Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Configure Server To Server Authentication | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/hybrid/configure-server-to-server-authentication.md | $serviceConfig.Update() ## Configure server-to-server authentication between on-premises SharePoint Server and SharePoint in Microsoft 365 <a name="s2s"> </a> -This section will help you set up server-to-server authentication among: +This section helps you set up server-to-server authentication among: - SharePoint Server To install the online service management tools and configure the PowerShell wind 9. Enter the following commands to sign in to SharePoint in Microsoft 365, from the PowerShell command prompt: ```powershell- Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory" + Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory","Organization.ReadWrite.All" ``` - You are prompted to sign in. You need to sign in using a Microsoft 365 global admin account. You can explore [other ways to connect to Microsoft Graph](/powershell/microsoftgraph/authentication-commands). + You're prompted to sign in. You need to sign in using a Microsoft 365 global admin account. You can explore [other ways to connect to Microsoft Graph](/powershell/microsoftgraph/authentication-commands). Leave the PowerShell window open until you've completed all the steps in this article. You need it for a variety of procedures in the following sections. Now that you installed the tools to enable you to remotely administer Microsoft #### About the variables you'll create -This section describes the variables you will set in the procedure that follows. These variables contain important information used in many of the remaining configuration steps. +This section describes the variables you'll set in the procedure that follows. These variables contain important information used in many of the remaining configuration steps. |Variable|Comments| |:--|:--|-|$spcn|The root domain name of your public domain. This value should not be in the form of a URL; it should be the **domain name only**, with **no protocol**. <br/> An example is adventureworks.com.| -|$spsite|The internal URL of your on-premises primary web application, such as **http://sharepoint** or **`https://sharepoint.adventureworks.com`**. This value is a full URL using the proper protocol (either **http:** // or **https://** ). <br/> This is the internal URL of the web application that you are using for hybrid functionality. <br/> An example is http://sharepoint or `https://sharepoint.adventureworks.com`.| +|$spcn|The root domain name of your public domain. This value shouldn't be in the form of a URL; it should be the **domain name only**, with **no protocol**. <br/> An example is adventureworks.com.| +|$spsite|The internal URL of your on-premises primary web application, such as **http://sharepoint** or **`https://sharepoint.adventureworks.com`**. This value is a full URL using the proper protocol (either **http:** // or **https://** ). <br/> This is the internal URL of the web application that you're using for hybrid functionality. <br/> An example is http://sharepoint or `https://sharepoint.adventureworks.com`.| |$site|The object of your on-premises primary web application. The command that populates this variable gets the object of the site you specified in the **$spsite** variable. <br/> This variable is automatically populated.| |$spoappid|The SharePoint in Microsoft 365 application principal ID is always 00000003-0000-0ff1-ce00-000000000000. This generic value identifies SharePoint in Microsoft 365 objects in a Microsoft 365 organization.| |$spocontextID|The context ID (ObjectID) of your SharePoint in Microsoft 365 tenant. This value is a unique GUID that identifies your SharePoint in Microsoft 365 tenant. <br/> This value is automatically detected when you run the command to set the variable.| $spsite=Get-Spsite <principal_web_application_URL> $site=Get-Spsite $spsite $spoappid="00000003-0000-0ff1-ce00-000000000000" $spocontextID = (Get-MgOrganization).Id-$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1 +$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1" ``` After you populate these variables, you can view their values by entering the variable name in the PowerShell window. For example, entering `$metadataEndpoint` returns a value similar to the following: The commands in this step add the on-premises STS certificate (public key only) From the PowerShell command prompt, type the following commands. ```powershell-Import-Module Microsoft.Graph.Applications --$params = @{ - keyCredential = @{ - type = "AsymmetricX509Cert" - usage = "Verify" - key = [System.Text.Encoding]::ASCII.GetBytes("MIIDYDCCAki...") - } - passwordCredential = $null - proof = "eyJ0eXAiOiJ..." +$Cert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate ++$principal = Get-MgServicePrincipal -Filter "AppId eq '$spoappidΓÇÖΓÇ¥ -Property "Id,DisplayName,KeyCredentials,AppId" ++$existingCerts = $principal.KeyCredentials ++$keyCredentials = @(@{ Type = "AsymmetricX509Cert"; Usage = "Verify"; Key = $Cert.RawData; KeyId = New-Guid; StartDateTime = $Cert.NotBefore; EndDateTime = $Cert.NotAfter; }) ++$noUpdate = $false ++foreach($existingCert in $existingCerts) { ++ if ([string]$existingCert.Key -eq [string]$Cert.RawData) { ++ $noUpdate = $true ++ break ++ } ++ else { ++ $existingCert.Key = $null ++ $keyCredentials += $existingCert ++ } } -Add-MgServicePrincipalKey -ServicePrincipalId $spoappid -BodyParameter $params +if (-Not $noUpdate) { ++ Update-MgServicePrincipal -ServicePrincipalId $principal.Id -KeyCredentials $keyCredentials ++} ``` <a name='step-3-add-an-spn-for-your-public-domain-name-to-azure-active-directory'></a> Here's an example: `00000003-0000-0ff1-ce00-000000000000/*.<public domain name>.com` -If the common name in your certificate is sharepoint.adventureworks.com, the syntax of the SPN will look like this: +If the common name in your certificate is sharepoint.adventureworks.com, the syntax of the SPN looks like this: `00000003-0000-0ff1-ce00-000000000000/*.adventureworks.com` This step registers the SharePoint in Microsoft 365 application principal object From the PowerShell command prompt, type the following commands. ```powershell-$spoappprincipalID = (Get-MgServicePrincipal -Filter "servicePrincipalName eq '$spoappid'").Id +$spoappprincipalID = (Get-MgServicePrincipal -Filter "AppId eq '$spoappid'").Id $sponameidentifier = "$spoappprincipalID@$spocontextID" $appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint" ``` The output of each of these commands is the GUID that represents the context ID #### Step 6: Configure an on-premises proxy for Microsoft Entra ID <a name="step8"> </a> -In this step, you create a Microsoft Entra ID proxy service in the SharePoint Server farm. This enables Microsoft Entra ID as a *trusted token issuer* that SharePoint Server will use to sign and authenticate claims tokens from SharePoint in Microsoft 365. +In this step, you create a Microsoft Entra ID proxy service in the SharePoint Server farm. This enables Microsoft Entra ID as a *trusted token issuer* that SharePoint Server uses to sign and authenticate claims tokens from SharePoint in Microsoft 365. From the PowerShell command prompt, enter the following commands. To validate the **New-SPAzureAccessControlServiceApplicationProxy** command: Starting October 2021, an extra step is required to adjust an existing SharePoint Hybrid configuration to work with and authenticate using the new Microsoft 365 search engine. -The script must be run on a server where SharePoint On-Premises is installed (2013, 2016, or 2019). The script will attempt to install the required module dependencies (MSOnline, AzureAD) on the server where it is run. +The script must be run on a server where SharePoint On-Premises is installed (2013, 2016, or 2019). The script attempts to install the required module dependencies (MSOnline, AzureAD) on the server where it is run. 1. Download the [configuration script](https://www.microsoft.com/download/103240). The script must be run on a server where SharePoint On-Premises is installed (20 4. Wait for script execution to complete; in case there are any issues, contact Microsoft Support. -5. After script execution, users will not see any changes when this change is implemented. +5. After script execution, users won't see any changes when this change is implemented. #### Step 8 (Only required for SharePoint Server 2013): Give New App Principal QueryAsUserIgnoreAppPrincipal permission <a name="step10"> </a> SharePoint Server 2013 needs a hidden constraint in every federated query. The r 1. Go to `<CentralAdminURL>/_layouts/appinv.aspx` and Search for **c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1**, where you should find **Greenland Federated Search Bot Skill**. -2. If there are items in the App Domain field, leave them be, and if it is empty, use localhost. +2. If there are items in the App Domain field, leave them be, and if it's empty, use localhost. 3. In the Redirect URL, use https://localhost. After finishing the tasks in this topic and its validation steps, you should che So that you have a history of the steps you've taken, you should capture the entire contents of the PowerShell buffer into a file. This will be crucial if you need to reference your configuration history to troubleshoot, or for any other reasons. This will also help you pick up where you left off if the configuration spans multiple days or involves multiple people. -After you have completed and validated the configuration tasks in this topic, continue with your [configuration roadmap](configuration-roadmaps.md). +After you have completed and validated the configuration tasks in this article, continue with your [configuration roadmap](configuration-roadmaps.md). ## See also <a name="next"> </a> |
SharePoint | Updated Product Servicing Policy For Sharepoint 2013 | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-2013.md | The product servicing policy timeline for SharePoint Server 2013 and SharePoint |Service Pack 1 <br/> |4/10/2018 <br/> | |April 2017 Public Update - March 2018 Public Update <br/> |4/10/2019 <br/> | |April 2018 Public Update - all future Public Updates <br/> |4/11/2023 <br/> |- ++> [!NOTE] +> For information on the latest public updates for SharePoint Server 2013 and SharePoint Foundation 2013, see [SharePoint Server update history](/officeupdates/sharepoint-updates#sharepoint-2013-update-history) article. To know more about the software update process, see [Deploy software updates for SharePoint Server 2013](../upgrade-and-update/deploy-software-updates-for-sharepoint-2013.md). + ## Frequently Asked Questions **Question**: **Why is Microsoft doing this?** |
SharePoint | Updated Product Servicing Policy For Sharepoint 2019 | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-2019.md | description: "This article explains the updated product servicing policy of Shar [!INCLUDE[appliesto-xxx-xxx-2019-xxx-xxx-md](../includes/appliesto-xxx-xxx-2019-xxx-xxx-md.md)] -During mainstream support, Microsoft releases new Public Update (PU) builds for SharePoint Server 2019 each month which contain the latest functionality, performance, and stability improvements for the product. +During mainstream support, Microsoft releases new Public Update (PU) builds for SharePoint Server 2019 each month which contains the latest functionality, performance, and stability improvements for the product. ## Policy overview The product servicing policy timeline for SharePoint Server 2019 is described in |November 2022 Public Update - October 2023 Public Update|10/31/2024| |November 2023 Public Update - all future Public Updates|07/14/2026| +> [!NOTE] +> For information on the latest public updates for SharePoint Server 2019, see [SharePoint Server update history](/officeupdates/sharepoint-updates#sharepoint-2019-update-history) article. To know more about the software update process, see [Deploy software updates for SharePoint Server 2019](../upgrade-and-update/deploy-updates-for-sharepoint-server-2016.md). + ## Frequently Asked Questions ***Question**: **Why is Microsoft doing this?** |
SharePoint | Updated Product Servicing Policy For Sharepoint Server 2016 | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-server-2016.md | description: "This article explains the updated product servicing policy of Shar [!INCLUDE[appliesto-xxx-2016-xxx-xxx-xxx-md](../includes/appliesto-xxx-2016-xxx-xxx-xxx-md.md)] -During mainstream support, Microsoft releases new Public Update (PU) builds for SharePoint Server 2016 each month which contain the latest functionality, performance, and stability improvements for the product. +During mainstream support, Microsoft releases new Public Update (PU) builds for SharePoint Server 2016 each month which contains the latest functionality, performance, and stability improvements for the product. ## Policy overview The product servicing policy timeline for SharePoint Server 2016 is described in |May 2020 Public Update - April 2021 Public Update|4/30/2022| |May 2021 Public Update - all future Public Updates|7/14/2026| +> [!NOTE] +> For information on the latest public updates for SharePoint Server 2016, see [SharePoint Server update history](/officeupdates/sharepoint-updates#sharepoint-2016-update-history) article. To know more about the software update process, see [Deploy software updates for SharePoint Server 2016](../upgrade-and-update/deploy-updates-for-sharepoint-server-2016.md). + ## Frequently Asked Questions **Question**: **Why is Microsoft doing this?** The product servicing policy timeline for SharePoint Server 2016 is described in **Question**: **Should I install the monthly Public Updates for SharePoint Server 2016 immediately or should I install them only if they contain a fix for a specific issue I'm having?** - **Answer**: Microsoft recommends that all customers install Public Updates for SharePoint Server 2016 as soon as they become available. Microsoft performs rigorous validation of each Public Update, both internally and with a select set of partners and customers before it's released to ensure it has the highest quality. + **Answer**: Microsoft recommends that all customers install Public Updates for SharePoint Server 2016 as soon as they become available. Microsoft performs rigorous validation of each Public Update, both internally and with a select set of partners and customers before it's released to ensure it has the highest quality. |
SharePoint | Updated Product Servicing Policy For Sharepoint Server Se | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-server-se.md | description: "This article explains the updated product servicing policy of Shar [!INCLUDE[appliesto-xxx-xxx-xxx-SUB-xxx-md](../includes/appliesto-xxx-xxx-xxx-SUB-xxx-md.md)] -While in support, Microsoft releases new Public Update (PU) builds for SharePoint Server Subscription Edition each month which contain the latest functionality, performance, and stability improvements for the product. +While in support, Microsoft releases new Public Update (PU) builds for SharePoint Server Subscription Edition each month which contains the latest functionality, performance, and stability improvements for the product. ## Policy overview The product servicing policy timeline for SharePoint Server Subscription Edition |March 2023 PU|3/14/2023|3/12/2024| |April 2023 PU|4/11/2023|4/9/2024| |Future PUs|Release Date|Release Date + 1 Year (second Tuesday of the Month)|++> [!NOTE] +> For information on the latest public updates for SharePoint Server Subscription Edition, see [SharePoint Server update history](/officeupdates/sharepoint-updates#sharepoint-server-subscription-edition-update-history) article. To know more about the software update process, see [Deploy software updates for SharePoint Server Subscription Edition](../upgrade-and-update/deploy-updates-for-sharepoint-server-2016.md). |
SharePoint | Security Hardening | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/security-hardening.md | In a server farm environment, individual servers have specific roles. Security h - [Database server role](#DatabaseServer) -The snapshots are divided into common configuration categories. The characteristics defined for each category represent the optimal hardened state for SharePoint Server. This article does not include hardening guidance for other software in the environment. +The snapshots are divided into common configuration categories. The characteristics defined for each category represent the optimal hardened state for SharePoint Server. This article doesn't include hardening guidance for other software in the environment. -In addition to hardening servers for specific roles, it is important to protect the SharePoint farm by placing a firewall between the farm servers and outside requests. The guidance in this article can be used to configure a firewall. +In addition to hardening servers for specific roles, it's important to protect the SharePoint farm by placing a firewall between the farm servers and outside requests. The guidance in this article can be used to configure a firewall. ### SharePoint servers <a name="WebAndAppServer"> </a> This section identifies hardening characteristics for SharePoint servers. Some o |**Category**|**Characteristic**| |:--|:--|-|Services listed in the Services MMC snap-in <br/> | Enable the following -|| TCP 80, TCP 443 (SSL) <br/> Custom ports for search crawling, if configured (such as for crawling a file share or a website on a non-default port) <br/> Ports used by the search index component ΓÇö TCP 16500-16519 (intra-farm only) <br/> Ports required for the AppFabric Caching Service ΓÇö TCP 22233-22236 <br/> Ports required for Windows Communication Foundation communication ΓÇö TCP 808 <br/> Ports required for communication between SharePoint servers and service applications (the default is HTTP): <br/> HTTP binding: TCP 32843 <br/> HTTPS binding: TCP 32844 <br/> net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application) <br/> If your computer network environment uses Windows Server 2012, Windows Server 2008, Windows Server 2008 R2, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2012 and Windows Vista, you must enable connectivity over both the following port ranges: <br/> High port range 49152 through 65535 <br/> Low port range 1025 through 5000 <br/> Default ports for SQL Server communication ΓÇö TCP 1433, UDP 1434. If these ports are blocked on the SQL Server computer and databases are installed on a named instance, configure a SQL Server client alias for connecting to the named instance. <br/> Microsoft SharePoint Foundation User Code Service (for sandbox solutions) ΓÇö TCP 32846. This port must be open for outbound connections on all Front-end and Front-end with Distributed Cache servers. This port must be open for inbound connections on Front-end and Front-end with Distributed Cache servers where this service is turned on. <br/> Ensure that ports remain open for Web applications that are accessible to users. <br/> Block external access to the port that is used for the Central Administration site. <br/> SMTP for e-mail integration ΓÇö TCP 25, or a custom TCP port if you've configured outbound e-mail to use a non-default port. <br/> | +|Services listed in the Services MMC snap-in <br/> | Enable the following +|| TCP 80, TCP 443 (SSL) <br/> Custom ports for search crawling, if configured (such as for crawling a file share or a website on a non-default port) <br/> Ports used by the search index component ΓÇö TCP 16500-16519 (intra-farm only) <br/> Ports required for the AppFabric Caching Service ΓÇö TCP 22233-22236 <br/> Ports required for Windows Communication Foundation communication ΓÇö TCP 808 <br/> Ports required for communication between SharePoint servers and service applications (the default is HTTP): <br/> HTTP binding: TCP 32843 <br/> HTTPS binding: TCP 32844 <br/> net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application) <br/> If your computer network environment uses Windows Server 2012, Windows Server 2008, Windows Server 2008 R2, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2012 and Windows Vista, you must enable connectivity over both the following port ranges: <br/> High port range 49152 through 65535 <br/> Low port range 1025 through 5000 <br/> Default ports for SQL Server communication ΓÇö TCP 1433, UDP 1434. If these ports are blocked on the SQL Server computer and databases are installed on a named instance, configure a SQL Server client alias for connecting to the named instance. <br/> Microsoft SharePoint Foundation User Code Service (for sandbox solutions) ΓÇö TCP 32846. This port must be open for outbound connections on all Front-end and Front-end with Distributed Cache servers. This port must be open for inbound connections on Front-end and Front-end with Distributed Cache servers where this service is turned on. <br/> Ensure that ports remain open for Web applications that are accessible to users. <br/> Block external access to the port that is used for the Central Administration site. <br/> SMTP for e-mail integration ΓÇö TCP 25, or a custom TCP port if you've configured outbound e-mail to use a non-default port. <br/> ICMP for echo request ΓÇô each Distributed Cache server should have inbound/outbound firewall rules of enabling ICMP for echo request. | |Registry <br/> |No additional guidance <br/> | |Auditing and logging <br/> |If log files are relocated, ensure that the log file locations are updated to match. Update directory access control lists (ACLs) also. <br/> |-|Web.config <br/> | Follow these recommendations for each Web.config file that is created after you run Setup: <br/> Do not allow compilation or scripting of database pages via the PageParserPaths elements. <br/> Ensure \<SafeMode\> CallStack="false" and AllowPageLevelTrace="false". <br/> Ensure that the Web Part limits around maximum controls per zone are set low. <br/> Ensure that the SafeControls list is set to the minimum set of controls needed for your sites. <br/> Ensure that your Workflow SafeTypes list is set to the minimum level of SafeTypes needed. <br/> Ensure that customErrors is turned on (\<customErrors mode="On"/\>). <br/> Consider your Web proxy settings as needed (\<system.net\>/\<defaultProxy\>). <br/> Set the Upload.aspx limit to the highest size you reasonably expect users to upload. Performance can be affected by uploads that exceed 100 MB. <br/> | +|Web.config <br/> | Follow these recommendations for each Web.config file that is created after you run Setup: <br/> Don't allow compilation or scripting of database pages via the PageParserPaths elements. <br/> Ensure \<SafeMode\> CallStack="false" and AllowPageLevelTrace="false". <br/> Ensure that the Web Part limits around maximum controls per zone are set low. <br/> Ensure that the SafeControls list is set to the minimum set of controls needed for your sites. <br/> Ensure that your Workflow SafeTypes list is set to the minimum level of SafeTypes needed. <br/> Ensure that customErrors is turned on (\<customErrors mode="On"/\>). <br/> Consider your Web proxy settings as needed (\<system.net\>/\<defaultProxy\>). <br/> Set the Upload.aspx limit to the highest size you reasonably expect users to upload. Performance can be affected by uploads that exceed 100 MB. <br/> | ### Database server role <a name="DatabaseServer"> </a> The primary recommendation for SharePoint Server is to secure inter-farm communi |:--|:--| |Ports <br/> | Block UDP 1434. <br/> Consider blocking TCP 1433. <br/> | -This article does not describe how to secure SQL Server. For more information about how to secure SQL Server, see [Securing SQL Server](/sql/relational-databases/security/securing-sql-server) (https://go.microsoft.com/fwlink/p/?LinkId=186828). +This article doesn't describe how to secure SQL Server. For more information about how to secure SQL Server, see [Securing SQL Server](/sql/relational-databases/security/securing-sql-server) (https://go.microsoft.com/fwlink/p/?LinkId=186828). ## Specific port, protocol, and service guidance <a name="PortProtocolService"> </a> Additionally, third parties that develop service applications can implement a th - net.tcp binding: TCP 32845 -You can change the protocol and port binding for each service application. On the Service Applications page in Central Administration, select the service application, and then click **Publish**. +You can change the protocol and port binding for each service application. On the Service Applications page in Central Administration, select the service application, and then select **Publish**. The HTTP/HTTPS/net.tcp bindings can also be viewed and changed by using the [Get-SPServiceHostConfig](/powershell/module/sharepoint-server/Get-SPServiceHostConfig?view=sharepoint-ps&preserve-view=true) and [Set-SPServiceHostConfig](/powershell/module/sharepoint-server/Set-SPServiceHostConfig?view=sharepoint-ps&preserve-view=true) Microsoft PowerShell cmdlets. Additionally, this service requires permissions in the Active Directory environm ### Service requirements for session state <a name="SessionState"> </a> -Both Project Server 2016 and InfoPath Forms Services maintain session state. If you are deploying these features or products within your server farm, do not disable the ASP.NET State service. Additionally, if you are deploying InfoPath Forms Services, do not disable the View State service. +Both Project Server 2016 and InfoPath Forms Services maintain session state. If you're deploying these features or products within your server farm, don't disable the ASP.NET State service. Additionally, if you're deploying InfoPath Forms Services, don't disable the View State service. ### SharePoint Server Products services <a name="SharePoint"> </a> -Do not disable services that are installed by SharePoint Server (listed in the snapshot previously). +Don't disable services that are installed by SharePoint Server (listed in the snapshot previously). -If your environment disallows services that run as a local system, you can consider disabling the SharePoint Administration service only if you are aware of the consequences and can work around them. This service is a Win32 service that runs as a local system. +If your environment disallows services that run as a local system, you can consider disabling the SharePoint Administration service only if you're aware of the consequences and can work around them. This service is a Win32 service that runs as a local system. -This service is used by the SharePoint Timer service to perform actions that require administrative permissions on the server, such as creating Internet Information Services (IIS) Web sites, deploying code, and stopping and starting services. If you disable this service, you cannot complete deployment-related tasks from the Central Administration site. You must use Microsoft PowerShell to run the [Start-SPAdminJob](/powershell/module/sharepoint-server/Start-SPAdminJob?view=sharepoint-ps&preserve-view=true) cmdlet (or use the Stsadm.exe command-line tool to run the **execadmsvcjobs** operation) to complete multiple-server deployments for SharePoint Server and to run other deployment-related tasks. +This service is used by the SharePoint Timer service to perform actions that require administrative permissions on the server, such as creating Internet Information Services (IIS) Web sites, deploying code, and stopping and starting services. If you disable this service, you can't complete deployment-related tasks from the Central Administration site. You must use Microsoft PowerShell to run the [Start-SPAdminJob](/powershell/module/sharepoint-server/Start-SPAdminJob?view=sharepoint-ps&preserve-view=true) cmdlet (or use the Stsadm.exe command-line tool to run the **execadmsvcjobs** operation) to complete multiple-server deployments for SharePoint Server and to run other deployment-related tasks. ### Web.config file <a name="WebConfig"> </a> |