How to set Require SSL for an IIS web site using Powershell IISAdministration module on Windows 2016


Answering my own question for posterity.

IISAdministration's New-IISSiteBinding cmdlet really confused me.

  1. To start with, this was not part of my default Windows 2016 (loaded from an AWS image), so I had to update to IISAdministration 1.1 by first doing Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force and then Install-Module -Name IISAdministration -Force. You cannot use Update-Module as IISAdministration 1.0 wasn't installed with NuGet, it's part of Win 2016.

  2. Second, the SslFlag attribute on this has NOTHING to do with the SslFlags for Require Ssl. SslFlag on New-IISSiteBinding can be set to None, Sni, CentralCertStore. In IIS Manager, it is equivalent to clicking on a website, then Bindings link on the right, then Add/Edit, and the checkbox "Require Server Name Indication".

IISAdministration cmdlet Get-IISConfigSection is what's needed. The following code sets Require Ssl on a web site (equivalent in IIS Manager to clicking on a website, then SSL Settings icon, "Require SSL" checkbox):

    Import-Module IISAdministration
    $ConfigSection = Get-IISConfigSection -SectionPath "system.webServer/security/access" -Location "MyWebSite"
    #to set:
    Set-IISConfigAttributeValue -AttributeName sslFlags -AttributeValue Ssl -ConfigElement $ConfigSection
    #to read:
    Get-IISConfigAttributeValue -ConfigElement $ConfigSection -AttributeName sslFlags

These can be piped too. The possible values of this sslFlags are: None, Ssl, SslNegotiateCert, SslRequireCert, SslMapCert, Ssl128 (see Access Security <access>)


For those that require a client certificate the appropriate setting is "Ssl, SslNegotiateCert, SslRequireCert"

    <system.webServer>
        <security>
            <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
        </security>
    </system.webServer>
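
An added example, not part of the original answers: an audit that reads the access `sslFlags` value for every site at the same `-Location` the first answer writes to, and lists it beside the binding-level `SslFlags` so the two settings are not confused. The function names `ConvertTo-SslFlagNames` and `Get-IISRequireSslReport` are hypothetical, and the numeric flag values are taken from the IIS configuration schema rather than from this page.

```powershell
# Added example: report "Require SSL" (access sslFlags) per IIS site.
Import-Module IISAdministration

# Flag values for system.webServer/security/access@sslFlags (IIS schema).
$FlagBits = [ordered]@{
    Ssl = 8; SslNegotiateCert = 32; SslRequireCert = 64; SslMapCert = 128; Ssl128 = 256
}

function ConvertTo-SslFlagNames {
    param($Value)
    # Assumption: the attribute may come back as a number or as a
    # comma-separated string of names, so both forms are accepted.
    $n = 0
    if ([int]::TryParse([string]$Value, [ref]$n)) {
        return @($FlagBits.Keys | Where-Object { $n -band $FlagBits[$_] })
    }
    return @(([string]$Value) -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' })
}

function Get-IISRequireSslReport {
    foreach ($site in Get-IISSite) {
        $section = Get-IISConfigSection -SectionPath 'system.webServer/security/access' -Location $site.Name
        $raw     = Get-IISConfigAttributeValue -ConfigElement $section -AttributeName sslFlags
        $flags   = @(ConvertTo-SslFlagNames $raw)
        $proto   = @($site.Bindings | ForEach-Object { $_.Protocol })
        $https   = @($site.Bindings | Where-Object { $_.Protocol -eq 'https' })
        [pscustomobject]@{
            Site               = $site.Name
            AccessSslFlags     = if ($flags) { $flags -join ', ' } else { 'None' }
            RequireSsl         = $flags -contains 'Ssl'
            ClientCertRequired = ($flags -contains 'SslNegotiateCert') -and ($flags -contains 'SslRequireCert')
            HasHttpBinding     = $proto -contains 'http'
            HasHttpsBinding    = $proto -contains 'https'
            # Binding-level SslFlags (None / Sni / CentralCertStore): a different setting.
            BindingSslFlags    = ($https | ForEach-Object { "$($_.SslFlags)" }) -join '; '
        }
    }
}

Get-IISRequireSslReport | Format-Table -AutoSize
```

A site that shows `RequireSsl` as False together with `HasHttpBinding` as True still serves content over plain HTTP.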