Integrate the Digital Vault with a Windows Patch Server (WSUS)

Overview

Microsoft security updates ensure that the underlying Operating System is protected and current with the latest known security updates. The following procedure describes how Vault administrators can perform these monthly Microsoft updates in a way that maintains CyberArk's high level of security and ensures that the Vault’s hardening remains intact at all times.

This procedure includes two stages:

  • Initial set up and configuration

  • Install security updates

Supported Platforms

  • Windows Server 2016

  • Windows Server 2012 R2
  • Windows Server 2008 R2

Prerequisites

  • To prevent the GPO from overriding the configuration explained below, make sure that the Vault is not a member of the domain.

  • The Vault must be hardened according to CyberArk's Security Standards. For more information, refer to Digital Vault Security Standard.

  • Customers who use DNS records for the WSUS server must manually add them to the hosts file.

  • Customers who use TLS (https) to communicate with the WSUS server must manually install the certificate of the CA that signed the WSUS server's certificate on the Vault machine.

Initial set up and configuration

This section describes how to set up and configure the Vault and the WSUS server for the first time. Either use the ConfigureWSUS.ps1 script OR set up configuration manually.

Copy the WSUS scripts to the Vault machine

All the scripts required to configure and update monthly Microsoft security patches are included in the PAS installation package, in the WSUS folder.

Configure the Vault and the WSUS server

Install security updates

This is a recurring process that must be run each time you apply an OS update.

Known issues

On Windows Server 2008 R2, the "Execution is disabled on this system" message appears.

  1. The first time you get this error message, run the command that will allow you to run scripts on the system.

  2. Open PowerShell as an administrator and run Set-ExecutionPolicy RemoteSigned.
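
The following read-only check covers the prerequisites and the execution-policy issue described above. It is an added example, not part of the CyberArk WSUS scripts. The function name, the WSUS host name and the certificate path are placeholders, and it assumes the CA certificate was installed in the Local Machine Trusted Root store.

```powershell
# Added example: read-only pre-flight check for the Vault prerequisites.
# The default WSUS name and certificate path are placeholders, not CyberArk values.
function Test-VaultWsusPrereqs {
    param(
        [string]$WsusHost   = 'wsus.example.local',   # placeholder WSUS server name
        [string]$CaCertPath = 'C:\Temp\wsus-ca.cer',  # placeholder: exported CA certificate
        [switch]$UsesTls                              # set when the WSUS URL is https
    )
    function New-Result($Check, $Pass, $Detail) {
        New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" } |
            Select-Object Check, Pass, Detail
    }

    # Prerequisite: the Vault is not a domain member, so no GPO can override the settings.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Result 'Not a domain member' (-not $cs.PartOfDomain) $cs.Domain

    # Prerequisite: a WSUS server addressed by DNS name has an entry in the hosts file.
    # Commented-out lines and names that appear only after a '#' do not count.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '^\s*[0-9a-fA-F:.]+\s+(?:[^#\s]+\s+)*' + [regex]::Escape($WsusHost) + '(?:\s|#|$)'
    $entry = Get-Content $hostsPath | Where-Object { $_ -match $pattern } | Select-Object -First 1
    New-Result 'WSUS name in hosts file' ($null -ne $entry) $entry

    # Prerequisite (TLS only): the CA that signed the WSUS server certificate is installed.
    # Assumption: it was installed in the Local Machine "Trusted Root" store.
    if ($UsesTls) {
        if (Test-Path $CaCertPath) {
            $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
            $hit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
            New-Result 'WSUS CA trusted' ($null -ne $hit) "$($ca.Subject) expires $($ca.NotAfter)"
        } else {
            New-Result 'WSUS CA trusted' $false "certificate file not found: $CaCertPath"
        }
    }

    # Known issue: a Restricted execution policy blocks the WSUS scripts.
    $policy = Get-ExecutionPolicy
    New-Result 'Scripts allowed to run' ($policy -ne 'Restricted') $policy
}

Test-VaultWsusPrereqs -WsusHost 'wsus.example.local' -UsesTls | Format-Table -AutoSize
```

The function uses only cmdlets available in PowerShell 2.0, so it can be pasted into an elevated console on any of the supported platforms, including Windows Server 2008 R2.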

 

 
Privileged Access Security 11.4