Preparing OS bundle content

Before you begin

You must obtain the following content before you complete the Provision setup.

Windows

  • Windows ADK: You can download the latest Windows 11 or Windows 10 ADK files from Microsoft Documentation: Download and install the Windows ADK to use with Tanium Provision. Both the Windows ADK and the WinPE add-on must be installed. For the ADK installation, the deployment tools and User State Migration Tool (USMT) components must be installed on any supported Windows endpoint, such as Windows 10, Windows 11, or Windows Server.
  • Windows image file: You can use the install.wim file from the standard Windows media ISOs, or a custom WIM file captured after the OS was sysprepped using Microsoft Deployment Toolkit (MDT). For more information about how to acquire the WIM file from the Windows media, see Microsoft Documentation: Create a Windows 10 reference image.
  • Tanium Client installer package: Create a client configuration for Windows using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration.
  • Drivers for the models of computers that you are deploying: Each computer model needs different driver packages, which can include INF, catalog, driver, or other files. Copy these drivers and create a separate ZIP or CAB file for each model, where the file name indicates the model that the drivers are for. For example, drivers_SurfaceBook.zip or drivers_SurfaceBook.cab. For more information, see Microsoft Documentation: Components of a Driver Package.
  • Patches: (Optional) You can specify one or more OS updates or patches to inject into the OS offline, before booting into the OS for the first time.

    Use Tanium Patch to install patches after the endpoint is provisioned to save deployment time in Provision.

Linux

  • Cloud-init file: To support customizing and configuring the Linux image, Provision uses the cloud-init configuration tool. For more information, see the cloud-init website. The cloud-init tool must be installed in the Linux OS using the appropriate method for the specific OS that you want to deploy. For example:
    • AlmaLinux, CentOS, RedHat, and Rocky Linux: yum install cloud-init
    • Debian and Ubuntu: apt install cloud-init
    Two cloud-init template files are also provided in the utility.zip file that you can download from the File Downloads tab of the Provision Settings. You can use either of these files as-is, or customize them by adding any additional configuration.
    • user-data.yaml: configures the admin password and installs the Tanium Client
    • redhat.yaml: configures the admin password, installs the Tanium Client, and refreshes the RedHat subscription
  • Tanium Client installer package: Create a client configuration for Linux using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration.

Download provided files for Provision

Provision includes two ZIP files that are used to Generate the Windows ADK content and (Optional) Create custom Windows content for Windows OS bundles or (Optional) Create custom Linux content for Linux OS bundles.

  1. From the Provision Overview page, click Settings and then click File Downloads.
  2. (Optional) Click scripts.zip to download the optional custom content files.

    Download this file only if you need to make modifications to the included Provision scripts.

  3. Click utility.zip to download the required scripts and related files.

Configure a Windows OS bundle

Deploying a Windows operating system using Tanium Provision requires some files from the Windows Assessment and Deployment Kit (ADK).

Generate the Windows ADK content

  1. Extract the contents of the previously downloaded utility.zip file to a folder, such as C:\Users\Administrator\Documents.
  2. Open an elevated PowerShell window.
    1. Ensure that the execution of scripts is allowed by entering the following command:

      Set-ExecutionPolicy bypass

    2. Navigate to the folder that contains the ADKPrep.ps1 script by entering the following command:

      cd C:\Users\Administrator\Documents\utility\ADKPrep

    3. (Optional) If any additional mass storage drivers are required for Windows PE, put them in an architecture-specific folder, such as C:\Users\Administrator\Documents\utility\ADKPrep\amd64\Drivers.
      These files are automatically injected into Windows PE as part of the ADKPrep.ps1 script execution.
    4. Generate the ADK zip files for the architecture that you need by entering the following command:

      .\ADKPrep.ps1 -Architecture amd64

  3. Ensure that no errors were generated.
  4. Copy the generated ADK_<architecture>.zip files to a convenient location that is easy to remember, such as C:\ProvisionFiles.

The utility.zip file also includes an Unattend folder with unattend_<architecture>.xml template files that are required to create an OS bundle. You can copy them to C:\ProvisionFiles to use in Create a Windows OS bundle.

(Optional) Create custom Windows content

You can create a ZIP file that contains at least a Customer.ps1 PowerShell script file for any custom Windows content that you want to include. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the C:\_t folder, and then automatically run the Customer.ps1 PowerShell script, if found.

Do not name your custom ZIP file scripts.zip. If your Customer.ps1 script requires additional files, you can include those files in your custom ZIP file.

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.
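Because a file in the custom ZIP silently replaces the standard Provision script of the same name, it is worth listing such collisions before the bundle is uploaded. The following PowerShell is an added example and is not part of the Tanium Provision documentation or scripts: it compares the entry names of a custom content ZIP with those of the scripts.zip downloaded from File Downloads and reports every name that would be overwritten. Both ZIP files are built here from constructed placeholder files (the real entry names of scripts.zip are not listed on this page) so that the example runs offline.

```powershell
# Added example (not Tanium's own code): find entries of a custom content ZIP
# that share a name with entries of the standard scripts.zip. Any such entry
# replaces the standard Provision script when the ZIP is extracted into C:\_t.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipEntryNames {
    # Returns the file entry names (directory entries excluded) of a ZIP archive.
    param([Parameter(Mandatory)] [string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $zip.Entries | Where-Object { -not $_.FullName.EndsWith('/') } | ForEach-Object { $_.FullName }
    } finally {
        $zip.Dispose()
    }
}

function Get-CustomContentOverwrites {
    # Returns the entry names in $CustomZip that also exist in $StandardZip.
    # -contains compares case-insensitively, which is what matters on the
    # Windows volume where both sets of files are extracted.
    param(
        [Parameter(Mandatory)] [string]$CustomZip,
        [Parameter(Mandatory)] [string]$StandardZip
    )
    $standard = @(Get-ZipEntryNames -Path $StandardZip)
    Get-ZipEntryNames -Path $CustomZip | Where-Object { $standard -contains $_ }
}

# --- Constructed sample archives (placeholder names, not real Provision scripts) ---
$work    = Join-Path ([System.IO.Path]::GetTempPath()) ('provision-zipcheck-' + [guid]::NewGuid().ToString('N'))
$stdDir  = New-Item -ItemType Directory -Path (Join-Path $work 'standard')
$custDir = New-Item -ItemType Directory -Path (Join-Path $work 'custom')

'# placeholder for a standard Provision script' | Set-Content -Path (Join-Path $stdDir.FullName 'Standard-A.ps1')
'# placeholder for a standard Provision script' | Set-Content -Path (Join-Path $stdDir.FullName 'Standard-B.ps1')
'# custom entry point that Provision runs automatically' | Set-Content -Path (Join-Path $custDir.FullName 'Customer.ps1')
'# same name as a standard script: this copy would win' | Set-Content -Path (Join-Path $custDir.FullName 'Standard-B.ps1')
'rem helper used by Customer.ps1' | Set-Content -Path (Join-Path $custDir.FullName 'helper.cmd')

$standardZip = Join-Path $work 'scripts.zip'          # stands in for the downloaded scripts.zip
$customZip   = Join-Path $work 'custom-content.zip'   # the custom ZIP (deliberately not named scripts.zip)
[System.IO.Compression.ZipFile]::CreateFromDirectory($stdDir.FullName, $standardZip)
[System.IO.Compression.ZipFile]::CreateFromDirectory($custDir.FullName, $customZip)

$overwrites = @(Get-CustomContentOverwrites -CustomZip $customZip -StandardZip $standardZip)
if ($overwrites.Count -eq 0) {
    'No standard Provision script would be overwritten.'
} else {
    "These entries in $customZip replace standard scripts:"
    $overwrites | ForEach-Object { "  $_" }
}

Remove-Item -Path $work -Recurse -Force
```

With the constructed archives above, the report lists Standard-B.ps1 only. To check a real bundle, point -StandardZip at the scripts.zip you downloaded from File Downloads and -CustomZip at the ZIP you are about to attach under Script and Other Files; an empty result means the custom content only adds files.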

Create a Windows OS bundle

To specify the details of the OS that you want to deploy, create a Windows OS bundle.

  1. From the Provision menu, click OS Bundles and then click Create Bundle.

    You can also click Create OS Bundle from the Quick Links section of the Provision Overview page.

  2. In the Details section, provide identifying details for the bundle.
    1. Enter a name and optional description.
    2. For Platform, select Windows.
    3. Select an Operating System and Architecture.
  3. In the Files section, add required or optional files.
    1. In the OS Image WIM section, select an image index if needed and click Browse for File to select the install.wim file that you previously downloaded in Before you begin: Windows.

      For the default image, select the Image Index of 3 for Windows 10 Enterprise.

    2. In the ADK Files section, click Browse for File to select the ADK_<architecture>.zip file that you previously generated in Generate the Windows ADK content.
    3. In the Unattended XML section, click Browse for File to select the appropriate unattend_<architecture>.xml file that you previously extracted from the utility.zip file.
    4. In the Tanium Client Installation Files section, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    5. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in (Optional) Create custom Windows content.
  4. (Optional) In the Drivers and Patches section, add driver and patch files.
    1. For Drivers, click Browse for File to select each drivers_<model>.zip or drivers_<model>.cab file that you previously created in Before you begin: Windows.
      Driver files are downloaded and used only when they match the following regular expression:
      drivers.(zip|cab)|drivers_%Model%.(zip|cab)|drivers_%ModelAlias%.(zip|cab)|drivers_%Version%.(zip|cab)

      where Model is the computer model, ModelAlias is the first four characters of Lenovo model IDs, and Version is generally a descriptive model string, such as Lenovo ThinkPad X1 Carbon gen 2.

      Any spaces in the Model or Version strings are removed prior to checking against the regular expression.

      To get the Model, ModelAlias, and Version strings, you can run the following PowerShell commands:

      Model

      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Replace(" ","")

      ModelAlias

      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Substring(0,4)

      Version

      (Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty Version).Replace(" ","")

    2. For Patches, click Browse for File to select each .msu file for the patches that you previously gathered in Before you begin: Windows.
  5. (Optional) In the Key Value Entries section, click Add Key Value Pair to add key value pairs. For more information about the available key value pairs, see Reference: Provision key value pair options.

    If a key value entry already exists, click Add next to the last key value entry instead of clicking Add Key Value Pair.

  6. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.
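The driver file name check in step 4 is easy to get wrong: a stray space, or a Version string typed from the label on the chassis instead of taken from WMI, and the package is never downloaded. The following PowerShell is an added example, not part of the Tanium Provision documentation or scripts. It derives the Model, ModelAlias and Version strings the same way as the three commands in step 4, but from constructed sample values so it runs on any workstation, and reports whether a candidate file name would match the documented regular expression. Two details are this example's own choices and are not stated on the page: the substituted strings are regex-escaped, and the pattern is anchored to the whole file name.

```powershell
# Added example (not Tanium's own code): check candidate driver package names
# against the regular expression documented for the Drivers field, using the
# same string transformations as the Model, ModelAlias and Version commands.

function Get-ProvisionModelStrings {
    # Computes the three strings from raw inventory values, exactly as the
    # documented commands do: spaces removed from Model and Version, first four
    # characters of the model ID for ModelAlias (Min() only guards short values).
    param(
        [Parameter(Mandatory)] [string]$CsModel,          # CsModel from Get-ComputerInfo
        [Parameter(Mandatory)] [string]$ProductVersion    # Version from Win32_ComputerSystemProduct
    )
    [pscustomobject]@{
        Model      = $CsModel.Replace(' ', '')
        ModelAlias = $CsModel.Substring(0, [Math]::Min(4, $CsModel.Length))
        Version    = $ProductVersion.Replace(' ', '')
    }
}

function Test-ProvisionDriverFileName {
    # Returns $true when the file name matches one of the four documented
    # alternatives for the given endpoint strings.
    param(
        [Parameter(Mandatory)] [string]$FileName,
        [Parameter(Mandatory)] $ModelStrings
    )
    # Assumption of this example: escape the substituted values so that a model
    # string containing a regex metacharacter (for example "+") cannot change the
    # meaning of the pattern. The documented expression substitutes them verbatim.
    $m  = [regex]::Escape($ModelStrings.Model)
    $ma = [regex]::Escape($ModelStrings.ModelAlias)
    $v  = [regex]::Escape($ModelStrings.Version)
    # Same alternatives as the documented expression, with the dot made literal
    # and the whole name anchored so that "olddrivers.zip.bak" cannot match.
    $pattern = '^(drivers\.(zip|cab)|drivers_{0}\.(zip|cab)|drivers_{1}\.(zip|cab)|drivers_{2}\.(zip|cab))$' -f $m, $ma, $v
    return [bool]($FileName -match $pattern)
}

# Constructed sample inventory values (not real data). On a reference machine
# you would pass the raw CsModel and Win32_ComputerSystemProduct Version instead.
$strings = Get-ProvisionModelStrings -CsModel '20A8S0H100' -ProductVersion 'Lenovo ThinkPad X1 Carbon gen 2'
# Model = 20A8S0H100, ModelAlias = 20A8, Version = LenovoThinkPadX1Carbongen2

foreach ($name in @(
    'drivers.zip',                                   # generic package: always matches
    'drivers_20A8S0H100.cab',                        # matches on Model
    'drivers_20A8.zip',                              # matches on ModelAlias
    'drivers_LenovoThinkPadX1Carbongen2.zip',        # matches on Version
    'drivers_Lenovo ThinkPad X1 Carbon gen 2.zip',   # spaces are never in the compared strings: no match
    'drivers_SurfaceBook.zip'                        # a different model: not downloaded for this endpoint
)) {
    '{0,-48} {1}' -f $name, (Test-ProvisionDriverFileName -FileName $name -ModelStrings $strings)
}
```

The -match operator is case-insensitive, which agrees with Windows file name semantics. To validate your real packages, run the Model and Version commands from step 4 on one endpoint of each model and feed their raw output to Get-ProvisionModelStrings before naming the ZIP or CAB files.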

Configure a Linux OS bundle

Deploying a Linux operating system using Tanium Provision requires capturing an image of a complete Linux installation.

The following Linux distributions and versions are supported by Provision:

  • AlmaLinux 8.6
  • CentOS 7, 8, Stream
  • Debian 11
  • RedHat Enterprise Linux 8.5, 8.6
  • Rocky Linux 8.6
  • Ubuntu 22.04

The following Linux distributions are not supported by Provision:

  • Amazon Linux
  • IBM AIX
  • Oracle Solaris
  • SUSE (SLES)

Linux OS bundles can be used only to refresh Windows endpoints to Linux. Re-imaging a Linux endpoint with a Linux OS bundle is not supported.

Capture the OS image

Provision supports the default disk layouts for each OS that is captured and deployed:

  • AlmaLinux, CentOS, RedHat, and Rocky Linux: LVM and XFS file systems
  • Debian and Ubuntu: a single Ext4 partition that contains the entire OS

After you configure your Linux OS, you can use Provision to capture the OS into an image file.

  1. Boot the computer, using either the media or PXE options, into the Tanium Provision boot image.
  2. After connecting to a network, click Capture Linux.
  3. Enter a File name with a .fsa file extension.
  4. Enter the UNC (SMB/CIFS) path where you want the image file to be created.
  5. Enter the User name and Password credentials to establish a connection with the SMB path and then click CAPTURE.
  6. After the capture process completes, you can reboot the computer back into the OS, which is not modified during the capture process.

(Optional) Create custom Linux content

For any custom Linux content that you want to include, you can create a ZIP file that contains a script file that can be referenced from the cloud-init file. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the _t folder, and then automatically run the script, if found.

Do not name your custom ZIP file scripts.zip. If your script requires additional files, you can include those files in your custom ZIP file.

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.

Create a Linux OS bundle

To specify the details of the OS that you want to deploy, create a Linux OS bundle.

  1. From the Provision menu, click OS Bundles and then click Create Bundle.

    You can also click Create OS Bundle from the Quick Links section of the Provision Overview page.

  2. In the Details section, provide identifying details for the bundle.
    1. Enter a name and optional description.
    2. For Platform, select Linux.
    3. Select an Operating System and Architecture.
  3. In the Files section, add required or optional files.
    1. In the OS Image FSA section, click Browse for File to select the FSA file that you previously created in Capture the OS image.
    2. In the Cloud-init section, click Browse for File to select the cloud-init file that you previously prepared in Before you begin: Linux.
    3. In the Tanium Client Installation Files section, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    4. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in (Optional) Create custom Linux content.
  4. (Optional) In the Key Value Entries section, click Add Key Value Pair to add key value pairs. For more information about the available key value pairs, see Reference: Provision key value pair options.

    If a key value entry already exists, click Add next to the last key value entry instead of clicking Add Key Value Pair.

  5. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.

Manage OS bundles

You can manage OS bundles from the Provision OS Bundles page.

Edit an OS bundle

To edit an OS bundle, select a bundle and then click Edit.

View OS bundle details

To view OS bundle details on the OS Bundles page, click Additional Data next to the OS bundle.

Additionally, you can download any of the bundle files from this view by clicking Download next to available file names.

Until the bundle has a Ready status, the download icon is grayed out and inactive. You can view the status of a bundle from the OS Bundles page.

Clone an OS bundle

To make a copy of an existing OS bundle, select an OS bundle, click More, and then click Duplicate. The OS bundle name is automatically prepended with Clone:, but you can make any changes before you click Save.

Delete an OS bundle

To delete an OS bundle, select one or more OS bundles and click Delete.

Download Windows files directly from Microsoft

For Windows bare metal or OS refresh deployments, the content for that deployment is downloaded from the Tanium PXE service, which runs on a corporate network. For deployments over the internet or in situations where the connection to the internet is faster than the connection to the Tanium PXE service, you can alternatively configure Provision to download the Windows OS system image file directly from the Microsoft Windows Update servers.

Tanium Provision 1.3 or later is required. You must also use an updated ADK_<architecture>.zip file that was generated with the ADKPrep.ps1 script from that version, that is, the latest ADKPrep.ps1 script.

To configure direct download, modify or configure an OS bundle and specify the properties that tell Provision which OS image to download and apply.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair and select DirectDownload from the Key drop-down list.

    If a key value entry already exists, click Add next to the last key value entry instead of clicking Add Key Value Pair.

  2. For the Value field, enter the example JSON string:
    {"build":"<build>","arch":"<architecture>","lang":"<language>","edition":"<edition>"}
    where:
    • build specifies the Windows build number (example: 19044 is Windows 10 21H2 or 22000 is Windows 11 21H2)
    • arch specifies the machine architecture (x64, x86, or a64)
    • lang specifies one of the available Windows language codes (example: en-us)
    • edition specifies the edition from the downloaded image file (example: Pro, Enterprise, or Education)

For example, {"build":"22000","arch":"x64","lang":"en-us","edition":"Enterprise"} tells Provision to automatically download the most recent image that matches the build, architecture, and language. The edition is then used to find the appropriate image index within that image; in this example, 64-bit Windows 11 21H2 Enterprise in English.

To verify which image was downloaded, check the download.log file after the deployment is complete. To verify which image index was selected, check the provision-pe.log file. If any errors occurred while attempting to find a direct download image, Provision automatically uses the image that is specified in the OS bundle.

Download OS refresh files with the Tanium Client

During OS refresh deployments, you can configure endpoints to use the Tanium Client to download the files instead of downloading them directly from the PXE endpoint.

Tanium Provision 1.3 or later is required.

To configure endpoints to use the Tanium Client for downloads, modify or configure an OS bundle and specify the UseTaniumClient key value pair.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair.

    If a key value entry already exists, click Add next to the last key value entry instead of clicking Add Key Value Pair.

  2. For the Key field, manually enter UseTaniumClient.
  3. For the Value field, enter Yes.

Change the display order of bundles in the PXE boot menu

By default, OS bundles are listed in alphabetical order by bundle name in the PXE boot menu. You can change the default sort order in the Settings.

  1. From the Provision Overview page, click Settings and then click Global Key Values.
  2. In the OS Bundle Selection section, configure the following details.
    1. Select the default sort order by: Name, Bundle ID, or Description. The default is Name.
    2. Select how long to wait before automatically choosing the default keyboard layout: Never, 30 seconds, 1 minute, or 5 minutes. The default selection is 30 seconds.
    3. Select how long to wait before automatically choosing the default network configuration: Never, 30 seconds, 1 minute, or 5 minutes. The default selection is 30 seconds.
    4. To specify a bundle to be selected by default, select Enable automated OS bundle selection and then select an OS Bundle and OS Bundle Timeout.
  3. (Optional) If you want to store your boot image files in Microsoft Azure storage, configure the details in the Azure Authentication section. For more information, see Microsoft Documentation: Azure Storage documentation.
    1. Select Enable Azure storage integration.
    2. Enter the Client ID, Tenant ID, and Azure Blob URL.

Reference: Provision key value pair options

The following keys are available. Each key is listed with its description.
AdminPassword

The password for the local Administrator account.

-%serialnumber% is automatically appended to the end of the password.

BitLocker

A value to enable BitLocker drive encryption during pre-provisioning, prior to the OS image being applied. If the value XTS-AES-256 is specified, the encryption level is set to that value before initializing BitLocker encryption on the device. Any other value encrypts the drive using the default XTS-AES-128 encryption.

If a value is not specified, BitLocker pre-provisioning is not performed and the drive is unencrypted.

CertTemplate

Manually specify this key with the name of the certificate template to use when generating a new certificate in the ODJ blob for the computer.

For more information, see (Optional) Add certificates and group policy templates.

ComputerName

The computer name is set to the value that you specify. ComputerName also supports variable substitution, such as TAN-%RAND:10% to generate a name with ten random digits, or more complex names like A-%Manufacturer:3%-%SERIAL% to generate a name that contains the first three characters of the manufacturer name followed by the complete serial number.

Do not use this format for virtual machines.

If a value is not specified, the computer name is randomly generated.

DirectDownload

A JSON string of properties to download Windows system OS image files directly from Microsoft.

For more information, see Download Windows files directly from Microsoft.

DomainName

If an ODJService value is specified, specify the domain to join.

IncludeRootCerts

Manually specify this key with a value of 1 to include root certificates in Active Directory in the generated ODJ blob.

For more information, see (Optional) Add certificates and group policy templates.

Migrate

For an OS refresh, specify no to skip the USMT capture/restore.

ODJService

The URL of the ODJ service, such as https://myServer.myDomain.com:myPort/getblob.

If a value is not specified, domain join is not performed.

OU

If an ODJService value is specified, specify the OU where you want the device to be created, such as OU=MyComputerOU,DC=myDomain,DC=com.

Do not use double quotes.

PolicyNames

Manually specify this key to the list of group policy objects to include in the ODJ blob for the computer.

For more information, see (Optional) Add certificates and group policy templates.

Tags

A comma-delimited list of tags to be added to the Tanium Client during the deployment process.

If a value is not specified, only an OSD tag is added.

Timezone

A Windows time zone string, such as Eastern Standard Time, to be set on the endpoint.

UseTaniumClient

For OS refresh bundles, manually specify this key with a value of Yes to download files with the Tanium Client instead of from the PXE endpoint.

For more information, see Download OS refresh files with the Tanium Client.

WaitFor

A path or file name; Provision waits until that path or file exists, such as C:\Program Files\PuTTY.

Specify CX to wait for the Tanium Deploy and Tanium Patch CX files to be installed.

Specify JSON strings if you want to prompt for values during the deployment process. These JSON strings support simple text input, checkboxes, and dropdown lists.

Examples include:

{ "parameterType": "com.tanium.components.parameters::TextInputParameter", "label": "Computer Name", "helpString": "Specify the name to assign to the computer." }
{ "parameterType": "com.tanium.components.parameters::TextInputParameter", "label": "Admin Password", "helpString": "Specify the password to assign to the Windows local Administrator account." }
{ "parameterType": "com.tanium.components.parameters::DropDownParameter", "label": "Time Zone", "helpString": "Specify the time zone that should be configured.", "values": ["Eastern Standard Time", "Pacific Standard Time"] }
{ "parameterType": "com.tanium.components.parameters::DropDownParameter", "label": "OU", "helpString": "Specify the OU that the computer object should be created in.", "values": ["OU=Provision,DC=lab,DC=local", "OU=Provision2,DC=lab,DC=local"] }
{ "parameterType": "com.tanium.components.parameters::CheckBoxParameter", "label": "Debug" }
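Two of the values on this page are JSON strings typed by hand into a Key Value Entries field: the DirectDownload property set described under Download Windows files directly from Microsoft, and the WaitFor prompt definitions listed in the examples above. A malformed value is only discovered during a deployment (for DirectDownload, Provision then falls back to the image in the bundle). The following PowerShell is an added example, not part of the Tanium Provision documentation or scripts: it checks both kinds of value on the administrator's workstation against the rules the page states. The rules it enforces beyond the page (five-digit build, a language-code shape, a required label, a non-empty and duplicate-free values list) are this example's own assumptions.

```powershell
# Added example (not Tanium's own code): validate the DirectDownload JSON value
# and WaitFor prompt JSON strings before pasting them into an OS bundle.

function Test-ProvisionDirectDownloadValue {
    # Returns a list of problems with a DirectDownload value; empty means well-formed.
    param([Parameter(Mandatory)] [string]$Json)
    $problems = [System.Collections.Generic.List[string]]::new()
    try { $obj = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("not valid JSON: $($_.Exception.Message)"); return $problems }

    foreach ($key in 'build', 'arch', 'lang', 'edition') {
        if (-not $obj.PSObject.Properties[$key]) { $problems.Add("missing property '$key'") }
    }
    # Build numbers on the page are five digits (19044, 22000); assumption of this example.
    if ($obj.build -and $obj.build -notmatch '^\d{5}$') {
        $problems.Add("build '$($obj.build)' is not a five-digit Windows build number such as 19044 or 22000")
    }
    if ($obj.arch -and $obj.arch -notin 'x64', 'x86', 'a64') {
        $problems.Add("arch '$($obj.arch)' must be x64, x86 or a64")
    }
    # Loose language-tag shape (en-us, zh-cn, sr-latn-rs); assumption of this example.
    if ($obj.lang -and $obj.lang -notmatch '^[a-z]{2,3}(-[a-z0-9]{2,8})*$') {
        $problems.Add("lang '$($obj.lang)' does not look like a Windows language code such as en-us")
    }
    return $problems
}

function Test-ProvisionPromptValue {
    # Returns a list of problems with a WaitFor prompt definition; empty means well-formed.
    # The three parameterType values are the ones shown in the examples on this page.
    param([Parameter(Mandatory)] [string]$Json)
    $problems = [System.Collections.Generic.List[string]]::new()
    try { $obj = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("not valid JSON: $($_.Exception.Message)"); return $problems }

    $known = @(
        'com.tanium.components.parameters::TextInputParameter',
        'com.tanium.components.parameters::DropDownParameter',
        'com.tanium.components.parameters::CheckBoxParameter'
    )
    if ($obj.parameterType -notin $known) {
        $problems.Add("parameterType '$($obj.parameterType)' is not one of the documented types")
    }
    if ([string]::IsNullOrWhiteSpace($obj.label)) { $problems.Add('label is required') }   # assumption
    if ($obj.parameterType -eq $known[1]) {
        $values = @($obj.values)
        if ($values.Count -eq 0) { $problems.Add("a DropDownParameter needs a non-empty 'values' list") }
        elseif (@($values | Select-Object -Unique).Count -ne $values.Count) { $problems.Add("'values' contains duplicates") }
    }
    return $problems
}

function Show-Result {
    param([string]$Value, [string[]]$Issues)
    if ($Issues.Count -eq 0) { "OK       $Value" }
    else { "REJECTED $Value`n    " + ($Issues -join "`n    ") }
}

# Constructed inputs: the page's Windows 11 example plus deliberately broken values.
foreach ($v in @(
    '{"build":"22000","arch":"x64","lang":"en-us","edition":"Enterprise"}',
    '{"build":"22000","arch":"arm64","lang":"en-us"}',            # unsupported arch, edition missing
    '{"build":"22000","arch":"x64","lang":"en-us","edition":}'     # not JSON
)) { Show-Result -Value $v -Issues @(Test-ProvisionDirectDownloadValue -Json $v) }

foreach ($v in @(
    '{ "parameterType": "com.tanium.components.parameters::DropDownParameter", "label": "Time Zone", "helpString": "Specify the time zone that should be configured.", "values": ["Eastern Standard Time", "Pacific Standard Time"] }',
    '{ "parameterType": "com.tanium.components.parameters::CheckBoxParameter", "label": "Debug" }',
    '{ "parameterType": "com.tanium.components.parameters::DropDownParameter", "label": "OU" }'   # no values list
)) { Show-Result -Value $v -Issues @(Test-ProvisionPromptValue -Json $v) }
```

The first value of each group is accepted and the broken ones are reported with the reason. Because the check runs locally, you can wire it into whatever process produces your bundles so that a value is rejected before it reaches the Key Value Entries section rather than after the first failed deployment.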