Upgrade the Privilege Cloud Connector v12.7 and later

This topic describes the Privilege Cloud Connector upgrade for versions 12.7 and later.


Upgrading the CPM and PSM components requires downtime (typically a few minutes). We recommend performing the upgrade at a time that will have the least impact on your operations.

Perform the following steps:

Step 1: Before you begin

For CPM upgrade, there are two upgrade tools:

  • Connector Management installer (recommended installer). Currently supports CPM upgrade for any installed CPM in your system, disregarding which installer was used at the time it was installed.

  • Privilege Cloud installer (legacy installer)

The upgrade workflows support both installer tools.

Select one of the following tools and perform the related steps:

Step 2: Upgrade the CPM

Select one of the following tools to upgrade the CPM:

Step 3: Update GPO hardening

To update the GPO hardening, choose one of the following methods:

Deploy the updated GPO hardening package

  1. Download the version's Privilege Cloud Unified Hardening GPO file as described in Prepare the Privilege CloudConnector machine:.
  2. Import the GPO file to your Active Directory domain.

    1. Open the Group Policy Management Console (GPMC.msc).

    2. Create a new GPO:   
      1. Expand Group Policy Management> <yourDomain>, then right-click Group Policy Objects and select New. The New GPO window appears.

      2. In the Name field, specify a name for the Unified GPO indicating the purpose and current version (for example, Unified Hardening vN.N), and click OK.

    3. In the list of Group Policy Objects, right-click the new Hardening GPO and select Import Settings.
    4. In the Welcome to the Import Settings Wizard window, click Next, and define the following:



      Backup GPO window

      Click Next.

      Backup location screen

      Click Browse and select the location where you stored the version's unified Hardening GPO settings, for example Privilege Cloud Connector Unified Hardening GPO and click OK.

      The folder path appears in the Backup Location window.

      Click Next.

      Source GPO window

      Click Next.

      Scanning Backup window

      Click Next.

      Completing the Import Settings Wizard window

      Click Finish.

      The Import window appears indicating the progress of the GPO import.

    5. When the GPO import process has completed. Click OK.
    6. After import, select the GPO and in the Settings tab verify the settings have been imported successfully.

  3. Link the GPO file to the dedicated CyberArk OU containing CyberArk servers.

    1. Make sure all Connector servers are located under the dedicated OU, so the GPO will not affect any other server.

    2. Delete the previous GPO links according to the following steps:

      • In the Group Policy Management Console, click the OU to which the current PSM and CPM GPOs are linked.

      • Right-click each of the links and select Delete. Click OK to approve.

      • If upgrading from a version prior to v13.0, click the OU to which the legacy CPM and PSM GPO files are linked and delete each of the links. The legacy CPM and PSM GPO files are no longer relevant from v13.0 onward.

        In case of customizations to the default CyberArk CPM/PSM GPO such as added Active Directory security groups or user objects, note these changes and reapply them to the Group Policy after the upgrade.

    3. In the Group Policy Management Console, right-click the OU, then select Link an Existing GPO.

    4. Select the Unified Hardening GPO and click OK. The Unified Hardening GPO policy appears in the Linked Group Policy Objects tab.

  4. It is time to restart the Connector machine. Restart the machine so it will pull the updated GPO


    run gpupdate /force on the upgraded machines.

  5. Optionally, to support the following functions in Privilege Cloud, customize the GPO settings according to these guidelines:

    To support

    GPO update guidelines

    Direct RDP connections

    Add the following setting to the Group Policy with the appropriate Domain Security Group(s) or Users.

    Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/User Rights Assignment > Access this computer from the network (NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, Domain\RDPUserGroup).

    See Connect using RDP.

    Domain-level PSMConnect/PSMAdminConnect

    See Move PSM application users to the domain level.

    Take care when adding any domain-specific settings to the GPO and configure domain-specific settings according to CyberArk guidelines and documentation.

Manually add CPM and PSM hardening settings

If you want to retain customized GPO settings applied to the Connector machine, add the following hardening settings, that are part of this version. For full details about the Connector's GPO hardening parameters, see Connector GPO parameters.

  1. Open the Group Policy Management Console (GPMC.msc).
  2. Click the OU that stores your legacy CPM and PSM hardening setup.
  3. Apply the following changes, which are the updates made to the GPO settings in this version:

    Go to User Rights Assignment:

    Location: Computer Configuration\Policies\Windows Settings\Security Settings\LocalPolicies\User Rights Assignment

    Apply the following:



Adjust memory quotas for a process


Allow log on locally

BUILTIN\Administrators, PSMShadowUsers, PluginManagerUser

Log on as a service


Replace a process level token


Step 4: Upgrade the PSM

Upgrade the PSM component using the installation wizard.

Before you upgrade the PSM component:
  • Make sure you have performed the preparatory steps described in Before you begin, in this topic.

  • Note that as part of the upgrade, legacy PSM logs are grouped in a zip file and copied to internal archive folders for future access if necessary.

To upgrade the PSM component:

  1. Open the PSM installation package you created in Prepare the Privilege CloudConnector machine:.

  2. Right-click Setup.exe, and then select Run as Administrator.

  3. The installation wizard appears. Click Next and follow these steps within the wizard:



    Microsoft Visual C++ 2013 Redistributable Package (x64) error Ignore and click Yes to Continue

    If Connector machine is domain-joined, and you logged on with a local user, the following message appears:

    • Click Yes if you are not using the RemoteApp user experience capability.

    • Click No to stop the upgrade, log on with a domain user who is a local administrator, and start the upgrade again.

    Password Vault Web Access Environment page

    Retain the default settings and click Next .

    Vault's Connection Details page

    Retain the default settings and click Next .

    Vault's Username and Password details page

    Enter the same Privilege Cloud admin credentials used for the Connector installation(installeruser@cyberark.cloud.<suffix>) and click Next.

    API Gateway connection details page

    Optionally, to apply the PSM automatically unlock accounts capability, enter the Privilege Cloud portal hostname in the Host field:


    Otherwise, click Next .

    PKI Authentication configuration page

    Optionally, to benefit from the Smart Card authentication for RDP connection capability, select Enable PKI authentication for PSM.

    Otherwise, click Next .

    If message appears, click Yes

  4. In the Hardening page, click Advanced and enter the following selections, depending on in-domain or out-of-domain hardening solution:

    Click Next .

  5. On the Update Complete page, click Finish.


    You can restart the Connector machine at a later stage. In any case, you must restart the Connector machine before you can use it.

Step 5: Verify the Connector upgrade is completed successfully

  1. Review installation logs.

    Review the installation logs to make sure that there are no errors in the upgrade process.

    You can find the logs in the following locations:






    v13.1 and later: <Windows installation directory>\Temp\PSM\PSMInstall.log

    v13.0 and earlier: <Windows installation directory>\Temp\PSMInstall.log

  2. Verify all services are running on the Connector:

    • CPM

    • Scanner (a CPM service)

    • PSM

  3. Test PSM connectors.

    Test a few sample components, for example, Standard Windows server, Web App connection, or SSH connection.

    In the event that any of the PSM connectors are not functioning properly, ensure the relevant executables are included in the PSMConfigureApplocker.xml file. See details in Check Privilege Cloud Connector functionality.

  4. Test CPM

    On the CPM that you updated, test the password verify/change/reconcile for a managed account.

  5. Enable the existing antivirus agent, or install an industry standard antivirus software.