Netskope Client For Windows

Netskope Client For Windows

The MSIEXEC command is used to mass deploy Netskope Client (MSI packages) on Windows devices.

Supported Operating Systems

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Windows.

Download Client Packages

You can download Netskope client installers from Download Netskope Client and Scripts.

MSIEXEC Command Format

The generic format of MSIEXEC command to install Client is as follows:

msiexec /I NSClient.msi host=addon-<tenant-name>[.region].<tenant-domain> [token=<Organization ID>] [installmode=IDP] [mode=peruserconfig [userconfiglocation=<path>]] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%nscinstall.log]


The parameters in the above command may vary according to the deployment mode used in your script.

For example, use the following command to install Netskope Client in a multi-user system with an auto-update option:

msiexec /I NSClient.msi host=addon-<tenant-URL> token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig autoupdate=on /l*v %PUBLIC%nscinstall.log


Enter the command in a single line without any line-breaks.

/iOptional Command. Refers to normal installation type.
modeOptional parameter. Use peruserconfig when installing in a multi-user system.
prelogonuserOptional parameter. Use prelogonuser to enable prelogon as in Configure Client Prelogon Connectivity for Private Access.
installmodeOptional parameter. Use Idp value when provisioning users via IdP.
userconfiglocationSpecifies the user-specific directory used for storing the user configuration. It is recommended to use default value unless user’s home directories are hosted on external file servers or network shares. This is recommended to be used only for the multi-user environment.

This is an optional parameter. By default the path is %AppData%NetskopeSTAgent.

Note: The path can be an absolute path, a network share, or a path having environment variables.

  • To run the above from command prompt with environment variables, append ‘^’ before ‘%’.

    Example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:Users^%USERNAME^%Netskope

  • To run the above command from a batch script with environment variables, append ‘%’ before ‘%’.

    Example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:Users%%USERNAME%%Netskope

  • To run the above command from SCCM (or ) with environment variables, append ‘^’ before ‘%’ and prefix with “cmd /c”.

    Example: cmd /c /I NSClient.msi mode=peruserconfig userconfiglocation=C:Users^%USERNAME^%Netskope

fail-closeOptional parameter. If fail-close is not present, the client will honor Web UI “fail close” client configuration.
  • all: Fail close will be applicable to CASB / Web traffic for the NPA tunnel too. Example: If the Netskope tunnel is not established, NPA’s application traffic will also be blocked.

  • no-npa: Fail close will be applicable only for CASB / Web traffic but not for NPA tunnel. Example: If the Netskope Tunnel is not established, NPA’s application traffic will NOT be blocked.

  • on

  • off
tokenEnter your organization ID here. To find your organization ID.
  1. Login to your Netskope Admin Console with admin credentials.

  2. Go to Settings > Security Cloud Platform > MDM Distribution.

  3. Locate your Organization ID under Create VPN Configuration section. The organization ID is case-sensitive.
hostEnter the addon URL of your tenant. For example: if your tenant URL is, then your addon URL is =
domainEnter the domain URL= [region.] during IDP enrollment.
tenantEnter the tenant name.
/l*vThe log file path.
/qnUse this option for silent installation.


  • The /j option is not supported while using the msiexec command for Netskope Client installation.
  • ​If ​Secure Enrollment​​ is enabled, each deployment mode consists of two additional parameters(Authentication and Encryption token):
    • ​​​enrollauthtoken:​​ Specifies the authentication token.
    • ​​​
    • enrollencryptiontoken:​​ Specifies the encryption token.

A few other examples for the Client installation are as follows:

  • Single-User Mode Installation for Domain-joined Endpoints: System-level enrollment including local non-AD accounts; auto-enrolled one time based on the UPN of the first domain user to log in.
    msiexec /I NSClient.msi host=addon-<tenant>[.region].<tenant-domain> token=<Organization ID>

    Example: msiexec /I NSClient.msi token=ifxqWJDBVoLFxmAUq36v

  • Multi-User Mode Installation for Domain-joined Endpoints: Per-user enrollment; each user auto-enrolled at login based on their UPN.
    msiexec /I NSClient.msi host=addon-<tenant>[.region].<tenant-domain> token=<Organization ID> mode=peruserconfig

    Example: msiexec /I NSClient.msi token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig

Netskope Client Deployment Commands

  • Microsoft Endpoint Configuration Manager
    msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off].

    To learn more, view Microsoft Endpoint Configuration Manager.

  • VMware Workspace One
     msiexec /I NSClient.msi installmode=idP tenant=corp /qn

    To learn more, view VMware Workspace ONE. VMWare Workspace One

  • IDP For Client Deployment

    This includes two modes:

    • Single-User Mode Installation for IdP-based Enrollment: System-level enrollment based on the first user to enroll the Client viaIdP.
      msiexec /I NSClient.msi tenant=<tenant> domain=[region.]<tenant-domain> installmode=IDP

      Example: msiexec /I NSClient.msi tenant=corp installmode=IDP

      Multi-User Mode Installation for IdP-based Enrollment: Per-user enrollment; each user must enroll the Client via IdP.
      msiexec /I NSClient.msi tenant=<tenant> domain=[region.]<tenant-domain> installmode=IDP mode=peruserconfig

      Example: msiexec /I NSClient.msi tenant=corp  installmode=IDP mode=peruserconfig

    To learn more, view Deploy Netskope Client via IdP.

  • Microsoft Intune

    Use the Command-Line arguments: token=<organization id> host=addon- <tenant-name> .<tenant-domain> mode=peruserconfig (Use peruserconfig only for multi-user environments) autoupdate=on (only applicable if you want the client to auto-update) /qn. To learn more, view Deploy Client On Windows Using Intune

  • Microsoft Group Policy Object (GPO)

    You can deploy Netskope Client to Active Directory (AD) joined devices via Microsoft GPO using a script based or MST based deployment option.

    To learn more, view Microsoft Group Policy Object (GPO)

  • Prelogon Connectivity for Netskope Private Access

    To install and enable the Netskope Client for Netskope Private Access Prelogon connectivity, use these commands.

    For single user mode

    The user needs to be different for each Client config. For example:

    Client config1

    msiexec /I NSClient.msi token=<token> host=<host>

    Client config2

    msiexec /I NSClient.msi token=<token> host=<host>

    For per user mode

    For per user mode, different Client configs also have different prelogon users.

    msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <
    msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <

Uninstall Netskope Client In Windows

This section provides the instructions to uninstall Netskope Client from your Windows devices. You can uninstall using multiple methods such as manually from Settings in Windows, from command-line using MSIEXEC, and so on.

Uninstall Manually

To uninstall Client from Settings in Windows:

  1. Go to Start > Settings > Apps > Apps & Features.
  2. Find and select the Netskope Client app.
  3. Click Uninstall.
  4. You are prompted to enter your administrative credentials at this point.
  5. Click OK.
  6. The Netskope Client is uninstalled from your machine.

You can check Apps & features under Apps to ensure that the Netskope Client is uninstalled from your device. To learn more about uninstalling Client from other features in Windows, view Uninstall Apps in Windows.

The Password protection for client uninstallation and service stop option under Client Configuration > Tamperproof lets the administrator restrict unauthorized uninstallation of Client by the end users. The end user must know the password set by the administrator while uninstalling the Client. To learn more, view Netskope Client Configuration.

Using MSI file From Command-Line

To uninstall Client:

  1. Open a command prompt as an administrator.

  2. Enter the following command:

    msiexec /uninstall %productCode% PASSWORD="<password in plain text within quotes>" /qn /l*v %PUBLIC%nscuninstall.log
    • Use the following command to find the product code:
      wmic product where "Name like 'Netskope Client'" get IdentifyingNumber /value
    • Use the same password that is configured under Tamperproof in Client Configuration.

Using GPO Scripts

Uninstalling can be done through GPO using a batch script similar to installation. The uninstallation script is:

wmic product where name="Netskope Client" call uninstall

Using Script in SCCM

@echo off
REM This batch file is used to uninstall Password protected Netskope Client from SCCM
for /f "tokens=2 delims==" %%f in ('wmic product where "Name like 'Netskope Client'" get IdentifyingNumber /value ^| find "="') do set "productCode=%%f"
IF DEFINED productCode (
     msiexec /uninstall %productCode% PASSWORD="<password in plain text within quotes>" /l*v %PUBLIC%nscuninstall.log  /qn
     ) ELSE (
REM Did not find product code for Netskope Client

Multilingual Support For Windows

Netskope supports the following languages for end-user support:

  • French

  • German

    This helps non-english speaking users to understand Netskope Client menu and notifications. To display end-user Netskope Client notifications in French and German, modify your language and region settings in the Windows devices. To learn more about how to change your language and region settings in your Windows devices, view Manage display language settings in Windows.

Windows Support For WSLv2

Netskope Client supports Windows Subsystem for Linux(WSL) version 2 that allows you to run  Linux on your Windows devices without the need of a separate virtual machine. This enables a seamless and simultaneous usage of Windows and Linux operating systems. You can deploy Netskope Client for Linux onto a Linux distribution to extend Netskope services to wSLv2 Linux environment.

  • Currently, Netskope Client extends only command-line interface(CLI) support for WSLv2. This is available only as Beta in version 113.0.0.
  • Netskope Private Access will be available as Beta in 117.0.0. Periodic reauthentication is not supported with the CLI version of the Linux Client on WSLv2.

To learn more, view Install Linux on Windows Using WSL.

Support Versions

  • Windows OS: Windows 10 and later versions.

  • WSLv2  and Minor Version 0.67.6 or above.

  • Netskope Client: Version 113.0.0 or later.

  • Set the systemd flag set in your WSL distro settings.  If systemd is disabled, turn on the flag and reboot the distro.
  • Check the WSL version and Netskope Client does not support WSLv1.


  • WSL Linux distribution contains no login name as it does not support UI desktop by default. This info only appears as an install log message and not used by Netskope Client features. Hence it does not impact any functionalities.

  • The device manufacture information is not available in WSL Linux distributions. There is no file naming “/sys/devices/virtual/dmi/id/sys_vendor” that the manufacturer comes from. The information is for display only, it doesn’t impact any functionalities of the products.

  • If Netskope Client for Linux is installed before the installation of applications such as Firefox and Chrome and so on, the WSL distro needs reboot to make the browsers working.

Netskope Client Auto-Restart

In instances where the user forgets to enable a Client after disabling it, Netskope set a feature flag AutoStart NSClient with Reboot/Relogin to enable the Netskope Client. After the administrator enables the feature flag, the Netskope Client is enabled after the user restarts the system or the user logs off and logs in again.

  • Contact Netskope Support to enable this feature for your tenant.
  • This feature is available only for Windows and macOS devices.
  • Administrator cannot use this feature flag for NPA services.
  • This re-enable feature of Netskope Client for SWG does not apply when the user puts the device in sleep mode.

Netskope Client Auto-Upgrade Failures and Rollback

In certain situations, the Netskope Client may be susceptible to various issues during the auto-upgrade process and the Client installer needs to handle the failure and revert to the previous version.

Client Upgrade or Uninstallation Failure

In the event of any upgrade/uninstall failures, the Netskope Client rollback to the previous version of the client thereby preventing the removal of the Client from the end-user device.

  • In the event of a Client upgrade failure, the Client installer reverts to the previously installed version.
  • In the event of a Client uninstallation failure, the Client installer reverts to the installed version.


The auto-rollback during Client upgrade is available only from Client version 103.0.0 and later. For example, in the event of a failure during the Client upgrade from version 103.0.0 to 104.0.0, the Client automatically rollback to the version 103.0.0. However, the Client is removed for end-user devices running Client versions below 103.0.0.

You can go to Settings > Security Cloud Platform > Netskope Client > Devices to view the events displayed during the Client upgrade failure. Click the device name to view the related events and the corresponding details. The following table lists the different events displayed in the event of a Client upgrade or uninstallation:

EventEvent Details
InstalledInstalled client version ‘x’
UninstalledUninstalled client version ‘x’
Installation FailureFailed to install client version ‘x’ – < reason for failure>
Uninstallation FailureFailed to uninstall client version ‘x’ – < reason for failure >
UpgradedUpgraded from client version ‘x’ to ‘y’
Upgrade FailureFailed to upgrade from ‘x’ to ‘y’ – < Reason for failure >
Rollback SuccessRolled back to client version ‘x’
Rollback FailureFailed to rollback to client version ‘x’

Rollback Success, Upgrade Failure, Installed


Rollback Failure


Uninstalled, Uninstallation Failure




Client Upgrade Failure During System Restart/ Shutdown/ Hard Reboot/ Power Failure

There are occurrences where the auto-upgrade processes gets impacted due to unplanned events such as:

  • System restart
  • Shutdown
  • Crash
  • Hard reboot
  • Power failure

To eliminate this issue, during the upgrade process, Netskope creates an installation monitor service stAgentSvcMon.exe that is a copy of the existing Netskope Client Services, with limited functionality. The installation monitor service relaunches the Client installation process on the end-user device whenever the auto-upgrade process is interrupted by system restart/crash/shutdown/hard-reboot/power failure. Once the auto-upgrade process is completed, this monitor service is removed from the endpoint.

However, there are a few limitations that would stop the monitor service from relaunching the Client installation process. Refer to the following table to learn more:

ScenarioClient Behavior
Consecutive system restart during the auto-upgrade processThe monitor service stops the auto-upgrade process after two attempts.
The monitor service stopsThe auto-upgrade process ends.
The auto-upgrade process fails and the system restart/crash happens during rollback phaseThe monitor service attempts to reinstall the new build.
Antivirus configurations to block new processesThe copy of the Client services is not launched.
MSIEXEC behavior during upgradesMSIEXEC restart the system during this process.

Private Access Tunnel Status Update in Windows Registry

Private Access service on Netskope Windows Client updates the status of the tunnel in the following registry location: 


Status Descriptions 

Tunnel Status              Registry Value

Enabled                        Connected

Disabled                       Disconnected

In addition, the timestamp at which this status change was made is updated in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope\NpaTunnel/NpaStatusLastChanged.

Share this Doc

Netskope Client For Windows

Or copy link

In this topic ...