
Enabling IIS Remote Management Using PowerShell

Using PowerShell Remoting, the task can be completed in just a handful of steps.

Managing Microsoft IIS Web servers remotely using the graphical tool is fairly simple to enable if you're sitting at the Web server. But if you're like me and host many servers in different locations or in the cloud, then sitting at a graphical desktop or, worse, using RDP to enable the service is impractical. A better way, and a much more efficient one because it can be applied to multiple servers at once, is PowerShell Remoting.

The Process
If you have done this through the graphical IIS Manager before, you know there are several steps to the process. When you use PowerShell, you follow the same steps, but a few of them are tricky because cmdlets don't exist to help with all the steps. I've given you tips around those pesky missing cmdlets so you can be successful.  Here's the general process I will follow:
  1. Create a PowerShell session to each of the servers
  2. Install the Management Service
  3. Enable the Management Service
  4. Start the Management Service (WMSVC)
  5. Replace the self-signed certificate
  6. Connect using the IIS Manager

In my cmdlet examples, I will enable remote management on four IIS servers (Server 2012 R2) named Web1, Web2, Web3 and Web4 -- all at the same time. After getting them working I will replace the temporary certificate with a trusted certificate from Active Directory Certificate Services.

1. Creating PowerShell Remoting sessions to the Web servers
The first step is to create a PowerShell Remoting session to the Web servers. I start by creating a variable $Servers that holds the computer names of the Web servers. You can also fill this variable from a .csv or .txt file. If your Web servers are in Active Directory, you can filter using the Get-ADComputer cmdlet to get the target server names.
PS C:\> $Servers = 'web1', 'web2', 'web3', 'web4'

Then create a PowerShell Remoting session to the servers using New-PSSession. I normally store the sessions in a variable $Sessions for easy use later with the Invoke-Command cmdlet.

PS C:\> $Sessions = New-PSSession -ComputerName $Servers

Now you're ready to start configuring the remote management capability on those servers.

2. Installing the Management Service
The IIS management service is an additional role service that you will need to install to enable the remote management. Using the Remoting sessions in the $Sessions variable makes this easy:
PS C:\> Invoke-Command -Session $Sessions -ScriptBlock {Install-WindowsFeature Web-Mgmt-Service}

Once the role service is installed, it still must be enabled. There aren't any cmdlets to help enable the service, so I will show you a tip using the Registry.

3. Enabling the Management Service
The default settings when you first enable the management service are set to permit Windows credentials, using port 8172. The default settings also create and apply a temporary 10-year self-signed certificate. In many cases, especially for internal management, these settings are fine, including the 10-year self-signed certificate, but I will show how to replace the certificate later just in case you want a trusted certificate.

To enable the management service over PowerShell Remoting, use the Set-ItemProperty cmdlet to change the registry value EnableRemoteManagement.

PS C:\> Invoke-Command -Session $Sessions -ScriptBlock {Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1}

Now that the management service is enabled, the service must still be started before it can be used as a connection point for your local graphical IIS Manager.

4. Starting the Management Service
Starting the remote management service (WMSVC) is easy with PowerShell, but there is a small detail overlooked by many people that will cause problems later. The WMSVC service has a startup type of Manual - which means if you reboot the server in the future, the remote management will fail. To fix this, first set the startup type to Automatic and then start the service.
PS C:\> Invoke-Command -Session $Sessions -ScriptBlock {Set-Service -Name WMSVC -StartupType Automatic}
PS C:\> Invoke-Command -Session $Sessions -ScriptBlock {Start-Service WMSVC}

At this point the management service is running and you can remotely manage the Web servers using the graphical IIS Manager. If you don't want to use the self-signed certificate -- which really is not an issue in most cases -- then you can replace it with a new and trusted certificate.
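
A check of steps 2 through 4 across all servers, which can be re-run after step 5 to confirm the new certificate. This is an added example, not code from the original article; it assumes the $Sessions variable from step 1 and that the bound certificate lives in Cert:\LocalMachine\My.

```powershell
# Added example: audit the management service on every server in $Sessions.
$report = Invoke-Command -Session $Sessions -ScriptBlock {
    Import-Module WebAdministration   # provides the IIS: drive

    $feature = Get-WindowsFeature -Name Web-Mgmt-Service
    $reg     = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server
    # Win32_Service reports StartMode ('Auto', 'Manual', 'Disabled') and State
    $svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='WMSVC'"

    # Certificate currently bound to the management port (8172)
    $binding = Get-Item -Path 'IIS:\SslBindings\0.0.0.0!8172' -ErrorAction SilentlyContinue
    $cert    = if ($binding) {
        Get-Item -Path "Cert:\LocalMachine\My\$($binding.Thumbprint)" -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        FeatureInstalled = $feature.Installed
        RemoteEnabled    = ($reg.EnableRemoteManagement -eq 1)
        StartMode        = $svc.StartMode     # 'Auto' survives a reboot
        State            = $svc.State         # 'Running' once step 4 is done
        CertSubject      = $cert.Subject
        SelfSigned       = ($cert -and $cert.Subject -eq $cert.Issuer)
        CertExpires      = $cert.NotAfter
    }
}

# One row per server; PSComputerName is added by remoting
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, FeatureInstalled, RemoteEnabled, StartMode, State, SelfSigned, CertExpires -AutoSize

# Servers that are not enabled, not running, or would not come back after a reboot
$report | Where-Object {
    -not $_.RemoteEnabled -or $_.StartMode -ne 'Auto' -or $_.State -ne 'Running'
} | Select-Object PSComputerName, RemoteEnabled, StartMode, State
```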

5. Replacing the Self-Signed certificate
You can obtain a certificate from a trusted provider or Active Directory Certificate Services for internal management. Export the certificate to a .PFX with a password, then you can use the native CertUtil.Exe command to install the new certificate.

First, copy the certificate (.pfx file) to the remote Web servers:

PS  C:\> $Servers | Foreach-Object {Copy-Item -Path C:\Remote.Company.loc.pfx  -Destination "\\$_\c$"}

Use CertUtil.exe to install the certificate.

PS C:\> Invoke-Command -Session $Sessions {certutil -p P@ssw0rd -importpfx c:\Remote.company.loc.pfx}

Notice I sent the password in clear text. PowerShell Remoting is completely secure and encrypted so this is not an issue. I would not, however, have put this into an automated script.

After the certificate is installed, it's important to remember to delete the .pfx file off the Web servers.

PS C:\> $Servers | Foreach-Object {Remove-Item -Path "\\$_\c$\remote.Company.loc.pfx"}

At this point you will need to get the Thumbprint of the installed certificate and change the binding for the management service. To do this, you will need the IIS: provider. To get the PSProvider, you must load the WebAdministration module on the remote servers.

PS C:\> Invoke-Command -Session $Sessions {Import-Module WebAdministration}

Get the certificate Thumbprint to make a new binding:

PS C:\> Invoke-Command -Session $Sessions {$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.subject -like "*company*"} | Select-Object -ExpandProperty Thumbprint}

Remove the old SSL binding:

PS C:\> Invoke-Command -Session $Sessions {Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172}

Add the new SSL binding using the certificate Thumbprint:

PS C:\> Invoke-Command -Session $Sessions {Get-Item -Path "cert:\localmachine\my\$cert" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172}
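
A variant of step 5 that keeps the PFX password out of the command text, so it does not end up in command history, script block logs or process command-line audit records. This is an added example, not code from the original article: it swaps certutil for the Import-PfxCertificate cmdlet (PKI module, Windows Server 2012 and later), follows the article's binding approach, and assumes $Sessions from step 1 and the .pfx already copied to C:\ on each server.

```powershell
# Added example: import, rebind and clean up in one pass per server.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # typed once, locally

$result = Invoke-Command -Session $Sessions -ArgumentList $pfxPassword -ScriptBlock {
    param([System.Security.SecureString]$Password)

    Import-Module WebAdministration            # provides the IIS: drive
    $pfx     = 'C:\Remote.Company.loc.pfx'     # destination of the article's copy step
    $binding = 'IIS:\SslBindings\0.0.0.0!8172'

    try {
        # Import first; -ErrorAction Stop leaves the old binding in place on failure.
        # Without -Exportable the private key is stored as non-exportable.
        $new = Import-PfxCertificate -FilePath $pfx -Password $Password `
                   -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop |
               Where-Object { $_.HasPrivateKey } | Select-Object -First 1
        if (-not $new) { throw "No certificate with a private key found in $pfx" }

        # Bind the object returned by the import, so no subject wildcard
        # has to match exactly one certificate in the store.
        if (Test-Path -Path $binding) { Remove-Item -Path $binding }
        $new | New-Item -Path $binding | Out-Null
    }
    finally {
        # Remove the key material from disk whether or not the import worked.
        Remove-Item -Path $pfx -Force -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Thumbprint = $new.Thumbprint
        Subject    = $new.Subject
        Expires    = $new.NotAfter
    }
}

# One row per server for the change record
$result | Format-Table PSComputerName, Subject, Thumbprint, Expires -AutoSize
```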

Now you're ready to connect to the Web servers using the graphical IIS Manager!

6. Connecting to the remote Web servers using the IIS Manager
The last step is to open your graphical IIS Manager, select the Start Page on the left pane and in the center pane select "Connect to a server…." Supply the server name and your credentials, and a new connection will be displayed in the navigation pane of the IIS Manager. If your client version of the graphical IIS doesn't have the Start Page, you can download that additional feature from the Web Platform Installer.

Complete
While the certificate replacement can be a little messy, most of the process is simple to perform. I don't use these steps as much as I did in the past because now my configurations are done through Desired State Configuration (DSC) -- and I have it enable everything I need. If you haven't started looking at DSC and you work with IIS, now is the time to start!

 

About the Author

Jason is a 25-year IT veteran and author at Pluralsight. He’s an avid supporter of the PowerShell community as board member and CFO of PowerShell.Org and a Windows PowerShell MVP. He is the author of “Learn Windows IIS in a Month of Lunches” and contributing author to "PowerShell Deep Dives", along with a columnist for TechNet and TechTarget Magazine and other industry publications.
