Netskope Client For Windows

The MSIEXEC command is used to mass deploy Netskope Client (MSI packages) on Windows devices.

Supported Operating Systems

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Windows.

Download Client Packages

You can download Netskope client installers from Download Netskope Client and Scripts.

MSIEXEC Command Format

The generic format of the MSIEXEC command to install the Client is as follows:

msiexec /I NSClient.msi host=addon-<tenant>[.region] [token]=<Organization ID> [installmode=IDP] [mode=peruserconfig [userconfiglocation=<path>]] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]


The parameters in the above command may vary according to the deployment mode used in your script.

For example, use the following command to install Netskope Client in a multi-user system with an auto-update option:

msiexec /I NSClient.msi token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig autoupdate=on /l*v %PUBLIC%\nscinstall.log


Enter the command in a single line without any line-breaks.

/i: Optional command. Refers to the normal installation type.
mode: Optional parameter. Use peruserconfig when installing in a multi-user system.
prelogonuser: Optional parameter. Use prelogonuser when installing in a single user system.
installmode: Optional parameter. Use the IDP value when provisioning users via IdP.
userconfiglocation: Optional parameter. Specifies the user-specific directory used for storing the user configuration. By default the path is %AppData%\Netskope\STAgent. It is recommended to use the default value unless users’ home directories are hosted on external file servers or network shares, and to use this parameter only in multi-user environments.

The path can be an absolute path, a network share, or a path containing environment variables.

  • To run the above from a command prompt with environment variables, place ‘^’ before each ‘%’.

    Example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\^%USERNAME^%\Netskope

  • To run the above command from a batch script with environment variables, place ‘%’ before each ‘%’.

    Example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\%%USERNAME%%\Netskope

  • To run the above command from SCCM (or ) with environment variables, place ‘^’ before each ‘%’ and prefix the command with “cmd /c”.

    Example: cmd /c /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\^%USERNAME^%\Netskope

fail-close: Optional parameter. If fail-close is not present, the Client honors the Web UI “fail close” client configuration.
  • all: Fail close applies to CASB / Web traffic and to the NPA tunnel too. Example: If the Netskope tunnel is not established, NPA’s application traffic will also be blocked.
  • no-npa: Fail close applies only to CASB / Web traffic but not to the NPA tunnel. Example: If the Netskope tunnel is not established, NPA’s application traffic will NOT be blocked.
  • on
  • off
token: Enter your organization ID here. To find your organization ID:
  1. Log in to your Netskope Admin Console with admin credentials.
  2. Go to Settings > Security Cloud Platform > MDM Distribution.
  3. Locate your Organization ID under the Create VPN Configuration section. The organization ID is case-sensitive.
host: Enter the addon URL of your tenant. For example: if your tenant URL is, then your addon URL is =
domain: Enter the domain URL= [region.] during IDP enrollment.
tenant: Enter the tenant name.
/l*v: The log file path.
/qn: Use this option for silent installation.


The /j option is not supported while using the msiexec command for Netskope Client installation.

A few other examples for the Client installation are as follows:

  • Single-User Mode Installation for Domain-joined Endpoints: System-level enrollment including local non-AD accounts; auto-enrolled one time based on the UPN of the first domain user to log in.
    msiexec /I NSClient.msi host=addon-<tenant>[.region] token=<Organization ID>

    Example: msiexec /I NSClient.msi token=ifxqWJDBVoLFxmAUq36v

  • Multi-User Mode Installation for Domain-joined Endpoints: Per-user enrollment; each user auto-enrolled at login based on their UPN.
    msiexec /I NSClient.msi host=addon-<tenant>[.region] token=<Organization ID> mode=peruserconfig

    Example: msiexec /I NSClient.msi token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig
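
The following PowerShell wrapper is an added example, not part of the Netskope documentation or Netskope's code. It assembles the single-line command from the parameters above, runs it silently, accepts the standard Windows Installer success codes, and then checks whether the Organization ID was written to the verbose log in %PUBLIC%. The script's parameter names and the 'Netskope Client*' display-name match are assumptions.

```powershell
# Added example, not Netskope code. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][string]$MsiPath,    # path to NSClient.msi
    [Parameter(Mandatory)][string]$Token,      # Organization ID (case-sensitive)
    [Parameter(Mandatory)][string]$AddonHost,  # addon-<tenant>[.region]
    [switch]$MultiUser,                        # adds mode=peruserconfig
    [ValidateSet('no-npa', 'all')][string]$FailClose,
    [ValidateSet('on', 'off')][string]$AutoUpdate,
    [string]$LogPath = (Join-Path $env:PUBLIC 'nscinstall.log')
)

# Build the single-line argument list in the order of the page's generic format.
$msiArgs = @('/I', "`"$MsiPath`"", "host=$AddonHost", "token=$Token")
if ($MultiUser)  { $msiArgs += 'mode=peruserconfig' }
if ($FailClose)  { $msiArgs += "fail-close=$FailClose" }
if ($AutoUpdate) { $msiArgs += "autoupdate=$AutoUpdate" }
$msiArgs += '/qn', '/l*v', "`"$LogPath`""

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success with reboot required,
# 1641 = success with reboot initiated. Anything else is treated as a failure.
if ($proc.ExitCode -notin 0, 3010, 1641) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# Confirm the product is registered. Assumption: its DisplayName starts with
# 'Netskope Client', the name the page says Apps & Features shows.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Netskope Client*' } |
    Select-Object -Property DisplayName, DisplayVersion -First 1
if (-not $installed) { throw 'msiexec reported success but Netskope Client is not registered.' }

# %PUBLIC% is readable by every local user. If the Organization ID appears in the
# verbose log, restrict the log to Administrators and SYSTEM (well-known SIDs).
if (Select-String -Path $LogPath -SimpleMatch -Pattern $Token -Quiet) {
    icacls.exe $LogPath /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
}
$installed
```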

Netskope Client Deployment Commands
  • Microsoft Endpoint Configuration Manager
    msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off]

    To learn more, view Microsoft Endpoint Configuration Manager.

  • VMware Workspace One
    msiexec /I NSClient.msi installmode=idP tenant=corp /qn

    To learn more, view VMware Workspace ONE.

  • IDP For Client Deployment

    This includes two modes:

    • Single-User Mode Installation for IdP-based Enrollment: System-level enrollment based on the first user to enroll the Client via IdP.
      msiexec /I NSClient.msi tenant=<tenant> domain=[region.] installmode=IDP

      Example: msiexec /I NSClient.msi tenant=corp installmode=IDP

    • Multi-User Mode Installation for IdP-based Enrollment: Per-user enrollment; each user must enroll the Client via IdP.
      msiexec /I NSClient.msi tenant=<tenant> domain=[region.] installmode=IDP mode=peruserconfig

      Example: msiexec /I NSClient.msi tenant=corp installmode=IDP mode=peruserconfig

    To learn more, view Deploy Netskope Client via IdP.

  • Microsoft Intune

    Use the following command-line arguments: token=<organization id> host=addon-<tenant-name> mode=peruserconfig autoupdate=on /qn

    Use mode=peruserconfig only for multi-user environments, and autoupdate=on only if you want the Client to auto-update.

    To learn more, view Deploy Client On Windows Using Intune.

  • Microsoft Group Policy Object (GPO)

    You can deploy Netskope Client to Active Directory (AD) joined devices via Microsoft GPO using a script-based or MST-based deployment option.

    To learn more, view Microsoft Group Policy Object (GPO).

  • Prelogon Connectivity for Netskope Private Access

    To install and enable the Netskope Client for Netskope Private Access Prelogon connectivity, use these commands.

    For single user mode

    The user needs to be different for each Client config. For example:

    Client config1

    msiexec /I NSClient.msi token=<token> host=<host>

    Client config2

    msiexec /I NSClient.msi token=<token> host=<host>

    For per user mode

    For per user mode, different Client configs also have different prelogon users.

    msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <
    msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <
Uninstall Netskope Client

To uninstall Client from Settings in Windows:

  1. Go to Start > Settings > Apps > Apps & Features.
  2. Find and select the Netskope Client app.
  3. Click Uninstall.
  4. You are prompted to enter your administrative credentials at this point.
  5. Click OK.
  6. The Netskope Client is uninstalled from your machine.

You can check Apps & features under Apps to ensure that the Netskope Client is uninstalled from your device. To learn more about uninstalling Client from other features in Windows, view Uninstall Apps in Windows.

The Password protection for client uninstallation and service stop option under Client Configuration > Tamperproof lets the administrator prevent end users from uninstalling the Client without authorization. The end user must know the password set by the administrator to uninstall the Client. To learn more, view Netskope Client Configuration.

Netskope Client Auto-Restart

For cases where a user forgets to re-enable the Client after disabling it, Netskope provides a feature flag, AutoStart NSClient with Reboot/Relogin, that enables the Netskope Client. After the administrator enables the feature flag, the Netskope Client is enabled after the user restarts the system or logs off and logs in again.


  • Contact Netskope Support to enable this feature for your tenant.
  • This feature is available only for Windows and macOS devices.
  • Administrators cannot use this feature flag for NPA services.
Netskope Client Auto-Upgrade Failures and Rollback

In certain situations, the Netskope Client may be susceptible to various issues during the auto-upgrade process and the Client installer needs to handle the failure and revert to the previous version.

Client Upgrade or Uninstallation Failure

In the event of any upgrade or uninstall failure, the Netskope Client rolls back to the previous version of the Client, thereby preventing the removal of the Client from the end-user device.

  • In the event of a Client upgrade failure, the Client installer reverts to the previously installed version.
  • In the event of a Client uninstallation failure, the Client installer reverts to the installed version.


The auto-rollback during Client upgrade is available only in Client version 103.0.0 and later. For example, in the event of a failure during the Client upgrade from version 103.0.0 to 104.0.0, the Client automatically rolls back to version 103.0.0. However, the Client is removed from end-user devices running Client versions below 103.0.0.

You can go to Settings > Security Cloud Platform > Netskope Client > Devices to view the events displayed during the Client upgrade failure. Click the device name to view the related events and the corresponding details. The following table lists the different events displayed in the event of a Client upgrade or uninstallation:

Event                     Event Details

Installed                 Installed client version ‘x’
Uninstalled               Uninstalled client version ‘x’
Installation Failure      Failed to install client version ‘x’ – <reason for failure>
Uninstallation Failure    Failed to uninstall client version ‘x’ – <reason for failure>
Upgraded                  Upgraded from client version ‘x’ to ‘y’
Upgrade Failure           Failed to upgrade from ‘x’ to ‘y’ – <reason for failure>
Rollback Success          Rolled back to client version ‘x’
Rollback Failure          Failed to rollback to client version ‘x’

[Figure: Rollback Success, Upgrade Failure, Installed]

[Figure: Rollback Failure]

[Figure: Uninstalled, Uninstallation Failure]

Client Upgrade Failure During System Restart/ Shutdown/ Hard Reboot/ Power Failure

The auto-upgrade process can be interrupted by unplanned events such as:

  • System restart
  • Shutdown
  • Crash
  • Hard reboot
  • Power failure

To eliminate this issue, during the upgrade process, Netskope creates an installation monitor service stAgentSvcMon.exe that is a copy of the existing Netskope Client Services, with limited functionality. The installation monitor service relaunches the Client installation process on the end-user device whenever the auto-upgrade process is interrupted by system restart/crash/shutdown/hard-reboot/power failure. Once the auto-upgrade process is completed, this monitor service is removed from the endpoint.

However, there are a few limitations that would stop the monitor service from relaunching the Client installation process. Refer to the following table to learn more:

Scenario | Client Behavior

Consecutive system restart during the auto-upgrade process | The monitor service stops the auto-upgrade process after two attempts.
The monitor service stops | The auto-upgrade process ends.
The auto-upgrade process fails and the system restart/crash happens during rollback phase | The monitor service attempts to reinstall the new build.
Antivirus configurations to block new processes | The copy of the Client services is not launched.
MSIEXEC behavior during upgrades | MSIEXEC restarts the system during this process.
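
The following PowerShell check is an added example, not part of the Netskope documentation or Netskope's code. Because the monitor service exists only while an upgrade is in progress and antivirus rules can keep it from launching, the script lists any service or running process backed by stAgentSvcMon.exe along with the Authenticode status and signer of the binary, which is what to review before adding an antivirus exclusion or when the monitor is still present after an upgrade. Matching on the image path is an assumption, since the page does not give the service name.

```powershell
# Added example, not Netskope code. Lists any service or running process backed
# by stAgentSvcMon.exe and the Authenticode status of the binary on disk.
$image = 'stAgentSvcMon.exe'

# The page does not give the service name, so match on the service image path
# and strip quotes and arguments from it.
$paths = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$image*" } |
    ForEach-Object { $_.PathName -replace '^"?(.+?\.exe)"?(\s.*)?$', '$1' })

# Running processes with that image name.
$paths += @(Get-CimInstance -ClassName Win32_Process -Filter "Name = '$image'" |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object { $_.ExecutablePath })

$existing = $paths | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ }
$report = foreach ($path in $existing) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path    = $path
        Status  = $sig.Status                     # 'Valid' = signed and trusted
        Signer  = $sig.SignerCertificate.Subject  # review before allowlisting
        Created = (Get-Item -LiteralPath $path).CreationTime
    }
}
if ($report) { $report } else { "No $image service or process found." }
```
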
Private Access Tunnel Status Update in Windows Registry

Private Access service on Netskope Windows Client updates the status of the tunnel in the following registry location: 


Status Descriptions 

Tunnel Status              Registry Value

Enabled                        Connected

Disabled                       Disconnected

In addition, the timestamp at which this status change was made is updated in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope\NpaTunnel/NpaStatusLastChanged.
