Preparing OS bundle content

Before you begin

You must obtain the following content before you complete the Provision setup.

Windows

  • Windows image file: You can use the install.wim file from the standard Windows media ISOs, or a custom WIM file captured after the OS was sysprepped using Microsoft Deployment Toolkit (MDT). For more information about how to acquire the WIM file from the Windows media, see Microsoft Documentation: Create a Windows 10 reference image. For more information about how to capture a custom Windows image, see Capture a Windows OS image.
  • Windows ADK: You can download the latest Windows 11 or Windows 10 ADK files from Microsoft Documentation: Download and install the Windows ADK to use with Tanium Provision. Both the Windows ADK and the WinPE add-on must be installed. For the ADK installation, the deployment tools and User State Migration Tool (USMT) components must be installed on any supported Windows endpoint, such as Windows 10, Windows 11, or Windows Server.
  • Tanium Client installer package: Create a client configuration for Windows using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration. Download the Windows client installer bundle from the Tanium Client Management Overview page. For more information, see Tanium Client Management User Guide: Download installation packages for the Tanium Client.
  • Custom scripts: (Optional) You can specify a ZIP file that contains scripts and any other required files to configure the OS. For more information, see Include custom scripts.
  • Drivers for the models of computers that you are deploying: Each computer model needs different driver packages, which can include INF, catalog, driver, or other files. Copy these drivers and create separate ZIP or CAB files for each model, where the file name indicates the model to which the drivers apply. For example, drivers_SurfaceBook.zip or drivers_SurfaceBook.cab. For more information, see Microsoft Documentation: Components of a Driver Package.
  • Patches: (Optional) You can specify one or more OS updates or patches to inject into the OS offline, before booting into the OS for the first time.

    Use Tanium Patch to install patches after the endpoint is provisioned to save deployment time in Provision.

Linux

  • Cloud-init file: To support customizing and configuring the Linux image, Provision uses the cloud-init configuration tool. For more information, see the cloud-init website. The cloud-init tool must be installed in the Linux OS using the appropriate method for the specific OS that you want to deploy. For example:
    • AlmaLinux, CentOS, RedHat, and Rocky Linux: yum install cloud-init
    • Debian and Ubuntu: apt install cloud-init
    Two cloud-init template files are also provided in the utility.zip file that you can download from the File Downloads tab of the Provision Settings. You can use either of these files as-is, or customize them by adding any additional configuration.
    • user-data.yaml: configures the admin password and installs the Tanium Client
    • redhat.yaml: configures the admin password, installs the Tanium Client, and refreshes the RedHat subscription
  • Tanium Client installer package: Create a client configuration for Linux using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration. Download the Linux client installer bundle from the Tanium Client Management Overview page. For more information, see Tanium Client Management User Guide: Download installation packages for the Tanium Client.
  • Custom scripts: (Optional) You can specify a ZIP file that contains scripts and any other required files to configure the OS. For more information, see Include custom scripts.

Download provided files for Provision

Provision includes two ZIP files that are used to Generate the Windows ADK content for Windows OS bundles and Include custom scripts.

  1. From the Provision Overview page, click Settings and then click File Downloads.
  2. (Optional) Click scripts.zip to download the optional custom content files.

    Download this file only if you need to make modifications to the included Provision scripts.

  3. Click utility.zip to download the required scripts and related files.

Configure a Windows OS bundle

Deploying a Windows operating system using Tanium Provision requires some files from the Windows Assessment and Deployment Kit (ADK).

Generate the Windows ADK content

Ensure that you install both the Windows ADK and WinPE add-on to the computer that you are using to generate the Windows ADK content. For more information, see Before you begin: Windows.

  1. Extract the contents of the previously downloaded utility.zip file to a folder, such as C:\Users\Administrator\Documents.
  2. Open an elevated PowerShell prompt.
    1. Ensure that the execution of scripts is allowed by entering the following command:

      Set-ExecutionPolicy bypass

    2. Navigate to the folder that contains the ADKPrep.ps1 script by entering the following command:

      cd C:\Users\Administrator\Documents\utility\ADKPrep

    3. (Optional) If any additional mass storage drivers are required for Windows PE, put them in an architecture-specific folder, such as C:\Users\Administrator\Documents\utility\ADKPrep\amd64\Drivers.
      These files are automatically injected into Windows PE as part of the ADKPrep.ps1 script execution.
    4. Generate the ADK zip files for the architecture that you need by entering the following command:

      .\ADKPrep.ps1 -Architecture amd64

    You can alternatively open a command prompt and enter the following command from C:\Users\Administrator\Documents\utility\ADKPrep:

    Powershell.exe -ExecutionPolicy Bypass -File .\ADKPrep.ps1 -Architecture amd64

  3. Ensure that no errors were generated.
  4. Copy the generated ADK_<architecture>.zip files to a convenient location that is easy to remember, such as C:\ProvisionFiles.

The utility.zip file also includes an Unattend folder with unattend_<architecture>.xml template files that are required to create an OS bundle. You can copy them to C:\ProvisionFiles to use in Create a Windows OS bundle.
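The steps above can be run as one script that limits the execution policy change to the current session; Set-ExecutionPolicy without -Scope changes the LocalMachine policy and persists after the session ends. This is an added example, not Tanium's code. It assumes that utility.zip is already extracted to the path used in the steps, that ADKPrep.ps1 writes ADK_<architecture>.zip into its own folder, and that the Unattend folder sits beside the ADKPrep folder.

```powershell
# Added example, not part of utility.zip. Assumed locations are marked below.
$ErrorActionPreference = 'Stop'
$Architecture = 'amd64'
$UtilityDir   = 'C:\Users\Administrator\Documents\utility'   # extraction path from step 1
$AdkPrepDir   = Join-Path $UtilityDir 'ADKPrep'
$Destination  = 'C:\ProvisionFiles'

# Step 2 requires elevation; stop early if the session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Process scope: the bypass ends with this session and the machine policy is untouched.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

Push-Location $AdkPrepDir
try {
    $Error.Clear()
    & .\ADKPrep.ps1 -Architecture $Architecture
    # Step 3: treat any recorded error as a failure, including non-terminating ones.
    if ($Error.Count -gt 0) {
        throw "ADKPrep.ps1 recorded $($Error.Count) error(s); review the output before continuing."
    }
} finally {
    Pop-Location
}

# Step 4: copy the generated ZIP and the matching unattend template.
# Assumption: the ZIP is written to the ADKPrep folder and Unattend is a sibling folder.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Copy-Item (Join-Path $AdkPrepDir "ADK_$Architecture.zip") -Destination $Destination
Copy-Item (Join-Path $UtilityDir "Unattend\unattend_$Architecture.xml") -Destination $Destination

# Record SHA-256 hashes so the files can later be compared with the copies
# downloaded from the OS bundle details view.
$copied = "ADK_$Architecture.zip", "unattend_$Architecture.xml" |
    ForEach-Object { Join-Path $Destination $_ }
Get-FileHash -Path $copied -Algorithm SHA256 | Format-Table Hash, Path -AutoSize
```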

Capture a Windows OS image

If you want to use a custom OS image instead of one that is provided by Microsoft, you can use Provision to capture an image. Provision always captures the first NTFS volume.

After you configure your Windows OS and generalize it with sysprep, you can use Provision to capture the OS into an image file. To generalize the OS, open the Command Prompt as administrator and enter the following command:

%WINDIR%\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown

  1. Boot the computer, using either the media or PXE options, into the Tanium Provision boot image.
  2. After connecting to a network, click Capture.
  3. Enter an Image name.

    If the specified WIM file already exists, a different image name causes a new image to be added to that WIM file. You can have multiple OS images within one WIM file.

  4. Enter a File name with a .wim file extension.
  5. Enter the UNC (SMB/CIFS) path where you want the image file to be created.
  6. Enter the User name and Password credentials to establish a connection with the SMB path and then click CAPTURE.
  7. After the capture process completes, you can reboot the computer back into the OS, which is not modified during the capture process.

Create a Windows OS bundle

To specify the details of the OS that you want to deploy, create a Windows OS bundle.

  1. From the Provision menu, click OS Bundles and then click Create Bundle.

    You can also click Create OS Bundle from the Quick Links section of the Provision Overview page.

  2. In the Details section, provide identifying details for the bundle.
    1. Enter a name and optional description.
    2. For Platform, select Windows.
    3. Select an Operating System and Architecture.
  3. In the Files section, add required or optional files.
    1. In the OS Image WIM section, select an image index and click Browse for File to select the install.wim file that you previously downloaded in Before you begin: Windows or created in Capture a Windows OS image.

      For the default image, select the Image Index of 3 for Windows 10 Enterprise.

    2. In the ADK Files section, click Browse for File to select the ADK_<architecture>.zip file that you previously generated in Generate the Windows ADK content.

      This previously generated ADK_<architecture>.zip contains the Windows PE, boot, and USMT files.

    3. In the Unattended XML section, click Browse for File to select the appropriate unattend_<architecture>.xml file that you previously extracted from the utility.zip file.
    4. In the Tanium Client Installation Files section, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    5. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in Include custom scripts.
  4. (Optional) In the Drivers and Patches section, add driver and patch files.
    1. For Drivers, click Browse for File to select each drivers_<model>.zip or drivers_<model>.cab file that you previously created in Before you begin: Windows.
      Driver files are downloaded and used only when they match the following regular expression:
      drivers.(zip|cab)|drivers_%Model%.(zip|cab)|drivers_%ModelAlias%.(zip|cab)|drivers_%Version%.(zip|cab)

      where Model is the computer model, ModelAlias is the first four characters of Lenovo model IDs, and Version is generally a descriptive model string, such as Lenovo ThinkPad X1 Carbon gen 2.

      Any spaces in the Model or Version strings are removed prior to checking against the regular expression.

      To get the Model, ModelAlias, and Version strings, you can run the following PowerShell commands:

      Model

      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Replace(" ","")

      ModelAlias

      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Substring(0,4)

      Version

      (Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty Version).Replace(" ","")

    2. For Patches, click Browse for File to select each .msu file for the patches that you previously gathered in Before you begin: Windows.
  5. (Optional) In the Key Value Entries section, click Add Key Value Pair to add key value pairs. For more information about the available key value pairs, see Provision key value pair options.
  6. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.
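To check driver archive names against the pattern in step 4 before uploading them, the following added example (not Tanium's code) fills the pattern with a model's strings and tests candidate file names. Get-DriverPattern and Test-DriverFileName are hypothetical helper names, the Model value is constructed, and the whole-name, case-insensitive match with escaped model strings is an assumption about how Provision evaluates the pattern.

```powershell
# Added example. Assumptions: Provision matches the whole file name, ignores case,
# and treats the substituted model strings as literal text.
function Get-DriverPattern {
    param([string]$Model, [string]$ModelAlias, [string]$Version)
    # Pattern as printed in step 4.
    $pattern = 'drivers.(zip|cab)|drivers_%Model%.(zip|cab)|drivers_%ModelAlias%.(zip|cab)|drivers_%Version%.(zip|cab)'
    $values = @{
        Model      = $Model.Replace(' ', '')     # spaces are removed before matching
        ModelAlias = $ModelAlias
        Version    = $Version.Replace(' ', '')
    }
    foreach ($name in $values.Keys) {
        # Escape so characters such as "(" or "+" in a model string are not read as regex syntax.
        $pattern = $pattern.Replace("%$name%", [regex]::Escape($values[$name]))
    }
    "^(?:$pattern)$"
}

function Test-DriverFileName {
    param([string]$FileName, [string]$Pattern)
    [regex]::IsMatch($FileName, $Pattern, 'IgnoreCase')
}

# Constructed sample values; on a real endpoint, use the three commands from step 4.
$model   = '20A7 CTO1WW'
$pattern = Get-DriverPattern -Model $model -ModelAlias $model.Substring(0, 4) `
                             -Version 'Lenovo ThinkPad X1 Carbon gen 2'

$candidates = @(
    'drivers.zip'                                  # generic archive
    'drivers_20A7CTO1WW.zip'                       # Model with the space removed
    'drivers_20A7.cab'                             # ModelAlias
    'drivers_LenovoThinkPadX1Carbongen2.zip'       # Version with spaces removed
    'drivers_Lenovo ThinkPad X1 Carbon gen 2.zip'  # spaces left in the file name
    'drivers_SurfaceBook.zip'                      # archive for a different model
    'drivers_20A7.zip.bak'                         # extra suffix
)
$candidates | ForEach-Object {
    [pscustomobject]@{ FileName = $_; Matches = Test-DriverFileName -FileName $_ -Pattern $pattern }
} | Format-Table -AutoSize
```

With these sample values the first four names match and the last three do not, so an archive named with the spaces still in the model string is not picked up for that model.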

Configure a Linux OS bundle

Deploying a Linux operating system using Tanium Provision requires capturing an image of a complete Linux installation.

The following Linux distributions and versions are supported by Provision:

  • AlmaLinux 8.6, 9
  • CentOS 7, 8, 9, Stream
  • Debian 11
  • RHEL 8.4, 8.5, 8.6, 9
  • Rocky Linux 8.6, 9
  • Ubuntu 22.04

The following Linux distributions are not supported by Provision:

  • Amazon Linux
  • IBM AIX
  • Oracle Solaris
  • SUSE (SLES)

Linux OS bundles can be used to perform bare-metal Linux provisioning or to refresh Windows endpoints to Linux. Re-imaging a Linux endpoint with a Linux OS bundle is not supported.

Capture a Linux OS image

Provision supports the default disk layouts for each OS that is captured and deployed:

  • AlmaLinux, CentOS, RedHat, and Rocky Linux: LVM and XFS file systems
  • Debian and Ubuntu: single Ext4 partition contains the entire OS

If you capture a Linux image with a swap file enabled, deploying that image might fail because the swap file is no longer available. Before you capture the image, disable the swap file. For example, on AlmaLinux, CentOS, RedHat, and Rocky Linux, use the swapoff -a command.

After you configure your Linux OS, you can use Provision to capture the OS into an image file.

Ensure that the capture image disk size is at least 55 GB.

  1. Boot the computer, using either the media or PXE options, into the Tanium Provision boot image.
  2. After connecting to a network, click Capture.
  3. Enter a File name with a .fsa file extension.
  4. Enter the UNC (SMB/CIFS) path where you want the image file to be created.
  5. Enter the User name and Password credentials to establish a connection with the SMB path and then click CAPTURE.
  6. After the capture process completes, you can reboot the computer back into the OS, which is not modified during the capture process.

Create a Linux OS bundle

To specify the details of the OS that you want to deploy, create a Linux OS bundle.

  1. From the Provision menu, click OS Bundles and then click Create Bundle.

    You can also click Create OS Bundle from the Quick Links section of the Provision Overview page.

  2. In the Details section, provide identifying details for the bundle.
    1. Enter a name and optional description.
    2. For Platform, select Linux.
    3. Select an Operating System and Architecture.
  3. In the Files section, add required or optional files.
    1. In the OS Image FSA section, click Browse for File to select the FSA file that you previously created in Capture a Linux OS image.
    2. In the Cloud-init section, click Browse for File to select the cloud-init file that you previously prepared in Before you begin: Linux.
    3. In the Tanium Client Installation Files section, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    4. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in Include custom scripts.
  4. (Optional) In the Key Value Entries section, click Add Key Value Pair to add key value pairs. For more information about the available key value pairs, see Provision key value pair options.
  5. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.

Manage OS bundles

You can manage OS bundles from the Provision OS Bundles page.

Edit an OS bundle

To edit an OS bundle, select a bundle and then click Edit.

View OS bundle details

To view OS bundle details on the OS Bundles page, click Additional Data next to the OS bundle.

Additionally, you can download any of the bundle files from this view by clicking Download next to available file names.

Until the bundle has a Ready status, the download icon is grayed out and inactive. You can view the status of a bundle from the OS Bundles page.

Clone an OS bundle

To make a copy of an existing OS bundle, select an OS bundle, click More, and then click Duplicate. The OS bundle name is automatically prepended with Clone:, but you can make any changes before you click Save.

Delete an OS bundle

To delete an OS bundle, select one or more OS bundles and click Delete.

You cannot delete the last OS bundle that is assigned to a Provision endpoint.