Endpoint Configuration overview

Use Endpoint Configuration to deliver configuration information to endpoints consistently for all Tanium solutions that are available in an environment. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration adds solution-specific configurations to a configuration manifest and uses one consistent action to distribute it to all endpoints. All the configuration data that reaches the endpoint is then sensitive to changes that affect the endpoint. For example, the configuration is not applied to an endpoint if the endpoint is no longer a member of the relevant targeting group.

Endpoint Tools

Other Tanium solutions use Endpoint Configuration to install client extensions and any other needed tools on endpoints. You can review installed endpoint tools in Endpoint Configuration, and you can use the packages provided by Endpoint Configuration to restart, uninstall, reinstall, block, or unblock endpoint tools as necessary.


Configurations combine solution-specific data and targeting information, for example, a computer group or the results of a sensor. Examples of configurations could be a change to a Tanium Threat Response profile that targets one or more computer groups, or an updated Tanium Patch scan configuration that targets one or more endpoints that match the results of a sensor. If configuration approval is enabled in Endpoint Configuration, a configuration change that is made in a Tanium solution appears in Endpoint Configuration for approval before deployment to the endpoints that the configuration targets.

Solution administrators can evaluate and configure the priority for configuration items to address specific scenarios. For example, consider a patching scenario where all Windows endpoints must receive all patches but Windows servers must receive only security-related patches. Because a Windows Server target is more specific than a Windows Endpoint target, a solution administrator can configure that setting as having higher priority.

Because a service account that is managed by the System User service distributes the configuration changes, these changes automatically bypass action approval at the Tanium Platform level if it is enabled. To require approval for these changes, use Endpoint Configuration approvals.


When configuration approval is enabled, Endpoint Configuration creates an approval for each configuration that is a candidate for deployment to targeted endpoints. When an approval appears in Endpoint Configuration, a configuration approver with appropriate credentials can approve or reject the approval. Each approval displays the domain (the Tanium solution to which it applies), a category for that domain, and a description of the configuration change that would be deployed to the targeted endpoints if approved. To show the effect that deploying the configuration change to the targeted endpoints would have, each approval also displays a before-and-after comparison of the configuration change that would be made.
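The following added example (a simplified model, not Tanium code or a Tanium API) shows how targeting-group membership, priority, and approval together decide which configuration an endpoint receives. The field names, the numeric priority where a higher number wins, and the choice of one item per solution domain are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Configuration:
    domain: str        # Tanium solution the item belongs to (hypothetical label)
    name: str
    target_group: str  # computer group that the item targets
    priority: int      # assumed convention: higher number wins
    approved: bool     # outcome of the Endpoint Configuration approval

def effective_configs(configs, endpoint_groups, approval_enabled=True):
    """Return {domain: Configuration} that would apply to one endpoint."""
    chosen = {}
    for cfg in configs:
        # Not applied if the endpoint is not (or is no longer) in the targeting group.
        if cfg.target_group not in endpoint_groups:
            continue
        # With approval enabled, unapproved items are not candidates for deployment.
        if approval_enabled and not cfg.approved:
            continue
        best = chosen.get(cfg.domain)
        if best is None or cfg.priority > best.priority:
            chosen[cfg.domain] = cfg
    return chosen

def names(result):
    """Reduce a result to {domain: configuration name} for easy comparison."""
    return {domain: cfg.name for domain, cfg in result.items()}

# Constructed sample data modelled on the patching scenario described above.
CONFIGS = [
    Configuration("patch", "all-patches", "All Windows", 10, True),
    Configuration("patch", "security-only", "Windows Servers", 20, True),
    Configuration("threat-response", "new-profile", "Windows Servers", 10, False),
]

if __name__ == "__main__":
    server = {"All Windows", "Windows Servers"}
    workstation = {"All Windows"}
    print("server:", names(effective_configs(CONFIGS, server)))
    print("workstation:", names(effective_configs(CONFIGS, workstation)))
    # Approval disabled: the pending Threat Response profile would also deploy.
    print("no approval:", names(effective_configs(CONFIGS, server, approval_enabled=False)))
```

Removing the server from the Windows Servers group in this model makes it fall back to the lower-priority item, which mirrors the statement that a configuration is not applied once an endpoint leaves the relevant targeting group.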

Interoperability with other Tanium products

Tanium™ Connect

You can use Endpoint Configuration audit logs as a connection source. For more information, see Reviewing and exporting the audit log.

Other Tanium solutions

The following table lists solutions for which Endpoint Configuration manages configuration changes, approvals, and tool deployment.

For solutions to perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

Tanium Solution | Configuration Changes and Approvals | Tool Deployment
Tanium™ Asset
Tanium™ Benchmark
Tanium™ Comply
Tanium™ Deploy
Tanium™ Direct Connect
Tanium™ Discover
Tanium™ Enforce
Tanium™ Engage
Tanium™ Impact
Tanium™ Integrity Monitor
Tanium™ Map
Tanium™ Patch
Tanium™ Performance
Tanium™ Reveal
Tanium™ Risk
Tanium™ Threat Response

Content-only Tanium Solutions

Additionally, Endpoint Configuration manages tool deployment for content-only solutions that provide content but do not have a service or workbench. For more information, see View and manage content-only solutions.