How to Set Up and Use Windows Admin Center on Windows Server 2025
Windows Admin Center (WAC) is Microsoft’s browser-based management platform for Windows Server, designed to replace the fragmented collection of individual MMC snap-ins and remote tools that administrators have historically juggled. On Windows Server 2025, WAC is the recommended central management interface for server fleets, Hyper-V clusters, Azure Arc-enabled resources, and even Windows PCs. It delivers a unified web UI — accessible over HTTPS from any modern browser — through which you can monitor performance, manage storage, configure firewall rules, browse event logs, open a PowerShell session, and connect via Remote Desktop, all without installing RSAT or navigating multiple disconnected tools. This tutorial covers downloading, installing, and using Windows Admin Center in Gateway mode on Windows Server 2025.
Prerequisites
- Windows Server 2025 server to host the WAC Gateway service (separate from the servers you will manage — this is best practice)
- Alternatively: install WAC locally on a Windows 11 workstation for single-machine management
- Administrator account on the Gateway server
- Outbound HTTPS access for downloading the WAC installer (or download on a separate machine and transfer)
- A valid SSL certificate or willingness to use a self-signed certificate for the WAC HTTPS endpoint
- WinRM enabled on all managed servers (enabled by default on domain-joined Windows Server 2025)
Step 1: Download Windows Admin Center
Download the latest Windows Admin Center installer from the official Microsoft download page. On the Gateway server, use PowerShell:
# Download the latest Windows Admin Center MSI
$url = "https://aka.ms/WACDownload"
$dest = "C:SetupWindowsAdminCenter.msi"
New-Item -ItemType Directory -Path "C:Setup" -Force
Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing
# Verify the download completed
Get-Item $dest | Select-Object Name, Length, LastWriteTime
Alternatively, visit https://aka.ms/WACDownload in a browser and download the MSI manually. As of Windows Server 2025 GA, Windows Admin Center 2410 or later is the recommended version — check the Microsoft documentation for the current release.
Step 2: Install Windows Admin Center as a Gateway Service
Gateway mode runs WAC as a Windows service accessible over the network — multiple administrators can connect simultaneously from their browsers. This is the production-recommended deployment mode.
# Silent install on port 443 (HTTPS) with a self-signed certificate
msiexec /i C:SetupWindowsAdminCenter.msi `
/qn `
/L*v C:Setupwac-install.log `
SME_PORT=443 `
SSL_CERTIFICATE_OPTION=generate
# Verify the service started
Get-Service -Name "ServerManagementGateway" | Select-Object Status, DisplayName, StartType
If you have a CA-issued certificate in the local machine certificate store, specify it by thumbprint instead:
# Find the thumbprint of your certificate
Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -like "*wac.contoso.local*"} |
Select-Object Subject, Thumbprint, NotAfter
# Install WAC using the existing certificate
msiexec /i C:SetupWindowsAdminCenter.msi `
/qn `
SME_PORT=443 `
SME_THUMBPRINT="ABC123DEF456..." `
SSL_CERTIFICATE_OPTION=installed
The installer configures a Windows service, creates HTTPS bindings, and sets up the WinRM listener. The install typically completes in 2–5 minutes.
Step 3: Access the Windows Admin Center Web Interface
Open a modern browser (Microsoft Edge or Google Chrome) and navigate to:
https://<GatewayServerName>
If using a self-signed certificate, your browser will show a certificate warning. Proceed past it for lab environments, or install the self-signed cert in your browser’s Trusted Root store. For production, always use a CA-issued certificate.
On first launch, WAC presents an All Connections dashboard. You will be authenticated using your Windows credentials (Kerberos or NTLM) automatically if accessing from a domain-joined machine.
Step 4: Add Servers to Windows Admin Center
From the All Connections screen, click + Add and choose the connection type:
- Windows Server — Add by hostname, FQDN, or IP address
- Windows PC — Manage a workstation
- Failover Cluster — Manage a Windows Server Failover Cluster
- Azure Stack HCI — Manage hyper-converged infrastructure
You can also add servers in bulk via PowerShell by importing from Active Directory:
# Import servers from an AD OU and register them with WAC via its REST API
# (WAC also supports CSV import from the GUI: Settings > Connections > Import)
$servers = Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=contoso,DC=local" |
Select-Object -ExpandProperty DNSHostName
# Export to CSV for WAC bulk import
$servers | ForEach-Object {[PSCustomObject]@{name=$_; type="msft.sme.connection-type.server"; tags=""}} |
Export-Csv -Path C:Setupwac-servers.csv -NoTypeInformation
Step 5: Key Tools Available in Windows Admin Center
Once connected to a server, the left-hand navigation panel exposes all management tools. The most important ones for daily administration:
Overview and Performance Monitor
The Overview panel shows real-time CPU, memory, disk, and network utilization. Click Performance Monitor to view historical graphs and customize counters — equivalent to perfmon.exe but browser-accessible from anywhere.
Storage
The Storage tool provides a visual interface for managing disks, volumes, file shares, and Storage Spaces. You can bring disks online, format volumes, create shares, and manage iSCSI targets without PowerShell.
Roles and Features
Add or remove Windows Server roles and features through the browser — equivalent to Install-WindowsFeature but with a GUI. This works for both Desktop Experience and Server Core managed servers.
Firewall
The Firewall tool lists all firewall rules with their status, direction, and port details. You can enable, disable, and add rules directly from the browser.
Certificates
Browse and manage the local certificate stores (Personal, Trusted Root, etc.) for any managed server. Useful for auditing certificate expiry dates without RDP.
PowerShell
The PowerShell tool opens an interactive PowerShell session in the browser — a full WinRM-backed session. This is especially powerful for Server Core machines where RDP is not available:
# Example: from within the WAC PowerShell tool connected to a Server Core machine
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}
Get-Service | Where-Object {$_.Status -eq "Stopped" -and $_.StartType -eq "Automatic"}
Remote Desktop
The Remote Desktop tool embeds an RDP session directly in the browser tab — no RDP client required on the management workstation. This uses the HTML5 RDP gateway built into WAC.
Events
Browse and filter Windows Event Logs directly from the browser, including the Security, System, and Application logs.
Step 6: Configure the HTTPS Certificate Properly
For production use, replace the self-signed certificate with one issued by your internal CA or a public CA. After installation:
# Find the WAC self-signed cert thumbprint currently in use
Get-Item Cert:LocalMachineMy | Where-Object {$_.Subject -like "*Windows Admin Center*"}
# Import a new certificate from a PFX file
Import-PfxCertificate `
-FilePath "C:Certswac.contoso.local.pfx" `
-CertStoreLocation Cert:LocalMachineMy `
-Password (ConvertTo-SecureString -String "PfxPassword" -AsPlainText -Force)
# Update WAC to use the new certificate by modifying the registry
$newThumbprint = "NEWCERT_THUMBPRINT_HERE"
Set-ItemProperty `
-Path "HKLM:SOFTWAREMicrosoftServerManagementGateway" `
-Name "SslCertificateThumbprint" `
-Value $newThumbprint
# Restart the WAC service to apply
Restart-Service -Name "ServerManagementGateway"
Step 7: Manage WAC Extensions
Windows Admin Center supports a marketplace of first-party and third-party extensions. Access the extension manager from Settings > Extensions within the WAC web interface. Available extensions include:
- Azure Arc — Onboard and manage Azure Arc-enabled servers
- Azure Backup — Configure and monitor Azure Backup from WAC
- Azure Site Recovery — Set up DR replication
- Storage Migration Service — Migrate file server data
- Lenovo XClarity / HPE iLO / Dell OpenManage — Vendor-specific hardware management
# Via PowerShell: list installed WAC extensions
# WAC extensions are managed in %ProgramFiles%Windows Admin CenterServernode_modules
# Or use the WAC REST API to query installed packages:
Invoke-RestMethod `
-Uri "https://localhost/api/extensions" `
-UseDefaultCredentials
Step 8: Secure the WAC Gateway
Limit access to the WAC Gateway using Windows Firewall and local group configuration:
# Restrict WAC port 443 to management subnet only
New-NetFirewallRule `
-DisplayName "Allow WAC from Management Network" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-RemoteAddress "10.10.0.0/24" `
-Action Allow
# Optionally block all other inbound to 443 on this server
New-NetFirewallRule `
-DisplayName "Block WAC from Untrusted" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Block `
-Priority 2000
Also configure which AD groups can access WAC under Settings > Access in the WAC web interface, restricting the Gateway Administrator role to your server administration group.
Conclusion
Windows Admin Center transforms server management by consolidating dozens of previously disconnected tools — perfmon, eventvwr, diskmgmt, certmgr, firewall, Server Manager — into a single browser-accessible interface backed by the reliability of WinRM and PowerShell. On Windows Server 2025, WAC is the recommended starting point for managing both Desktop Experience and Server Core deployments, and its extension ecosystem connects it to Azure services and vendor-specific hardware tools. Deploy it in Gateway mode on a dedicated management server, protect it with a valid certificate and subnet-restricted firewall rules, and your entire server fleet becomes manageable from any browser without direct RDP access.
