Customizable OSD PowerShell Web Service

Using web services for OSD is a great way to allow your task sequence to request changes to your ConfigMgr or Active Directory environment even if your devices are running from WinPE.  The problem for many IT administrators is that they either need to find a web service online that has all of the functionality they need, or they need to learn a web development framework to build their own.  I wrote the PowerShell Web Service to help bridge the gap – it allows you to customize all of the available web calls by writing new PowerShell scripts or editing the out-of-box samples.

URL Structure
The URL format is http://<servername>/powershell/<scriptname> , where <scriptname> is the name of the .ps1 file that you want to run on the server.  If your script has parameters, you can pass them in with the format http://<servername>/powershell/demo/scriptparam1=value1;scriptparam2=value2

This URL would call the demo.ps1 script with the arguments -scriptparam1=value1 -scriptparam2=value2

Folder Structure
The scripts can be stored in one of four folders: Delete, Get, Post, and Put.  Each folder corresponds to a REST verb.  If you want to run a script in the Post folder, you would need to send a POST request to http://<servername>/powershell/<scriptname>.

For example, if you wanted to run the DeleteUnknownDevice.ps1 sample script in the Delete folder, you could use the following PowerShell.

Invoke-RestMethod -Method DELETE -uri "http://server/powershell/deleteunknowndevice/sitecode=ps1;smsprovider=server" -UseDefaultCredentials


The DeleteUnknownDevice.ps1 file accepts siteCode and smsProvider as script parameters, so those parameters are passed in to the script:

Remove-CimInstance -Query "select * from SMS_R_System where SMS_R_System.Unknown = 1" -ComputerName $smsProvider -Namespace root\sms\site_$siteCode

Note that the REST verb exclusively determines which folder is searched for the script.  If you have a DeleteUnknownDevice script in the Delete folder but try to do a POST request, the request will fail.

Body Parameters
If you have a lot of parameters to your PowerShell script or have parameters that would not be encoded nicely in the URL, you can also pass parameters via the body on PUT and POST requests.  For example, I could call the AddToAdGroup script in the Post folder with the following PowerShell:

$dict = @{}
$dict.Add("user", "test_user")
$dict.Add("group", "CM-Admins")
$json = $dict | ConvertTo-Json
Invoke-RestMethod -Method POST -uri "http://server/powershell/AddToAdGroup" -UseDefaultCredentials -Body $json -ContentType "application/json"

The PowerShell web service has support for custom authorization.  The Authorize\authorize.ps1 script is called for every web request to determine if a user is allowed to access a script.  The authorize.ps1 script takes the username and script name as parameters and returns true if the user is allowed to run the script and false otherwise.  If the user is not allowed to run a script, a 401 response is returned from the web server.
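A default-deny authorize.ps1 along the lines described above, as an added example that is not the sample shipped with the web service.  The parameter names $UserName and $ScriptName, the account names in the policy, and the log file name are assumptions; check the shipped Authorize\authorize.ps1 for the names the service actually passes.

```powershell
# authorize.ps1 - added example, not the shipped sample.
# Assumption: the service passes the caller and the requested script
# as -UserName and -ScriptName and reads a single boolean from the output.
param(
    [Parameter(Mandatory = $true)][string]$UserName,    # e.g. CONTOSO\svc-osd
    [Parameter(Mandatory = $true)][string]$ScriptName   # e.g. AddToAdGroup
)

# Constructed policy: script name -> accounts allowed to run it.
# A script that is not listed here cannot be run by anyone.
$policy = @{
    'DeleteUnknownDevice' = @('CONTOSO\svc-osd')
    'AddToAdGroup'        = @('CONTOSO\svc-osd', 'CONTOSO\helpdesk-lead')
}

function Test-ScriptAccess {
    param([string]$User, [string]$Script, [hashtable]$Policy)

    # Accept the name with or without the .ps1 extension (assumption:
    # it is not known which form the service passes).
    $name = $Script -replace '\.ps1$', ''

    # The script name originates from the request URL, so accept only a
    # plain file name: no path separators, dots, or wildcards.
    if ($name -notmatch '^[A-Za-z0-9_-]{1,64}$') { return $false }

    # Keys of a hashtable literal compare case-insensitively, matching
    # the case-insensitive script names used in the URL.
    if (-not $Policy.ContainsKey($name)) { return $false }

    # -contains is also case-insensitive for strings.
    return ($Policy[$name] -contains $User)
}

$allowed = Test-ScriptAccess -User $UserName -Script $ScriptName -Policy $policy

if (-not $allowed) {
    # Record denials for later review. The log file name is hypothetical.
    $line = '{0:o} DENY user="{1}" script="{2}"' -f (Get-Date), $UserName, $ScriptName
    Add-Content -Path (Join-Path $PSScriptRoot 'authorize-denied.log') -Value $line
}

# The only value written to the output stream is the decision.
$allowed
```

Keeping the decision in one function makes it possible to exercise the policy from a console (for example, confirming that an unlisted script or a name containing a path separator returns false) before placing the file in the Authorize folder.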

You can install the web service using the MSI on our website.  The installation prompts for a username, password, and port number.  These are used to configure the PsWebSvc Application Pool account and the port that the PowerShell Web Service IIS site listens on.  Note that if the out of box scripts are used and the installation is performed on a server other than your SMS Provider server, you will need to add the service account to the WinRMRemoteWMIUsers__ group on your SMS Provider since the default scripts use the CIM cmdlets.

 Find the PowerShell Web Service download on the ImageConnect page!