Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic


#Just the code:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Get-Service -Name sshd|Set-Service -StartupType 'Automatic'
Get-Service -Name sshd|Start-Service

#The long story…

#Add OpenSSH.Server capability to Windows 10 and Windows Server 2019

#OpenSSH Server needs to be installed via Remote Desktop Protocol (RDP) or from a local PowerShell session to allow SSH connections and tunnels.

#It is now included with Microsoft Windows 10 and Microsoft Windows Servers. This package only needs to be installed on the host side of a tunnel. OpenSSH Client is required on the computer initiating the connections or tunnels and is installed by default in the latest version of Windows 10, Windows Server 2019 and Windows Server 2022.

#Add-WindowsCapability does not work for the OpenSSH.Server package via Enter-PSSession for some reason.

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

#Set the SSHD service to Automatic

Get-Service -Name sshd|Set-Service -StartupType 'Automatic'

#Start the SSHD service

Get-Service -Name sshd|Start-Service

#Use this command to verify that OpenSSH.Client is installed

(Get-WindowsCapability -Online|? Name -like 'OpenSSH.Client*').State

#Verify the incoming Windows Firewall rules for OpenSSH Server were properly created

Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP"

Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed

#Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed


#Just the code:

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open
(Read-Host 'Press Enter to continue...')|Out-Null
&mstsc /V:127.0.0.3:13389 /prompt

#The Long Story…

#Remote Desktop Protocol (RDP) is great but it is not very secure. This is one way to make your RDP connections more secure using a Secure Shell (SSH) tunnel.

#Install SSH Server on Windows 10 or Windows 2019

Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Use PowerShell to open SSH in a cmd.exe window that will control the SSH tunnel.

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

#The commands will pause while you login to the SSH tunnel session. In this example 127.0.0.3:13889 is the tunnel entrance. 10.4.0.12:3389 is the tunnel destination and will most likely be different for you. In my case it is a Microsoft Windows Server 2019 server that I connect to from a Windows 10 Professional client.

#10.4.0.12 is the address of the SSH server and sshuser is an account on the destination machine. The account used doesn’t need additional rights beyond User rights on Windows 10 to create the tunnel but you will need additional rights to connect via RDP.

#Login to SSH tunnel

#Type in the password for sshuser

#The first time you connect to a new SSH host computer you must accept the SSH key that is presented. Type yes if prompted with a message similar to the text below.

The authenticity of host 'servername (10.04.00.02)' can't be established.
ECDSA key fingerprint is SHA256:(<a large string>).
Are you sure you want to continue connecting (yes/no)?

ssh tunnel login screen

#Leave this window open. Minimize if you need to but it needs to stay running for the tunnel traffic to use.

#This will end with a window that looks like it hangs after you login. It is not hung. That window is where the tunnel runs through. Do not close it. Minimize the window and go back to your script. Press Enter to continue…

SSH tunnel active after a successful login win10 server2019

#Go back to the PowerShell window and press Enter to launch mstsc.exe and make a Remote Desktop Connection using the new SSH tunnel.

(Read-Host 'Press Enter to continue...')|Out-Null

setup ssh tunnel rdp powershell win10 server2019

#Launch mstsc.exe with the new loopback IP and made up port number

#Use the & call operator to force PowerShell to treat the string as a command to be executed and run mstsc.exe which is the Windows command to launch the Remote Desktop Services client also know as Microsoft Terminal Services client (mstsc).

&mstsc /V:127.0.0.3:13389 /prompt

rdp ssh tunnel active win10 powershell


#I used code and knowledge from the page linked below to create this but the code I use is modified to combine techniques and concepts shown there when using PowerShell. 

#This site has information on using Putty and Linux to create SSH tunnel connections as well.

Tunnel RDP through SSH & PuTTY

 

 

 

Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Connections in a Workgroup

#Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Remoting connections in a Workgroup


#You will not need to do this if you perform your PowerShell tasks directly from your server.  You need this if you have virtual machines or headless devices… or just plain lazy. Also not everyone has a domain controller and sometimes even a Hyper-V host computer will remain in a workgroup since it might host the domain controller and it is off topic… I work in PowerShell ISE for the most part and connect to where ever I need to.


#This is the first steps after a fresh clean install of Microsoft Windows Server 2019 Core to allow PowerShell Remoting and WSMan.

#Press Ctrl-Alt-Delete to begin configuring Microsoft Windows Server 2019 Core

Initial Screen Ctrl, Alt,_Del_Server 2019 Core

#Press Enter to select OK to change password

Change password before signing in Server 2019 Core

#Set password for .\administrator

Set local administrator password Server 2019 Core

#This initial password is for the local administrator account .\administrator is also a way to access this account. It is not part of active directory and therefore doesn’t fall under the Active Directory password policy. Do not make it something easy to guess. The standard policy require 8 characters minimum with upper and lower case letters, numbers and symbols. I suggest you follow that as this password will be passed to your initial domain administrator account, where it will fail to work, so it is just best to avoid issues.

Your password has been changed Server 2019 Core

#This is cmd.exe start screen for Microsoft Windows Server 2019 Core. Type sconfig to bring up the cheater menu.

Microsoft Windows Server 2019 Core command prompt Server 2019 Core

#Type powershell and press enter to start a PowerShell session directly in Microsoft Windows Server 2019 Core cmd.exe prompt.

Run Powershell Server 2019 Core

#Type Enable-PSRemoting -Force to enable PowerShell Remoting. You can use -SkipNetworkProfileCheck to allow management requests on a network Microsoft Windows has categorized as Public such as Hotspots and new unrecognized networks.

Enable-PSRemoting -Force Server 2019 Core

Enable-PSRemoting -Force

#This will show you what computers you “trust” to connect remotely via PowerShell Remote, no remote hosts are allowed by default.

Get-Item WSMan clients trustedhosts Server 2019 Core

Get-Item WSMan:\localhost\Client\TrustedHosts

#This adds the computers you “trust” to make PowerShell Remote connections to. It doesn’t need a value if you don’t connect to other computers from the server and just have a management PC you use to connect remotely to the server. This is not to allow client PCs to use Enter-PSSession to connect to the server and most likely you need to run this command on a Windows 10 computer instead.

Set-Item -Value IP addresses and computer names verify Server 2019 Core

Get-Item WSMan:\localhost\Client\TrustedHosts|Set-Item -Value '10.4.0.2,BEAKER'

#You can use either the server IP address or computer name if you need to perform this step.  I choose to use both so I avoid any issues when connecting. You need to type y and press Enter to confirm.  A value of ‘*’ allows the server to connect to any remote host.

You can now connect via Eter-PSSession Server 2019 Core

#Now you can use Enter-PSSession to connect to your Microsoft Windows Sever 2019 Core install to configure it using PowerShell or RSAT tools.


#At this point you should not have Active Directory installed so you would use this command to connect. I use PowerShell ISE to open my command list and run them remotely.

Enter-PSSession -Cn 10.4.0.2 -Credential administrato

#If you are running you Microsoft Windows 2019 Core on Hyper-V then you can connect this way above and to perform these steps you could connect this way first rather than using the server console.  Be aware that connecting -VMName Vs. -ComputerName can cause some commands to behave differently or not at all.

Enter-PSSession -VMName Server2019 -Credential administrator

Installing and configuring PowerShell 7.2.1 on 64-bit Server 2019 and Windows 10

#Installing and configuring PowerShell 7.2.1 on 64-bit Server 2019 and Windows 10

#The installation commands shown here are for the latest stable release of PowerShell 7

#To be honest I don’t recommend upgrading if you plan to keep using all your existing scripts and commands without issue.  That most likely will not happen. PowerShell 7 doesn’t work well with Microsoft 365 and Microsoft Azure.  The login command fails, for example.  There might be a work around using the Microsoft Graph API but I haven’t managed to get that working.  The differences between PowerShell 5 and PowerShell 7 are discussed here.

 #I need to use the older Microsoft only releases of PowerShell for most of what I do.  PowerShell 7 does work on many non-Windows platforms but do not expect to use PowerShell 7 to manage your hard drives in Linux.  PowerShell 5.x and PowerShell 6.x only work on Microsoft Windows-based computers.

#It should also be mentioned that PowerShell 5 and PowerShell 7 run along side each other and is determined by which shell you choose to work in.  Another problem is that PowerShell ISE is not designed to work with PowerShell 7 and not included.


From Microsoft: 

#Is PowerShell ISE going away?

 
The PowerShell ISE is no longer in active feature development. As a shipping component of Windows, it continues to be officially supported for security and high-priority servicing fixes. … Users looking for replacement for the ISE should use Visual Studio Code with the PowerShell Extension.
 

 

PowerShell 7.2.1 can be downloaded for 64-bit Windows-based operating systems from the link below: 

https://github.com/PowerShell/PowerShell/releases/download/v7.2.1/PowerShell-7.2.1-win-x64.msi

Get more information about the latest version of Microsoft PowerShell 7.2 LTS from the link below:

https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2


#Open firewall to allow PowerShell access to and from other computers on your network:

Set-NetConnectionProfile -NetworkCategory Private
Enable-PSRemoting

 

Download And Install Remote Server Administration Tools for Windows 10 On Windows 10 Creators Edition Using PowerShell

#Download And Install Remote Server Administration Tools for Windows 10 On Windows 10 Creators Edition Using PowerShell

#Just the code to install Remote Server Administration Tools x64

$MSUPath = 'c:\RSAT' #Set temp path
New-Item -ItemType Directory -Path $MSUPath -Verbose #Create temp folder
Start-BitsTransfer -Source 'https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS2016-x64.msu' -Destination $MSUPath\WindowsTH-RSAT_WS2016-x64.msu -Verbose #Download 64-bit RSAT tools
$ExpandOpt='-f:* "'+$MSUPath+'\WindowsTH-RSAT_WS2016-x64.msu" '+$MSUPath #Create argument list for expand.exe
$DismOpt="/Online /Add-Package /PackagePath:$MSUPath\WindowsTH-KB2693643-x64.cab" #Set dism.exe argument options
Start-Process -FilePath expand.exe -ArgumentList $ExpandOpt -PassThru -Wait #Expand RSAT installation files
Start-Process -FilePath dism.exe -ArgumentList $DismOpt -PassThru -Wait #Run dism with argument options. Takes a few minutes to install.

#Use the next command with care if you changed the temporary folder from c:\RSAT to something else

Remove-Item -Path $MSUPath -Recurse -Verbose

#The Longer Story…

#This was a real pain in the ass. .MSU files are not ideal to deal with in PowerShell and far different from .MSI installs. It is possible that Remote Server Administration Tools for Windows 10 can’t be installed remotely using wusa.exe. There are security issues with wusa.exe and Windows 10 for sure. The wusa.exe /extract option doesn’t work in Windows 10 either, due to the same security concerns.

#Set temporary path for installation

#Set this to whatever path you want. I prefer to use a empty new folder but any temporary folder will do. Watch out for the Remove-Item command later on though if you use an existing folder for your download location.

$MSUPath = 'c:\RSAT' #Set temp path
$MSUPath = 'c:\RSAT'
$MSUPath = ‘c:\RSAT’

#Create temporary folder

#Create the folder c:\RSAT or as set in the previous command. Skip this step if you plan to use an existing folder.

New-Item -ItemType Directory -Path $MSUPath -Verbose #Create temp folder
New-Item -ItemType Directory -Path $MSUPath -Verbose
New-Item -ItemType Directory -Path $MSUPath -Verbose

#Download 64-bit version of Remote Server Administration Tools for Windows 10

#I am dealing with the 64-bit version only. I don’t know why you would even have a 32-bit version of Windows 10 Creators Edition but I’m guessing there are people doing it. You need to figure out the link yourself or download the RSAT package some other way. This command only works in PowerShell and PowerShell Remote but not in PowerShell Direct since it uses BITS.

#Download Page: https://www.microsoft.com/en-us/download/details.aspx?id=45520

Start-BitsTransfer -Source 'https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS2016-x64.msu' -Destination $MSUPath\WindowsTH-RSAT_WS2016-x64.msu -Verbose #Download 64-bit RSAT tools for Win10
Start-BitsTransfer -Source 'https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS2016-x64.msu' -Destination $MSUPath\WindowsTH-RSAT_WS2016-x64.msu -Verbose
Start-BitsTransfer -Source ‘https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS2016-x64.msu’ -Destination $MSUPath\WindowsTH-RSAT_WS2016-x64.msu -Verbose

#Set expand.exe options

#wusa.exe /extract does not work in Windows 10 so expand.exe must be used. These are the -ArgumentList options I had to set using a variable due to the really appalling quote and double quote bullshit that needs to happen to get some of these commands to work. I do not recommend trying to use the wusa.exe method of installing Remote Server Administration Tools for Windows 10 if even just to be stubborn as wusa.exe is just not designed to work properly when installing .MSU files via PowerShell in Windows 10.

$ExpandOpt='-f:* "'+$MSUPath+'\WindowsTH-RSAT_WS2016-x64.msu" '+$MSUPath #Create argument list for expand.exe
$ExpandOpt='-f:* "'+$MSUPath+'\WindowsTH-RSAT_WS2016-x64.msu" '+$MSUPath
$ExpandOpt=’-f:* “‘+$MSUPath+’\WindowsTH-RSAT_WS2016-x64.msu” ‘+$MSUPath

#Set options for Dism.exe

#Set -ArgumentList for Start-Process to launch the dism.exe command. Using dism.exe is just another crutch to get Remote Server Administration Tools for Windows 10 installed remotely using PowerShell Remote. There is not an equivalent native PowerShell command to replace dism.exe yet.

$DismOpt="/Online /Add-Package /PackagePath:$MSUPath\WindowsTH-KB2693643-x64.cab" #Set dism.exe argument options
$DismOpt="/Online /Add-Package /PackagePath:$MSUPath\WindowsTH-KB2693643-x64.cab"
$DismOpt=”/Online /Add-Package /PackagePath:$MSUPath\WindowsTH-KB2693643-x64.cab”

#Expand the .MSU file using expand.exe

#As I already mentioned… WUSA.exe – Extract option is gone in Windows 10

Start-Process -FilePath expand.exe -ArgumentList $ExpandOpt -PassThru -Wait #Expand RSAT installation files
Start-Process -FilePath expand.exe -ArgumentList $ExpandOpt -PassThru -Wait
Start-Process -FilePath expand.exe -ArgumentList $ExpandOpt -PassThru -Wait

#Install RSAT .CAB file using dism.exe

#Dism.exe is what actually works and is the method I recommend but it is slow. Takes about 5 minutes to install with my setup. You will have to wait. I have had varying degrees of success using pkgmgr.exe to install also but also I get a message in certain instances that pkgmgr.exe is depreciated so I have stayed away from using that method to install RSAT.

Start-Process -FilePath dism.exe -ArgumentList $DismOpt -PassThru -Wait #Run dism with argument options. Takes a few minutes to install.
Start-Process -FilePath dism.exe -ArgumentList $DismOpt -PassThru -Wait
Start-Process -FilePath dism.exe -ArgumentList $DismOpt -PassThru -Wait

#Remove c:\RSAT once install of WindowsTH-RSAT_WS2016-x64.msu has completed

#If you changed $MSUPath then pay attention here. You don’t want to delete a folder with other data in it. The RSAT install files are no longer needed though and can be safely deleted.

Remove-Item -Path $MSUPath -Recurse -Verbose
Remove-Item -Path $MSUPath -Recurse -Verbose
Remove-Item -Path $MSUPath -Recurse -Verbose

#You do not have to do anything else but here is the command to verify what features are currently installed.

#All Remote Server Administration Tool features are installed and enabled by default. Also you no longer need dism.exe to manage the RSAT package features. Instead Enable-WindowsOptionalFeature and Disable-WindowsOptionalFeature should be used at this point. The command below should get you started if you need to tweak available installed features. The list is too long to screen shot all at once so a snip is not included.

Get-WindowsOptionalFeature -Online -FeatureName *RSAT*|ft -a

#The Remote Server Administration Tools icons are there under Control Panel and then Administrative Tools.

#The image below shows what the default installation should look like in Windows 10.