Master Cybersecurity Skills. Build a Real Career.

CyberArk CPM Upgrade Guide 2026: Complete Step-by-Step Central Policy Manager Upgrade Process for PAM Self-Hosted

  • Home
  • Blog
  • CyberArk CPM Upgrade Guide 2026: Complete Step-by-Step Central Policy Manager Upgrade Process for PAM Self-Hosted
Image
  • July 07 2026

CyberArk CPM Upgrade Guide 2026: Complete Step-by-Step Central Policy Manager Upgrade Process for PAM Self-Hosted

CyberArk CPM Upgrade Guide 2026 | Complete Central Policy Manager Upgrade Process

Estimated Reading Time: 12 Minutes

Learn how to perform a CyberArk CPM Upgrade with this complete 2026 guide. Covers prerequisites, PowerShell automation, registration, secure communication, TLS, repair procedures, validation, post-upgrade tasks, and enterprise best practices.

The CyberArk Central Policy Manager (CPM) is one of the most critical components of the CyberArk Privileged Access Manager (PAM) Self-Hosted platform. While the Vault securely stores privileged credentials and the Password Vault Web Access (PVWA) provides administrative access, the CPM is responsible for automatically changing, verifying, and reconciling passwords across thousands of managed accounts throughout an enterprise.

Because the CPM directly manages privileged credentials, upgrading it requires careful planning. A poorly executed upgrade can interrupt password rotations, break platform integrations, delay password reconciliations, or affect production operations. For this reason, CyberArk recommends following a structured upgrade methodology that includes preparation, automated installation, secure registration, validation, and hardening.

This comprehensive guide walks you through the complete CyberArk CPM Upgrade Process, based on CyberArk best practices and real-world enterprise deployment experience.


Why Upgrading the CyberArk CPM is Important

Modern organizations continuously upgrade their CyberArk environments to remain secure, supported, and compatible with the latest platform enhancements.

Every new CyberArk release introduces security improvements, enhanced password management capabilities, updated plugins, performance optimizations, improved platform compatibility, and important bug fixes. Running an outdated CPM can expose organizations to operational challenges, unsupported configurations, and compatibility issues with newer versions of the Vault, PVWA, PSM, and external target systems.

A properly planned CPM upgrade ensures uninterrupted password management while maintaining compliance and operational stability.


CPM Upgrade Overview

The CyberArk CPM upgrade consists of five major phases:

Environment Validation → CPM Installation → Registration with Vault → Post-Upgrade Validation → Security Hardening

CyberArk supports upgrading the CPM using either the PowerShell automation scripts included with the installation package or the graphical Installation Wizard. For enterprise environments, CyberArk strongly recommends using the automation scripts because they provide consistency, repeatability, and reduced manual configuration errors.


Phase 1 – Perform Pre-Upgrade Tasks

Before beginning the upgrade, verify that the entire CyberArk environment is ready for the new version.

A successful CPM upgrade always starts with planning rather than installation.

Administrators should review the CyberArk compatibility matrix to ensure that all deployed components—including the Vault, PVWA, PSM, PTA, Identity integrations, and external authentication providers—are supported with the target CPM version.

Running incompatible versions may lead to registration failures, communication problems, or unsupported production configurations.


Verify Component Compatibility

Always validate compatibility between the Vault, PVWA, CPM, PSM, PTA, and other CyberArk components before upgrading. Keeping every component within the supported compatibility matrix significantly reduces upgrade risks.

Compatibility verification should be completed before any production changes are made.


Upgrade PVWA Before CPM

One of CyberArk's most important recommendations is upgrading the Password Vault Web Access (PVWA) before upgrading the CPM.

The newer PVWA versions introduce enhancements that the upgraded CPM expects during registration and secure communication.

If both components are scheduled for maintenance, always complete the PVWA upgrade first.

You can follow our detailed guide here:

CyberArk PVWA Upgrade Guide 2026 – Complete Step-by-Step Upgrade Process


Verify Windows PowerShell

The CPM installation automation requires:

Windows PowerShell Version 5 or Later

Before upgrading, verify the installed PowerShell version by running:

$PSVersionTable.PSVersion

If PowerShell is outdated, update it before continuing with the upgrade.


Back Up the CPM Environment

A production upgrade should never begin without a verified backup.

CyberArk recommends backing up the complete CPM installation directory along with all customized platform configurations stored inside the PasswordManagerShared Safe.

These platform configurations represent years of customization in many organizations and should always be preserved before making any changes.

Always back up the CPM installation folder and the PasswordManagerShared Safe containing platform configurations. These backups provide a reliable rollback option if unexpected issues occur during the upgrade.

 


Establish a Secure Channel Between CPM and PVWA

Modern CyberArk versions require secure communication between the CPM and the PVWA.

This secure communication depends on proper SSL certificate validation.

Before upgrading:

  • Import the Certificate Authority (CA) certificate that issued the PVWA SSL certificate.

  • Verify that the CPM server can reach the Certificate Revocation List (CRL) distribution points.

  • Confirm SSL trust between both servers.

Beginning with CyberArk version 15.0, the validatePVWASecureConnect flag controls certificate validation.

When this parameter is set to true, certificate validation is enforced during installation.

If validation fails, the registration process immediately stops.

Although the parameter can be disabled, this is not recommended for production environments.


Certificate Validation Failure

If PVWA certificate validation fails, the CPM cannot fully register with the Vault. As a result, the CPM Settings page does not appear in the PVWA, System Health cannot display complete CPM information, and default platform packages are not imported automatically.

The preferred solution is always to resolve the SSL certificate issue and rerun the registration process rather than bypassing validation.


Enable TLS 1.2

CyberArk requires TLS 1.2 or later for secure communication.

The prerequisite PowerShell script automatically enables TLS support.

Execute:

CPM_PreInstallation.ps1

from an elevated PowerShell session before beginning the installation.


Phase 2 – Upgrade the CPM

CyberArk provides two supported upgrade methods.

Organizations can use the PowerShell automation scripts or the graphical Installation Wizard.

Large enterprises almost always choose the automated PowerShell approach because it ensures standardized deployments across multiple environments.


Stop CPM Services

Before upgrading, stop the following Windows services:

CyberArk Password Manager

CyberArk Central Policy Manager Scanner

Stopping these services prevents file locking during installation.


Configure InstallationConfig.xml

Open:

CPM\InstallationAutomation\Installation\InstallationConfig.xml

Update the installation parameters, including:

  • Username

  • Company Name

  • CPM Installation Directory

Most importantly:

isUpgrade=True

This informs the installer that the existing CPM installation should be upgraded rather than creating a new environment.


Execute the Installation Script

Run the installation script from an elevated PowerShell window:

CPMInstallation.ps1

The script upgrades both the Central Policy Manager and the Scanner components.

Unlike a fresh installation, the authentication file already used by the CPM to connect with the Vault is preserved during the upgrade.


DR Mode Considerations

Organizations operating a Disaster Recovery (DR) CPM should note an important behavior.

During a DR CPM upgrade, the PluginManagerUser account is not automatically created.

Administrators must manually create this account before running the hardening process.

This behavior is expected and does not indicate an installation failure.


Phase 3 – Register the CPM

After installation completes successfully, the upgraded CPM must reconnect to the Vault.

This process is known as Registration.

Registration establishes secure communication, creates the CPM environment inside the Vault, validates connectivity, and finalizes the upgrade.


Configure CPMRegisterComponentConfig.xml

Edit:

CPMRegisterComponentConfig.xml

Update all required parameters including:

  • Vault IP Address

  • Vault Port

  • Vault User

  • Installation Directory

  • Username

  • TLS Version

  • Vault Communication Protocol

Ensure the following parameter is configured:

isUpgrade=True

Run the Registration Script

CyberArk recommends executing:

CPMRegisterComponent.ps1

using a Secure String password rather than supplying passwords in plain text.

After successful registration, the CPM reconnects to the Vault and resumes normal password management activities.


Repairing the CPM Environment

Sometimes upgrades fail because of incorrect Vault credentials, interrupted installations, or missing registration information.

CyberArk provides a built-in Repair Wizard to recreate the CPM environment without recreating existing Vault users.

The repair process reinstalls the CPM binaries while preserving previously created users and credential files.

If the upgrade fails because of incorrect Vault credentials or incomplete registration, use the Repair option from Windows Programs and Features to recreate the CPM environment instead of reinstalling the component from scratch.

Version-Specific Upgrade Considerations

Beginning with CyberArk version 13.2, a predefined Vault group named PVWAAccountsFeedAdmins is automatically created.

If an existing group already uses this name, administrators should rename the existing group and rerun the repair procedure after upgrading.

Review all release-specific notes before upgrading to avoid unexpected compatibility issues.


Validate the Upgrade

Once the CPM upgrade is complete, administrators should validate the installation before returning the environment to production.

Review the installation logs located in the Windows Temp directory.

The primary installation log:

CPMInstall.log

contains detailed information about every installation step and any errors encountered.

Successful completion of the upgrade should also be verified by checking:

  • CPM Windows Services

  • Vault Registration

  • Password Changes

  • Password Verification

  • Password Reconciliation

  • Scanner Functionality

  • Platform Availability

  • PVWA Component Health


CPM Plugin Best Practices

CyberArk strongly recommends avoiding direct modifications to the default CPM plugins supplied with the product.

If platform customization is required, create separate custom plugins rather than modifying the original files.

This approach simplifies future upgrades and prevents customized files from being overwritten.

Organizations should also regularly download the latest certified platforms from the CyberArk Marketplace to take advantage of updated integrations and security enhancements.


Enterprise Upgrade Best Practices

Always perform CPM upgrades first in Development, then Test, and finally Production. Validate password rotation, verification, reconciliation, plugin functionality, platform integrity, and Vault connectivity before allowing production workloads to resume. Maintain verified backups throughout the upgrade process to support rapid rollback if necessary.

Following a structured enterprise methodology significantly reduces deployment risk while ensuring continuous privileged credential management.


Final Thoughts

The CyberArk Central Policy Manager is responsible for one of the most security-critical operations in the PAM ecosystem—automatically managing privileged credentials. Because of its importance, upgrading the CPM requires far more than simply replacing binaries. Administrators must validate compatibility, prepare the operating system, establish secure communication with the PVWA, perform the installation, register the component with the Vault, review installation logs, verify password management functionality, and complete post-upgrade hardening.

Using CyberArk's PowerShell automation scripts simplifies the process and reduces manual configuration errors, making upgrades more reliable and repeatable across enterprise environments. Whether you are upgrading a standalone CPM, a Disaster Recovery environment, or a highly available production deployment, following CyberArk best practices ensures a secure and successful upgrade.


πŸ“– Read the Complete CyberArk Upgrade Handbook

CyberArk PAM Self-Hosted Upgrade Guide 2026 – Complete Vault, DR, Cluster & Distributed Upgrade Handbook

🎯 Whether you are a CyberArk Engineer, PAM Architect, or Security Consultant, this comprehensive guide explains how real enterprise CyberArk upgrades are planned and executed safely in production environments.

You may also find this related guide useful:

CyberArk PVWA Upgrade Guide 2026 – Complete Step-by-Step Upgrade Process


Continue Your CyberArk Learning Journey

Advance your CyberArk skills with hands-on, enterprise-focused training:

CyberArk Full Training Program

CyberArk Instructor-Led Training

CyberArk Privilege Cloud (CPC) Self-Paced Online Training

CyberArk Server Migration and Version Upgrade Course

Comments ()

Leave a reply

Your email address will not be published. Required fields are marked*

Recent Post

Copyright 2022 SecApps Learning. All Right Reserved