In a secure or air-gapped environment, installing Windows features that normally require an internet connection can be a challenge. A common example is the OpenSSH Server, which is essential for secure remote management. When you run Add-WindowsCapability, Windows typically downloads the package from Microsoft Update.
This guide provides two reliable methods for installing the OpenSSH Server on an offline Windows machine (Server 2019/2022 or Windows 10/11), ensuring you can maintain security and manageability even without internet access.
Method 1: Using the Official CAB File from a Features on Demand (FOD) ISO
This is the official Microsoft method and ensures that the installed version perfectly matches your Windows build.
Step 1: Obtain the FOD ISO (Online Machine)
- On a machine with internet access, go to the Microsoft Evaluation Center or your Volume Licensing Service Center.
- Download the Language and Optional Features (FOD) ISO that corresponds to your exact Windows version (e.g., “Windows Server 2022 Language and Optional Features ISO”).
- Mount the ISO (right-click → Mount).
- Navigate to the amd64_mlc directory and find the OpenSSH Server package. It will be named something like: OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab
- Copy this .cab file to a USB drive or other removable media.
Step 2: Install the CAB File (Offline Machine)
- Transfer the .cab file to the offline machine (e.g., to C:\Temp).
- Open PowerShell as an Administrator and run the following command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source C:\Temp
If the command succeeds, the output will show Online: True and RestartNeeded: False.
Troubleshooting: If you get an error like 0x800f081f (source not found), it means the CAB file version does not match your Windows build. You must use the FOD ISO for your specific OS version.
Step 3: Configure and Start the SSHD Service
Once installed, you need to start the sshd service and set it to start automatically.
Start-Service -Name sshd
Set-Service -Name sshd -StartupType Automatic
Get-Service -Name sshd
Method 2: Using the MSI Installer from GitHub
This method is often simpler as it doesn’t require a large ISO download and is not tied to a specific Windows build.
Step 1: Download the MSI (Online Machine)
- On a machine with internet access, go to the Win32-OpenSSH GitHub releases page.
- Download the latest OpenSSH-Win64-vX.X.X.X.msi file.
- Copy the .msi file to your removable media.
Step 2: Install the MSI (Offline Machine)
- Transfer the .msi file to the offline machine (e.g., to C:\Temp).
- Open PowerShell as an Administrator and run the silent installation:
msiexec /i "C:\Temp\OpenSSH-Win64-v9.5.0.0p1-Beta.msi" /quiet /log "C:\Temp\install.log"
This will install OpenSSH to C:\Program Files\OpenSSH and create the sshd service.
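Before running the install command in Step 2 of either method, it is worth confirming that the file that arrived on the offline machine is the one that was downloaded. The following is an added example, not part of the original guide: the function name Test-TransferredInstaller, the file path and the expected hash are placeholders, and it assumes the package carries an Authenticode signature.

```powershell
# Added example: verify a transferred .cab or .msi before installing it offline.
# Record the expected hash on the ONLINE machine right after download:
#   Get-FileHash -Algorithm SHA256 .\OpenSSH-Win64-vX.X.X.X.msi
# and carry it to the offline machine separately from the installer itself.
function Test-TransferredInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # 1. Integrity: the bytes on this machine must match what was downloaded.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -eq $ExpectedSha256.Trim()   # string -eq is case-insensitive

    # 2. Authenticity: the Authenticode signature must validate locally.
    #    (Assumption: the package is signed; an unsigned file fails this check.)
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $sigOk  = $sig.Status -eq 'Valid'
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Path            = $Path
        ActualSha256    = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $signer          # review this: it should name the expected publisher
        SafeToInstall   = ($hashOk -and $sigOk)
    }
}

# Placeholder values: substitute the real file name and the hash you recorded.
$check = Test-TransferredInstaller `
    -Path 'C:\Temp\OpenSSH-Win64-vX.X.X.X.msi' `
    -ExpectedSha256 '<SHA256-RECORDED-ON-ONLINE-MACHINE>'

$check | Format-List

if (-not $check.SafeToInstall) {
    throw "Verification failed for $($check.Path); do not install this file."
}
```

The same function works for the .cab file from Method 1; pass its path and the hash recorded when it was copied from the mounted ISO.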
Step 3: Configure and Start the Service
The MSI installer does not always start the service automatically.
Start-Service -Name sshd
Set-Service -Name sshd -StartupType Automatic
Post-Installation: Firewall Configuration
By default, the Windows Defender Firewall will block incoming SSH connections. You must create a firewall rule to allow traffic on the SSH port (default is 22).
Run this command in an elevated PowerShell prompt on the offline server:
New-NetFirewallRule -Name "OpenSSH Server (sshd)" -DisplayName "OpenSSH Server (sshd)" `
-Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Verification
After installation and configuration, you should test that the SSH server is running and accessible.
On the server:
# Check that the service is running
Get-Service sshd
# Check that the server is listening on port 22
netstat -an | findstr ":22"
From a client machine:
ssh username@your-server-ip
Comparison of Methods
| Aspect | CAB / FOD Method | MSI / GitHub Method |
|---|---|---|
| Source | Official Windows component | Official Microsoft open-source project |
| Compatibility | Must match Windows build exactly | Works on any supported Windows version |
| Download Size | Large (~5 GB ISO) | Small (~4 MB MSI) |
| Updates | Managed by Windows Update | Requires manual reinstallation |
| Best For | Strictly controlled enterprise environments | Quick and simple offline setups |
Conclusion
Installing OpenSSH Server on an offline Windows system is a straightforward process once you have the correct installation files.
- For enterprise environments that require official Windows components, the CAB/FOD method is the most compliant approach.
- For simplicity and ease of use, the MSI from GitHub is a faster and more flexible option.
By following these steps, you can enable secure SSH access to your air-gapped Windows servers, improving manageability without compromising security.