Sometimes you just know “it will not be that easy”. In this case it is Windows Server 2019 OpenSSH Installation.
Wanting to configure an SFTP server I had reviewed instructions Get Started with OpenSSH at Microsoft a couple of sites and within the Microsoft Tech Community referenced Orin Thomas’ page on this topic.
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Seems so simple !
Add-WindowsCapability failed. Error code = 0x800f0954
So that is broken. Why? Apparently it is related to permissions for downloading updates or software directly from the interwebs.
A quick search reveals a couple of solution pages including this one at thesysadminchannel which suggests a group policy edit:
- Open gpedit.msc
- Go to Computer Configuration -> Administrative Templates -> System
- Open Specify settings for optional component installation and component repair
- Set to Enabled
- Check the box for Download Repair Content…. (directly rather than from WSUS)
- Finally, exit gpedit and back in Power Shell run gpupdate /force
So that made sense, but now I get this error:
- Open regedit
- Navigate to
UseWUServer = 0x00000000 (0)
Josh also suggested a server restart, which I did not do, and the change in the setting was apparently sufficient as the server would now accept the command and not spit it back at me.
As a final check, before continuing with configuration of the OpenSSH server, I ran this PowerShell command to check if it was installed as expected:
PS C:\windows\system32> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' Name : OpenSSH.Client~~~~0.0.1.0 State : Installed Name : OpenSSH.Server~~~~0.0.1.0 State : Installed
So that now looks better than the red error lines. Now to get on with configuring.
Final thoughts: Why would WSUS be configured for a stand-alone server? and if it is then surely it is just a proxy for getting updates in any case, and should be used auto-magically. Apparently what is happening here is that in the Microsoft ‘user-friendly pretty picture interface’ WSUS works quietly in the background doing the updates, but if we step into the dark-side of command lines, the ‘GetWindowsCapability’ command is not intelligent enough to know that it might want to check-in with WSUS first before doing a dummy-spit.
Related topics are: