Preparing OS bundle content

Deploying a Windows operating system using Tanium Provision requires some files from the Windows Assessment and Deployment Kit (ADK).

Before you begin

The following content must be obtained to complete the Provision setup.

  • Windows ADK: You can download the latest Windows 11 or Windows 10 ADK files from Microsoft Documentation: Download and install the Windows ADK to use with Tanium Provision. Both the Windows ADK and the WinPE add-on must be installed. For the ADK installation, the deployment tools and User State Migration Tool (USMT) components must be installed on any supported Windows endpoint, such as Windows 10, Windows 11, or Windows Server.
  • Windows image file: You can use the install.wim file from the standard Windows media ISOs, or a custom WIM file captured after the OS was sysprepped using Microsoft Deployment Toolkit (MDT).
  • Tanium Client installer package: Create a client configuration for Windows using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration.
  • Drivers for the models of computers that you are deploying: Each computer model needs different drivers. Copy these drivers and create a separate ZIP file for each model, where the file name indicates the model that the drivers are for. For example, drivers_SurfaceBook.zip.
  • Patches: (Optional) You can specify one or more OS updates or patches to inject into the OS offline, before booting into the OS for the first time.

    Use Tanium Patch to install patches after the endpoint is provisioned to save deployment time in Provision.

Download provided files for Provision

Provision includes two ZIP files that are used to Generate the Windows ADK content and Create custom content for OS bundles.

  1. From the Provision Overview page, click Settings and then click File Downloads.
  2. (Optional) Click scripts.zip to download the optional custom content files.

    Download this file only if you need to make modifications to the included Provision scripts.

  3. Click utility.zip to download the required scripts and related files.

Generate the Windows ADK content

  1. Extract the contents of the previously downloaded utility.zip file to a folder, such as C:\Users\Administrator\Documents.
  2. Open an elevated PowerShell command.
    1. Ensure that the execution of scripts is allowed by entering the following command:

      Set-ExecutionPolicy bypass

    2. Navigate to the folder that contains the ADKPrep.ps1 script by entering the following command:

      cd C:\Users\Administrator\Documents\utility\ADKPrep

    3. (Optional) If any additional mass storage drivers are required for Windows PE, put them in an architecture-specific folder, such as C:\Users\Administrator\Documents\utility\ADKPrep\amd64\Drivers.
      These files are automatically injected into Windows PE as part of the ADKPrep.ps1 script execution.
    4. Generate the ADK zip files for the architecture that you need by entering the following command:

      .\ADKPrep.ps1 -Architecture amd64

  3. Ensure that no errors were generated.
  4. Copy the generated ADK_<architecture>.zip files to a convenient location that is easy to remember, such as C:\ProvisionFiles.

The utility.zip file also includes an Unattend folder with unattend_<architecture>.xml template files that are required to create an OS bundle. You can copy them to C:\ProvisionFiles to use in Configure an OS bundle.

Create custom content

You can create a ZIP file that contains at least a Customer.ps1 PowerShell script file for any custom content that you want to include. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the C:\_t folder, and then automatically run the Customer.ps1 PowerShell script, if found.

You can use the scripts.zip file that Provision provides as a starting point, but do not name your custom ZIP file scripts.zip. If your Customer.ps1 script requires additional files, you can include those files in your custom ZIP file.

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.
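Because anything in the custom ZIP silently replaces a standard Provision script of the same name, it is worth listing the overlaps before uploading. The following PowerShell is an added example, not part of the Tanium Provision scripts; the file paths are assumptions for where you saved scripts.zip and your own archive, and the check that a Customer.ps1 is present anywhere in the archive is this example's own, since the page states only that the ZIP must contain one.

```powershell
# Added example (not from Tanium Provision): report entries in a custom content ZIP
# that would overwrite a standard Provision script from scripts.zip.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipEntryNames {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Skip directory entries (they end with '/') and normalize case, because
        # the files are extracted onto a case-insensitive Windows file system.
        $zip.Entries |
            Where-Object { -not $_.FullName.EndsWith('/') } |
            ForEach-Object { $_.FullName.ToLowerInvariant() }
    }
    finally {
        $zip.Dispose()
    }
}

function Find-OverwrittenScripts {
    param(
        [Parameter(Mandatory)][string]$StandardZip,   # scripts.zip from File Downloads
        [Parameter(Mandatory)][string]$CustomZip      # your custom content ZIP
    )
    # The page requires a different name for the custom archive.
    if ((Split-Path -Leaf $CustomZip) -ieq 'scripts.zip') {
        throw 'The custom ZIP must not be named scripts.zip.'
    }
    $standard = @(Get-ZipEntryNames -Path $StandardZip)
    $custom   = @(Get-ZipEntryNames -Path $CustomZip)

    $leafNames = $custom | ForEach-Object { [System.IO.Path]::GetFileName($_) }
    if ($leafNames -notcontains 'customer.ps1') {
        Write-Warning "No Customer.ps1 found in $CustomZip; Provision runs a custom script only if one is present."
    }

    # Every entry present in both archives is a standard file the custom ZIP replaces.
    $custom | Where-Object { $standard -contains $_ } | Sort-Object
}

# Assumed locations; adjust to where you stored the files.
$collisions = @(Find-OverwrittenScripts -StandardZip 'C:\ProvisionFiles\scripts.zip' `
                                        -CustomZip   'C:\ProvisionFiles\custom_content.zip')
if ($collisions.Count -gt 0) {
    Write-Host 'These standard Provision files will be overwritten by the custom ZIP:'
    $collisions | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No standard Provision files are overwritten.'
}
```

Run this from the same elevated PowerShell session you use for ADKPrep.ps1. An empty result means your archive only adds files; any names it prints are deliberate replacements you should be able to account for.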

Configure an OS bundle

To specify the details of the OS that you want to deploy, create an OS bundle.

  1. From the Provision menu, click OS Bundles, and then click Create OS Bundle.
  2. In the Details section, provide a name, optional description, and select a Bundle Architecture.
  3. In the OS Image File section, click Browse for File to select the install.wim file that you previously downloaded in Before you begin.

    For the default image, select the Image Index of 3 for Windows 10 Enterprise.

  4. In the ADK Files section, click Browse for File to select the ADK_<architecture>.zip file that you previously generated in Generate the Windows ADK content.
  5. In the Additional Files section, add unattend, Tanium Client installation, and script files.
    1. For Unattended XML File, click Browse for File to select the appropriate unattend_<architecture>.xml file that you previously extracted from the utility.zip file.
    2. For Tanium Client Installation Files, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    3. (Optional) For Script and Other Files, click Browse for File to select the scripts.zip file that you previously downloaded in Download provided files for Provision.
  6. (Optional) In the Drivers and Patches section, add driver and patch files.
    1. For Driver zips, click Browse for File to select the drivers_<model>.zip file that you previously created.
      Driver files are downloaded and used only when they match the following regular expression: drivers.zip|drivers_%Model%.zip|drivers_%ModelAlias%.zip|drivers_%Version%.zip

      where Model is the computer model, ModelAlias is the first four characters of Lenovo model IDs, and Version is generally a descriptive model string, such as Lenovo ThinkPad X1 Carbon gen 2.

      Any spaces in the Model or Version strings are removed prior to checking against the regular expression.

    2. For Patches, click Browse for File to select the ZIP file that you previously created in Before you begin.
  7. (Optional) In the Key Value Entries section, click Add Key Value Pair to add the following key/value pairs.
    Key
      Description

    AdminPassword
      The password for the local Administrator account.
      If a value is not specified, the password is randomized.
      -%serialnumber% is automatically appended to the end of the password.

    BitLocker
      A value to enable BitLocker drive encryption during pre-provisioning, prior to the OS image being applied. If the value XTS-AES-256 is specified, the encryption level is set to that value before initializing BitLocker encryption on the device. Any other value encrypts the drive using the default XTS-AES-128 encryption.
      If a value is not specified, BitLocker pre-provisioning is not performed and the drive is unencrypted.

    BundleID
      The bundle to be selected by default.

    BundleTimeout
      The number of seconds before the currently selected bundle is automatically chosen.

    ComputerName
      The computer name is set to the value that you specify. ComputerName also supports variable substitution, such as TAN-%RAND:10% to generate a name with ten random digits, or more complex names like A-%Manufacturer:3%-%SERIAL% to generate a name where the first three characters of the manufacturer are followed by the complete serial number.
      Do not use this format for virtual machines.
      If a value is not specified, the computer name is randomly generated.

    DomainName
      If an ODJService value is specified, specify the domain to join.

    Migrate
      For an OS refresh, specify no to skip the USMT capture/restore.

    ODJService
      The URL of the ODJ service, such as https://myServer.myDomain.com:myPort/myService.
      If a value is not specified, domain join is not performed.

    OU
      If an ODJService value is specified, specify the OU where you want the device to be created, such as OU=MyComputerOU,DC=myDomain,DC=com.

    Tags
      A comma-delimited list of tags to be added to the Tanium Client during the deployment process.
      If a value is not specified, only an OSD tag is added.

    Timezone
      A Windows time zone string, such as Eastern Standard Time, to be set on the endpoint.

    WaitFor
      A path or file to wait for; the deployment waits until that path or file exists, such as C:\Program Files\PuTTY.
      Specify CX to wait for the Tanium Deploy and Tanium Patch CX files to be installed.

    Specify JSON strings if you want to prompt for values during the deployment process. These JSON strings support simple text input, checkboxes, and dropdown lists.

    Examples include:

    { "parameterType": "com.tanium.components.parameters::TextInputParameter", "label": "Computer Name", "helpString": "Specify the name to assign to the computer." }
    { "parameterType": "com.tanium.components.parameters::TextInputParameter", "label": "Admin Password", "helpString": "Specify the password to be assigned to the Windows local Administrator account." }
    { "parameterType": "com.tanium.components.parameters::DropDownParameter", "label": "Time Zone", "helpString": "Specify the time zone that should be configured.", "values": ["Eastern Standard Time", "Pacific Standard Time"] }
    { "parameterType": "com.tanium.components.parameters::CheckBoxParameter", "label": "Debug" }

  8. Click Save.
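A driver ZIP that does not match the pattern in step 6 is simply never downloaded, so checking the file names before upload saves a failed deployment. The following PowerShell is an added example, not part of the Tanium Provision scripts, that reproduces the matching rule from step 6. It treats the page's pattern as an anchored match on the whole file name with the substituted values taken literally, which is an assumption; the page lists the pattern unanchored. The Model, ModelAlias and Version values in the usage are constructed samples, and the page does not state where Provision reads them from on the endpoint.

```powershell
# Added example (not from Tanium Provision): test whether a driver ZIP name would be
# selected for a given Model, ModelAlias and Version, following the rule in step 6.
function Test-DriverZipName {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$Model,
        [string]$ModelAlias = '',   # first four characters of Lenovo model IDs
        [string]$Version    = ''    # descriptive model string, e.g. "Lenovo ThinkPad X1 Carbon gen 2"
    )
    # Spaces in Model and Version are removed before matching (page rule);
    # the alias is treated the same way here as an assumption.
    $m = $Model      -replace ' ', ''
    $a = $ModelAlias -replace ' ', ''
    $v = $Version    -replace ' ', ''

    # Candidate names from the page's pattern. Empty alias/version values are skipped so
    # that "drivers_.zip" never matches by accident.
    $candidates = @('drivers.zip', "drivers_$m.zip")
    if ($a) { $candidates += "drivers_$a.zip" }
    if ($v) { $candidates += "drivers_$v.zip" }

    # Escape each candidate so '.', '+', '(' and similar are literal, then anchor the
    # alternation to the whole name (assumption: the page shows the pattern unanchored).
    $escaped = $candidates | ForEach-Object { [regex]::Escape($_) }
    $pattern = '^(?:' + ($escaped -join '|') + ')$'

    # Windows file names are case-insensitive, so match case-insensitively.
    return [bool]($FileName -imatch $pattern)
}

# Constructed sample values for a Lenovo device (not taken from a real inventory).
$model   = '20A7CTO1WW'
$alias   = $model.Substring(0, 4)                 # "20A7"
$version = 'Lenovo ThinkPad X1 Carbon gen 2'

foreach ($name in 'drivers.zip',
                  'drivers_20A7CTO1WW.zip',
                  'drivers_20A7.zip',
                  'drivers_LenovoThinkPadX1Carbongen2.zip',
                  'drivers_Lenovo ThinkPad X1 Carbon gen 2.zip',
                  'drivers_SurfaceBook.zip') {
    $ok = Test-DriverZipName -FileName $name -Model $model -ModelAlias $alias -Version $version
    '{0,-48} {1}' -f $name, $ok
}
```

For the sample values, the first four names match and the last two do not: the spaces are stripped from Version but not from the uploaded file name, and drivers_SurfaceBook.zip belongs to a different model. Name the ZIP exactly as the stripped Model, ModelAlias or Version string, or as drivers.zip if it should apply to every model.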

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.
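The ComputerName key in step 7 accepts substitution tokens, and it helps to see the expanded result before committing a bundle. The following PowerShell is an added example, not part of the Tanium Provision scripts: it expands the %RAND:n%, %Manufacturer:n% and %SERIAL% tokens shown on the page (plus %serialnumber%, which the page uses for AdminPassword). The token grammar and the handling of unknown tokens are inferred from the page's examples and are assumptions; the 15-character NetBIOS limit it warns about is a general Windows constraint, not something the page states.

```powershell
# Added example (not from Tanium Provision): expand the ComputerName substitution
# tokens from the Key Value Entries table to preview the name a bundle would produce.
function Expand-ProvisionName {
    param(
        [Parameter(Mandatory)][string]$Template,       # e.g. 'A-%Manufacturer:3%-%SERIAL%'
        [Parameter(Mandatory)][string]$Manufacturer,
        [Parameter(Mandatory)][string]$SerialNumber
    )
    $rng = [System.Random]::new()

    # Callback for each %NAME% or %NAME:len% token. GetNewClosure() binds the
    # parameters above so the delegate can read them when Regex.Replace invokes it.
    $callback = {
        param($match)
        $name = $match.Groups['name'].Value
        $len  = $match.Groups['len'].Value
        switch ($name.ToUpperInvariant()) {
            'RAND' {
                # %RAND:10% -> ten random digits (assumed: digits only, as the page's "ten random digits").
                $n = if ($len) { [int]$len } else { 1 }
                -join (1..$n | ForEach-Object { $rng.Next(0, 10) })
            }
            'MANUFACTURER' {
                # %Manufacturer:3% -> first three characters of the manufacturer string.
                if ($len -and [int]$len -lt $Manufacturer.Length) { $Manufacturer.Substring(0, [int]$len) }
                else { $Manufacturer }
            }
            'SERIAL'       { $SerialNumber }
            'SERIALNUMBER' { $SerialNumber }
            default        { $match.Value }   # assumption: unknown tokens are left untouched
        }
    }.GetNewClosure()

    $expanded = [regex]::Replace($Template, '%(?<name>[A-Za-z]+)(?::(?<len>\d+))?%', $callback)

    # Windows limits the NetBIOS computer name to 15 characters; flag longer results
    # so the template can be shortened before the bundle is saved.
    if ($expanded.Length -gt 15) {
        Write-Warning "'$expanded' is $($expanded.Length) characters; Windows computer names are limited to 15."
    }
    return $expanded
}

# Constructed sample values (not from a real device).
Expand-ProvisionName -Template 'TAN-%RAND:10%' -Manufacturer 'Lenovo' -SerialNumber 'PF1ABC23'
Expand-ProvisionName -Template 'A-%Manufacturer:3%-%SERIAL%' -Manufacturer 'Lenovo' -SerialNumber 'PF1ABC23'
```

The second call yields A-Len-PF1ABC23 for the sample values; the first yields TAN- followed by ten random digits. If the template inserts the full serial number of a manufacturer with long serials, the warning tells you the resulting name will exceed the limit before any endpoint is deployed with it.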