Amend IIS machine.config XML type file

In production we have identified an issue preventing the application hosted by IIS from working properly. The solution is to disable the Certificate Revocation List (CRL) lookup, since the boxes are not connected to the internet.

According to in order to disable CRL lookups on the Symantec Management Platform computer, you need to edit the machine.config file on the computer, as follows:

  1. Open the machine.config file in a text editor. (If you run in a x64 environment you will need to edit the x64 framework file)
    (x86) The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework\v2.0.50727.
    (x64) The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework64\v2.0.50727.
  2. Look for in the machine.config file and change to this:

  3. Save the machine.config file.
  4. Open a command prompt with Administrator rights, and type iisreset.

I need to do it for over 140 servers.
I am having a little trouble manipulating the XML object. Following the example from I managed to create the following code.

[string]$ComputerName = 'TestServer'

#Detect system type
$SystemType = Get-WmiObject Win32_ComputerSystem -ComputerName $ComputerName | select -ExpandProperty systemtype

#Get content from remote server
$MachineConfig = switch ($SystemType) {
    'x86-based PC' {"\\$ComputerName\c$\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config"}
    'x64-based PC' {"\\$ComputerName\c$\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config"}
}

#XML document creation
$xmlDoc =[xml](Get-Content $MachineConfig)

# Creation of a node and its text
# (XML element names are case-sensitive; the machine.config section is lowercase "runtime")
$xmlElt = $xmlDoc.CreateElement("runtime")

# Creation of a sub node
$xmlSubElt = $xmlDoc.CreateElement("generatePublisherEvidence")

# Creation of an attribute in the principal node
$xmlAtt = $xmlDoc.CreateAttribute("enabled")
$xmlAtt.Value = "false"

# Add the node to the document

# Store to a file 

#Backup the original file and copy the modified file
#Copy-Item -Path $MachineConfig "\\$ComputerName\c$\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config.backup"
#Copy-Item -Path "C:\temp\machine.config" -Destination $MachineConfig -Force

#Restart IIS on remote server
#Get-Service -ComputerName $ComputerName -DisplayName 'IIS Admin Service' | Restart-Service -Force

The troubles I am facing are:

  1. It adds element at the end of document. How to add the entry just after xml section configProtectedData in document?
  2. Some files already contain an empty section. In such a scenario I end up having two entries: one at the end of the document
    and the original empty one.
  3. How to check if the node exists. When I use Get-Member it lists HasChildNodes, but when I run it, it does not work.
Method invocation failed because [System.Xml.XmlElement] does not contain a method named 'HasChildNodes'.
At line:1 char:1
+ $xmlDoc.configuration.HasChildNodes('runtime')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (HasChildNodes:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

So the code I am going to develop should check:
If runtime exists.
If it does, check if the entry is correct, then amend accordingly.
If it does not exist, add the runtime section.

Thank you for any hints in advance.

The forum eats XML, so we can’t see your example. I’ve been working with XML this week too in this post:

I would try using SelectSingleNode and appending that way:

$configProtectedData = $xmlDoc.SelectSingleNode("//configProtectedData")

I was also trying to figure out if a Node existed yesterday and I did it more with Powershell than XML, so be curious to see if there is an XML method. I basically just looped thru the child nodes and generated an array to check against:

$currentConfig = @{}

if ($configProtectedData.HasChildNodes -eq $false) {
    #This is what I needed assistance with from the other forum
    #which is appending from another file\source into the doc
    #but you could do a standard AppendChild
    $null = $configProtectedData.AppendChild($xmlDoc.ImportNode($template.param, $true))
}
else {
    #Collect the names of the existing child entries to compare against
    $currentConfig = $configProtectedData.param | foreach{$_.Name}
}

Then I would loop through the items I was inserting…

foreach($item in $itemsInserting) {
    if ($currentConfig -notcontains $item) {
        #item doesn't exist, do X
    }
    else {
        #item already there, don't do anything
    }
}
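
The check-then-insert flow discussed in this thread (find runtime, reuse it if it is already there, otherwise insert it directly after configProtectedData), as an added example that is not part of any post here. The function name Set-PublisherEvidenceDisabled and the three sample documents are constructed for illustration; the element and attribute names are the ones used in the thread.

```powershell
# Added example: idempotently ensure <generatePublisherEvidence enabled="false"/>
# under configuration/runtime. Function name and sample XML are constructed.
function Set-PublisherEvidenceDisabled {
    param([Parameter(Mandatory = $true)][xml]$XmlDoc)

    $config = $XmlDoc.SelectSingleNode('/configuration')
    if ($null -eq $config) { throw 'No <configuration> root element found.' }

    $changed = $false

    # Reuse an existing <runtime> section (even an empty one) rather than adding a second.
    $runtime = $config.SelectSingleNode('runtime')
    if ($null -eq $runtime) {
        $runtime = $XmlDoc.CreateElement('runtime')
        $anchor  = $config.SelectSingleNode('configProtectedData')
        if ($null -ne $anchor) {
            $null = $config.InsertAfter($runtime, $anchor)   # directly after configProtectedData
        } else {
            $null = $config.AppendChild($runtime)            # no anchor: fall back to the end
        }
        $changed = $true
    }

    # Add the child element only if it is missing.
    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    if ($null -eq $gpe) {
        $gpe = $XmlDoc.CreateElement('generatePublisherEvidence')
        $null = $runtime.AppendChild($gpe)
        $changed = $true
    }

    # GetAttribute returns an empty string when the attribute is absent.
    if ($gpe.GetAttribute('enabled') -ne 'false') {
        $gpe.SetAttribute('enabled', 'false')
        $changed = $true
    }
    return $changed
}

# Constructed samples: no runtime section, empty runtime section, already configured.
$samples = @(
    '<configuration><configProtectedData/><system.web/></configuration>',
    '<configuration><configProtectedData/><runtime/></configuration>',
    '<configuration><runtime><generatePublisherEvidence enabled="false"/></runtime></configuration>'
)
foreach ($s in $samples) {
    $doc = [xml]$s
    $changed = Set-PublisherEvidenceDisabled -XmlDoc $doc
    '{0,-5} {1}' -f $changed, $doc.OuterXml
}
```

Keep a copy of the original machine.config before calling Save() on the document, since a malformed file affects every .NET application on that host.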


Have you tried the IIS provider before you go editing the XML directly? Because IIS will have that file locked while IIS is running and you have to do some things to IIS to enable direct editing of the config files.

It’s far better to use the WebAdministration module to explore other ways first before resorting to editing the XML.

Import-Module WebAdministration -Verbose


The files the OP is referring to aren’t actually IIS files. They exist on all computers.

Thank you for all your replies.

@Rob, the ‘SelectSingleNode’ worked fine for me. Additionally I learned a little about XPath syntax.

@Vem, I did not try the IIS provider. First, not all my servers run 2008 or higher. Secondly, I do not even know where to set this value in the graphical interface, not to mention the WebAdministration cmdlets. But thank you for the suggestion anyway.

@Dave you are correct. I found the file even on my ordinary Windows 8.1 client.

I liked the forum. The view is so clean. The people are polite and do not look down on you, if you are not familiar with something.
There are not too many unanswered posts. The replies appear in a matter of hours.

The attached are 2 scripts I finally developed:
  1. Get-MachineConfigStatus - checks the values in the file and saves the current values in a CSV file
  2. Set-MachineConfig - sets the desired values for targeted computers

Thanks again for your help

Check this one…Difference between Machine.config and web.config