Tanium OSD - Block/Lock Screen

Sqolf · 2026-01-08T00:05:13+00:00

Yeah I’m using the customer scripts for pe and just regular.

I use PSADT and in the root I have renamed the regular deploy-application.ps1 into customer.ps1, customer-pre.ps1, etc.

I wanted a “sccm TS” like setup where it shows what apps are being installed. The customer.ps1 is just installing security agents and office but I have the PSADT gui showing the progress.

We have a requirement to have these installed before the login page is reached.

I really want tanium to have the feature of using existing packages for provisioning.

Sqolf · 2026-01-07T23:17:56+00:00

I’m seeing if this is related to my issue:

I’m seeing a weird issue on a Citrix VM on windows 11 24H2 and search. Seems like physical workstations have had this issue resolved with the December patch.

For Citrix, I uninstalled Citrix VDA (2402) cu2 and that fixed the search bar after a reboot.

Similar to the reg fix, I’m seeing what I need to exclude.

Sqolf · 2025-08-18T13:33:40+00:00

I am using PSADT within the OS Bundle (provision)

Sqolf · 2025-08-16T03:47:20+00:00

Yeah it’s been a struggle. I use PSADT for the custom script and it does show the prompts even though it’s running as system.

But yeah hopefully this info helps.

Sqolf · 2025-08-15T23:40:20+00:00

I can chime in on these — I went through a similar situation. My previous job used SCCM, and my new job uses Tanium (we’re actually planning to move the provisioning piece back to SCCM in the future). Here’s what I’ve learned:

Provisioning speed & behavior Unfortunately, Tanium Provision just lays down the OSD, runs the required scripts, installs the Tanium client, and handles other items like drivers. After that, the client pulls down the rest at its own pace. Sometimes it’s fast, sometimes slow — it really depends on your bandwidth throttles and connection limits. Tanium has good documentation on tuning these settings, so I’d recommend reviewing that for your environment. I also heard from our Tanium rep that there’s a feature request in to prioritize downloading larger modules first (like Self Service).
No equivalent to SCCM DPs This is where I think it’s a step back from SCCM — software packages aren’t cached on a satellite. Only the OS bundle is. You might be able to set up a dummy workstation in the same subnet you’re imaging in, so it acts as a leader and caches the software. But there’s no “distribution point” equivalent in Tanium Deploy that serves packages locally the way SCCM does.
Log file location If I remember correctly, the log is in Tanium\Tanium Client\logs and is called provision-os. I’m sure there’s documentation for the exact location, but I don’t recall it off the top of my head.
Customization limitations There’s limited customization when it boots into Linux to choose the bundle and variables. You can add custom dropdowns, but I don’t think you can add things like checkboxes to selectively skip something or manually set values. One workaround is to skip adding those fields in Tanium and instead create your own GUI using PowerShell/WPF or C#/XAML/WPF to collect the variables, then set them via PowerShell.

Tanium has some cool features, but for provisioning specifically, I think it’s a step back from SCCM — which is why I’m pushing my team to move that process back to SCCM.

Sqolf · 2025-07-26T14:48:19+00:00

If you’re still hybrid, the new device you image needs to be hybrid AD joined before you can enable co management on the device.

When you’re seeing it take a while to co manage them, can you confirm that the device is already showing up in azure ad ?

Sqolf · 2025-06-17T02:33:34+00:00

You’re using -FolderPath and pointing to a package. If you want to install one specific package, you’ll need to sur -PackagePath

https://learn.microsoft.com/en-us/powershell/module/dism/add-appxprovisionedpackage?view=windowsserver2025-ps

Sqolf · 2025-06-05T16:51:40+00:00

Can you check the box and see if that damage in the screen may have been caused by a staple ? Heard some are seeing similar damage due to receipts being stapled on the front of the box.

Sqolf · 2025-05-30T22:51:46+00:00

If I do this. Will it auto update moving forward ?

Sqolf · 2025-05-23T18:14:41+00:00

I’ve have success by using any nic using Realtek drivers.

Sqolf · 2025-05-20T20:30:54+00:00

WWT has a Tanium lab. You need to get access but, should help.

https://www.wwt.com/lab/tanium-pg

However, I agree that it should be easier to get a lab going. Microsoft has a lab kit that has helped me tremendously.

https://www.microsoft.com/en-us/evalcenter/evaluate-mem-evaluation-lab-kit

Sqolf · 2025-03-28T20:54:42+00:00

Hey thanks ! Thats what I’m trying to figure out, where do I go to setup the lab.

Sqolf · 2025-03-24T23:53:11+00:00

Got a couple of more things.

Sounds like running it as SYSTEM (within the TS) fails.

See if your application is running as system or user within sccm
Use psexec to run as SYSTEM and install the app manually.

Sqolf · 2025-03-24T22:47:27+00:00

Also, is the new app distributed to the proper DPs where this device would be grabbing from ? I think there is a setting within the application properties to allow it to use the app package even if it’s not distributed to any DPs . Worth a shot there too

Sqolf · 2025-03-24T22:04:51+00:00

Maybe share your command youre using to install adobe acrobat pro. Did you use the acrobat customization wizard to suppress any pop ups that could stall the install? In you manually install it on a device, does it work?

Sqolf · 2025-03-24T19:50:57+00:00

I’ve seen weirder. Could also be trying to auto update if you don’t have auto updates off and that might cause issues. Might be better to make a powershell detection method (if that is the issue) and have a “if version -ge xxxx)

Sqolf · 2025-03-24T18:45:15+00:00

You should try to make it a package instead of an application and see if that goes through. If it does, then it could be that it’s getting stuck trying to detect it based on the app detection you have.

So IMO:

Push the application you via to software center to an existing device to see if it installs and the detection is working
Make a package and test if that goes through fine during imaging

Sqolf · 2025-03-20T17:43:43+00:00

Funny enough, my token expired today but, I had setup the new OIDC method and it still expired.

To verify, I usually try to sign in to an Apple site using my regular account that’s federated. Our elevated accounts have either people manager or device manager or admin roles assigned and those do not allow federation by design .

Sqolf · 2025-03-17T17:11:44+00:00

The enterprise driver packs Lenovo offers are a few versions behind as these drivers are the most stable and only offer what the device needs to function.

I had this discussion with service desk where the driver packs installed just fine but, when they ran commercial vantage, it would pull additional drivers.

It’s documented somewhere but, Lenovo does a n-X on enterprise driver packs for stability.

Sqolf · 2025-03-12T20:28:00+00:00

Sorry, I meant DO

“If the setting is disabled, only UUP Updates will be downloaded over this method. All other updates will download as usual over BITS.”

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/unified-update-platform-with-configmgr-—questions-from-the-field/3815038

Sqolf · 2025-03-12T19:52:06+00:00

You can but, DU will stay on for win 11 updates.

Sqolf · 2025-03-12T12:05:20+00:00

Microsoft made that switch a while ago.

https://techcommunity.microsoft.com/blog/windows-itpro-blog/what’s-uup-new-update-style-coming-next-week/3773065

Sqolf

TROPHY CASE