Health Check requirements

Review the requirements before you install and use Health Check.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Health Check. For information about licensing, Contact Tanium Support.
  • Tanium™ Core Platform servers: 7.4 or later

Tanium™ Module Server

Health Check is installed and runs as a service on the Module Server. The resource impact on the Module Server is minimal and depends on usage.


Health Check does not deploy packages to endpoints. For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Host and network security requirements

Specific ports and processes are needed to run Health Check.


The following ports are required for Health Check communication.

Source Destination Port Protocol Purpose
Module Server Module Server (loopback) 17242 TCP Internal purposes; not externally accessible
Module Server Tanium Server 443 TCP Communicate with Tanium Server using API, collect host information for Tanium Server

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Health Check security exclusions for Tanium Core Platform servers (Windows deployments only)
Target Device Notes Exclusion Type Exclusion
Module Server   Process <Module Server>\services\health-service\node.exe
  Process <Module Server>\services\health-service\twsm.exe

Internet URLs

For data sharing through a proxy from the Tanium Server to the Internet, your security administrator must allow the following URLs.


User role requirements

The Administrator reserved role is required for all Health Check tasks.

If you are running Tanium Servers on Windows, ensure that you change the account that is used to run the Tanium Health Check service from LOCAL SYSTEM to an account that has access to the Tanium Servers and Zone Servers. Otherwise, the generated reports do not contain server information about the Tanium Servers and Zone Servers.