Manually deploy Windows Admin Center in Azure for managing multiple servers

This article describes how to manually deploy Windows Admin Center in an Azure VM for use in managing multiple Azure VMs. To manage a single VM, instead use the Windows Admin Center functionality built into the Azure portal, as described in Use Windows Admin Center in the Azure portal.

Deploy using script

You can download Deploy-WACAzVM.ps1 which you will run from Azure Cloud Shell to set up a Windows Admin Center gateway in Azure. This script can create the entire environment, including the resource group.

Jump to manual deployment steps


  • Set up your account in Azure Cloud Shell. If this is your first time using Cloud Shell, you will be asked you to associate or create an Azure storage account with Cloud Shell.
  • In a PowerShell Cloud Shell, navigate to your home directory: PS Azure:\> cd ~
  • To upload the Deploy-WACAzVM.ps1 file, drag and drop it from your local machine to anywhere on the Cloud Shell window.

If specifying your own certificate:

  • Upload the certificate to Azure Key Vault. First, create a key vault in Azure portal, then upload the certificate into the key vault. Alternatively, you can use Azure portal to generate a certificate for you.

Script parameters

  • ResourceGroupName - [String] Specifies the name of the resource group where the VM will be created.

  • Name - [String] Specifies the name of the VM.

  • Credential - [PSCredential] Specifies the credentials for the VM.

  • MsiPath - [String] Specifies the local path of the Windows Admin Center MSI when deploying Windows Admin Center on an existing VM. Defaults to the version from if omitted.

  • VaultName - [String] Specifies the name of the key vault that contains the certificate.

  • CertName - [String] Specifies the name of the certificate to be used for MSI installation.

  • GenerateSslCert - [Switch] True if the MSI should generate a self signed ssl certificate.

  • PortNumber - [int] Specifies the ssl port number for the Windows Admin Center service. Defaults to 443 if omitted.

  • OpenPorts - [int[]] Specifies the open ports for the VM.

  • Location - [String] Specifies the location of the VM.

  • Size - [String] Specifies the size of the VM. Defaults to "Standard_DS1_v2" if omitted.

  • Image - [String] Specifies the image of the VM. Defaults to "Win2016Datacenter" if omitted.

  • VirtualNetworkName - [String] Specifies the name of the virtual network for the VM.

  • SubnetName - [String] Specifies the name of the subnet for the VM.

  • SecurityGroupName - [String] Specifies the name of the security group for the VM.

  • PublicIpAddressName - [String] Specifies the name of the public IP address for the VM.

  • InstallWACOnly - [Switch] Set to True if WAC should be installed on a pre-existing Azure VM.

There are 2 different options for the MSI to deploy and the certificate used for MSI installation. The MSI can either be downloaded from or, if deploying to an existing VM, the filepath of an MSI locally on the VM can be given. The certificate can be found in either Azure Key Vault or a self-signed certificate will be generated by the MSI.

Script Examples

First, define common variables needed for the parameters of the script.

$ResourceGroupName = "wac-rg1"
$VirtualNetworkName = "wac-vnet"
$SecurityGroupName = "wac-nsg"
$SubnetName = "wac-subnet"
$VaultName = "wac-key-vault"
$CertName = "wac-cert"
$Location = "westus"
$PublicIpAddressName = "wac-public-ip"
$Size = "Standard_D4s_v3"
$Image = "Win2016Datacenter"
$Credential = Get-Credential

Example 1: Use the script to deploy WAC gateway on a new VM in a new virtual network and resource group. Use the MSI from and a self-signed cert from the MSI.

$scriptParams = @{
    ResourceGroupName = $ResourceGroupName
    Name = "wac-vm1"
    Credential = $Credential
    VirtualNetworkName = $VirtualNetworkName
    SubnetName = $SubnetName
    GenerateSslCert = $true
./Deploy-WACAzVM.ps1 @scriptParams

Example 2: Same as #1, but using a certificate from Azure Key Vault.

$scriptParams = @{
    ResourceGroupName = $ResourceGroupName
    Name = "wac-vm2"
    Credential = $Credential
    VirtualNetworkName = $VirtualNetworkName
    SubnetName = $SubnetName
    VaultName = $VaultName
    CertName = $CertName
./Deploy-WACAzVM.ps1 @scriptParams

Example 3: Using a local MSI on an existing VM to deploy WAC.

$MsiPath = "C:\Users\<username>\Downloads\WindowsAdminCenter<version>.msi"
$scriptParams = @{
    ResourceGroupName = $ResourceGroupName
    Name = "wac-vm3"
    Credential = $Credential
    MsiPath = $MsiPath
    InstallWACOnly = $true
    GenerateSslCert = $true
./Deploy-WACAzVM.ps1 @scriptParams

Requirements for VM running the Windows Admin Center gateway

Port 443 (HTTPS) must be open. Using the same variables defined for script, you can use the code below in Azure Cloud Shell to update the network security group:

$nsg = Get-AzNetworkSecurityGroup -Name $SecurityGroupName -ResourceGroupName $ResourceGroupName
$newNSG = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name ssl-rule -Description "Allow SSL" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $newNSG

Requirements for managed Azure VM's

Port 5985 (WinRM over HTTP) must be open and have an active listener. You can use the code below in Azure Cloud Shell to update the managed nodes. $ResourceGroupName and $Name use the same variables as the deployment script, but you will need to use the $Credential specific to the VM you are managing.

Enable-AzVMPSRemoting -ResourceGroupName $ResourceGroupName -Name $Name
Invoke-AzVMCommand -ResourceGroupName $ResourceGroupName -Name $Name -ScriptBlock {Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any} -Credential $Credential
Invoke-AzVMCommand -ResourceGroupName $ResourceGroupName -Name $Name -ScriptBlock {winrm create winrm/config/Listener?Address=*+Transport=HTTP} -Credential $Credential

Deploy manually on an existing Azure virtual machine

Before installing Windows Admin Center on your desired gateway VM, install a SSL certificate to use for HTTPS communication, or you can choose to use a self-signed certificate generated by Windows Admin Center. However, you will get a warning when trying to connect from a browser if you choose the latter option. You can bypass this warning in Edge by clicking Details > Go on to the webpage or, in Chrome, by selecting Advanced > Proceed to [webpage]. We recommend you only use self-signed certificates for test environments.


These instructions are for installing on Windows Server with Desktop Experience, not on a Server Core installation.

  1. Download Windows Admin Center to your local computer.

  2. Establish a remote desktop connection to the VM, then copy the MSI from your local machine and paste into the VM.

  3. Double-click the MSI to begin installation, and follow the instructions in the wizard. Be aware of the following:

    • By default, the installer uses the recommended port 443 (HTTPS). If you want to select a different port, note that you need to open that port in your firewall as well.

    • If you have already installed an SSL certificate on the VM, ensure you select that option and enter the thumbprint.

  4. Start the Windows Admin Center service (run C:/Program Files/Windows Admin Center/sme.exe)

Learn more about deploying Windows Admin Center.

Configure the gateway VM to enable HTTPS port access:

  1. Navigate to your VM in the Azure portal and select Networking.

  2. Select Add inbound port rule and select HTTPS under Service.


If you chose a port other than the default 443, choose Custom under Service and enter the port you chose in step 3 under Port ranges.

Accessing a Windows Admin Center gateway installed on an Azure VM

At this point, you should be able to access Windows Admin Center from a modern browser (Edge or Chrome) on your local computer by navigating to the DNS name of your gateway VM.


If you selected a port other than 443, you can access Windows Admin Center by navigating to https://<DNS name of your VM>:<custom port>

When you attempt to access Windows Admin Center, the browser will prompt for credentials to access the virtual machine on which Windows Admin Center is installed. Here you will need to enter credentials that are in the Local users or Local administrators group of the virtual machine.

In order to add other VMs in the VNet, ensure WinRM is running on the target VMs by running the following in PowerShell or the command prompt on the target VM: winrm quickconfig

If you haven't domain-joined the Azure VM, the VM behaves like a server in workgroup, so you'll need to make sure you account for using Windows Admin Center in a workgroup.