Share via

Open SSH Server and Open SSH Client.

Lucas Peñaloza 531 Reputation points
2026-03-16T15:22:08.2133333+00:00

Dear,

I need to Install Open SSH Server and Client in Windows Server 2019 Datacenter.

But the installation ends:

User's image

So, how to install open ssh server and client in Windows Server 2019 Datacenter in a virtual machine without Internet access?.

Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
0 comments

Answer accepted by question author

  1. VPHAN 31,020 Reputation points Independent Advisor
    2026-03-18T04:20:53.89+00:00

    Lucas Peñaloza

    The presence of two distinct OpenSSH services in your management console indicates a direct conflict likely caused by a previous manual installation attempt. The official Features on Demand installation natively creates the service named OpenSSH SSH Server. However, your system also shows an Openssh SSHD service currently configured with an automatic startup type under a custom local account. Because this rogue service is likely already running and listening on TCP port 22, the newly installed official Microsoft service immediately crashes with Error 1067 when it attempts to initialize and bind to that exact same port.

    To resolve this conflict, you must completely remove the remnants of the previous manual installation. Open an elevated PowerShell session and stop the conflicting service using the command Stop-Service -Name "Openssh SSHD", followed by the command sc.exe delete "Openssh SSHD" to permanently wipe its registration from the system. After removing the service, navigate to the hidden C:\ProgramData\ssh directory. This folder stores the host keys and configuration files, which currently hold conflicting settings or incorrect security permissions from the old installation. Delete all contents within this directory to ensure a clean slate.

    Once the rogue service is deleted and the configuration directory is cleared, you can safely start the official OpenSSH SSH Server service. The initial successful startup will automatically generate fresh host keys with the correct system permissions required for the service to function securely. If the official service still refuses to start after completing these cleanup steps, open the Event Viewer and navigate through Applications and Services Logs to the OpenSSH section. The Operational log will provide the precise technical reason for any remaining startup failures.

    2 people found this answer helpful.

Answer accepted by question author

  1. VPHAN 31,020 Reputation points Independent Advisor
    2026-03-17T14:57:41.92+00:00

    Lucas Peñaloza

    You're right, it will not work with that specific disk. The output you provided from the DISM command confirms that the ISO currently mounted on drive E is the base Windows Server 2019 installation media. That specific install.wim file contains the core operating system and the desktop experience interface, but it does not contain the optional Features on Demand repository.

    Because the OpenSSH binaries are classified as optional offline features, Microsoft packages them on a completely separate disk to keep the main installation ISO smaller. To successfully install the OpenSSH Client and Server without internet access, you must acquire the dedicated Windows Server 2019 Features on Demand ISO from your Microsoft Volume Licensing Service Center or your Visual Studio subscription portal. Once you download and mount that specific FoD ISO, you can run your Add-WindowsCapability command pointing to its new drive letter, and the offline installation will finally succeed.

    2 people found this answer helpful.

Answer accepted by question author

  1. VPHAN 31,020 Reputation points Independent Advisor
    2026-03-17T00:45:26.6733333+00:00

    Lucas Peñaloza

    The ISO you have mounted on drive G appears to be the standard Windows Server base operating system installation media rather than the dedicated Features on Demand ISO. The OpenSSH binaries are not packaged on the base OS disk; they are distributed entirely separately on the Features on Demand disk for Windows Server 2019, which you must download from your Microsoft Volume Licensing Service Center or visual studio subscription portal.

    Once you download and mount the correct Features on Demand ISO to your virtual machine, you also need to adjust your PowerShell command to explicitly block Windows from attempting to contact your local WSUS server. The 0x800f0954 error specifically triggers when Windows Update or WSUS is the default provider but cannot find the payload, rejecting the local source. You can override this behavior by appending the LimitAccess flag to force the system to only look at your mounted disk. Your revised command will be Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source G:\ -LimitAccess once the correct ISO is mounted.

    If your environment uses strict Group Policy for updates, the command line override might still be blocked. To fix this permanently, open the Local Group Policy Editor and navigate to Computer Configuration, Administrative Templates, and then System. Enable the policy named Specify settings for optional component installation and component repair. Within that policy window, enter G:\ in the Alternate source file path box to ensure the local Feature on Demand files are recognized and prioritized by the servicing stack.

    VP

    2 people found this answer helpful.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VPHAN 31,020 Reputation points Independent Advisor
    2026-03-27T04:13:04.55+00:00

    Lucas Peñaloza

    You should not delete the contents of the C:\Windows\System32\OpenSSH directory or remove the OpenSSH Authentication Agent service shown in your images. The files and services you are looking at are not obsolete traces; they are the correct, legitimate components that were successfully deployed by your recent Add-WindowsCapability commands. The dates shown on those files simply reflect the official Microsoft compilation build date for that specific Features on Demand payload, and the Authentication Agent service is intentionally set to disabled by default in a native Windows Server environment.

    The only obsolete traces causing your issues are located in the hidden configuration directory at C:\ProgramData\ssh. The previous manual installation likely left behind host keys and configuration files with broken or incompatible security permissions. You must navigate to that specific ProgramData folder and delete all of its contents to clear the corruption. Do not touch the System32 directory.

    Once the C:\ProgramData\ssh folder is completely empty, simply start the OpenSSH SSH Server service from your services console. The native binaries located in your System32 folder will automatically detect the missing configuration, generate fresh host keys, and apply the correct NTFS permissions required for the service to stay running without throwing the 1067 error.

    VP

    2 people found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.