.
  4. When the label identifies newly unmanaged endpoints, redeploy the Tanium Client to those endpoints.

If redeploying the Tanium Client does not successfully reconnect the endpoint, other issues might be preventing the Tanium Client from connecting or registering. For troubleshooting information, see Troubleshoot issues with connection and registration.

To reduce the likelihood of casual tampering by users with local administrator rights on Windows, you can take measures to harden the Tanium Client on Windows. For more information, see (Optional) Harden the Tanium Client on Windows. Performing regular audits of unmanaged assets is a best practice regardless of whether you have hardened the Tanium Client on Windows.

Perform weekly maintenance

Check the endpoint count

The number of managed endpoints might fluctuate as endpoints join or leave your network. View the number of managed endpoints to check for potential anomalies and to ensure compliance with your Tanium license:

  • Go to the Tanium Home page to check the Total Endpoints. This field displays the most accurate tally of online and offline managed endpoints that have registered with Tanium™ Cloud within the retention period (default is 30 days). For details, see Tanium Console User Guide: View environment status.

    If the endpoint count is lower than expected, investigate whether network disruptions or misconfigurations prevent endpoints from registering. If the count is higher than expected, verify that the new endpoints are authorized to join your network.

    You can configure an automatic Discover label and a Connect destination to alert you when endpoints become unmanaged. See .

  • Go to Administration > Configuration > Client Status to check the endpoint count as it relates to your Tanium license, regardless of whether it matches the Total Endpoints value on the Tanium Home page. For details, see Tanium Console User Guide: View managed endpoints count for license compliance.

    Track changes in the weekly endpoint count to project future growth. to update your license for a higher number of maximum managed endpoints if necessary.

Review and update tags

If you use computer groups for which membership is based on custom tags or enhanced tags, review which endpoints have which tags. Deploy changes to the tags and configure new computer groups if necessary.

Review and update enhanced tags

For the steps to review and update enhanced tags, sign in to the Tanium™ Knowledge Base and see the Enhanced Tags Documentation.

Review and update custom tags

  1. Determine which endpoints have which tags. See Tanium Console User Guide: Review custom tags.
  2. Add or remove custom tags if necessary. See Tanium Console User Guide: Manage custom tags for computer groups.
  3. Create or delete computer groups with tag-based membership if necessary. See Tanium Console User Guide: Managing computer groups.

    You cannot change the membership definition of existing computer groups. You must delete existing groups and recreate them with the correct definition.

  4. Add or edit action groups to target tag-based computer groups if necessary. See Tanium Console User Guide: Managing action groups.

Perform monthly maintenance

Perform the following tasks to review the state of the Tanium Clients running on endpoints, as well as client communication and registration with Tanium Cloud. If you observe client issues that require resolution, see .

Review and remediate Tanium Client health and client extension issues

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, select Client Health and click the Deployment tab to review the Health Failures panel. This panel shows failures associated with Tanium™ Client Extensions. Perform the remaining steps if you need to troubleshoot client extension issues.
  3. Click Interact in the Health Failures panel to display the question results that provide the panel data.

  4. Retrieve any additional details from endpoints that you need to diagnose client extension issues. See Tanium Console User Guide: Managing question results.
  5. To resolve client extension failures, see the following sections:

Review and adjust the distribution of Tanium Client registration traffic

Tanium Clients must register with a Tanium™ Cloud Client Edge for the client hosts to function as managed endpoints. As clients and client subnets are added to or removed from your network, you might have to update connections to Client Edge URLs to optimize registration traffic.

Each Tanium Client connects to only one Tanium Cloud Client Edge at a time. However, to avoid a single point of failure, you can configure the ServerNameList setting with a list of Client Edge URLs to which the client can attempt a connection. The Client Edge URLs are available in the Tanium™ Cloud Management Portal (CMP). For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

For details about Client Edge URLs, see .

To determine which Client Edges are processing client registrations and, if necessary, to rebalance registration traffic among them:

  1. From the Main menu, go to Administration > Shared Services > Client Management.
  2. From the Client Management menu, select Client Health and click the Settings tab.
  3. Scroll to the ServerNameList setting to verify that clients are configured with the correct Client Edges and that the list is the same for all clients.
  4. Review the ServerName setting to verify that client connections are balanced among Client Edges.
  5. Deploy actions with packages that reset the ServerNameList settings if necessary to ensure that all clients target the same, correct list of Client Edge URLs. See . To verify that clients can connect to Client Edges, see Tanium Cloud Deployment Guide: Step 5: Deploy Tanium Client.

Review and update Tanium Client logging levels

Tanium Clients generate logs that can help you troubleshoot issues. Higher logging levels record more details about events on clients but also consume more client resources. The default logging level is 1. Review client logging levels and adjust them if necessary to ensure new endpoints that join your network have optimal logging levels.

Set the logging level to 0 (logging disabled) for clients that run on sensitive endpoints, endpoints with limited resources, or virtual desktop infrastructure (VDI) endpoints.

For details about logging levels, see Tanium Core Platform Deployment Reference Guide: Logging levels.

For Tanium™ Client Containers, the default logging level is 10 and you cannot change it through actions. to change the logging level on Client Containers.

For details about logs on Tanium Clients, see .

  1. From the Client Management menu, go to Client Health and click the Settings tab.

    If the logging level is set to a value other than the default 1 on any clients, the LogVerbosityLevel setting displays the Count of clients for each value. If all clients have the default value, the page does not display the setting.

    To verify that the logging level is set to the best practice value 0 for clients on VDI endpoints, select All Virtual Machines in the Computer Group drop-down.

  2. To update the logging level on clients, see .

Review and update Tanium Client settings

  1. From the Client Management menu, go to Client Health and click the Settings tab.
  2. Verify that the setting values are correct and that the Count column indicates they apply to the expected number of clients.
  3. To update settings, see .
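The three reviews above (the ServerNameList and ServerName checks in the registration-traffic procedure, the LogVerbosityLevel check, and the general settings review) can be run over an exported list of clients instead of being read off the Settings tab one value at a time. The following is an added example, not Tanium code and not part of this guide: it parses a constructed CSV whose column layout, Client Edge hostnames (`*.example.invalid`) and imbalance threshold are all assumptions, and flags clients whose ServerNameList differs from the expected list, an uneven spread of connections across Client Edges, and clients whose logging level deviates from the best-practice value (1 by default, 0 for VDI endpoints).

```python
"""Added example: review exported Tanium Client settings for consistency.

The CSV below is constructed for illustration; its column names, the
Client Edge URLs (*.example.invalid) and MAX_IMBALANCE_RATIO are assumptions.
"""
import csv
import io
from collections import Counter

# Constructed sample export (assumed layout, one row per client).
SAMPLE_CSV = """\
Computer Name,Virtual,ServerNameList,ServerName,LogVerbosityLevel
ws-001,No,"edge-a.example.invalid:17472,edge-b.example.invalid:17472",edge-a.example.invalid:17472,1
ws-002,No,"edge-a.example.invalid:17472,edge-b.example.invalid:17472",edge-a.example.invalid:17472,1
ws-003,No,"edge-a.example.invalid:17472,edge-b.example.invalid:17472",edge-a.example.invalid:17472,41
srv-001,No,"edge-a.example.invalid:17472",edge-a.example.invalid:17472,1
vdi-001,Yes,"edge-a.example.invalid:17472,edge-b.example.invalid:17472",edge-b.example.invalid:17472,0
vdi-002,Yes,"edge-a.example.invalid:17472,edge-b.example.invalid:17472",edge-a.example.invalid:17472,1
"""

# The list every client is expected to carry (assumed values).
EXPECTED_EDGES = ["edge-a.example.invalid:17472", "edge-b.example.invalid:17472"]
DEFAULT_LOG_LEVEL = 1      # documented default logging level
VDI_LOG_LEVEL = 0          # best-practice level for VDI endpoints
MAX_IMBALANCE_RATIO = 2.0  # assumed threshold: busiest edge vs. least busy edge


def parse_clients(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ServerNameList"] = [s.strip() for s in row["ServerNameList"].split(",") if s.strip()]
        row["LogVerbosityLevel"] = int(row["LogVerbosityLevel"])
        row["Virtual"] = row["Virtual"].strip().lower() == "yes"
    return rows


def review_server_name_list(clients, expected=EXPECTED_EDGES):
    """Names of clients whose ServerNameList is not the expected set of edges.

    Compared as sets (assumption): a missing or extra edge is a finding,
    a different ordering is not."""
    want = set(expected)
    return sorted(c["Computer Name"] for c in clients if set(c["ServerNameList"]) != want)


def review_edge_balance(clients, max_ratio=MAX_IMBALANCE_RATIO):
    """Connections per Client Edge (ServerName) and whether the spread is too wide."""
    counts = Counter(c["ServerName"] for c in clients)
    for edge in EXPECTED_EDGES:
        counts.setdefault(edge, 0)  # an edge with no clients must still show up
    busiest, quietest = max(counts.values()), min(counts.values())
    imbalanced = quietest == 0 or busiest / quietest > max_ratio
    return dict(counts), imbalanced


def review_log_levels(clients):
    """Per-value counts (like the Count column) plus clients off the best-practice level."""
    counts = Counter(c["LogVerbosityLevel"] for c in clients)
    findings = []
    for c in clients:
        want = VDI_LOG_LEVEL if c["Virtual"] else DEFAULT_LOG_LEVEL
        if c["LogVerbosityLevel"] != want:
            findings.append((c["Computer Name"], c["LogVerbosityLevel"], want))
    return dict(counts), findings


if __name__ == "__main__":
    clients = parse_clients(SAMPLE_CSV)
    print("ServerNameList mismatches:", review_server_name_list(clients))
    print("Edge balance:", review_edge_balance(clients))
    print("Logging levels:", review_log_levels(clients))
```

In the constructed data, srv-001 is missing one Client Edge from its list, five of six clients connect to the same edge, and two clients (one VDI, one workstation) have logging levels that should be reset; each finding maps to one of the remediation steps above (redeploy the ServerNameList, rebalance registration traffic, or push a logging-level change).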

Review and upgrade Tanium Client versions

The best practice is to run the latest Tanium Client version on all endpoints. However, in certain cases, temporarily running earlier client versions might be acceptable for some endpoints. For example, if you are rolling out client upgrades in phases, one group of endpoints at a time, you might want to finish testing the upgrade for the first phase before upgrading more endpoints in the next phase. Endpoints might also run an earlier client version if the upgrade process failed.

For details about client versions, see .

Determine which endpoints are running a client that is not at the latest version and decide whether to accept the earlier versions or upgrade the clients:

  1. From the Main menu, go to Administration > Client Management.

  2. Scroll to the Health dashboard to see the Client Version panel.
  3. If any endpoints are running an earlier client version, click the Client Version title and then click Interact in the Client Version panel to display the question results that provide the panel data.

  4. Retrieve any details from endpoints that you need to determine whether the earlier versions are acceptable, whether upgrades are required, or whether upgrades failed.

    For example, select a Filter by Computer Group option (such as All Windows) or issue a drill-down question. For the steps to retrieve additional details, see Tanium Console User Guide: Managing question results.

  5. Upgrade the client on any endpoints that require the latest version. See .
  6. Troubleshoot client upgrade issues if necessary. See .

Review and update Tanium Client subnets

Separated subnets, intentional subnets, and isolated subnets provide methods for modifying the default peering behavior of Tanium Clients. Default peering settings define the boundaries of client subnets in the Tanium linear chain architecture. As subnets are added to or removed from your network, you might have to update the client subnet configurations. For example, add isolated subnets for any new virtual private networks (VPNs).

For details about client peering and subnets, see .

Review and update isolated subnets

Configure isolated subnets for Tanium Clients that are in VPNs. VPN clients have local IP addresses in a special VPN address block, but the endpoints themselves are typically far apart on the physical network. If VPN clients are not isolated, they use WAN links for peering, and the latency of those peer connections is significantly greater than that of client-to-server connections.

  1. Go to Administration > Configuration > Subnets and review the Isolated Subnets. If necessary, consult your networking team to determine if the configurations require updates.
  2. Update isolated subnet configurations if necessary. See .

Review and update separated subnets

Configure separated subnet configurations to apply more granular subnet boundaries for Tanium linear chains than the default boundaries.

  1. Go to Administration > Configuration > Subnets and review the Separated Subnets. If necessary, consult your networking team to determine if the configurations require updates.
  2. Update separated subnet configurations if necessary. See .

Review and update intentional subnets

In a network configuration that uses network address translation (NAT), you might have to configure intentional subnets to ensure that clients in the same subnet can peer with each other.

  1. From the Main menu, go to Administration > Configuration > Client Status.

    The Network Location (from client) values indicate which clients are in the same subnet based on the setting. See .

    The Network Location (from server) column indicates the NAT IP addresses of clients.

  2. Select the endpoints that are in the same subnet but are not peering because their NAT IP addresses differ.

  3. Click Export, set the Format to List of Clients - CSV, and click Export.
  4. Go to Administration > Configuration > Subnets and compare the Intentional Subnets configurations to the exported list of clients.
  5. Update the intentional subnet configurations if necessary to enable peering among clients in the same subnets. See .
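Both subnet reviews above (isolated subnets for VPN clients, and intentional subnets for clients whose NAT addresses differ) can be driven from the exported list of clients. The following is an added example, not Tanium code and not part of this guide: it parses a constructed export with the two Network Location columns, groups clients into local subnets using an assumed /24 prefix, reports local subnets whose members are seen by the server behind more than one NAT address (candidates for intentional subnets), and reports clients whose local address is in a constructed VPN block but not yet covered by a constructed isolated-subnet configuration.

```python
"""Added example: find NAT-split local subnets and un-isolated VPN clients.

The CSV, the VPN address block, the existing isolated-subnet list and the
/24 local-subnet assumption are all constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of a "List of Clients - CSV" export (assumed column names).
SAMPLE_CSV = """\
Computer Name,Network Location (from client),Network Location (from server)
ws-101,10.20.1.15,203.0.113.10
ws-102,10.20.1.30,203.0.113.10
ws-103,10.20.1.77,203.0.113.11
ws-104,10.30.5.8,203.0.113.20
ws-105,10.30.5.9,203.0.113.20
vpn-201,172.31.200.14,198.51.100.5
vpn-202,172.31.201.40,198.51.100.6
"""

LOCAL_PREFIX = 24  # assumption: clients are grouped into /24 local subnets
VPN_BLOCK = ipaddress.ip_network("172.31.200.0/22")          # constructed VPN pool
ISOLATED_SUBNETS = [ipaddress.ip_network("172.31.200.0/24")]  # constructed current config


def parse_client_status(text):
    """Read the export into a list of {name, local, nat} dicts."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        {
            "name": r["Computer Name"],
            "local": ipaddress.ip_address(r["Network Location (from client)"].strip()),
            "nat": ipaddress.ip_address(r["Network Location (from server)"].strip()),
        }
        for r in rows
    ]


def find_nat_split_subnets(clients, prefix=LOCAL_PREFIX):
    """Local subnets whose members appear behind more than one NAT address.

    Clients in such a subnet will not peer with each other by default, so the
    subnet is a candidate for an intentional subnet configuration."""
    nats_by_subnet = defaultdict(set)
    for c in clients:
        subnet = ipaddress.ip_network(f"{c['local']}/{prefix}", strict=False)
        nats_by_subnet[subnet].add(c["nat"])
    return {
        str(subnet): sorted(str(n) for n in nats)
        for subnet, nats in nats_by_subnet.items()
        if len(nats) > 1
    }


def find_unisolated_vpn_clients(clients, vpn_block=VPN_BLOCK, isolated=ISOLATED_SUBNETS):
    """Names of clients with a VPN-pool address not covered by any isolated subnet."""
    return [
        c["name"]
        for c in clients
        if c["local"] in vpn_block and not any(c["local"] in net for net in isolated)
    ]


if __name__ == "__main__":
    clients = parse_client_status(SAMPLE_CSV)
    print("NAT-split subnets (intentional subnet candidates):", find_nat_split_subnets(clients))
    print("VPN clients lacking an isolated subnet:", find_unisolated_vpn_clients(clients))
```

With the constructed data, 10.20.1.0/24 is seen behind two NAT addresses and so would be compared against the Intentional Subnets configuration, and vpn-202 sits in the VPN pool outside the single isolated /24, which is the case where a new isolated subnet entry is needed. Confirm the prefix length and the VPN address block with your networking team before acting on the output, as the procedure above advises.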