One installer for all new clients?

Is it possible to have one install agent software for all new devices? It’s pretty tedious having to log into the portal and select “Enroll Device” and copy and paste that link or download that specific install and run it on every new device.

What I’m looking for is something like:

Download file: https://someURLonMYwebserver.com/MYcustomCOMODOagent.exe
Then run it silently on command line: MYcustomCOMODOagent.exe /s

Hi, this is normal for most RMM as agents are set up for customers/groups or single one-off systems.

Select the bulk installer, have at least one “generic” default group enabled and once deployed it is fairly easy to move systems between that and your customer setup.

I keep most of my customer installers on a personal keyring USB just for ad hoc onsite installs, but also have them on a simple web site for easy access for both myself and for new onboarding as required.

Same as what you suggest www.mysite/agent.exe

All others are deployed server/gpo setup.

mcfproservices

Bulk Installer wants to download the ADDT tool which appears to allow you to remotely install the agent. I’d like to just grab an executable once for CompanyA and keep installing it for all CompanyA’s new PCs. I don’t mind creating an executable for each customer if that’s possible?

Sorry, I should have explained better.

Choose the BULK installer you then create as per customer/company, in your case call it CompanyA

You can then use that for every new system per CompanyA

I have created the bulk installer for each company, so they are held in a folder/website/server and usb stick for usage anywhere if needed.

But at each customer site is held only the installer for that company.

I also have one generic default one I can use, then afterwards I can move the device to whatever customer group I need.
Handy for ad hoc onboarding for new users as can add a device first then create the customer a bit later.

mcfproservices

If you go to:

Endpoint Manager >> Bulk Installation Package

Then fill out User, Customer, and Device Group, Platform.

Then click on Download button.

A popup appears that says “Auto Discovery and Deployment Tool” with an option for Download.

Do you just X (close) that dialog box and grab the .msi that was generated?

Hello @sunshinetp ,

Auto Discovery and Deployment Tool discovers all endpoints on your network or Active Directory, and deploys the bulk installation package to found endpoints. You do not need to use this tool but it makes it easier to deploy all your endpoints at once. Please find details about enrollment methods below.

https://help.comodo.com/topic-399-1-786-11273-Bulk-Enrollment-of-Devices.html

If you have any other question, I would be more than happy to answer.

Best regards,
Ilgaz

So I downloaded the .MSI file produced by the bulk download page and made sure to select customer, user, etc… Then did a silent install and it did install but on reboot I get a dialog box asking for token and port. Shouldn’t the bulk installer have this info?

The silent install was done like this:

msiexec.exe /qn /norestart comodo-installer.msi

Any other ideas?

When you install those customer installs from the personal keyring, does the agent popup a window asking for you to provide a token, host, and port?

Here’s the answer in case anyone else is looking. You cannot have a permanent install per customer because the token expires every 90 days. So even if you set up GPO you will have to manually log into the Comodo/Itarian portal and redownload a new version of the bulk installer and update your GPO settings or else every new install after that 90 days will begin asking for token, host, and port. Same with storing these custom installs on a USB. What’s the point to have it on a USB when it will expire in 90 days anyway.

For what it’s worth, I’m not sure about other RMM’s but Kaseya had a custom link / install per customer that never expired and made it super easy to deploy agents.

FYI.

Thanks to those who responded.

Hi @sunshinetp

Sorry for the late reply, I missed this post when it was first posted and I’ve just found it while looking for a script to download and install an MSI package.

Regarding this specific point:

As far as I know, according to my own notes, at least since May 2019 the tokens generated for the ITSM package expire after 720 days. That’s not permanent, indeed, but it’s not a big deal to me to re-generate the tokens once every two years. Mind that this applies to “Communication Client” packages only; if you are generating packages with the “Client Security” they might still expire after 90 days, due to the nature of the Security Client itself.

For reusing the downloaded ITSM agent installation package, this is very important to know: the file name is linked to the enrollment token, so the weird file name should not be changed under any circumstance or it will not be able to auto-enrol and it will ask for the token, host, and port. If you have renamed the MSI package, that’s why it was asking for the token…

Going a bit deeper into this topic, the “custom” MSI package is not custom at all: if you verify the checksum of different packages, you will find that the checksum is the same, only the filename is different. So, you could just keep note of the file names generated for your enrolment tokens, and then just download the generic package and rename it with the “tokenized” filename; it will install and auto-enrol the endpoint on the adequate Device Group.

In fact, this is what our deployment CMD script does: we have a single MSI package for all the entities, the deployment script just reads an environment variable that tells it which entity is being deployed, it then copies the MSI package to a temporary folder, renames the MSI package with the “tokenized” filename, runs the installation and at the end deletes the package from the temporary folder. With that simple trick, we are deploying a dozen different entities with a single MSI package.

Let me know if you still need help on this topic, I have a couple of tricks more that I can share if you need it.

Best regards,

– Javier Llorente
Endpoint Security, Devoteam

If I want to install this via Microsoft Endpoint Manager (Intune), how would I make this work? I have tried to install it as a LOB App (without changing the name of the installer) but that still required the Host and Token info to enroll.

Hi @RichAY,

I’m not sure, I have not used LOB Apps yet, but if it’s asking you for the Host and Token info to enrol, clearly there is something that is not working.

The first step would be to check the MSI package log, look for a line that begins with “Property(S): CDM_TOKEN” and confirm that it’s equal to the token in the msi package filename. The tokenized filename will be something like “em_RC_CDMTOKEN_installer.msi”, where RC is the Region Code (either “us” or “eu”) and the CDMTOKEN is an eight-character alphanumeric string. If the MSI log is showing the CDM_TOKEN as blank, this means that the tokenized filename is being lost somewhere.

I’m not sure if this token value could be passed as a Public Property to the msiexec command. In such a case, the format would be the following:

msiexec /i "itsm_agent.msi" /qn /L*v "C:\SetupLogs\Itarian_EMCC.log" CDM_TOKEN=Wh4t3V3r

I’ve never tested this method and this doesn’t seem to be documented anywhere, but it might be worth trying it. Let me know if this works for you.

Best regards,

– Javier Llorente
Endpoint Security, Devoteam
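
The two points from the replies above, the copy/rename/install/delete deployment flow and the check for “Property(S): CDM_TOKEN” in the MSI log, combined in one PowerShell example. This is an added example, not the CMD script mentioned in the thread and not vendor code; the share path, the DEPLOY_ENTITY variable name and the token values are placeholders.

```powershell
# Added example. Share path, variable name and token values are placeholders.
param(
    [string]$GenericMsi = '\\fileserver\deploy\itsm_agent.msi',  # hypothetical location of the generic package
    [string]$Entity     = $env:DEPLOY_ENTITY,                    # hypothetical variable naming the entity
    [string]$LogPath    = 'C:\SetupLogs\Itarian_EMCC.log'
)

# Entity -> tokenized filename noted when the package was generated (placeholder tokens).
$TokenizedNames = @{
    'CompanyA' = 'em_us_XXXXXXXX_installer.msi'
    'CompanyB' = 'em_eu_YYYYYYYY_installer.msi'
}

if (-not $Entity -or -not $TokenizedNames.ContainsKey($Entity)) {
    throw "No tokenized filename recorded for entity '$Entity'."
}
$name = $TokenizedNames[$Entity]
# em_RC_CDMTOKEN_installer.msi: RC is "us" or "eu", CDMTOKEN is eight alphanumeric characters.
if ($name -cnotmatch '^em_(us|eu)_([A-Za-z0-9]{8})_installer\.msi$') {
    throw "'$name' does not follow the tokenized filename format."
}
$expectedToken = $Matches[2]

$work = Join-Path $env:TEMP ('emcc_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$msi = Join-Path $work $name
try {
    Copy-Item -LiteralPath $GenericMsi -Destination $msi
    $msiArgs = "/i `"$msi`" /qn /norestart /L*v `"$LogPath`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
        throw "msiexec exited with code $($proc.ExitCode); see $LogPath"
    }
    # The token the installer actually picked up, as recorded in the verbose log.
    $hit = Select-String -LiteralPath $LogPath -Pattern '^Property\(S\): CDM_TOKEN = (.*)$' |
        Select-Object -First 1
    $logged = if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() } else { '' }
    if ($logged -cne $expectedToken) {
        throw "CDM_TOKEN in $LogPath is blank or differs from the filename token."
    }
    Write-Output "$Entity installed: CDM_TOKEN in the log matches the tokenized filename."
}
finally {
    # Remove the renamed package; the log stays in place for troubleshooting.
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

A blank or mismatched CDM_TOKEN here is the same symptom described above: the tokenized filename was lost before msiexec saw the package.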

Hi @RichAY

Hmmm… In the CDM_TOKEN parameter, you must not use the long token provided in the User page on the EM; there you must use the short token that is included in the MSI package filename (in this case, iwXXXX0w, mind the upper and lower cases). Also, check the “C:\SetupLogs\Itarian_EMCC.log” file, look for CDM_TOKEN and check if it’s being filled properly.

Good luck and best regards,

– Javier Llorente
Endpoint Security, Devoteam

I think i’m understanding it correctly now. i’ve updated the arguments to "/Lv “C:\Itarian_EMCC.log”" and noticed that the log shows that the installer file name is different than if i were to install it directly to a computer (Microsoft in their wisdom apparently changes it when sending it to the client to be installed.) i’ve updated the arguments to just add the CDM_TOKEN=iw****** (the line I got from the log and the file name) and will update my findings after it pushes down the installer again.

still no joy. i’m assuming there is something within the file to reference the name of the file in order to properly auto-enroll the client after it is installed. is there no way to have the bulk installer package be created/modified with this information in it before downloading it from the portal? it seems a bit silly in my opinion.

still no joy. if there was a way to put “whatever information it’s referencing the filename for” inside the installer then the issue would be non-existent.

Hi @RichAY

Well, there is another way: you can provide the enrollment information by placing a configuration file in the application folder before installing the EMCC.

Path: C:\Program Files (x86)\COMODO\Comodo ITSM (Unless it’s a 32 bit Windows or you’re using a custom installation path)
File Name: enrollment_config.ini
File content:

[General]
host = customername-mspname-msp.cmdm.comodo.com
port = 443
token = LongTokenFromTheEndpointManagerWeb

Some time ago, @curatrix_pl posted a way to create that file on the fly using a PowerShell script, the post is pretty old but I think the script should work for you, please take a look at it:

https://forum.itarian.com/forum/products/comodo-one-portal/25388-itsm-enrollment-through-intune?p=25620#post25620

Hope this will help.

Best regards,

– Javier Llorente
Endpoint Security, Devoteam
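
The configuration-file method above as a PowerShell example that writes enrollment_config.ini before the installer runs. This is an added example, not the script from the linked post and not vendor code; the host, port and token values are the placeholders from the post, and the function name is hypothetical.

```powershell
# Added example. Host, port and token are placeholders; Write-EnrollmentConfig is a hypothetical name.
# The long token enrolls devices into your tenant, so store this script as you would a credential.
function Write-EnrollmentConfig {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [Parameter(Mandatory)][string]$Token,
        [string]$InstallDir   # only needed for a custom installation path
    )
    if (-not $InstallDir) {
        # "Program Files (x86)" exists only on 64-bit Windows; fall back on 32-bit systems.
        $base = ${env:ProgramFiles(x86)}
        if (-not $base) { $base = $env:ProgramFiles }
        $InstallDir = Join-Path $base 'COMODO\Comodo ITSM'
    }
    # Reject values that would produce a malformed INI line.
    if ($HostName -notmatch '^[A-Za-z0-9.-]+$') { throw "Host '$HostName' is not a bare hostname." }
    if ($Token -match '\s')                     { throw 'Token contains whitespace.' }

    New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
    $path  = Join-Path $InstallDir 'enrollment_config.ini'
    $lines = '[General]', "host = $HostName", "port = $Port", "token = $Token"
    # Explicit ASCII: no BOM and no UTF-16, unlike Out-File or '>' in Windows PowerShell
    # (assumption: the agent reads the file as plain text).
    Set-Content -LiteralPath $path -Value $lines -Encoding ASCII
    return $path
}

# Run elevated, before the MSI is installed with no extra arguments.
Write-EnrollmentConfig -HostName 'customername-mspname-msp.cmdm.comodo.com' `
                       -Port 443 `
                       -Token 'LongTokenFromTheEndpointManagerWeb'
```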

using the script (with our information in it) in addition to having the app install with no arguments worked!

Much thanks!

Great! Thanks a lot for the feedback!

Best regards,

– Javier Llorente
Endpoint Security, Devoteam