Back to blog

How to Configure SSH on Windows Server — Step by Step

3 min read By Signifium

Guides

Windows ServerOpenSSHPowerShellremote administrationWinPulse

OpenSSH on Windows Server lets you connect over SSH (port 22) for administration and automation. This guide walks through installing OpenSSH Server, starting the service, opening the firewall, setting PowerShell as the default shell (instead of cmd.exe), and verifying from another machine. These steps align with gateway-style tools such as WinPulse, which connect to a Windows gateway over SSH.

Step 1: Install OpenSSH Server

  • Log in as Administrator.
  • Open Settings.
  • Go to AppsOptional features.
  • Click Add a feature.
  • Search for OpenSSH Server.
  • Select it and click Install.
  • Wait for installation to complete.

Step 2: Start and Enable SSH Service

  • Press Win + R, type services.msc, press Enter.
  • Locate OpenSSH SSH Server (sshd).
  • Right-click → Start.
  • Right-click again → Properties.
  • Set Startup type to Automatic.
  • Click ApplyOK.

Step 3: Allow SSH Through Windows Firewall

  • Open Windows Defender Firewall with Advanced Security.
  • Click Inbound Rules.
  • Look for OpenSSH Server (Inbound).
  • Ensure it is Enabled.

If the rule is not present:

  • Click New Rule.
  • Select Port.
  • Choose TCP and enter 22.
  • Allow the connection.
  • Apply to the required profiles.
  • Name it OpenSSH Server (Inbound).

Step 4: Set PowerShell as the Default SSH Shell (GUI)

By default, SSH sessions may open cmd.exe. To use PowerShell:

4.1 Open Registry Editor

  • Press Win + R.
  • Type regedit and press Enter.
  • Click Yes if prompted by UAC.

4.2 Navigate to the OpenSSH Key

  • Go to: HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH

If the OpenSSH key does not exist:

  • Right-click SOFTWARENewKey.
  • Name it: OpenSSH.

4.3 Create the DefaultShell Value

  • Select the OpenSSH key.

  • Right-click in the right pane → NewString Value.

  • Name it: DefaultShell.

  • Double-click DefaultShell.

  • Set Value data to:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  • Click OK.

WinPulse: The WinPulse gateway expects PowerShell to be the default shell for SSH sessions on the gateway server. If DefaultShell points to cmd.exe (or is missing so Windows falls back to cmd), gateway behavior may not match the WinPulse gateway setup guide. Set DefaultShell to powershell.exe (or PowerShell 7’s pwsh.exe if that is your standard) before relying on WinPulse in production.

Optional — PowerShell 7: If PowerShell 7 is installed and you use it as your default for SSH, set Value data to:

C:\Program Files\PowerShell\7\pwsh.exe

Step 5: Restart the SSH Service

  • Open Services (services.msc).
  • Right-click OpenSSH SSH Server.
  • Click Restart.

Step 6: Verify

From another machine:

ssh username@SERVER_IP

You should land in PowerShell instead of cmd.

Best Practices

  • Restrict who can SSH in (firewall scope, jump hosts, or VPN) so port 22 is not exposed broadly to the internet without controls.
  • Use key-based authentication where possible; enforce strong passwords if you use password auth.
  • After major updates, confirm the service is still Automatic and the firewall rule is still enabled.

FAQ

Does this replace RDP?
No. SSH gives you a shell session; RDP is graphical. Many admins use SSH for scripting, file transfer (SFTP/SCP), and gateway-style access.

Why set PowerShell as DefaultShell?
Tools and scripts that expect PowerShell (including WinPulse’s gateway model) work without an extra powershell launch step.

Where can I read more about WinPulse and the gateway?
See the WinPulse product page, WinPulse security and architecture, and the gateway section on the product page: WinPulse gateway setup.

This article is for general guidance. Test changes in a non-production environment first.