Tanium Provisioning: Build and Deploy Windows with PXE

This guide explains how to use Tanium Provision for Windows bare-metal deployment with ADK preparation, OS bundle creation, WIM, drivers, unattend.xml, Tanium Client package, PXE endpoint setup, and first troubleshooting checks.

Provision a Windows Build

Prepare the content, check the PXE prerequisites, configure the Provision satellite, then launch the first deployment.

Reference: Provision Quick Start: Install, Configure, and Test

Prepare the Tools

Tanium tools

  • In the Tanium Console, open Provision -> Settings.
  • Download the ZIP files provided by the module, typically scripts.zip and utility.zip.
  • These files are used later to prepare the ADK content and build the OS bundle.

Screenshot: Provision tool archives available for download

ADK tools

  • On the preparation machine, install the Windows ADK and the Windows PE add-on from Microsoft Learn.
  • This step is only required once per preparation machine.

Screenshot: Windows ADK installer screen

Provisioning Content

Create ADK

  • Extract utility.zip on the ADK machine.
  • Run adkprep.ps1 to generate the ADK package expected by Tanium Provision.
  • Keep the generated archive ready to upload into the OS bundle.

Screenshot: adkprep.ps1 extracted from utility.zip

Screenshot: PowerShell command to prepare ADK content

Screenshot: Generated ADK archive after running adkprep.ps1

Prepare Unattend

  • Prepare an unattend.xml adapted to your Windows deployment.
  • If you need post-install logic, package it in a script ZIP or a PowerShell script.
  • Keep the files simple and test them outside Provision before using them in a production bundle.

Example unattend.xml: GitHub sample

Provision post-install references: Provision advanced options
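
One way to test unattend.xml outside Provision before it goes into a bundle, as the list above recommends (an added example, not part of the original guide or of Tanium's tooling): it checks that the file parses, lists its configuration passes, and flags embedded credentials. `New-Finding`, `Test-UnattendFile` and the `.\unattend.xml` path are hypothetical names.

```powershell
# Added example, not Tanium or Microsoft code. Function names and the sample
# path in the last line are hypothetical.
function New-Finding($Severity, $Location, $Message) {
    [pscustomobject]@{ Severity = $Severity; Location = $Location; Message = $Message }
}

function Test-UnattendFile {
    param([Parameter(Mandatory)][string]$Path)

    $xml = [xml]::new()
    $xml.XmlResolver = $null    # never fetch external DTDs or entities
    try {
        $xml.Load((Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath)
    } catch {
        return New-Finding 'Error' $Path "Cannot parse: $($_.Exception.Message)"
    }

    $uri = 'urn:schemas-microsoft-com:unattend'
    $ns  = [System.Xml.XmlNamespaceManager]::new($xml.NameTable)
    $ns.AddNamespace('u', $uri)
    $root = $xml.DocumentElement
    if ($root.LocalName -ne 'unattend' -or $root.NamespaceURI -ne $uri) {
        return New-Finding 'Error' $root.Name 'Root is not <unattend> in the unattend namespace'
    }

    $passes = @($xml.SelectNodes('/u:unattend/u:settings/@pass', $ns) | ForEach-Object Value)
    New-Finding 'Info' 'settings' ("Configuration passes: " + ($passes -join ', '))

    # Password-type elements carry <Value> plus <PlainText>.
    foreach ($n in $xml.SelectNodes('//u:*[u:PlainText and normalize-space(u:Value)]', $ns)) {
        $where = "$($n.ParentNode.LocalName)/$($n.LocalName)"
        if ($n.SelectSingleNode('u:PlainText', $ns).InnerText.Trim() -eq 'true') {
            New-Finding 'High' $where 'Password stored in clear text'
        } else {
            New-Finding 'Medium' $where 'Password is only Base64-encoded, not encrypted'
        }
    }
    # Domain-join and similar <Credentials> blocks hold the password as a plain string.
    foreach ($n in $xml.SelectNodes('//u:Credentials[normalize-space(u:Password)]', $ns)) {
        New-Finding 'High' "$($n.ParentNode.LocalName)/Credentials" 'Credential password in clear text'
    }
    foreach ($n in $xml.SelectNodes('//u:AutoLogon[u:Enabled="true"]', $ns)) {
        New-Finding 'Medium' 'AutoLogon' "Auto-logon enabled for '$($n.SelectSingleNode('u:Username', $ns).InnerText)'"
    }
}

Test-UnattendFile -Path .\unattend.xml | Format-Table -AutoSize -Wrap
```

Clear-text and Base64 findings both mean that anyone who can read the file can recover the password.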

Tanium Client

  • Download the Tanium Client ZIP that matches your environment.

Screenshot: Tanium client package selection for Provision

WIM

  • Use the Windows install.wim from the Microsoft ISO as the operating system image.

Screenshot: Windows install.wim extracted from the ISO

Drivers

  • Prepare the driver ZIP that matches the target model or virtual platform.

Driver packaging reference: Preparing content

Screenshot: Driver package prepared for upload into the OS bundle

Custom Post-Install Content

Add custom post-install content when you need actions specific to your environment. This is usually a PowerShell script or a ZIP with scripts and support files.

  • Use this content for actions not covered by the base image, drivers, unattend.xml, or the Tanium Client package.
  • Keep the logic simple, test it outside Provision first, and do not rely on user input or network access during deployment.
  • If the action must restart the machine or use advanced post-install behavior, check the Tanium Provision advanced options documentation.

Reference: Provision advanced options

Screenshot: Post-install file example used by a Provision bundle

Create the OS Bundle

  • In Provision, click Create OS Bundle.

Screenshot: Create OS Bundle action in Tanium Provision

  • Name the bundle, select the operating system and architecture, then add each required component.

Screenshot: OS bundle general settings

  • Add the WIM.

Screenshot: WIM file added to the OS bundle

  • Add the prepared ADK archive.

Screenshot: ADK package added to the OS bundle

  • Add unattend.xml.

Screenshot: unattend.xml attached to the OS bundle

  • Add the Tanium client ZIP.

Screenshot: Tanium client ZIP added to the OS bundle

  • Add the custom script ZIP or PowerShell file used during provisioning.

Screenshot: Custom script added to the OS bundle

Validation checklist: before moving to PXE, confirm that the bundle is saved and all required files appear in the bundle details.

PXE Prerequisites

Before enabling PXE on an endpoint, check the network and firmware prerequisites. These checks prevent many first-run failures.

  • Confirm that the target endpoint can reach the Provision satellite for PXE boot. If it is on another subnet, configure the DHCP relay or IP helper.
  • Check that the firewall does not block the PXE path. Common PXE flows use DHCP / BOOTP (UDP 67/68), TFTP (UDP 69), and PXE proxy / BINL (UDP 4011), depending on your design.
  • Make sure the test endpoint uses the expected firmware mode: UEFI or legacy BIOS, correct boot order, and correct Secure Boot behavior.
  • Verify that the OS bundle is fully synchronized to the Provision satellite before the first PXE boot. A saved bundle is not enough if replication is still running.
  • For lab testing on Hyper-V, disable Secure Boot if the guest does not boot correctly with your selected PXE flow.

Reference: Provision Quick Start: Install, Configure, and Test

Create the PXE Endpoint

Important: create and save the OS bundle before enabling PXE on an endpoint.

  • In Provision, select Create Provision Endpoint then Create Satellite.

Screenshot: Provision endpoint naming screen

  • Choose a device name.
  • On the target client, run get_endpoint_fingerprint.cmd and collect the MAC address.

Screenshot: MAC address collected from the target endpoint

  • Enter the MAC address under Unique Identifier, enable PXE, and finish the configuration.

Screenshot: Unique Identifier and PXE settings in the endpoint configuration

  • Select the PXE role and the cache that will host your bundle.

Screenshot: Provision endpoint summary after PXE enablement

  • Wait for the PXE service to be installed on the satellite and for the OS bundle synchronization to complete.

Screenshot: PXE-ready endpoint details in Provision

  • When the PXE service is ready and the bundle is synchronized, the endpoint is ready for testing. The first sync can take several minutes.

Screenshot: Provision endpoint shown as ready for PXE deployment

Run the Deployment

  • For a Hyper-V lab, disable Secure Boot on the VM before testing PXE boot.

Screenshot: Secure Boot setting disabled on a Hyper-V virtual machine

  • Boot the endpoint on PXE.
  • In the PXE workflow, select the keyboard layout and continue.

Screenshot: Provision PXE menu with keyboard selection

  • Select the Task Sequence or deployment target presented by Provision.

Screenshot: Task sequence selection during the Provision PXE workflow

First Troubleshooting Checks

  • No PXE response: check DHCP relay / IP helper, VLAN path, and firewall rules first.
  • PXE menu appears but no task sequence is available: verify the OS bundle is fully synchronized to the selected cache / satellite.
  • Boot starts but deployment fails later: check the OS bundle content again, especially install.wim, drivers, unattend.xml, the Tanium Client ZIP, and custom post-install files.
