How to Set Up File and Storage Services on Windows Server 2022

How to Set Up and Use Windows Admin Center on Windows Server 2022

Windows Admin Center (WAC) is Microsoft’s browser-based management platform for Windows Server, Windows 10/11, failover clusters, and Azure hybrid services. It replaces many of the fragmented MMC snap-ins — Server Manager, Disk Management, Device Manager, Services, Task Manager — with a unified web application that runs entirely on-premises without requiring an internet connection. WAC is free, ships separately from Windows Server, and integrates deeply with Azure Arc for hybrid management scenarios. This guide covers downloading and installing WAC, configuring it for production use, connecting and managing servers, and troubleshooting connectivity problems.

Downloading Windows Admin Center

WAC is not included in the Windows Server 2022 ISO. Download the installer from the Microsoft Evaluation Center or the official Windows Admin Center download page at aka.ms/WindowsAdminCenter. The installer is a single .msi file, typically around 60–80 MB. Always download the latest version, as Microsoft releases updates frequently with new features and security fixes. As of early 2026, WAC 2311 is the current stable release. Check the release notes at docs.microsoft.com/windows-server/manage/windows-admin-center/overview before installing.

Deployment Modes: Desktop Mode vs. Gateway Mode

Desktop mode: WAC installs as a local application on a Windows 10/11 or Windows Server with Desktop Experience workstation. It creates a local HTTPS listener on a random high port (default 6516) and can only be accessed from that same machine. This is suitable for individual administrators who manage a few servers from their own workstation. No additional network configuration is needed.

Gateway mode: WAC installs on a dedicated Windows Server (usually Server 2022) and creates an HTTPS listener — typically on port 443 — that any browser on the network can reach. All management traffic passes through the gateway; the gateway connects to managed servers using WinRM (port 5985/5986) and other management protocols. Gateway mode is the correct choice for team environments and production deployments.

Microsoft recommends NOT installing WAC on a domain controller. Use a dedicated member server or management workstation as the gateway.

Installing Windows Admin Center

Run the installer on the server that will act as the WAC gateway. Launch the .msi with elevated privileges:

msiexec /i WindowsAdminCenter.msi /qn /L*v C:LogsWAC-Install.log SME_PORT=443 SSL_CERTIFICATE_OPTION=generate

The key parameters are:

SME_PORT=443 — Sets the HTTPS listening port. Port 443 requires administrator privileges and means you do not need to type a port number in the browser URL.

SSL_CERTIFICATE_OPTION=generate — Instructs the installer to create a self-signed certificate. For production, use SSL_CERTIFICATE_OPTION=installed and provide a thumbprint with SME_THUMBPRINT=<thumbprint>.

For an interactive installation, simply double-click the .msi file and follow the wizard. The wizard will ask for the port number and certificate option.

After installation, the Windows Admin Center service (ServerManagementGateway) starts automatically. Verify it:

Get-Service ServerManagementGateway | Select-Object Status, StartType, DisplayName

Accessing the WAC Interface

Open a modern browser (Edge or Chrome — Internet Explorer is not supported) and navigate to the gateway server’s address:

https://wac-gateway.corp.example.com

If you used a self-signed certificate, the browser will show a certificate warning. You can dismiss it for initial testing, but for production you should install a certificate from your internal CA or a public CA. On first access, WAC prompts for credentials. Use a domain account that has local administrator rights on the servers you intend to manage.

Configuring a Trusted Certificate for WAC

Replace the self-signed certificate with one from your internal Certificate Authority (CA). First, request and obtain the certificate and export it to a PFX file with the private key. Then reconfigure WAC to use it:

# Import the certificate into the local machine store
Import-PfxCertificate `
    -FilePath "C:Certswac-gateway.pfx" `
    -CertStoreLocation Cert:LocalMachineMy `
    -Password (Read-Host -AsSecureString "PFX Password")

# Get the thumbprint of the imported certificate
Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -match "wac-gateway"} |
    Select-Object Thumbprint, Subject, NotAfter

# Reinstall WAC with the new certificate thumbprint
msiexec /i WindowsAdminCenter.msi /qn ^
    SME_PORT=443 ^
    SSL_CERTIFICATE_OPTION=installed ^
    SME_THUMBPRINT=A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2

Adding and Connecting Servers

After logging in to WAC, the home screen shows a list of managed connections. Click “Add” to add servers, clusters, or Windows PCs. You can add servers one by one by typing their names, import a list from a text file (one hostname per line), or import from Active Directory.

For WAC to connect to managed servers, the following must be true:

1. WinRM must be enabled on the target server (Enable-PSRemoting -Force).

2. The WAC gateway’s computer account (or the user credential used to manage the server) must be a local administrator on the target server.

3. The firewall on the target server must allow WinRM inbound (TCP 5985 for HTTP, TCP 5986 for HTTPS).

# On the managed server: enable WinRM
Enable-PSRemoting -Force

# Verify WinRM is listening
netstat -an | findstr :5985

# Confirm the WAC gateway can reach the managed server
Test-NetConnection -ComputerName managed-server01 -Port 5985

Managing Services, Processes, and Storage

Once connected to a server in WAC, the left navigation pane shows all available management tools. Click “Services” to view, start, stop, pause, and configure services — equivalent to services.msc but without opening a separate snap-in. The “Processes” tool shows running processes with CPU, memory, and PID, equivalent to Task Manager’s Details tab. You can end processes directly from the browser.

The “Storage” tool shows physical disks, volumes, and storage spaces. You can initialize disks, create volumes, extend volumes, and configure Storage Spaces directly through WAC without touching Disk Management (diskmgmt.msc).

The “Registry” tool provides a browsable registry editor. The “Scheduled Tasks” tool shows all tasks on the server. The “Certificates” tool shows the local certificate store. All of these tools work identically for servers in the Server Core configuration, which is one of WAC’s primary value propositions — it provides GUI-equivalent management for headless servers.

Running PowerShell Sessions from WAC

WAC includes a built-in PowerShell terminal that establishes a remote PowerShell session to the connected server. Click the “PowerShell” tool in the left pane to open a browser-based terminal. Commands you run execute on the remote server via WinRM, exactly like Enter-PSSession.

This is particularly useful for Server Core management: you can open a PowerShell session to any Core server from WAC without RDP and without needing to configure RSAT on a separate management workstation. The session persists as long as the browser tab is open.

Installing WAC Extensions

WAC supports a first-party and third-party extension ecosystem. Extensions add new management tools — Dell OpenManage, HPE, Lenovo XClarity, Fujitsu ServerView — or extend existing tools. To manage extensions, click the Settings gear icon (top right) and select Extensions.

# Install an extension via PowerShell on the gateway server
# Extensions are installed through the WAC UI, but you can manage the feeds via PowerShell

# View current WAC settings and gateway status
$url = "https://localhost/api/manifest"
Invoke-RestMethod -Uri $url -UseDefaultCredentials

Microsoft regularly publishes updates to extensions through the WAC extension feed. In the Extensions panel, the “Installed” tab shows current extensions with their version numbers, and “Available” shows extensions you can add. The “Updates” tab flags extensions that have newer versions available.

WAC with Azure Hybrid Services

WAC integrates with Azure services through the “Azure hybrid services” tool in the left pane. From here you can register the gateway with Azure Arc, enable Azure Backup, configure Azure Monitor, set up Azure Update Management, and connect to Azure Security Center. These integrations require an Azure subscription and registering the WAC gateway with Azure Active Directory.

# Register the WAC gateway with Azure from PowerShell (alternative to GUI)
# First, sign in with an Azure account that has Contributor rights
Connect-AzAccount

# Get your subscription and tenant IDs
Get-AzSubscription | Select-Object Name, Id, TenantId

Updating Windows Admin Center

WAC updates are released as new full MSI installers, not as Windows Update patches. WAC will notify you in the interface when a new version is available (Settings → Extensions → Windows Admin Center platform). To update, download the new MSI and run it over the existing installation — it detects the previous installation and upgrades in place while preserving your connection list and settings.

# Check the current WAC version
Get-ItemProperty "HKLM:SOFTWAREMicrosoftServerManagementGateway" |
    Select-Object InstallVersion, InstallDate, InstallLocation

Troubleshooting WAC Connectivity

The most common issue is “Can’t connect to this server” when trying to manage a remote server. Work through this checklist:

# 1. Confirm WinRM is running on the TARGET server
Invoke-Command -ComputerName managed-server01 -ScriptBlock {Get-Service WinRM}

# 2. Test network connectivity from the WAC GATEWAY to the managed server
Test-NetConnection -ComputerName managed-server01 -Port 5985

# 3. Check that the firewall rule on the managed server allows WinRM
Invoke-Command -ComputerName managed-server01 -ScriptBlock {
    Get-NetFirewallRule -Name "WINRM-HTTP-In-TCP" | Select-Object Enabled, Action
}

# 4. Check the WAC gateway service logs
Get-EventLog -LogName Application -Source "Microsoft.ServerManagementExperience*" -Newest 20

# 5. Restart the WAC gateway service after configuration changes
Restart-Service ServerManagementGateway

# 6. Verify the certificate binding on the WAC gateway port
netsh http show sslcert ipport=0.0.0.0:443

If WAC shows “CredSSP not enabled” errors, you may need to configure CredSSP delegation for double-hop scenarios (for example, managing Hyper-V hosts where WAC needs to authenticate to storage using the logged-in user’s credentials). Enable CredSSP from the WAC Settings page, or configure it via Group Policy: Computer Configuration → Administrative Templates → System → Credentials Delegation → Allow delegating fresh credentials.

If the browser shows a blank page or a gateway error after upgrading, clear the browser cache and cookies for the WAC hostname, then try in a private browsing session. If the issue persists, check the Windows Event Log on the gateway server in Applications and Services Logs → Microsoft → ServerManagementExperience for detailed error codes.