OpenClaw on Windows Server 2022: Enterprise AI Agent Deployment Guide
Who This Guide Is For: IT administrators, DevOps engineers, and enterprise architects who need to deploy OpenClaw on Windows Server 2022 or 2025 in a corporate environment. This guide covers PowerShell installation, NSSM Windows Service registration, IIS reverse proxy, Windows Firewall configuration, Active Directory (AD) domain integration, and VPN07 for reliable AI API access behind corporate proxies.
Why Windows Server for OpenClaw?
Most OpenClaw deployment guides focus on Linux or macOS. But thousands of enterprises run Windows Server as their primary server OS, and for good reason — deep Active Directory integration, familiar management tools (Server Manager, PowerShell), and compatibility with enterprise security products (Windows Defender, CrowdStrike, Microsoft Sentinel).
OpenClaw is a Node.js application, and Node.js runs perfectly on Windows Server. With the right configuration — especially NSSM for service management and IIS for reverse proxy — you can run a production-grade OpenClaw deployment on Windows Server that satisfies enterprise IT requirements.
Windows Server Versions Supported
- • Windows Server 2025 — Latest, best performance
- • Windows Server 2022 — Most widely deployed
- • Windows Server 2019 — Older but supported
- • Windows Server 2016 — Minimum (Node.js 22 works)
Enterprise Benefits
- • Active Directory / Entra ID for access control
- • Group Policy for configuration management
- • Windows Event Log for auditing
- • IIS for secure HTTPS reverse proxy
- • Windows Defender compatible (no conflicts)
Prerequisites
Windows Server 2022 or 2025 with Administrator access. Standard or Datacenter edition both work.
Minimum hardware: 2 vCPU, 4 GB RAM, 30 GB disk. For multi-agent workloads, 8 GB RAM is recommended.
PowerShell 5.1 or later (built into Windows Server). For the best experience, install PowerShell 7 via winget.
Outbound internet access to npm registry (registry.npmjs.org) and Anthropic API (api.anthropic.com). Corporate proxies must allow these.
Step 1 — Install Node.js 22 via winget or nvm-windows
Open PowerShell as Administrator and install Node.js using one of these methods:
Method A: winget (Recommended for servers)
# Install Node.js LTS via winget
winget install OpenJS.NodeJS.LTS
# Verify
node --version # v22.x.x
npm --version # 10.x.x
Method B: nvm-windows (for version management)
# Download nvm-windows installer from GitHub
# https://github.com/coreybutler/nvm-windows/releases
# Run nvm-setup.exe as Administrator, then:
nvm install 22.15.0
nvm use 22.15.0
node --version # v22.15.0
Windows Defender Note
After installing Node.js, Windows Defender may scan it. Add exclusions for the Node.js install directory and npm cache if scans are slowing down npm installs significantly: C:\Program Files\nodejs\ and C:\Users\USERNAME\AppData\Roaming\npm
Step 2 — Install OpenClaw
# Install OpenClaw globally (run as Administrator)
npm install -g openclaw
# Verify installation
openclaw --version
# Run onboarding wizard (configure API keys, Telegram, etc.)
openclaw onboard
Corporate Proxy During npm Install
If your company uses a web proxy, configure npm before installing:
npm config set proxy http://proxy.company.com:8080
npm config set https-proxy http://proxy.company.com:8080
npm install -g openclaw
Step 3 — Register OpenClaw as a Windows Service with NSSM
NSSM (Non-Sucking Service Manager) is the most reliable way to run OpenClaw as a Windows Service that starts automatically, restarts on failure, and logs to Windows Event Log.
Download NSSM from nssm.cc and extract to C:\nssm\. Then:
# Find the OpenClaw executable path
where openclaw
# Typically: C:\Users\Administrator\AppData\Roaming\npm\openclaw.cmd
# Install OpenClaw as a Windows Service
C:\nssm\win64\nssm.exe install OpenClaw
# In the NSSM GUI that opens:
# Path: C:\Program Files\nodejs\node.exe
# Startup directory: C:\openclaw-data
# Arguments: C:\Users\Administrator\AppData\Roaming\npm\node_modules\openclaw\dist\index.js start
Or use NSSM fully from the command line (better for automation):
# Set service properties via command line
C:\nssm\win64\nssm.exe set OpenClaw Application "C:\Program Files\nodejs\node.exe"
C:\nssm\win64\nssm.exe set OpenClaw AppDirectory "C:\openclaw-data"
C:\nssm\win64\nssm.exe set OpenClaw AppParameters "C:\Users\Administrator\AppData\Roaming\npm\node_modules\openclaw\dist\index.js start"
C:\nssm\win64\nssm.exe set OpenClaw DisplayName "OpenClaw AI Agent"
C:\nssm\win64\nssm.exe set OpenClaw Description "OpenClaw personal AI agent service"
C:\nssm\win64\nssm.exe set OpenClaw Start SERVICE_AUTO_START
C:\nssm\win64\nssm.exe set OpenClaw AppRestartDelay 10000
# Set environment variables
C:\nssm\win64\nssm.exe set OpenClaw AppEnvironmentExtra "ANTHROPIC_API_KEY=sk-ant-xxx" "NODE_ENV=production"
# Configure stdout/stderr logging
C:\nssm\win64\nssm.exe set OpenClaw AppStdout "C:\openclaw-data\logs\openclaw.log"
C:\nssm\win64\nssm.exe set OpenClaw AppStderr "C:\openclaw-data\logs\openclaw-err.log"
C:\nssm\win64\nssm.exe set OpenClaw AppRotateFiles 1
# Start the service
C:\nssm\win64\nssm.exe start OpenClaw
# Verify
sc query OpenClaw
NSSM Advantages
- • Automatically restarts on crash
- • Configurable restart delay
- • Log rotation built-in
- • Works with any executable, not just .exe
- • Service runs under any user account
Service Management Commands
- nssm start OpenClaw
- nssm stop OpenClaw
- nssm restart OpenClaw
- nssm status OpenClaw
- nssm remove OpenClaw confirm
Step 4 — IIS Reverse Proxy for HTTPS Access
If you want to expose OpenClaw's web interface over HTTPS (for team access or a web dashboard), IIS can proxy requests from port 443 to OpenClaw's local port 3000:
# Install IIS with ARR (Application Request Routing) module
# 1. Server Manager → Add Roles → Web Server (IIS)
# 2. Download and install ARR 3.0 from Microsoft:
# https://www.iis.net/downloads/microsoft/application-request-routing
# Enable proxy in ARR:
# IIS Manager → Server → Application Request Routing Cache
# → Server Proxy Settings → Enable proxy → Apply
# Create a new IIS site pointing to localhost:3000
# Add URL Rewrite rule:
# Pattern: (.*)
# Rewrite URL: http://localhost:3000/{R:1}
# For HTTPS: bind a SSL certificate to the site
# Use Let's Encrypt via win-acme (free certificate):
# https://www.win-acme.com/
The resulting URL structure allows enterprise users to access OpenClaw's interface at https://openclaw.yourdomain.com without exposing any ports directly.
Step 5 — Windows Firewall Configuration
# Allow OpenClaw outbound (Claude API, npm, Telegram)
New-NetFirewallRule -DisplayName "OpenClaw Outbound" -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow -Program "C:\Program Files\nodejs\node.exe"
# Allow IIS inbound for HTTPS (if using IIS reverse proxy)
New-NetFirewallRule -DisplayName "IIS HTTPS Inbound" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
# Block unnecessary inbound to Node.js directly
New-NetFirewallRule -DisplayName "Block Node Direct" -Direction Inbound -Protocol TCP -LocalPort 3000 -RemoteAddress Internet -Action Block
# Allow localhost-only for Node.js (IIS proxy only)
New-NetFirewallRule -DisplayName "Allow Node Localhost" -Direction Inbound -Protocol TCP -LocalPort 3000 -RemoteAddress 127.0.0.1 -Action Allow
Step 6 — Active Directory Integration
In a domain environment, you should run the OpenClaw service under a dedicated service account (not Administrator) to follow the principle of least privilege:
Create a Dedicated Service Account
New-ADUser -Name "svc-openclaw" -UserPrincipalName "[email protected]" -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
Grant Minimal Required Permissions
- • Read/write access to
C:\openclaw-data\ - • "Log on as a service" right (Local Security Policy)
- • No local administrator rights needed
Update NSSM to Use Service Account
C:\nssm\win64\nssm.exe set OpenClaw ObjectName "DOMAIN\svc-openclaw" "ServicePassword123!"
PowerShell Deployment Script (Full Automation)
For automated deployment across multiple Windows Servers, use this PowerShell script:
# deploy-openclaw.ps1 - Run as Administrator
param(
[string]$ApiKey = $env:ANTHROPIC_API_KEY,
[string]$TelegramToken = $env:TELEGRAM_BOT_TOKEN,
[string]$ServiceUser = ".\LocalSystem"
)
# Install Node.js
winget install --id OpenJS.NodeJS.LTS --silent
# Install OpenClaw
& "C:\Program Files\nodejs\npm.cmd" install -g openclaw
# Create data directory
New-Item -ItemType Directory -Force -Path "C:\openclaw-data\logs"
# Download NSSM if not present
if (-not (Test-Path "C:\nssm\win64\nssm.exe")) {
Invoke-WebRequest "https://nssm.cc/release/nssm-2.24.zip" -OutFile "$env:TEMP\nssm.zip"
Expand-Archive "$env:TEMP\nssm.zip" -DestinationPath "C:\nssm-extract"
Copy-Item "C:\nssm-extract\nssm-2.24\win64" -Destination "C:\nssm\win64" -Recurse
}
# Register service
$nodePath = (Get-Command node).Source
$openclawPath = "C:\Users\$env:USERNAME\AppData\Roaming\npm\node_modules\openclaw\dist\index.js"
& C:\nssm\win64\nssm.exe install OpenClaw $nodePath "$openclawPath start"
& C:\nssm\win64\nssm.exe set OpenClaw AppDirectory "C:\openclaw-data"
& C:\nssm\win64\nssm.exe set OpenClaw AppEnvironmentExtra "ANTHROPIC_API_KEY=$ApiKey" "NODE_ENV=production"
& C:\nssm\win64\nssm.exe set OpenClaw Start SERVICE_AUTO_START
& C:\nssm\win64\nssm.exe start OpenClaw
Write-Host "OpenClaw deployed and started successfully!" -ForegroundColor Green
Step 7 — VPN07 for Corporate API Access
Enterprise environments frequently have web filtering, DLP systems, or regional restrictions that block AI API traffic. VPN07 is the reliable solution for Windows Server deployments:
Corporate Network Blockers
- • Squid proxy blocking api.anthropic.com
- • Palo Alto/Fortinet URL filtering
- • DLP policy flagging AI traffic
- • SSL inspection breaking TLS to Claude API
- • Regional blocks on AI services
VPN07 on Windows Server
- • Install VPN07 client on Windows Server
- • Configure as system-wide or per-process proxy
- • 1000Mbps — no AI workload throttling
- • Split tunneling: only AI API traffic through VPN
- • Bypasses SSL inspection for API calls
Configure VPN07 proxy settings in NSSM for OpenClaw specifically:
# Set proxy via NSSM environment variables
C:\nssm\win64\nssm.exe set OpenClaw AppEnvironmentExtra `
"ANTHROPIC_API_KEY=sk-ant-xxx" `
"NODE_ENV=production" `
"HTTPS_PROXY=http://127.0.0.1:1080" `
"HTTP_PROXY=http://127.0.0.1:1080"
# Restart service to apply
C:\nssm\win64\nssm.exe restart OpenClaw
Monitoring and Logging
Enterprise deployments need proper monitoring. Here's how to set it up on Windows Server:
Windows Event Log Integration
NSSM automatically logs service start/stop/crash events to Windows Event Log. Find them in Event Viewer → Windows Logs → System → Source: NSSM.
Real-Time Log Monitoring
Get-Content "C:\openclaw-data\logs\openclaw.log" -Wait -Tail 50
Health Check Script
$status = (Get-Service OpenClaw).Status
if ($status -ne "Running") {
Send-MailMessage -To "[email protected]" -Subject "OpenClaw DOWN" -Body "Service stopped on $env:COMPUTERNAME"
Start-Service OpenClaw
}
Multi-Server Deployment: Running OpenClaw at Scale
Enterprise environments sometimes need multiple OpenClaw instances — one per department, one per region, or one per use case. Windows Server makes multi-instance management straightforward:
Multiple Instances on One Server
Run different OpenClaw instances on different ports using separate NSSM services:
nssm install OpenClaw-HR "node.exe" "path\to\openclaw start --port 3001"
nssm install OpenClaw-Sales "node.exe" "path\to\openclaw start --port 3002"
nssm install OpenClaw-Dev "node.exe" "path\to\openclaw start --port 3003"
Deployment via Group Policy
Use Group Policy to distribute the NSSM installation script and OpenClaw configuration across multiple Windows Servers in the domain simultaneously. Configure once, deploy everywhere with GPO startup scripts.
Windows Server Core (Headless)
For production, use Windows Server Core (no GUI) — smaller attack surface, lower RAM usage. OpenClaw runs perfectly headless. Manage remotely via PowerShell Remoting or Windows Admin Center.
Real-World Enterprise Use Cases
🏦 Financial Services Automation
Deploy OpenClaw on Windows Server within your on-premises datacenter (no cloud required). AI-assisted report generation, compliance monitoring, and client communication — all staying within your firewall.
🏥 Healthcare Documentation
Run OpenClaw behind your hospital's VPN with Windows Server and Active Directory. Physicians interact with the AI agent via Teams/Slack to draft clinical notes — all data stays on-premises.
🏭 Manufacturing IT Operations
OpenClaw on Windows Server monitors production systems via OPC-UA integration, sends alerts when anomalies are detected, and automatically creates tickets in ServiceNow via its API skills.
🎓 Education IT Helpdesk
University IT runs OpenClaw on Windows Server behind Active Directory. Students and staff message the AI helpdesk bot 24/7 for password resets, software requests, and basic troubleshooting.
Troubleshooting Windows Server Issues
Service fails to start with "Error 1053"
Cause: Node.js path is wrong in NSSM config, or the OpenClaw module path is incorrect. Fix: Run where node and npm root -g to find exact paths, then update NSSM accordingly.
npm install fails with "EACCES" or proxy error
Fix for proxy: npm config set proxy http://proxy:8080. Fix for permissions: Run PowerShell as Administrator. Check that npm's global prefix is in a directory writable by the current user.
Claude API returns timeout errors
Cause: Corporate firewall blocking api.anthropic.com. Verify: Run Invoke-WebRequest https://api.anthropic.com -Method HEAD from PowerShell. If it fails, configure VPN07 proxy in NSSM environment variables.
Windows Defender quarantines npm packages
Fix: Add exclusions in Windows Security → Virus & threat protection → Exclusions: add the npm global modules folder and Node.js install directory. This is safe because npm packages come from the verified npm registry.
VPN07 — Enterprise Network for OpenClaw
1000Mbps · 70+ Countries · Trusted Since 2015
Enterprise Windows Server deployments face unique network challenges — corporate proxies, DLP systems, SSL inspection, and regional AI API restrictions. VPN07 cuts through all of it: our 1000Mbps network with 70+ global servers provides a clean, dedicated tunnel for your OpenClaw's AI API traffic. Unlike consumer VPNs, VPN07 has been running reliably for 10+ years, making it the trusted choice for enterprise-grade OpenClaw deployments. Just $1.5/month with a 30-day money-back guarantee.
Related Articles
OpenClaw Install on Windows 11: Step-by-Step Guide 2026
Complete beginner-friendly guide to installing OpenClaw on Windows 11 or Windows 10 desktop systems.
Read More →OpenClaw WSL2 + PowerShell Advanced Windows Setup
Advanced Windows configuration using WSL2 Linux subsystem alongside native PowerShell for maximum flexibility.
Read More →