Enable Windows Update for a standalone install

Overview

If you prefer to manually update your Digital Vault server with Microsoft Windows security patches, you must first modify the server hardening (temporarily enable specific services) so you can install the relevant Microsoft updates. After you install the update(s), you must restore the server hardening by disabling the services again.

Installing Microsoft Windows security patches involves restarting the Digital Vault server, which causes downtime. Follow the procedures below to minimize your Vault downtime as much as possible.

Before installing the updates

Verify that you've obtained the correct Microsoft Windows KB files for your operating system, along with any related dependent and/or mandatory KBs.

Install Microsoft Windows Security Updates

Perform the procedure that is relevant for your system architecture: Primary-DR, Distributed Vaults, or clustered.

Primary-DR Environment

  1. Go to the Disaster Recovery server.

    1. Upload the KB file to the Digital Vault server machine.
    2. Navigate to Services Management.

      • Enable and start the Windows Update service.
      • Enable and start the Windows Module Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Back up the entry.
        • Change the value of Start to 3.
        • Restart the Digital Vault server.
        • Navigate to Services Management and start the Windows Installer service.
    3. Navigate to Services Management.

      • Stop the CyberArk Disaster Recovery service.
      • Stop the CyberArk Database service.
      • If applicable, stop the PrivateArk Remote Control Agent service.
    4. Install the Windows patch for the relevant operating system. Restart the Digital Vault server if prompted.
    5. Verify the KB installed successfully on the server.
    6. Navigate to Services Management.

      • Stop and disable the Windows Update service.
      • Stop and disable the Windows Module Installer service.
      • Stop and disable the Windows Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Change the value of Start to 4.
      • Restart the Digital Vault server.

    7. Repeat step 1 for all DR Vaults, followed by the Primary Candidate.

      To disable automatic failover:

      • Open the PADR.ini file located at PADR/conf.
      • Set EnableFailover=no and save the file.
      • Restart the CyberArk Disaster Recovery service on the Primary Candidate.
  2. Go to the Active server.

    1. Upload the KB file to the Digital Vault server machine.

    2. Navigate to Services Management.

      • Enable and start the Windows Update service.
      • Enable and start the Windows Module Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Back up the entry.
        • Change the value of Start to 3.
        • Restart the Digital Vault server.
        • Navigate to Services Management and start the Windows Installer service.
    3. Navigate to Services Management.

      • Stop the PrivateArk Server service.
      • Stop the CyberArk Database service.
      • If applicable, stop the PrivateArk Remote Control Agent service.
    4. Install the Windows patch for the relevant operating system. Restart the Digital Vault server if prompted.
    5. Verify that the KB was installed successfully on the server.
    6. Navigate to Services Management.

      • Stop and disable the Windows Update service.
      • Stop and disable the Windows Module Installer service.
      • Stop and disable the Windows Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Change the value of Start to 4.
      • Restart the Digital Vault server.
    7. If there was failover to the passive node, follow the procedure to initiate a DR failback to the production Vault.

Distributed Vault

  1. Connect to the Satellite server that is not the Primary Candidate.

    1. Upload the KB file to the Digital Vault server machine.

    2. Navigate to Services Management.

      • Enable and start the Windows Update service.
      • Enable and start the Windows Module Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Back up the entry.
        • Change the value of Start to 3.
        • Restart the Digital Vault server.
        • Navigate to Services Management and start the Windows Installer service.
    3. Navigate to Services Management.

      • Stop the CyberArk Disaster Recovery service.
      • Stop the PrivateArk Server service.
      • Stop the CyberArk Database service.
    4. Install the Windows patch for the relevant operating system. Restart the Digital Vault server if prompted.
    5. Verify the KB installed successfully on the server.
    6. Navigate to Services Management.

      • Stop and disable the Windows Update service.
      • Stop and disable the Windows Module Installer service.
      • Stop and disable the Windows Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Change the value of Start to 4.
      • Restart the Digital Vault server.
    7. To disable automatic failover, stop the CyberArk Disaster Recovery service.
    8. Repeat step 1 for all Satellites that are not the Primary Candidate.
  2. Connect to the Primary Candidate.

    1. Disable automatic failover:

      • Open the PADR.ini file located at PADR/conf.
      • Set EnableFailover=no and save the file.
      • Restart the CyberArk Disaster Recovery service on the Primary Candidate.
    2. Repeat step 1 for the Primary Candidate.

  3. Connect to the Primary server.

    1. Upload the KB file to the Digital Vault server machine.

    2. Navigate to Services Management.

      • Enable and start the Windows Update service.
      • Enable and start the Windows Module Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Back up the entry.
        • Change the value of Start to 3.
        • Restart the Digital Vault server.
        • Navigate to Services Management and start the Windows Installer service.
    3. Navigate to Services Management.

      • Stop the PrivateArk Server service.
      • Stop the CyberArk Database service.
      • If applicable, stop the PrivateArk Remote Control Agent service.
    4. Install the Windows patch for the relevant operating system. Restart the Digital Vault server if prompted.
    5. Verify that the KB was installed successfully on the server.
    6. Navigate to Services Management.

      • Stop and disable the Windows Update service.
      • Stop and disable the Windows Module Installer service.
      • Stop and disable the Windows Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Change the value of Start to 4.
      • Restart the Digital Vault server.
  4. If there was a failover to the Primary Candidate, follow the procedure to fail back upon recovery.

  5. If you disabled automatic failover, enable it again.

Cluster Environment for Primary-DR and Distributed Vaults

 
  • For clustered Disaster Recovery Vaults, start with the DR site.
  • For a Distributed Vault cluster, start with the Satellite site.

On the Disaster Recovery / Satellite site:

  1. Connect to the passive node.

    1. Upload the KB file to the Digital Vault server machine.

    2. Navigate to Services Management.

      • Enable and start the Windows Update service.
      • Enable and start the Windows Module Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Back up the entry.
        • Change the value of Start to 3.
        • Restart the Digital Vault server.
        • Navigate to Services Management and start the Windows Installer service.
    3. Stop the passive node from the CyberArk Cluster Vault Management interface and exit the application.
    4. Install the Windows patch for the relevant operating system. Restart the Digital Vault server if prompted.
    5. Verify the KB installed successfully on the server.
    6. Navigate to Services Management.

      • Stop and disable the Windows Update service.
      • Stop and disable the Windows Module Installer service.
      • Stop and disable the Windows Installer service.

        • Navigate to Registry Editor.
        • Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
        • Change the value of Start to 4.
        • Restart the Digital Vault server.
  2. Connect to the active node.

    1. Initiate failover (switch-over) to the passive node on the same site, and wait for the failover to complete.
    2. Follow step 1.
  3. Repeat steps 1-2 on all Disaster Recovery / Satellite sites.
  4. Repeat steps 1-2 on the Primary site.
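
The restore step in each procedure above (stop and disable the three services, set the msiserver Start value to 4, restart) is what returns the Vault to its hardened state, so it is worth checking on every server after the final restart. The PowerShell below is an added example, not CyberArk's own tooling. It assumes the standard Windows short service names (wuauserv, TrustedInstaller, msiserver) for the services named on this page, and KB0000000 is a placeholder for the KB you installed.

```powershell
# Added example: audit that Vault hardening was restored after patching.
# Run in an elevated PowerShell session on the Digital Vault server.
param(
    [string]$KbId = 'KB0000000'   # placeholder: replace with the KB you installed
)

# Short service name -> display name (standard Windows names, assumed to match
# the services this page enables and disables).
$services = [ordered]@{
    wuauserv         = 'Windows Update'
    TrustedInstaller = 'Windows Modules Installer'
    msiserver        = 'Windows Installer'
}

$findings = foreach ($name in $services.Keys) {
    # Start = 4 means Disabled; Start = 3 means Manual (the temporary patching state).
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    $svc   = Get-Service -Name $name

    [pscustomobject]@{
        Service    = $services[$name]
        StartValue = $start
        Status     = $svc.Status
        Hardened   = ($start -eq 4 -and $svc.Status -eq 'Stopped')
    }
}

# Confirm the update itself is recorded as installed.
$kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
if ($kb) {
    Write-Output "$KbId installed on $($kb.InstalledOn)"
} else {
    Write-Output "$KbId not reported by Get-HotFix"
}

# Non-zero exit code if any service is still enabled or running, or the KB is missing,
# so the check can gate the next server in the rollout.
if (($findings.Hardened -contains $false) -or (-not $kb)) {
    exit 1
}
```

A row with StartValue 3 or Status Running after the final restart means the hardening was not restored on that server.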