Azure Installation Package

The installation package includes the CyberArk PAM - Self-Hosted Azure deployment templates. See Azure ARM templates.

CyberArk Virtual Machine Images

To quickly deploy CyberArk as an automatic process, we have created virtual machine images that contain CyberArk PAM - Self-Hosted software installed but not configured.

The deployment contains images for the Vault, PVWA, CPM, PTA, PSM for Windows, and PSM for SSH. All these images are provided with the latest CyberArk PAM - Self-Hosted version.

The images are based on a Windows Server 2016 or Windows Server 2019 operating system, the PSM for SSH image and the PTA image are based on the Azure RHEL image.

You can also create your own images. For details, see Bring your own image (BYOI) - Azure.

Sharing Images

To share the CyberArk images with your Azure account, go to the Share Image on Cloud folder in CyberArk Marketplace and click Share image on Cloud.

The sharing process involves downloading a PowerShell script from CyberArk Marketplace. The script interactively asks the customer where to download the snapshots, and automatically downloads the snapshots and creates images.

To obtain the PowerShell script that enables image sharing with your Azure subscription, go to the Share Image on Cloud folder in CyberArk Marketplace and click Share image on Cloud.

Run the script

Place the script in your Azure Cloud Shell or terminal authenticated to your Azure account. If you are using Cloud Shell, make sure to select PowerShell as your shell type.

  • Run the script with default values:

    ./import-pas-images-vXX.X.ps1 -useDefaults True
  • Run the script interactively:


Vault Image

The Vault Image supports the Windows Server 2016 and Windows Server 2019 platforms, and supports a standalone Vault or a disaster recovery environment.

The Vault Image includes the following:

  • Installed Vault and DR


    The Disaster Recovery Vault service is disabled.

  • Expired license
  • Default password for the Administrator / Master user
  • Internal utility that finalizes the Vault and DR Vault settings and can be used by the Azure template

Components Images

The Components images contain the following CyberArk PAM - Self-Hosted components: PVWA, CPM, PTA, PSM, and PSM for SSH. These components are installed and disabled. This means the Windows services for CPM and PSM are disabled and the PVWA web application is turned off, including the application pool.

  • Installed and hardened PVWA
  • Installed and hardened CPM
  • Installed and hardened PTA
  • Installed and hardened PSM
  • Installed and hardened PSM for SSH
  • The components are not attached to a Vault environment
  • Installed PrivateArk Client
  • The Remote Desktop Session Host feature is installed on the PSM machine. Once you have launched the components image, verify that you have an RDS CAL license to connect to the PSM server with the Microsoft Remote Desktop Services (RDS) Session Host. PSM can work with any RDS CAL license scheme (either per user or per device). For more information about purchasing an RDS CAL license, contact your Microsoft representative.

Azure ARM templates

The Azure ARM templates are available in the public GitHub,