Prerequisites for deploying the Windows Cloud Agent

The Windows Cloud Agent supports AD, Hybrid Azure AD, and CyberArk Cloud Directory users on both domain-joined and non domain-joined Windows machines (workstations and servers). AD users on machines that are not domain joined essentially function as cloud users; they are not bound to AD infrastructure. CyberArk Identity facilitates their log in through AD credentials; however, remember that features that are specific to AD-joined machines (IWA, Kerberos) are not available.

Ensure the following prerequisites are met before deploying the Windows Cloud Agent.

Prerequisites for WCA deployment



Allow communication on outbound ports

The Windows Cloud Agent does not listen on any incoming ports. It only requires an outbound connection - either direct or through a proxy - and connects to either or on port 443.

You must install the Windows Cloud Agent on a supported version of Windows.

CyberArk supports the Windows Cloud Agent on Windows 10, 11, Server 2012 R2, Server 2016, Server 2019 and Server 2022.

Desktop Experience is required for Windows servers.

AD users on domain-joined machines must have a connection to the domain controller for their first login to the machine.

This prerequisite is typical of AD-based Windows environments, and is not specific to the Windows Cloud Agent.

Some VPN clients can be configured to make the VPN available on the login screen. For example:

The CyberArk Identity Connector must be installed and running on a domain server in order to support AD users.

Refer to Install the CyberArk Identity Connector for more information.

Users subject to an authentication policy must have sufficient authentication mechanisms configured in their account.

Refer to Manage adaptive MFA for more information.