Retiring and locking devices

If a Windows endpoint is lost or stolen, you can use device retirement actions to:

  • lock the endpoint
  • unlock the previously locked endpoint
  • delete non-essential files on the endpoint
  • force a BitLocker key recovery on the endpoint

You can deploy device retirement actions on Tanium-managed and unknown endpoints. An unknown endpoint is one that has the Tanium Client installed but has never reported to the Tanium Server, for example a computer that the vendor imaged and shipped to a user but that was lost in transit.

Overview

You can create device retirement action types in Provision and then deploy the actions from the Endpoint Details page in Tanium Reporting or the Device Retirement page in Provision. When you deploy a device retirement action on an endpoint, actions taken on the endpoint are logged for auditing.

To deploy an action through the Endpoint Details page in Tanium Reporting, the endpoint must be online.

Device retirement actions

You can configure the following retirement actions for an action type:

  • User Lockout: Locks the endpoint by revoking user rights and signing off all user sessions, so that no user can access the endpoint, and then reboots the endpoint to close open programs. Cannot be paired with the Unlock User action in an action type.
  • Unlock User: Unlocks an endpoint where the User Lockout action was previously deployed. Cannot be paired with any of the other actions.
  • Delete all non-essential files: Takes ownership of the endpoint and gains permission to as many files as possible by signing off all user sessions, setting the power policy to never sleep and never turn off the display, and deleting all volume shadow copies. It then deletes all user profiles and all files that are not open, except files in the C:\windows\ and %ProgramFiles%\Tanium\ folders, and overwrites unallocated space.
  • BitLocker Freeze: Forces a BitLocker key recovery. If a BitLocker policy is configured and a user manually unfreezes the endpoint after a BitLocker Freeze action, Tanium Enforce immediately rotates the key and requires the user to provide the new key the next time the user signs in. For more information about creating BitLocker policies, see Tanium Enforce User Guide: Create a BitLocker policy.

For the most effective retirement:
  • When you select Delete all non-essential files, also select User Lockout and BitLocker Freeze.
  • When you select BitLocker Freeze, also select User Lockout.

Before you begin

  • Tanium Reporting 1.27.21 or later is required.
  • To view existing retirement actions and audit logs, you must have the Provision Device Retirement Viewer role.
  • To create and modify device retirement actions, you must have the Provision Device Retirement Administrator role.

Manage device retirement action types

Add an action type

Create new action types that you can deploy from the Endpoint Details or Device Retirement pages. For a description of the available actions, see Device retirement actions.

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. Click Add Action Type and then enter a Name and optional Description for the retirement action type.
  3. Select the Retirement Actions for the action type:
    • User Lockout (cannot be paired with Unlock User)
    • Unlock User (cannot be paired with any of the other actions)
    • Delete all non-essential files
    • BitLocker Freeze (you must enter a Pre-Boot Recovery Message)
  4. (Optional) Select Use action prompts to prompt the user who deploys the action for additional information. If you enable this option, select the information that you want the user who deploys the action to provide:
    • Requested By
    • Ticket Number
    • Comment

    When you select an option, specify the Label for the prompt. Only the Label appears on the form that is presented to the user; the option names Requested By, Ticket Number, and Comment do not. You can also optionally mark the value as Required.

  5. Click Save.
  6. Select the action type, and then click Enable.

(Optional) Configure Secure Delete

If you want file deletions to use the Microsoft SDelete utility, which overwrites file contents so that deleted data is harder to recover, upload the SDelete utility to the Device Retirement settings. For more information about this utility and to download the file, see Microsoft Sysinternals documentation: SDelete.

Upload the file exactly as you downloaded it. An altered file is rejected.

Before you begin

Download the SDelete utility: Microsoft: Download SDelete.

Upload and configure the SDelete utility

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. In the Secure Delete section, select Perform secure deletes with Microsoft "SDelete" utility.
  3. Click Upload SDelete Utility, browse to the SDelete.zip file that you downloaded, and then click Upload. Click Done when the upload completes.
  4. (Optional) Update the Overwrite Passes value. Valid values are 1-35.
  5. Click Save.
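Provision accepts only the unaltered archive, and the binary is about to be handed to a workflow that wipes endpoints, so it is worth confirming that what you downloaded is the genuine Sysinternals build before you upload it. The following PowerShell script is an added example, not part of the Tanium documentation or a Tanium tool: it records the SHA-256 of SDelete.zip for your change ticket and checks the Authenticode signature of every executable inside the archive. The download path and the expected signer string are assumptions.

```powershell
# Added example (not from the Tanium documentation): verify a downloaded SDelete.zip
# before uploading it to Provision. Assumes the archive was saved to $ZipPath and
# contains the executables as shipped by Sysinternals.
param(
    [string]$ZipPath = "$env:USERPROFILE\Downloads\SDelete.zip"
)

$ErrorActionPreference = 'Stop'

# Record the hash of the archive you are about to upload, so the value in your
# change ticket matches the artifact that actually reached the server.
$zipHash = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
Write-Host "SDelete.zip SHA256: $zipHash"

# Extract to a scratch folder and check the Authenticode signature of each
# executable. Provision rejects altered files, but checking the signature
# yourself catches a tampered or mirrored download before it reaches the server.
$scratch = Join-Path $env:TEMP ("sdelete-verify-" + [guid]::NewGuid().ToString('N'))
Expand-Archive -Path $ZipPath -DestinationPath $scratch -Force

$problems = @()
foreach ($exe in Get-ChildItem -Path $scratch -Filter '*.exe' -Recurse) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.Status -ne 'Valid') {
        $problems += "$($exe.Name): signature status is $($sig.Status)"
        continue
    }
    # Assumption: the genuine build is signed with a Microsoft Corporation certificate.
    $signer = $sig.SignerCertificate.Subject
    if ($signer -notmatch 'O=Microsoft Corporation') {
        $problems += "$($exe.Name): unexpected signer '$signer'"
    } else {
        Write-Host ("{0}: valid signature from {1}" -f $exe.Name, $signer)
    }
}

Remove-Item -Path $scratch -Recurse -Force

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Do not upload $ZipPath to Provision; download it again from Microsoft."
}
Write-Host "OK: upload $ZipPath (SHA256 $zipHash) under Settings > Device Retirement > Secure Delete"
```

Run the script on the workstation where you downloaded the archive, before step 3 above. If any executable fails the signature check, discard the archive rather than trying to repair it, because Provision will reject an edited file anyway.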

Set the display order for actions

Set the display order for action types in the Deploy Action menu on the Endpoint Details page.

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. Click Set Display Order, drag the actions into the order that you prefer, and then click Save.

Enable an action type

Enable an action type so that it is available in the Deploy Action menu on the Endpoint Details page.

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. Select the row for an action type and then click Enable.

Edit an action type

You can edit only retirement action types that are not currently deployed to any endpoint.

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. Select the row for an action type and then click Edit.
  3. Edit the action and then click Save.

Disable an action type

Disable an action type so that it is not available in the Deploy Action menu on the Endpoint Details page.

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. Select the row for an action type and then click Disable.

Delete an action type

  1. From the Provision Overview page, click Settings and then click the Device Retirement tab.
  2. Select the row for an action type and click Delete.

Deploy an action to retire a device

You can deploy a device retirement action to a single endpoint through the Endpoint Details page in Tanium Reporting or the Device Retirement page in Provision. To deploy a device retirement action, you must have the Provision Manual Retirement Actions WRITE permission and management rights for the targeted endpoint. You can deploy only one action to an endpoint at a time. After an action completes, you can deploy another action to that endpoint.

To deploy an action through the Endpoint Details page in Tanium Reporting, the endpoint must be online.

Deploy an action from the Endpoint Details page

  1. Open the Endpoint Details page for the endpoint that requires a device retirement action. See Tanium Reporting User Guide: View endpoint details.
  2. Click Deploy Action > action that you want to deploy.

    You can deploy only one action to an endpoint at a time. After an action completes, you can deploy another action to that endpoint.

  3. If the retirement action prompts for additional information, enter the information.
  4. Type CONFIRM in the confirmation field and click Confirm.

The endpoint appears in the Devices section of the Device Retirement page. For more details, see Manage pending and retired devices.

Deploy an action from the Device Retirement page

  1. From the Provision menu, go to Device Retirement.
  2. In the Select a Device for Retirement Action section, search for the endpoint:
    • To search for a Tanium-managed endpoint, click Search endpoints and enter the endpoint IP address or Computer Name (exactly as it appears in the Computer Name sensor). In the row for the targeted endpoint, click Actions > action that you want to deploy.
    • To add an unknown endpoint, click Add Unknown Asset and provide the required details about the endpoint: Computer Name, Manufacturer, Model, Serial Number, and Retirement Action Type. Click Continue.

      These details are case sensitive, and all four identifying fields are used together to match the endpoint, so enter them exactly as the endpoint reports them.

  3. If the retirement action prompts for additional information, enter the information.
  4. Type CONFIRM in the confirmation field and click Confirm.

The endpoint appears in the Devices section of the Device Retirement page. For more details, see Manage pending and retired devices.
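Because the Add Unknown Asset fields are matched case-sensitively and used together to identify the endpoint, it helps to capture the strings exactly as the firmware reports them, from a reference machine of the same model, and to compare them with the shipping manifest before you submit the form. The following PowerShell script is an added example and not Tanium's own code. It assumes that the Tanium Client reads these values from the Win32_ComputerSystem and Win32_BIOS CIM classes, which you should confirm against a managed endpoint of the same model, and the manifest entry it compares against is constructed sample data.

```powershell
# Added example (not Tanium's own code): collect the Computer Name, Manufacturer,
# Model and Serial Number of a reference machine in the exact form the firmware
# reports them, and compare them case-sensitively with a manifest record.
# Assumption: the Tanium Client derives these values from Win32_ComputerSystem
# and Win32_BIOS. Confirm against a managed endpoint before relying on this.
param(
    # Leave empty to query the local machine; otherwise a remote host reachable over WinRM.
    [string]$ComputerName = ''
)

function Get-AssetIdentity {
    param([string]$ComputerName)
    $cimArgs = @{}
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem @cimArgs
    $bios = Get-CimInstance -ClassName Win32_BIOS @cimArgs
    [pscustomobject]@{
        ComputerName = $cs.Name
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
    }
}

function Compare-AssetIdentity {
    # Reports fields that would fail the case-sensitive match on the Device
    # Retirement page, and calls out the common case where only letter case differs
    # (for example a manifest that upper-cases the manufacturer name).
    param($Reference, $Candidate)
    foreach ($field in 'ComputerName', 'Manufacturer', 'Model', 'SerialNumber') {
        $a = [string]$Reference.$field
        $b = [string]$Candidate.$field
        if ($a -ceq $b) { continue }
        if ($a -ieq $b) {
            Write-Warning "${field} differs only in case: [$a] vs [$b]"
        } else {
            Write-Warning "${field} mismatch: [$a] vs [$b]"
        }
    }
}

$reference = Get-AssetIdentity -ComputerName $ComputerName

# Print each value in brackets so that trailing whitespace, which the firmware
# sometimes includes, is visible and can be copied into the form as-is.
foreach ($p in $reference.PSObject.Properties) {
    '{0,-13} = [{1}]' -f $p.Name, $p.Value
}

# Constructed sample manifest entry (not real inventory data) to illustrate the comparison.
$manifestEntry = [pscustomobject]@{
    ComputerName = 'LAPTOP-0427'
    Manufacturer = 'CONTOSO INC.'
    Model        = 'Notebook 14'
    SerialNumber = 'CN0427X'
}
Compare-AssetIdentity -Reference $reference -Candidate $manifestEntry
```

Run it against a managed endpoint of the same hardware model as the lost device; the warnings tell you which manifest values to correct before you enter them in the Add Unknown Asset form.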

Manage pending and retired devices

The Device Retirement page shows details for endpoints on which a device retirement action was deployed. From the Provision Device Retirement page, you can manage pending and retired devices and also cancel pending actions.

View the details and logs for the device retirement action

The Devices section of the Device Retirement page includes a grid that shows all device retirement actions for endpoints in your environment. You can filter the grid by action status, computer name, manufacturer, model, serial number, created date, or last update date. Click Customize Columns to add columns, remove columns, or change the order of the columns in the grid.

Action details

Click Expand details to show the Action Status and Event Log for the selected endpoint and retirement action.

Status

Status of the action on the endpoint:

Status       Description
Pending      Action is deployed on the endpoint, but work has not started.
In Progress  Action is in progress on the endpoint.
Completed    Action on the endpoint is complete.
Canceled     Action on the endpoint was canceled while in a pending state.
Failed       Action on the endpoint failed to complete.

Computer Name

Computer Name for the endpoint as it displays in the Computer Name sensor. Used with Manufacturer, Model, and Serial Number to uniquely identify an endpoint.

Manufacturer

Manufacturer for the endpoint. Used with Computer Name, Model, and Serial Number to uniquely identify an endpoint.

Model

Model for the endpoint. Used with Computer Name, Manufacturer, and Serial Number to uniquely identify an endpoint.

Serial Number

Serial Number for the endpoint. Used with Computer Name, Model, and Manufacturer to uniquely identify an endpoint.

Notes

If the device retirement action prompted the user for information, click the Details link to see the details provided by the user who deployed the action.

Action

The device retirement action deployed to the endpoint.

Created

Deployment date and time for the device retirement action.

Updated

Date and time when the device retirement action was last updated.

Edit the information for a deployed action

If a retirement action collected information from the user who deployed the action, you can edit that information while the action is in a pending state.

  1. In the Devices section of the Device Retirement page, select the row for the endpoint.
  2. Click Edit to edit the information and then click Confirm.

Cancel a deployed action

You can cancel pending actions from the Devices section of the Device Retirement page. Only pending actions can be canceled.

  1. In the Devices section of the Device Retirement page, select the row for the endpoint and action that you want to cancel.
  2. Click Cancel and then click Confirm.

You can also cancel the action from the action details by clicking Expand Details in the row for the endpoint and action that you want to cancel and then clicking Cancel Action.