Preparing OS bundle content

Before you begin

You must obtain the following content before you complete the Provision setup.

Windows

  • Windows ADK: You can download the latest Windows 11 or Windows 10 ADK files from Microsoft Documentation: Download and install the Windows ADK to use with Tanium Provision. Both the Windows ADK and the WinPE add-on must be installed. For the ADK installation, the deployment tools and User State Migration Tool (USMT) components must be installed on any supported Windows endpoint, such as Windows 10, Windows 11, or Windows Server.
  • Windows image file: You can use the install.wim file from the standard Windows media ISOs, or a custom WIM file captured after the OS was sysprepped using Microsoft Deployment Toolkit (MDT). For more information about how to acquire the WIM file from the Windows media, see Microsoft Documentation: Create a Windows 10 reference image.
  • Tanium Client installer package: Create a client configuration for Windows using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration. Download the Windows client installer bundle from the Tanium Client Management Overview page. For more information, see Tanium Client Management User Guide: Download installation packages for the Tanium Client.
  • Drivers for the models of computers that you are deploying: Each computer model needs different driver packages, which can include INF, catalog, driver, or other files. Copy these drivers and create a separate ZIP or CAB file for each model, where the file name indicates the model that the drivers are for. For example, drivers_SurfaceBook.zip or drivers_SurfaceBook.cab. For more information, see Microsoft Documentation: Components of a Driver Package.
  • Patches: (Optional) You can specify one or more OS updates or patches to inject into the OS offline, before booting into the OS for the first time.

    Use Tanium Patch to install patches after the endpoint is provisioned to save deployment time in Provision.

Linux

  • Cloud-init file: To support customizing and configuring the Linux image, Provision uses the cloud-init configuration tool. For more information, see the cloud-init website. The cloud-init tool must be installed in the Linux OS using the appropriate method for the specific OS that you want to deploy. For example:
    • AlmaLinux, CentOS, RedHat, and Rocky Linux: yum install cloud-init
    • Debian and Ubuntu: apt install cloud-init
    Two cloud-init template files are also provided in the utility.zip file that you can download from the File Downloads tab of the Provision Settings. You can use either of these files as-is, or customize them by adding any additional configuration.
    • user-data.yaml: configures the admin password and installs the Tanium Client
    • redhat.yaml: configures the admin password, installs the Tanium Client, and refreshes the RedHat subscription
  • Tanium Client installer package: Create a client configuration for Linux using Tanium Client Management. For more information, see Tanium Client Management User Guide: Create a client configuration. Download the Linux client installer bundle from the Tanium Client Management Overview page. For more information, see Tanium Client Management User Guide: Download installation packages for the Tanium Client.

Download provided files for Provision

Provision includes two ZIP files that are used in Generate the Windows ADK content, in (Optional) Create custom Windows content for Windows OS bundles, and in (Optional) Create custom Linux content for Linux OS bundles.

  1. From the Provision Overview page, click Settings and then click File Downloads.
  2. (Optional) Click scripts.zip to download the optional custom content files.

    Download this file only if you need to make modifications to the included Provision scripts.

  3. Click utility.zip to download the required scripts and related files.

Configure a Windows OS bundle

Deploying a Windows operating system using Tanium Provision requires some files from the Windows Assessment and Deployment Kit (ADK).

Generate the Windows ADK content

Ensure that you install both the Windows ADK and WinPE add-on to the computer that you are using to generate the Windows ADK content. For more information, see Before you begin: Windows.

  1. Extract the contents of the previously downloaded utility.zip file to a folder, such as C:\Users\Administrator\Documents.
  2. Open an elevated PowerShell command.
    1. Ensure that the execution of scripts is allowed by entering the following command:

      Set-ExecutionPolicy bypass

      Without a -Scope parameter, this command changes the execution policy for the LocalMachine scope, and the change persists after the ADK content is generated. The command-prompt alternative shown after step 4 applies Bypass only to that single PowerShell process.

    2. Navigate to the folder that contains the ADKPrep.ps1 script by entering the following command:

      cd C:\Users\Administrator\Documents\utility\ADKPrep

    3. (Optional) If any additional mass storage drivers are required for Windows PE, put them in an architecture-specific folder, such as C:\Users\Administrator\Documents\utility\ADKPrep\amd64\Drivers.
      These files are automatically injected into Windows PE as part of the ADKPrep.ps1 script execution.
    4. Generate the ADK zip files for the architecture that you need by entering the following command:

      .\ADKPrep.ps1 -Architecture amd64

    You can alternatively open a command prompt and enter the following command from C:\Users\Administrator\Documents\utility\ADKPrep:

    Powershell.exe -ExecutionPolicy Bypass -File .\ADKPrep.ps1 -Architecture amd64

  3. Ensure that no errors were generated.
  4. Copy the generated ADK_<architecture>.zip files to a convenient location that is easy to remember, such as C:\ProvisionFiles.

The utility.zip file also includes an Unattend folder with unattend_<architecture>.xml template files that are required to create an OS bundle. You can copy them to C:\ProvisionFiles to use in Create a Windows OS bundle.

(Optional) Create custom Windows content

You can create a ZIP file that contains at least one PowerShell script file for any custom Windows content that you want to include. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the C:\_t folder, and then automatically run any PowerShell scripts, if found.

Use the following script names, depending on when you want your scripts to run:

  • Customer-PE-Pre.ps1 - called at the start of the Windows PE phase
  • Customer-PE.ps1 - called at the end of the Windows PE phase
  • Customer-Pre.ps1 - called at the start of the full OS phase
  • Customer.ps1 - called at the end of the full OS phase

Do not name your custom ZIP file scripts.zip. If your scripts require additional files, you can include those files in your custom ZIP file.

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.

Create a Windows OS bundle

To specify the details of the OS that you want to deploy, create a Windows OS bundle.

  1. From the Provision menu, click OS Bundles and then click Create Bundle.

    You can also click Create OS Bundle from the Quick Links section of the Provision Overview page.

  2. In the Details section, provide identifying details for the bundle.
    1. Enter a name and optional description.
    2. For Platform, select Windows.
    3. Select an Operating System and Architecture.
  3. In the Files section, add required or optional files.
    1. In the OS Image WIM section, select an image index if needed and click Browse for File to select the install.wim file that you previously downloaded in Before you begin: Windows.

      For the default image, select the Image Index of 3 for Windows 10 Enterprise.

    2. In the ADK Files section, click Browse for File to select the ADK_<architecture>.zip file that you previously generated in Generate the Windows ADK content.
    3. In the Unattended XML section, click Browse for File to select the appropriate unattend_<architecture>.xml file that you previously extracted from the utility.zip file.
    4. In the Tanium Client Installation Files section, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    5. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in (Optional) Create custom Windows content.
  4. (Optional) In the Drivers and Patches section, add driver and patch files.
    1. For Drivers, click Browse for File to select each drivers_<model>.zip or drivers_<model>.cab file that you previously created in Before you begin: Windows.
      Driver files are downloaded and used only when they match the following regular expression:
      drivers.(zip|cab)|drivers_%Model%.(zip|cab)|drivers_%ModelAlias%.(zip|cab)|drivers_%Version%.(zip|cab)

      where Model is the computer model, ModelAlias is the first four characters of Lenovo model IDs, and Version is generally a descriptive model string, such as Lenovo ThinkPad X1 Carbon gen 2.

      Any spaces in the Model or Version strings are removed prior to checking against the regular expression.

      To get the Model, ModelAlias, and Version strings, you can run the following PowerShell commands:

      Model:
      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Replace(" ","")

      ModelAlias:
      (Get-ComputerInfo | Select-Object -ExpandProperty CsModel).Substring(0,4)

      Version:
      (Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty Version).Replace(" ","")

    2. For Patches, click Browse for File to select each patch file (.msu file name extension) that you previously gathered in Before you begin: Windows.
  5. (Optional) In the Key Value Entries section, click Add Key Value Pair to add key value pairs. For more information about the available key value pairs, see Reference: Provision key value pair options.
  6. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.
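The following PowerShell is an added example and not Tanium's own code: it reproduces the driver-file matching rule from step 4 so that you can check candidate file names before you upload them. It strips spaces from Model and Version, takes the first four characters of the model ID as ModelAlias, builds the regular expression shown above, and tests a list of constructed file names. The model and version values are taken from the Lenovo example in Reference: Read-only variables; on real hardware they come from the Get-ComputerInfo and Win32_ComputerSystemProduct commands above.

```powershell
# Added example, not part of Tanium Provision: predict which driver files an
# endpoint will match, following the rule described in the OS bundle steps.
function Get-DriverFilePattern {
    param(
        [Parameter(Mandatory)] [string] $Model,    # CsModel, e.g. 30E0CTO1WW
        [Parameter(Mandatory)] [string] $Version   # SMBIOS version string
    )
    # Spaces are removed from Model and Version before matching. ModelAlias is
    # the first four characters of the model ID, as in the page's command.
    $m  = $Model.Replace(' ', '')
    $ma = if ($Model.Length -ge 4) { $Model.Substring(0, 4) } else { $Model }
    $v  = $Version.Replace(' ', '')
    # The substituted values are regex-escaped (my assumption; the page does
    # not say). The '.' before the extension is left unescaped, as on the page.
    'drivers.(zip|cab)|drivers_{0}.(zip|cab)|drivers_{1}.(zip|cab)|drivers_{2}.(zip|cab)' -f `
        [regex]::Escape($m), [regex]::Escape($ma), [regex]::Escape($v)
}

function Test-DriverFileName {
    param(
        [Parameter(Mandatory)] [string]   $Model,
        [Parameter(Mandatory)] [string]   $Version,
        [Parameter(Mandatory)] [string[]] $FileName
    )
    $pattern = Get-DriverFilePattern -Model $Model -Version $Version
    foreach ($f in $FileName) {
        # -match is case-insensitive by default.
        [pscustomobject]@{ FileName = $f; Matches = [bool]($f -match $pattern) }
    }
}

# Constructed file names, checked against the model/version example from
# Reference: Read-only variables (model 30E0CTO1WW, version ThinkStation P620).
$candidates = @(
    'drivers.zip',                      # generic: always matches
    'drivers_30E0CTO1WW.cab',           # full model ID
    'drivers_30E0.zip',                 # ModelAlias (first four characters)
    'drivers_ThinkStationP620.zip',     # Version with spaces removed
    'drivers_ThinkStation P620.zip',    # space in the file name: no match
    'drivers_SurfaceBook.zip'           # another model: no match
)
Test-DriverFileName -Model '30E0CTO1WW' -Version 'ThinkStation P620' -FileName $candidates |
    Format-Table -AutoSize
```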

Configure a Linux OS bundle

Deploying a Linux operating system using Tanium Provision requires capturing an image of a complete Linux installation.

The following Linux distributions and versions are supported by Provision:

  • AlmaLinux 8.6, 9
  • CentOS 7, 8, 9, Stream
  • Debian 11
  • RHEL 8.5, 8.6, 9
  • Rocky Linux 8.6, 9
  • Ubuntu 22.04

The following Linux distributions are not supported by Provision:

  • Amazon Linux
  • IBM AIX
  • Oracle Solaris
  • SUSE (SLES)

Linux OS bundles can be used only to refresh Windows endpoints to Linux. Re-imaging a Linux endpoint with a Linux OS bundle is not supported.

Capture the OS image

Provision supports the default disk layouts for each OS that is captured and deployed:

  • AlmaLinux, CentOS, RedHat, and Rocky Linux: LVM and XFS file systems
  • Debian and Ubuntu: a single Ext4 partition that contains the entire OS

If you capture a Linux image with a swap file enabled, deploying that image might fail because the swap file is no longer available. Before you capture the image, disable the swap file. For example, on AlmaLinux, CentOS, RedHat, and Rocky Linux, use the swapoff -a command.

After you configure your Linux OS, you can use Provision to capture the OS into an image file.

Ensure that the capture image disk size is at least 55 GB.

  1. Boot the computer, using either the media or PXE options, into the Tanium Provision boot image.
  2. After connecting to a network, click Capture Linux.
  3. Enter a File name with a .fsa file extension.
  4. Enter the UNC (SMB/CIFS) path where you want the image file to be created.
  5. Enter the User name and Password credentials to establish a connection with the SMB path and then click CAPTURE.
  6. After the capture process completes, you can reboot the computer back into the OS, which is not modified during the capture process.

(Optional) Create custom Linux content

For any custom Linux content that you want to include, you can create a ZIP file that contains a script file that can be referenced in the cloud-init. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the _t folder, and then automatically run the script, if found.

Do not name your custom ZIP file scripts.zip. If your script requires additional files, you can include those files in your custom ZIP file.

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.

Create a Linux OS bundle

To specify the details of the OS that you want to deploy, create a Linux OS bundle.

  1. From the Provision menu, click OS Bundles and then click Create Bundle.

    You can also click Create OS Bundle from the Quick Links section of the Provision Overview page.

  2. In the Details section, provide identifying details for the bundle.
    1. Enter a name and optional description.
    2. For Platform, select Linux.
    3. Select an Operating System and Architecture.
  3. In the Files section, add required or optional files.
    1. In the OS Image FSA section, click Browse for File to select the FSA file that you previously created in Capture the OS image.
    2. In the Cloud-init section, click Browse for File to select the cloud-init file that you previously prepared in Before you begin: Linux.
    3. In the Tanium Client Installation Files section, click Browse for File to select the ZIP file that you previously downloaded from Tanium Client Management.
    4. (Optional) For Script and Other Files, click Browse for File to select the custom ZIP file that you previously created in (Optional) Create custom Linux content.
  4. (Optional) In the Key Value Entries section, click Add Key Value Pair to add key value pairs. For more information about the available key value pairs, see Reference: Provision key value pair options.
  5. Click Save.

Depending on connection speeds, uploading this content could take some time. After the upload is complete, it can take several more minutes before the OS bundle is available to use.

Manage OS bundles

You can manage OS bundles from the Provision OS Bundles page.

Edit an OS bundle

To edit an OS bundle, select a bundle and then click Edit.

View OS bundle details

To view OS bundle details on the OS Bundles page, click Additional Data next to the OS bundle.

Additionally, you can download any of the bundle files from this view by clicking Download next to available file names.

Until the bundle has a Ready status, the download icon is grayed out and inactive. You can view the status of a bundle from the OS Bundles page.

Clone an OS bundle

To make a copy of an existing OS bundle, select an OS bundle, click More, and then click Duplicate. The OS bundle name is automatically prepended with Clone:, but you can make any changes before you click Save.

Delete an OS bundle

To delete an OS bundle, select one or more OS bundles and click Delete.

You cannot delete the last OS bundle that is assigned to a Provision endpoint.

Download Windows files directly from Microsoft

For Windows bare metal or OS refresh deployments, the content for that deployment is downloaded from the Tanium PXE service, which runs on a corporate network. For deployments over the internet or in situations where the connection to the internet is faster than the connection to the Tanium PXE service, you can alternatively configure Provision to download the Windows OS system image file directly from the Microsoft Windows Update servers.

Tanium Provision 1.3 or later is required. You must also use an updated ADK_<architecture>.zip file that was generated using the latest ADKPrep.ps1 script (the one shipped with that version or later).

To configure direct download, modify or configure an OS bundle and specify the properties that tell Provision which OS image to download and apply.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair and select DirectDownload from the Key drop-down list.
  2. For the Value field, enter a JSON string in the following format:
    {"build":"<build>","arch":"<architecture>","lang":"<language>","edition":"<edition>"}
    where:
    • build specifies the Windows build number (example: 19044 is Windows 10 21H2 or 22000 is Windows 11 21H2)
    • arch specifies the machine architecture (x64, x86, or a64)
    • lang specifies one of the available Windows language codes (example: en-us)
    • edition specifies the edition from the downloaded image file (example: Pro, Enterprise, or Education)

For example, {"build":"22000","arch":"x64","lang":"en-us","edition":"Enterprise"} tells Provision to automatically download the most recent image that matches the build, architecture, and language (64-bit Windows 11 21H2 in US English). The edition is then used to find the appropriate image index within that image, in this case Enterprise.

To verify which image was downloaded, check the download.log file after the deployment is complete. To verify which image index was selected, check the provision-pe.log file. If any errors occurred while attempting to find a direct download image, Provision automatically uses the image that is specified in the OS bundle.

Download OS refresh files with the Tanium Client

During OS refresh deployments, you can configure endpoints to use the Tanium Client to download the files instead of downloading them directly from the PXE endpoint.

Network connectivity between these endpoints and the PXE endpoint is still required.

To configure endpoints to use the Tanium Client for downloads, modify or configure an OS bundle and specify the OS Refresh: UseTaniumClient key value pair.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair.
  2. For the Key field, select OS Refresh: UseTaniumClient.
  3. For the Value field, enter Yes.

Change the display order of bundles in the PXE boot menu

By default, OS bundles are listed in alphabetical order by bundle name in the PXE boot menu. You can change the default sort order in the Settings.

  1. From the Provision Overview page, click Settings and then click Global Key Values.
  2. In the OS Bundle Selection section, configure the following details.
    1. Select the default sort order by: Name, Bundle ID, or Description. The default is Name.
    2. Select how long to wait before automatically choosing the default keyboard layout: Never, 30 seconds, 1 minute, or 5 minutes. The default selection is 30 seconds.
    3. Select how long to wait before automatically choosing the default network configuration: Never, 30 seconds, 1 minute, or 5 minutes. The default selection is 30 seconds.
    4. (Optional) To specify a required installation confirmation code before the OS bundle installation can continue, enter an Installation Confirmation Code.
    5. To specify a bundle to be selected by default, select Enable automated OS bundle selection and then select an OS Bundle and OS Bundle Timeout.
  3. (Optional) If you want to store your boot image files in Microsoft Azure storage, configure the details in the Azure Authentication section. For more information, see Microsoft Documentation: Azure Storage documentation.
    1. Select Enable Azure storage integration.
    2. Enter the Client ID, Tenant ID, and Azure Blob URL.
  4. (Optional) If you want to define web service calls to make while provisioning an endpoint, enter a semicolon-separated list of HTTP GET or POST requests in the Web Service Integration section.

Reference: Provision key value pair options

The following key value pair options are configurable in OS bundles.

Key Description
AdminPassword

The password for the local Administrator account.

-%serial% is automatically appended to the end of the password.

BitLocker

(Windows) A value to enable BitLocker drive encryption during pre-provisioning, prior to the OS image being applied. If the value XTS-AES-256 is specified, the encryption level is set to that value before initializing BitLocker encryption on the device. Any other value encrypts the drive using the default XTS-AES-128 encryption.

If a value is not specified, BitLocker pre-provisioning is not performed and the drive is unencrypted.

ComputerName

The computer name is set to the value that you specify. ComputerName also supports variable substitution, such as TAN-%RAND:10% to generate a name with ten random digits, or more complex names like A-%manufacturer:3%-%serial% to generate a name in which the first three characters of the manufacturer are combined with the complete serial number.

Do not use this format for virtual machines.

If a value is not specified, the computer name is randomly generated.

For more information, see Reference: Read-only variables.
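The following PowerShell is an added example, not Tanium's implementation: it expands a ComputerName template using the %variable%, %variable:N% and %RAND:N% syntax described above and then checks the result against the 15-character NetBIOS computer-name limit, which is worth doing because a template such as A-%manufacturer:3%-%serial% exceeds it when the serial number is long. The variable values are constructed; during a deployment they are the read-only variables listed in Reference: Read-only variables.

```powershell
# Added example, not part of Tanium Provision: expand a ComputerName template
# and check the resulting name before using it in an OS bundle.
function Expand-ComputerNameTemplate {
    param(
        [Parameter(Mandatory)] [string]    $Template,
        [Parameter(Mandatory)] [hashtable] $Variables   # name -> value
    )
    # Tokens are %name% or %name:N%; N keeps the first N characters of the
    # value, and %RAND:N% yields N random digits (both as described above).
    $pattern = '%([A-Za-z]+)(?::(\d+))?%'
    $out = [System.Text.StringBuilder]::new()
    $pos = 0
    foreach ($m in [regex]::Matches($Template, $pattern)) {
        [void]$out.Append($Template.Substring($pos, $m.Index - $pos))
        $name   = $m.Groups[1].Value
        $length = if ($m.Groups[2].Success) { [int]$m.Groups[2].Value } else { 0 }
        if ($name -ieq 'RAND') {
            $n = if ($length -gt 0) { $length } else { 1 }
            $value = -join (1..$n | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
        } elseif ($Variables.ContainsKey($name)) {
            $value = [string]$Variables[$name]
            if ($length -gt 0 -and $value.Length -gt $length) {
                $value = $value.Substring(0, $length)
            }
        } else {
            throw "Unknown variable %$name% in template '$Template'"
        }
        [void]$out.Append($value)
        $pos = $m.Index + $m.Length
    }
    [void]$out.Append($Template.Substring($pos))
    $out.ToString()
}

function Test-ComputerName {
    param([Parameter(Mandatory)] [string] $Name)
    # Windows limits the NetBIOS computer name to 15 characters (longer names
    # are truncated) and rejects these characters in computer names.
    [pscustomobject]@{
        Name     = $Name
        Length   = $Name.Length
        TooLong  = $Name.Length -gt 15
        BadChars = $Name -match '[\\/:*?"<>|\s]'
    }
}

# Constructed stand-ins for the read-only variables; real values come from
# SMBIOS at deployment time.
$vars = @{ manufacturer = 'LENOVO'; model = '30E0CTO1WW'; serial = 'SN0123456' }
foreach ($template in 'TAN-%RAND:10%', 'A-%manufacturer:3%-%serial%', 'WS-%model%-%serial%') {
    Test-ComputerName -Name (Expand-ComputerNameTemplate -Template $template -Variables $vars)
}
```

With the constructed values, the first two templates stay within 15 characters (the second exactly), while WS-%model%-%serial% produces a 23-character name that would be truncated.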

DirectDownload

(Windows) A JSON string of properties to download Windows system OS image files directly from Microsoft.

For more information, see Download Windows files directly from Microsoft.

DomainName

(Windows) If an ODJService value is specified, specify the domain to join.

Migrate

(Windows) For an OS refresh, specify no to skip the USMT capture/restore.

ODJService

(Windows) The URL of the ODJ service, such as https://myServer.myDomain.com:myPort/getblob.

If a value is not specified, domain join is not performed.

Offline Domain Join: CertTemplate

(Windows) Specify this key with the name of the certificate template to use when generating a new certificate in the ODJ blob for the computer.

For more information, see (Optional) Add certificates and group policy templates.

Offline Domain Join: IncludeRootCerts

(Windows) Specify this key with a value of 1 to include root certificates in Active Directory in the generated ODJ blob.

For more information, see (Optional) Add certificates and group policy templates.

Offline Domain Join: PolicyNames

(Windows) Specify this key with the list of group policy objects to include in the ODJ blob for the computer.

For more information, see (Optional) Add certificates and group policy templates.

OS Refresh: UseTaniumClient

For OS refresh bundles, specify this key with a value of Yes to download files with the Tanium Client instead of from the PXE endpoint.

For more information, see Download OS refresh files with the Tanium Client.

OU

(Windows) If an ODJService value is specified, specify the OU where you want the device to be created, such as OU=MyComputerOU,DC=myDomain,DC=com.

Do not use double quotes.

Tags

A comma-delimited list of tags to be added to the Tanium Client during the deployment process.

If a value is not specified, only an OSD tag is added.

Timezone

(Windows) A Windows time zone string to set on the endpoint, such as Eastern Standard Time.

WaitFor

A path or file to wait for; Provision waits until that path or file exists. For example, C:\Program Files\PuTTY.

Specify CX to wait for the Tanium Deploy and Tanium Patch CX files to be installed.

If you want to prompt for values during the deployment process, click Prompt when you add a key value pair. You can then enter additional details such as a label and optional help text, and select the input type: simple text input, dropdown list, or checkbox. Depending on which input type you select, you can configure the following options:
  • Text: (optional) Max Characters and (optional) Validation Expression
  • Dropdown: (required) Values
  • Checkbox: (no additional options)

Reference: Read-only variables

The following read-only OS bundle variables are automatically defined at the start of the Provision process.

Variable Description
anchor

The URL of the Tanium PXE server that is currently in use.

asset

The asset tag of the computer.

architecture

The architecture of the computer/OS.

Example: X64, X86, or ARM64

manufacturer

The manufacturer of the computer or virtual machine.

Example: LENOVO

model

The model of the computer or virtual machine.

Example: Latitude E5400

refresh

When set to true, specifies a refresh deployment. The existing OS is wiped and a new OS is applied.

serial

The serial number of the computer.

uefi

Specifies whether the computer is using UEFI (true) or not (false).

uuid

The SMBIOS UUID (a GUID that uniquely identifies the device, assigned by the manufacturer) of the computer.

version

The version field from SMBIOS, which is often a friendly name for the specified computer model, typically on Lenovo computers.

Example: ThinkStation P620 (where the model is 30E0CTO1WW)