KB0015 - Offline PSU server has slow dashboards
Disclaimer
Please be careful with changing any settings on your server around the Certificate Revocation List. You should only do this if you know what you are doing. Read the related Github articles (linked below) in their entirety.
Symptom
PSU servers that are disconnected from the internet (offline) have slow dashboard start-up times.
Root Cause
PowerShell Core is attempting to download the Certificate Revocation List from Microsoft and is timing out
Related Links
Workaround #1 (confirmed)
You can reduce the timeout value for the Revocation List check to 1 second by modifying the registry keys per below PowerShell script. After applying, restart the PowerShell Universal service or IIS web site.
Only enable these settings if your machine isn't exposed to the Internet or doesn't have access to a Certificate Revocation List! Please also keep in mind that this is not a global solution. The problem with CRL checking is different from application to application, from server to server! Please also always think about how to provide your servers with the latest root certificates as well as an up-to-date Certificate Revocation List.
# Create the keys if missing If((Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine') -eq $false ) { New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine' -Force -ErrorAction SilentlyContinue } If((Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config') -eq $false ) { New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config' -Force -ErrorAction SilentlyContinue } # Set Timeout values to 1 second (1000 ms) New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config" -Name ChainUrlRetrievalTimeoutMilliseconds -Value 1000 -PropertyType DWORD -Force New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config" -Name ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds -Value 1000 -PropertyType DWORD -Force |
Workaround #2 (unconfirmed)
You can try allowing the server to connect to http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Acknowledgements
Related Articles
KB0003 - Slow Endpoints and TLS Settings
Be advised that if the TLS settings on a Windows Server are modified, this can result in a severe performance degradation Symptom #1 In the Event Viewer (System Log) there are errors with source Schannel indicating that a "fatal error that occurred ...KB0013 - Moving PSU to another server
Below are Adam's comments on this topic from August 2nd, 2022: The configuration for PowerShell Universal, including the license, is stored as PS1 files in the repository directory. https://docs.powershelluniversal.com/config/repository We recommend ...KB0011 - Are licenses different between Production, QA and Test/Development servers?
Update January 24th, 2023 Adam recently summarized the Developer's license per below: The only real limitation on the developer license is that it cannot be accessed remotely. The server is only available on loopback when using the dev license. If ...KB0014 - Enterprise versus per-server licensing FAQ
Below are some questions commonly asked about the benefits of purchasing an Enterprise license vs. individual per-server licenses. Q: What is the benefit of an Enterprise license vs. a Per Server license? A: The Enterprise license allows an unlimited ...KB0025 - Universal Server fails to start automatically
Applicability This article applies to PowerShell Universal (Kestrel version*) running on Windows. If you have PowerShell Universal running under IIS or another OS then this article does not apply. Symptom Even though the PowerShell Universal service ...