How to Install and Configure OpenSSH on Windows : Step-by-Step Guide

Introduction

OpenSSH brings native, secure SSH capabilities to Windows Server, enabling cross-platform remote management with minimal setup on Windows Server 2019, 2022, and 2025 and Windows 10 & 11.

In this article, we will cover how to install and configure OpenSSH on Windows.
The next part, explore common OpenSSH (sshd) troubleshooting steps on Windows, based on real time scenario and personal experience to help resolve services, connectivity and configuration issues.

What is OpenSSH

OpenSSH is the open-source implementation of Secure Shell (SSH). SSH is a popular protocol that allows secure remote management of systems.

It has long been a standard tool for Linux and other non-Windows platforms. It lets administrators manage servers across various environments.

With Windows 10 (build 1809) and Windows Server 2019, Microsoft made OpenSSH available as an optional feature that users can install on demand. This change helps IT professionals use familiar SSH-based workflows directly in Windows.

SSH uses a client-server model. The computer you are using acts as the client, while the remote system you want to manage serves as the server.

OpenSSH includes a set of tools and components that make secure connections, file transfers, and system administration tasks simpler.

How Does OpenSSH Work?

OpenSSH is a secure connectivity tool that allows remote sign-in using the SSH (Secure Shell) protocol. It ensures that all communication between the client and server is encrypted. This helps protect against risks like eavesdropping, session hijacking, and other security threats.

With an OpenSSH-compatible client, administrators can set up secure connections to both Windows Server machines and Windows client devices. This makes remote management safe and dependable.

OpenSSH is built on a client-server model.

• The client is the local computer you use to initiate the connection.
• The server is the remote system you want to access and manage.

With this model, administrators can create encrypted sessions for remote management, file transfers, and other secure tasks. OpenSSH includes several tools and utilities, offering a dependable way to carry out system administration across different platforms.

Default Install State of OpenSSH on Windows Versions

The table below highlights the default installation state of OpenSSH across different Windows Release .

Client and server components require:

• A supported Windows edition (Server 2019, 2022, 2025, Windows 10 & 11)
• Administrative privileges to install Windows features and modify registry or firewall rules
• Internet or repository access if installing via package management

Prerequisites

Before you proceed, make sure your system meets the following requirements:

Installing OpenSSH on Windows

Via Settings (Windows Server GUI)

1. Open Settings → Apps → Optional Features..
2. Click Add a feature, search for OpenSSH Server, and install.
3. Repeat for OpenSSH Client if needed.

Via Settings (Windows 11 GUI)

1. Open Settings → System → Optional Features .
2. Click Add an Optional Features, search for OpenSSH Server, and install

Via PowerShell (recommended):

1. Launch an elevated PowerShell prompt.
2. Install the server and client packages:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Confirm installation:

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Configuring and Starting the OpenSSH Service

This article discusses the Windows-specific setup for the OpenSSH Server (sshd).

For a full list of configuration options, OpenSSH has detailed documentation on its official website at OpenSSH.com.

1 . Enable and start the Openssh service:

Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

From GUI : Go to Services.msc and start Openssh services

Note: OpenSSH Server (sshd) generates and reads the configuration file when the service starts. Any changes to the configuration file require the service to be restarted.

2. Open the firewall for SSH traffic:

if (!(Get-NetFirewallRule -Name 'SSH')) {
New-NetFirewallRule -Name 'SSH' -DisplayName 'OpenSSH SSH' `
-Enabled True -Direction Inbound -Protocol TCP -Action Allow `
-LocalPort 22
}

Note: Installing OpenSSH Server creates and enables a firewall rule named OpenSSH-Server-In-TCP. This rule allows inbound SSH traffic on port 22. If this rule isn’t enabled and this port isn’t open, connections are refused or reset.

SSH Configuration Files and Default Shell

OpenSSH has different configuration files for server and client settings. Since it is open-source, it became part of Windows Server and Windows client operating systems starting with Windows Server 2019 and Windows 10 (build 1809).

You can find detailed documentation for OpenSSH configuration files in the official resources. Refer to the ssh_config manual page for client configuration and the sshd_config manual page for server configuration details.

By default, the OpenSSH Server (sshd) loads its configuration from:

• Server config: %ProgramData%\ssh\sshd_config
• Client config: %ProgramData%\ssh\ssh_config, user-level in %UserProfile%\.ssh\config
• If sshd_config is missing, starting the service automatically creates default settings.

Default Shell:

• The Windows command prompt (cmd.exe) is the default shell.
• To change the shell for all users, add or update the DefaultShell string in the registry at HKLM:\SOFTWARE\OpenSSH, for example:

New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
-Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
-PropertyType String -Force

(Changes apply on next SSH session and only affect the server side) .

Key Management and Authentication

• Key generation: Use ssh-keygen on client or server.
• Key storage: User keys in ~/.ssh/authorized_keys; administrator keys in C:\ProgramData\ssh\administrators_authorized_keys (restrict permissions to SYSTEM and BUILTIN\Administrators) .
• Supported methods: password and publickey only. Microsoft Entra (Azure AD) authentication is not supported.

Windows-Specific SSHD Configuration Options

Several directives in sshd_config are designed for Windows servers:

Example: Deny the contoso\admin account from a host, block all Contoso users, and allow only members of specific groups.

DenyUsers contoso\admin@192.168.2.23
DenyUsers contoso\*
AllowGroups contoso\sshusers contoso\serveroperators

Verifying the Setup

1 . From a remote machine, test connectivity:

ssh username@windows-server-ip

2. Validate key-based auth:

ssh -i ~/.ssh/id_rsa username@windows-server-ip

3. Check the SSH service and logs:

Get-Service sshd
Get-Content '%ProgramData%\ssh\logs\sshd.log'

Conclusion

Implementing OpenSSH in Windows Server improves security and makes it work better with Unix/Linux systems. By following the steps above, which include installing the feature, configuring services, opening the firewall, and tuning sshd_config, administrators can set up a strong SSH environment on Windows.

Looking for solutions to common OpenSSH issues?
Check out our next part follow-up article: OpenSSH Troubleshooting on Windows: Proven Fix for Common sshd Errors .

FAQs

Q: Why is OpenSSH used?

A: OpenSSH provides a secure way to log into remote systems. It encrypts your data, protecting against eavesdropping, session hijacking, and similar attacks.

Q: Where is OpenSSH installed on Windows?

A: On most Windows systems, OpenSSH resides under C:\Windows\System32\OpenSSH.

Q: Is OpenSSH installed by default on Windows Server?

A: Starting with Windows Server 2019 and newer, including Windows Server 2025, OpenSSH is available as a built-in feature. You may need to enable it if it’s disabled by default.

Q: Is OpenSSH part of Windows 11?

A: Yes, like Windows 10, Windows 11 includes OpenSSH out of the box. The client is enabled by default; the server can be added via optional features .

Q: How do I check if OpenSSH is running on Windows?

A: Go to Settings → Apps → Optional Features. If “OpenSSH Client” appears under installed features, it’s enabled. Otherwise, click Add a feature and install it.

Q: Do I need an internet connection for SSH?

A: No. SSH works over port-based connections. As long as you can reach the right network port (commonly port 22), an internet connection isn’t strictly required.

Q: Does PowerShell include SSH?

A: Yes, PowerShell on modern Windows systems often includes the OpenSSH Client. You can use it to securely connect to remote servers.

Q: How can I see what version of OpenSSH is installed?

A: Run the command ssh -V (capital “V”) in Command Prompt or PowerShell it displays the installed version or Get-WindowsCapability -Online | Where-Object Name -like OpenSSH*) .

Q: Where is the SSH folder on Windows?

A: By default, OpenSSH files are located in C:\Windows\System32\OpenSSH.

Q: How do I connect to a server using SSH?

A: Open your terminal (PowerShell or Command Prompt on Windows; Terminal on macOS/Linux).
Enter ssh username@server_ip.
Accept the host key if prompted.
Log in using your password or your SSH key.
You’re connected!

Q: Which port does OpenSSH use by default?

A: It uses port 22 by default.

Q: Is PowerShell good for SSH?

A: PowerShell supports SSH well, it’s cross-platform and secure. However, tools like WinRM offer advanced management features that SSH lacks, such as JEA.

Q: Is SSH TCP or UDP?

A: SSH runs over TCP, which ensures reliable, ordered, and secure data transfer—perfect for remote connections and file transfers.

Q: How do I know if OpenSSH is running on the server?

A: Try ssh localhost. If it returns “Connection refused”, the SSH service likely isn’t running. On Windows, you can also check the “OpenSSH SSH Server” in Services and ensure sshd is started.

Q: What are the risks of SSH tunneling?

A: SSH tunneling can be misused for bypassing firewalls or hiding traffic, potentially allowing non-SSH traffic to traverse an open SSH port, widening your attack surface.

Explore more related articles on vlookuphub .