server 2019 core

March 30, 2022January 19, 2025

Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Install Microsoft OpenSSH.Server package from PowerShell and set SSHD service to Automatic

#Just the code:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Get-Service -Name sshd|Set-Service -StartupType 'Automatic'
Get-Service -Name sshd|Start-Service

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Get-Service -Name sshd|Set-Service -StartupType 'Automatic'

Get-Service -Name sshd|Start-Service

#The long story…

#Add OpenSSH Server capability to Windows 10 and Windows Server 2019

#OpenSSH Server needs to be installed via Remote Desktop Protocol (RDP) or from a local PowerShell session to allow incoming SSH connections and tunnels.

#OpenSSH Client is now included with Microsoft Windows 10 and Microsoft Windows Servers. This package only needs to be installed on the remote side of a tunnel. OpenSSH Client is required on the computer initiating the connections or tunnels and is installed by default in the latest version of Windows 10, Windows Server 2019 and Windows Server 2022.

#Add-WindowsCapability does not work for the OpenSSH.Server package via Enter-PSSession for some reason.

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

1	Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

#Set the SSHD service to Automatic

Get-Service -Name sshd|Set-Service -StartupType 'Automatic'

1	Get-Service -Name sshd\|Set-Service -StartupType 'Automatic'

#Start the SSHD service

Get-Service -Name sshd|Start-Service

1	Get-Service -Name sshd\|Start-Service

#Use this command to verify that OpenSSH Client is installed

(Get-WindowsCapability -Online|? Name -like 'OpenSSH.Client*').State

1	(Get-WindowsCapability -Online\|? Name -like 'OpenSSH.Client*').State

#Verify the incoming Windows Firewall rules for OpenSSH Server were properly created

Get-NetFirewallRule<span class="hljs-parameter"> -Name</span> <span class="hljs-string">"OpenSSH-Server-In-TCP"</span>

1	Get-NetFirewallRule<span class="hljs-parameter"> -Name</span> <span class="hljs-string">"OpenSSH-Server-In-TCP"</span>

March 30, 2022January 20, 2025

Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed

#Use PowerShell to create an SSH tunnel for a Remote Desktop Connection (RDP) to another computer with OpenSSH-Server installed

#Just the code:

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open
(Read-Host 'Press Enter to continue...')|Out-Null
&amp;mstsc /V:127.0.0.3:13389 /prompt

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

(Read-Host 'Press Enter to continue...')|Out-Null

&mstsc /V:127.0.0.3:13389 /prompt

#The Long Story…

#Remote Desktop Protocol (RDP) is great but it is not very secure. This is one way to make your RDP connections more secure using a Secure Shell (SSH) tunnel. This may work in Powershell 7 but isn’t the best way to do it.

#Install SSH Server on Windows 10 or Windows 2019

http://winrollup.com/install-microsoft-openssh-server-package-from-powershell-and-set-sshd-service-to-automatic

#Use PowerShell to open SSH in a cmd.exe window that will control the SSH tunnel.

Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

1	Start-Process ssh -ArgumentList "-N -L 127.0.0.3:13389:10.4.0.12:3389 10.4.0.12 -l sshuser" -Verb open

#The commands will pause while you login to the SSH tunnel session. In this example 127.0.0.3:13889 is the tunnel entrance. 10.4.0.12:3389 is the tunnel destination and will most likely be different for you. In my case it is a Microsoft Windows Server 2019 server that I connect to from a Windows 10 Professional client.

#10.4.0.12 is the address of the SSH server and sshuser is an account on the destination machine. The account used doesn’t need additional rights beyond User rights on Windows 10 to create the tunnel but you will need additional rights to connect via RDP.

#Login to SSH tunnel

#Type in the password for sshuser

#The first time you connect to a new SSH host computer you must accept the SSH key that is presented. Type yes if prompted with a message similar to the text below.

The authenticity of host 'servername (10.04.00.02)' can't be established.
ECDSA key fingerprint is SHA256:(&lt;a large string&gt;).
Are you sure you want to continue connecting (yes/no)?

The authenticity of host 'servername (10.04.00.02)' can't be established.

ECDSA key fingerprint is SHA256:(<a large string>).

Are you sure you want to continue connecting (yes/no)?

ssh tunnel login screen

#Leave this window open. Minimize if you need to but it needs to stay running for the tunnel traffic to use.

#This will end with a window that looks like it hangs after you login. It is not hung. That window is where the tunnel runs through. Do not close it. Minimize the window and go back to your script. Press Enter to continue…

SSH tunnel active after a successful login win10 server2019

#Go back to the PowerShell window and press Enter to launch mstsc.exe and make a Remote Desktop Connection using the new SSH tunnel.

(Read-Host 'Press Enter to continue...')|Out-Null

1	(Read-Host 'Press Enter to continue...')\|Out-Null

setup ssh tunnel rdp powershell win10 server2019

#Launch mstsc.exe with the new loopback IP and made up port number

#Use the & call operator to force PowerShell to treat the string as a command to be executed and run mstsc.exe which is the Windows command to launch the Remote Desktop Services client also know as Microsoft Terminal Services client (mstsc).

&amp;mstsc /V:127.0.0.3:13389 /prompt]

1	&mstsc /V:127.0.0.3:13389 /prompt]

rdp ssh tunnel active win10 powershell

#I used code and knowledge from the page linked below to create this but the code I use is modified to combine techniques and concepts shown there when using PowerShell.

#This site has information on using Putty and Linux to create SSH tunnel connections as well.

https://www.saotn.org/tunnel-rdp-through-ssh/

February 20, 2022January 20, 2025

Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Connections in a Workgroup

#Setup a New Microsoft Windows Server 2019 Core Installation to Accept Incoming PowerShell Remoting connections in a Workgroup

#You will not need to do this if you perform your PowerShell tasks directly from a domain connected computer. You need this if you have virtual machines or headless devices… or just plain lazy. Also not everyone has a domain controller and sometimes even a Hyper-V host computer will remain in a workgroup since it might host the domain controller and it is off topic… I work in PowerShell ISE for the most part and connect to where ever I need to.

#This is the first steps after a fresh clean install of Microsoft Windows Server 2019 Core to allow PowerShell Remoting and WSMan.

#Press Ctrl-Alt-Delete to begin configuring Microsoft Windows Server 2019 Core

#Press Enter to select OK to change password

#Set password for .\administrator

#This initial password is for the local administrator account .\administrator is also a way to access this account. It is not part of active directory and therefore doesn’t fall under the Active Directory password policy. Do not make it something easy to guess. The standard policy require 8 characters minimum with upper and lower case letters, numbers and symbols. I suggest you follow that as this password will be passed to your initial domain administrator account, where it will fail to work, so it is just best to avoid issues.

#This is cmd.exe start screen for Microsoft Windows Server 2019 Core. Type sconfig to bring up the cheater menu.

#Type powershell and press enter to start a PowerShell session directly in Microsoft Windows Server 2019 Core cmd.exe prompt.

#Type Enable-PSRemoting -Force to enable PowerShell Remoting. You can use -SkipNetworkProfileCheck to allow management requests on a network Microsoft Windows has categorized as Public such as Hotspots and new unrecognized networks.

Enable-PSRemoting <span style="font-family: terminal, monaco, monospace;">-SkipNetworkProfileCheck </span>-Force

1	Enable-PSRemoting <span style="font-family: terminal, monaco, monospace;">-SkipNetworkProfileCheck </span>-Force

#This will show you what computers you “trust” to connect remotely via PowerShell Remote, no remote hosts are allowed by default.

Get-Item WSMan:\localhost\Client\TrustedHosts

1	Get-Item WSMan:\localhost\Client\TrustedHosts

#This creates a list of computers you “trust” so that you wish to make outgoing PowerShell Remote connections. It doesn’t need a value if you don’t plan to connect to other computers from this new server and/or just use a management PC.

#This is not a list of computers that are allowed to use Enter-PSSession to connect to the new server and most likely you need to run this command on a Windows 10 management PC instead. You would include either the IP address of the new server, the computer name of the new server or ‘*’ if you want to be able to connect to anywhere.

Get-Item WSMan:\localhost\Client\TrustedHosts|Set-Item -Value '10.4.0.2,BEAKER'

1	Get-Item WSMan:\localhost\Client\TrustedHosts\|Set-Item -Value '10.4.0.2,BEAKER'

#The code below will add entries to the TrustedHosts rather than overwrite them:

# Retrieve the current TrustedHosts value
$currentTrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Define the new entries you want to add
$newEntries = "KERMIT,10.10.10.20"

# Check if currentTrustedHosts is empty and append new entries
if ([string]::IsNullOrEmpty($currentTrustedHosts)) {
    $updatedTrustedHosts = $newEntries
} else {
    # Split the current entries into an array to avoid duplicates
    $currentEntries = $currentTrustedHosts -split ','
    
    # Add new entries while avoiding duplicates
    $newEntriesArray = $newEntries -split ','
    $allEntries = $currentEntries + $newEntriesArray | Select-Object -Unique
    
    # Join the entries back into a single string
    $updatedTrustedHosts = ($allEntries -join ',')
}

# Set the updated TrustedHosts value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $updatedTrustedHosts -Force

# Optional: Output the updated TrustedHosts value for confirmation
Write-Host "Updated TrustedHosts: $updatedTrustedHosts"

# Retrieve the current TrustedHosts value

$currentTrustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Define the new entries you want to add

$newEntries = "KERMIT,10.10.10.20"

# Check if currentTrustedHosts is empty and append new entries

if ([string]::IsNullOrEmpty($currentTrustedHosts)) {

$updatedTrustedHosts = $newEntries

} else {

# Split the current entries into an array to avoid duplicates

$currentEntries = $currentTrustedHosts -split ','

# Add new entries while avoiding duplicates

$newEntriesArray = $newEntries -split ','

$allEntries = $currentEntries + $newEntriesArray | Select-Object -Unique

# Join the entries back into a single string

$updatedTrustedHosts = ($allEntries -join ',')

}

# Set the updated TrustedHosts value

Set-Item WSMan:\localhost\Client\TrustedHosts -Value $updatedTrustedHosts -Force

# Optional: Output the updated TrustedHosts value for confirmation

Write-Host "Updated TrustedHosts: $updatedTrustedHosts"

#You can use either the server IP address or computer name if you need to perform this step. I choose to use both so I avoid any issues when connecting. You need to type y and press Enter to confirm. A value of ‘*’ allows the server to connect to any remote host.

#Now you can use Enter-PSSession to connect to your Microsoft Windows Sever 2019 Core install to configure it using PowerShell or RSAT tools.

#At this point you probably do not have Active Directory installed so you would use the command below to connect to the server. I use PowerShell ISE to open my list of common commands and just run them remotely from my desktop computer. After the -Cn is whatever IP address or computer name you added to WSMan:\localhost\Client\TrustedHosts

Enter-PSSession -Cn 10.4.0.2 -Credential administrator

1	Enter-PSSession -Cn 10.4.0.2 -Credential administrator

#If you are running Microsoft Windows 2019 Core on Hyper-V then you can connect the way shown above from anywhere. You could connect the way below, from the Hyper-V host, if that isn’t also a core installation. Be aware that connecting -VMName Vs. -ComputerName can cause some commands to behave differently or not at all.

Enter-PSSession -VMName Server2019 -Credential administrator

1	Enter-PSSession -VMName Server2019 -Credential administrator