Module 1 — Lesson 8 of 8 (Capstone)

Real-World Scenarios

Apply everything you have learned in Module 1 to four realistic scenarios based on challenges IT teams face at Mercury Insurance every day.

4 Real-World Scenarios | 7 Lessons Applied | 1 Module Completion Badge

Performance + Investigate Integration

[Diagram: TANIUM PERFORMANCE (Health Scores, Alerts, RCA, Remediation, Verification) → Escalate → TANIUM INVESTIGATE (Endpoint View, Data Collect, Direct Connect, Workspace, ServiceNow)]

Capstone Approach

Each scenario below requires you to apply multiple skills: reading dashboards, interpreting health scores, performing RCA, choosing remediation, and verifying results. Think through your approach before checking answers.

Scenario 1: Post-Patch Performance Degradation

Tanium Console — Personal Lines Group

Avg Health Score: 48
Avg CPU: 72%
Disk I/O Latency: 3x
Memory: 65% (Normal)
Affected: 320 of 500

500 endpoints patched Tuesday night. Commercial Lines (same hardware, not patched) stable at 80+ health.

What is the best immediate action?

Correct: B. Before rolling back, identify what is consuming resources. SearchIndexer.exe was rebuilding its index post-patch — a transient 6-8 hour process. Communicate to the help desk, monitor, and remediate the 30 stragglers with a targeted Windows Search service restart.

Scenario 2: Single User Reports Slow Laptop

Tanium Console — Endpoint: CAEI-998712

Health Score: 22 (Critical — normally 75+)
CPU: 98% for 3 hours — Top: MsMpEng.exe at 65%
Memory: 91% (8 GB total) — Top: Chrome (42 tabs) at 3.8 GB
Disk: 45% free (not an issue)
Last Reboot: 18 days ago

What is the best approach?

Correct: C. Three compounding issues: (1) a Defender full scan running during business hours at 65% CPU, (2) Chrome with 42 tabs consuming 3.8 GB RAM, (3) 18 days of uptime accumulating leaks. Address all three: reschedule scans, educate the user on tabs, and schedule a reboot. A new laptop (B) is overkill for a software issue. Uninstalling Defender (D) is a security violation.

Scenario 3: Hardware Refresh Prioritization

The Situation

The VP of IT asks: "We have budget for 200 device replacements this quarter. Which 200? Give me a data-driven answer by Friday." Fleet: 4,500 endpoints, ages 1-7 years.

Composite Scoring Methodology

Health Score (40%) + Asset Age (25%) + Tickets (20%) + HW Specs (15%) = Composite Score
→ Rank bottom 200
→ Present to leadership: "Replacing these 200 will raise fleet health 68 → 74"

What is the best methodology?

Correct: B. A data-driven composite approach is most defensible: (1) 30-day average health scores, (2) asset age (prioritize 4+ years with poor scores), (3) ticket history (3+ performance tickets = extra weight), (4) rank bottom 200 with supporting data. Age alone (A) misses that some old devices perform fine. Nominations (C) introduce politics.
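
Added example (not part of the original lesson, and not Tanium code): the composite ranking above in Python, using the lesson's 40/25/20/15 weights. The 0-100 scaling of each factor, the 16 GB RAM baseline, the health score of 90 assumed for a replacement device, and the sample fleet are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Weights are the ones shown in the lesson's methodology diagram.
WEIGHTS = {"health": 0.40, "age": 0.25, "tickets": 0.20, "specs": 0.15}

@dataclass
class Endpoint:
    name: str
    health_30d: float  # 30-day average health score, 0-100
    age_years: float
    perf_tickets: int  # performance tickets on record
    ram_gb: int

def factor_scores(ep):
    """Put every factor on 0-100, higher = healthier (scales are assumptions)."""
    return {
        "health": ep.health_30d,
        "age": max(0.0, 100 - ep.age_years / 7 * 100),  # fleet ages run 1-7 years
        # 3+ tickets carry extra weight: the factor drops straight to 0.
        "tickets": 0.0 if ep.perf_tickets >= 3 else 100 - 25 * ep.perf_tickets,
        "specs": min(100.0, ep.ram_gb / 16 * 100),  # assumed 16 GB baseline
    }

def composite(ep):
    scores = factor_scores(ep)
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 1)

def refresh_candidates(fleet, budget):
    """Lowest composite first; ties go to the older device."""
    return sorted(fleet, key=lambda e: (composite(e), -e.age_years))[:budget]

def projected_health(fleet, replaced, new_health=90.0):
    """Fleet average health before and after; new_health is an assumption."""
    gone = {e.name for e in replaced}
    before = mean(e.health_30d for e in fleet)
    after = mean(new_health if e.name in gone else e.health_30d for e in fleet)
    return round(before, 1), round(after, 1)

# Constructed sample fleet (not real Tanium data).
FLEET = [
    Endpoint("LT-OLD-GOOD", 82, 6, 0, 16),
    Endpoint("LT-OLD-BAD", 41, 6, 4, 8),
    Endpoint("LT-MID-BAD", 48, 4, 3, 8),
    Endpoint("LT-NEW-OK", 85, 1, 0, 16),
    Endpoint("LT-OLDEST-FINE", 78, 7, 1, 8),
    Endpoint("LT-NEW-BAD", 55, 2, 2, 16),
]

if __name__ == "__main__":
    picks = refresh_candidates(FLEET, budget=2)
    for ep in picks:
        print(ep.name, composite(ep), factor_scores(ep))
    print("fleet health before/after:", projected_health(FLEET, picks))
```

With a budget of 2, the ranking selects LT-OLD-BAD and LT-MID-BAD and skips LT-OLDEST-FINE, the oldest device in the sample, which is the difference between composite ranking and replacing by age alone.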

Scenario 4: VDI Performance Monitoring

The Situation

800 remote workers using VDI report 60% more performance complaints this month: lag, frozen screens, disconnections. Your manager asks you to determine whether the problem is endpoint-side, VDI infrastructure, or network.

Tanium Console — VDI Users vs. Office Users Comparison

Metric           | VDI Users (800) | Office Users (3,700) | Delta
Avg Health Score | 62              | 78                   | -16
Avg CPU          | 52%             | 38%                  | +14%
Network Latency  | 85ms            | 12ms                 | +73ms
Avg Device Age   | 4.2 years       | 2.8 years            | +1.4 yrs

What is the best first step?

Correct: B. Tanium on the physical endpoints reveals user-side factors: network latency, endpoint health, device age. The comparison table shows 40% of complaints are likely network-related (home internet), 15% endpoint-related (older hardware), and 45% point to VDI infrastructure. Present the breakdown to the VDI team.

Module 1 Progress Checkpoint

You have completed all 8 lessons in Module 1: Tanium Performance. Test your knowledge with these 5 review questions covering Lessons 5-8.

Module 1 Review: Lessons 5-8

1. What is the primary risk of setting alert thresholds too aggressively (e.g., CPU > 70%)?

Correct: B. Alert fatigue is the primary risk. Too many notifications for normal conditions cause the team to ignore alerts, including the ones that matter.

2. In the five-step RCA process, what comes immediately after "Check the timeline"?

Correct: C. The five steps: (1) Identify symptom, (2) Check timeline, (3) Correlate with changes, (4) Isolate affected group, (5) Determine root cause.

3. Why should remediation packages always be tested on a pilot group before full deployment?

Correct: B. A pilot test catches problems in a controlled environment. Even well-intentioned scripts can have unintended consequences; testing on 10-20 endpoints first limits the blast radius.

4. You need to justify a hardware refresh for 200 endpoints to leadership. What data from Tanium Performance is most compelling?

Correct: B. Leadership responds to data-driven, multi-factor analysis. A composite score combining health data, age, and ticket impact tells a compelling story about productivity loss and support cost.

5. When investigating VDI performance complaints, what can Tanium Performance on the physical endpoint tell you that VDI infrastructure monitoring cannot?

Correct: B. Tanium on the physical endpoint reveals user-side factors: network latency, packet loss, endpoint CPU/memory contention, and whether the local device can run the VDI client smoothly. These client-side factors are responsible for a significant portion of VDI complaints.

Module 1 Complete!

Congratulations — you have completed all 8 lessons in Module 1: Tanium Performance. You now understand how to monitor endpoint performance, interpret health scores, configure alerts, perform root cause analysis, and execute remediation at scale.

Continue your DEX Specialization by starting Module 2: Tanium Investigate, or if you have completed both modules, head to the Certification Exam.