Requirements for Windows platforms
Supported operating systems
On 30 June 2025, our Windows protection for these OS versions will become End of Life (EOL): Windows XP, Vista, Server 2003, and Server 2008 (Windows 2008 R2 will continue to be supported). After the EOL date, the product license will be automatically removed from all computers that run these OS versions, and you will not be able to allocate licenses to affected computers. Computers without a license will have all protections disabled, lose access to Collective Intelligence, stop receiving signature file updates, and cease to run assigned tasks. See https://www.watchguard.com/wgrd-trust-center/end-of-life-policy.
Workstations with an x86 or x64 microprocessor
- Windows XP SP3 (32-bit)
- Windows Vista (32-bit and 64-bit)
- Windows 7 (32-bit and 64-bit)
- Windows 8 (32-bit and 64-bit)
- Windows 8.1 (32-bit and 64-bit)
- Windows 10 (32-bit and 64-bit)
- Windows 11 (64-bit)
Computers with an ARM microprocessor
- Windows 10 Pro
- Windows 10 Home
- Windows 11 Pro
- Windows 11 Home
Servers with an x86 or x64 microprocessor
- Windows 2003 (32-bit, 64-bit, and R2) SP2 and higher
- Windows 2008 (32-bit and 64-bit) and 2008 R2
- Windows Small Business Server 2011, 2012
- Windows Server 2012 and Windows Server 2012 R2
- Windows Server 2016 and 2019
- Windows Server Core 2008, 2008 R2, 2012 R2, 2016, and 2019
- Windows Server 2022
IoT and Windows Embedded Industry
- Windows XP Embedded
- Windows Embedded for Point of Service
- Windows Embedded POSReady 2009, 7, 7 (64-bit)
- Windows Embedded Standard 2009, 7, 7 (64-bit), 8, 8 (64-bit)
- Windows Embedded Pro 8, 8 (64-bit)
- Windows Embedded Industry 8, 8 (64-bit), 8.1, 8.1 (64-bit)
- Windows IoT Core 10, 10 (64-bit)
- Windows IoT Enterprise 10, 10 (64-bit)
- Windows Server IoT 2019
Windows Embedded systems allow custom installations that could impact Advanced EDR. After you install Advanced EDR, we recommend that you confirm it works as expected.
Hardware requirements
- Processor: x86- or x64-compatible CPU with at least SSE2 support.
- RAM: 1 GB.
- Available hard disk space for installation: The minimum space required to install the security software varies depending on the operating system version installed on the computer. On average, the security software requires 650 MB of available space for installation.
Other requirements
Ports
Advanced EDR requires access to multiple Internet-hosted resources. It requires access to ports 80 and 443.
The Advanced EDR agent requires port 33000 for communication between protected computers and with the Firebox or Access Point devices (see Endpoint Access Enforcement settings and Network Access Enforcement
Update root certificates
It is necessary to keep the root certificates of workstations and servers up to date. Also, the computers must be able to access these URLs:
http://*.globalsign.com
http://*.digicert.com
http://*.sectigo.com
Windows computers update root certificates automatically through Windows Update. Nevertheless, incorrectly installed updates might cause problems.
If root certificates are not up to date, some features such as the ability for agents to establish real-time communications with the management console, or the Cytomic Patch module, might not work.
To identify and update root certificates, use the tool available at https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/troubleshooting/psinfotool/psinfo-check-cert.html?Highlight=psinfo.
Time synchronization of computers (NTP)
Although not an essential requirement, it is recommended that the clocks on computers protected by Advanced EDR be synchronized. This synchronization is normally achieved using an NTP server.
If a computer is not synchronized, several security issues could arise:
- A lack of stability in the communications between the computer and the Cytomic servers.
- Errors checking certificates, which appear as valid or expired based on the computer system date, not the real date.
- Date errors in the alerts generated by the protections, which show the computer system date, not the real date.
- The scan and patch installation tasks show the computer system date, not the real date.
- The installer expiration date is not respected.
- Some scheduled actions might not run correctly, such as computer restarts and problem notifications.
Support for SHA-256 driver signing
To keep security software up to date, the workstation or server must support SHA-256 driver signing. Some versions of Windows do not include this feature by default and you must update them:
Windows platform | Updates required | URL |
---|---|---|
Windows Vista x86/Vista x64 | SP2 and KB4474419 | |
Windows Server 2008 x86/Server 2008 x64 | SP2 and KB4474419 | |
Windows 7 x86/Windows 7 x64 | SP1 and KB4474419 | |
Windows 2008 R2 x64 | KB4474419 | |
Computers that do not support SHA-256 driver signing will not have their protection software updated beyond protection version 4.00.00. These computers are not shown in the Outdated protection widget as candidates to be updated. These computers are shown with the warning Cannot upgrade this computer’s protection to the latest version. For more information about computer alerts and how to display them, see Computer details.
To find computers that do not support SHA-256 driver signing, create a filter in the filter tree with the parameters shown in Filter computers not compatible with SHA-256 signed drivers. For more information about the filter tree, see Filter tree.
We recommend that you update all computers to make sure they are protected with the latest available version of the protection software.
After you install the patches indicated, the latest available version of the protection software downloads within four hours. You must restart the computer to complete the update.
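The table above can be checked per computer with a short Windows PowerShell script. This is an added example, not vendor code: the function name `Test-Sha256DriverSigningPrereq`, its parameters, and the sample KB value are assumptions made for illustration, and WMI is used so that it also runs on PowerShell 2.0.

```powershell
# Added example (not vendor code). Evaluates one computer against the
# SHA-256 driver signing table: required service pack plus KB4474419.
function Test-Sha256DriverSigningPrereq {
    param(
        [Parameter(Mandatory = $true)][string]$OsVersion,   # e.g. '6.1.7601'
        [Parameter(Mandatory = $true)][int]$ProductType,    # 1 = workstation, 2 or 3 = server
        [int]$ServicePack = 0,
        [string[]]$InstalledKb = @()
    )
    $requiredKb = 'KB4474419'
    $v = [version]$OsVersion

    # Minimum service pack per table row; $null means the OS is not in the table.
    $minSp = $null
    if ($v.Major -eq 6 -and $v.Minor -eq 0) { $minSp = 2 }   # Vista / Server 2008
    elseif ($v.Major -eq 6 -and $v.Minor -eq 1) {
        if ($ProductType -eq 1) { $minSp = 1 }               # Windows 7
        else { $minSp = 0 }                                  # Server 2008 R2 (KB only)
    }

    if ($null -eq $minSp) {
        # Not listed in the table: this script makes no statement about it.
        return New-Object PSObject -Property @{
            InTable = $false; ServicePackOk = $null; KbInstalled = $null; Ready = $null
        }
    }
    $spOk = $ServicePack -ge $minSp
    $kbOk = $InstalledKb -contains $requiredKb
    New-Object PSObject -Property @{
        InTable = $true; ServicePackOk = $spOk; KbInstalled = $kbOk; Ready = ($spOk -and $kbOk)
    }
}

# Constructed sample input: Windows 7 SP1 with only a placeholder KB installed.
Test-Sha256DriverSigningPrereq -OsVersion '6.1.7601' -ProductType 1 `
    -ServicePack 1 -InstalledKb @('KB0000000')

# Live check of the local computer.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$kbs = @(Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID })
Test-Sha256DriverSigningPrereq -OsVersion $os.Version -ProductType $os.ProductType `
    -ServicePack $os.ServicePackMajorVersion -InstalledKb $kbs
```

Win32_QuickFixEngineering reports only updates recorded under their own KB ID, so treat a missing entry as a prompt to review the update history rather than as proof that SHA-256 support is absent.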
Communication with the Advanced EDR server through TLS 1.2
To enable the security software to communicate with the Advanced EDR server through the TLS 1.2 protocol, ciphers TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 are required. For more information, see Manage SSL/TLS protocols and cipher suites for AD FS.
Windows 2008 R2 does not support TLS 1.2 natively. It requires that you install a patch available for certain WinHTTP protocols. For more information, see Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.
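To confirm that the two required cipher suites are available on a computer, the following added example (not vendor code) compares the enabled suites with the names given above. The function names are assumptions, and the registry fallback for systems without `Get-TlsCipherSuite` assumes the standard Schannel cipher suite order keys.

```powershell
# Added example (not vendor code). Reports which of the two cipher suites
# required for TLS 1.2 communication are missing from the enabled list.
$EdrRequiredSuites = @(
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Get-MissingRequiredSuite {
    param([string[]]$EnabledSuite = @(), [string[]]$RequiredSuite = $EdrRequiredSuites)
    @($RequiredSuite | Where-Object { $EnabledSuite -notcontains $_ })
}

function Get-EnabledTlsSuite {
    # Windows 10 / Server 2016 and later include the TLS module.
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    }
    # Older systems (assumption: standard Schannel locations). The Group Policy
    # order, when set, takes precedence over the local default order.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($value) {
            # Policy value is comma-separated text; local value is a multi-string.
            return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    @()
}

# Constructed sample input: a list that lacks the AES-256 suite.
Get-MissingRequiredSuite -EnabledSuite @(
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Live check of the local computer; no output means both suites are present.
Get-MissingRequiredSuite -EnabledSuite (Get-EnabledTlsSuite)
```

A hardening baseline that disables the Diffie-Hellman key exchange in Schannel takes both suites out of use even when they appear in the list, so check that setting as well if the agent cannot connect.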
Windows XP and Windows 2003 operating systems
For the advanced protection to operate correctly on these operating systems, Internet Explorer 7 or higher must be installed on the computer.
You cannot install or update the security software directly on Windows XP. You must use a cache computer. For more information, see Configuring downloads from cache computers.
You can install or update the security software on Windows 2003 only if the operating system is fully updated and all required patches are installed. Otherwise, you must use a cache computer. For more information, see Cytomic Patch (Updating vulnerable programs).