Using action lock content

In some cases, it might be desirable to prevent the Tanium Client from running Tanium package scripts. You can deploy an "action lock" to the endpoint. When the action lock is deployed, the only actions that are allowed to run are packages that are explicitly configured with the Ignore action lock option.

The Initial Content - Base content pack includes action lock packages for Windows and non-Windows endpoints. This content pack also includes a sensor named Action Lock status and saved questions that use this sensor so you can track Tanium Clients that have the action lock turned on.

Turn action lock on

  1. Ask a targeting question, such as Get Computer Name and Action Lock Status from all machines.
  2. Select one or more result rows and click Deploy Action.
  3. Select the Tanium Client - Set Action Lock On package and select the appropriate computer group from the Action Group drop-down list.
  4. Click Show Preview to Continue and then Deploy Action.
  5. Follow the status and note the action is completed.

Test that action lock is working as expected

  1. Issue the saved question Clients That Cannot Take Actions - Action Lock On.
  2. Log in to the endpoint and review the settings. For example, on Windows, a registry entry ActionLockFlag is created and set to 1. Likewise, the analogous ActionLockFlag setting is created on non-Windows.
  3. Log in to the endpoint and check the action history log file.
  4. Deploy an action to the endpoint and then track its status:
    • The Action Status does not complete.
    • On the Action History page, the action is closed when it expires (after the action timeout period).

Turn action lock off

  1. Issue the saved question Clients That Cannot Take Actions - Action Lock On.
  2. Select one or more result rows and click Deploy Action.
  3. Select the Tanium Client - Set Action Lock Off package and select the appropriate computer group from the Action Group drop-down list.
  4. Click Show Preview to Continue and then Deploy Action.
  5. Follow the status and note the action is completed.

Verify that action lock has been turned off

  1. Issue the saved question Clients That Cannot Take Actions - Action Lock On and make sure the endpoint is not in the list.
  2. Log in to the endpoint and review the settings. For example, on Windows, the registry entry ActionLockFlag is removed. Likewise, on non-Windows, the analogous ActionLockFlag setting is removed.
  3. Log in to the endpoint and check the action history log file.

Last updated: 3/19/2018 10:42 AM