Provisioning endpoints

Deploy the Tanium PXE service

You can deploy the Tanium PXE service to one or more endpoints. These endpoints can be running Windows, Windows Server, macOS, or Linux.

Deploy the Tanium PXE service on trusted networks where measures are implemented to prevent unauthorized access to booting machines and the Tanium PXE server.

  1. Configure PXE settings if needed.
  2. From the Provision menu, click Provision Endpoints and then click Create Provision Endpoint.

    You can also click Create Provision Endpoint from the Quick Links section of the Provision Overview page.

  3. In the Satellite Endpoints section, select one or more satellites or click Create Satellite to create one in Direct Connect. For more information, see Tanium Direct Connect: Create satellites.

  4. In the Features section, select Preboot Execution Environment (PXE).

    Content Caching is automatically selected for PXE endpoints. You can create a Provision Endpoint with only Content Caching selected, but content caching by itself is useful only when a Provision Endpoint is located in a cloud-hosted environment or a DMZ (edge endpoint) where you need access to the content but are not able to PXE boot.

  5. In the OS Bundles section, select one or more OS bundles and then click Save and Deploy Now.

The required service and related files are deployed automatically using Tanium Endpoint Configuration.

This process can take several minutes. The Provision Endpoints page is updated when the process is complete.

After you create and deploy a Provision endpoint, you can PXE-boot endpoints on that network segment. The deployed Tanium PXE service detects the PXE boot request and responds with the required information.

If you have more than one PXE server in the same local network, the first PXE server to respond to the PXE boot request might not be the expected Tanium PXE service. For more information, see Error: PXE boot does not boot to the Tanium PXE service.

Initiate PXE network boot

To initiate the PXE network boot process, press one or more keys during the device power-on sequence; the keys vary by manufacturer. For example, on a Lenovo device, you must select the Enter key and then F12 to get to a boot menu where you can choose the PXE boot (IPv4) option.

After a PXE response is sent, a Grand Unified Bootloader (GRUB) loader screen displays for a few seconds before the Linux boot environment is downloaded and boots. After it initializes, the deployment wizard prompts you to begin the provisioning process.

(Optional) Wipe the drive

You can optionally wipe the drive during a PXE boot and either shut down or display a summary screen when the wipe is completed.

  1. From the boot menu, click Wipe.
  2. Select the number of passes. You can configure 1-25 passes.
  3. To shut down the system after the wipe is complete, select the Shutdown when complete option.

    To display a summary screen after the wipe is complete, do not select this option.

(Optional) Configure DHCP scope options

If you need to specify DHCP scope options, use DHCP/bootp helpers to ensure that the DHCP and PXE requests are forwarded to the Tanium PXE computer or network segment.

In rare scenarios, depending on your network requirements, you might need to configure DHCP Option 66 and Option 67 if IP Helper is not available on the router and the endpoint is not in the same broadcast domain as the Tanium PXE server.

  • DHCP Option 66: IP or DNS name of the PXE endpoint
  • DHCP Option 67: boot file name (Example: \shimx64.efi)

Note that these options do not distinguish UEFI clients from non-UEFI (legacy BIOS) clients: BIOS clients require lpxelinux.0 as the boot file name instead of shimx64.efi, so a single Option 67 value serves only one firmware type.
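For the UEFI versus BIOS case described above, the following Windows DHCP Server commands are an added example, not part of the Tanium documentation: they create DHCP policies keyed on the PXE vendor class (DHCP Option 60 with the client architecture identifier from RFC 4578) so that each firmware type receives its own Option 67 value. The scope ID, the PXE server address, and the class and policy names are assumptions.

```powershell
# Added example: hand out a different boot file per firmware type from a Windows DHCP Server.
# Assumptions (not from the page): scope 10.1.2.0/24, Tanium PXE server 10.1.2.3, and the
# class/policy names below. Run in an elevated session on the DHCP server (DhcpServer module).
$ScopeId = "10.1.2.0"
$PxeHost = "10.1.2.3"

# Option 66 (PXE server) is the same for every client, so set it once at scope level.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66 -Value $PxeHost

# Vendor classes keyed on the PXE client architecture advertised in Option 60.
# Only the prefix is stored; the "*" in each policy condition matches the ":UNDI:..." suffix
# that real clients append (for example "PXEClient:Arch:00007:UNDI:003016").
Add-DhcpServerv4Class -Name "PXEClient (BIOS x86)" -Type Vendor -Data "PXEClient:Arch:00000" -Description "Legacy BIOS PXE clients"
Add-DhcpServerv4Class -Name "PXEClient (UEFI x64)" -Type Vendor -Data "PXEClient:Arch:00007" -Description "UEFI x64 PXE clients"
Add-DhcpServerv4Class -Name "PXEClient (UEFI x64 BC)" -Type Vendor -Data "PXEClient:Arch:00009" -Description "UEFI x64 (EFI BC) PXE clients"

# Legacy BIOS clients: Option 67 = lpxelinux.0
Add-DhcpServerv4Policy -Name "PXE-BIOS" -ScopeId $ScopeId -Condition OR `
    -VendorClass EQ,"PXEClient (BIOS x86)*"
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName "PXE-BIOS" -OptionId 67 -Value "lpxelinux.0"

# UEFI x64 clients (architecture 7 or 9): Option 67 = \shimx64.efi
Add-DhcpServerv4Policy -Name "PXE-UEFI" -ScopeId $ScopeId -Condition OR `
    -VendorClass EQ,"PXEClient (UEFI x64)*",EQ,"PXEClient (UEFI x64 BC)*"
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName "PXE-UEFI" -OptionId 67 -Value "\shimx64.efi"

# Verification: list the boot file each policy in the scope hands out.
Get-DhcpServerv4Policy -ScopeId $ScopeId | ForEach-Object {
    $opt67 = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $_.Name -OptionId 67
    "{0,-10} -> {1}" -f $_.Name, ($opt67.Value -join ",")
}
```

Clients whose architecture matches neither policy fall back to the scope-level options, so leave Option 67 unset at scope level if you want such clients to be refused a boot file rather than given the wrong one.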

Create bootable USB media for deployments

To create bootable USB media for Unified Extensible Firmware Interface (UEFI) devices, use the USBKey.ps1 script that you previously extracted from the utility.zip file in Download provided files for Provision.

Make sure that your USB media is at least 1 GB in size.

  1. Open a command prompt and navigate to the folder that contains the USBKey.ps1 script, such as C:\Users\Administrator\Documents\utility\USBKey.
  2. Choose how you want to run the USBKey.ps1 script:
    • If you want to get the USB content from the Tanium PXE server at the specified IP address and write that content to the USB key at the specified drive, run the script with the -TPXEHost and -Destination parameters. For example:

      Powershell.exe -ExecutionPolicy Bypass -File .\USBKey.ps1 -TPXEHost 10.1.2.3 -Destination D:

    • If you want to get the USB content from the Tanium PXE server at the specified IP address and write that content to an ISO file at the specified path, run the script with the -TPXEHost and -Destination parameters and specify the ISO file name. For example:

      Powershell.exe -ExecutionPolicy Bypass -File .\USBKey.ps1 -TPXEHost 10.1.2.3 -Destination C:\Media.iso

    • If you want to get the USB content from the Tanium PXE server at the specified IP address, but configure the USB key to pull the content from an alternate IP address during the boot process, run the script with the -TPXEHost, -AnchorHost, and -Destination parameters. For example:

      Powershell.exe -ExecutionPolicy Bypass -File .\USBKey.ps1 -TPXEHost 10.1.2.3 -AnchorHost 10.1.5.1 -Destination D:

    • If you want to specify the BundleID of the bundles to include on the USB media, run the script with the -TPXEHost, -Destination, and -Bundles parameters. You can find the BundleID in View OS bundle details. For example:

      Powershell.exe -ExecutionPolicy Bypass -File .\USBKey.ps1 -TPXEHost 10.1.2.3 -Destination D: -Bundles 1,2,3

      If any of the OS bundles that you specify includes an ODJService or AdminPassword setting, the script returns the following error: Bundle requires network connectivity to a Tanium PXE server. Specify -Force to generate the media anyway. To generate the media anyway, specify the -Force parameter. When you deploy with this media, if network connectivity is not established, then the ODJ and admin password logic is bypassed, so the computer ends up in a workgroup. The local Administrator account is enabled with the password set to **restricted**-%serial% where %serial% is replaced with the serial number of the machine.

      For isolated endpoints without network connectivity, using OS bundles that include an ODJService or AdminPassword setting is not supported.

  3. The script reformats and labels the USB key with a default label of PROVISION and then downloads the required boot files from the specified PXE server. After the script finishes, eject the USB device and use it to boot a physical device.

To boot the device from USB media, you must select one or more keys during the device power-on sequence, which varies by manufacturer. For example, on a Lenovo device, you must select the Enter key and then F12 to get to a boot menu where you can choose the USB key.

Refresh an existing operating system

To refresh an existing operating system, including user state migration, create an OS refresh deployment.

Linux OS bundles can be used to perform bare-metal Linux provisioning or to refresh Windows endpoints to Linux. Re-imaging a Linux endpoint with a Linux OS bundle is not supported.

  1. Create an OS bundle if needed.
  2. From the Provision menu, click OS Refresh Deployments and then click Create OS Refresh Deployment.

    You can also click Create OS Refresh Deployment from the Quick Links section of the Provision Overview page.

  3. In the Deployment Overview section, enter a name and optional description.
  4. In the Deployment Details section, configure the following details.
    1. For Content to deploy, select a bundle.
    2. For Endpoints to target, choose the targeting criteria: computer groups, filter question, or computer names.
    3. (Optional) For Deployment type and schedule, review the details and click Edit if you need to make any changes.
  5. Click Preview To Continue, review the Deployment Preview details, and then click Deploy.

You can also create a deployment from the OS Bundles page by selecting an OS bundle, clicking More, and then clicking Deploy to Existing Endpoints.

To edit an OS refresh deployment, select a deployment and then click Edit.

Monitor a deployment

You can monitor deployments from either the OS Refresh Deployments page or with the Tanium Provision - Deployment Progress sensor.

Monitor deployment progress on endpoints

  1. From the Provision menu, click OS Refresh Deployments.
  2. To view deployment progress, choose one of the following options.
    1. (Optional) To view the Deployment Progress on Endpoints, click Expand next to a deployment.
    2. (Optional) To view additional Status and Deployment Details, click the name of a deployment.

    You can also click each of the Running, Complete, or Failed statuses to view additional details in Interact.

Monitor in-progress deployments from the Tanium PXE server

To monitor in-progress deployments and deployments that completed in the last 48 hours, ask the following question in Interact:

Get Tanium Provision - Deployment Progress?maxAge=50 from all machines with Tanium Provision - Deployment Progress:Source equals Tanium PXE

View historical deployment information from deployed clients

To see historical information on clients that were deployed by Provision, ask the following question in Interact:

Get Tanium Provision - Deployment Progress?maxAge=50 from all machines with Tanium Provision - Deployment Progress:Source equals Client

View PXE endpoint details

To view PXE endpoint details on the Provision Endpoints page, click Additional Data next to the endpoint.

Remove the PXE service from endpoints

  1. From the Provision menu, click Provision Endpoints.
  2. Select one or more endpoints and then click Delete.