# On-prem agent installation using Windows package
Refer to the information on this page to install an on-prem agent using Windows package.
PREREQUISITES
You must create an on-prem group before you can set up an on-prem agent.
# Install an on-prem agent
Complete the following steps to create an on-prem agent (OPA) for a Windows operating system (OS):
Sign in to your Workato account.
Go to Tools > On-prem groups and select the group where you plan to add an agent.
Click Add agent. The Add agent dialog opens.
Provide an Agent name, use the Operating system drop-down menu to select Windows, and then click Next.
Select Windows as your operating system
Click Download installer and click Next.
Click Download agent package
Run the installer. The installer creates a Workato group in the Start menu, and installs a Windows service called Workato on-prem agent by default.
OPA WINDOWS SERVICE USER ACCOUNTS
From OPA version 2.18.0 onwards, the Workato OPA Windows service user account is set to Local Service instead of Local System, which was used in previous versions.
Complete the following steps to access the settings of an OPA Windows service user account:
Press Win + R, type services.msc, and press Enter.
Go to the Services window and locate the agent.
Right-click the agent and select Properties
Select whether to store the agent private key and certificate in the default Windows Certificate Store location or in C:\Program Files\Workato Agent\conf. You must protect the conf folder from unauthorized access if you select this option as your storage location.
This option is only available in OPA versions 30.0 and later. Refer to the Security section for more information.
Choose where to store OPA key and certificate
Copy and paste the Activation command from Workato. The code is valid for one hour. Click Regenerate code to generate a new code if it expires.
Alternatively, you can select Activate agent manually and activate the OPA after installation by starting the Workato on-prem agent Windows service or using the activation script, depending on your setup.
Copy and paste the Activation code
ALLOW TRAFFIC TO WORKATO FROM YOUR SERVER
Ensure traffic to Workato is allowed from your server to use OPA. Refer to security allowlists to add Workato to your allowlist.
Return to Workato and click Next.
Click Test agent to confirm that your on-prem agent is working as expected.
Test the on-prem agent
Click Done to complete the installation.
CERTIFICATE VALIDITY PERIOD
The agent certificate remains valid for 1 year after the generation date.
Renew the certificate before its expiration date to avoid interruptions. Refer to the Renew agent keys guide for more information.
# Security
OPA 2.18.0 and later versions run the OPA Windows service under the Local Service system account by default. You can alter this account to better match your security requirements, for example, by running it under a domain user account with dedicated privileges.
OPA 30.0 and later versions enable you to choose whether to store the agent private key (cert.key) and certificate (cert.pem) in the conf folder or the Windows Certificate Store. The default storage location is the Windows Certificate Store.
It's extremely important to restrict access to the OPA conf folder if you store the private key and certificate in the local file system. Workato doesn't have access to your private key.
The conf folder also contains a config.yml file where you can configure options and connection properties if you aren't using cloud profiles. Ensure you protect this file from unauthorized access.
# How to set permissions
Complete the following steps to protect the OPA's conf folder:
Right-click the conf folder and select Properties.
Go to the Security tab.
Click Advanced and remove any unnecessary explicit or implicit access to the conf folder.
Explicitly allow Read access to the conf folder for the LOCAL SERVICE system account (or the account assigned to run OPA as a Windows service).
OPA conf directory permissions
Click Apply, then OK.
Last updated: 1/30/2026, 9:16:47 PM