System requirements for EPM agents on Windows

This topic describes the system requirements for the EPM agents that are installed on Windows endpoints.

Supported platforms

  • Windows 10 x32 & x64

  • Windows 11 x64

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

Support on outdated Windows versions

Microsoft no longer supports Windows XP, Windows Vista, Windows Server 2003, Windows 7, Windows 8, Windows 8.1, Windows Server 2008/R2, or Windows Server 2012/2012 R2, which may put your workstations and servers at risk from security threats.

CyberArk strongly recommends that you upgrade your endpoint's operating system to a newer and supported Windows version as soon as possible.

CyberArk, at its sole discretion, may make commercially reasonable efforts to provide limited helpdesk technical support for supported EPM agents installed on outdated Windows OS. According to CyberArk’s End of Life Policy, CyberArk is not committed to providing any security, functional or operational code fixes for the aforementioned agents.


EPM modules

This table lists the prerequisites for various EPM modules.


Make sure that .NET 4.6.2 is installed on the following platforms where the default .NET version is lower than 4.6.2:

  • Windows platforms lower than Win 10 (e.g., Win 7, Win 8.1).

  • Windows Server platforms lower than Win 2016 (e.g., Win 2012 R2 and Win Server 2008 R2).



Privilege Threat Protection

  • .NET 4.6.2 or higher

Credentials Rotation

  • .NET 4.6.2 or higher

  • On the endpoint, make sure that the Windows "Server" service has not been disabled, and that it is running.

  • For LCD credential rotation, the EPM must be able to make the following internal REST API calls to PVWA:

    • POST https://<IIS_Server_Ip>/PasswordVault/API/EPM/NotifyEndpointPasswordChange

    • POST https://<IIS_Server_Ip>/PasswordVault/API/EPM/RetrieveEndpointPassword

Offline Policy Authorization Generator tool

  • .NET 4.8 or higher

EPM Admin Utility

  • Windows 10 x64

  • Windows Server 2019 x64

  • .NET 4.8 or higher

Step-Up authentication

  • Latest version of WebView2. See Download WebView2 Runtime.


Make sure the following certificate is installed and updated on your endpoints, under “Trusted Root Certification Authorities” in the Windows certificate store.

  • CA “GlobalSign Code Signing R45 Root” certificate

You can download this certificate from the GlobalSign website.

Firewall rules

Open the network to the S3 bucket that is relevant to your region. You can check where the tenant region is, based on the login URL provided in the following table.


Tenant URL

For more details, see Outbound firewall rules required for EPM SaaS Agents to connect.

Minimum requirements

There are no minimum requirements for endpoint machines.

On average, agents consume the following:

  • Less than 1% of CPU

  • Between 20 and 50 MB of RAM, depending on the number of policies

  • Approximately 100 MB of disk space, not including policies and trace files.

Supported processors

The EPM agent for Windows is compatible with ARM-64, x86-64 & x86 processors, which include Intel, AMD and ARM processors.

For more details, see the following links:

User Account Control (UAC)

UAC configuration for GPO

To manage Privilege Management in EPM, configure the following settings in the User Account Control (UAC) dialog box.

  1. On the EPM endpoint machine, open Local Group Policy Editor > Security Settings > Local Policies > Security Options.

  2. Set the following:


    • User Account Control: Admin Approval Mode for the Built-in Administrator account

    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
      Set to: Prompt for consent for non-Windows binaries

    • User Account Control: Behavior of the elevation prompt for standard users
      Set to: Prompt for credentials

    • User Account Control: Run all administrators in Admin Approval Mode

    For more information about these settings, see UAC Group Policy Settings and Registry Key Settings.
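
The following read-only PowerShell audit is an added example, not CyberArk tooling. It checks an endpoint against the .NET, "Server" service, root certificate and UAC prerequisites listed above. The .NET Release thresholds, the LanmanServer service name and the UAC registry value names come from Microsoft's documentation; the certificate subject wildcard is an assumption.

```powershell
# Added example (not CyberArk tooling): read-only audit of this page's prerequisites.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# .NET Framework 4.x: the Release DWORD encodes the installed version.
# Microsoft documents 394802 as the lowest value for 4.6.2 and 528040 for 4.8.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET 4.6.2 or higher' ($release -ge 394802) "Release=$release"
# Only needed where the Offline Policy Authorization Generator or Admin Utility runs.
Add-Check '.NET 4.8 or higher' ($release -ge 528040) "Release=$release"

# Credentials Rotation: the "Server" service (service name LanmanServer).
$svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$svcOk = [bool]$svc -and $svc.StartType -ne 'Disabled' -and $svc.Status -eq 'Running'
Add-Check 'Server service not disabled and running' $svcOk "Status=$($svc.Status); StartType=$($svc.StartType)"

# Root certificate: the subject wildcard is an assumption; compare the thumbprint
# with the value GlobalSign publishes before trusting a match.
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*GlobalSign Code Signing*R45*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certOk = [bool]$cert -and $cert.NotAfter -gt (Get-Date)
Add-Check 'GlobalSign code signing R45 root present, not expired' $certOk "Thumbprint=$($cert.Thumbprint); NotAfter=$($cert.NotAfter)"

# UAC: registry values behind the policy settings in the steps above.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# 5 = Prompt for consent for non-Windows binaries
Add-Check 'Administrator elevation prompt' ($uac.ConsentPromptBehaviorAdmin -eq 5) "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"
# 3 = Prompt for credentials
Add-Check 'Standard user elevation prompt' ($uac.ConsentPromptBehaviorUser -eq 3) "ConsentPromptBehaviorUser=$($uac.ConsentPromptBehaviorUser)"

$results | Format-Table -AutoSize -Wrap
# Reported without a pass/fail verdict: Admin Approval Mode values.
"FilterAdministratorToken=$($uac.FilterAdministratorToken); EnableLUA=$($uac.EnableLUA)"
```

Run it from an elevated Windows PowerShell 5.1 session on the endpoint; it changes nothing on the machine.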

Minimum UAC configuration for Intune

On Microsoft Intune implementations that do not utilize GPO, configure the following settings.

  1. In the Microsoft Endpoint Manager admin center, go to Endpoint security > MDM Security Baseline, and create a baseline profile.

  2. In the profile properties, set the following:


    • Administrator elevation prompt behavior
      Set to: Prompt for consent for non-Windows binaries

    • Standard user elevation prompt behavior
      Set to: Prompt for credentials

    • Detect application installations and prompt for elevation

    • Use Admin Approval Mode