Troubleshooting Zero Trust
If Zero Trust is not performing as expected, you might need to troubleshoot issues or change settings.
Collect logs
The support bundle is saved as a ZIP file that you can download with your browser.
- From the Zero Trust Overview page, click Help, then the Troubleshooting tab.
- Click Download Support Bundle.
A ZIP file downloads to the local download directory.
- Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.
Tanium Zero Trust maintains logging information in the \Program Files\Tanium\Tanium Module Server\services\zero-trust-files\logs directory.
Manually modify endpoint attribute
You can manually apply or remove an extension attribute from an existing rule for one or more endpoints. The option to manually modify an endpoint attribute uses enforcement rules only. Manually editing an extension attribute is useful to test a rule.
For each endpoint, any attribute that you modify is subject to change the next time a rule runs and targets the endpoint.
- From the Zero Trust menu, go to Modify Endpoint Attribute.
- Select the endpoints to target:
- In Target Endpoints, enter a string to search for endpoints by computer name, IP address, or device ID.
- Click Add Endpoint next to the endpoint in the results that appear.
- Repeat to add additional endpoints.
The Add Endpoint option only appears for endpoints that have a device ID. The device ID is provided by your IAM provider. For information on device IDs, see Manage device identities by using the Entra ID portal.
- Select an Action.
- To apply the extension attribute, select Apply.
- To remove the extension attribute, select Remove.
- For Rule Attributes, select the enforcement rule with the extension attribute and extension attribute string that you want to apply.
- Click Save.
Zero Trust attempts to apply the attribute to the selected endpoints. To verify the attribute was successfully applied, review the Entra ID audit log. For information, see Review data sent to your IAM provider.
Endpoint does not appear in the audit log
Symptom
The audit log does not contain expected entries for an endpoint.
Cause
Possible causes include:
- The endpoint might not be registered in Entra ID. Tanium Zero Trust does not monitor endpoints that are not registered with Entra ID.
- There are no rules that target the endpoint.
Solution
- Re-register the endpoint in Entra ID. For information, see Manage device identities by using the Entra ID portal.
- Verify that there are one or more rules that target the endpoint.
Entra ID log shows endpoint does not exist
Symptom
The audit log contains error messages that an endpoint does not exist, such as the following:
making patch request: Call to https://graph.microsoft.com/v1.0/devices(deviceId='285a3512-728f-4ac1-9295-485f9e3312ee'): Bad Status Code Received: 404 Not Found {"error":{"code":"Request_ResourceNotFound","message":"Resource '285a3522-728f-4ae1-9295-485f5e3812ee' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2023-06-23T20:31:25","request-id":"132288da-b683-4d24-b6ec-ff2a539f9752","client-request-id":"132288da-b683-4d24-b6ec-ff2a539f9752"}}}
Cause
These messages commonly occur when an endpoint de-registers from Entra ID. Although the endpoint is no longer registered in Entra ID, the endpoint still qualifies for one or more enforcement rules in Tanium Zero Trust.
Solution
- To continue monitoring the endpoint:
Re-register the endpoint in Entra ID. For information, see Manage device identities by using the Entra ID portal.
- To discontinue monitoring for the endpoint:
- Remove the following registry key on the endpoint:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo
- Replace any rules that target the endpoint. After you create a rule, you can only edit the name and description of the rule. To update the targets for a rule, clone the rule, modify the targeting, and then save the new rule. For information, see Troubleshooting Zero Trust.
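To decide which endpoints to re-register or stop targeting, it helps to group these errors by device ID. The following Python script is an added example, not Tanium code: it assumes the error lines have been exported as text in the format of the message shown above, and the sample lines and device IDs are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Shape of the error shown above: Graph device URL, HTTP status, JSON error body.
LINE_RE = re.compile(
    r"devices\(deviceId='(?P<device>[0-9a-fA-F-]{36})'\): "
    r"Bad Status Code Received: (?P<status>\d{3})[^{]*(?P<body>\{.*)$"
)

def parse_line(line):
    """Parse one log line; return None when it is not a Graph device error."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    try:
        err = json.loads(m.group("body")).get("error", {})
    except json.JSONDecodeError:
        err = {}  # truncated or malformed body: code and date stay unknown
    inner = err.get("innerError", {})
    return {"device_id": m.group("device").lower(), "status": int(m.group("status")),
            "code": err.get("code"), "date": inner.get("date")}

def missing_devices(lines):
    """Count 404 Request_ResourceNotFound errors per device ID, with last-seen date."""
    seen = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and rec["code"] == "Request_ResourceNotFound":
            entry = seen[rec["device_id"]]
            entry["count"] += 1
            entry["last_seen"] = max(entry["last_seen"], rec["date"] or "")
    return dict(seen)

def sample_line(device, status, reason, code, date):
    # Builds a constructed sample line in the format of the message shown above.
    body = {"error": {"code": code, "message": "constructed sample",
                      "innerError": {"date": date}}}
    return (f"making patch request: Call to https://graph.microsoft.com/v1.0/"
            f"devices(deviceId='{device}'): Bad Status Code Received: "
            f"{status} {reason} {json.dumps(body)}")

# Constructed sample data; the device IDs are placeholders, not real devices.
DEV_A = "00000000-0000-4000-8000-00000000000a"
DEV_B = "00000000-0000-4000-8000-00000000000b"
SAMPLE_LOG = [
    sample_line(DEV_A, 404, "Not Found", "Request_ResourceNotFound", "2023-06-23T20:31:25"),
    sample_line(DEV_A, 404, "Not Found", "Request_ResourceNotFound", "2023-06-24T08:02:11"),
    sample_line(DEV_B, 403, "Forbidden", "Authorization_RequestDenied", "2023-06-24T08:02:12"),
    "rule evaluation finished",
]
```

Call `missing_devices()` on the exported lines; each returned device ID is an endpoint that still qualifies for a rule but no longer resolves in Entra ID.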
Uninstall Zero Trust
If you need to uninstall Zero Trust, perform the following steps.
Consult with Tanium Support before you uninstall or reinstall Zero Trust.
- Sign in to the Tanium Console as a user with the Administrator role.
- From the Main menu, go to Administration > Configuration > Solutions.
- In the Content section, select the Zero Trust row and click Uninstall.
- Review the summary and click Yes to proceed with the uninstallation.
- When prompted to confirm, enter your password.
The uninstall does not remove the Zero Trust log from the Tanium Module Server. To remove the log after the uninstall completes, manually delete the \Program Files\Tanium\Tanium Module Server\services\zero-trust-files\ directory.
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Last updated: 9/22/2023 8:59 AM