How to Configure Windows Server 2022 for Azure Hybrid Benefit

How to Install Jenkins on Windows Server 2022

Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) pipelines. Installing Jenkins on Windows Server 2022 gives your development teams a stable, enterprise-grade build server that integrates with source control, build tools, and deployment pipelines. This guide covers the complete installation process from prerequisites to a production-ready Jenkins setup running behind IIS as a reverse proxy.

Prerequisites: Installing Java Development Kit

Jenkins requires a Java Development Kit (JDK). As of Jenkins LTS 2.387+, Java 17 or Java 21 is required. Java 11 is no longer supported in current releases. Download the Microsoft Build of OpenJDK or Eclipse Temurin from the Adoptium website. The Temurin JDK 21 Windows x64 MSI installer is recommended for server deployments.

After downloading, install the JDK. Then set the JAVA_HOME environment variable system-wide. Open an elevated PowerShell session and run:

[System.Environment]::SetEnvironmentVariable("JAVA_HOME", "C:Program FilesEclipse Adoptiumjdk-21.0.3.9-hotspot", "Machine")
[System.Environment]::SetEnvironmentVariable("Path", $env:Path + ";C:Program FilesEclipse Adoptiumjdk-21.0.3.9-hotspotbin", "Machine")

Close and reopen your shell, then verify Java is accessible:

java -version

You should see output indicating Java 21. If you see an error, confirm the PATH variable was updated correctly and restart the session.

Downloading and Installing Jenkins

Jenkins offers two installation approaches on Windows: a native Windows installer (.msi) and a generic WAR file. The Windows installer is recommended for most server deployments because it sets up the Jenkins Windows service automatically.

Download the latest Jenkins LTS Windows installer from https://www.jenkins.io/download/. Choose the LTS (Long-Term Support) release for production environments, not the weekly release channel. Run the downloaded MSI as Administrator. The installer will prompt you to select the JDK location, the service account under which Jenkins runs, the port (default 8080), and the installation directory (default C:Program FilesJenkins).

During installation, choose a dedicated Windows service account rather than LocalSystem for better security isolation. Create a local account named “jenkins” before running the installer:

net user jenkins StrongPassword123! /add /comment:"Jenkins Service Account"
net localgroup Administrators jenkins /add

After installation completes, the Jenkins Windows service starts automatically. You can verify its status with:

Get-Service -Name Jenkins

Installing Jenkins as a Windows Service Manually (WAR Method)

If you prefer the WAR-based deployment, download jenkins.war from the Jenkins website. Create a directory for Jenkins and place the WAR file there:

New-Item -ItemType Directory -Path C:Jenkins
Copy-Item jenkins.war C:Jenkinsjenkins.war

To install Jenkins as a Windows service using the WAR file, run it once manually to generate the initial setup, then use sc.exe or NSSM (Non-Sucking Service Manager) to register it as a service. Using NSSM is the cleaner approach:

nssm install Jenkins "C:Program FilesEclipse Adoptiumjdk-21.0.3.9-hotspotbinjava.exe"
nssm set Jenkins AppParameters "-jar C:Jenkinsjenkins.war --httpPort=8080"
nssm set Jenkins AppDirectory "C:Jenkins"
nssm set Jenkins DisplayName "Jenkins CI Server"
nssm set Jenkins Description "Jenkins Automation Server"
nssm set Jenkins Start SERVICE_AUTO_START
nssm start Jenkins

Jenkins Initial Setup: Unlocking Jenkins

On first access at http://localhost:8080 (or the server’s IP), Jenkins displays an “Unlock Jenkins” screen. It asks for the initial administrator password stored on disk. By default the MSI installer and WAR launcher both write this file to:

%USERPROFILE%.jenkinssecretsinitialAdminPassword

If Jenkins runs as the “jenkins” service account, the path is:

C:Usersjenkins.jenkinssecretsinitialAdminPassword

Read the file content with PowerShell and paste it into the browser:

Get-Content "C:Usersjenkins.jenkinssecretsinitialAdminPassword"

Note that the MSI installer may place the Jenkins home directory at C:ProgramDataJenkins.jenkins instead, depending on the version. Check both locations if the first does not exist.

Installing Plugins and Creating an Admin User

After entering the unlock password, Jenkins presents two options: “Install suggested plugins” or “Select plugins to install.” For most CI/CD setups, choose “Install suggested plugins.” This installs the Git plugin, Pipeline plugin, Blue Ocean, credentials management, and other common integrations automatically. Plugin installation may take several minutes depending on your network connection.

After plugins install, Jenkins prompts you to create the first admin user. Fill in a username, password, full name, and email address. This replaces the temporary initialAdminPassword. Store these credentials securely in your password manager.

Next, configure the Jenkins URL. This is used in notifications and build links. Set it to the DNS name of your server:

http://jenkins.yourdomain.com:8080/

Configuring the Jenkins Workspace

The Jenkins workspace directory stores all job workspaces, build artifacts, and configuration. By default it is located at the Jenkins home directory (C:ProgramDataJenkins.jenkins or C:Usersjenkins.jenkins). For servers with dedicated data disks, relocate the workspace to a data volume to avoid filling the OS disk.

Set the JENKINS_HOME environment variable before starting the service, or configure it in the service’s environment. To change it for the Windows service:

[System.Environment]::SetEnvironmentVariable("JENKINS_HOME", "D:JenkinsData", "Machine")

Restart the Jenkins service after changing JENKINS_HOME and confirm the data directory is initialized at the new location.

Using the Jenkins CLI

Jenkins includes a CLI (Command Line Interface) accessible via the jenkins-cli.jar. Download it from your Jenkins instance:

Invoke-WebRequest -Uri "http://localhost:8080/jnlpJars/jenkins-cli.jar" -OutFile "C:Jenkinsjenkins-cli.jar"

Use the CLI to manage Jenkins programmatically. Authenticate with an API token generated from your user profile in the Jenkins web UI (User > Configure > API Token > Add new Token):

java -jar C:Jenkinsjenkins-cli.jar -s http://localhost:8080/ -auth admin:YOUR_API_TOKEN list-jobs
java -jar C:Jenkinsjenkins-cli.jar -s http://localhost:8080/ -auth admin:YOUR_API_TOKEN build my-pipeline-job
java -jar C:Jenkinsjenkins-cli.jar -s http://localhost:8080/ -auth admin:YOUR_API_TOKEN install-plugin git pipeline-model-definition

The CLI can also be used to reload configuration, safely restart Jenkins, and import/export jobs as XML, making it useful for infrastructure-as-code workflows.

Configuring Tools: JDK, Maven, and Git in Global Tool Configuration

Jenkins needs to know where build tools are installed. Navigate to Manage Jenkins > Global Tool Configuration. Under JDK, click “Add JDK,” give it a name like “JDK 21,” uncheck “Install automatically,” and set JAVA_HOME to the JDK path. Repeat for Maven: click “Add Maven,” name it “Maven 3.9,” and provide the path to the Maven installation directory. For Git, provide the path to git.exe, typically:

C:Program FilesGitbingit.exe

If you want Jenkins to auto-install tools, check “Install automatically” and select the version from the dropdown. Jenkins will download and install the tool the first time a job requires it. This is convenient for disposable build agents but may cause delays on first builds.

Configuring the Firewall Rule for Port 8080

Windows Server 2022 blocks inbound connections by default. Add a firewall rule to allow access to Jenkins on port 8080:

New-NetFirewallRule -DisplayName "Jenkins HTTP" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 8080 `
  -Action Allow `
  -Profile Domain,Private

For production environments, restrict source IP addresses to known developer workstations or your internal network rather than allowing all inbound connections. You can scope the rule with the -RemoteAddress parameter:

New-NetFirewallRule -DisplayName "Jenkins HTTP Restricted" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 8080 `
  -Action Allow `
  -RemoteAddress 192.168.1.0/24

Running Jenkins Behind an IIS Reverse Proxy

Exposing Jenkins on port 80 or 443 via IIS provides TLS termination, integrates with existing server certificates, and allows using a proper DNS name without port numbers in the URL. First install IIS and the URL Rewrite module and the Application Request Routing (ARR) module on the server:

Install-WindowsFeature Web-Server, Web-Mgmt-Tools
# Download and install ARR 3.0 and URL Rewrite from Microsoft's site

Enable proxy functionality in ARR. Open IIS Manager, click the server node, open “Application Request Routing Cache,” click “Server Proxy Settings,” and check “Enable proxy.” Apply.

Create a new site in IIS bound to port 443 with your TLS certificate. In the site’s web.config, add the following URL rewrite rules to forward traffic to Jenkins on port 8080:

After applying the IIS configuration, update the Jenkins URL in Manage Jenkins > Configure System > Jenkins URL to reflect the HTTPS hostname. Also configure the X-Forwarded-For and X-Forwarded-Proto headers so Jenkins records the correct client IP addresses in build logs. This completes a production-ready Jenkins installation on Windows Server 2022 with secure access over HTTPS via IIS.