Thycotic Agent

by Delinea Inc.v12.0.5290

Last updated Jun 8, 2026

The core agent for all reporting and monitoring communication on the endpoint. It can be considered the managing agent, while the Application Control and Local Security Agents are the worker agents.

Visit homepage

Install with winget

$ winget install --id Delinea.ThycoticAgent --exact --version 12.0.5290

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for Thycotic Agent

Thycotic Agent uses MSI (WiX). The silent install switches are /quiet /norestart.

One-line silent install (x64, machine scope)

msiexec.exe /i ThycoticAgent_x64_12_0_5290.msi /quiet /norestart

See the full silent install reference for Thycotic Agent →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v12.0.5290

Architecture	Type	Scope	Install	Download
x86	MSI WiX	machine		Direct
x64	MSI WiX	machine		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

11 known CVEs via NVD

medium6.5Patched in wingetCVE-2025-12810affects v11.8.000001Jan 27, 2026
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password chan...
Vendor advisory
low3.8Patched in wingetCVE-2025-6943affects before 11.7.000060Jul 2, 2025
Secret Server version 11.7 and earlier is vulnerable to a SQL report creation vulnerability that allows an administrator to gain access to restricted tables.
Vendor advisory
medium6.9Patched in wingetCVE-2024-12908affects before 11.9.000006Dec 26, 2024
Delinea addressed a reported case on Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URI's were compared before normalization and canonicalization, potentially leading to over matching against the approved list. If this att...
high8.8Patched in wingetCVE-2024-33891affects before 11.7.000001Apr 28, 2024
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute.
Vendor advisory
medium4.3Patched in wingetCVE-2024-25653affects v11.4.000000Mar 13, 2024
Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI.
high7.6Patched in wingetCVE-2024-25652affects v11.4.000000Mar 13, 2024
In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimat...
Vendor advisory
medium5.3Patched in wingetCVE-2024-25651affects v11.4.000000Mar 13, 2024
User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint.
medium6.7Patched in wingetCVE-2024-25649affects v11.4.000000Mar 13, 2024
In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption ke...

Showing 8 of 11. Source: NVD, updated 6h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

Thycotic Local Security AgentDelinea Inc.
Delinea.ThycoticLocalSecurityAgentv12.0.5290
Monitor and execute Local Security functions on Windows based endpoints.
Privilege Manager AgentsDelinea Inc.
Delinea.PrivilegeManagerAgentsv12.0.5290
Bundled Privilege Manager Agents including Thycotic Agent, Thycotic Application Control Agent and Thycotic Directory Services Agent.
Thycotic Directory Services AgentDelinea Inc.
Delinea.ThycoticDirectoryServicesAgentv12.0.5041
The agent supporting the Active Directory synchronization between Privilege Manager Cloud instances and local directory services.
Thycotic Application Control AgentDelinea Inc.
Delinea.ThycoticApplicationControlAgentv12.0.5290
Monitor processes executing the Privilege Manager Application Control Functions on the endpoint.
Delinea Connection ManagerDelinea Inc.
Delinea.DelineaConnectionManagerv2.8.3.7
Provide secure connections to remote servers using RDP and SSH, allowing IT teams to launch ad-hoc connections to manage sessions with remote resources.

Frequently asked questions

How do I install Thycotic Agent on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id Delinea.ThycoticAgent --exact --version 12.0.5290. winget downloads the installer from Delinea Inc. and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Thycotic Agent silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id Delinea.ThycoticAgent --exact 12.0.5290 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for Thycotic Agent?

Thycotic Agent uses MSI (WiX). Run the downloaded installer with: msiexec.exe /i ThycoticAgent_x64_12_0_5290.msi /quiet /norestart. The silent switches are /quiet /norestart.

How do I uninstall Thycotic Agent via winget?

Run: winget uninstall --id Delinea.ThycoticAgent --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Thycotic Agent's Apps & Features entry.

Is Thycotic Agent free?

Thycotic Agent is distributed under Proprietary. Refer to the publisher (https://docs.delinea.com/online-help/privilege-manager/install/sw-downloads.htm) for the full license terms - Wingetly itself does not charge for installation.

Does Thycotic Agent work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Thycotic Agent directly from the publisher.

How do I keep Thycotic Agent up to date?

Run winget upgrade --id Delinea.ThycoticAgent --exact, or winget upgrade --all to update everything winget tracks. We index 9 versions of Thycotic Agent from microsoft/winget-pkgs.

Recent versions

12.0.5290latest
12.0.5289
12.0.4258
12.0.4237
12.0.3185
11.4.3235
11.4.3220
11.4.2168
11.4.1083