Tanium Client Edge Migration: Don't Forget Your OS Imaging Pipeline

This is a companion piece to our earlier post, Tanium Cloud Client Edge Server Names Are Changing — Here’s What to Do. If you haven’t read that one yet, start there for the full overview of the migration.

You’ve run the Client Edge Migration Status dashboard, updated your ServerNameList, and watched your endpoints move to Complete. You’re done, right?

Not quite. There’s one area that’s easy to overlook: any process that installs a fresh Tanium Client onto a newly provisioned endpoint.

If your imaging or provisioning pipelines still reference the legacy zsb1/zsb2 server names, every new endpoint you build will ship with a stale configuration. Once the legacy server names are decommissioned, those endpoints won’t register with Tanium Cloud.

Where to look

Audit anywhere in your build and provisioning chain that installs the Tanium Client. Common places to check include:

Tanium Provision images

Any OS images managed through Tanium Provision should be reviewed and rebuilt with an updated Tanium Client installer that already targets the new Client Edge URLs. Confirm that the bundled installation parameters reference the new FQDNs and not the legacy ones.

Golden images and OS deployment templates
  • Microsoft Configuration Manager (MECM/SCCM) task sequences and reference images
  • Microsoft Deployment Toolkit (MDT) deployment shares
  • VMware / vSphere templates and clones
  • Citrix MCS / PVS master images
  • Cloud images (AMIs, Azure managed images, GCP custom images)
  • Mac and Linux base images used by your provisioning team

Automated installers and onboarding scripts
  • Intune, Jamf, Workspace ONE, or Kandji deployment policies that push the Tanium Client
  • PowerShell, Bash, or Ansible/Puppet/Chef provisioning scripts that install or configure the Tanium Client
  • Cloud-init, Packer, or Terraform pipelines that bake the Tanium Client into images
  • Any internally maintained installer packages, MSIs, or PKGs that pre-seed a ServerNameList

What to update in each pipeline

For every imaging or provisioning workflow that installs the Tanium Client, make sure of the following:

  1. Use a current Tanium Client installer. Replace any embedded installer with a current version (ideally 7.6.2 or later) so that server prioritization is supported and the migration behavior matches your live fleet.
  2. Update the ServerNameList values used at install time. Whether the FQDNs are passed via installer parameters, an answer file, an MSI transform, a config file, or a post-install script, replace any references to the legacy zsb1 / zsb2 URLs with the new zs1 / zs2 URLs (using your tenant’s customer string).
  3. Verify firewall and proxy paths from build environments. If you build images in an isolated network segment, confirm that the new FQDNs are reachable from there on TCP 17472 and 17486 — otherwise newly provisioned endpoints may be unable to register on first boot.
  4. Re-test your image. After updating, build a test endpoint from each refreshed image or pipeline and confirm it shows up in the Tanium console with the updated Client Edge URLs and reaches Complete in the Client Edge Migration Status dashboard.
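One way to carry out the audit behind step 2, as an added example that is not from Tanium or the original post: a scanner that walks a directory of provisioning scripts and answer files and reports every line still containing the legacy zsb1/zsb2 labels, including UTF-16 files. The hostnames, file names, and the `scan_tree` / `build_sample` helpers are constructed for illustration; the post does not give the full FQDN format, so only the bare labels are matched.

```python
import re
import sys
import tempfile
from pathlib import Path

# Legacy labels named in the article, matched as whole tokens so the new
# zs1/zs2 names never trigger a finding.
LEGACY = re.compile(r"(?<![A-Za-z0-9])zsb[12](?![A-Za-z0-9])", re.IGNORECASE)

def decode(raw):
    """Return file content as text, or None if it looks binary."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")  # BOM-marked UTF-16
    if b"\x00" in raw[:4096]:
        return None  # binary (MSI, PKG, disk image): review separately
    return raw.decode("utf-8", errors="replace")

def scan_tree(root):
    """Return (relative_path, line_no, line) for every legacy reference."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = decode(path.read_bytes())
        if text is None:
            continue
        for no, line in enumerate(text.splitlines(), 1):
            if LEGACY.search(line):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, no, line.strip()))
    return findings

def build_sample(root):
    """Write constructed sample files; hostnames are placeholders."""
    root = Path(root)
    (root / "install.sh").write_text(
        "SERVERS=acme-zsb1.example.invalid,acme-zsb2.example.invalid\n")
    # Windows-style answer file saved as UTF-16, which a plain grep misses.
    (root / "answer.txt").write_bytes(
        "ServerNameList=acme-zsb2.example.invalid\r\n".encode("utf-16"))
    (root / "new.yml").write_text(
        "server_name_list: acme-zs1.example.invalid,acme-zs2.example.invalid\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            build_sample(tmp)
        hits = scan_tree(target)
    for rel, no, line in hits:
        print(f"{rel}:{no}: {line}")
    sys.exit(1 if hits else 0)  # non-zero fails a CI gate
```

Run it with a directory path as the only argument to scan a real repository or deployment share; with no argument it scans the constructed sample. Binary packages are skipped, so embedded installers still need a manual check.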

Recommended sequencing

  1. Add the new Client Edge FQDNs to your firewall egress allow-lists (this should already be in flight as part of the main migration).
  2. Run the Client Edge Migration Status dashboard actions to update your existing endpoints.
  3. In parallel, identify owners of every pipeline, image, and automation that installs the Tanium Client.
  4. Refresh those images and update those scripts and policies to use a current Tanium Client installer and the new FQDNs.
  5. Validate by provisioning a test endpoint from each updated source and confirming registration against the new URLs.
  6. Periodically re-check the dashboard during the migration window for any new endpoints that show up Not Started — that is your tell-tale sign that a stale image or pipeline is still in production.

Need a hand? Contact your Chuco Consultant

If you would like a second set of eyes on your imaging and provisioning workflows, contact your Chuco consultant for assistance with this project. We are happy to walk through them with your team — including reviewing your Tanium Provision images, MECM task sequences, or any custom installer scripts you use to onboard new endpoints — and to validate that your refreshed images and pipelines register cleanly against the new Client Edge URLs.

If you don’t have a direct contact at Chuco yet, you can also reach us through chuco.com/contact.

Reference

Primary Tanium documentation for the Client Edge URL migration:

https://help.tanium.com/bundle/ClientEdgeMigration/page/KA/ClientEdgeMigration/ClientEdgeMigration.htm
