🦞clawempire
Install help
🦞Claw Empire private client portal

Windows 11 + WSL2

Prepare Windows 11 with Ubuntu on WSL2.

Follow these steps before the install call when Hermes will run inside Ubuntu on WSL2.

Install targetWindows step-by-step guide

Best fit when the client machine is Windows but the runtime should stay in a Linux environment.

Start Step 1Onboarding hub
Use caseBest fit when the client machine is Windows but the runtime should stay in a Linux environment.
RuntimeFresh Claw Empire installs deploy Hermes only.
SecretsUse your vault or OAuth flow; do not paste credentials.

Step-by-step guide

Do these in order before install day.

Complete as much as your policy allows. If a step is blocked, note who can approve or unblock it during onboarding.

Step 1

Update Windows and restart

Use Windows 11 with all pending updates installed. Restart before the call so WSL and virtualization changes are not waiting on reboot.

Claw Empire guide image showing a Windows 11 install host selected and updated.CLAW EMPIRE GUIDEInstall hosthost: power + networkPRIVATE SETUP • HERMES FRESH INSTALL

Step 2

Open Windows Terminal as admin

Open Windows Terminal as Administrator for setup steps that require elevated privileges. Keep the Windows device administrator available if corporate policy controls terminal or virtualization access.

Claw Empire guide image showing Windows Terminal opened as Administrator.CLAW EMPIRE GUIDETerminal adminAdmin TerminalADMPRIVATE SETUP • HERMES FRESH INSTALL

Step 3

Install or verify Ubuntu on WSL2

Install WSL2 with Ubuntu if it is not already present: wsl --install -d Ubuntu. Existing Ubuntu installs are fine if they are clean and maintained.

Claw Empire guide image showing Ubuntu ready inside WSL2 on Windows.CLAW EMPIRE GUIDEWSL UbuntuUbuntu on WSL2PRIVATE SETUP • HERMES FRESH INSTALL

Step 4

Update Ubuntu and confirm sudo

Inside Ubuntu, run standard updates before the call: sudo apt update && sudo apt upgrade -y. Confirm the Windows user can open Ubuntu, create files in the Linux home directory, and use sudo.

Claw Empire guide image showing Ubuntu package updates and sudo readiness.CLAW EMPIRE GUIDEPackages readyapt update && upgradePRIVATE SETUP • HERMES FRESH INSTALL

Step 5

Surface VPN, antivirus, and WSL policy

Keep antivirus, VPN, or corporate device policies visible. If they block local services, ports, SSH, Tailscale, or WSL networking, bring the device administrator to the install call.

Claw Empire guide image showing Windows security policy checks before WSL onboarding.CLAW EMPIRE GUIDEDevice policypolicy: reviewedPRIVATE SETUP • HERMES FRESH INSTALL
Useful checkswsl --statuswsl --install -d Ubuntusudo apt update && sudo apt upgrade -y

Shared prep

Bring the right owner and approvals.

OS readiness is only half the install. We also need account owners, MFA, and access boundaries available during the call.

Account readiness

  • Decide which always-on computer will host Hermes. Keep it on reliable power, a trusted private network, and at the location where it will normally operate.
  • Make sure the business owner or operator can approve access decisions and use an administrator account during the call.
  • Keep MFA devices, password manager access, approved accounts, and off-limits systems ready. Do not send passwords, private keys, recovery keys, or tokens in chat or email.
  • Use a private, trusted network. Avoid hotel, airport, café, and conference Wi-Fi for install day.
  • Tell us before the call about device-management, firewall, VPN, antivirus, IP allowlisting, or vendor-review constraints.

Platform notes

  • WSL works best when Windows, Ubuntu, virtualization, and network policy are all current before the call begins.
  • If your company blocks WSL, SSH, Tailscale, or local services, bring the device administrator to the install call.

Install day agenda

What we will walk through together.

Step 1

Confirm scope, owner, machine, and access boundary.

Step 2

Verify OS, network, shell, package manager, and remote access posture.

Step 3

Install and configure Hermes on your infrastructure.

Step 4

Connect approved accounts and integrations through secure OAuth or password-manager flows.

Step 5

Run supervised test workflows with clear approval gates.

Step 6

Document operating commands, recovery notes, and the handoff checklist.

Handoff boundary

Hermes launches under supervision.

Legacy OpenClaw support is diagnostic-only unless explicitly scoped. The legacy path is ~/.openclaw/. No alternate legacy directory applies.

  • Run Hermes in supervised mode first; treat the first week as calibration.
  • Keep one owner responsible for policy: autonomous actions, confirmation-required actions, and off-limits systems.
  • Store handoff notes, recovery steps, and account ownership in your internal docs or password manager.
  • Rotate temporary credentials and remove temporary remote access that is not part of ongoing support.

Other install targets

Need a different OS guide?

macOS step-by-step guide illustrationCLAW EMPIRE GUIDEInstall hosthost: power + networkPRIVATE SETUP • HERMES FRESH INSTALL

macOS workstation

macOS step-by-step guide

Best fit for an always-on Mac mini in the client office or home office.

Open macOS guide →Linux step-by-step guide illustrationCLAW EMPIRE GUIDELinux hostUbuntu LTS / DebianPRIVATE SETUP • HERMES FRESH INSTALL

Linux host

Linux step-by-step guide

Best fit for clients who already operate a stable Linux machine or server with clear admin ownership.

Open Linux guide →
🦞Claw Empire setup desk

Need a decision?

Ask before install day.

If a company policy, device constraint, or access question changes the plan, send it to your Claw Empire contact before the call. The goal is a prepared handoff, not last-minute privilege escalation.

Ask a setup questionReturn to Hub