It was first introduced in Windows Server 2012, and back then, I was amazed by it, really liked it, and… It’s still there, even in Windows Server 2022. I will show you what it is and how it works in this blog post.
What is Windows PowerShell Web Access?
Who should use it?
Azure Cloud Shell has more functions and also runs in a browser, but for 365/Azure. Windows PowerShell Web Access is more suitable for on-prem management and you can restrict access for users to specific servers on which they can run a task. Easy for on the go, you just need a browser and no local installation of modules on a local device.
How to install
You can install it from the Roles and Features GUI using Server Manager:
Or from a PowerShell command prompt:
Install-WindowsFeature –Name WindowsPowerShellWebAccess -IncludeManagementTools
At the end of the installation this link is shown:
For more information about how to finish installing and configuring Windows PowerShell Web Access, see http://go.microsoft.com/fwlink/?LinkID=221050.
This link is the same one from Microsoft Learn like I shared above. Restart the server to complete the installation.
Configuring the Gateway
To add the PSWA (PowerShellWebAccess) website to IIS, you must run to Install-PsaWebApplication cmdlet. You can run this with the -UseTestCertificate to let it create a certificate for you. This is ok for testing, but it’s better to have an official certificate. (My test Server is a Certificate Authority and I will be using a certificate from that).
In this example below I install the PSWA website on my test server:
PS C:\Users\Administrator> Install-PswaWebApplication Creating application pool pswa_pool... Name State Applications ---- ----- ------------ pswa_pool Started Creating web application pswa... Path : /pswa ApplicationPool : pswa_pool EnabledProtocols : http PhysicalPath : C:\Windows\Web\PowerShellWebAccess\wwwroot
Users need to be granted access before they can use PowerShell Web Access. You can do this by creating an authorization rule. To limit access to server W2K22Member.test.local to the test\administrator account, for example, you can create the Authorization Rule by running:
Add-PswaAuthorizationRule –UserName Test\Administrator -ComputerName W2K22Member.test.local -ConfigurationName Microsoft.powerShell
After running the command, you should see this:
How to use Windows PowerShell Web Access
Now that the Windows Feature is installed and the access is there, you can use your browser and connect to https://servername.domain.local/pswa. (In my example, https://w2k22dc.test.local/pswa) Note that it shows Windows Server 2016 even though my server is running Windows Server 2022 😉
You can now enter the credentials:
After clicking Sign In, you will see this:
In the lower right you can see the server that you are connected to. You can type command using the line at the buttom and clicking on Submit. I ran the Get-Service cmdlet and it shows all the services, for example:
You can reconnect your session after inactivity, delete or start a new session:
But you can also Save your session and return to it by clicking on Save:
You can autocomplete commands using the Tab-key or the arrow pointing right works and you can browse the History by clicking the arrow pointing up or using the Up-Arrow. Keys that don’t work are: (Because you’re running it in a browser)
There’s a list of things that don’t work here, most important ones are:
- Double-hop. You can encounter the double-hop (or connecting to a second computer from the first connection) limitation if you try to create or work on a new session by using Windows PowerShell Web Access. Windows PowerShell Web Access uses a remote runspace, and currently, PowerShell.exe does not support establishing a remote connection to a second computer from a remote runspace. If you attempt to connect to a second remote computer from an existing connection by using the Enter-PSSession cmdlet, for example, you can get various errors, such as “Cannot get network resources.”
- Windows PowerShell Web Access uses and has the same limitations as a remote Windows PowerShell session. Commands that directly call Windows console APIs, such as those for console-based editors or text-based menu programs, do not work because the commands do not read or write to standard input, output, and error pipes. Therefore, commands that launch an executable file, such as notepad.exe, or display a GUI, such as OpenGridView or ogv, do not work. Your experience is affected by this behavior; to you, it appears that Windows PowerShell Web Access is not responding to your command.
- Persistent Windows PowerShell sessions (Reconnection). After you time out of the Windows PowerShell Web Access gateway, the remote connection between the gateway and the target computer is closed. This stops any cmdlets or scripts that are currently in process. You are encouraged to use the Windows PowerShell -Job infrastructure when you are performing long-running tasks, so that you can start jobs, disconnect from the computer, reconnect later, and have jobs persist. Another benefit of using -Job cmdlets is that you can start them by using Windows PowerShell Web Access, sign out, and then reconnect later, either by running Windows PowerShell Web Access or another host (such as Windows PowerShell® Integrated Scripting Environment (ISE)).
You can find more information about Windows PowerShell Web Access in the link mentioned above in the first chapter, interesting links to secure access even more: