Deploy an agent on Windows
https://www.visualstudio.com/zh-cn/docs/build/actions/agents/v2-windows
Last Update: 6/27/2017 In this article- Learn about agents
- Check prerequisites
- Prepare permissions
- Decide which user you‘ll use
- Confirm the user has permission
- Download and configure the agent
- Server URL
- Authentication type
- Choose interactive or service mode
- Replace an agent
- Remove and re-configure an agent
- Help on other options
- Capabilities
- Q&A
- I‘m running a firewall and my code is in Team Services. What URLs does the agent need to communicate with?
- How do I configure the agent to work through a web proxy and connect to Team Services?
- How do I configure the agent to bypass a web proxy and connect to Team Services?
- I‘m using TFS and the URLs in the sections above don‘t work for me. Where can I get help?
- I use Team Foundation Server on-premises and I don‘t see some of these features. Why not?
Team Services | TFS 2017 | TFS 2015 | Previous versions (XAML builds)
To build and deploy Windows, Azure, and other Visual Studio solutions you‘ll need at least one Windows agent. Windows agents can also build Java and Android apps.
Before you begin:
- If your code is in Visual Studio Team Services and the hosted agent meets your needs, you can skip setting up a private Windows agent.
- If your code is in an on-premises Team Foundation Server (TFS) 2015 server, see Deploy an agent on Windows for on-premises TFS 2015.
- Otherwise, you‘ve come to the right place to set up an agent on Windows. Continue to the next section.
Learn about agents
If you already know what an agent is and how it works, feel free to jump right in to the following sections. But if you‘d like some more background about what they do and how they work, see Build and release agents.
Check prerequisites
Make sure your machine is prepared with our Windows system prerequisites.
If you‘re building from a Subversion repo, you must install the Subversion client on the machine.
Prepare permissions
Decide which user you‘ll use
Decide which user account you‘re going to use to register the agent.
Authenticate with a personal access token (PAT) to Team Services or TFS 2017
-
Sign in with the user account you plan to use in either your Visual Studio Team Services account (
https://{your-account}.visualstudio.com
) or your Team Foundation Server web portal (https://{your-server}:8080/tfs/
). -
From your home page, open your profile. Go to your security details.
-
Create a personal access token.
-
For the scope select Agent Pools (read, manage) and make sure all the other boxes are cleared. If its a deployment group agent, for the scope select Deployment group (read, manage) and make sure all the other boxes are cleared.
-
Copy the token. You‘ll use this token when you configure the agent.
Authenticate as TFS user
-
TFS 2017: You can use either a domain user or a local Windows user on each of your TFS application tiers.
-
TFS 2015 (applies only to OSX and Linux): We recommend that you create a local Windows user on each of your TFS application tiers and dedicate that user for the purpose of deploying build agents.
Confirm the user has permission
Make sure the user account that you‘re going to use has permission to register the agent.
Is the user you plan to use is a Team Services account owner or a TFS server administrator? If so, then skip these steps. Otherwise you might see a message like this: Sorry, we couldn‘t add the identity. Please try a different identity.
- Open a browser and navigate to the Agent pools tab for your Team Services account or TFS server:
- Team Services:
https://{your_account}.visualstudio.com/_admin/_AgentPool
- TFS 2017:
https://{your_server}/tfs/DefaultCollection/_admin/_AgentPool
- TFS 2015:
http://{your_server}:8080/tfs/_admin/_AgentPool
The TFS URL doesn‘t work for me. How can I get the correct URL?
- Team Services:
- Click the pool on the left side of the page and then click Roles.
- If the user account you‘re going to use is not shown, then get an administrator to add it. The administrator can be an agent pool administrator, a Team Services account owner, or a TFS server administrator. If its a deployment group agent, the administrator can be an deployment group administrator, a Team Services account owner, or a TFS server administrator. You can add a user to the deployment group adminstrator role in the Security tab on the Deployment Groups page of the Build & Release hub.
Q: I‘m concerned about security. How is this account used? A: Agent communication.
Download and configure the agent
- Log on to the machine using the account for which you‘ve prepared permissions as explained above.
- In your web browser, sign on to Team Services or TFS, and navigate to the Agent pools tab:
- Team Services:
https://{your_account}.visualstudio.com/_admin/_AgentPool
- TFS 2017:
https://{your_server}/tfs/DefaultCollection/_admin/_AgentPool
- TFS 2015:
http://{your_server}:8080/tfs/_admin/_AgentPool
The TFS URL doesn‘t work for me. How can I get the correct URL?
- Team Services:
- Click Download agent.
- On the Get agent dialog box, click Windows.
- Click the Download button.
- Follow the instructions on the page.
Server URL
-
Team Services:
https://{your-account}.visualstudio.com
-
TFS 2017:
https://{your_server}/tfs
-
TFS 2015:
http://{your-server}:8080/tfs
Authentication type
Team Services
Choose PAT, and then paste the PAT token you created into the command prompt window.
TFS
IMPORTANT
Make sure your server is configured to support the authentication method you want to use.
When you configure your agent to connect to TFS, you‘ve got the following options:
-
Alternate Connect to TFS using Basic authentication. After you select Alternate you‘ll be prompted for your credentials.
-
Negotiate Connect to TFS as a user other than the signed-in user via a Windows authentication scheme such as NTLM or Kerberos. After you select Negotiate you‘ll be prompted for credentials.
-
Integrated (Default) Connect a Windows agent to TFS using the credentials of the signed-in user via a Windows authentication scheme such as NTLM or Kerberos. You won‘t be prompted for credentials after you choose this method.
-
PAT Supported only on Team Services and TFS 2017 or newer. After you choose PAT, paste the PAT token you created into the command prompt window.
NOTE
When using PAT as the authentication method, the PAT token is used only for the initial configuration of the agent. Learn more at Communication with Team Services or TFS.
Choose interactive or service mode
For guidance on whether to run the agent in interactive mode or as a service, see Agents: Interactive vs. service.
If you configured the agent to run interactively, to run it:
.\run.cmd
If you configured the agent to run as a service, it starts automatically. You can view and control the agent running status from the services snap-in. Run services.msc
and look for "VSTS Agent (name of your agent)".
If you need to change the logon account, don‘t do it from the services snap-in. Instead, see the information below to re-configure the agent.
Replace an agent
When you configure an agent using the same name as an agent that already exists, you‘re asked if you want to replace the existing agent. If you answer Y
, then make sure you remove the agent (see below) that you‘re replacing. Otherwise after a few minutes of conflicts, one of the agents will shut down.
Remove and re-configure an agent
To remove the agent:
.\config remove
After you‘ve removed the agent, you can configure it again.
Help on other options
To learn about other options:
.\config --help
The help provides information on authentication alternatives and unattended configuration.
Capabilities
Your agent‘s capabilities are cataloged and advertised in the pool so that only the builds and releases it can handle are assigned to it. See Build and release agent capabilities.
In many cases after you deploy an agent you‘ll need to install software or utilities. Generally you should install on your agents whatever software and tools you use on your dev machine.
For example, if your build includes the npm task, then the build won‘t run unless there‘s a build agent in the pool that has npm installed.
IMPORTANT
After you install new software on a agent, you must restart the agent for the new capability to show up in the pool so that the build can run.
Q&A
I‘m running a firewall and my code is in Team Services. What URLs does the agent need to communicate with?
If you‘re running an agent in a secure network behind a firewall, make sure the agent can initiate communication with the following URLs:
https://login.microsoftonline.com
https://app.vssps.visualstudio.com
https://{accountname}.visualstudio.com
https://{accountname}.vsrm.visualstudio.com
How do I configure the agent to work through a web proxy and connect to Team Services?
In the agent root directory, create a .proxy file with your proxy server URL.
echo http://name-of-your-proxy-server:8888 | Out-File .proxy
If your proxy doesn‘t require authentication, then you‘re ready to configure and run the agent as explained above.
NOTE
For backwards compatibility, if the proxy is not specified as described above, the agent also checks for a proxy URL from the VSTS_HTTP_PROXY environment variable.
If your proxy requires authentication, the simplest way to handle it is to grant permissions to the user under which the agent runs. Otherwise, you can provide credentials through environment variables. When you provide credentials through environment variables, the agent keeps the credentials secret by masking them in job and diagnostic logs. To grant credentials through environment variables, set the following variables:
$env:VSTS_HTTP_PROXY_USERNAME = "proxyuser"
$env:VSTS_HTTP_PROXY_PASSWORD = "proxypassword"
NOTE
This procedure enables the agent infrastructure to operate behind a web proxy. Your build definition and scripts must still handle proxy configuration for each task and tool you run in your build. For example, if you are using a task that makes a REST API call, you must configure the proxy for that task.
How do I configure the agent to bypass a web proxy and connect to Team Services?
If you want the agent to bypass your proxy and connect to Team Services directly, then you should configure your web proxy to enable the agent to access the following URLs:
-
https://management.core.windows.net
-
*.visualstudio.com
-
https://login.microsoftonline.com
-
https://app.vsspsext.visualstudio.com
NOTE
This procedure enables the agent to bypass a web proxy. Your build definition and scripts must still handle bypassing your web proxy for each task and tool you run in your build.
For example, if you are using a NuGet task, you must configure your web proxy to support bypassing the URL for the server that hosts the NuGet feed you‘re using.
I‘m using TFS and the URLs in the sections above don‘t work for me. Where can I get help?
Web site settings and security
I use Team Foundation Server on-premises and I don‘t see some of these features. Why not?
Some of these features are available only on Visual Studio Team Services and not yet available on-premises. Some features are available on-premises if you have upgraded to the latest version of TFS.
Deploy an agent on Windows