Troubleshooting Deploy

Review troubleshooting tasks for common problems.

If Deploy is not performing as expected, you might need to do some troubleshooting or change settings.

For more comprehensive troubleshooting information, registered Tanium customers can sign in to view the Tanium Community: Deploy Troubleshooting Guide.

Collect a troubleshooting package

For your own review or to assist support, you can compile Deploy logs and files that are relevant for troubleshooting.

  1. Get the Deploy log.
    1. From the Deploy Overview page, click Help .
    2. Click the Support tab and click Collect.
    3. When the Status: is updated, click Download.

    The log zip file might take a few moments to download. The files have a timestamp with a deploy-support-YYYY-MM-DDTHH-MM-SS.mmmZ  format.

  2. (Optional) On the endpoint, copy the Tanium\Tanium Client\Tools\SoftwareManagement folder.
  3. (Optional) View status and logs for recent Deploy service jobs.
    1. On the Support tab, click View Job Status.
    2. In the Job Detail window, click Download Logs to download a job-logs.txt file with more details about recent jobs.

End user notifications are not displayed

End user notifications are supported for Windows and macOS endpoints only. If end user notifications are not being displayed on the endpoints:

  1. Verify that the Tanium End-User Notifications solution is installed. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.
  2. Ask the question: Get End-User Notifications - Has Tools from all machines to check if your endpoints have the end user notification tools.
  3. Verify Contact Tanium Support to verify that any security software exclusions include the \Tanium\Tanium End User Notification Tools directory. For more information, see Security exclusions.

Deployment fails with EUN error on endpoint

If your deployment is configured for a pre-notification, but the endpoint does not have the End-User Notifications tools installed, the deployment fails and triggers the following error: EunIncompatible: EUN is not installed or the version installed is too old. If you receive this error, ensure that the endpoint has a supported configuration and has the End-User Notifications tools installed. For more information, see Tanium End-User Notifications User Guide: Configuring End-User Notifications.

No applicability information for software packages

Software package applicability is calculated on the endpoints by using the applicability rules in the package definition, which is stored in the software package catalog and distributed to the endpoints.

If the applicability information for software packages is not available:

  1. Verify that the Deploy process is running on the target endpoint.
    1. Ask the question: Get Deploy - Is Process Running from all machines
    2. Check locally for the \Tanium\Tanium Client\python27\TPython.exe file on the endpoint.
  2. Compare the current and cached results of the Deploy - Software Packages Applicability sensor
    1. In Interact, ask the question: Get Deploy - Software Package Applicability[1,100000] from all machines
    2. Toggle between Current and Cached to ensure that the results match.

      If you do not see Current and Cached, ensure that the Deploy - Software Packages Applicability sensor is registered for collection in the Registration & Collection tab of the Interact Settings for the specific parameter values. For more information, see Tanium Console User Guide: Display sensor collection registration details.

    3. If you see any discrepancies, go to the Interact Settings and click Collect Now.

No software in the Predefined Package Gallery

After you import Deploy 1.1 or later, you must configure the service account and initialize the endpoints again. After the endpoints are initialized, it might take up to one hour to see the software in the Predefined Package Gallery page. You can also restart the Tanium Deploy service to reduce this time constraint.

If you still do not see any software in the Predefined Package Gallery page:

  1. From the Main menu, go to Administration > Content > Packages.
  2. Search for the Deploy - Software Package Gallery package.
  3. Verify that this package is cached.
    1. Verify that the Size column does not list Pending.
    2. If the size stays at Pending for more than one hour, Contact Tanium Support for assistance.
  4. Check to see if the Tanium Deploy service is attempting to gather the Deploy Predefined Package Gallery file.
    1. Collect a troubleshooting package.
    2. Open the downloaded support bundle and open the deploy-files\logs\Deploy.log file.
    3. Search for Ensuring software package gallery zip package.
    4. If the Deploy.log file does not have that text, Configure service account again, wait 10-15 minutes, and then repeat the previous steps to recheck the log file.
  5. If you still do not see any software in the Predefined Package Gallery page after completing the previous steps, Contact Tanium Support for assistance.

Monitor and troubleshoot Deploy coverage

The following table lists contributing factors into why the Deploy coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.

Contributing factor Corrective action
Gaps in Deploy action group membership Ensure that all endpoints that have a supported configuration for Deploy have the Deploy tools installed. These endpoints should be added to computer groups that can be members of the Deploy action group.
Gaps in End-User Notifications tools installations

Users cannot receive notifications for actions that are about to happen or configure the Self Service Client application.

Ensure that all endpoints that have a supported configuration have the End-User Notifications tools installed.

Ensure that any endpoint that is using the Self Service Client application has a properly configured and targeted End User Notification customization profile.

Ensure that all other endpoints have a default fallback profile configured in case the tools need to be accessed.

Gaps in Trends metric reports Ensure that all computer groups that are part of the Deploy action group are also part of the End-User Notifications action group.

Monitor and troubleshoot endpoints missing software updates released over 30 days

The following table lists contributing factors into why the endpoints missing software updates released over 30 days metric might be higher than expected, and corrective actions you can make.

Contributing factor Corrective action
Gaps in maintenance window coverage

Verify that the Computers with Enforced Maintenance Windows chart in the Health section of the Deploy Overview page shows 100% enforcement.

Ensure that endpoints have enough time to download and perform the installation.

Use the Download immediately option for future deployments so that endpoints are ready when the deployment start time begins.

If your business needs require a hard stop, set your maintenance window to end 30 minutes prior to that hard stop to ensure that deployments complete in time to adhere to business needs.

Software is not installing due to maintenance windows being too restrictive

Ensure that maintenance windows properly overlap with deployment times and change control process timelines.

Use End-User Notifications to provide users with options to postpone actions, such as installations or updates.

Use the Make Available Before Start Time option for self service deployments that are set for the future.

Software hits a timeout or does not install properly

Ensure that you have a supported silent installation command-line option that is supported by the vendor.

Consult with the vendor or developer of the software for the best practices to install the software.

The installer does not have a silent installation option

Use a third-party repackaging solution, such as AdminStudio or InstallShield, that offer the ability to assist in making a custom installer.

Request that the vendor create a proper silent installer for larger deployments.

Monitor and troubleshoot mean time to deploy software

The following table lists contributing factors into why the mean time to deploy software metric might be higher than expected, and corrective actions you can make.

Contributing factor Corrective action
Files are not uploading to a package properly

(Windows) Ensure that the permissions are properly set to remote Windows file servers.

(Appliance) Ensure that you set up the Module Server TDL to access the shares. For more information, see Tanium Appliance User Guide: Add an authentication user for TDownloader.

Packages are not downloading from the Predefined Package Gallery

Ensure that the Tanium Server can download the packages from the remote URL.

Check any proxies, firewalls, or network connectivity.

Ensure that your TDL settings are correct.

For more information, see No software in the Predefined Package Gallery.

It takes too long to test the software and get it ready for production

Reevaluate your process for software testing:

  • Are there any gaps or delays in the process?
  • Are there too many points of contact for reporting issues?
  • Are endpoints being tested that may not be relevant for the deployment?

Evaluate conditions that surround problem resolution and retesting.

Hold people accountable to timelines.

For endpoints that might exhibit compatibility or testing issues, consider a shared solution, such as Terminal, Remote Desktop Server, Citrix XenApp, or App-V.

Monitor and troubleshoot software installed by self service user request

The following table lists contributing factors into why the software installed by self service user request metric might be different than expected, and corrective actions you can make.

Contributing factor Corrective action
Help desk spends too much time installing software for users

Use self service options for software that is pre-approved, to ease the load on your help desk.

Applications that make the best candidates for self service are:

  • Freeware (example: Chrome or Firefox)
  • Software that is available for all systems, but are discretionary by business needs (example: Zoom, Notepad++, or specific line of business applications)

Users install unapproved software

Use self service options, but limit the applications that the user has access to, by default.

Consider locking down administrative permissions on the endpoints, if available.

For software that might require additional approvals, such as software that requires a purchased license, target only endpoints that are approved to install that software.

Uninstall Deploy

Use only this procedure to uninstall Deploy.

If you need to uninstall Deploy, first clean up the Deploy artifacts on the endpoint, then uninstall Deploy from the server, and then remove Deploy data directories and files from the server.

Remove Deploy artifacts from endpoints

To remove Deploy from endpoints, use the following options in the Endpoint Configuration - Uninstall package for Deploy to block reinstallation, perform a soft uninstall, and then remove unreferenced dependencies. For more information, see Remove Deploy tools from endpoints.

  1. Block reinstallation: This option prevents Tanium Endpoint Configuration from reinstalling Deploy. Select this option only if you want to remove Deploy from the endpoint indefinitely.
  2. Soft uninstall: This option removes Deploy but preserves databases and logs that might be needed for troubleshooting on the endpoint.
  3. Remove unreferenced dependencies: This option removes tools that are Deploy dependencies, but it does not remove dependencies for other solutions.

Remove Deploy from the Tanium Module Server

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the check box in the Deploy section, then click Uninstall and follow the process.
  3. Return to the Solutions page and verify that the Import button is available for Deploy.

If the Deploy module has not updated in the console, refresh your browser.

Remove packages

  1. From the Main menu, go to Administration > Content > Packages.
  2. In the Content Set column, filter on values that contain Deploy.
  3. Retain the Deploy - Remove Tools packages, and select and delete all of the other packages.

(Optional) Remove data directories and files

To permanently remove all Deploy data from the Tanium Module Server, manually delete the following directories and files. If you later import the Deploy solution, the previous data is not restored.


  • \Program Files\Tanium\Tanium Module Server\services\deploy-files\
  • \Program Files\Tanium\Tanium Module Server\services\deploy-service\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-service\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-service-invoker\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-service-proxy\
  • \Program Files\Tanium\Tanium Module Server\temp\deploy-*.bak


This action requires access to the unrestricted shell. For more information, including how to request a shell key, see Tanium Appliance Deployment Guide: Examine OS processes and files.

  • /opt/Tanium/TaniumModuleServer/deploy-files
  • /opt/Tanium/TaniumModuleServer/deploy-service
  • /opt/Tanium/TaniumModuleServer/temp/deploy-*.bak

Remove Deploy tools from endpoints

You can deploy an action to remove Deploy tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Deploy, drill down as necessary, and select the targets from which you want to remove Deploy tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Deploy.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Deploy to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Deploy databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, such as Recorder or Index, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data, such as recorded events (in the case of Recorder) or file indexes (in the case of Index). If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool. To help determine what data a tool stores on endpoints, go to and review the documentation for the tool or for the Tanium solution that installed it , and contact Tanium Support for additional help.

  8. To also remove any tools that were dependencies of the Deploy tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Contact Tanium Support

To contact Tanium Support for help, sign in to