Create a Custom Package in Tanium Deploy

This example shows how to create a custom package in Tanium Deploy. Here the package is a ZIP archive with files and scripts.

Prepare the Package Content

Start outside Tanium. Put the installer, scripts, transforms, config files, and other content in a clear folder structure before you create the package.

  • Gather the installer files, scripts, and configuration assets required for the deployment.
  • Package everything into a single ZIP archive.
  • Test the install command outside Tanium first so Deploy is not your first validation point.
Example of organized application files prepared for packaging

If the package has multiple files, use one ZIP archive. This is often simpler than trying to force everything into one executable.

Create the Custom Package

  1. Open Deploy -> Software and click Create Software Package.
Create Software Package entry point in Tanium Deploy
  2. Upload the prepared ZIP in Package Files.
Package Files section used to upload the ZIP archive
  3. Define a clear package name in Package Details.
Package Details screen with the package name field

Use a clear package name. It should identify the application and, if needed, the runtime or version family.

Set Requirements Carefully

Requirements decide which endpoints are eligible before the install starts. A bad requirement can create false Not Applicable results or target systems that should be excluded.

Requirements configuration for a custom package
  • Use requirements for OS, architecture, prerequisites, disk space, or existing software state.
  • Keep the requirement logic readable. Complex filters become hard to troubleshoot later.
  • If a package already exists on many systems, make sure the requirement and verification logic clearly distinguish installed from not installed.

Define Installation Actions

For ZIP-based packages, a common pattern is to extract the archive first, then run the installation command from the extracted working directory.

Action used to extract the ZIP archive into the working directory

Important: check the extract path and the path used by the next command. Many failures come from a simple path mismatch.

Run Command action used to launch the installation script

Example install command:

cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -File c:\ProgramFiles\YourApp\install.ps1"

Replace the path with the real script location after extraction. If you use a working directory, test it on one endpoint before broad deployment.

Add Verification

Verification tells Tanium Deploy whether the install succeeded. Use a check that is clear and stable.

Install verification configuration for the package
  • File existence works well for predictable binaries or markers.
  • Registry checks are useful for Windows installers that publish a stable key or version value.
  • Version-based logic is better than process checks when the application does not stay running.
  4. Save the configuration and create the package.
Apply and Create Package actions in Tanium Deploy
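
The path-mismatch warning under Define Installation Actions and the registry-based check under Add Verification can both be handled inside the install script. The following install.ps1 is an added example, not code from the original post or from Tanium; the MSI name, log folder, registry key and version value are placeholders (assumptions).

```powershell
# install.ps1 (added example; YourApp.msi, the log folder, the registry key
# and the version string are placeholders, not values from the page)
$ErrorActionPreference = 'Stop'

# Resolve content relative to this script, not the caller's working directory,
# so the extract path and the command path cannot drift apart.
$msi       = Join-Path $PSScriptRoot 'YourApp.msi'
$logDir    = Join-Path $env:ProgramData 'YourApp\Logs'
$markerKey = 'HKLM:\SOFTWARE\YourCompany\YourApp'
$version   = '1.0.0'

# Fail fast with a readable message if extraction put the files elsewhere.
if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) {
    Write-Output "Installer not found at $msi (extract path mismatch?)"
    exit 2
}

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$msiLog = Join-Path $logDir 'install.log'

# Quote both paths: the extraction directory may contain spaces.
$arguments = @('/i', "`"$msi`"", '/qn', '/norestart', '/L*v', "`"$msiLog`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# Windows Installer: 0 = success, 3010 = success with reboot required.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Output "msiexec failed with exit code $($proc.ExitCode); see $msiLog"
    exit $proc.ExitCode
}

# Publish a stable version value only after the installer succeeded, so a
# registry-based verification rule reflects the installed state rather than
# mere command completion. If this script runs in a 32-bit PowerShell host on
# 64-bit Windows, the key lands under WOW6432Node; point the rule at that view.
if (-not (Test-Path -LiteralPath $markerKey)) {
    New-Item -Path $markerKey -Force | Out-Null
}
Set-ItemProperty -Path $markerKey -Name 'InstalledVersion' -Value $version

Write-Output "Installed YourApp $version"
exit 0
```

Run it by hand on one test endpoint first and confirm both the exit code and the registry value before wiring the same value into the package verification.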

Launch the Deployment

After the package is ready, target the right endpoints and launch in the right time window.

Deploy Package action for a custom software package
  • Select the target group carefully. Broad groups hide mistakes until it is too late.
  • Use pilots or rings before rolling out to the full production scope.
  • Confirm the schedule matches your maintenance policy and rollout window.
Target selection for a Tanium Deploy package
Deployment schedule configuration in Tanium Deploy

Always review the deployment preview before launch. It is the last easy check for a wrong target group or a wrong endpoint count.

Deployment preview showing affected endpoint count before launch
Deployment detail page after the deployment has been launched

Monitor and Troubleshoot

Deploy troubleshooting usually comes down to a few recurring questions:

  • Is the endpoint eligible?
  • Is the endpoint allowed to run the deployment now?
  • Did the package download?
  • Did the command execute successfully?
  • Did verification confirm success?

Coverage Status Details

Start with Coverage Status Details. It shows how endpoints are split across waiting, downloading, installing, completed, failed, or not applicable.

Coverage Status Details report for a Tanium Deploy rollout

Action Lock

If endpoints use Action Lock, Deploy can be blocked before the install starts. Check this early.

Useful Interact query:

Get Action Lock Status from all machines
Interact results showing Action Lock status on endpoints

Maintenance Windows

Endpoints outside an active maintenance window can stay in Waiting even when the package is correct. Check the maintenance window before treating this as a failure.

Maintenance Window configuration impacting deployment execution

Scan Interval

The scan interval controls how often the client checks for deployments. If it is too long, endpoints may start late.

Scan Interval setting used by Tanium Deploy

Tools Status Details

For a single problematic endpoint, query the tool status directly.

Get Endpoint Configuration - Tools Status Details from all machines with Computer Name contains LABLTSC2019.monlab.lan
Tools Status Details query for a specific endpoint

This helps you separate package issues from client or tool issues on the endpoint.

Deployment Phases

The deployment activity view becomes much easier to read when each state is interpreted correctly:

  • Waiting: the deployment has not started yet, often because of schedule, maintenance window, or readiness conditions.
  • Downloading: content transfer is in progress.
  • Installing: the install command is running.
  • Completed: the install and verification steps succeeded.
  • Not Applicable: the endpoint does not satisfy package applicability or already matches the target state.
  • Failed: execution or verification did not succeed.
Deployment Activity Detail overview showing rollout phases
Downloading phase example in Deployment Activity Detail
Installing phase example with return code details

Check Applicability Explicitly

If many endpoints show Not Applicable, check applicability directly with Interact.

Software Packages list showing the package ID used for applicability checks

Example query using package ID 6220:

Get Deploy - Software Packages Applicability Details[6220] from all machines
Applicability Details query results for a Deploy package

This helps you separate eligible endpoints from endpoints that are already compliant, on the wrong architecture, or outside the requirement scope.

Applicability breakdown between Update Eligible and Not Applicable

To drill into one endpoint, add a computer filter:

Get Deploy - Software Packages Applicability Details[6220] from all machines with Computer Name contains LABLTSC2019.monlab.lan
Applicability Details filtered for a specific endpoint

Read the Client Logs

When the console view is not enough, read the endpoint logs directly:

C:\Program Files (x86)\Tanium\Tanium Client\Tools\SoftwareManagement\logs
  • software-management.log shows the main deployment workflow.
  • subprocess.log shows command output and execution failures from the installer layer.
software-management.log content for Deploy troubleshooting
subprocess.log output showing installer execution details

Good Practices

  • Start with a pilot deployment before pushing to broad production scope.
  • Keep the install command simple and predictable, and test it outside Tanium first.
  • Use verification that reflects the final installed state, not only command completion.
  • Investigate Not Applicable and Waiting with the same seriousness as Failed, because they often point to logic errors in targeting or scheduling.

Track with Custom Tags

Custom tags can help mark endpoints after a successful deployment and make post-rollout checks easier through Interact.

Custom Tags configuration for deployment tracking

Example Interact query:

Get Custom Tags from all machines
Interact results showing endpoints with custom tags

Keep the package, applicability, execution path, and verification aligned. If one of these parts is weak, troubleshooting gets harder very quickly.
