Installing Windows Agents

Before installing the agent for the first time or upgrading from a previous version, review Reboot Requirements - Windows Agents to understand which conditions in the runtime environment require a reboot of the computer for the install or upgrade to complete properly and for the agent to function properly. Failing to account for the reboot requirements in your environment may result in the application control service or other components of the agent failing to function properly.

Agent System Requirements

For agents in an environment with a moderate policy configuration, the requirements for memory and disk space are as follows:

  • Memory usage: 50 MB
  • Disk usage:

    • IBM Security base agent: 10 MB
    • Application Control Solution: 9 MB
    • Local Security Solution: 3 MB
    • Security Analysis Solution: 13 MB
  • CPU Architecture: Intel (ARM not supported)
  • Average CPU over a week: 3%
  • Impact to boot time: Negligible

Directory Services Agent

The Directory Services Agent needs to be installed on a well-resourced system that meets the following requirements:

  • Operating system, either:

    • Windows 10 or above
    • Windows Server 2016, 2019, 2022, 2025
  • Port requirements:

    • The agent needs to be able to communicate with the server on port 443
    • The AD Sync agent and the Domain Controller communicate over LDAPS

The Directory Services Agent is available for 64-bit (x64) systems only.

Supported Windows Operating Systems (both 32- and 64-bit) on Systems Considered Workstations:

  • Desktops: Windows 10, Windows 11
  • Servers: Windows Server 2016, 2019, 2022, 2025
  • Disable the GPO security option "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
  • Under certain conditions (e.g., when a computer is enrolled in the Windows Insider Program) it may be necessary to ensure that the Application Control Service continues to work on unsupported OS build versions. A registry entry can be created manually that will bypass kernel checks on unsupported OS builds. To do so:

    1. Under the device driver's service registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ArelliaACDrv, create a subkey named Parameters.

    2. Under the Parameters subkey, create a DWORD value named SupportedOSBuildOverride with a decimal value that corresponds to the maximum OS build number that the driver can safely work with, where the OS build number is higher than the value that the driver was originally built to support.

    The override value is compared to the OS build number of the system. If the override value is greater than or equal to (>=) the OS build number, the driver allows itself to continue loading normally.
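The two registry steps above can be scripted. The following PowerShell is an added example, not code from the product documentation. It assumes the agent is already installed (so the ArelliaACDrv service key exists) and that it runs in an elevated session. The `MaxBuild` parameter name is hypothetical. The script also reports whether the stored value satisfies the ">=" comparison for the running OS build.

```powershell
#Requires -RunAsAdministrator
param(
    # Highest OS build number you have validated the driver against (decimal).
    # Hypothetical parameter name chosen for this example.
    [Parameter(Mandatory)]
    [ValidateRange(1, [int]::MaxValue)]
    [int]$MaxBuild
)

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ArelliaACDrv'
$paramsKey  = Join-Path $serviceKey 'Parameters'
$valueName  = 'SupportedOSBuildOverride'

# The driver's service key is created by the agent installer; do not create it by hand.
if (-not (Test-Path -Path $serviceKey)) {
    throw "Driver service key not found: $serviceKey. Install the agent first."
}

# Build number of the running OS, e.g. 19045 on a Windows 10 22H2 system.
$currentBuild = [System.Environment]::OSVersion.Version.Build

# The driver loads only if override >= OS build, so a lower value has no effect.
if ($MaxBuild -lt $currentBuild) {
    Write-Warning "Override $MaxBuild is lower than the running build $currentBuild; the driver check will not pass."
}

# Step 1: create the Parameters subkey if it does not exist yet.
if (-not (Test-Path -Path $paramsKey)) {
    New-Item -Path $paramsKey | Out-Null
}

# Step 2: create (or overwrite) the DWORD value with the chosen build number.
New-ItemProperty -Path $paramsKey -Name $valueName `
    -PropertyType DWord -Value $MaxBuild -Force | Out-Null

# Read the value back and show how it compares to the running build.
$stored = (Get-ItemProperty -Path $paramsKey -Name $valueName).$valueName
[pscustomobject]@{
    RegistryKey    = $paramsKey
    OverrideValue  = $stored
    CurrentOSBuild = $currentBuild
    CheckSatisfied = ($stored -ge $currentBuild)
}
```

Setting the override to a specific build you have tested, rather than an arbitrarily large number, keeps the driver's check active for later builds you have not yet validated.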