How to Set Up Windows Admin Center on Windows Server 2019
Windows Admin Center (WAC) is a modern, browser-based management tool from Microsoft that provides a unified interface for managing Windows Server 2019, Windows 10/11, Hyper-V clusters, and Azure hybrid services. It replaces many traditional MMC snap-ins and Server Manager consoles with a responsive web application that works from any modern browser without requiring additional client software. WAC includes tools for server management, performance monitoring, storage management, networking, virtual machine management, and Azure integration.
WAC Deployment Modes
Windows Admin Center can be deployed in three configurations. Desktop mode installs on a Windows 10/11 workstation and runs as a local application on port 6516 — ideal for individual administrator use. Gateway mode installs on a Windows Server and serves WAC to multiple administrators via a web browser — the recommended enterprise deployment. Integrated mode installs on each managed Windows Server and is accessed via the Server Manager interface. This guide focuses on the Gateway mode deployment on Windows Server 2019.
Prerequisites
WAC Gateway Server requirements: Windows Server 2019, 2016, or 2022 (Server Core or Desktop Experience), minimum 4 GB RAM, a valid SSL certificate for HTTPS access, and WinRM enabled on managed servers. WAC requires a modern browser: Microsoft Edge, Google Chrome, or Mozilla Firefox. Internet Explorer is not supported.
# Prepare the WAC Gateway server
# Install prerequisites
Install-WindowsFeature -Name NET-Framework-45-Features
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
# Enable WinRM for remote management
Enable-PSRemoting -Force
Set-Item WSMan:localhostClientTrustedHosts -Value "*" -Force
# Ensure the machine has a valid certificate for HTTPS
# Check existing certificates
Get-ChildItem Cert:LocalMachineMy | Select-Object Subject, Thumbprint, NotAfterDownloading and Installing Windows Admin Center
# Download Windows Admin Center MSI
# Download URL: https://aka.ms/WACDownload
# Or use PowerShell to download:
$WACUrl = "https://aka.ms/WACDownload"
Invoke-WebRequest -Uri $WACUrl -OutFile "C:TempWindowsAdminCenter.msi"
# Install Windows Admin Center in gateway mode with a self-signed certificate
# For production, use the -SslCertificateThumbprint parameter
msiexec.exe /i "C:TempWindowsAdminCenter.msi" /qn /L*v "C:TempWAC-Install.log" `
SME_PORT=443 `
SSL_CERTIFICATE_OPTION=generate
# Install with an existing certificate thumbprint
$cert = Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -like "*wac.corp.example.com*"}
msiexec.exe /i "C:TempWindowsAdminCenter.msi" /qn /L*v "C:TempWAC-Install.log" `
SME_PORT=443 `
SME_THUMBPRINT=$($cert.Thumbprint) `
SSL_CERTIFICATE_OPTION=installed
# Verify WAC service is running
Get-Service ServerManagementGatewayAccessing Windows Admin Center
After installation, open a supported browser and navigate to the WAC URL. Add the WAC gateway server to the trusted sites zone in Internet Explorer or Edge for seamless Windows Authentication:
# The WAC URL format:
# https://wac.corp.example.com (if using a domain name)
# https://192.168.1.50 (if using IP address with self-signed cert)
# On the WAC server, check the configured port and certificate
Get-ItemProperty -Path "HKLM:SOFTWAREMicrosoftServerManagementGateway" | `
Select-Object Port, SslCertificateThumbprint, UpdateMode
# View WAC service status and logs
Get-Service ServerManagementGateway
Get-WinEvent -LogName "Microsoft-ServerManagementExperience" -MaxEvents 20Adding Servers to Windows Admin Center
Once logged in to the WAC web interface, add servers for management. WAC discovers servers via Active Directory, manual IP/FQDN entry, or bulk import from a CSV file:
# WAC server connections can also be managed via API or pre-populated
# Create a connections.json file for bulk import to WAC
$connections = @(
@{id="wac.corp.example.com"; type="msft.sme.connection-type.server"; name="WAC-Server"},
@{id="dc01.corp.example.com"; type="msft.sme.connection-type.server"; name="DC01"},
@{id="web01.corp.example.com"; type="msft.sme.connection-type.server"; name="WEB01"},
@{id="fs01.corp.example.com"; type="msft.sme.connection-type.server"; name="FS01"}
) | ConvertTo-Json
$connections | Out-File "C:Tempwac-connections.json"
# Import via WAC's import connections feature in the GUI
# Settings > Server Connections > Import connectionsConfiguring RBAC (Role-Based Access Control)
WAC uses Windows authentication and role-based access control to determine which tools and actions each user can perform. Configure access control through local groups or domain groups:
# WAC Gateway users: can access the gateway and manage servers
# WAC Gateway Administrators: can manage the gateway itself
# The local groups on the WAC gateway server control access:
# "Windows Admin Center Administrators" - full gateway access
# "Windows Admin Center Users" - standard user access
# View current membership
Get-LocalGroupMember -Group "Users"
# Add a domain group to WAC Users
Add-LocalGroupMember -Group "Users" -Member "CORPIT-Helpdesk"
# For just-enough-administration (JEA) on managed servers,
# configure the WAC endpoint role on each managed server:
# WAC uses the "SMEGateway" JEA endpoint
# View JEA endpoints on a managed server
Get-PSSessionConfiguration | Where-Object {$_.Name -like "*sme*"}Configuring Trusted Hosts for WinRM
WAC uses PowerShell remoting (WinRM) to communicate with managed servers. In workgroup environments or cross-domain scenarios, configure trusted hosts:
# On the WAC gateway server, add managed servers to trusted hosts
Set-Item WSMan:localhostClientTrustedHosts -Value "server01,server02,192.168.1.*" -Force
# Or add all hosts (use only in trusted internal networks)
Set-Item WSMan:localhostClientTrustedHosts -Value "*" -Force
# Verify trusted hosts configuration
Get-Item WSMan:localhostClientTrustedHosts
# Test WinRM connectivity to a managed server
Test-WSMan -ComputerName "web01.corp.example.com" -Credential (Get-Credential)Installing WAC Extensions
WAC supports extensions that add functionality for specific roles and vendors. Microsoft ships extensions for Azure, DNS, DHCP, Active Directory, and third-party vendors provide extensions for their products:
# WAC extensions are managed through the WAC interface:
# Settings > Extensions > Available Extensions
# To allow WAC to download extensions, ensure the gateway server has internet access
# Or configure an offline feed for air-gapped environments:
# Settings > Extensions > Feeds > Add feed (NuGet feed URL or local path)
# Check WAC extension directory
Get-ChildItem "C:Program FilesWindows Admin Centernode_modules@msft-sme" | `
Select-Object Name, LastWriteTime
# View WAC logs for extension errors
Get-Content "C:ProgramDataServer Management ExperienceLogssme.log" | Select-Object -Last 50Configuring Azure Integration
WAC integrates with Azure services to provide hybrid management capabilities including Azure Arc, Azure Backup, Azure Site Recovery, and Azure Monitor:
# Register WAC with Azure (done in the WAC Settings > Azure > Register)
# This requires an Azure subscription and appropriate permissions
# After registration, WAC can:
# - Enable Azure Arc for managed servers
# - Connect to Azure Backup for cloud backup
# - Set up Azure Monitor for centralized monitoring
# - Deploy Azure File Sync for hybrid file sharing
# Pre-requisite: Ensure the WAC server can reach Azure endpoints
Test-NetConnection -ComputerName "management.azure.com" -Port 443
Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443Monitoring and Troubleshooting WAC
# Check WAC gateway service logs
$logPath = "C:ProgramDataServer Management ExperienceLogs"
Get-ChildItem $logPath | Sort-Object LastWriteTime -Descending
# View real-time gateway log
Get-Content "$logPathsme.log" -Tail 50 -Wait
# Check WAC gateway event log
Get-WinEvent -LogName "Microsoft-ServerManagementExperience" | `
Select-Object TimeCreated, LevelDisplayName, Message | Select-Object -First 30
# Restart WAC gateway service if unresponsive
Restart-Service ServerManagementGateway
# Check if port 443 is listening
netstat -an | findstr ":443"
# Test WAC accessibility
Test-NetConnection -ComputerName "wac.corp.example.com" -Port 443Updating Windows Admin Center
# Check current WAC version
$WACReg = Get-ItemProperty -Path "HKLM:SOFTWAREMicrosoftServerManagementGateway"
$WACReg.ProductVersion
# Or check in WAC: Settings > About
# Download the latest MSI and run the installer to update
# The installer detects an existing installation and upgrades it
msiexec.exe /i "C:TempWindowsAdminCenter-Latest.msi" /qn /L*v "C:TempWAC-Upgrade.log" `
SME_PORT=443 `
SME_THUMBPRINT=$($cert.Thumbprint) `
SSL_CERTIFICATE_OPTION=installed
# Verify service starts after update
Get-Service ServerManagementGatewayWindows Admin Center represents Microsoft’s vision for the future of Windows Server management. Its extension model allows it to grow and incorporate new functionality without requiring a new server management product. Use it as your primary management interface to reduce reliance on RDP sessions, leverage its built-in performance monitoring and event viewer, and take advantage of the Azure integration features to build a true hybrid infrastructure management solution. Keep WAC updated as Microsoft releases frequent improvements and new features to this actively developed platform.
