Client Startup Script
Startup ScriptVersion: 1.8.1

What is a startup script?

A startup script runs during a system’s initial boot up; it is applied to a system using a group policy. Startup scripts run under the context of the local computer’s SYSTEM account.

Why use a Startup Script for ConfigMgr?

To check configuration settings and the state of services that the ConfigMgr client agent depends on for successful operation as well as install the client agent if it is not installed or functioning properly.

Why use a Startup Script instead one of the built-in methods to install the client agent?

A startup script avoids most common DNS issues, firewall issues, and other connectivity issues that are common when a central system attempts to touch all of the clients. It also adds the health/configuration checks mentioned above to check for (and correct some) dependencies as well as report on systems still having issues.

Some FAQs

53 Comments

Cancel

  1. Dumb question perhaps…..

    But for the “AgentVersion” setting: Defines the minimum client agent version. Systems with version less than this value will have the client agent install triggered.

    It appears SCCM shows the client version as 9.99.9999.9999 in the registry – Is this what the script runs against ? Because if so, it would never run.

  2. We have implemented the script in our test environment (where SCCM client is not available), the policy is applied and generating “ConfigMgrStartup1.75.vbs.log” but unfortunately client installation is not starting. Please find below mentioned log file for reference and help us to make the script working.

    XML File

    ABC
    5120
    5.00.8355.1000
    1
    \\X.X.X.X\SCCM_Client_AutoRem$
    1024
    \\X.X.X.X\SCCM_Client_AutoRem$\Error Logs
    30
    SCCM.DOMAIN.COM
    SCCM.DOMAIN.COM
    HIGH

    ConfigMgrStartup1.75.vbs.log

    Beginning Execution at 7/30/2017 10:42:19 AM ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Opened configuration file: ConfigMgrStartup.xml ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Loading Options and Parameters from configuration file ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: SiteCode: ‘ABC’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: CacheSize: ‘5120’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: AgentVersion: ‘5.00.8355.1000’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: MinimumInterval: ‘1’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: ClientLocation: ‘\\X.X.X.X\SCCM_Client_AutoRem$’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: MaxLogFile: ‘1024’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: ErrorLocation: ‘\\X.X.X.X\SCCM_Client_AutoRem$\Error Logs’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: Delay: ’30’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Property loaded: FSP: ‘SCCM.DOMAIN.COM’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Property loaded: SMSMP: ‘SCCM.DOMAIN.COM’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Parameter loaded: BITSPriority: ‘HIGH’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Parameter loaded: noservice: ” ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Verifying Last Result from Registry: HKLM\Software\ConfigMgrStartup\Last Execution Result ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    No last result recorded in registry ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Verifying Last Run time from Registry: HKLM\Software\ConfigMgrStartup\Last Run ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Last run time: 7/30/2017 9:42:07 AM ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    30… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    29… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:20 AM 0 (0x0000)
    28… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:22 AM 0 (0x0000)
    27… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:24 AM 0 (0x0000)
    26… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:27 AM 0 (0x0000)
    25… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:28 AM 0 (0x0000)
    24… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:29 AM 0 (0x0000)
    23… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:30 AM 0 (0x0000)
    22… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:31 AM 0 (0x0000)
    21… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:32 AM 0 (0x0000)
    20… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:34 AM 0 (0x0000)
    19… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:35 AM 0 (0x0000)
    18… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:36 AM 0 (0x0000)
    17… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:37 AM 0 (0x0000)
    16… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:38 AM 0 (0x0000)
    15… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:39 AM 0 (0x0000)
    14… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:40 AM 0 (0x0000)
    13… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:41 AM 0 (0x0000)
    12… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:42 AM 0 (0x0000)
    11… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:43 AM 0 (0x0000)
    10… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:44 AM 0 (0x0000)
    9… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:45 AM 0 (0x0000)
    8… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:46 AM 0 (0x0000)
    7… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:47 AM 0 (0x0000)
    6… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:48 AM 0 (0x0000)
    5… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:49 AM 0 (0x0000)
    4… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:50 AM 0 (0x0000)
    3… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:51 AM 0 (0x0000)
    2… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:52 AM 0 (0x0000)
    1… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:53 AM 0 (0x0000)
    Successfully Connected to WMI ConfigMgrStartup1.75.vbs 7/30/2017 10:42:54 AM 0 (0x0000)
    START: Service Check… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:54 AM 0 (0x0000)
    *BITS…found (Stopped,Auto)…expected State of Running…started service…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:09 AM 0 (0x0000)
    *winmgmt…found (Running,Auto)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:09 AM 0 (0x0000)
    *wuauserv…found (Stopped,Auto)…expected State of Running…started service…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *lanmanserver…found (Running,Auto)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *RpcSs…found (Running,Auto)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    START: Admin Share Check… ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *Admin$…found…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    START: Registry Check… ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM…found (Y)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel…found (2)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)

  3. Hi Jason,
    Just implemented this and it looks great. My only issue is the log file, it seems to be created with permissions that make it unreadable, even by local admins. Is this something you’ve encountered? Clients are Win10 1607.

    • Hi John,

      Do you mean the local log file created by the script? I’m assuming so. I don’t recall that ever being an issue. What folder are you looking in for the log file?

  4. how would you add the /source parameter or the /forceinstall one

    • Using a CCMSetupParameter element; e.g., HIGH.

      For forceinstall:

      For source:

      \\server\path

      Why would you use /source though instead of just letting ccmsetup grab the source from the closest DP?

  5. Hi,

    I still have a number of stubborn machines that do not appear to have the client installed. Will enabling automatic site-wide client push installation cause any new problems? Thanks! -G

    • That depends upon what you define as a problem. Auto client push attempts to copy and start ccmsetup.exe on all discovered resources that are assigned to the site and that do not already report as having the client agent installed.

  6. Thank you for the script and your answer
    we could use the source path for cases of acquisitions when we do not have all offices routed or provisioned with dps.. we can distribute the source binaries using netlogon or dfs replication.

    Is there a way to use the ccmexec from the location where the script resides?ClientLocation= with something like an invocation path variable?
    (if I would use a group policy to start the script and place the ccmexec into the scripts folder of the group policy..That client location could change based on the guid of the gpo.. )

  7. Great script.
    Can you also add the Windows firewall (port 80, file / print sharing…) used by sccm in the script
    SCCM client will have an issue reporting to the server if those ports are not opened in the firewall.
    Thanks

    • That’s not actually accurate depending on exactly what you are referring to. All client agent traffic in ConfigMgr is client agent initiated meaning that unless you are explicitly blocking outbound traffic on the client side firewall, then nothing is needed. Blocking outbound connections and traffic is not the default configuration on the Windows firewall and it’s not standard practice either so this is not needed in most cases.

  8. Thanks for your script, Will this work in sccm 2016?

    • There’s no such thing as SCCM/ConfigMgr 2016. If you mean ConfigMgr Current Branch, then yes. ccmsetup has changed much at all from an operational perspective and neither has client agent installation in general.

  9. Hi Jason, the admin$ check throws an error:

    ConfigMgrStartup.vbs(884, 2) SWbemServicesEx:
    not found

    I’ve disabled the admin share with the following registry setting:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
    “AutoShareWks”=dword:00000000

    Let me know if you need xml config or log.

    • That certainly looks to be an error in the script. The admin shares aren’t required for ConfigMgr client agent operation but they are required for client push. Why are you disabling them though? No one, to my knowledge, recommends disabling them anymore.

      • Sorry for the super late reply, i thought i subscribed to the thread.

        I have disabled this on my workstation because of a (bad) habit not wanting anyone to browse my shares. But i can’t be certain that this is not configured somewhere else so a fix is appreciated.

        • The latest update I posted a little over a month ago (version 1.8.1) includes the fix for this. Note though, that folks can’t “browse” your admin shares unless they have local admin permissions and if they have local admin permissions, well, they can do pretty anything with or without the admin shares enabled.

  10. Hi Jason we seem to be getting the same error at mt7479 but we do not have admin shares disabled.

    • Right, as noted, it looks to be a bug in the code. Same question though, why disable them? No one recommends disabling admin shares anymore?

  11. Hi Jason, this is the first time I am implementing your script and I am getting this is in the errorlogs: ” *HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel…found (3)…expected value of 2…FAILED” Exactly what does this mean?

    • Info on LegacyImpersonationLevel is at https://msdn.microsoft.com/en-us/library/windows/desktop/ms680736(v=vs.85).aspx.

      This used to have to be explicitly set for client push and other remote RPC calls to function correctly.

      Keep in mind, the *example* XML configuration file included with the startup script is just that, an example. You don’t have to include everything in the XML is you don’t want or need it. In the case of this setting, I think the default value set by the OS is sufficient and checking it is no longer necessary.

  12. I feel like I’m having a serious dumb struck moment here. I don’t see instructions as to how to actually Implement this. I see that it has a group policy connection, but I don’t the instructions as to how to define that group policy? Can someone point to information which tells me how to make machines actually start leveraging this?

    I’m quite confused?

  13. Hi Jason, thanks for the script – we’ve been using it for a couple of years now and we’ve been having great success – far better than what client push would provide.

    We’re currently running 1.75 and I was just taking a look at the example XML file for 1.81. Curious as to the purpose of this example PreReq:

    HKLM\SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties5\

    Not sure why you would use that as a prereq, whether it’s just an example or it serves some actual purpose in your test or production environments. Also, not sure if the ‘5’ on the end is a typo or not. Seems to be.

    Anyway, thanks a ton for your hard work on this and the service you provide the wider ConfigMgr community.

    • That’s a remnant from my testing; you are correct that it is not a valid key used by ConfigMgr. You can simply remove that element or use it is an example.

  14. Hi Jason, wanted to check what would be easiest way to disable the SCCM Client Cache size setting in your ConfigMgrStartupScript 1.8.1. I did not set a CacheSize option in the xml file, but didn’t want the script to set it to the default 5120 also, thanks

    • Simply exclude that element from the script. That won’t change the default cache size though as that’ll still be 5120.

  15. What is your recommendation on the Client Install Location? Do you recommend just sharing out the default Client Folder? or copying to another share and using that?

    • No, never. The default location’s permissions are subject to ConfigMgr’s control. Also, these are files directly used by ConfigMgr so if these get messed up, ConfigMgr may have issues (this is a remote possibility and the impact is low, but still not something I like to tempt).

      I always recommend copying the files to another location. In general, all you really need to copy is ccmsetup.exe.

  16. Hello,

    I have my startup script running, it can access the CCMSetup.exe, but it appears nothing happens. From the log it shows

    -It shows the Expected version, and my Unpatched version
    -It finds the CCMSetup in the network share
    -It initiates the install
    -Client Check Succeeded
    -Finishes execution

    But my client version is still old/out of date

  17. Is there any way to call a WMI Script that is a Batch file ? or is it VBS only ?

    I tried pointing the XML to a batch file, but it just causes the whole thing not to run. (As noticed by nothing new showing up in CCMSetup.log)

  18. After messing with this for 3 days I guess I need help. I copied the client installer to a network share. Shared it but no matter how I share it I get:

    not found \\store1.domain.com\apps\sccm\cmmsetup.exe

    I can launch the file just fine once I’m logged in. I’ve given the share (and security tab) full access for “everyone”, machine account, authenticated users, domain computers…. Nothing.

    What exactly is trying to access the share on “startup”?

    Thanks for any help!

    • Not sure if this is a typo above or not, but the setup bootstrapper is ccmsetup.exe and not cmmsetup.exe (two c’s, not two m’s).

      • Yes, typo. ccmsetup.exe isn’t in the XML, your code pastes that there in the error file.

        • Nope, not my code. I just did a find on the entire .vbs and that doesn’t exist. Perhaps something got messed up in your file? Can you search your copy of the .vbs for “cmm” or “cmmsetup” please?

          Also, where exactly are you getting that error? In the script’s log file?

          • No, it was a typo in my comment here. Not in your error log. The error logs shows it properly. I’m not cutting and pasting from the error log. That machine isn’t on my network.

          • So…any insight as to what exactly is trying to authentic during “startup”?

          • That depends on how you are running it. If you are running it as a startup script, then its the computer account of the system running it which should be included in the Domain Computers security group.

            Have you tried manually accessing the path specified?

          • Yes – “I can launch the file just fine once I’m logged in.”

            So if it’s definitely the local computer account then I’ll concentrate on that and see what’s going on. Might be something dumb like the NIC isn’t available when it’s trying to access on start up because the computer boots from POST to login in like 2.5 seconds.

  19. Hi,

    Would you still Anders’s health check toegther with your startup script?

    https://gallery.technet.microsoft.com/ConfigMgr-Client-Health-ccd00bd7

    Thanks.

    • I honestly haven’t looked at his script in-depth at all. My initial reaction is that a lot of what his script done may be better done in a CI so that it can be reported on. There are also a couple from items in his script I would never recommend doing (not trying to bash, just stating my opinion). Of course, if it works for you and helps, go for it.

  20. Hi Jason,
    I just wanted to drop you a Big Thank You. I’ve been using your Startup Script for years and love it. Thank you sir!

    Scott

  21. Hi

    How I should run the script with admin rights ?

    the GPO is linked and working, but I get the error “User is not a local admin” I’m logging as a test domain user with no rights, like most people on domain … so there’s any way to allow anyone to run the script with no admin rights at logon ?

    Thanks in advances

  22. Jason, just a note to let you know I really appreciate the work you put in this script. We use it in our VDI environment for managing full clones, and it works without a hitch. Just gotta remember to rev the Agent Version number in the XML file after an update and then I can forget about it. Danke!