PSM automatic installation

This topic describes the PSM installation process.

Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Overview

The PSM installation is divided into several configurable stages: setup, installation, post-installation, hardening and registration.

The PSM installation package includes an automatic tool that executes the powershell scripts under the InstallationAutomation folder. This tool provides a more user-friendly way to invoke the InstallationAutomation scripts, with all stages, including hardening, invoked by default.

The tool, PSMAutoInstallation.exe, is located inside the PSMAutoInstallation directory in the PSM CD-Image package.

Installation notes

To run the automatic installation, you must be logged on as a user who is a member of the local administrators group. If PSM is joined to a domain, the user must be a domain user.
Install the PSM server on a separate from the Vault server.
Enable File and Printer Sharing for Microsoft Networks on the server during PSM installation. This is required to set the PSMInitSession.exe application as a RemoteApp application. You can disable it again after the installation is complete.
The PSM server is installed as a Windows service called CyberArk Privileged Session Manager.

If you download installation files from the internet, use the following PowerShell command to unblock the files:

dir C:\Downloads -Recurse | Unblock-File

For details about installing the PSM in a load balancing environment, see Install PSM in a Load-Balancing Environment.

PSM automatic installation tool

PSMAutoInstallation.exe runs all the PSM installation stages: readiness, setup, installation, post-installation, hardening, and registration.

This tool DOES NOT support upgrade. Do NOT run it if PSM is already installed on your machine.

PSM installation runs the hardening steps, including PSMConfigureApplocker, with a default configuration. You can always re-run the PSMConfigureApplocker script at a later stage with a different configuration. For details, see Hardening.
The hardening stage blocks all administrators from navigating in the PSM server file system. To enable an administrator to explore folders on the PSM server, update the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] registry key for the administrator to "NoRun"=dword:00000000.
The Registration stage creates the relevant PSM objects in the Vault each time it runs. When you run the tool, this stage is only run if it has not yet run or if the connection to the Vault failed. If registration started and was cancelled, you must run the repair via the installation Wizard.

The tool runs with the following default values:

Step	Name	Description
	Readiness
1.1	Check OS	This step verifies that the operating system is a compatible version, either Windows server 2016 or 2019. Default - Enable = "Yes"
1.2	Validate domain user	This step validates that the user is a domain user. Default - Enable = "Yes"
1.3	Check system requirements	This step verifies the minimum system requirements for PSM installation according the deployment size (small, medium, or large). The default deployment size is small. Default - Enable = "Yes"
1.4	Verify .Net	This step verifies that .Net Framework 4.8 is installed on the machine. Default - Enable = "Yes"
	Set up
2.1	.Net 4.8	This step verifies that a compatible version of .Net Framework is installed on the machine. Default - Enable = "Yes"
2.2	Install Remote Desktop Services rules	This step installs the Remote Desktop Services (RDS) Session Host Role Default - Enable = "Yes"
2.3	Disable NLA authentication	This step disables NLA. Default - Enable = "Yes"
2.4	Update the RDS security layer	This step updates the RDS security layer to 1. Default - Enable = "No" This step is disabled by default, since we highly recommend that you configure secure RDP connections using SSL. For details, see Secure RDP Connections with SSL. Enable this step if you do not secure RDP Connections with SSL.
	Installation
3.1	Install PSM
	Name	Your name Default - Windows User
	Company	Your company name Default - My Company
	InstallationDirectory	PSM installation folder location. Default - "C:\Program Files (x86)\CyberArk"
	RecordingDirectory	Location of the local recordings folder (before the recordings are uploaded to the Vault). Default - "C:\Program Files (x86)\CyberArk\PSM\Recordings"
	Post Installation
4.1	Disable screen saver for the PSM local users	During installation, the following two Windows users are created for the PSM environment on the PSM machine: PSMConnect - A Windows user that is created in order to start PSM sessions on the PSM machine. PSMAdminConnect - A Windows user that is created in order to monitor live privileged sessions. After the PSM has been installed successfully, the Screen Saver for these users is disabled during the post-installation stage. Default - Enable = "Yes"
4.2	Configure users for PSM sessions	The step configures the PSMConnect and PSMAdminConnect Windows users created on the PSM Server machine during PSM installation and configured during the post-installation stage. Default - Enable = "Yes"
4.3	Improve Non RDP Connector Performance	This step disables Microsoft's Dynamic Fair Share Scheduling (DFSS) feature, which dynamically distributes and prioritizes resources across active RDP sessions. This decreases the start-up time of non-RDP connection components, such as Toad, PLSQL, and CheckPoint. Default - Enable = "Yes"
4.4	Enable PSM for web applications	You can connect transparently through PSM to web sites and web applications with a Google Chrome or Microsoft Edge browser. For configuration details, see Web applications for PSM. After the post-installation stage, refer to the Certificates section. Default - Enable = "Yes"
4.5	Enable users to print PSM sessions	End users can print sessions initiated by the PSM on their local printers. This procedure is required so that users who are connected though the PSM can print from clients that are installed on the PSM machine. For example, Toad. Default - Enable = "No"
4.6	Reduce Win Certificate Wait Time	This step reduces the time that Windows waits for a Certificate Revocation List when connecting to a target using SSL, to achieve better connection times from PSM to target machines. You can set the [URLTimeout] and [PathValidationTimeout] parameters, which by default are each 3 seconds. Enable this step if the PSM does not have internet access or if your organization does not have access to the Certificate Revocation List. Default - Enable = "No"
	Hardening
5.1	Run the Hardening script	The PSM hardening procedure on the PSM server machine enhances PSM security. The hardening stage blocks all administrators from navigating in the PSM server file system. To enable an administrator to explore folders on the PSM server, update the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] registry key for the administrator to "NoRun"=dword:00000000. Default - Enable = "Yes"
5.2	Post hardening tasks	Hide PSM local drives in PSM sessions For details, see, After running the hardening script. Default - Enable = "Yes"
5.3	Set up AppLocker rules	To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications. For details, see Run AppLocker rules Default - Enable = "Yes"
5.4	Configure Out-of-domain PSM server	Runs 'Out of Domain' PSM server including: Imports an INF file to the local machine Applies advanced audit Manually Adds User Changes for Installation Set time limit for active but idle RDS sessions Default - Enable = "Yes" This step is enabled only for out of domain machines. If you enable this step on a domain joint machine, update the following group policy setting: In Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service\, set the Log on as a service property to include NT SERVICE\ALL SERVICES.
5.5	Harden TLS settings	Disables SSL/TLS versions earlier than TLS 1.2. RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures RD Connection Broker to work with SQL Server Express. If the PSM Server machine is running on Windows 2016 and you have SQL server SP2 installed, select the TLS hardening checkbox to upgrade the SQL server to SP3. If you need to enable earlier versions of SSL/TLS after this script has run (for example, if your custom PSM connectors and installed clients utilize TLS 1.0/1.1), configure the Windows registry as follows: Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<SSL/TLS version> Under Client and/or Server, change value for DisabledByDefault to 0 and the value for Enabled to 1. Default - Enable = "Yes"
	Registration
6.1	Register PSM to Vault
	vaultip	IP address or hostname of the vault server When you register PSM to a DR Vault environment, value Vaultip with <vault ip>,<DR ip>
	Vaultport	Vault’s configured communication port. Default - 1858
	Vaultusername	Vault user performing the installation. We recommend using the Vault administrator user to install Privileged Session Manager as this user has the appropriate Vault authorizations and is created in the appropriate location in the Vault hierarchy. If you install multiple PSMs in the same Vault environment, you must install all PSMs with the same Vault user.
	Usercredfile	The path to the user credential file. For details on creating a cred file, see CreateCredFile utility. The user credential file must be placed in a folder that is accessible only for the machine or domain administrator who runs the PSM installation. We highly recommend that you delete the credential file after completing the registration. Default - {PSMInstallDir}\vault\userCred.ini
	Accepteula	Accept the end user License agreement Default - No
	EnablePKI	This parameter enables PKI authentication to the Vault via a smart card for PSM connections. Do not enable this setting if PKI authentication is not used in your organization. If you do not enable this setting during installation and want to enable PKI authentication for PSM, follow the instructions in During PSM installation. Default - No
	APIHost	The PVWA host name. In a Distributed Vaults environment, you must define the PVWA where PSM will send REST API calls. To automatically unlock accounts, you must define the PVWA. Default - ""
	APIProtocol	To automatically unlock accounts, you must define the protocol. Default - Https

Run the installation tool

From the installation CD, copy the PSM folder to the component server and unzip.

Open CMD and run

CD <PSM CD-Image Path>\PSMAutoInstallationTool
PSMAutoInstallationTool /vaultip <Vault IP address> /vaultuser <Vault username for installation> /accepteula yes

Restart - The tool runs the PSM installation stages. When a restart is required, the user is prompted to press Enter, restarting the machine. When the user logs in to the machine again, the tool continues from the relevant step.
Vault user credentials - If you are using a Vault username and password, after the last restart you are prompted to enter a password. Enter the password and click Enter. You can use the cred file to avoid entering the password interactively.

If one of the preconditions is not met during the Readiness stage, a message is displayed. The user must adjust the environment to meet the requirements or exclude the step from the script, by performing the following command:

.\PSMAutoInstallationTool.exe /exclude x.x (the relevant step number)

The tool receives the following parameters:

Parameter	Description
Vaultip	This parameter is mandatory
vaultuser	This parameter is mandatory
usercredfile	If there is no user credential file, you are prompted to enter the Vault password when you reach the Registration stage
accepteula	This parameter is mandatory
apihost
usepki
Name
Company
InstallDir
RecordingDir
Include	Steps you want to enable that are disabled by default. Step numbers are shown in the default values table above. For example: /include 4.6 will enable the Reduce Win Certificate Wait Time step
Exclude	Steps you want to disable that are enabled by default. Step numbers are shown in the default values table above. For example: /exclude 2.2 will disable the Install RDS Rules step

If the same step number appears in both the /include and /exclude lists, it is ignored and the default value remains in effect.

Run PSM installation in stages

Readiness

This stage performs the following:

Step	Procedure	Default setting
Check OS	This step verifies that the operating system is a compatible version, either Windows server 2016 or 2019.	Enable = "Yes"
Validate domain user	This step validates that the user is a domain user.	Enable = "Yes"
Check system requirements	This step verifies the minimum system requirements for PSM installation according the deployment size (small, medium, or large). The default deployment size is small.	Enable ="Yes"
Verify .Net	This step verifies that .Net Framework 4.8 is installed on the machine.	Enable ="Yes"

Configure the readiness stage

From the installation CD, copy the PSM folder to the component server and unzip.
Open InstallationAutomation\Readiness\ReadinessConfig.XML and select the steps to enable by setting Enable = "Yes".
Select the deployment size based on your environment.

Run the readiness stage

To run the script in standard mode, open a PowerShell window and run the following command:

CD “<CD-Image Path>\InstallationAutomation”
.\Execute-Stage.ps1 “<CD-Image Path>\InstallationAutomation\Readiness\ReadinessConfig.XML”

To run the script in silent mode which includes an automatic restart, open a PowerShell window and run the following command:

 .\Execute-Stage.ps1 .\Readiness\ReadinessConfig.XML silent

Set up

This stage performs the following:

Step	Procedure	Default setting
.Net 4.8	This step verifies that a compatible version of .Net Framework is installed on the machine.	Enable = "Yes"
Install Remote Desktop Services	This step installs the Remote Desktop Services (RDS) Session Host Role	Enable = "Yes"
Disable NLA	This step disables NLA.	Enable ="Yes"
Update the RDS security layer	This step updates the RDS security layer to 1. This step is disabled by default since we highly recommend that you configure secure RDP connections using SSL. For details, see Secure RDP Connections with SSL. Enable this step if you do not secure RDP Connections with SSL.	Enable ="No"

Configure the set up stage

From the installation CD, copy the PSM folder to the component server and unzip.
Open InstallationAutomation\Prerequisites\PrerequisitesConfig.XML and select the steps to enable by setting Enable = "Yes".

Run the set up stage

To run the script in standard mode, open a PowerShell window and run the following command:

CD “<CD-Image Path>\InstallationAutomation”
.\Execute-Stage.ps1 “<CD-Image Path>\InstallationAutomation\Prerequisites\PrerequisitesConfig.XML”

The Remote Desktop Services (RDS) installation requires a machine restart. You will be notified before the restart begins.

To run the script in silent mode which includes an automatic restart, open a PowerShell window and run the following command:

 .\Execute-Stage.ps1 .\Prerequisites\PrerequisitesConfig.XML silent

Installation

The installation stage installs Privileged Session Manager automatically using the PAM - Self-Hosted deployment scripts. For details about manually installing the PSM, see PSM wizard installation.

If you install multiple PSMs in the same Vault environment, verify that each PSM has the same path to the RecordingsDirectory.

Configure installation

From the CD image, open InstallationAutomation\Installation\InstallationConfig.XML and edit the following parameters:

Parameter	Description
Name	Your name
Company	Your company name
InstallationDirectory	PSM installation folder location. Default value: "C:\Program Files (x86)\CyberArk"
RecordingsDirectory	Location of the local recordings folder (before the recordings are uploaded to the Vault). Default value: "C:\Program Files (x86)\ CyberArk\PSM\Recordings"

Run installation

To run the script in standard mode, open a PowerShell window and run the following command:

CD “<CD-Image Path>\InstallationAutomation”
.\Execute-Stage.ps1 “<CD-Image Path>\
InstallationAutomation\Installation\InstallationConfig.XML”

The PSM installation requires a machine restart. You will be notified before the restart begins.

Or, to run the script in silent mode which includes an automatic restart, open a PowerShell window and run the following command:

.\Execute-Stage.ps1 .\Installation\InstallationConfig.XML silent

Post-installation

The post installation stage configures the PSM server after it has been installed successfully.

The post installation stages does the following steps automatically. For troubleshooting or to perform the step manually, see the procedure:

Step	Procedure
Disables the screen saver for local PSM users	Disable the screen saver for the PSM local users
Configures users for PSM sessions	Configure users for PSM sessions
Improves non-RDP Connector Performance
Enables PSM for web applications	Configure PSM to connect to Web applications
Enables users to print PSM sessions	Enable Users to Print PSM Sessions
Reduces WinCertificate Wait Time

Configure the post-installation stage

From the CD image, open InstallationAutomation\PostInstallation\PostInstallationConfig.XML. and select the steps you want to enable by setting Enable = "Yes"

Steps	Description	Default setting
Disable the screen saver for the PSM local users	During installation, the following two Windows users are created for the PSM environment on the PSM machine: PSMConnect - A Windows user that is created in order to start PSM sessions on the PSM machine. PSMAdminConnect - A Windows user that is created in order to monitor live privileged sessions. After the PSM has been installed successfully, the Screen Saver for these users is disabled during the post-installation stage.	Enable= "Yes"
Configure users for PSM sessions	The step configures the PSMConnect and PSMAdminConnect Windows users created on the PSM Server machine during PSM installation and configured during the post-installation stage.	Enable= "Yes"
Improve non-RDP Connector Performance	This step disables Microsoft's Dynamic Fair Share Scheduling (DFSS) feature, which dynamically distributes and prioritizes resources across active RDP sessions. This decreases the start-up time of non-RDP connection components, such as Toad, PLSQL, and CheckPoint.	Enable= "Yes"
PSM for Web Applications	You can connect transparently through PSM to web sites and web applications with a Google Chrome or Microsoft Edge browser. For configuration details, see Web applications for PSM. If you enable this step, run the hardening script with SupportWebApplications="Yes". After the post-installation stage, refer to the Certificates section.	Enable= "Yes"
Enable Users to Print PSM Sessions	End users can print sessions initiated by the PSM on their local printers. This procedure is required so that users who are connected though the PSM can print from clients that are installed on the PSM machine. For example, Toad.	Enable= "No"
Reduce WinCertificate Wait Time	This step reduces the time that Windows waits for a Certificate Revocation List when connecting to a target using SSL, to achieve better connection times from PSM to target machines. You can set the [URLTimeout] and [PathValidationTimeout] parameters, which by default are each 3 seconds. Enable this step if the PSM does not have internet access or if your organization does not have access to the Certificate Revocation List.	Enable= "No"

Run the post-installation stage

Open a PowerShell window and run the following command:

CD “<CD-Image Path>\InstallationAutomation”
.\Execute-Stage.ps1 “<CD-Image Path>\Installation automation\PostInstallation\PostInstallationConfig.XML

Following installation

Perform the following steps, if required:

Step	Description
Check the installation log files	Verify that the installation completed successfully.
Connect to a target system directly from desktop	If NLA is enabled in your environment and your users connect directly from their desktops.
Configure the PSM users’ passwords	This procedure describes how to configure the PSMConnect and PSMAdminConnect users’ passwords so that they are managed by the CPM.
Enable maintenance users to log on remotely	Maintenance users who need to logon remotely to the PSM server must be members of the RemoteDesktopUsers group in the PSM server and must also be added to the list of users with the “Allow log on through Remote Desktop Services” permission in the Windows security policy.

Hardening

Run the Post-installation stage before hardening the server.

The PSM hardening stage enhances PSM security by defining a highly secured Windows server. The hardening procedure, which disables multiple operating system services on the PSM server machine, is included as part of the PSM installation.

The hardening stage blocks all administrators from navigating in the PSM server file system. To enable an administrator to explore folders on the PSM server, update the [HKEY_CURRENT_USER\
Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer] registry key for the administrator to "NoRun"=dword:00000000.

Configure the hardening stage

From the CD image, open InstallationAutomation\Hardening\HardeningConfig.XML and verify that the following parameters are set to Enable = Yes:

Step	Description
1. Runs the hardening script	The PSM hardening procedure on the PSM server machine enhances PSM security. Default: Enabled = Yes Additional step parameters: SupportWebApplications - Set this parameter to Enable="Yes" if you are using web applications. ClearRemoteDesktopUsers - For security reasons, the hardening stage clears the Remote Desktop Users group. The Remote Desktop Users group should include maintenance users that are not administrators.
2. Runs post hardening tasks	Hide PSM local drives in PSM sessions Default: Enabled = Yes For details, see, After running the hardening script.
3. Run AppLocker rules	To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications. Default: Enabled = Yes For details, see Run AppLocker rules
4. Automatic hardening in 'Out of Domain' deployments	Runs 'Out of Domain' PSM server including: Imports an INF file to the local machine Applies advanced audit Manually Adds User Changes for Installation Set time limit for active but idle RDS sessions Default: Enabled = No Set to Yes if you are using the PSM server out of domain. For in domain deployments, see Hardening 'In Domain' deployments. For configuration details, see Harden the PSM server in 'Out of Domain' deployments.
5. Harden TLS Settings	Disables SSL/TLS versions earlier than TLS 1.2. RemoteApp requires a connection broker and a session collection to be associated with it. When PSM is installed, the RD Connection Broker is installed on the machine. This step installs SQL Server Express and configures RD Connection Broker to work with SQL Server Express. Default: Enabled = Yes If the PSM Server machine is running on Windows 2016 and you have SQL server SP2 installed, select the TLS hardening checkbox to upgrade the SQL server to SP3. If you need to enable earlier versions of SSL/TLS after this script has run (for example, if your custom PSM connectors and installed clients utilize TLS 1.0/1.1), configure the Windows registry as follows: Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\ Protocols\<SSL/TLS version> Under Client and/or Server, change value for DisabledByDefault to 0 and the value for Enabled to 1.

Run the hardening stage

Open a PowerShell window and run the following command:

CD “<CD-Image Path>\InstallationAutomation”
.\Execute-Stage.ps1 “<CD-Image Path>\Installation automation\Hardening\HardeningConfig.XML

After the hardening stage, see the following steps for in-domain and out-of-domain deployments:

Step	Description
Administrative templates	This section describes the manual configuration that must be performed in 'Out of Domain' deployments.
General hardening tasks	This section describes configuration that must be performed in 'In Domain' deployments as well as in 'Out of Domain' deployments.
Hardening 'In Domain' deployments	This section describes the automatic hardening procedure for In Domain deployments, including each file type and its configuration, as well as the procedures for applying and editing these files in a customer's environment. For configuration details, see Harden the PSM server in 'In Domain' deployments

Step

Description

Administrative templates

This section describes the manual configuration that must be performed in 'Out of Domain' deployments.

General hardening tasks

This section describes configuration that must be performed in 'In Domain' deployments as well as in 'Out of Domain' deployments.

Hardening 'In Domain' deployments

This section describes the automatic hardening procedure for In Domain deployments, including each file type and its configuration, as well as the procedures for applying and editing these files in a customer's environment.

For configuration details, see Harden the PSM server in 'In Domain' deployments

Registration

The Registration stage registers the Privileged Session Manager server to the Vault.

If you use the PSM wizard installation, which registers the PSM server to the Vault, you can skip this step.

Configure the registration stage. From the installation package, open InstallationAutomation\Registration\RegistrationConfig.XML and edit the following parameters:

Parameter	Description
Vaultip	IP address or hostname of the vault server When you register PSM to a DR Vault environment, value Vaultip with <vault ip>,<DR ip>
vaultport	Vault’s configured communication port. Default Vault port: 1858
vaultusername	Vault user performing the installation. We recommend using the Vault administrator user to install Privileged Session Manager as this user has the appropriate Vault authorizations and is created in the appropriate location in the Vault hierarchy. If you install multiple PSMs in the same Vault environment, you must install all PSMs with the same Vault user.
usercredfile	The path to the user credential file. For details on creating a cred file, see CreateCredFile utility. The user credential file must be placed in a folder that is accessible only for the machine or domain administrator who runs the PSM installation. We highly recommend that you delete the credential file after completing the registration.
accepteula	Accept the end user License agreement
apigwhost	The PVWA host name. In a Distributed Vaults environment, you must define the PVWA where PSM will send REST API calls. To automatically unlock accounts, you must define the PVWA.
apigwprotocol	The protocol. By default the value is HTTPS. To automatically unlock accounts, you must define the protocol.
usepkiauthentication	This parameter enables PKI authentication to the Vault via a smart card for PSM connections. Do not enable this setting if PKI authentication is not used in your organization. If you do not enable this setting during installation and want to enable PKI authentication for PSM, follow the instructions in During PSM installation.
registerpsmwithdomain	This parameter enables registration to the Vault using the DNS name. By default the value is No. Set the value to Yes to enable registration with the DNS name.

Run the registration stage with a password. Open a PowerShell window and run one of the following commands:

Interactively run the script with the -spwd parameter to securely pass the password to the script. After running the script, enter the Vault user password and press Enter.

CD “<installation package Path>InstallationAutomation”
.\Execute-Stage.ps1 “<installation package Path>\InstallationAutomation\Registration\RegistrationConfig.XML”-spwd

Automatically run the script with the -spwdObj parameter to securely pass the password to the script. First create a secure string that holds the Vault user password. For example:

$sp = Read-Host -AsSecureString

Enter the Vault user password, press Enter, and run the script.

CD “<installation package Path>InstallationAutomation”
.\Execute-Stage.ps1 “<installation package Path>\InstallationAutomation\Registration\RegistrationConfig.XML”-spwdObj $sp

Interactively run the script with the -pwd parameter:

CD “<installation package Path>InstallationAutomation”
.\Execute-Stage.ps1 “<installation package Path>\InstallationAutomation\Registration\RegistrationConfig.XML”-pwd <vaultpassword>

This method is not recommended, as it runs with the password in clear text.

If you use a credfile, open a PowerShell window and run the following command:

CD “<installation package Path>InstallationAutomation”
.\Execute-Stage.ps1 “<installation package Path>\InstallationAutomation\Registration\RegistrationConfig.XML”

When you use the registration tool, the PSM server is assigned a unique identifier, PSM-<identifier>.

To view the ID assigned to each of PSM servers in your environment, go to PVWA > ADMINISTRATION > Systems Configuration > Options > Privileged Session Management > Configured PSM Servers.
When you use the registration tool on an existing Vault environment, every platform's PSM in this Vault environment is set to the unique identifier described in the previous step.

To edit a PSM Server ID on an individual platform, go to Platform Management, select the platform and reset the PSM server ID.

To edit multiple PSM Server IDs, you can do a bulk change. Go to Vault > PVWAConfiguration Safe > Policies.XML, and edit the PSM server IDs.

For more information, see Advanced PSM Implementations