Share via

Open SSH Server and Open SSH Client.

Lucas Peñaloza 421 Reputation points
2026-03-16T15:22:08.2133333+00:00

Dear,

I need to Install Open SSH Server and Client in Windows Server 2019 Datacenter.

But the installation ends:

User's image

So, how to install open ssh server and client in Windows Server 2019 Datacenter in a virtual machine without Internet access?.

Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
0 comments

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VPHAN 29,205 Reputation points Independent Advisor
    2026-03-18T04:20:53.89+00:00

    Lucas Peñaloza

    The presence of two distinct OpenSSH services in your management console indicates a direct conflict likely caused by a previous manual installation attempt. The official Features on Demand installation natively creates the service named OpenSSH SSH Server. However, your system also shows an Openssh SSHD service currently configured with an automatic startup type under a custom local account. Because this rogue service is likely already running and listening on TCP port 22, the newly installed official Microsoft service immediately crashes with Error 1067 when it attempts to initialize and bind to that exact same port.

    To resolve this conflict, you must completely remove the remnants of the previous manual installation. Open an elevated PowerShell session and stop the conflicting service using the command Stop-Service -Name "Openssh SSHD", followed by the command sc.exe delete "Openssh SSHD" to permanently wipe its registration from the system. After removing the service, navigate to the hidden C:\ProgramData\ssh directory. This folder stores the host keys and configuration files, which currently hold conflicting settings or incorrect security permissions from the old installation. Delete all contents within this directory to ensure a clean slate.

    Once the rogue service is deleted and the configuration directory is cleared, you can safely start the official OpenSSH SSH Server service. The initial successful startup will automatically generate fresh host keys with the correct system permissions required for the service to function securely. If the official service still refuses to start after completing these cleanup steps, open the Event Viewer and navigate through Applications and Services Logs to the OpenSSH section. The Operational log will provide the precise technical reason for any remaining startup failures.

  2. VPHAN 29,205 Reputation points Independent Advisor
    2026-03-17T14:57:41.92+00:00

    Lucas Peñaloza

    You're right, it will not work with that specific disk. The output you provided from the DISM command confirms that the ISO currently mounted on drive E is the base Windows Server 2019 installation media. That specific install.wim file contains the core operating system and the desktop experience interface, but it does not contain the optional Features on Demand repository.

    Because the OpenSSH binaries are classified as optional offline features, Microsoft packages them on a completely separate disk to keep the main installation ISO smaller. To successfully install the OpenSSH Client and Server without internet access, you must acquire the dedicated Windows Server 2019 Features on Demand ISO from your Microsoft Volume Licensing Service Center or your Visual Studio subscription portal. Once you download and mount that specific FoD ISO, you can run your Add-WindowsCapability command pointing to its new drive letter, and the offline installation will finally succeed.

  3. VPHAN 29,205 Reputation points Independent Advisor
    2026-03-17T00:45:26.6733333+00:00

    Lucas Peñaloza

    The ISO you have mounted on drive G appears to be the standard Windows Server base operating system installation media rather than the dedicated Features on Demand ISO. The OpenSSH binaries are not packaged on the base OS disk; they are distributed entirely separately on the Features on Demand disk for Windows Server 2019, which you must download from your Microsoft Volume Licensing Service Center or visual studio subscription portal.

    Once you download and mount the correct Features on Demand ISO to your virtual machine, you also need to adjust your PowerShell command to explicitly block Windows from attempting to contact your local WSUS server. The 0x800f0954 error specifically triggers when Windows Update or WSUS is the default provider but cannot find the payload, rejecting the local source. You can override this behavior by appending the LimitAccess flag to force the system to only look at your mounted disk. Your revised command will be Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source G:\ -LimitAccess once the correct ISO is mounted.

    If your environment uses strict Group Policy for updates, the command line override might still be blocked. To fix this permanently, open the Local Group Policy Editor and navigate to Computer Configuration, Administrative Templates, and then System. Enable the policy named Specify settings for optional component installation and component repair. Within that policy window, enter G:\ in the Alternate source file path box to ensure the local Feature on Demand files are recognized and prioritized by the servicing stack.

    VP

  4. VPHAN 29,205 Reputation points Independent Advisor
    2026-03-16T15:57:31.7366667+00:00

    Hi Lucas Peñaloza,

    The failure shown in your image occurs because the Windows graphical interface defaults to downloading the OpenSSH payload from the public Windows Update servers. In an air-gapped environment, this results in error code 0x800f0954, as the system cannot reach the online metadata. To resolve this natively on Windows Server 2019 without internet access, you must obtain the official Windows Server 2019 Features on Demand (FoD) ISO from your organization's licensing portal. Once this ISO is mounted to your virtual machine, you can point the installation process to the local disk rather than a remote server.

    You should perform the installation using an elevated PowerShell session to ensure the feature is correctly integrated into the system's servicing stack. By running the command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source D:\, where D is the drive letter of your mounted ISO, you bypass the internet requirement. This installs the server components into the C:\Windows\System32\OpenSSH directory. After the installation finishes, the sshd service remains disabled by default; you will need to set its start type to automatic and manually start the service. Additionally, verify that the inbound firewall rule for TCP port 22 is enabled to allow incoming connections to the server.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

  5. Q&A Assist
    2026-03-16T15:22:34.1566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    On a Windows Server 2019 Datacenter VM without internet access, OpenSSH must be installed from a Features on Demand (FoD) source instead of Windows Update.

    Follow these steps from a machine that does have internet, then use that content inside the offline VM:

    1. Verify prerequisites on the target VM
      In an elevated PowerShell session on the Server 2019 VM:
      • Confirm OS/build: run winver.exe and ensure it is Windows Server 2019 (build 1809 or later).
      • Confirm PowerShell version: run $PSVersionTable.PSVersion and verify Major ≥ 5 and Minor ≥ 1.
      • Confirm admin rights: 
             (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    2. Download the FoD ISO packages on an internet-connected machine
      On a separate machine with internet access:
      • Check its Windows version with winver.exe.
      • Download the matching Features on Demand (FoD) ISO packages from one of the supported sources (for example Microsoft 365 Admin Portal, OEM, Evaluation Center, MSDN-Platforms, or the GitHub OpenSSH packages) as described in the FoD section.
      • For Windows Server 2019 specifically, download:
        • The FoD ISO for the matching Windows Server 2019 version, and
        • The FoD ISO for the matching Windows 10 version (for example, Windows 10, version 1809 for Windows Server 2019, version 1809).
    3. Prepare a FoD folder for Windows Server 2019
      On the internet-connected machine (or any machine that can access the ISOs):
      1. Create a folder, for example C:\FOD.
      2. Extract the contents of the Windows Server 2019 FoD package into C:\FOD.
      3. Mount the Windows 10 FoD ISO (right‑click → Mount).
      4. From the mounted Windows 10 FoD, copy these CAB files into C:\FOD:
        • OpenSSH-Client-Package~31bf3856ad364e35~amd64~~.cab
        • OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab
      5. Copy the entire C:\FOD folder to removable media or a network share accessible from the offline Server 2019 VM.
    4. Mount the FoD source on the offline Server 2019 VM
      On the offline VM:
      • Copy C:\FOD locally or mount the FoD ISO / share as a drive (for example E:).
      • Ensure the CAB files listed above are present in that location.
    5. Install OpenSSH Client and Server from the FoD source
      In an elevated Command Prompt on the offline VM, run (replace <Drive> with the drive letter or folder path containing the CAB files, such as E: or C:\FOD): 
         dism /online /add-capability /capabilityname:OpenSSH.Client~~~~0.0.1.0 /source:<Drive>
   dism /online /add-capability /capabilityname:OpenSSH.Server~~~~0.0.1.0 /source:<Drive>
      Each command should return output similar to: 
         Path          :
   Online        : True
   RestartNeeded : False
    6. Start and configure the OpenSSH Server service
      After installation completes, configure the service (same steps for all supported Windows versions):
      1. Open Services (services.msc).
      2. Locate OpenSSH SSH Server.
      3. Open its properties, set Startup type to Automatic, select OK.
      4. Select Start to start the service.
      Installing OpenSSH Server creates and enables the firewall rule OpenSSH-Server-In-TCP, which allows inbound SSH on port 22. If this rule is disabled or port 22 is blocked by other firewalls, inbound SSH connections will fail.
    7. Verify installation status
      In an elevated PowerShell session on the VM: 
         Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
      The state for OpenSSH.Client~~~~0.0.1.0 and OpenSSH.Server~~~~0.0.1.0 should be Installed.
    8. Test SSH connectivity
      From a client with the OpenSSH client installed, run: 
         ssh domain\username@servername
      Confirm that the connection prompt appears and that sign-in works.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.