Overview
This guide walks through deploying Cisco Secure Client to Windows endpoints using Microsoft Configuration Manager (SCCM). It leverages the pre-deployment package method to enable a fully silent installation, without requiring any user interaction during setup.
This example includes the following modules:
• Core VPN
• Zero Trust Access (ZTA)
• DART (Diagnostic and Reporting Tool)
These are just sample modules—the deployment process is the same for any Cisco Secure Client modules on Windows.
Prerequisites
• Microsoft Configuration Manager (formerly System Center Configuration Manager) is an on-premises endpoint management solution that remains widely deployed today. It can operate independently of the cloud, though it is often used alongside Microsoft Intune in co-managed environments.
o https://learn.microsoft.com/en-us/intune/configmgr/core/understand/introduction
• Administrative rights on the SCCM site server
• Cisco Secure Client pre-deploy package downloaded from software.cisco.com
• Module profile files for any modules being deployed — in this guide a VPN profile is used as the example, but the same approach applies to any Cisco Secure Client module that requires a profile
Step 1 — Download the Pre-Deploy Package
1. Log into software.cisco.com
2. Navigate to Downloads → Security → VPN and Endpoint Security Clients → Cisco Secure Client
3. Download the Windows pre-deploy package:
cisco-secure-client-win-5.1.16.194-predeploy-k9.zip
4. Extract the zip — you will find individual MSI files for each module
Step 2 — Identify the Required MSIs
From the extracted package, the files used in this guide are:
Note
Core VPN needs to be installed first before adding any other modules.
Versioning Note
ZTA is versioned independently from the core package, so version numbers will not match—this is normal. ThousandEyes, if included, follows the same independent versioning model.
Step 3 — (Optional) Prepare the VPN Profile
If deploying a VPN profile alongside the client:
1. Create or export your VPN profile
2. The profile will be copied to the following path post-install:
C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\
3. Place the profiles in the same source folder as your MSI files — SCCM packages all content from this folder together and distributes it as a single unit to the Distribution Point, allowing the install script to reference the profile using a simple relative path rather than reaching out to a separate location.
Step 4 — Create the SCCM Package
Note: The exact navigation and terminology in this step may vary slightly depending on your version of Microsoft Configuration Manager. The steps below reflect the general process — consult your SCCM administrator if your console differs, but the core requirement is the same: create a package that points to the source folder containing your MSIs and profile files.
1. In the SCCM console, navigate to Software Library → Application Management → Packages
2. Click Create Package
3. Configure:
- Name: Cisco Secure Client 5.1.16.194
- Version: 5.1.16.194
- Manufacturer: Cisco Systems
- Source folder: UNC path to your folder containing the MSIs and profile files
4. Select Standard program when prompted
5. When prompted for the Command Line, enter:
powershell.exe -ExecutionPolicy Bypass -File ".\install-csc.ps1"
This is what SCCM executes on the endpoint when the package is deployed — it calls PowerShell and runs the install script you will create in Step 5.
6. Complete the wizard
Step 5 — Configure the Install Script
While SCCM supports multiple methods for software deployment, a PowerShell script is the recommended approach for Cisco Secure Client. Because multiple modules must be installed in a specific order and profile files need to be copied to precise destinations post-install, a script gives the administrator full control over sequencing and file placement in a single, repeatable, and readable deployment unit. This is the method most commonly used in production environments.
https://learn.microsoft.com/en-us/intune/configmgr/apps/deploy-use/create-deploy-scripts
PowerShell Script Primer
The following guidance on creating the script file is intended for those less familiar with PowerShell. Experienced PowerShell users and SCCM administrators can skip ahead to the script content.
Creating the Script
Create a new file named install-csc.ps1 in the same source folder as your MSI files. You can create this using any of the following:
- Windows Notepad — open Notepad, paste the script content, and use Save As making sure to set the file type to All Files and name it install-csc.ps1 (not .txt)
- PowerShell ISE — built into Windows, provides syntax highlighting and is purpose-built for writing PowerShell scripts
- Visual Studio Code — recommended if available, with the PowerShell extension installed for syntax validation
Important: Ensure the file is saved with the .ps1 extension and not as a .txt file — a common mistake when using Notepad.
Script Content
Complete script for deploying VPN, ZTA, DART, and a VPN profile
# ================================================
# Cisco Secure Client - Silent Install Script
# install-csc.ps1
# ================================================
# Install Cisco Secure Client - Core VPN (must be first)
Start-Process msiexec.exe -ArgumentList '/i "cisco-secure-client-win-5.1.16.194-core-vpn-predeploy-k9.msi" /quiet /norestart' -Wait
# Install Cisco Secure Client - Zero Trust Access
Start-Process msiexec.exe -ArgumentList '/i "cisco-secure-client-win-5.1.16.4434-zta-predeploy-k9.msi" /quiet /norestart' -Wait
# Install Cisco Secure Client - DART
Start-Process msiexec.exe -ArgumentList '/i "cisco-secure-client-win-5.1.16.194-dart-predeploy-k9.msi" /quiet /norestart' -Wait
# Copy VPN Profile (if applicable)
$profileDest = "C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\"
If (!(Test-Path $profileDest)) { New-Item -ItemType Directory -Path $profileDest -Force }
Copy-Item -Path ".\vpn_profile.xml" -Destination $profileDest -Force The script above is the complete contents of install-csc.ps1 — a single file that runs sequentially from top to bottom. SCCM executes this one script, which handles all module installations and the profile copy in the correct order. The sections below explain what each part of the script does.
# Install Cisco Secure Client - Core VPN (must be first) Start-Process msiexec.exe -ArgumentList '/i "cisco-secure-client-win-5.1.16.194-core-vpn-predeploy-k9.msi" /quiet /norestart' -Wait
This script silently installs the Cisco Secure Client Core VPN module using the Windows Installer (msiexec.exe). The /quiet flag suppresses any installation dialogs so the process is invisible to the end user. The /norestart flag prevents an automatic reboot immediately after install — allowing all remaining modules to install before a single reboot is performed at the end. The -Wait parameter ensures the script pauses until this installation completes before moving on to the next module, which is critical since all other modules require Core VPN to be present before they can install
# Install Cisco Secure Client - Zero Trust Access Start-Process msiexec.exe -ArgumentList '/i "cisco-secure-client-win-5.1.16.4434-zta-predeploy-k9.msi" /quiet /norestart' -WaitThis script silently installs the Cisco Secure Client Zero Trust Access (ZTA) module. It follows the same installation flags as Core VPN — /quiet keeps the process invisible to the end user, /norestart holds off any reboot, and -Wait ensures the script pauses until this module is fully installed before proceeding. Note that the ZTA module carries its own version number independent of the Core VPN package — this is expected behavior as ZTA ships on its own release cadence.
Note: Copy VPN Profile (if applicable)
This script copies your VPN profile file to the correct destination on the endpoint. It first defines the target folder path where Cisco Secure Client expects to find the VPN profile. Before copying, it checks whether that folder already exists — if it does not, it creates it automatically. It then copies the vpn_profile.xml file from the current package folder directly into that destination. This ensures the VPN profile is in place and ready for Cisco Secure Client to load immediately after installation without any manual intervention.
Step 6 — Distribute Content
1. Right-click the package → Distribute Content
2. Select your Distribution Point(s)
3. Monitor distribution status in Monitoring → Distribution Status
Step 7 — Deploy to Collection
- Right-click the package → Deploy
- Select the target Device Collection
- Configure deployment settings:
- Purpose: Required (silent install) or Available
- Schedule: Configure maintenance window as needed
- Under User Experience, set:
- User notifications: Hide in Software Center for a silent deployment
- Restart behavior: Configure according to your organization’s policy
Step 8 — (Optional) Verify Installation based on our example
After deployment, confirm installation on a target endpoint:
- Open Add or Remove Programs and verify:
- Cisco Secure Client – AnyConnect VPN
- Cisco Secure Client – Zero Trust Access Module (if deployed)
- Cisco Secure Client – Diagnostics and Reporting Tool
Note: Modules and versions differ from the example used here.
2. Verify the system tray icon is present
3. Run DART to confirm it launches and can generate a diagnostic bundle
4. Confirm VPN profile appears in the client if a profile was deployed
References
Cisco
Cisco Secure Client Administrator Guide —
Cisco Secure Client Software Download — https://software.cisco.com
Microsoft
Introduction to Microsoft Configuration Manager — https://learn.microsoft.com/en-us/intune/configmgr/core/understand/introduction
Create and Deploy Packages and Programs in Configuration Manager — https://learn.microsoft.com/en-us/intune/configmgr/apps/deploy-use/packages-and-programs
Create and Run PowerShell Scripts from the Configuration Manager Console — https://learn.microsoft.com/en-us/intune/configmgr/apps/deploy-use/create-deploy-scripts