Client Startup Script

What is a startup script?

A startup script runs during a system’s initial boot up; it is applied to a system using a group policy. Startup scripts run under the context of the local computer’s SYSTEM account.

Why use a Startup Script for ConfigMgr?

To check configuration settings and the state of services that the ConfigMgr client agent depends on for successful operation as well as install the client agent if it is not install or functioning properly.

Why use a Startup Script instead one of the built-in methods to install the client agent?

A startup script avoids most common DNS issues, firewall issues, and other connectivity issues that are common when a central system attempts to touch all of the clients. It also adds the health/configuration checks mentioned above to check for (and correct some) dependencies as well as report on systems still having issues.

Some FAQs

Does this script work with ConfigMgr 2012 and ConfigMgr Current Branch (CB)?

Yes. The set up processes between 2007, 2012, and CB are nearly identical. Make sure you are aware of the different public properties available though as there are a few changes; e.g., SMSLP is no longer valid in 2012 and CB because there is no formal SLP role anymore.

Does this script fix WMI?

No. WMI can break in so many different ways that there’s no way to build a complete script to fix WMI. Instead, version 1.53 includes the ability to call an external script to do this for you. There are a handful of WMI check/fix scripts available including the one I tested with: WMIDiag (see the included documentation for more info on that).

Is this a comprehensive client *health* script?

Comprehensive? No way. I would consider it part of an overall client health strategy, but similar to WMI, there are so many different things that can go wrong with clients that it wouldn’t be impossible to keep up. This script is flexible enough to add many checks and fixes for things that are often root client health issues. There’s no real reporting or data summarization either.

Does this replace ccmeval in ConfigMgr 2012 or does ccmeval in ConfigMgr 2012 replace the need for this script?

No. ccmeval is intended only to check on the health of a handful of client issues that most often cause ConfigMgr client’s issues after the agent is installed. Thus, there is a great deal of overlap; however, the main purpose of this script is to ensure that the client is installed in the first place which ccmeval does not do.

What's new in 1.8.1?
  • Added pre-requisite checks to prevent script from performing any checks or installing the client agent
  • Corrected elapsed time calculation for final log message
  • Updated error handling when checking for admin shares
Can I still download 1.7.5?


  1. Aeron

    Dumb question perhaps…..

    But for the “AgentVersion” setting: Defines the minimum client agent version. Systems with version less than this value will have the client agent install triggered.

    It appears SCCM shows the client version as 9.99.9999.9999 in the registry – Is this what the script runs against ? Because if so, it would never run.

  2. Arindam Paul

    We have implemented the script in our test environment (where SCCM client is not available), the policy is applied and generating “ConfigMgrStartup1.75.vbs.log” but unfortunately client installation is not starting. Please find below mentioned log file for reference and help us to make the script working.

    XML File

    \\X.X.X.X\SCCM_Client_AutoRem$\Error Logs


    Beginning Execution at 7/30/2017 10:42:19 AM ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Opened configuration file: ConfigMgrStartup.xml ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Loading Options and Parameters from configuration file ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: SiteCode: ‘ABC’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: CacheSize: ‘5120’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: AgentVersion: ‘5.00.8355.1000’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: MinimumInterval: ‘1’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: ClientLocation: ‘\\X.X.X.X\SCCM_Client_AutoRem$’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: MaxLogFile: ‘1024’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: ErrorLocation: ‘\\X.X.X.X\SCCM_Client_AutoRem$\Error Logs’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Option loaded: Delay: ’30’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Property loaded: FSP: ‘SCCM.DOMAIN.COM’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Property loaded: SMSMP: ‘SCCM.DOMAIN.COM’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Parameter loaded: BITSPriority: ‘HIGH’ ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Parameter loaded: noservice: ” ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Verifying Last Result from Registry: HKLM\Software\ConfigMgrStartup\Last Execution Result ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    No last result recorded in registry ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Verifying Last Run time from Registry: HKLM\Software\ConfigMgrStartup\Last Run ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    Last run time: 7/30/2017 9:42:07 AM ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    30… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:19 AM 0 (0x0000)
    29… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:20 AM 0 (0x0000)
    28… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:22 AM 0 (0x0000)
    27… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:24 AM 0 (0x0000)
    26… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:27 AM 0 (0x0000)
    25… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:28 AM 0 (0x0000)
    24… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:29 AM 0 (0x0000)
    23… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:30 AM 0 (0x0000)
    22… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:31 AM 0 (0x0000)
    21… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:32 AM 0 (0x0000)
    20… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:34 AM 0 (0x0000)
    19… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:35 AM 0 (0x0000)
    18… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:36 AM 0 (0x0000)
    17… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:37 AM 0 (0x0000)
    16… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:38 AM 0 (0x0000)
    15… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:39 AM 0 (0x0000)
    14… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:40 AM 0 (0x0000)
    13… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:41 AM 0 (0x0000)
    12… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:42 AM 0 (0x0000)
    11… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:43 AM 0 (0x0000)
    10… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:44 AM 0 (0x0000)
    9… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:45 AM 0 (0x0000)
    8… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:46 AM 0 (0x0000)
    7… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:47 AM 0 (0x0000)
    6… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:48 AM 0 (0x0000)
    5… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:49 AM 0 (0x0000)
    4… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:50 AM 0 (0x0000)
    3… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:51 AM 0 (0x0000)
    2… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:52 AM 0 (0x0000)
    1… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:53 AM 0 (0x0000)
    Successfully Connected to WMI ConfigMgrStartup1.75.vbs 7/30/2017 10:42:54 AM 0 (0x0000)
    START: Service Check… ConfigMgrStartup1.75.vbs 7/30/2017 10:42:54 AM 0 (0x0000)
    *BITS…found (Stopped,Auto)…expected State of Running…started service…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:09 AM 0 (0x0000)
    *winmgmt…found (Running,Auto)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:09 AM 0 (0x0000)
    *wuauserv…found (Stopped,Auto)…expected State of Running…started service…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *lanmanserver…found (Running,Auto)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *RpcSs…found (Running,Auto)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    START: Admin Share Check… ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *Admin$…found…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    START: Registry Check… ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM…found (Y)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)
    *HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel…found (2)…OK ConfigMgrStartup1.75.vbs 7/30/2017 10:43:24 AM 0 (0x0000)

  3. John

    Hi Jason,
    Just implemented this and it looks great. My only issue is the log file, it seems to be created with permissions that make it unreadable, even by local admins. Is this something you’ve encountered? Clients are Win10 1607.

    • Jason

      Hi John,

      Do you mean the local log file created by the script? I’m assuming so. I don’t recall that ever being an issue. What folder are you looking in for the log file?

  4. vas

    how would you add the /source parameter or the /forceinstall one

    • Jason

      Using a CCMSetupParameter element; e.g., HIGH.

      For forceinstall:

      For source:


      Why would you use /source though instead of just letting ccmsetup grab the source from the closest DP?

  5. Garrett


    I still have a number of stubborn machines that do not appear to have the client installed. Will enabling automatic site-wide client push installation cause any new problems? Thanks! -G

    • Jason

      That depends upon what you define as a problem. Auto client push attempts to copy and start ccmsetup.exe on all discovered resources that are assigned to the site and that do not already report as having the client agent installed.

  6. vas

    Thank you for the script and your answer
    we could use the source path for cases of acquisitions when we do not have all offices routed or provisioned with dps.. we can distribute the source binaries using netlogon or dfs replication.

    Is there a way to use the ccmexec from the location where the script resides?ClientLocation= with something like an invocation path variable?
    (if I would use a group policy to start the script and place the ccmexec into the scripts folder of the group policy..That client location could change based on the guid of the gpo.. )

  7. ChrisLD

    Great script.
    Can you also add the Windows firewall (port 80, file / print sharing…) used by sccm in the script
    SCCM client will have an issue reporting to the server if those ports are not opened in the firewall.

    • Jason

      That’s not actually accurate depending on exactly what you are referring to. All client agent traffic in ConfigMgr is client agent initiated meaning that unless you are explicitly blocking outbound traffic on the client side firewall, then nothing is needed. Blocking outbound connections and traffic is not the default configuration on the Windows firewall and it’s not standard practice either so this is not needed in most cases.

  8. Eon Louw

    Thanks for your script, Will this work in sccm 2016?

    • Jason

      There’s no such thing as SCCM/ConfigMgr 2016. If you mean ConfigMgr Current Branch, then yes. ccmsetup has changed much at all from an operational perspective and neither has client agent installation in general.

  9. mt7479

    Hi Jason, the admin$ check throws an error:

    ConfigMgrStartup.vbs(884, 2) SWbemServicesEx:
    not found

    I’ve disabled the admin share with the following registry setting:

    Windows Registry Editor Version 5.00


    Let me know if you need xml config or log.

    • Jason

      That certainly looks to be an error in the script. The admin shares aren’t required for ConfigMgr client agent operation but they are required for client push. Why are you disabling them though? No one, to my knowledge, recommends disabling them anymore.

      • mt7479

        Sorry for the super late reply, i thought i subscribed to the thread.

        I have disabled this on my workstation because of a (bad) habit not wanting anyone to browse my shares. But i can’t be certain that this is not configured somewhere else so a fix is appreciated.

        • Jason

          The latest update I posted a little over a month ago (version 1.8.1) includes the fix for this. Note though, that folks can’t “browse” your admin shares unless they have local admin permissions and if they have local admin permissions, well, they can do pretty anything with or without the admin shares enabled.

  10. rsantiago

    Hi Jason we seem to be getting the same error at mt7479 but we do not have admin shares disabled.

    • Jason

      Right, as noted, it looks to be a bug in the code. Same question though, why disable them? No one recommends disabling admin shares anymore?

  11. Lelo

    Hi Jason, this is the first time I am implementing your script and I am getting this is in the errorlogs: ” *HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel…found (3)…expected value of 2…FAILED” Exactly what does this mean?

    • Jason

      Info on LegacyImpersonationLevel is at

      This used to have to be explicitly set for client push and other remote RPC calls to function correctly.

      Keep in mind, the *example* XML configuration file included with the startup script is just that, an example. You don’t have to include everything in the XML is you don’t want or need it. In the case of this setting, I think the default value set by the OS is sufficient and checking it is no longer necessary.

  12. Bill Dunn

    I feel like I’m having a serious dumb struck moment here. I don’t see instructions as to how to actually Implement this. I see that it has a group policy connection, but I don’t the instructions as to how to define that group policy? Can someone point to information which tells me how to make machines actually start leveraging this?

    I’m quite confused?

  13. Neil

    Hi Jason, thanks for the script – we’ve been using it for a couple of years now and we’ve been having great success – far better than what client push would provide.

    We’re currently running 1.75 and I was just taking a look at the example XML file for 1.81. Curious as to the purpose of this example PreReq:

    HKLM\SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties5\

    Not sure why you would use that as a prereq, whether it’s just an example or it serves some actual purpose in your test or production environments. Also, not sure if the ‘5’ on the end is a typo or not. Seems to be.

    Anyway, thanks a ton for your hard work on this and the service you provide the wider ConfigMgr community.

    • Jason

      That’s a remnant from my testing; you are correct that it is not a valid key used by ConfigMgr. You can simply remove that element or use it is an example.

  14. Tom Wahab

    Hi Jason, wanted to check what would be easiest way to disable the SCCM Client Cache size setting in your ConfigMgrStartupScript 1.8.1. I did not set a CacheSize option in the xml file, but didn’t want the script to set it to the default 5120 also, thanks

    • Jason

      Simply exclude that element from the script. That won’t change the default cache size though as that’ll still be 5120.

  15. Justin Cochran

    What is your recommendation on the Client Install Location? Do you recommend just sharing out the default Client Folder? or copying to another share and using that?

    • Jason

      No, never. The default location’s permissions are subject to ConfigMgr’s control. Also, these are files directly used by ConfigMgr so if these get messed up, ConfigMgr may have issues (this is a remote possibility and the impact is low, but still not something I like to tempt).

      I always recommend copying the files to another location. In general, all you really need to copy is ccmsetup.exe.

  16. Aeron


    I have my startup script running, it can access the CCMSetup.exe, but it appears nothing happens. From the log it shows

    -It shows the Expected version, and my Unpatched version
    -It finds the CCMSetup in the network share
    -It initiates the install
    -Client Check Succeeded
    -Finishes execution

    But my client version is still old/out of date

  17. DrC

    Is there any way to call a WMI Script that is a Batch file ? or is it VBS only ?

    I tried pointing the XML to a batch file, but it just causes the whole thing not to run. (As noticed by nothing new showing up in CCMSetup.log)

  18. Justin

    After messing with this for 3 days I guess I need help. I copied the client installer to a network share. Shared it but no matter how I share it I get:

    not found \\\apps\sccm\cmmsetup.exe

    I can launch the file just fine once I’m logged in. I’ve given the share (and security tab) full access for “everyone”, machine account, authenticated users, domain computers…. Nothing.

    What exactly is trying to access the share on “startup”?

    Thanks for any help!

    • Jason

      Not sure if this is a typo above or not, but the setup bootstrapper is ccmsetup.exe and not cmmsetup.exe (two c’s, not two m’s).

      • Justin

        Yes, typo. ccmsetup.exe isn’t in the XML, your code pastes that there in the error file.

        • Jason

          Nope, not my code. I just did a find on the entire .vbs and that doesn’t exist. Perhaps something got messed up in your file? Can you search your copy of the .vbs for “cmm” or “cmmsetup” please?

          Also, where exactly are you getting that error? In the script’s log file?

          • Justin

            No, it was a typo in my comment here. Not in your error log. The error logs shows it properly. I’m not cutting and pasting from the error log. That machine isn’t on my network.

          • Justin

            So…any insight as to what exactly is trying to authentic during “startup”?

          • Jason

            That depends on how you are running it. If you are running it as a startup script, then its the computer account of the system running it which should be included in the Domain Computers security group.

            Have you tried manually accessing the path specified?

          • Justin

            Yes – “I can launch the file just fine once I’m logged in.”

            So if it’s definitely the local computer account then I’ll concentrate on that and see what’s going on. Might be something dumb like the NIC isn’t available when it’s trying to access on start up because the computer boots from POST to login in like 2.5 seconds.

  19. Andrew


    Would you still Anders’s health check toegther with your startup script?


    • Jason

      I honestly haven’t looked at his script in-depth at all. My initial reaction is that a lot of what his script done may be better done in a CI so that it can be reported on. There are also a couple from items in his script I would never recommend doing (not trying to bash, just stating my opinion). Of course, if it works for you and helps, go for it.

Leave a Comment