PowerShell on Target Machines task
TFS 2017 | TFS 2015
Use this task to execute PowerShell scripts on remote machine(s).
This task can run both PowerShell scripts and PowerShell-DSC scripts:
- For PowerShell scripts, the computers must have PowerShell 2.0 or higher installed.
- For PowerShell-DSC scripts, the computers must have the latest version of the Windows Management Framework installed. This is installed by default on Windows 8.1, Windows Server 2012 R2, and later.
Note
In Microsoft Team Foundation Server (TFS) 2018 and previous versions, build and release pipelines are called definitions, runs are called builds, service connections are called service endpoints, stages are called environments, and jobs are called phases.
Prerequisites
This task uses Windows Remote Management (WinRM) to access on-premises physical computers or virtual computers that are domain-joined or workgroup-joined.
To set up WinRM for on-premises physical computers or virtual machines
Follow the steps described in domain-joined
To set up WinRM for Microsoft Azure Virtual Machines
Azure Virtual Machines require WinRM to use the HTTPS protocol. You can use a self-signed Test Certificate. In this case, the automation agent will not validate the authenticity of the certificate as being issued by a trusted certification authority.
Azure Classic Virtual Machines. When you create a classic virtual machine from the Azure portal, the virtual machine is already set up for WinRM over HTTPS, with the default port 5986 already opened in the firewall and a self-signed certificate installed on the machine. These virtual machines can be accessed with no further configuration required. Existing Classic virtual machines can be also selected by using the Azure Resource Group Deployment task.
Azure Resource Group. If you have an Azure Resource Group
already defined in the Azure portal, you must configure it to use the WinRM HTTPS protocol. You need to open port 5986 in the firewall, and install a self-signed certificate.
To dynamically deploy Azure Resource Groups that contain virtual machines, use the Azure Resource Group Deployment task. This task has a checkbox named Enable Deployment Prerequisites. Select this to automatically set up the WinRM HTTPS protocol on the virtual machines, open port 5986 in the firewall, and install a test certificate. The virtual machines are then ready for use in the deployment task.
Arguments
| Argument | Description |
|---|---|
| Machines | A comma-separated list of machine FQDNs or IP addresses, optionally including the port number. Can be: - The name of an Azure Resource Group. - A comma-delimited list of machine names. Example: dbserver.fabrikam.com,dbserver_int.fabrikam.com:5986,192.168.34:5986- An output variable from a previous task. If you do not specify a port, the default WinRM port is used. This depends on the protocol you have configured: for WinRM 2.0, the default HTTP port is 5985 and the default HTTPS port is 5986. |
| Admin Login | The username of either a domain or a local administrative account on the target host(s). - Formats such as username, domain\username, machine-name\username, and .\username are supported. - UPN formats such as username@domain.com and built-in system accounts such as NT Authority\System are not supported. |
| Password | The password for the administrative account specified above. Consider using a secret variable global to the build or release pipeline to hide the password. Example: $(passwordVariable) |
| Protocol | The protocol that will be used to connect to the target host, either HTTP or HTTPS. |
| Test Certificate | If you choose the HTTPS option, set this checkbox to skip validating the authenticity of the machine's certificate by a trusted certification authority. |
| Deployment - PowerShell Script | The location of the PowerShell script on the target machine. Can include environment variables such as $env:windir and $env:systemroot Example: C:\FabrikamFibre\Web\deploy.ps1 |
| Deployment - Script Arguments | The arguments required by the script, if any. Example: -applicationPath $(applicationPath) -username $(vmusername) -password $(vmpassword) |
| Deployment - Initialization Script | The location on the target machine(s) of the data script used by PowerShell-DSC. It is recommended to use arguments instead of an initialization script. |
| Deployment - Session Variables | Used to set up the session variables for the PowerShell scripts. A comma-separated list such as $varx=valuex, $vary=valuey Most commonly used for backward compatibility with earlier versions of the release service. It is recommended to use arguments instead of session variables. |
| Advanced - Run PowerShell in Parallel | Set this option to execute the PowerShell scripts in parallel on all the target machines |
| Advanced - Select Machines By | Depending on how you want to specify the machines in the group when using the Filter Criteria parameter, choose Machine Names or Tags. |
| Advanced - Filter Criteria | Optional. A list of machine names or tag names that identifies the machines that the task will target. The filter criteria can be: - The name of an Azure Resource Group. - An output variable from a previous task. - A comma-delimited list of tag names or machine names. Format when using machine names is a comma-separated list of the machine FQDNs or IP addresses. Specify tag names for a filter as {TagName}:{Value} Example: Role:DB;OS:Win8.1 |
| Control options | See Control options |
Version 3.x of the task includes the Inline script setting where you can enter your PowerShell script code.
Open source
This task is open source on GitHub. Feedback and contributions are welcome.
FAQ
Do I need an agent?
You need at least one agent to run your build or release.
I'm having problems. How can I troubleshoot them?
See Troubleshoot Build and Release.
I can't select a default agent pool and I can't queue my build or release. How do I fix this?
See Agent pools.
My NuGet push task is failing with the following error: "Error: unable to get local issuer certificate". How can I fix this?
This can be fixed by adding a trusted root certificate. You can either add the NODE_EXTRA_CA_CERTS=file environment variable to your build agent, or you can add the NODE.EXTRA.CA.CERTS=file task variable in your pipeline. See Node.js documentation for more details about this variable. See Set variables in a pipeline for instructions on setting a variable in your pipeline.
I use TFS on-premises and I don't see some of these features. Why not?
Some of these features are available only on Azure Pipelines and not yet available on-premises. Some features are available on-premises if you have upgraded to the latest version of TFS.