Reference: Variables and advanced customization

Each OS bundle contains a list of key value pairs, which are settings that control the flow or processing of the OS bundle itself. In addition to the predefined settings listed in Provision key value pair options, you can also add custom variables. These custom variables are not used by the default Tanium Provision scripts, but they can be combined into variables that are used by the scripts, or they can be used in your own scripts.

Provision key value pair options

The following key value pair options are configurable in OS bundles. If you want to prompt for a user to enter or select values for any keys instead of configuring set values, see Prompt for information during deployment.

Key	Description
AdminPassword	The password for the local Administrator account password. -%serial% is automatically appended to the end of the password.
BitLocker	(Windows) A value to enable BitLocker drive encryption during pre-provisioning, prior to the OS image being applied. If the value XTS-AES-256 is specified, the encryption level is set to that value before initializing BitLocker encryption on the device. Any other value encrypts the drive using the default XTS-AES-128 encryption. If a value is not specified, BitLocker pre-provisioning is not performed and the drive is unencrypted.
ComputerName	The computer name is set to the value that you specify. ComputerName also supports variable substitution, such as TAN-%RAND:10% to generate a name with ten random digits, or more complex names like A-%manufacturer:3%-%serial:-5% to generate a name where the first three characters of the manufacturer are inserted with the last five characters of the serial number. Do not use this format for virtual machines. If a value is not specified, the computer name is randomly generated. For more information, see Read-only variables.
DirectDownload	(Windows) A JSON string of properties to download Windows system OS image files directly from Microsoft. For more information, see Download Windows files directly from Microsoft.
DomainName	(Windows) If an ODJService value is specified, specify the domain to join.
Migrate	(Windows) For an OS refresh, specify no to skip the USMT capture/restore.
ODJService	(Windows) The URL of the ODJ service, such as https://myServer.myDomain.com:myPort/getblob. If a value is not specified, domain join is not performed.
Offline Domain Join: CertTemplate	(Windows) Specify this key with the name of the certificate template to use when generating a new certificate in the ODJ blob for the computer. For more information, see (Optional) Add certificates and group policy templates.
Offline Domain Join: IncludeRootCerts	(Windows) Specify this key with a value of 1 to include root certificates in Active Directory in the generated ODJ blob. For more information, see (Optional) Add certificates and group policy templates.
Offline Domain Join: PolicyNames	(Windows) Specify this key to the list of group policy objects to include in the ODJ blob for the computer. For more information, see (Optional) Add certificates and group policy templates.
OS Refresh: UseTaniumClient	For OS refresh bundles, specify this key with a value of Yes to download files with the Tanium Client instead of from the PXE endpoint. For more information, see Download OS refresh files with the Tanium Client.
OU	(Windows) If an ODJService value is specified, specify the OU where you want the device to be created, such as OU=MyComputerOU,DC=myDomain,DC=com. Do not use double quotes.
RebootAndRerun	Manually specify this variable to restart and rerun the Customer.ps1 script as many times as necessary. For more information, see Example: Restart and rerun the Customer.ps1 script.
Tags	A comma-delimited list of tags to be added to the Tanium Client during the deployment process. If a value is not specified, only an OSD tag is added.
Timezone	(Windows) A Windows time zone string, such as Eastern Standard Time to be set on the endpoint.
WaitFor	A path or file to wait for that path or file to exist, such as C:\Program Files\PuTTY. Specify CX to wait for the Tanium Deploy and Tanium Patch CX files to be installed.
WebService	Manually specify this key to define web service calls prior to customizing OS bundle values. For more information, see Get settings from an external web service.
WebServicePost	Manually specify this key to define web service calls after customizing OS bundle values. For more information, see Get settings from an external web service.

Read-only variables

The following read-only OS bundle variables are automatically defined at the start of the Provision process.

Variable	Description
anchor	The URL of the Tanium PXE server that is currently in use.
asset	The asset tag of the computer.
architecture	The architecture of the computer/OS. Example: X64, X86, or ARM64
chassis	The string representing the chassis type. Example: DESKTOP, LAPTOP, or SERVER
chassis_type	The chassis type that is specified by WMI/DMI for the machine. Example: 3 for desktop, 8 for laptop, or 23 for server
ExecutionPass	The number of times the Customer.ps1 script ran. This variable is automatically incremented by one each time the script is called. For more information, see Example: Restart and rerun multiple times.
is_desktop	Set to true if the device is a desktop (based on chassis_type).
is_laptop	Set to true if the device is a laptop (based on chassis_type).
is_server	Set to true if the device is a server (based on chassis_type).
manufacturer	The manufacturer of the computer or virtual machine. Example: LENOVO
model	The model of the computer or virtual machine. Example: Latitude E5400
refresh	When set to true, specifies a refresh deployment. The existing OS is wiped and a new OS is applied.
serial	The serial number of the computer.
uefi	Specifies whether the computer is using UEFI (true) or not (false).
uuid	The SMBIOS UUID (a GUID that uniquely identifies the device, assigned by the manufacturer) of the computer.
version	The version field from SMBIOS, which is often a friendly name for the specified computer model, typically on Lenovo computers. Example: ThinkStation P620 (where the model is 30E0CTO1WW)

Prompt for information during deployment

If you want to prompt for values during the deployment process, click Prompt when you add a key value pair. You can then enter additional details such as label, optional help text, and select the input type which supports simple text input, dropdown lists, and checkboxes. Depending on which input type you select, you can configure the following options:

Text: (optional) Max Characters and (optional) Validation Expression
Dropdown: (required) Values
Checkbox: (no additional options)

Additionally, if you select the Dropdown input type, you can select the Enable multiple value selection option to allow for multiple selections. If you want to allow only a single selection, do not select this option.

Change the display order of bundles in the PXE boot menu

By default, OS bundles are listed in alphabetical order by bundle name in the PXE boot menu. You can change the default sort order in the Settings .

For more information, see Configure OS bundle behavior.

Get settings from an external web service

Provision supports getting settings through the ability to call one or more web services. These web services can take the information that is provided and return a list of additional settings or override existing settings. The following web service settings are supported:

Web Service URLs global setting: called prior to the display of the OS bundle list in the Tanium Provision wizard
WebService bundle variable: called after selecting an OS bundle, but before any customization prompts
WebServicePost bundle variable: called after the customization prompts, which enables calculations of other variables based on values that are entered by the user during customization

These web services are specified by their URL, and the URL can contain variables. Both GET and POST methods are supported by specifying the method as a prefix to the URL. If no prefix is specified, then GET is the default method.

For a GET request, any available variable can be provided to the web service as a query parameter in the URL, so you must explicitly specify each value that the web service requires.

For a POST request, all current variables are passed to the web service as a JSON-encoded body.

Example: Two web services

If you want to call two web services, you can specify a WebService setting as follows:

https://myServer/GetSettings?model=%Model%;POST https://myServer/DoProcessing

Example: Static file

Because a web services is basically a web request that returns a JSON response, you can also use static files that are returned by a GET request. If you specify a WebService URL of https://myServer/%Model%.json and the model of the current endpoint is Virtual Machine, then Provision makes a GET request to https://myServer/Virtual Machine.json. If the web server contains a file by that name, then you can put settings in that file. For example, you can specify that all virtual machines get a specific time zone as follows:

{
	"TimeZone": "GMT Standard Time"
}

Download Windows files directly from Microsoft

For Windows bare metal or OS refresh deployments, the content for that deployment is downloaded from the Tanium PXE service, which runs on a corporate network. For deployments over the internet or in situations where the connection to the internet is faster than the connection to the Tanium PXE service, you can alternatively configure Provision to download the Windows OS system image file directly from the Microsoft Windows Update servers.

Before you begin

Ensure that you meet the following prerequisites:

Tanium Provision 1.3 or later is required, along with an updated ADK_<architecture>.zip file that was generated using the ADKPrep.ps1 script from that version.
You must use an updated ADK_<architecture>.zip file that was generated using the latest ADKPrep.ps1 script.
Unauthenticated outbound Internet access to *.download.windowsupdate.com on TCP port 80 and content.tanium.com on TCP port 443 is required. If content filters, proxies, firewalls, or other security hardware or software are used to restrict Internet access in your environment, your security administrator might need to allow access.

Configure direct download

To configure direct download, modify or configure an OS bundle and specify the properties that tell Provision which OS image to download and apply.

In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair and select DirectDownload from the Key drop-down list.
For the Value field, enter the example JSON string:
{"build":"<build>","arch":"<architecture>","lang":"<language>","edition":"<edition>"}
where:
- build specifies the Windows build number (example: 19044 is Windows 10 21H2 or 22000 is Windows 11 21H2)
- arch specifies the machine architecture (x64, x86, or a64)
- lang specifies one of the available Windows language codes (example: en-us)
- edition specifies the edition from the downloaded image file (example: Pro, Enterprise, or Education)

For example, {"build":"22000","arch":"x64","lang":"en-us","edition":"Enterprise"} tells Provision to automatically download the most recent image that matches the build, architecture, and language. The edition is then used to find the appropriate image index within that image: 64-bit Windows 11 21H2 Enterprise for English CPUs.

To verify which image was downloaded, check the download.log file after the deployment is complete. To verify which image index was selected, check the provision-pe.log file. If any errors occurred while attempting to find a direct download image, Provision automatically uses the image that is specified in the OS bundle.

Download OS refresh files with the Tanium Client

During OS refresh deployments, you can configure endpoints to use the Tanium Client to download the files instead of downloading them directly from the PXE endpoint.

Network connectivity between these endpoints and the PXE endpoint is still required.

To configure endpoints to use the Tanium Client for downloads, modify or configure an OS bundle and specify the OS Refresh: UseTaniumClient key value pair.

In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair.
For the Key field, select OS Refresh: UseTaniumClient.
For the Value field, enter Yes.

Include custom scripts

You can include custom scripts to call automatically during the provisioning process. You can create a ZIP file that contains at least one PowerShell script file for any custom Windows content that you want to include. The main Provision scripts download and extract the contents of the ZIP file (if specified in the OS bundle) into the C:\_t folder, and then automatically run any PowerShell scripts, if found.

Do not name your custom ZIP file scripts.zip. If your scripts require additional files, you can include those files in your custom ZIP file.

Use the following script names, depending on when you want your scripts to run:

Customer-PE-Pre.ps1 - called at the start of the Windows PE phase, prior to applying the OS image
Customer-PE.ps1 - called at the end of the Windows PE phase, after applying the OS image, injecting drivers and updates, and placing the unattend.xml in place (prior to restarting into Windows)
Customer-Pre.ps1 - called at the start of the Windows configuration process in the new Windows OS, but prior to installing the Tanium Client or joining the device to Active Directory or Azure AD
Customer.ps1 - called at the end of the Windows configuration process, as the last action before completion

Any files in this custom ZIP file can overwrite any of the standard scripts from Tanium Provision.

Example: Load the TaniumOSD or TaniumClient modules

The script can load the TaniumOSD or TaniumClient modules:

Import-Module C:\_T\TaniumOSD
Import-Module C:\_T\TaniumClient

The Provision logs automatically capture a transcript of the output from the custom script.

The TaniumOSD module includes a variety of cmdlets, including some that are useful to work with variables:

Get-OSDVariable -Name "variableName"
- This cmdlet returns the current value of the specified variable.
Resolve-OSDVariables -Value "This is a %model% computer from %manufacturer%."
- This cmdlet returns the current value of the specified string, substituting the current values of any variable references in that string.
Set-OSDVariable -Name "variableName" -Value "my value"
- This cmdlet sets the specified variable to the provided value.
Set-OSDProgressDisplay -Message "Currently installing something..."
- This cmdlet changes the on-screen progress display so that the user knows what is currently happening.

The TaniumClient module also includes some useful cmdlets:

Add-TaniumTag -Tag "tagName"
- This cmdlet adds a tag with the specified name.
Invoke-TaniumDownload -URL "https://server.com/path/file.zip" -Destination "C:\file.zip"
- This cmdlet uses the Tanium Client API to download a file from the specified URL and then moved to the specified destination.
  This URL must be on the Allowed URLs list. For more information, see Tanium Console User Guide: Managing allowed URLs.

Example: Restart and rerun the Customer.ps1 script

If you need to run the Customer.ps1 script multiple times, followed by a restart each time the script is run, you can set the RebootAndRerun variable to true:

Set-OSDVariable -Name "RebootAndRerun" -Value $true

Example: Restart and rerun multiple times

If you need to restart and rerun the script multiple times, you can set the RebootAndRerun variable each time the script runs. This value is automatically cleared by the restart process. If you need to keep track of which time the script is running, you can use the ExecutionPass variable, which is incremented by one each time the script runs.

The following example script runs a command after the initial restart:

Import-Module C:\_T\TaniumOSD
Import-Module C:\_T\TaniumClient

$pass = Get-OSDVariable -Name "ExecutionPass"
switch ($pass) {
   1 {
      Write-Host "Nothing to do in the first pass; schedule a second pass."
      Set-OSDVariable -Name "RebootAndRerun" -Value $true
   }
   2 {
      # Set computer description
      $computerDescription = Get-OSDVariable -Name "ComputerDescription"
      Write-Host "Second pass; setting computer description to $computerDescription."
      & net.exe config server /srvcomment:"$computerDescription"
   }
}