

Step 1

Provision a Windows host that is capable of running the Universal Orchestrator. Windows Server 2016-2022 is recommended.

Step 2

Place the SetupOrchestrator_{deploymentName}.ps1 script in a directory with the UniversalOrchestrator .zip file that you downloaded from the Command SaaS Portal.

This script must be run as an administrator. If you cannot elevate a PowerShell window to Administrator, contact a System Administrator to provide these credentials.

In the following example, the script and .zip file were placed in a directory called “C:\UniversalOrchestrator”.


Step 3

Run the script by right-clicking the script file, and then selecting Run with PowerShell or by opening a PowerShell window and executing the script.


There are three options you can use when running the installation script.

  • Option 1 will install the Universal Orchestrator as a service with a user account and credentials that the script will automatically generate. This is the “easy button” version of this script. If you don’t want to create users and permissions, the script will create them all for you.

  • Option 2 will install the Universal Orchestrator as a service, but will prompt you for a domain username and password that have rights to the network and server. This is the recommended method and is required if using the Orchestrator to inventory MSCA.

  • Option 3 will install the Universal Orchestrator and attempt to run it in a PowerShell window without a service. Each time the server is restarted or the window is closed, the Universal Orchestrator will need to be started manually.


Step 4

The first thing the installation script will do is try to connect to the Command SaaS deployment.


If the connection fails, it is most likely because every address that connects to the Command SaaS deployment must first be allowed via the Self-Service Source IP feature of Command SaaS.


If the process fails, add the outbound internet IP of the host you are using to your Command SaaS deployment.

One option to determine the outbound IP address of the host you are using is to type the following command in the PowerShell window.
Note: This method uses the third-party service .


The response will show the IP address that your host will use to access the Command SaaS Deployment.


Add this IP address to the Source IPs screen in the Command SaaS Portal for this deployment. Click Add, and then click Apply Now.
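
The prerequisites from Steps 2 and 4 can be checked before the installer is run or re-run. The following is an added example, not part of the Keyfactor installer or documentation; the default directory is the example path from Step 2, and the deployment hostname and port 443 are placeholders and assumptions to replace with your own values.

```powershell
# Added example: pre-flight checks for Steps 2-4. Not Keyfactor's code.
# Assumptions: $InstallDir is the example directory from Step 2;
# $DeploymentHost is a placeholder for your Command SaaS deployment hostname;
# port 443 (HTTPS) is assumed.
param(
    [string]$InstallDir     = 'C:\UniversalOrchestrator',
    [string]$DeploymentHost = 'your-deployment.example.com',
    [int]$Port              = 443
)

$results = [ordered]@{}

# Step 2: the installer must be run from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Elevated'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Step 2: the setup script and the orchestrator .zip must share one directory.
$scripts = @(Get-ChildItem -Path $InstallDir -Filter 'SetupOrchestrator_*.ps1' `
    -File -ErrorAction SilentlyContinue)
$zips = @(Get-ChildItem -Path $InstallDir -Filter '*.zip' `
    -File -ErrorAction SilentlyContinue)
$results['SetupScriptPresent'] = ($scripts.Count -eq 1)
$results['ZipPresent']         = ($zips.Count -ge 1)

# Record SHA-256 hashes of what is about to run as administrator,
# so the exact files can be identified later in change records.
foreach ($file in @($scripts) + @($zips)) {
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256
    '{0}  {1}' -f $hash.Hash, $file.Name
}

# Step 4: the host must be able to reach the deployment. A TCP failure is
# consistent with the source IP not being allowed yet; a TCP success alone
# does not prove the allow-list entry has been applied.
$tcp = Test-NetConnection -ComputerName $DeploymentHost -Port $Port `
    -WarningAction SilentlyContinue
$results['DeploymentReachable'] = [bool]$tcp.TcpTestSucceeded

# Print a summary and return a non-zero exit code if any check failed.
$results.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) { exit 1 }
```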


Step 5

Once the change has processed, run the script again. The script will install .NET, if needed. If .NET already exists, the script will skip this step.

The remainder of this step depends on the installation option you selected.

If you selected Option 1

Selecting Option 1 will create the user for the service account automatically. Once that is done, the script will prompt you for the Client Secret for your Command SaaS deployment. The Client Secret can be found on the Orchestrators screen in the Keyfactor Command SaaS Portal for the deployment being configured.

Paste the Client Secret value into the script using the PowerShell Edit > Paste method in the terminal window.


Ensure that the full-length secret was pasted into the window. The window shows one obfuscated character for each pasted character.


If you selected Option 2

If you selected Option 2, the script will prompt you for the credentials to run the service as.


Once the credential request is complete, paste your Client Secret using the PowerShell Edit > Paste method in the terminal window.


If you selected Option 3

Option 3 will ask for the Client Secret and will then confirm whether to run the Universal Orchestrator in the existing window.


You will then see output from the Universal Orchestrator runtime that shows it connected back to Command SaaS.
