Windows Admin Center Setup Guide for Windows Server 2022
Introduction
Windows Admin Center (WAC) is a locally deployed, browser-based management tool that provides a modern, simplified, and integrated experience for managing Windows servers, clusters, and PCs. This guide covers the complete installation, configuration, and usage of Windows Admin Center with Windows Server 2022.
Prerequisites
- Windows Server 2022 or Windows 10/11 (for gateway installation)
- Supported web browser (Edge, Chrome, Firefox, Safari)
- Network connectivity to managed servers
- Administrator privileges
- .NET Framework 4.6.2 or later
1. Planning Your Deployment
Deployment Modes
Gateway Mode (Recommended for Production)
- Installed on a dedicated Windows Server
- Accessible by multiple administrators
- Best for managing multiple servers
Desktop Mode
- Installed on Windows 10/11
- Single-user access
- Best for individual administrators
Server Mode
- Installed directly on managed server
- Not recommended for production
- Useful for isolated environments
System Requirements
# Check system requirements
Get-ComputerInfo | Select-Object @{Name='OS';Expression={$_.OsName}},
    @{Name='Version';Expression={$_.OsVersion}},
    @{Name='Architecture';Expression={$_.OsArchitecture}},
    @{Name='RAM (GB)';Expression={[math]::Round($_.CsTotalPhysicalMemory/1GB,2)}}
# Check .NET Framework version
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\" | Select-Object Release, Version
2. Installation
Download Windows Admin Center
# Download latest version
$downloadUrl = "https://aka.ms/WindowsAdminCenter"
$installerPath = "C:\Downloads\WindowsAdminCenter.msi"
# Create download directory
New-Item -Path "C:\Downloads" -ItemType Directory -Force
# Download installer
Invoke-WebRequest -Uri $downloadUrl -OutFile $installerPath -UseBasicParsing
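The installer is fetched through a redirecting short link and then run silently with administrative rights, so check its Authenticode signature before calling msiexec. This is an added example, not part of the original guide; the function name `Test-InstallerSignature` and the expected publisher string are assumptions.

```powershell
# Added example: refuse to install a file whose Authenticode signature is
# missing, invalid, or issued to an unexpected publisher.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: publisher name expected in the signer certificate subject.
        [string]$ExpectedPublisher = 'Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Status is 'Valid' only if the file hash matches the signature and the
    # signer certificate chains to a trusted root on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed ($($sig.Status)): $($sig.StatusMessage)"
    }

    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch "CN=$([regex]::Escape($ExpectedPublisher))(,|$)") {
        throw "Unexpected signer: $subject"
    }

    # Return the hash so the exact file that was installed can be identified later.
    [PSCustomObject]@{
        Path       = $Path
        Signer     = $subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$installerPath = "C:\Downloads\WindowsAdminCenter.msi"
Test-InstallerSignature -Path $installerPath | Format-List
```

If the short link returns something other than the signed installer (an HTML page saved with an .msi extension, for instance), the function throws and the installation steps that follow should not be run.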
Install via PowerShell
# Install Windows Admin Center (Gateway Mode)
msiexec /i $installerPath /qn /L*v "C:\Downloads\WAC_Install.log" SME_PORT=443 SSL_CERTIFICATE_OPTION=generate
# Custom installation with specific certificate
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Subject -like "*admin.contoso.com*"}
msiexec /i $installerPath /qn SME_PORT=443 SME_THUMBPRINT=$($cert.Thumbprint) SSL_CERTIFICATE_OPTION=installed
Install via GUI
- Run the downloaded MSI installer
- Accept license terms
- Choose installation type:
  - Gateway mode: For server installations
  - Desktop mode: For Windows 10/11
- Configure port (default: 443)
- Choose certificate option:
  - Generate self-signed certificate
  - Use existing certificate
- Complete installation
3. Post-Installation Configuration
Configure Trusted Hosts
# View current trusted hosts
Get-Item WSMan:\localhost\Client\TrustedHosts
# Add trusted hosts (for non-domain environments)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server1,Server2,192.168.1.*" -Force
# Or trust all hosts (not recommended for production)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
Configure Firewall
# Create firewall rule for WAC
New-NetFirewallRule -DisplayName "Windows Admin Center" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
# Verify firewall rule
Get-NetFirewallRule -DisplayName "Windows Admin Center" | Format-List
Configure Authentication
# Enable CredSSP for delegation (if needed)
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "wac.contoso.com" -Force
# Configure Kerberos delegation
$wacComputer = Get-ADComputer -Identity "WAC-Server"
Set-ADComputer -Identity $wacComputer -TrustedForDelegation $true
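`-TrustedForDelegation $true` enables unconstrained delegation on the gateway's computer account, which allows it to act as any user who authenticates to it against any service in the domain. Resource-based constrained delegation limits the gateway to the managed servers that explicitly list it. This is an added example, not part of the original guide; `Server1` and `Server2` are placeholder node names.

```powershell
# Added example: replace unconstrained delegation with resource-based
# constrained delegation scoped to named managed servers.
Import-Module ActiveDirectory

$gatewayName  = "WAC-Server"             # gateway computer account used in this guide
$managedNodes = @("Server1", "Server2")  # placeholder managed servers

$gateway = Get-ADComputer -Identity $gatewayName -Properties TrustedForDelegation

# Turn unconstrained delegation off if it was enabled earlier.
if ($gateway.TrustedForDelegation) {
    Set-ADComputer -Identity $gateway -TrustedForDelegation $false
}

# On each managed node, allow delegation from the gateway account only,
# keeping any principals that are already listed there.
foreach ($node in $managedNodes) {
    $nodeObject = Get-ADComputer -Identity $node -Properties PrincipalsAllowedToDelegateToAccount
    $allowed = @($nodeObject.PrincipalsAllowedToDelegateToAccount)
    if ($allowed -notcontains $gateway.DistinguishedName) {
        $newList = @($allowed) + $gateway.DistinguishedName
        Set-ADComputer -Identity $nodeObject -PrincipalsAllowedToDelegateToAccount $newList
    }
}

# Audit: computer accounts that still have unconstrained delegation.
# Domain controllers (primary group 516) have it by default and are excluded.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' |
    Select-Object Name, DistinguishedName
```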
4. SSL Certificate Configuration
Install Trusted Certificate
# Import certificate
$certPath = "C:\Certificates\wac.contoso.com.pfx"
# Prompt for the PFX password instead of embedding it in the script
$certPassword = Read-Host -Prompt "PFX password" -AsSecureString
$cert = Import-PfxCertificate -FilePath $certPath -CertStoreLocation "Cert:\LocalMachine\My" -Password $certPassword
# Bind certificate to WAC
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) appid="{00000000-0000-0000-0000-000000000000}"
Configure Certificate Auto-Renewal
# Create scheduled task for certificate renewal
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Renew-WACCertificate.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM"
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -TaskName "WAC Certificate Renewal" -Action $action -Trigger $trigger -Settings $settings -User "SYSTEM"
5. User Access Configuration
Configure Role-Based Access
# Create AD groups for WAC access
New-ADGroup -Name "WAC-Administrators" -GroupScope Global -Description "Full access to Windows Admin Center"
New-ADGroup -Name "WAC-Operators" -GroupScope Global -Description "Limited access to Windows Admin Center"
New-ADGroup -Name "WAC-Readers" -GroupScope Global -Description "Read-only access to Windows Admin Center"
# Add users to groups
Add-ADGroupMember -Identity "WAC-Administrators" -Members "AdminUser1", "AdminUser2"
Configure Gateway Access
# Set access control
$wacPath = "C:\Program Files\Windows Admin Center"
$acl = Get-Acl $wacPath
$permission = "CONTOSO\WAC-Administrators","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl $wacPath $acl
6. Adding and Managing Connections
Add Servers via PowerShell
# Import WAC PowerShell module
Import-Module "$env:ProgramFiles\Windows Admin Center\PowerShell\Modules\ConnectionTools"
# Add single server
Add-WacConnection -GatewayEndpoint "https://wac.contoso.com" -ConnectionName "Server1" -ConnectionType "msft.sme.connection-type.server"
# Add multiple servers
$servers = @("Server1", "Server2", "Server3")
foreach ($server in $servers) {
    Add-WacConnection -GatewayEndpoint "https://wac.contoso.com" -ConnectionName $server -ConnectionType "msft.sme.connection-type.server"
}
Import Connections from Active Directory
# Get all Windows Servers from AD
$servers = Get-ADComputer -Filter {OperatingSystem -like "*Windows Server*"} | Select-Object -ExpandProperty Name
# Create import file
$importData = @()
foreach ($server in $servers) {
    $importData += [PSCustomObject]@{
        name = $server
        type = "msft.sme.connection-type.server"
        tags = @("production", "windows-server-2022")
    }
}
# Export to JSON
$importData | ConvertTo-Json | Out-File "C:\WAC\server-import.json"
7. Extension Management
Install Extensions via PowerShell
# List available extensions
$extensions = Invoke-RestMethod -Uri "https://wac.contoso.com/api/extensions" -UseDefaultCredentials
# Install specific extension
$extensionId = "msft.sme.containers"
Invoke-RestMethod -Method Post -Uri "https://wac.contoso.com/api/extensions/install" -Body (@{id=$extensionId} | ConvertTo-Json) -ContentType "application/json" -UseDefaultCredentials
Configure Extension Settings
# Configure update settings
$settings = @{
    automaticUpdates = $true
    updateCheckInterval = 86400 # Daily
    allowPrerelease = $false
}
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Admin Center\Extensions" -Name "Settings" -Value ($settings | ConvertTo-Json)
8. Performance Optimization
Configure Connection Limits
# Set connection pool settings
$configPath = "$env:ProgramFiles\Windows Admin Center\configuration.json"
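$config = Get-Content $configPath -Raw | ConvertFrom-Json
# Add-Member creates the property if the file does not already contain it
$config | Add-Member -NotePropertyName connectionPool -Force -NotePropertyValue @{
    maxConnections = 100
    connectionTimeout = 300
    idleTimeout = 900
}
$config | ConvertTo-Json -Depth 10 | Set-Content $configPath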
# Restart WAC service
Restart-Service ServerManagementGateway
Enable Caching
# Configure Redis cache (if using external cache)
$config | Add-Member -NotePropertyName cache -Force -NotePropertyValue @{
    provider = "redis"
    connectionString = "redis-server.contoso.com:6379"
    defaultExpiration = 3600
}
9. High Availability Configuration
Deploy WAC in HA Mode
# Install on multiple servers
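$wacServers = @("WAC1", "WAC2")
# Thumbprint of the certificate imported in section 4; it must already be installed on each server
$certThumbprint = $cert.Thumbprint
foreach ($server in $wacServers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        # Install WAC and wait for msiexec to finish before the remote session closes
        $msiArgs = @('/i', 'C:\Downloads\WindowsAdminCenter.msi', '/qn', 'SME_PORT=443',
            'SSL_CERTIFICATE_OPTION=installed', ('SME_THUMBPRINT=' + $using:certThumbprint))
        Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait
    }
}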
# Configure load balancer health check
$healthCheckUrl = "https://wac.contoso.com/api/health"
Configure Shared Database
# Configure SQL Server connection
$connectionString = "Server=SQL01;Database=WindowsAdminCenter;Integrated Security=true"
$config | Add-Member -NotePropertyName database -Force -NotePropertyValue @{
    provider = "sqlserver"
    connectionString = $connectionString
}
10. Security Hardening
Enable Multi-Factor Authentication
# Configure Azure AD integration
$config | Add-Member -NotePropertyName authentication -Force -NotePropertyValue @{
    provider = "AzureAD"
    tenantId = "your-tenant-id"
    clientId = "your-client-id"
    requireMFA = $true
}
Configure Session Security
# Set session timeout
$config | Add-Member -NotePropertyName security -Force -NotePropertyValue @{
    sessionTimeout = 900 # 15 minutes
    maxFailedLogins = 3
    lockoutDuration = 1800 # 30 minutes
    requireHttps = $true
}
Enable Audit Logging
# Configure audit settings
$config | Add-Member -NotePropertyName auditing -Force -NotePropertyValue @{
    enabled = $true
    logPath = "C:\WAC\Logs\Audit"
    retentionDays = 90
    logLevel = "Information"
}
# Create audit log directory
New-Item -Path $config.auditing.logPath -ItemType Directory -Force
11. Monitoring and Maintenance
Configure Monitoring
# Create performance counters
$counters = @(
    "\Windows Admin Center\Active Connections",
    "\Windows Admin Center\Failed Logins",
    "\Windows Admin Center\Average Response Time"
)
# Create data collector set
$datacollector = New-Object -ComObject Pla.DataCollectorSet
$datacollector.DisplayName = "WAC Performance"
$datacollector.Duration = 300
$datacollector.SubdirectoryFormat = 1
$datacollector.RootPath = "C:\PerfLogs\WAC"
$collector = $datacollector.DataCollectors.CreateDataCollector(0)
$collector.FileName = "WAC_Performance"
$collector.FileNameFormat = 0
$collector.PerformanceCounters = $counters
$datacollector.DataCollectors.Add($collector)
$datacollector.Commit("WAC Performance", $null, 0x0003)
Backup Configuration
# Backup WAC configuration
$backupPath = "C:\Backups\WAC"
New-Item -Path $backupPath -ItemType Directory -Force
# Create backup script
$backupScript = @'
$date = Get-Date -Format "yyyy-MM-dd"
$backupFolder = "C:\Backups\WAC\$date"
New-Item -Path $backupFolder -ItemType Directory -Force
# Backup configuration
Copy-Item "$env:ProgramFiles\Windows Admin Center\configuration.json" -Destination $backupFolder
# Export the registry key to a .reg file
reg.exe export "HKLM\SOFTWARE\Microsoft\Windows Admin Center" "$backupFolder\registry.reg" /y
# Backup certificates (public certificates only; private keys are not exported)
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*WAC*"} | ForEach-Object { Export-Certificate -Cert $_ -FilePath "$backupFolder\$($_.Thumbprint).cer" }
# Compress backup
Compress-Archive -Path $backupFolder -DestinationPath "$backupFolder.zip"
Remove-Item $backupFolder -Recurse -Force
'@
$backupScript | Out-File "C:\Scripts\Backup-WAC.ps1"
# Schedule backup
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Backup-WAC.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At "3:00AM"
Register-ScheduledTask -TaskName "WAC Backup" -Action $action -Trigger $trigger -User "SYSTEM"
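Both the certificate renewal task in section 4 and the backup task above run a script from C:\Scripts as SYSTEM, so anyone who can write to that directory can run code as SYSTEM. This added example (not part of the original guide) lists non-administrative principals with write access and then restricts the directory; the function name `Get-UntrustedWriter` and the trusted-principal list are assumptions.

```powershell
# Added example: audit and lock down the directory that SYSTEM tasks run scripts from.
$scriptDir = 'C:\Scripts'
# Principals that may legitimately change scripts executed as SYSTEM (assumption).
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
# Write, delete, change-permissions and take-ownership bits, plus GENERIC_WRITE/GENERIC_ALL.
$writeMask = 0x500D0156

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)

    # Check the directory itself and everything below it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
            $isAllow  = $rule.AccessControlType -eq 'Allow'
            $canWrite = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
            if ($isAllow -and $canWrite -and $trusted -notcontains $rule.IdentityReference.Value) {
                [PSCustomObject]@{
                    Path     = $item.FullName
                    Identity = $rule.IdentityReference.Value
                    Rights   = $rule.FileSystemRights
                }
            }
        }
    }
}

$findings = @(Get-UntrustedWriter -Path $scriptDir)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Drop inherited ACEs and grant full control to SYSTEM and Administrators only.
    icacls $scriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
}

# Anything still listed is an explicit ACE on a child item and needs manual review.
$remaining = @(Get-UntrustedWriter -Path $scriptDir)
if ($remaining.Count -gt 0) {
    Write-Warning "$($remaining.Count) writable entries remain under $scriptDir"
    $remaining | Format-Table -AutoSize
}
```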
12. Troubleshooting
Common Issues and Solutions
# Check service status
Get-Service ServerManagementGateway | Format-List
# View event logs
Get-WinEvent -LogName "Microsoft-ServerManagementExperience" | Where-Object {$_.Level -le 3} | Select-Object -First 20
# Test connectivity
Test-NetConnection -ComputerName "wac.contoso.com" -Port 443
# Reset configuration
Reset-WacConfiguration -Confirm:$false
# Repair installation
msiexec /fa "C:\Downloads\WindowsAdminCenter.msi" /qn
Performance Diagnostics
# Check resource usage
Get-Process ServerManagementGateway | Select-Object CPU, WorkingSet, Handles
# Analyze connection issues
$logs = Get-Content "$env:ProgramFiles\Windows Admin Center\Logs\ServerManagementGateway.log" -Tail 100
$logs | Where-Object {$_ -match "ERROR|WARN"}
Best Practices
- Security
  - Use trusted SSL certificates
  - Enable MFA for administrative access
  - Regularly update WAC and extensions
  - Implement network segmentation
- Performance
  - Deploy on dedicated server for production
  - Monitor resource usage
  - Configure appropriate connection limits
  - Use SSD storage for better performance
- Availability
  - Implement HA deployment for critical environments
  - Regular backups of configuration
  - Monitor service health
  - Document custom configurations
- Management
  - Use tags to organize connections
  - Implement RBAC for different admin levels
  - Automate common tasks with PowerShell
  - Regular audit of access logs