SSH On Windows Server 2019

SSH PowerShell

Since the end of the last year, Windows Server 2019 and Windows 10 Build 1809 includes OpenSSH Server and Client as supported Feature-on-Demand. In this post, I will try to install and configure the OpenSSH Server on Windows Server 2019.

Installing OpenSSH on Windows Server

Open PowerShell Prompt as Administrator and run the following command to see if the OpenSSH installed already:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

As you can see in the picture above, OpenSSH.Server still Not Present, You need to install it with the PowerShell command below:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~~

Example output for the command above:

Path           :
Online : True
RestartNeeded : False

You may need to install all Windows Update before the server part would install (December 2018).

Start the OpenSSH server and make sure it starts up automatically using the command below:

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

You also need to configure the firewall port that you want to use for SSH.

Default Shell Prompt

The default prompt when you connected to Windows Server using SSH is cmd.exe. If you want to use PowerShell as your default Shell Prompt, you need to change the registry setting as below:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
SSH Systeminfo

OpenSSH Server Configuration

OpenSSH Server reads the configuration from %programdata%\ssh\sshd_config. You can use notepad or another editor to modify the value as you wish. If you already familiar with the SSH on Linux system, it would be easy to modify this OpenSSH configuration.

Below some configuration you can use/modify:

Specify which user/group to login via SSH:

AllowGroups "EXAMPLE\Domain Admins"
AllowUsers [email protected]
AllowGroups sshusers


PermitRootLogin is not applicable in Windows. To deny administrators from logging in via SSH, use a DenyGroups directive:

DenyGroups Administrators

If you like this article, please share, subscribe or you can follow our Facebook Page and Twitter.


Please enter your comment!
Please enter your name here