About client installation properties in System Center Configuration Manager
Applies to: System Center Configuration Manager (Current Branch)
Use the System Center Configuration Manager CCMSetup.exe command to manually install the Configuration Manager client.
The CCMSetup.exe command downloads needed files to install the client from a management point or a source location. These files might include:
The Windows Installer package Client.msi that installs the client software.
Microsoft Background Intelligent Transfer Service (BITS) installation files.
Windows Installer installation files.
Updates and fixes for the Configuration Manager client.
In Configuration Manager, you cannot run the Client.msi file directly.
CCMSetup.exe provides command-line properties to customize the installation. You can also specify properties to modify the behavior of Client.msi at the CCMSetup.exe command line.
Specify CCMSetup properties before you specify properties for Client.msi.
CCMSetup.exe and its supporting files are located on the Configuration Manager site server in the Client folder of the Configuration Manager installation folder. This folder is shared to the network as <Site Server Name>\SMS_<Site Code>\Client.
At the command prompt, the CCMSetup.exe command uses the following format:
CCMSetup.exe [<Ccmsetup properties>] [<client.msi setup properties>]
'CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=S01 FSP=SMSFSP01`
This example does the following:
Specifies the management point named SMSMP01 to request a list of distribution points to download the client installation files.
Specifies that installation should stop if a version of the client already exists on the computer.
Instructs client.msi to assign the client to the site code S01.
Instructs client.msi to use the fallback status point named SMSFP01.
If a property contains spaces, surround it with quotation marks.
If you have extended the Active Directory schema for Configuration Manager, many client installation properties are published in Active Directory Domain Services and read automatically by the Configuration Manager client. For a list of the client installation properties published in Active Directory Domain Services, see About client installation properties published to Active Directory Domain Services in System Center Configuration Manager
CCMSetup.exe Command-Line Properties
Opens the CCMSetup dialog box showing command-line properties for ccmsetup.exe.
Example: ccmsetup.exe /?
Specifies the file download location. Use a local or UNC path. Files are downloaded using the server message block (SMB) protocol. To use /source, the Windows user account for client installation must have Read permissions to the location.
You can use the /source property multiple times in a command line to specify alternative download locations.
Example: ccmsetup.exe /source:"\\computer\folder"
Specifies a source management point for computers to connect to so that they can find the nearest distribution point for the installation files. If there are no distribution points or computers cannot download the files from the distribution points after 4 hours, clients download the files from the specified management point.
This property is used to specify an initial management point for computers to find a download source, and can be any management point in any site. It does not assign the client to a management point.
Computers download the files over an HTTP or HTTPS connection, depending on the site system role configuration for client connections. The download uses BITS throttling, if configured. If all distribution points and management points are configured for HTTPS client connections only, verify that the client computer has a valid client certificate.
You can use the /mp command-line property to specify multiple management points so that if the computer fails to connect to the first one, the next is tried, and so on. When you specify multiple management points, separate the values by semicolons.
If the client connects to a management point using HTTPS, typically, you must specify the FQDN, not the computer name. The value must match the management point’s PKI certificate Subject or Subject Alternative Name. Although Configuration Manager supports using a computer name in the certificate for connections on the intranet, as a security best practice, an FQDN is recommended.
Example for when you use the computer name:
Example for when you use the FQDN:
The retry interval if CCMSetup.exe fails to download installation files. CCMSetup continues to retry until it reaches the limit specified in the downloadtimeout property.
Prevents CCMSetup from running as a service, which is the default. When CCMSetup runs as a service, it runs in the context of the Local System account of the computer, which might not have sufficient rights to access required network resources for the installation. With /noservice, CCMSetup.exe runs in the context of the user account that you use to start the installation. Also, if you are use a script to run CCMSetup.exe with the /service property, CCMSetup.exe exits after the service starts and might not report installation details correctly.
Specifies that CCMSetup should run as a service that uses the local system account.
Specifies that the client software should be uninstalled. For more information, see How to manage clients in System Center Configuration Manager.
Specifies that the client installation should stop if any version of the client is already installed.
Specifies that CCMSetup should force the client computer to restart if necessary to complete the installation. If this is not specified, CCMSetup exits when a restart is necessary, and then continues after the next manual restart.
Specifies the download priority when client installation files are downloaded over an HTTP connection. Possible values are as follows:
The default value is NORMAL.
The length of time in minutes that CCMSetup attempts to download the installation files before stopping. The default value is 1440 minutes (1 day).
When specified, the client uses a PKI certificate that includes client authentication, if available. If a valid certificate cannot be found, the client uses an HTTP connection and a self-signed certificate, which is also the behavior when you don't use this property.
In some scenarios you do not have to specify this property when you are installing a client, and still use a client certificate. These scenarios include installing a client by using client push, and software update point–based client installation. However, you must specify this property whenever you manually install a client and use the /mp property to specify a management point that is configured to accept only HTTPS client connections. You also must specify this property when you install a client for Internet-only communication, by using the CCMALWAYSINF=1 property (together with the properties for the Internet-based management point and the site code). For more information about Internet-based client management, see Considerations for client communications from the Internet or an untrusted forest in Communications between endpoints in System Center Configuration Manager.
Specifies that a client should not check the certificate revocation list (CRL) when it communicates over HTTPS with a PKI certificate.
When not specified, the client checks the CRL before establishing an HTTPS connection.
For more information about client CRL checking, see Planning for PKI certificate revocation in Plan for security in System Center Configuration Manager.
CCMSetup.exe /UsePKICert /NoCRLCheck
Specifies the name of a text file containing client installation properties.
- If you don't specify the /noservice CCMSetup property, this file must be located in the CCMSetup folder, which is %Windir%\Ccmsetup for 32-bit and 64-bit operating systems.
- If you specify the /noservice property, this file must be located in the same folder from which you run CCMSetup.exe.
CCMSetup.exe /config:<Configuration File Name.txt\>
Use the mobileclienttemplate.tcf file in the <Configuration Manager directory>\bin\<platform> folder on the site server computer to provide the correct file format. This file also contains comments about the sections and how they are used. Specify the client installation properties in the [Client Install] section, after the following text: Install=INSTALL=ALL.
Example [Client Install] section entry:
Install=INSTALL=ALL SMSSITECODE=ABC SMSCACHESIZE=100
Specifies that CCMSetup.exe must not install the specified prerequisite program when the Configuration Manager client is installed. This property supports entering multiple values. Use the semicolon character (;) to separate each value.
CCMSetup.exe /skipprereq:silverlight.exe or
Specify that any existing client will be uninstalled and a new client will be installed.
Specifies that CCMSetup.exe will not install the specified feature when the client is installed.
CCMSetup.exe /ExcludeFeatures:ClientUI will not install Software Center on the client.
For this release, ClientUI is the only value supported with the /ExcludeFeatures property.
CCMSetup.exe return codes
The CCMSetup.exe command provides the following return codes completed. To troubleshoot, review the ccmsetup.log file on the client computer for context and additional detail about return codes.
|8||Setup already running|
|9||Prerequisite evaluation failure|
|10||Setup manifest hash validation failure|
The following properties can modify the installation behavior of client.msi. If you use the client push installation method, you can also specify the properties in the Client tab of the Client Push Installation Properties dialog box.
Specifies one or more Windows user accounts or groups to be given access to client settings and policies. This is useful where the Configuration Manager admin does not have local administrative credentials on the client computer. Specify a list of accounts that are separated by semi-colons.
Specifies that the computer is allowed to restart following the client installation if required.
The computer will restart without warning even if a user is logged on.
Example: CCMSetup.exe CCMALLOWSILENTREBOOT
Set to 1 to specify that the client will always be Internet-based and will never connect to the intranet. The client's connection type displays Always Internet.
This property should be used in conjunction with CCMHOSTNAME, which specifies the FQDN of the Internet-based management point. It should also be used in conjunction with the CCMSetup property /UsePKICert and with the site code.
For more information about Internet-based client management, see Considerations for client communications from the Internet or an untrusted forest in Communications between endpoints in System Center Configuration Manager.
CCMSetup.exe /UsePKICert CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC
Specifies the certificate issuers list, which is a list of trusted root certification (CA) certificates that the Configuration Manager site trusts.
For more information about the certificate issuers list and how clients use it during the certificate selection process, see Planning for PKI client certificate selection in Plan for security in System Center Configuration Manager.
This is a case-sensitive match for subject attributes that are in the root CA certificate. Attributes can be separated by a comma (,) or semi-colon (;). Multiple root CA certificates can be specified by using a separator bar. Example:
CCMCERTISSUERS=”CN=Contoso Root CA; OU=Servers; O=Contoso, Ltd; C=US | CN=Litware Corporate Root CA; O=Litware, Inc.”
Reference the mobileclient.tcf file in the <Configuration Manager directory>\bin\<platform> folder on the site server computer to copy the CertificateIssuers=<string> that is configured for the site.
Specifies the certificate selection criteria if the client has more than one certificate for HTTPS communication (a valid certificate that includes client authentication capability).
You can search for an exact match (use Subject:) or a partial match (use SubjectStr:) in the Subject Name or Subject Alternative Name. Examples:
CCMCERTSEL="Subject:computer1.contoso.com" searches for a certificate with an exact match to the computer name "computer1.contoso.com" in the Subject Name or the Subject Alternative Name.
CCMCERTSEL="SubjectStr:contoso.com" searches for a certificate that contains "contoso.com" in the Subject Name or the Subject Alternative Name.
You can also use Object Identifier (OID) or distinguished name attributes in the Subject Name or Subject Alternative Name attributes, for example:
CCMCERTSEL="SubjectAttr:184.108.40.206 = Computers" searches for the organizational unit attribute expressed as an object identifier, and named Computers.
CCMCERTSEL="SubjectAttr:OU = Computers" searches for the organizational unit attribute expressed as a distinguished name, and named Computers.
If you use the Subject Name box, the Subject: is case-sensitive, and the SubjectStr: is case-insensitive.
If you use the Subject Alternative Name box, the Subject:and the SubjectStr: are case-insensitive.
The complete list of attributes that you can use for certificate selection is listed in Supported Attribute Values for the PKI Certificate Selection Criteria.
If more than one certificate matches the search, and the property CCMFIRSTCERT has been set to 1, the certificate with the longest validity period is selected.
Specifies an alternate certificate store name if the client certificate for HTTPS is not located in the default certificate store of Personal in the Computer store.
CCMSetup.exe /UsePKICert CCMCERTSTORE="ConfigMgr"
Enables debug logging. Values can be set to 0 (off, default) or 1 (on). This causes the client to log low-level information for troubleshooting. As a best practice, avoid using this property in production sites because excessive logging can occur, which might make it difficult to find relevant information in the log files. CCMENABLELOGGING must also be set to TRUE to enable debug logging.
By default, set to TRUE to enable logging. The log files are stored in the Logs folder in the Configuration Manager client installation folder. By default, this folder is %Windir%\CCM\Logs.
The frequency at which client health evaluation tool (ccmeval.exe) runs. Can be 1 to 1440 minutes. By default, runs once a day.
The hour when the client health evaluation tool (ccmeval.exe) runs, between 0 (midnight) and 23 (11pm). Runs at midnight by default.
If set to 1, this property specifies that the client should select the PKI certificate with the longest validity period. This setting might be required if you are using Network Access Protection with IPsec enforcement.
CCMSetup.exe /UsePKICert CCMFIRSTCERT=1
Specifies the FQDN of the Internet-based management point, if the client is managed over the Internet.
Do not specify this option with the installation property of SMSSITECODE=AUTO. Internet-based clients must be directly assigned to their Internet-based site.
CCMSetup.exe /UsePKICert CCMHOSTNAME="SMSMP01.corp.contoso.com"
Specifies the port that the client should use when communicating over HTTP to site system servers. Set to Port 80 by default.
Specifies the port that the client should use when communicating over HTTPS to site system servers. Set to Port 443 by default.
CCMSetup.exe /UsePKICert CCMHTTPSPORT=443
Identifies the folder where the Configuration Manager client files are installed, %Windir%\CCM by default. Regardless of where these files are installed, the Ccmcore.dll file is always installed in the %Windir%\System32 folder. Also, on 64-bit operating systems, a copy of the Ccmcore.dll file is always installed in the %Windir%\SysWOW64 folder to support 32-bit applications that use the 32-bit version of the Configuration Manager client APIs from the Configuration Manager software developer kit (SDK).
Specifies the level of detail to write to Configuration Manager log files. Specify an integer from 0 to 3, where 0 is the most verbose logging and 3 logs only errors. The default is 1.
When a Configuration Manager log file reaches 250000 bytes in size (or the value specified by the property CCMLOGMAXSIZE), it is renamed as a backup, and a new log file is created.
This property specifies how many previous versions of the log file to retain. The default value is 1. If the value is set to 0, no old log files are kept.
The maximum log file size in bytes. When a log grows to the size that is specified, it is renamed as a history file, and a new file is created. This property must be set to at least 10000 bytes. The default value is 250000 bytes.
If set to TRUE, disables the ability of end users with administrative credentials on the client computer to change the Configuration Manager assigned site in Configuration Manager in the client Control Panel.
Example: CCMSetup.exe DISABLESITEOPT=TRUE
If set to TRUE, disables the ability of end users with administrative credentials on the client computer to change the client cache folder settings for the Configuration Manager client by using Configuration Manager in Control Panel of the client computer.
Specifies a DNS domain for clients to locate management points that are published in DNS. When a management point is located, it informs the client about other management points in the hierarchy. This means that the management point that is located by using DNS publishing does not have to be from the client’s site, but can be any management point in the hierarchy.
You do not have to specify this property if the client is in the same domain as a published management point. In that case, the client’s domain is automatically used to search DNS for management points.
For more information about DNS publishing as a service location method for Configuration Manager clients, see Service Location and how clients determine their assigned management point in Understand how clients find site resources and services for System Center Configuration Manager .
By default, DNS publishing is not enabled in Configuration Manager.
CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com
Specifies the fallback status point that receives and processes state messages sent by Configuration Manager client computers.
For more information about the fallback status point, see Determine if you need a fallback status point.
Specifies that the presence of the minimum required version of Microsoft Application Virtualization (App-V) is not checked before the client is installed.
If you install the Configuration Manager client without installing App-V, you cannot deploy virtual applications.
Specifies that client status will report, but not remediate problems that are found with the client.
For more information, see How to configure client status in System Center Configuration Manager.
If a Configuration Manager client has the wrong Configuration Manager trusted root key and cannot contact a trusted management point to receive the new trusted root key, you must manually remove the old trusted root key by using this property. This situation may occur when you move a client from one site hierarchy to another. This property applies to clients that use HTTP and HTTPS client communication.
Enables automatic site reassignment for client upgrades when used with SMSSITECODE=AUTO.
CCMSetup.exe SMSSITECODE=AUTO SITEREASSIGN=TRUE
Specifies the location of the client cache folder on the client computer, which stores temporary files. By default, the location is %Windir \ccmcache.
This property can be used in conjunction with the SMSCACHEFLAGS property to control the client cache folder location.
CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE installs the client cache folder on the largest available client disk drive.
Specifies further installation details for the client cache folder. You can use SMSCACHEFLAGS properties individually or in combination, separated by semicolons. If this property is not specified, the client cache folder is installed according to the SMSCACHEDIR property, the folder is not compressed, and the SMSCACHESIZE value is used as the size in MB of the folder.
This setting is ignored when you upgrade an existing client.
PERCENTDISKSPACE: Specifies the folder size as a percentage of the total disk space. If you specify this property, you must also specify the property SMSCACHESIZE as the percentage value to use.
PERCENTFREEDISKSPACE: Specifies the folder size as a percentage of the free disk space. If you specify this property, you must also specify the property SMSCACHESIZE as the percentage value to use. For example, if the disk has 10 MB free and SMSCACHESIZE is specified as 50, the folder size is set to 5 MB. You cannot use this property with the PERCENTDISKSPACE property.
MAXDRIVE: Specifies that the folder should be installed on the largest available disk. This value will be ignored if a path has been specified with the SMSCACHEDIR property.
MAXDRIVESPACE: Specifies that the folder should be installed on the disk drive that has the most free space. This value will be ignored if a path has been specified with the SMSCACHEDIR property.
NTFSONLY: Specifies that the folder can be installed only on NTFS disk drives. This value will be ignored if a path has been specified with the SMSCACHEDIR property.
COMPRESS: Specifies that the folder should be stoed in a compressed form.
FAILIFNOSPACE: Specifies that the client software should be removed if there is insufficient space to install the folder.
Beginning with Configuration Manager version 1606, new client settings are available for specifying the client cache folder size. The addition of those client settings effectively replaces using SMSCACHESIZE as a client.msi property to specify the size of the client cache. For more information, see the client settings for cache size.
For 1602 and earlier, SMSCACHESIZE specifies the size of the client cache folder in megabyte (MB) or as a percentage when used with the PERCENTDISKSPACE or PERCENTFREEDISKSPACE property. If this property is not set, the folder defaults to a maximum size of 5120 MB. The lowest value that you can specify is 1 MB.
If a new package that must be downloaded would cause the folder to exceed the maximum size, and if the folder cannot be purged to make sufficient space available, the package download fails, and the program or application will not run.
This setting is ignored when you upgrade an existing client and when the client downloads software updates.
If you reinstall a client, you cannot use the SMSCACHESIZE or SMSCACHEFLAGS installation properties to set the cache size to be smaller than it was previously. If you try to do this, your value is ignored and the cache size is automatically set to the size it was previously.
Specifies the location and order that the Configuration Manager Installer checks for configuration settings. The property is a string containing one or more characters, each defining a specific configuration source. Use the character values R, P, M, and U, alone or in combination:
R: Check for configuration settings in the registry.
For more information, see information about storing client installation properties in the registry..
P: Check for configuration settings in the installation properties provided at the command prompt.
M: Check for existing settings when upgrading an older client with the Configuration Manager client software.
U: Upgrade the installed client to a newer version (and use the assigned site code).
By default, the client installation uses
PUto check first the installation properties and then the existing settings.
Specifies whether the client can use Windows Internet Name Service (WINS) to find a management point that accepts HTTP connections. Clients use this method when they cannot find a management point in Active Directory Domain Services or in DNS.
This property doesn't affect whether the client uses WINS for name resolution.
You can configure two different modes for this property:
NOWINS: This is the most secure setting for this property and prevents clients from finding a management point in WINS . When you use this setting, clients must have an alternative method to locate a management point on the intranet, such as Active Directory Domain Services or by using DNS publishing.
WINSSECURE (default): In this mode, a client that uses HTTP communication can use WINS to find a management point. However, the client must have a copy of the trusted root key before it can successfully connect to the management point. For more information, see Planning for the Trusted Root Key in Plan for security in System Center Configuration Manager.
Specifies an initial management point for the Configuration Manager client to use.
If the management point only accepts client connections over HTTPS, you must prefix the management point name with https://.
Specifies the Configuration Manager trusted root key when it cannot be retrieved from Active Directory Domain Services. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key in Plan for security in System Center Configuration Manager.
Used to reinstall the Configuration Manager trusted root key. Specifies the full path and file name to a file containing the trusted root key. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key in Plan for security in System Center Configuration Manager.
Example: 'CCMSetup.exe SMSROOTKEYPATH=<Full path and filename>`
Specifies the full path and .cer file name of the exported self-signed certificate on the site server.
This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.
Example: CCMSetup.exe /UsePKICert SMSSIGNCERT=<Full path and file name>
Specifies the Configuration Manager site to assign the Configuration Manager client to. This can either be a three-character site code or the word AUTO. If AUTO is specified, or if this property is not specified, the client attempts to determine its Configuration Manager site assignment from Active Directory Domain Services or from a specified management point. To enable AUTO for client upgrades, you must also set SITEREASSIGN to TRUE.
Do not use AUTO if you also specify the Internet-based management point (CCMHOSTNAME). In that case, you must directly assign the client to its site.
Supported Attribute Values for the PKI Certificate Selection Criteria
Configuration Manager supports the following attribute values for the PKI certificate selection criteria:
|OID attribute||Distinguished Name attribute||Attribute definition|
|1.2.840.1135220.127.116.11||E or E-mail||Email address|
|18.104.22.168||S or ST||State or province name|
|22.214.171.124||T or Title||Title|
|126.96.36.199||G or GN or GivenName||Given name|
|188.8.131.52||I or Initials||Initials|
|184.108.40.206||(no value)||Subject Alternative Name|