Provision a Windows Build

Prepare the content, check the PXE prerequisites, configure the Provision satellite, then launch the first deployment.

Reference: Provision Quick Start: Install, Configure, and Test

Prepare the Tools

Tanium tools

  • In the Tanium Console, open Provision -> Settings.
  • Download the ZIP files provided by the module, typically scripts.zip and utility.zip.
  • These files are used later to prepare the ADK content and build the OS bundle.

Provision settings page in the Tanium Console

Provision tool archives available for download

ADK tools

  • On the preparation machine, install the Windows ADK and the Windows PE add-on from Microsoft Learn.
  • This step is only required once per preparation machine.

Windows ADK installer screen

Provisioning Content

Create ADK

  • Extract utility.zip on the ADK machine.
  • Run adkprep.ps1 to generate the ADK package expected by Tanium Provision.
  • Keep the generated archive ready to upload into the OS bundle.

adkprep.ps1 extracted from utility.zip

PowerShell command to prepare ADK content

Generated ADK archive after running adkprep.ps1

Prepare Unattend

  • Prepare an unattend.xml adapted to your Windows deployment.
  • If you need post-install logic, package it in a script ZIP or a PowerShell script.
  • Keep the files simple and test them outside Provision before using them in a production bundle.

Example unattend.xml: GitHub sample

Provision post-install references: Provision advanced options
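
An unattend.xml travels inside the OS bundle to every cache that hosts it, so any password stored in it is readable wherever the bundle is. The check below is an added example, not part of the original post or of Tanium's tooling: it confirms the file is well-formed and lists every password element that carries a value. The function name Test-UnattendSecrets and the sample file are constructed for illustration, and a missing PlainText element is reported as clear text by assumption.

```powershell
# Added example (not Tanium code): lint unattend.xml for embedded passwords.
function Test-UnattendSecrets {
    param([Parameter(Mandatory)][string]$Path)

    # Loading through XmlDocument also proves the file is well-formed XML.
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Password, AdministratorPassword and similar elements hold <Value> and <PlainText>.
    $xpath = "//u:*[contains(local-name(), 'Password')]/u:Value[normalize-space()]"
    foreach ($value in $doc.SelectNodes($xpath, $ns)) {
        $owner     = $value.ParentNode
        $plainNode = $owner.SelectSingleNode('u:PlainText', $ns)
        $component = $value.SelectSingleNode('ancestor::u:component', $ns)
        $settings  = $value.SelectSingleNode('ancestor::u:settings', $ns)
        # Assumption: a missing <PlainText> is reported as clear text (conservative).
        $hidden = $plainNode -and $plainNode.InnerText.Trim() -eq 'false'
        [pscustomobject]@{
            Pass      = if ($settings)  { $settings.GetAttribute('pass') }
            Component = if ($component) { $component.GetAttribute('name') }
            Element   = $owner.LocalName
            # PlainText=false is base64 obfuscation, not encryption.
            Storage   = if ($hidden) { 'base64 (reversible)' } else { 'clear text' }
        }
    }
}

# Constructed sample; the password value is a placeholder.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <UserAccounts>
        <AdministratorPassword>
          <Value>CONSTRUCTED-EXAMPLE</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@
$tmp = Join-Path $env:TEMP 'unattend-sample.xml'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Test-UnattendSecrets -Path $tmp | Format-Table -AutoSize
```

Any row in the output means the bundle would ship a recoverable credential; treat such an account as temporary and rotate or disable it in the post-install step.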

Tanium Client

  • Download the Tanium Client ZIP that matches your environment.

Tanium client package selection for Provision

Wim

  • Use the Windows install.wim from the Microsoft ISO as the operating system image.

Windows install.wim extracted from the ISO

Drivers

  • Prepare the driver ZIP that matches the target model or virtual platform.

Driver packaging reference: Preparing content

Driver package prepared for upload into the OS bundle

Custom Post-Install Content

Add custom post-install content when you need actions specific to your environment. This is usually a PowerShell script or a ZIP with scripts and support files.

  • Use this content for actions not covered by the base image, drivers, unattend.xml, or the Tanium Client package.
  • Keep the logic simple, test it outside Provision first, and do not rely on user input or network access during deployment.
  • If the action must restart the machine or use advanced post-install behavior, check the Tanium Provision advanced options documentation.

Reference: Provision advanced options

Post-install file example used by a Provision bundle

Create the OS Bundle

  • In Provision, click Create OS Bundle.

Create OS Bundle action in Tanium Provision

  • Name the bundle, select the operating system and architecture, then add each required component.

OS bundle general settings

  • Add the WIM.

WIM file added to the OS bundle

  • Add the prepared ADK archive.

ADK package added to the OS bundle

  • Add unattend.xml.

unattend.xml attached to the OS bundle

  • Add the Tanium client ZIP.

Tanium client ZIP added to the OS bundle

  • Add the custom script ZIP or PowerShell file used during provisioning.

Custom script added to the OS bundle

Validation checklist: before moving to PXE, confirm that the bundle is saved and all required files appear in the bundle details.

PXE Prerequisites

Before enabling PXE on an endpoint, check the network and firmware prerequisites. These checks prevent many first-run failures.

  • Confirm that the target endpoint can reach the Provision satellite for PXE boot. If it is on another subnet, configure the DHCP relay or IP helper.
  • Check that the firewall does not block the PXE path. Common PXE flows use DHCP / BOOTP (UDP 67/68), TFTP (UDP 69), and PXE proxy / BINL (UDP 4011), depending on your design.
  • Make sure the test endpoint uses the expected firmware mode: UEFI or legacy BIOS, correct boot order, and correct Secure Boot behavior.
  • Verify that the OS bundle is fully synchronized to the Provision satellite before the first PXE boot. A saved bundle is not enough if replication is still running.
  • For lab testing on Hyper-V, disable Secure Boot if the guest does not boot correctly with your selected PXE flow.

Reference: Provision Quick Start: Install, Configure, and Test
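
The firmware and Secure Boot prerequisite can be read from the target while it still runs Windows. The following is an added example, not code from the original post or from Tanium: the function name Get-PxePreflight and its parameters are hypothetical, it only reads state, and it does not replace get_endpoint_fingerprint.cmd. The MAC addresses it lists are the candidates for the Unique Identifier field.

```powershell
# Added example (not Tanium code): read-only preflight on the target endpoint.
function Get-PxePreflight {
    param([ValidateSet('Uefi', 'Bios')][string]$ExpectedFirmware = 'Uefi',
          [bool]$ExpectSecureBoot = $true)

    # Firmware mode as Windows reports it ('Uefi' or 'Bios').
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Confirm-SecureBootUEFI needs elevation and throws on legacy BIOS.
    $secureBoot = try {
        [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch [System.PlatformNotSupportedException] {
        $false
    } catch {
        $null   # unknown, usually because the session is not elevated
    }

    $findings = @()
    if ($firmware -ne $ExpectedFirmware) {
        $findings += "Firmware is $firmware, expected $ExpectedFirmware"
    }
    if ($null -eq $secureBoot) {
        $findings += 'Secure Boot state unknown; rerun elevated'
    } elseif ($secureBoot -ne $ExpectSecureBoot) {
        $findings += "Secure Boot enabled: $secureBoot, expected: $ExpectSecureBoot"
    }

    [pscustomobject]@{
        Firmware   = $firmware
        SecureBoot = $secureBoot
        # Adapters that are up; pick the one that will actually PXE boot.
        Adapters   = Get-NetAdapter | Where-Object Status -eq 'Up' |
                         Select-Object Name, InterfaceDescription, MacAddress
        Findings   = $findings
    }
}

# Lab expectation from this guide: UEFI guest with Secure Boot disabled.
$result = Get-PxePreflight -ExpectedFirmware Uefi -ExpectSecureBoot $false
$result.Adapters | Format-Table -AutoSize
$result | Select-Object Firmware, SecureBoot, Findings | Format-List
```

An empty Findings list means the endpoint matches the firmware mode and Secure Boot state you planned for; outside the lab, set -ExpectSecureBoot to $true so a disabled setting is flagged.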

Create the PXE Endpoint

Important: create and save the OS bundle before enabling PXE on an endpoint.

  • In Provision, select Create Provision Endpoint then Create Satellite.

Provision endpoint naming screen

  • Choose a device name.
  • On the target client, run get_endpoint_fingerprint.cmd and collect the MAC address.

MAC address collected from the target endpoint

  • Enter the MAC address under Unique Identifier, enable PXE, and finish the configuration.

Unique Identifier and PXE settings in the endpoint configuration

  • Select the PXE role and the cache that will host your bundle.

Provision endpoint summary after PXE enablement

  • Wait for the PXE service to be installed on the satellite and for the OS bundle synchronization to complete.

PXE-ready endpoint details in Provision

  • When the PXE service is ready and the bundle is synchronized, the endpoint is ready for testing. The first sync can take several minutes.

Provision endpoint shown as ready for PXE deployment

Run the Deployment

  • For a Hyper-V lab, disable Secure Boot on the VM before testing PXE boot.

Secure Boot setting disabled on a Hyper-V virtual machine

  • Boot the endpoint on PXE.
  • In the PXE workflow, select the keyboard layout and continue.

Provision PXE menu with keyboard selection

  • Select the Task Sequence or deployment target presented by Provision.

Task sequence selection during the Provision PXE workflow

First Troubleshooting Checks

  • No PXE response: check DHCP relay / IP helper, VLAN path, and firewall rules first.
  • PXE menu appears but no task sequence is available: verify the OS bundle is fully synchronized to the selected cache / satellite.
  • Boot starts but deployment fails later: check the OS bundle content again, especially install.wim, drivers, unattend.xml, the Tanium Client ZIP, and custom post-install files.
