Early access begins for ‘Gears 5’ Ultimate Edition owners and Xbox Game Pass Ultimate members | Windows Experience Blog

September 5, 2019 4:51 pm

By Athima Chansanchai / Writer, Windows Blog
Share Tweet Share Share Skype
“Gears 5” will be available Sept. 5 immediately following the television debut of its launch ad during the NFL season opener.
This begins the four-day early access period for “Gears 5” Ultimate Edition owners and Xbox Game Pass Ultimate members, who may begin playing four days before the game’s worldwide release on Sept. 10. For those eager to get started immediately the full game download is available now in advance of the game’s release.
As part of a special offer, new subscribers can join Xbox Game Pass Ultimate today and get their first two months for $2 now through Sept. 30.
Find out more on Xbox Wire.
Tags Gears 5 Xbox Game Pass Xbox Game Pass Ultimate
Share Tweet Share Share Skype

Announcing Windows 10 Insider Preview Build 18362.10019 (19H2) | Windows Experience Blog

Hello Windows Insiders!Today we are releasing 19H2 Build 18362.10019 to ALL Windows Insiders in the Slow ring.
IF you received Build 18362.10014 with 19H2 features turned OFF by default on 8/19 – you WILL receive Build 18362.10019 today with all 19H2 features turned ON.
IF you received Build 18362.10015 with 19H2 features turned ON by default on 8/19 – you WILL receive Build 18362.10019 today with all 19H2 features turned ON.
If you’re on the Windows 10 May 2019 Update and just joining your PC into the Slow ring to take 19H2 updates, you will also receive Build 18362.10019 with all 19H2 features turned on. Everyone in the Slow ring should be on the same build now with all the following 19H2 features turned on:
Windows containers require matched host and container version. This restricts customers and limits Windows containers from supporting mixed-version container pod scenarios This update includes 5 fixes to address this and allow the host to run down-level containers on up-level for process (Argon) isolation.
A fix to allow OEMs to reduce the inking latency based on the hardware capabilities of their devices rather than being stuck with latency selected on typical hardware configuration by the OS.
Key-rolling or Key-rotation feature enables secure rolling of Recovery passwords on MDM managed AAD devices upon on demand request from Microsoft Intune/MDM tools or upon every time recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
A change to enable third-party digital assistants to voice activate above the Lock screen.
You can now quickly create an event straight from the Calendar flyout on the Taskbar. Just click on the date and time at the lower right corner of the Taskbar to open the Calendar flyout and pick your desired date and start typing in the text box – you’ll now see inline options to set a time and location.
The navigation pane on the Start menu now expands when you hover over it with your mouse to better inform where clicking goes.
We have added friendly images to show what is meant by “banner” and “Action Center” when adjusting the notifications on apps in order to make these settings more approachable and understandable.
Notifications settings under Settings > System > Notifications will now default to sorting notification senders by most recently shown notification, rather than sender name. This makes it easier to find and configure frequent and recent senders. We have also added a setting to turn off playing sound when notifications appear.
We now show the options to configure and turn off notifications from an app/website right on the notification, both as a banner and in Action Center.
We have added a “Manage notifications” button to the top of Action Center that launches the main “Notifications & actions” Settings page.
We have added additional debugging capabilities for newer Intel processors. This is only relevant for hardware manufacturers.
We have made general battery life and power efficiency improvements for PCs with certain processors.
A CPU may have multiple “favored” cores (logical processors of the highest available scheduling class). To provide better performance and reliability, we have implemented a rotation policy that distributes work more fairly among these favored cores.
We have enabled Windows Defender Credential Guard for ARM64 devices for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations.
We have enabled the ability for enterprises to supplement the Windows 10 in S Mode policy to allow traditional Win32 (desktop) apps from Microsoft Intune.
We’re updating the search box in File Explorer to now be powered by Windows Search. This change will help integrate your OneDrive content online with the traditional indexed results. More details here.
We have added the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked).
In addition to the 19H2 features being turned on for everyone in the Slow ring, this update also includes the general improvements for these features.
NOTE: For an explanation as to why the 19H2 build number in the Slow ring is different than the 19H2 build number in the Release Preview ring – see this blog post.  
As always, Insiders are encouraged to report any issues they experience with these updates through Feedback Hub.
Thanks,Dona and Brandon

The holidays come early at IFA 2019 | Windows Experience Blog

This week I had the pleasure of being in Berlin, Germany, for IFA 2019 to meet with our PC and IoT ecosystem partners. This is always an exciting time for me because I get to see all the new PCs and intelligent edge devices coming this holiday season. Over the last week, our partners Acer, ASUS, Dell, Lenovo and Razer have announced new Windows 10 PCs that both consumer and commercial customers are sure to want.
Modern PCs look different because they are different. They have better performance, innovative designs and new experiences. According to Microsoft research, people are happier when they get a modern PC. We have a lot of modern PCs in market already from all our device partners, and it’s great to see these benefits continuing to come to life in recently announced devices from our partners.
Better performance
Performance starts with a modern computer with solid-state drives (SSDs). SSDs make the computers fast, thin and light. Performance also considers how long the battery lasts and what processor is used. All these elements are critical for customers who want to use their device on the go and run multiple workloads at once. Today’s modern PCs are at least two times faster and can stay unplugged on average of 32% longer compared to HDD models. Intel’s recently announced 10th Generation Intel Core processors enhance the experience for many of these new devices with AI, Thunderbolt 3 and Intel Wi-Fi 6 technologies, all of which increase speed of connectivity.
A great example is the new Dell XPS 13 now with an Intel 10th Generation processor. Whether bingeing a video series or working on the go, this device delivers performance gains needed for compute-intensive, demanding, multi-thread workloads – while still efficiently displaying beautiful 4K content.

The latest Lenovo ThinkPad X1 Carbon laptops are great examples of devices engineered for an on-the-go workforce that needs higher performance to improve their workday productivity and security. These devices are optimized for long battery life and Wi-Fi 6 connectivity.

Razer announced the new Razer Blade Stealth 13 – the first gaming laptop with NVIDIA’s GeForce GTX 1650. Powered by Intel’s new 10th Generation processor, the new Razer Blade Stealth 13 delivers true gaming performance packed into an amazingly thin 15mm chassis weighing only 1.3 kgs.

Innovative designs
Being fast and powerful used to come at the expense of a beautiful device, but not anymore. Windows 10 PCs are designed to be shown off with touches like metallic finishes and backlit keyboards. Choice of form factors help you work the way you want with 2-in-1 convertibles, detachables and ultraslim designs.
The new ASUS Republic of Gamers demonstrates this attention to design. By offering a new Glacier Blue hue for select Zephyrus and Strix family laptops, the company is reimagining the look and feel of gaming machines for a widening audience of gamers who are also streamers and creative professionals who want more than a black machine.

Great design also comes with devices that are thin and light. The Acer Swift 5*, a super light 14-inch notebook that is 15.95 mm thin, only weighs 990 grams and comes with a new discrete NVIDIA GeForce MX250 graphics option for high-powered gaming.

New experiences
Finally, we want customers to have the best experiences with their hardware and software, and that begins with the applications and services that come with a Windows 10 PC. This includes multiple ways to interact, with ink and pen, voice and touch, and compatibility with other devices and applications. It also includes top-grade security with Windows Hello and the on-the-go productivity benefits in Office 365 enabled by the cloud. When it comes down to it, Windows 10 PCs help you achieve more.
With a modern PC you get speed, security, durability and great design. While there is a lot of focus on PCs at IFA, we also see a lot of innovation from our partners around the Intelligent Cloud and Intelligent Edge.
By 2020 analysts estimate that 20 billion devices will be connected to the cloud, and Microsoft and our ecosystem of partners offer a unique value proposition because our Intelligent Cloud and Intelligent Edge solutions are extra smart, secure and agile. For example, we have the Smart Home solution from digitalSTROM in our Microsoft booth where you can experience different ways to operate your Smart Home; e.g., order a cup of coffee from a robot or start the coffee machine with just a smile via a 3D Intel RealSense camera.
From the latest in modern, powerful Windows 10 PCs to cloud-connected services, I am constantly amazed by the innovative ways our partners are building on our platforms to deliver rich experiences to customers.  I think it’s going to be a great holiday season for Microsoft, our partners and our customers.
Check back on the Windows Blog for more updates in the coming months.
*Based on Acer’s internal survey as of August 29, 2019 of competing clamshell laptop designs available on the market, running Windows OS or OSX.

IFA 2019: Lenovo introduces smart features on new and refreshed Yoga laptops | Windows Experience Blog

At this week’s IFA event in Berlin, Lenovo introduced exclusive smart features that adapt to users’ performance needs on the new 14-inch Yoga C940 and Yoga S740: Super Resolution upscales video up to FHD 1080p on Windows Media Player [1] and Q-Control (named for device keys used to toggle modes), that has the potential to dynamically boost your PC’s battery life [2].
Lenovo Yoga C940

The 14-inch Lenovo Yoga C940 is the new 2-in-1 convertible laptop redefining smarter performance and design with its all-metal chassis and clever built-in features, like TrueBlock Privacy shutter, Windows Hello biometric authentication, and garaged pen with silo charging and Windows Ink. Enable Lenovo’s exclusive Q-Control [3] by pressing Function-Q to shift into Intelligent Cooling Mode for your PC to auto-adjust performance and optimize battery life based on tasks – up to 17.5 hours [4] in FHD and up to 10.5 hours [4] with a UHD display.
With a full range of intelligent features, the 14-inch Lenovo Yoga S740 is designed to help people save time. Powered by up to 10th Generation Intel Core processors, it has a hands-free IR camera login. That IR camera can also detect your absence after a few seconds and enable instant log-off, or if you’re watching a video and need to walk away for a few minutes, your PC is intuitive enough to pause the video and automatically resume upon your return. You can even opt to blur your background during video calls, so your cat doesn’t make a surprise appearance during your next online brainstorm. This device will also have a new child safety setting that reminds kids to limit their screen viewing time in one sitting.
The new Lenovo Yoga C940 (15-inch) is a 2-in-1 convertible with 9th Generation Intel Core processors, as well as a notched webcam bump on its lid for better grip, a garaged pen with silo charging, TrueBlock Privacy Shutter and Windows Hello biometric fingerprint authentication for confident security.
The Lenovo Yoga S740 (15-inch) comes stacked with up to 9th Generation Intel Core i9 mobile processor and more powerful NVIDIA GeForce GTX1650 GPUs, making this all-metal, ultra-slim laptop a portable and multi-tasking powerhouse. Combined with theater-like specs like a 15-inch FHD HDR display and a TrueBlock Privacy Shutter, this laptop also has a longer-lasting battery. Listen to music or watch videos in crystal-clear sound with Dolby Atmos Speaker System with Smart Amp, designed to boost voice and content audio in slim form factors.

Lenovo Yoga C740

The all-metal Lenovo Yoga C740 is available in a 14-inch or 15-inch screen size in Mica or Iron Grey. Flip smoothly from laptop to tablet mode and back. Lightweight with a color-matched keyboard, this 2-in-1 device has smart features that respond to your needs, including its TrueBlock Privacy Shutter and more secure fingerprint login.

Lenovo Yoga C740 in tablet mode

Finally, the 13-inch Lenovo Yoga C640 combines the performance of up to 10th Generation Intel Core i7 processing with the compact portability of a sleek 2-in-1, so you don’t feel anchored. This new convertible with optional integrated, ultra-fast 4G LTE frees users from reliance on hotspots and unsecured public Wi-Fi when on the go. Plus, it could provide up to 20 hours [4] of battery life, thanks to optimized CPU performance. You can also talk with Cortana [5] for instant help. Windows 10 Home OS is offered on both LTE and Wi-Fi-only models.

Lenovo Yoga C640

Go to Lenovo to find out more.
[1] Super Resolution on media players may vary in China and other markets. Super Resolution feature requires rolling auto-updates form Lenovo Vantage in Q4 2019.
[2] When the AI-enhanced Intelligent Cooling Mode is enabled it can monitor your device’s thermal attributes to better control its fan.
[3] Yoga devices with up to 10th Generation Intel Core i7 and the visual identifier for the Project Athena program are Lenovo Yoga S740 (14-inch) and Yoga C940 (14-inch) only. New, smarter features enabled with rolling auto-updates from Lenovo Vantage throughout the rest of the year, include, Q-Control, EyeCare (2.0) mode and Super Resolution via Windows Media Player all coming in Q4, 2019. For more info, visit https://www.intel.com/content/www/us/en/products/docs/devices-systems/laptops/laptop-innovation-program.html.
[4] All battery life claims are approximate and based on test results using the MobileMark 2014 ver 1.5 battery life benchmark test. Actual results will vary and depend on numerous factors including product configuration and usage, software, operating conditions, wireless functionality, power management settings, screen brightness and other factors. The maximum capacity of the battery will naturally decrease with time and usage. See https://bapco.com/products/mobilemark-2014/ for additional details.
[5] Cortana is accessible through the Windows 10 start menu.

How to Configure a Quorum Cloud Witness for Failover Clustering

Windows Server Failover Clusters are becoming commonplace through the industry as the high-availability solution for virtual machines (VMs) and other enterprise applications. I’ve been writing about clustering since 2007 when I joined the engineering team at Microsoft (here is one of the most referenced online articles about quorum from 2011). Even today, one of the concepts that many users continue to misunderstand is a quorum. Most admins know that is has something to do with keeping a majority of servers running, but this blog post will give more insight into why it is important to understand how it works. We will focus on the newest type of quorum configuration known as a cloud witness which was introduced in Windows Server 2016. This solution is designed to support both on-premises clusters and multi-site clusters, along with the guest clusters which can run entirely in the Microsoft Azure public cloud.

Failover Clustering Quorum Fundamentals

NOTE: This post covers quorum for Windows Server 2016 and 2019. You can also info related to quorum on an older version of Windows Server.

Outside of IT, the term “quorum” is defined in business practices as “the number of members of a group or organization required to be present to transact business legally, usually a majority” (Source: Dictionary.com). For Windows Server Failover Clustering, it means that there must be a majority of “cluster voters” online and in communication with each other for the cluster to operate. A cluster voter is either a cluster node or a disk which contains a copy of the cluster database.

The cluster database is a file which defines registry settings that identify the state of every element within the cluster, including all nodes, storage, networks, virtual machines (VMs) and applications. It also keeps track of which node should the sole owner running each application and which node can write to each disk within the cluster’s shared storage. This is so important because it prevents a “split-brain” scenario which can cause corruption in a cluster’s database. A split-brain happens when there is a network partition between two sets of clusters nodes, and they both try to run the same application and write to the same disk in an uncoordinated fashion, which can lead to disk corruption.  By designating one of these sets of cluster nodes as the authoritative servers, and forcing the secondary set to remain passive, it ensures that exactly one node runs each application and writes to each disk. The determination of which partition of clusters nodes stays online is based on which side of the partition has a majority of cluster voters, or which side has a quorum.

For this reason, you should always have an odd number of votes across your cluster, meaning 51% or more of voters.  Here is a breakdown of the behavior based on the number of voting nodes or disks:

  • 2 Votes: This configuration is never recommended because both voters must be active for the cluster to stay online. If you lose communicate between voters, the cluster stays passive and will not run any workloads until both voters (a majority) are operational and in communication with each other.
  • 3 Votes: This works fine because one voter can be lost, and the cluster will remain operational, provided that two of the three voters are healthy.
  • 4 Votes: This can only sustain the loss of one voter and three voters must be active. This is supported but requires extra hardware yet provides no additional availability benefit and a three-vote cluster.
  • 5, 7, 9 … 65 Voters: An odd number of voters are recommended to maximize availability by allowing you to lose half (rounded down) of your voters. For example, in a nine-node cluster, you can lose four voters and it will continue to operate as five voters are active.
  • 6, 8, 10 … 64 Voters: This is supported, yet you can only lose half minus one voter, so you are not maximizing your availability. In a ten-node cluster you can only four voters, so five must remain in communication with each other. This provides the same level of availability as the previous example with nine, yet requires an additional server.

Using a Disk Witness for a Quorum Vote

Based on Microsoft’s telemetry data, a majority of failover clusters around the world are deployed with two nodes, to minimize the hardware costs. Although these two nodes only provide two votes, a third vote is provided by a shared disk, known as a “disk witness”. This disk can be any dedicated drive on a shared storage configuration that is supported by the cluster and passes the Validate a Cluster tests. This disk will also contain a copy of the cluster’s database, and just like every other clustered disk, exactly one node will own access to it. It does so by creating an open file handle on that ClusDB file. In the event where there is a network partition between the two servers, then the partition that owns the disk witness will get the extra vote and run all workloads (since it has two of three votes for quorum), while the partition with a single vote will not run anything until it can communicate with the other nodes. This configuration has been supported for several releases, however, there is still a hardware cost to providing a shared storage infrastructure, which is why a cloud witness was introduced in Windows Server 2016.

Cloud Witness for a Failover Cluster

A cloud witness is designed to provide a vote to a Failover Cluster without requiring any physical hardware. It is a basically a disk running in Microsoft Azure which contains a copy of the ClusDB and is accessible by all cluster nodes. It uses Microsoft Azure Blob Storage, and a single Azure Storage Account can be used for multiple clusters, although each cluster requires it owns blob file. The cluster database file itself is very small, which means that the cost to operate this cloud-based storage is almost negligible. The configuration is fairly easy and well-documented by Microsoft in its guide to Deploy a Cloud Witness for a Failover Cluster.

You will notice that the cloud witness is fully integrated within Failover Cluster Manager’s utility, Configure Cluster Quorum Witness, where you can Configure a cloud witness.

Selecting a Cloud Witness to use in the Configure Cluster Quorum Wizard

Selecting a Cloud Witness to use in the Configure Cluster Quorum Wizard

Next, you enter the Azure storage account name, key, and service endpoint.

Entering Cloud Witness details in Configure Cluster Quorum Wizard

Entering Cloud Witness details in Configure Cluster Quorum Wizard

Now you have added an extra vote to your failover cluster with much less effort and cost than creating and managing on-premises shared storage.

Failover Clustering Cloud Witness Scenarios

To conclude this blog post we’ll summarize the ideal scenarios for using the Cloud Witness:

  • On-premises clusters with no shared storage – For any even-node clusters with no extra shared storage, then consider using a cloud witness as an odd vote to help you determine quorum. This configuration also works well with SQL Always-On clusters and Scale-Out File Server clusters which may have no shared storage.
  • Multi-site clusters – If you have a multi-site cluster for disaster recovery, you will usually have two or more nodes at each site. If these balanced sites lose connectivity with each other, you still need a cluster voter to determine which side has quorum. By placing this arbitrating vote in a third site (a cloud witness in Microsoft Azure), it can serve as a tie-breaker to determine the authoritative cluster site.
  • Azure Guest Clusters – Now that you can deploy a failover cluster entirely within Microsoft Azure using nested virtualization (also known as a “guest cluster”), you can utilize the cloud witness as an additional cluster vote. This provides you with an end-to-end high-availability solution in the cloud.

The cloud witness is a great solution provided by Microsoft to increase availability in Failover Clusters while reducing the cost to customers. It is now easy to operate a two-node cluster without having to pay for a third host or shared storage disk, whose only role is to provide a vote. Consider using the cloud witness for your cluster deployments and look for Microsoft to continue to integrate its on-premises Windows Server solutions with Microsoft Azure as the industry’s leading hybrid cloud provider.

Go to Original Article
Author: Symon Perriman

Learn to set up and use PowerShell SSH remoting

When Microsoft said PowerShell would become an open source project that would run on Windows, Linux and macOS in August 2016, there was an interesting wrinkle related to PowerShell remoting.

Microsoft said this PowerShell Core would support remoting over Secure Shell (SSH) as well as Web Services-Management (WS-MAN). You could always use the PowerShell SSH binaries, but the announcement indicated SSH support would be an integral part of PowerShell. This opened up the ability to perform remote administration of Windows and Linux systems easily using the same technologies.

A short history of PowerShell remoting

Microsoft introduced remoting in PowerShell version 2.0 in Windows 7 and Windows Server 2008 R2, which dramatically changed the landscape for Windows administrators. They could create remote desktop sessions to servers, but PowerShell remoting made it possible to manage large numbers of servers simultaneously.

Remoting in Windows PowerShell is based on WS-MAN, an open standard from the Distributed Management Task Force. But because WS-MAN-based remoting is Windows orientated, you needed to use another technology, usually SSH, to administer Linux systems.

Introducing SSH on PowerShell Core

We have grown accustomed to installing software on Windows using the wizards, but the installation of OpenSSH requires more background information and more work from the administrator.

SSH is a protocol for managing systems over a possibly unsecured network. SSH works in a client-server mode and is the de facto standard for remote administration in Linux environments.

PowerShell Core uses OpenSSH, a fork from SSH 1.2.12 which was released under an open source license. OpenSSH is probably the most popular SSH implementation.

The code required to use WS-MAN remoting is installed as part of the Windows operating system. You need to install OpenSSH manually.

Installing OpenSSH

We have grown accustomed to installing software on Windows using the wizards, but the installation of OpenSSH requires more background information and more work from the administrator. Without some manual intervention, many issues can arise.

The installation process for OpenSSH on Windows has improved over time, but it’s still not as easy as it should be. Working with the configuration file leaves a lot to be desired.

There are two options when installing PowerShell SSH:

  1. On Windows 10 1809, Windows Server 1809, Windows Server 2019 and later, OpenSSH is available as an optional feature.
  2. On earlier versions of Windows, you can download and install OpenSSH from GitHub.

Be sure your system has the latest patches before installing OpenSSH.

Installing the OpenSSH optional feature

You can install the OpenSSH optional feature using PowerShell. First, check your system with the following command:

Get-WindowsCapability -Online | where Name -like '*SSH*'
OpenSSH components
Figure 1. Find the OpenSSH components in your system.

Figure 1 shows the OpenSSH client software is preinstalled.

You’ll need to use Windows PowerShell for the installation unless you download the WindowsCompatibility module for PowerShell Core. Then you can import the Deployment Image Servicing and Management module from Windows PowerShell and run the commands in PowerShell Core.

Install the server feature:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~
Path :
Online : True
RestartNeeded : False

The SSH files install in the C:WindowsSystem32OpenSSH folder.

Download OpenSSH from GitHub

Start by downloading the latest version from GitHub. The latest version of the installation instructions are at this link.

After the download completes, extract the zip file into the C:Program FilesOpenSSH folder. Change location to C:Program FilesOpenSSH to install the SSH services:

[SC] SetServiceObjectSecurity SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS

Configuring OpenSSH

After OpenSSH installs, perform some additional configuration steps.

Ensure that the OpenSSH folder is included on the system path environment variable:

  • C:WindowsSystem32OpenSSH if installed as the Windows optional feature
  • C:Program FilesOpenSSH if installed via the OpenSSH download

Set the two services to start automatically:

Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic

If you installed OpenSSH with the optional feature, then Windows creates a new firewall rule to allow inbound access of SSH over port 22. If you installed OpenSSH from the download, then create the firewall rule with this command:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' `
-Enabled True -Direction Inbound -Protocol TCP `
-Action Allow -LocalPort 22

Start the sshd service to generate the SSH keys:

Start-Service sshd

The SSH keys and configuration file reside in C:ProgramDatassh, which is a hidden folder. The default shell used by SSH is the Windows command shell. This needs to change to PowerShell:

New-ItemProperty -Path "HKLM:SOFTWAREOpenSSH" -Name DefaultShell `
-Value "C:Program FilesPowerShell6pwsh.exe" -PropertyType String -Force

Now, when you connect to the system over SSH, PowerShell Core will start and will be the default shell. You can also make the default shell Windows PowerShell if desired.

There’s a bug in OpenSSH on Windows. It doesn’t work with paths with a space, such as the path to the PowerShell Core executable! The workaround is to create a symbolic link that creates a path that OpenSSH can use:

New-Item -ItemType SymbolicLink -Path C:pwsh -Target 'C:Program FilesPowerShell6'

In the sshd_config file, un-comment the following lines:

PubkeyAuthentication yes
PasswordAuthentication yes

Add this line before other subsystem lines:

Subsystem  powershell C:pwshpwsh.exe -sshs -NoLogo -NoProfile

This tells OpenSSH to run PowerShell Core.

Comment out the line:

AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

After saving the changes to the sshd_config file, restart the services:

Restart-Service sshd
Start-Service ssh-agent

You need to restart the sshd service after any change to the config file.

Using PowerShell SSH remoting

Using remoting over SSH is very similar to remoting over WS-MAN. You can access the remote system directly with Invoke-Command:

Invoke-Command -HostName W19DC01 -ScriptBlock {Get-Process}
[email protected]@w19dc01's password:

You’ll get a prompt for the password, which won’t be displayed as you type it.

If it’s the first time you’ve connected to the remote system over SSH, then you’ll see a message similar to this:

The authenticity of host 'servername (' can't be established.
ECDSA key fingerprint is SHA256:().
Are you sure you want to continue connecting (yes/no)?

Type yes and press Enter.

You can create a remoting session:

$sshs = New-PSSession -HostName W19FS01
[email protected]@w19fs01's password:

And then use it:

Invoke-Command -Session $sshs -ScriptBlock {$env:COMPUTERNAME}

You can enter an OpenSSH remoting session using Enter-PSSession in the same way as a WS-MAN session. You can enter an existing session or use the HostName parameter on Enter-PSSession to create the interactive session.

You can’t disconnect an SSH based session; that’s a WS-MAN technique.

You can use WS-MAN and SSH sessions to manage multiple computers as shown in Figure 2.

The session information shows the different transport mechanism — WS-MAN and SSH, respectively — and the endpoint in use by each session.

Remote management sessions
Figure 2. Use WS-MAN and SSH sessions together to manage remote machines.

If you look closely at Figure 2, you’ll notice there was no prompt for the password on the SSH session because the system was set up with SSH key-based authentication.

Using SSH key-based authentication

Open an elevated PowerShell session. Change the location to the .ssh folder in your user area:

Set-Location -Path ~.ssh

Generate the key pair:

ssh-keygen -t ed25519

Add the key file into the SSH-agent on the local machine:

ssh-add id_ed25519

Once you’ve added the private key into SSH-agent, back up the private key to a safe location and delete the key from the local machine.

Copy the id_ed25519.pub file into the .ssh folder for the matching user account on the remote server. You can create such an account if required:

$pwd = Read-Host -Prompt 'Password' -AsSecureString
Password: ********
New-LocalUser -Name Richard -Password $pwd -PasswordNeverExpires
Add-LocalGroupMember -Group Administrators -Member Richard

On the remote machine, copy the contents of the key file into the authorized_keys file:

scp id_ed25519.pub authorized_keys

The authorized_keys file needs its permissions changed:

  • Open File Explorer, right click authorized_keys and navigate to Properties – Security – Advanced
  • Click Disable Inheritance.
  • Select Convert inherited permissions into explicit permissions on this object.
  • Remove all permissions except for SYSTEM and your user account. Both should have Full control.

Introduction to SSH with PowerShell Core.

You’ll see references to using the OpenSSHUtils module to set the permissions, but there’s a bug in the version from the PowerShell Gallery that makes the authorized_keys file unusable.

Restart the sshd service on the remote machine.

You can now connect to the remote machine without using a password as shown in Figure 2.

If you’re connecting to a non-domain machine from a machine in the domain, then you need to use the UserName parameter after enabling key-pair authentication:

$ss = New-PSSession -HostName W19ND01 -UserName Richard

You need the username on the remote machine to match your domain username. You won’t be prompted for a password.

WS-MAN or SSH remoting?

Should you use WS-MAN or SSH based remoting? WS-MAN remoting is available on all Windows systems and is enabled by default on Windows Server 2012 and later server versions. WS-MAN remoting has some issues, notably the double hop issue. WS-MAN also needs extra work to remote to non-domain systems.

SSH remoting is only available in PowerShell Core; Windows PowerShell is restricted to WS-MAN remoting. It takes a significant amount of work to install and configure SSH remoting. The documentation isn’t as good as it needs to be. The advantages of SSH remoting are that you can easily access non-domain machines and non-Windows systems where SSH is the standard for remote access.

Go to Original Article