Upgrade Roadmap

The following provides a roadmap for the steps necessary to upgrade Privileged Identity.


You will need a complete inventory of every server that is running one or more PI components during the upgrade process. Documenting every piece of your PI environment is crucial.

For more information, please see Document an Inventory of Your Existing Privileged Identity Environment.

Log into the BeyondTrust Customer Portal to download the Privileged Identity installer file.

For more information, please see Download the Privileged Identity Installer.

Understand the product requirements prior to installation by reviewing the release notes, prerequisites, host system requirements, database requirements, and service account requirements.

Also, run the Prerequisites Checker on each PI component server and resolve any noted deficiencies.

For more information, please see Review Prerequisites and Install Required Software.

If there are any difficulties during or after upgrade and a rollback is required, the upgraded database may prevent previous functionality from working. The database and encryption key are required for disaster recovery purposes. The encryption key is the only way to recover PI data if PI itself is not available.

The license key and recovery access password should be backed up in case you need to perform a fresh install of PI. Store the license key and recovery access password in a location outside of your PI environment (for example, external media or a server not used to host any PI components).

Create and test backups of the servers that host one or more PI components in your environment.

For more information, please see Back Up Privileged Identity Data Store, Components, and Servers .

This step is optional; however, it is highly recommended. Perform SQL Server database maintenance, including SQL Server Index Defragmentation, SQL Server Index Tuning, and Privileged Identity App Data Store Maintenance in accordance with your organization’s data retention policies. Also run a query to remove stored procedures and views and remove the version tracking from the database.

For more information, please see Perform Database Maintenance and Delete Stored Procedures and Views.

Remove Existing Privileged Identity Components

  • Use the PI management console or Windows Services snap-in to stop and remove all of the deferred and zone processing services. This ensures that jobs will not be processed during the database upgrade and helps prevent any data loss or corruption.
  • In product versions 5.5.2 and earlier, the Deferred Processing Service was called Enterprise Random Password Manager Deferred Processing Service.

    For more information, please see Remove Deferred Processors and Zone Processors.

    If upgrading from version 5.5.2 or earlier, the web site registration and naming process follows a different process than or later. Failure to remove existing web sites will cause multiple registrations with different names to appear in the web site registration dialog and can cause your security and other settings not to take effect.

    For more information, please see Remove All Web Application Instances and Web Services.

    Upgrade Privileged Identity Components

    The primary management console is the administrative component where most settings for Privileged Identity are configured. If you have multiple management consoles, upgrade your primary licensed management console first. Launch that console, and then upgrade any other secondary management consoles.


    All Privileged Identity management consoles must be closed prior to running the upgrade installer.

    For more information, please see Upgrade the Management Console.

    The web application is used by consumers and auditors. Consumers will retrieve secured passwords or establish sessions through a delegated and audited process. Auditors will be able to generate reports and audit settings.

    For more information, please see Upgrade the Web Application Instance.

    The web service provides API-based functionality via a SOAP or REST-based URI and is required by the web application, PowerShell, federated logins (SAML/OAUTH), and application launcher modules. The web service is deployed from a separate installer or can be pushed from the management console with version or later of the product.

    For more information, please see Upgrade the Web Service.

    Upgrade the Deferred Processing Services as well as Zone Processors.

    For more information, please see Upgrade Scheduling Services.

    This step is optional. A zone processor is a remotely deployed scheduling service designated to perform specific jobs against a specific list of systems and devices (management set). Conversely, the default deferred processor is installed with the management console and will handle any configured jobs against any and all lists of systems. Zone processors are typically used in demilitarized zones (DMZs) or distributed networks where normal communication may not be allowed. Zone processors are also used to improve the job processing throughput of the entire solution. Zone processors may also require secondary installations of integration components and the cross-platform support library.

    For more information, please see Deploy Zone Processors.

    PowerShell cmdlets extend the management of Privileged Identity to a command line scripting environment.

    For more information, please see Upgrade PowerShell.

    Application launching allows users to enter a privileged session without gaining access to the underlying credentials (password, key, etc.) using a secured host where session recording may also be enabled for the session.

    For more information, please see Upgrade Application Launcher and Session Recording Software.

    This service is listed for syslog UDP traffic and retransmits it using SSL or TCP for greater security and reliability when forwarding events to loggers and SIEM products.

    For more information, please see Using the Syslog Forwarder to Forward Syslog & MSMQ in the Privileged Identity Admin Guide.