You can host PowerShell Universal as a Windows Service, in IIS, as a Azure Web App or just as a stand alone application. If you are running on Windows, we suggest either a Windows Service or IIS.
To host as a Windows Service, you can download and install the PowerShell Universal MSI. The MSI will automatically install the PowerShell Universal service and start it. Jobs will run under the system account by default but you can configure the service to run under another account after installation.
After the MSI has finished setup, your default web browser will open to http://localhost:5000 for login. The default login credentials are set to Admin and any password.
You do not need to use the MSI to configure Universal as a Windows Service. You can also do it manually with the following PowerShell script.
You can host PowerShell Universal in Azure as a Linux, Windows or Docker web app. To create a persistent web app, it's easiest to deploy using a standard Azure Web App.
We have a GitHub repository that contains a GitHub action workflow for downloading the latest version of PowerShell Universal, updating appsettings.json
and web.config
to work with Azure and then deploying to an existing web app.
You can also host the Universal server as a stand alone application. Simply run the Universal.Server.exe
from the binary directory to utilize the Kestrel web server implementation in ASP.NET Core to start the web server.
This section applies to Universal when it is hosted outside of IIS.
You can set the port of the Universal server by modifying the appsettings.json
file. We recommend that you create an appsettings.json
file in the default configuration folder.
Windows
%ProgramData%\PowerShellUniversal
Linux
%HOME%/.PowerShellUniversal
To set the port, change the Kestrel endpoints section of the appsettings.json
. By default, the configuration is defined to listen on port 5000 and on any address.
To configure HTTPS, you can adjust the appsettings.json
file to use a particular certificate and port. The below configuration uses the testCert.pfx
file and testPassword
and listens on port 5463.
To configure a certificate in a particular location and store, you can use a configuration such as this.
Location can be either CurrentUser
or LocalMachine
.
By default, Universal will listen on HTTP1 and HTTP2. You can adjust the protocols that the server listens to by setting the Protocols property. For example, you can specifically set HTTP1 and HTTP2 support with the following setting.
Some versions of Windows Server (like 2012R2), do not support HTTP2. To disable HTTP2 support, set the listener to only listen on HTTP1.
For a full set of listening options, you can refer to the ASP.NET Core Documentation.
Single-file hosting and configuration for PowerShell Universal.
You can configure and run the PowerShell Universal server from the command line. The Start-PSUServer
and Install-PSUServer
cmdlets can be used to install, configure and run a Universal instance in a single file.
To install from the command line, use Install-PSUServer
. By default, it will store the latest version of the PowerShell Universal Server to the $Env:ProgramData\PowerShellUniversal
folder. You can specify an alternate path and optionally add the older to the $Env:Path
environment variable .
Once the server is installed, you can start it with Start-PSUServer
.
You can configure PowerShell Universal from the command line using Start-PSUServer
and the -Configuration
parameter. You can use the same cmdlets that you would use in the various configuration files but utilize a single file. You should save this file and then execute the PS1 file. Any changes to the file will be auto-reloaded.
Single file hosting has some limitations in terms of scoping. Variables, functions and modules used within the parent scope or the configuration script block scope will not be accessible in the dashboard, endpoint or script content scopes.
You can work around these limitations by using variables and environments.
The single-file hosting and configuration does not actually require the use of a single file. Rather, it means that you have a single entry point for the hosting and configuration of your PowerShell Universal server. You can reference other files within the -Configuration
script block parameter.
For example, if you wanted to load endpoints from a nested folder, you could do the following.
With this configuration, you can have an endpoints
folder within the same directory as your root file and they will be loaded automatically when the server starts of the files change.
Information about hosting PowerShell Universal in IIS.
PowerShell Universal supports being hosted in IIS (Internet Information Services (IIS) for Windows® Server). Please note that a series of host prerequisites and specific configuration steps are required to facilitate running PowerShell universal on IIS. Please review each section carefully as IIS requires many specific configuration settings applied to work with modern .NET Core applications such as PowerShell Universal.
The following components are required in order to host PowerShell Universal on IIS.
Including: WebSocket Protocol
.
The following Windows Server IIS features are also required to be enabled on the IIS Host:
First make sure to enable the IIS feature on Windows Server and then install the ASP.NET Core hosting bundle.
NOTE: IIS often requires a host reboot after installing the .NET Core Hosting bundle! It is strongly recommended that you REBOOT the IIS host after installing the .NET Core Hosting bundle.
Once these prerequisites are met, you are ready to begin configuration of PowerShell Universal on IIS.
Enabling the IIS WebDav Publishing feature will cause issues with Universal. WebDav Publishing filters HTTP requests and prevents PUT and DELETE verbs by default. If you have WebDav Publishing enabled, please ensure you have it configured properly to allow these verbs.
Download the Latest copy of PowerShell Universal. You will need to download the ZIP Archive version of PowerShell Universal. This archive is specifically built for those wishing to configure PowerShell Universal for IIS or other third party web servers. Extract the contents of the Zip to the intended web host folder location on your IIS Host.
You must ensure that the PowerShell Universal application files are unblocked after extracting them. You can unblock them with the Unblock-File
cmdlet.
This location is very important and will be referenced throughout this document. Most importantly this location must be accessible by the Identity used by the IIS Application Pool.
Now that our Host is ready and we have downloaded PowerShell Universal, we can begin configuring IIS.
The First step in the IIS configuration process is to create a new Application Pool in IIS. Before we begin the configuration we should ensure that we select a valid identity for the IIS Application Pool.
The Application Pool Identity is crucial for PowerShell Universal as this will be the "default user" that jobs and dashboards will run as. It will also be the user that will perform read/write operations to the Universal Automation database and will be used by IIS to read the web content directory and execute the application.
It is suggested to use "LocalSystem" or a Service Account of your choosing.
Due to limitations in IIS, the Application Pool Identity settings have MAJOR consequences on the behavior for "Run As" options when using Universal Automation.
IIS Limitations with Universal Automation
App Service configured as Local System - Scripts will execute as the System Account by default and a Run as Accounts CAN be specified when executing a Script in Universal Automation
App Service configured as a Service Account - Scripts can ONLY be executed with the Service Account and a **Run as Account **CANNOT** be specified when executing scripts.
Service Account Identity Requirements
The Default Database location can be customized via the PowerShell Universal appsettings.json
file if desired.
Once we have selected a valid identity we are ready to create the Application Pool in IIS.
Now that we have chosen an App Pool identity that has read/write access to the PowerShell Universal Application and Database folders we can create the Application Pool in IIS.
In IIs Manager, Choose the option to Add Application Pool...
Name: Use any Name you would like for the Application Pool
.NET CLR Version: No managed code
Click OK create the Application Pool.
Now that the Application Pool has been created, we will need to configure the Advanced Settings
Open the "Advanced Settings" for the Application Pool and apply the following Configurations:
General / Enable 32-Bit Applications: False
Process Model / Identity: Use the Identity we selected for our Application Pool in the "Choosing an App Pool Identity" section above.
Process Model / Load User Profile: True
Once the Advanced Settings have been applied, our Application Pool is ready, our next step will be to configure the IIS Web Site that will utilize this Application Pool.
Now that we have a valid Application Pool we need to create an IIS website to expose the application. Before we do this we will want to review the PowerShell Universal web.config
file for our website. Within the extracted PowerShell Universal Application folder, we will find a web.config file. This configuration file has been specifically designed for IIS and has a number of configurations we need to review prior to creating the IIS Website.
Most Importantly we will need to update "processPath" argument value of this configuration file. This value will provide IIS with the exact path of the application binary so that it can properly launch the application.
Open the web.config file in the PowerShell Universal Application Folder
Locate the <aspNetCore processPath section of the configuration file
Update the arguments="PATH" value to be the exact location of the Universal.Server.exe path.
Save the file to apply the configuration
There are a variety of additional configurations in this file. We'll be reviewing these in more detail in the "Advanced Configuration" Section but you can refer to the "Additional web.config configurations" on this page for more details
Now that an Application Pool has been created for PowerShell Universal with a valid Identity and we have configured the web.config file, we are finally ready to create the IIS Website. The Website component of IIS loads the application artifacts and exposes the application on the configured web endpoint.
In the IIS Manager: Click "Add Website.."
Configure the new website options :
Site Name: Use any name you would like, ex: PowerShell Universal.
Application Pool: DO NOT use the DefaultAppPool - Select the Application Pool we created in our previous step.
Physical Path: This must be the physical path to the PowerShell Universal Content we extracted from our download .zip file. NOTE: The AppPool identity must have access to the location.
Binding Settings: Note, for initial configuration is suggested to use the base defaults, we'll update these later in our advanced configuration
Type http - For Initial Configuration
IP Address: All Unassigned
Port: 80
Host Name: Name of the Host
At this point, all the required configurations should be in place, and the IIS website hosting PowerShell Universal should be up and running. With a web browser - browse to the configured website location to validate that PowerShell Universal has started. From here you can follow the "Getting Started" guide to validate base functionality. Once you are sure that the Application is working properly with a Basic IIS configuration you can proceed to the "Advanced Configuration" to secure and finalize your desired IIS Configuration.
You are are still experiencing issues with the basic IIS Configuration try checking the "Logs" path specified in the web.config for common issues. If you are still experiencing issues reach out on the forums or support for assistance.
If you are going to be running scheduled jobs within your PowerShell Universal instance hosted in IIS, you must make sure to configure IIS appropriately. There are several settings to validate when configuring your application pool.
IIS will terminate your PSU process after a default of 20 minutes of idle time. This will cause jobs to fail to run since the process is not running. You can set the idle timeout to 0 to disable timeouts.
When the IIS server is restarted, the application pool will not start until the website is requested. You can avoid this by changing the start mode to Always Running for your application pool in Advanced Settings.
PowerShell Universal can use anonymous authentication and Windows Authentication in IIS.
To enable Windows Authentication, you will first need to enable it for your Web Server and then for your website. You can find the authentication settings under the Authentication section in IIS Manager.
For the website, set the same settings.
Once authentication is enabled in IIS, you will have to ensure that Windows Authentication is enabled for PowerShell Universal.
First, adjust the web.config
file to forward the Windows authentication token.
Next, enable Windows Authentication in the appsettings.json
file for PowerShell Universal.
Restart your Application Pool and now you should be able to login with Windows credentials.
When enabling Windows Authentication but not Anonymous Authentication, you will no longer be able to use PowerShell Universal AppTokens. You will need to enable both authentication methods to support Windows Credentials as well as App Tokens.
Anonymous Authentication can be enabled to allow for app tokens and other requests to be transmitted through the IIS proxy. You will need to enable Anonymous Authentication on both the Server and Web site levels. There is no additional configuration to do within PowerShell Universal.
The settings within the Universal web.config can be adjusted as you see fit. Below you will find a description of each setting.
This setting is used for Windows Authentication. If you wish to use Windows Authentication with IIS, ensure that you disable Anonymous Authentication and enable Windows Authentication within your IIS site and then set this setting to true.
This setting is used for debugging start up issues with your Universal setup. It's recommended to enable this when first configuring IIS integration. You can disable it once everything is configured. You need to ensure that your AppPool identity has write access to the StdOutLogFile location.
The hosting model sets how the Universal server will run. When set to InProcess, the Universal Server will run from within the IIS agent. This provides better performance than using OutOfProcess hosting. InProcess hosting does not work with StdOutLogEnabled. It's recommended to use OutOfProcess hosting only while configuring Universal and, InProcess when your configuration steps have been completed.
Feature Display Name
Requirement
Installation Script
WebSocket Protocol
Required to run PowerShell Universal
Install-WindowsFeature Web-WebSockets
Windows Authentication
Required for using Windows Authentication
Install-WindowsFeature Web-Windows-Auth