How to Set Up Windows Server 2016 PowerShell Web Access

PowerShell Web Access (PSWA) is a feature in Windows Server 2016 that provides a web-based PowerShell console, allowing administrators to run PowerShell commands from any device with a modern browser. This is particularly valuable in environments where traditional remote management tools are blocked by firewalls, or when connecting from a machine that does not have PowerShell installed locally.

PSWA acts as a gateway: the browser connects to an IIS web application on the server, which in turn establishes a PowerShell remoting session to whatever target computer the user specifies. The result is a full interactive PowerShell terminal accessible through HTTPS. This guide walks through every step required to get PSWA running on Windows Server 2016, from installation through authorization and ongoing administration.

Prerequisites

You need a Windows Server 2016 machine with administrative privileges. Internet Information Services will be installed automatically if it is absent. For production deployments, obtain a valid SSL certificate issued by a trusted certificate authority and bind it to the IIS site. You should also ensure PowerShell remoting is enabled on any target servers you plan to manage through PSWA:

Enable-PSRemoting -Force

Confirm that the Windows Remote Management service is running and that inbound port 5985 (HTTP) or 5986 (HTTPS) is permitted on the target machines.

Step 1: Install the PowerShell Web Access Feature

Open an elevated PowerShell session on the gateway server and run the Install-WindowsFeature cmdlet to add PSWA along with its management tools:

Install-WindowsFeature WindowsPowerShellWebAccess -IncludeManagementTools

The installation pulls in IIS and its required role services automatically. When the output shows Success as True, the feature is ready to configure.

Step 2: Configure the Web Application

Run Install-PswaWebApplication to create the pswa IIS application. In a test environment you can use a self-signed certificate:

Install-PswaWebApplication -UseTestCertificate

In production, first import your SSL certificate into the Local Machine certificate store, note its thumbprint, and bind it manually in IIS Manager. Then run the cmdlet with the test-certificate switch explicitly disabled:

Install-PswaWebApplication -WebApplicationName pswa -UseTestCertificate:$false

Open IIS Manager afterward and verify the pswa application appears under Default Web Site and that HTTPS is configured on port 443.

Step 3: Add Authorization Rules

PSWA uses an explicit allowlist model. No connections are permitted until you add authorization rules. The Add-PswaAuthorizationRule cmdlet defines which users may connect to which computers using which session configurations.

Allow a single domain user to connect to one named computer with any session configuration:

Add-PswaAuthorizationRule -UserName CORP\jsmith -ComputerName WEB01 -ConfigurationName *

Allow all members of a security group to connect to any computer (suitable only for tightly controlled lab environments):

Add-PswaAuthorizationRule -UserGroupName CORP\ServerAdmins -ComputerName * -ConfigurationName *

List all current rules to confirm your changes:

Get-PswaAuthorizationRule

Step 4: Open the Firewall

Create an inbound firewall rule to allow HTTPS traffic if Windows Firewall is active on the gateway server:

New-NetFirewallRule -DisplayName "PSWA HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

Verify the rule was created:

Get-NetFirewallRule -DisplayName "PSWA HTTPS"

Step 5: Test Access from a Browser

Navigate to the gateway URL from any machine on the network:

https://GatewayServerName/pswa

The sign-in page prompts for a username, password, and the name of the computer to connect to. After authentication and authorization succeed, a web-based PowerShell window opens. You can execute any command the remote session permits, including file operations, service management, and module imports.

Step 6: Managing and Auditing Rules

Periodically review authorization rules. Remove stale entries by ID:

Remove-PswaAuthorizationRule -Id 2

Test whether a specific user would be authorized before they attempt to connect:

Test-PswaAuthorizationRule -UserName CORP\jsmith -ComputerName WEB01
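
A periodic review is easier when wildcard rules are flagged automatically. The function below is an added example, not part of the original guide or of the PSWA module: it reports every rule that leaves the user, computer, or session configuration open. The name Find-BroadPswaRule, the sample rules, and the assumption that rule objects carry the properties shown in the default Get-PswaAuthorizationRule table are the example's own.

```powershell
# Added example, not part of the original guide.
# Assumption: each rule object exposes Id, RuleName, User, Destination and
# ConfigurationName, the columns Get-PswaAuthorizationRule prints by default.
function Find-BroadPswaRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        # -eq is a literal comparison here; -like '*' would match every value.
        $wildcards = @()
        if ($Rule.User -eq '*')              { $wildcards += 'any user' }
        if ($Rule.Destination -eq '*')       { $wildcards += 'any computer' }
        if ($Rule.ConfigurationName -eq '*') { $wildcards += 'any session configuration' }

        if ($wildcards.Count -gt 0) {
            [pscustomobject]@{
                Id        = $Rule.Id
                RuleName  = $Rule.RuleName
                User      = $Rule.User
                Priority  = if ($wildcards.Count -ge 2) { 'High' } else { 'Review' }
                Wildcards = $wildcards -join ', '
            }
        }
    }
}

# Constructed sample data: the two rules from Step 3 plus a hypothetical
# fully scoped rule (CORP\websvc, WEB02 and the WebOps endpoint are made up).
$sampleRules = @(
    [pscustomobject]@{ Id = 0; RuleName = 'Rule 0'; User = 'CORP\jsmith'
                       Destination = 'WEB01'; ConfigurationName = '*' }
    [pscustomobject]@{ Id = 1; RuleName = 'Rule 1'; User = 'CORP\ServerAdmins'
                       Destination = '*'; ConfigurationName = '*' }
    [pscustomobject]@{ Id = 2; RuleName = 'Rule 2'; User = 'CORP\websvc'
                       Destination = 'WEB02'; ConfigurationName = 'WebOps' }
)

$sampleRules | Find-BroadPswaRule | Format-Table -AutoSize

# On the gateway, audit the live rule set instead:
# Get-PswaAuthorizationRule | Find-BroadPswaRule
```

Rules with two or more wildcards are marked High because they combine an open target with an unrestricted session configuration; treat those as the first candidates for Remove-PswaAuthorizationRule or for replacement with a scoped rule.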

Security Best Practices

Never expose PSWA directly to the public internet without additional controls. Place it behind a VPN or web application firewall. Always use a certificate from a trusted CA in production. Apply the principle of least privilege to authorization rules, naming specific session configurations rather than using wildcards wherever possible. Monitor IIS access logs and the Windows Security event log for failed authentication attempts, which may indicate a brute-force attack against the gateway.

Consider enabling Windows Defender Credential Guard and configuring account lockout policies to protect against credential stuffing. Rotate SSL certificates before expiry and check IIS binding validity after each renewal.

Removing PSWA

To decommission PSWA, first remove the web application and then uninstall the feature:

Uninstall-PswaWebApplication
Remove-WindowsFeature WindowsPowerShellWebAccess

PowerShell Web Access on Windows Server 2016 bridges the gap between convenience and security for remote administration. With properly scoped authorization rules, a valid SSL certificate, and sound network controls, it becomes a reliable tool for teams that need flexible, browser-based access to their server estate.