System requirements for EPM agents on Windows
This topic describes the system requirements for the EPM agents that are installed on Windows endpoints.
Supported platforms
- Windows 10 x32 & x64
- Windows 11 x64
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Support on outdated Windows versions
Microsoft no longer supports Windows XP, Windows Vista, Windows Server 2003, Windows 7, Windows 8, Windows 8.1, Windows Server 2008/R2, or Windows Server 2012/2012 R2, and this may put your workstations and servers at risk from security threats.
CyberArk strongly recommends that you upgrade your endpoint's operating system to a newer and supported Windows version as soon as possible.
CyberArk, at its sole discretion, may make commercially reasonable efforts to provide limited helpdesk technical support for supported EPM agents installed on outdated Windows OS. According to CyberArk’s End of Life Policy, CyberArk is not committed to providing any security, functional or operational code fixes for the aforementioned agents.
Prerequisites
EPM modules
This table lists the prerequisites for various EPM modules.
Make sure that .NET 4.6.2 is installed on the following platforms where the default .NET version is lower than 4.6.2:
| Module | Prerequisite |
|---|---|
| Privilege Threat Protection | |
| Credentials Rotation | |
| Offline Policy Authorization Generator tool | |
| EPM Admin Utility | |
| Step-Up authentication | Latest version of WebView2. Download WebView2 Runtime. |
Certificate
Make sure the following certificate is installed and updated on your endpoints, under “Trusted Root Certification Authorities” in the Windows certificate store.
- CA “GlobalSign Code Signing R45 Root” certificate
You can download this certificate from the GlobalSign website.
Firewall rules
Open the network to the S3 bucket that is relevant to your region. You can check where the tenant region is, based on the login URL provided in the following table.
| Region | Tenant URL | S3 URL |
|---|---|---|
| USA | login.epm.cyberark.com/login | epm-downloads.s3.us-east-2.amazonaws.com |
| Europe | eu.epm.cyberark.com/login | epm-downloads-eu.s3.eu-central-1.amazonaws.com |
| UK | uk.epm.cyberark.com/login | epm-downloads-uk.s3.eu-west-2.amazonaws.com |
| Australia | au.epm.cyberark.com/login | epm-downloads-au.s3.ap-southeast-2.amazonaws.com |
| Canada | ca.epm.cyberark.com/login | epm-downloads-ca.s3.ca-central-1.amazonaws.com |
| India | in.epm.cyberark.com/login | epm-downloads-in.s3.ap-south-1.amazonaws.com |
| Japan | jp.epm.cyberark.com/login | epm-downloads-jp.s3.ap-northeast-1.amazonaws.com |
| Singapore | sg.epm.cyberark.com/login | epm-downloads-sg.s3.ap-southeast-1.amazonaws.com |
| Italy | it.epm.cyberark.com/login | epm-downloads-it.s3.eu-south-1.amazonaws.com |
| Federal | login.epm.cyberarkgov.cloud/login | epm-epmprod-us-gov-west-1-epm-downloads.s3-us-gov-west-1.amazonaws.com |
For more details, see Outbound firewall rules required for EPM SaaS Agents to connect.
Minimum requirements
There are no minimum requirements for endpoint machines.
On average, agents consume the following:
- Less than 1% of CPU
- Between 20 and 50 MB of RAM, depending on the number of policies
- Approximately 100 MB of disk space, not including policies and trace files.
Supported processors
The EPM agent for Windows is compatible with ARM-64, x86-64 & x86 processors, which include Intel, AMD and ARM processors.
For more details, see the following links:
- 64-bit architecture (x86-64): https://en.wikipedia.org/wiki/X86-64
- 32-bit architecture (x86): https://en.wikipedia.org/wiki/X86
User Account Control (UAC)
UAC configuration for GPO
To manage Privilege Management in EPM, configure the following settings in the User Account Control (UAC) dialog box.
- On the EPM endpoint machine, open Local Group Policy Editor > Security Settings > Local Policies > Security Options.
- Set the following:

| Option | Set to... |
|---|---|
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
For more information about these settings, see UAC Group Policy Settings and Registry Key Settings.
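The GPO values above and the certificate requirement from the Certificate section can be audited on an endpoint with PowerShell. This is an added example, not CyberArk's code: the registry value names and data come from Microsoft's UAC registry key documentation rather than this page, and the use of the local-machine root store and the partial subject match are assumptions.

```powershell
# Added example (not from the original page): audit the four UAC policies from the
# GPO table and look for the GlobalSign code-signing root certificate.
# Registry value names/data are from Microsoft's UAC registry key documentation.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$expected = [ordered]@{
    FilterAdministratorToken   = 1  # Admin Approval Mode for the Built-in Administrator account: Enabled
    ConsentPromptBehaviorAdmin = 5  # Administrators: Prompt for consent for non-Windows binaries
    ConsentPromptBehaviorUser  = 3  # Standard users: Prompt for credentials
    EnableLUA                  = 1  # Run all administrators in Admin Approval Mode: Enabled
}

function Test-EpmUacSettings {
    $current = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        # A value that is absent from the key reads as $null and is reported as non-compliant.
        $actual = $current.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $expected[$name])
        }
    }
}

function Test-EpmRootCertificate {
    # Assumption: the certificate lives in the machine-wide Trusted Root store and its
    # subject contains these name parts; the exact subject string is not given on the page.
    $now   = Get-Date
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
        $_.Subject -match 'GlobalSign' -and $_.Subject -match 'Code Signing' -and $_.Subject -match 'R45'
    }
    if (-not $certs) {
        Write-Warning 'GlobalSign code-signing R45 root not found in Cert:\LocalMachine\Root'
    }
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            InValidity = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
        }
    }
}

Test-EpmUacSettings     | Format-Table -AutoSize
Test-EpmRootCertificate | Format-Table -AutoSize
```

Compare any thumbprint the script reports against the one GlobalSign publishes before treating the certificate as the required one.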
Minimum UAC configuration for Intune
On Microsoft Intune implementations that do not utilize GPO, configure the following settings.
- In the Microsoft Endpoint Manager admin center, go to Endpoint security > MDM Security Baseline, and create a baseline profile.
- In the profile properties, set the following:

| Option | Set to... |
|---|---|
| Administrator elevation prompt behavior | Prompt for consent for non-Windows binaries |
| Standard user elevation prompt behavior | Prompt for credentials |
| Detect application installations and prompt for elevation | Yes |
| Use Admin Approval Mode | Yes |