Using action lock content

When you want to prevent the Tanium Client from running Tanium package scripts on certain endpoints, you can deploy an action lock. An action lock prevents any actions from running except those with packages that have the Ignore action lock option enabled (see Create a package). The Initial Content - Base content pack includes action lock packages for Windows and non-Windows endpoints. This content pack also includes a sensor named Action Lock Status and saved questions that use this sensor, which enable you to track Tanium Clients that have the action lock turned on.

Turn on action lock

  1. Ask a targeting question, such as Get Computer Name and Action Lock Status from all machines.
  2. Select the result rows for endpoints that require the action lock, and click Deploy Action.
  3. Select the Tanium Client - Set Action Lock On package and select the appropriate Action Group.
  4. Click Show Preview to Continue and then Deploy Action. The Action Status page opens.
  5. Monitor the action status. If you want to test the action lock, record the Action ID and wait for the action to complete.

Test the action lock

  1. Issue the saved question Clients That Cannot Take Actions - Action Lock On.
  2. Log in to an endpoint that is included in the question results, and review the settings. Turning on the action lock creates an ActionLockFlag setting on endpoints and sets the value to 1. On Windows endpoints, this setting is a registry key.
  3. On the endpoint, open the associated action log and look for a message that indicates the action lock is on. Action logs are in the <Tanium_Client_installation_directory>/Downloads folder. You can identify the log for a specific action by the log filename (Action_<ID>.txt), which contains the Action ID displayed in the Action Status page or Actions > Action History page.
  4. Deploy an action to the endpoint (see Deploy an action). After the Action Status page opens, the action eventually times out and its status changes to Expired. The Action History page shows the Status as Closed after the action expires.

Turn off action lock

  1. Issue the saved question Clients That Cannot Take Actions - Action Lock On.
  2. Select the result rows for endpoints that require the action lock to be turned off, and click Deploy Action.
  3. Select the Tanium Client - Set Action Lock Off package and select the appropriate Action Group.
  4. Click Show Preview to Continue and then Deploy Action. The Action Status page opens.
  5. Monitor the status and wait for the action to complete.

Verify that action lock is off

  1. Issue the saved question Clients That Cannot Take Actions - Action Lock On, and verify that the results do not include the endpoints for which you turned off the action lock.
  2. Log in to an endpoint that is not included in the question results, and review the settings. Turning off the action lock removes the ActionLockFlag setting on endpoints.
  3. On the endpoint, open the associated action log and look for a message that indicates the action lock is off. Action logs are in the <Tanium_Client_installation_directory>/Downloads folder. You can identify the log for a specific action by the log filename (Action_<ID>.txt), which contains the Action ID displayed in the Action Status page or Actions > Action History page.

Last updated: 5/3/2019 8:37 AM