Preparing OS bundle content

Deploying a Windows operating system using Tanium Provision requires some files from the Windows Assessment and Deployment Kit (ADK).

Before you begin

You must obtain the following content before you complete the Provision setup.

  • Windows ADK: You can download the latest Windows 11 or Windows 10 ADK files from Microsoft Documentation: Download and install the Windows ADK to use with Tanium Provision. Both the Windows ADK and the WinPE add-on must be installed. For the ADK installation, the deployment tools and User State Migration Tool (USMT) components must be installed on any supported Windows endpoint, such as Windows 10, Windows 11, or Windows Server.
  • Windows image file: You can use the install.wim file from the standard Windows media ISOs, or a custom WIM file captured after the OS was sysprepped using Microsoft Deployment Toolkit (MDT). For more information about how to acquire the WIM file from the Windows media, see Microsoft Documentation: Create a Windows 10 reference image.
  • Tanium Client installer package: Create a client configuration for Windows using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration.
  • Drivers for the models of computers that you are deploying: Each computer model needs different driver packages, which can include INF, catalog, driver, or other files. Copy these drivers and create a separate ZIP or CAB file for each model, where the file name indicates the model that the drivers are for. For example, drivers_SurfaceBook.zip or drivers_SurfaceBook.cab. For more information, see Microsoft Documentation: Components of a Driver Package.
  • Patches: (Optional) You can specify one or more OS updates or patches to inject into the OS offline, before booting into the OS for the first time.

    To save deployment time in Provision, use Tanium Patch to install patches after the endpoint is provisioned.

Download provided files for Provision

Provision includes two ZIP files that are used to Generate the Windows ADK content and Create custom content for OS bundles.

  1. From the Provision Overview page, click Settings and then click File Downloads.
  2. (Optional) Click scripts.zip to download the optional custom content files.

    Download this file only if you need to make modifications to the included Provision scripts.

  3. Click utility.zip to download the required scripts and related files.

Generate the Windows ADK content

  1. Extract the contents of the previously downloaded utility.zip file to a folder, such as C:\Users\Administrator\Documents.
  2. Open an elevated PowerShell command.
    1. Ensure that the execution of scripts is allowed by entering the following command:

      Set-ExecutionPolicy bypass

    2. Navigate to the folder that contains the ADKPrep.ps1 script by entering the following command:

      cd C:\Users\Administrator\Documents\utility\ADKPrep

    3. (Optional) If any additional mass storage drivers are required for Windows PE, put them in an architecture-specific folder, such as C:\Users\Administrator\Documents\utility\ADKPrep\amd64\Drivers.
      These files are automatically injected into Windows PE as part of the ADKPrep.ps1 script execution.
    4. Generate the ADK zip files for the architecture that you need by entering the following command:

      .\ADKPrep.ps1 -Architecture amd64

  3. Ensure that no errors were generated.
  4. Copy the generated ADK_<architecture>.zip files to a convenient location that is easy to remember, such as C:\ProvisionFiles.

The utility.zip file also includes an Unattend folder with unattend_<architecture>.xml template files that are required to create an OS bundle. You can copy them to C:\ProvisionFiles to use in Configure an OS bundle.

Create custom content

You can create a ZIP file that contains at least a Customer.ps1 PowerShell script file for any custom content that you want to include. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the C:\_t folder, and then automatically run the Customer.ps1 PowerShell script, if found.

Do not name your custom ZIP file scripts.zip. If your Customer.ps1 script requires additional files, you can include those files in your custom ZIP file.

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.
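Because any file in the custom ZIP silently replaces a standard Provision script of the same name, it is worth checking a custom ZIP against the downloaded scripts.zip before uploading it. The following is an added example, not part of Tanium Provision; the two file paths are assumptions, and entries are compared by their full path inside each archive.

```powershell
# Added example (not Provision's own code): report entries in a custom content ZIP that
# would overwrite standard Provision scripts, and confirm a Customer.ps1 is present.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipEntryNames {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Directory entries have an empty Name; keep only file entries, by full path in the archive.
        $zip.Entries | Where-Object { $_.Name } | ForEach-Object { $_.FullName }
    }
    finally { $zip.Dispose() }
}

function Test-CustomContentZip {
    param(
        [Parameter(Mandatory)][string]$CustomZip,          # the ZIP you intend to upload
        [Parameter(Mandatory)][string]$StandardScriptsZip  # scripts.zip downloaded from File Downloads
    )
    if ([System.IO.Path]::GetFileName($CustomZip) -ieq 'scripts.zip') {
        throw 'The custom ZIP must not be named scripts.zip.'
    }
    $custom   = @(Get-ZipEntryNames -Path $CustomZip)
    $standard = @(Get-ZipEntryNames -Path $StandardScriptsZip)

    # Customer.ps1 is what the main scripts run after extraction; warn if it is missing.
    $customerScript = $custom | Where-Object { [System.IO.Path]::GetFileName($_) -ieq 'Customer.ps1' }
    if (-not $customerScript) {
        Write-Warning "No Customer.ps1 found in $CustomZip; nothing will be run after extraction."
    }

    # Any entry whose archive path also exists in scripts.zip overwrites that standard script.
    $overwrites = @($custom | Where-Object { $standard -icontains $_ })
    foreach ($entry in $overwrites) {
        Write-Warning "Entry '$entry' overwrites a standard Provision script."
    }

    [pscustomobject]@{
        CustomerScript = @($customerScript)
        Overwrites     = $overwrites
    }
}

# Assumed locations; adjust to where the files actually are.
Test-CustomContentZip -CustomZip 'C:\ProvisionFiles\custom_content.zip' `
                      -StandardScriptsZip 'C:\Users\Administrator\Documents\scripts.zip'
```

Treat any reported overwrite as intentional only if you deliberately modified that script from scripts.zip; otherwise rename or remove the entry before uploading.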

Configure an OS bundle

To specify the details of the OS that you want to deploy, create an OS bundle.

  1. From the Provision menu, click OS Bundles, and then click Create OS Bundle.
  2. In the Details section, provide a name, optional description, and select a Bundle Architecture.
  3. In the OS Image File section, click Browse for File to select the install.wim file that you previously downloaded in Before you begin and select an image index if needed.

    For the default image, select the Image Index of 3 for Windows 10 Enterprise.

  4. In the ADK Files section, click Browse for File to select the ADK_<architecture>.zip file that you previously generated in Generate the Windows ADK content.
  5. In the Additional Files section, add unattended answer, Tanium Client installation, and script files.
    1. For Unattended XML File, click Browse for File to select the appropriate unattend_<architecture>.xml file that you previously extracted from the utility.zip file.
    2. For Tanium Client Installation Files, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    3. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in Create custom content.
  6. (Optional) In the Drivers and Patches section, add driver and patch files.
    1. For Driver Files, click Browse for File to select each drivers_<model>.zip or drivers_<model>.cab file that you previously created in Before you begin.
      Driver files are downloaded and used only when they match the following regular expression:
      drivers.(zip|cab)|drivers_%Model%.(zip|cab)|drivers_%ModelAlias%.(zip|cab)|drivers_%Version%.(zip|cab)

      where Model is the computer model, ModelAlias is the first four characters of Lenovo model IDs, and Version is generally a descriptive model string, such as Lenovo ThinkPad X1 Carbon gen 2.

      Any spaces in the Model or Version strings are removed prior to checking against the regular expression.

      To get the Model, ModelAlias, and Version strings, you can run the following PowerShell commands:

      Model:

      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Replace(" ","")

      ModelAlias:

      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Substring(0,4)

      Version:

      (Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty Version).Replace(" ","")

    2. For Patches, click Browse for File to select each .msu file for the patches that you previously gathered in Before you begin.
  7. (Optional) In the Key Value Entries section, click Add Key Value Pair to add the following key/value pairs.
    Key and description of each supported key:
    AdminPassword

    The password for the local Administrator account.

    If a value is not specified, the password is randomized.

    -%serialnumber% is automatically appended to the end of the password.

    BitLocker

    A value to enable BitLocker drive encryption during pre-provisioning, prior to the OS image being applied. If the value XTS-AES-256 is specified, the encryption level is set to that value before initializing BitLocker encryption on the device. Any other value encrypts the drive using the default XTS-AES-128 encryption.

    If a value is not specified, BitLocker pre-provisioning is not performed and the drive is unencrypted.

    BundleID

    The bundle to be selected by default.

    For more information, see Change the display order of bundles in the PXE boot menu.

    BundleTimeout

    The number of seconds before the currently-selected bundle is automatically chosen.

    For more information, see Change the display order of bundles in the PXE boot menu.

    ComputerName

    The computer name is set to the value that you specify. ComputerName also supports variable substitution, such as TAN-%RAND:10% to generate a name with ten random digits, or more complex names like A-%Manufacturer:3%-%SERIAL% to generate a name where the first three characters of the manufacturer are inserted with the complete serial number.

    Do not use this format for virtual machines.

    If a value is not specified, the computer name is randomly generated.

    DirectDownload

    A JSON string of properties to download Windows system OS image files directly from Microsoft.

    For more information, see Download files directly from Microsoft.

    DomainName

    If an ODJService value is specified, specify the domain to join.

    Migrate

    For an OS refresh, specify no to skip the USMT capture/restore.

    ODJService

    The URL of the ODJ service, such as https://myServer.myDomain.com:myPort/getblob.

    If a value is not specified, domain join is not performed.

    OU

    If an ODJService value is specified, specify the OU where you want the device to be created, such as OU=MyComputerOU,DC=myDomain,DC=com.

    SortBy

    The bundle sort order used in a global bundle. Manually specify this key with a value of Name, ID, or Description. The default value is Name.

    For more information, see Change the display order of bundles in the PXE boot menu.

    Tags

    A comma-delimited list of tags to be added to the Tanium Client during the deployment process.

    If a value is not specified, only an OSD tag is added.

    Timezone

    A Windows time zone string, such as Eastern Standard Time, to be set on the endpoint.

    UseTaniumClient

    For OS refresh bundles, manually specify this key with a value of Yes to download files with the Tanium Client instead of from the PXE endpoint.

    For more information, see Download OS refresh files with the Tanium Client.

    WaitFor

    A path or file; the deployment waits until that path or file exists, such as C:\Program Files\PuTTY.

    Specify CX to wait for the Tanium Deploy and Tanium Patch CX files to be installed.

    Instead of a fixed value, you can specify a JSON string as the value if you want to prompt for it during the deployment process. These JSON strings support simple text input, checkboxes, and dropdown lists.

    Examples include:

    { "parameterType": "com.tanium.components.parameters::TextInputParameter", "label": "Computer Name", "helpString": "Specify the name to assign to the computer." }
    { "parameterType": "com.tanium.components.parameters::TextInputParameter", "label": "Admin Password", "helpString": "Specify the password to be assigned to the Windows local Administrator account." }
    { "parameterType": "com.tanium.components.parameters::DropDownParameter", "label": "Time Zone", "helpString": "Specify the time zone that should be configured.", "values": ["Eastern Standard Time", "Pacific Standard Time"] }
    { "parameterType": "com.tanium.components.parameters::CheckBoxParameter", "label": "Debug" }

  8. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.
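To check that driver packages are named so that the matching rule in the Driver Files step actually selects them for a given model, the following added example (not the Provision scripts themselves) recomputes the page's Model, ModelAlias, and Version strings and tests candidate file names against the page's pattern. The sample endpoint strings and file names are constructed; the anchoring and escaping of the pattern are this example's own hardening, and whether Provision anchors the match is an assumption.

```powershell
# Added example, not Provision's own code: predict which uploaded driver files an endpoint
# would download under the page's matching rule. Sample values below are constructed.

function Get-ProvisionModelStrings {
    # The same values as the page's commands; Get-CimInstance replaces the older Get-WmiObject.
    $csModel = (Get-ComputerInfo).CsModel
    $version = (Get-CimInstance -ClassName Win32_ComputerSystemProduct).Version
    [pscustomobject]@{
        Model      = $csModel.Replace(' ', '')
        ModelAlias = $csModel.Substring(0, [Math]::Min(4, $csModel.Length))
        Version    = $version.Replace(' ', '')
    }
}

function Test-ProvisionDriverFileName {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$Model,
        [Parameter(Mandatory)][string]$ModelAlias,
        [Parameter(Mandatory)][string]$Version
    )
    # The page's pattern with the %...% placeholders substituted. The values are regex-escaped
    # and the pattern anchored so that a model string containing regex metacharacters cannot
    # widen the match (assumption: the page shows the pattern without anchors or escaping).
    $m = [regex]::Escape($Model)
    $a = [regex]::Escape($ModelAlias)
    $v = [regex]::Escape($Version)
    $pattern = "^(drivers\.(zip|cab)|drivers_$m\.(zip|cab)|drivers_$a\.(zip|cab)|drivers_$v\.(zip|cab))$"
    return [bool]($FileName -match $pattern)   # -match is case-insensitive by default
}

# Constructed strings for a Lenovo endpoint whose CsModel is '20KHCTO1WW' and whose
# Win32_ComputerSystemProduct.Version is 'ThinkPad X1 Carbon 6th' (spaces already removed).
$endpoint = @{ Model = '20KHCTO1WW'; ModelAlias = '20KH'; Version = 'ThinkPadX1Carbon6th' }

# Constructed list of driver files attached to the bundle.
$uploaded = 'drivers.zip', 'drivers_20KH.cab', 'drivers_ThinkPadX1Carbon6th.zip',
            'drivers_SurfaceBook.zip', 'drivers_20KHCTO1WW.zip.exe', 'readme.txt'

foreach ($f in $uploaded) {
    $hit = Test-ProvisionDriverFileName -FileName $f @endpoint
    '{0,-34} {1}' -f $f, $(if ($hit) { 'downloaded' } else { 'ignored' })
}
```

Run Get-ProvisionModelStrings on a reference machine of each model to obtain the real values to feed into Test-ProvisionDriverFileName.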

Download files directly from Microsoft

For bare metal deployments, the content for that deployment is downloaded from the Tanium PXE service, which runs on a corporate network. For deployments over the internet or in situations where the connection to the internet is faster than the connection to the Tanium PXE service, you can alternatively configure Provision to download the Windows OS system image file directly from the Microsoft Windows Update servers.

Tanium Provision 1.3 or later is required. You must also use an updated ADK_<architecture>.zip file that was generated using the ADKPrep.ps1 script from that version or later; the latest ADKPrep.ps1 script is recommended.

To configure direct download, modify or Configure an OS bundle and specify the properties that tell Provision which OS image to download and apply.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair and select DirectDownload from the Key drop-down list.
  2. For the Value field, enter the example JSON string:
    {"build":"<build>","arch":"<architecture>","lang":"<language>","edition":"<edition>"}
    where:
    • build specifies the Windows build number (example: 19044 is Windows 10 21H2 or 22000 is Windows 11 21H2)
    • arch specifies the machine architecture (x64, x86, or a64)
    • lang specifies one of the available Windows language codes (example: en-us)
    • edition specifies the edition from the downloaded image file (example: Pro, Enterprise, or Education)

For example, {"build":"22000","arch":"x64","lang":"en-us","edition":"Enterprise"} tells Provision to automatically download the most recent image that matches the build, architecture, and language. The edition is then used to find the appropriate image index within that image: in this case, English-language (en-us) 64-bit Windows 11 21H2 Enterprise.

To verify which image was downloaded, check the download.log file after the deployment is complete. To verify which image index was selected, check the provision-pe.log file. If any errors occurred while attempting to find a direct download image, Provision automatically uses the image that is specified in the OS bundle.

Download OS refresh files with the Tanium Client

During OS refresh deployments, you can configure endpoints to use the Tanium Client to download the files instead of downloading them directly from the PXE endpoint.

Tanium Provision 1.3 or later is required.

To configure endpoints to use the Tanium Client for downloads, modify or Configure an OS bundle and specify the UseTaniumClient key value pair.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair.
  2. For the Key field, manually enter UseTaniumClient.
  3. For the Value field, enter Yes.

Clone an OS bundle

To make a copy of an existing OS bundle, select an OS bundle and click Clone Selected. Clone: is automatically prepended to the OS bundle name, but you can make any changes before you click Save.

Change the display order of bundles in the PXE boot menu

By default, OS bundles are listed in alphabetical order by bundle name in the PXE boot menu. To change the default sort order, you can create a global bundle.

  1. From the Provision menu, click OS Bundles, and then click Create OS Bundle.
  2. In the Details section, enter @global for the name, provide an optional description, and select a Bundle Architecture.
  3. In the OS Image File, ADK Files, and Additional Files sections, click Browse for File to select the required files with the appropriate file extensions.

    Although these files are required, the global bundle does not use any of these files. You can create empty files with the appropriate file extensions.

  4. In the Key Value Entries section, click Add Key Value Pair to add the following keys.
    1. To specify a bundle to be selected by default, select BundleID and enter the ID of the desired bundle.
    2. To specify the number of seconds before the currently-selected bundle is automatically chosen, select BundleTimeout and enter a number in seconds.
    3. To change the default sort order, select SortBy and enter ID to sort by bundle ID or Description to sort by bundle description. The default sort order is by bundle name.