Installing, testing and uninstalling an OpenSSH-based SFTP server in Windows
This guide applies to Windows Server 2019, 2022, and 2025, which include OpenSSH Server as a built-in optional feature. No third-party download is required.
Step by step guide
Installing the OpenSSH Server feature
1) Launch PowerShell as Administrator: Start, type "PowerShell" → right-click on "PowerShell" → Run as Administrator.
2) Check whether the OpenSSH Server feature is already installed:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' | Select-Object Name, State

Note: This lists both OpenSSH.Client and OpenSSH.Server. Make sure you check the state of OpenSSH.Server specifically; the client component may already be installed and is not what this guide covers.
If OpenSSH.Server shows State : NotPresent, install it:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Note: Windows installs the built-in OpenSSH Server feature to C:\Windows\System32\OpenSSH\. Do not install OpenSSH manually to C:\Windows directly; this violates Windows directory conventions and may cause permission issues.
3) Start the sshd service and set it to start automatically:
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
4) Verify the service is running:
Get-Service sshd

The Status field should show Running. To also confirm the startup type is set to Automatic:
Get-CimInstance Win32_Service -Filter "Name='sshd'" | Select-Object StartMode

5) Check the installed OpenSSH binary location and version info:
Get-Command sshd | Select-Object Source
(Get-Command sshd).FileVersionInfo

The Source field confirms the installation path matches C:\Windows\System32\OpenSSH\sshd.exe; FileVersionInfo shows the OpenSSH version (for example, OpenSSH_8.1p1, FileVersion 8.1.0.1 on Windows Server 2022).
Opening the firewall port
Installing the OpenSSH Server feature normally creates an inbound firewall rule named OpenSSH-Server-In-TCP automatically. Confirm it exists and is enabled:
Get-NetFirewallRule -Name *OpenSSH-Server*

If the rule is missing, create it manually (note the different rule name: this manually created rule is separate from the auto-generated OpenSSH-Server-In-TCP rule):
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Verify the port is actually open and listening:
Test-NetConnection -ComputerName localhost -Port 22

A TcpTestSucceeded : True result confirms the service is listening locally. This does not confirm the firewall is passing traffic from outside; to fully verify, run the same command from a different machine on the network, replacing localhost with the server's IP address.
Configuring sshd_config for SFTP
The configuration file is located at:
C:\ProgramData\ssh\sshd_config
Open it in a text editor with administrator rights (for example, Notepad run as Administrator) and confirm that the following settings are present (or configured as needed):
Port 22
PasswordAuthentication yes
Subsystem sftp sftp-server.exe

Security note: PasswordAuthentication yes is shown here to keep this guide simple, but for a production server exposed to the internet, key-based authentication with PasswordAuthentication no is the safer choice. See the optional AuthorizedKeysFile setting below if you plan to use key-based authentication.
Important: The Subsystem sftp line defines which binary handles SFTP sessions. Without this line present and uncommented, SSH connections will work but SFTP file transfer will fail.
By default, this line is already present and uncommented in the built-in feature's configuration file. If it is missing or commented out with #, add or uncomment it, then save the file.
Note: Newer OpenSSH versions also support Subsystem sftp internal-sftp, a built-in handler that does not call an external binary:
Subsystem sftp internal-sftp
Either sftp-server.exe or internal-sftp works; this guide uses sftp-server.exe since it is the value shipped by default.
Optional settings you may also want in sshd_config:
# Default value, already set; shown here for reference if key-based authentication isn't working
# AuthorizedKeysFile .ssh/authorized_keys
# Restrict access to specific users (optional)
# AllowUsers username1 username2
# Logging
SyslogFacility LOCAL0
LogLevel INFO
Note: For accounts that are members of the local Administrators group, the Windows port of OpenSSH uses a different file: C:\ProgramData\ssh\administrators_authorized_keys, not .ssh\authorized_keys in the user's profile. If key-based authentication for an administrator account does not work as expected, check this file instead.
After any change to sshd_config, restart the service to apply it:
Restart-Service sshd
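The checks described in this section can be scripted. The following is an added example, not part of the original guide: it reads sshd_config text, takes the first uncommented value of each keyword in the global section (everything before the first Match block), and reports on the Subsystem sftp and PasswordAuthentication settings discussed above. The function names and the sample configuration are constructed for illustration; the parser handles only the plain "Keyword value" form.

```powershell
# Added example: audit the sshd_config settings this guide relies on.
# Function names and the sample text are constructed for illustration.
function Get-SshdGlobalSetting {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $keyword, $value = $line -split '\s+', 2
        if ($keyword -ieq 'Match') { break }   # global section ends here
        if ($keyword -ieq 'Subsystem') {       # keyed by subsystem name
            $name, $value = "$value" -split '\s+', 2
            $keyword = "Subsystem $name"
        }
        $key = $keyword.ToLower()
        # sshd keeps the first value it reads for a single-valued keyword
        if (-not $settings.ContainsKey($key)) { $settings[$key] = $value }
    }
    $settings
}

function Test-SftpConfig {
    param([string[]]$Lines)
    $s = Get-SshdGlobalSetting -Lines $Lines
    $findings = @()
    if (-not $s.ContainsKey('subsystem sftp')) {
        $findings += 'Subsystem sftp missing or commented out: SSH works, SFTP fails.'
    }
    # PasswordAuthentication defaults to yes when the keyword is absent
    if (-not $s.ContainsKey('passwordauthentication') -or
        $s['passwordauthentication'] -ieq 'yes') {
        $findings += 'PasswordAuthentication is yes: prefer keys on internet-facing hosts.'
    }
    [pscustomobject]@{
        SftpHandler = $s['subsystem sftp']
        Findings    = $findings
    }
}

# Constructed sample: the Subsystem line is commented out.
$sample = @'
Port 22
PasswordAuthentication yes
#Subsystem sftp sftp-server.exe
LogLevel INFO
'@ -split "`r?`n"
Test-SftpConfig -Lines $sample | Format-List
```

To audit the live file on the server, pass `(Get-Content 'C:\ProgramData\ssh\sshd_config')` as the `-Lines` argument from an elevated PowerShell session.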
Checking the SFTP connection using WinSCP
Install and run the free WinSCP client. In the connection settings window, select the SFTP file transfer protocol, enter the server's hostname or IP address in the Host name field, leave the Port number field at 22 (unless you configured a different port), and enter the credentials of the Windows account you are connecting with.

If everything is set up correctly, the client connects to the SFTP server and displays the contents of the user's home directory (the default profile directory). By default, the user lands in C:\Users\<username>. Files can then be transferred securely between the server and the client over the SFTP protocol.

Uninstalling the OpenSSH Server feature
1) Launch PowerShell as Administrator.
2) Stop the sshd service before removing the feature; removing it while the service is still running or in active use can fail or hang:
Stop-Service sshd
3) Remove the feature:
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
4) (Optional) Remove the firewall rule. This covers both the auto-created rule and the manually created one, in case either exists:
Remove-NetFirewallRule -Name OpenSSH-Server-In-TCP -ErrorAction SilentlyContinue
Remove-NetFirewallRule -DisplayName 'OpenSSH Server (sshd)' -ErrorAction SilentlyContinue
5) (Optional) Removing configuration: you can remove just the configuration file, or do a full cleanup including host keys.
To remove just sshd_config without touching host keys:
Remove-Item -Path 'C:\ProgramData\ssh\sshd_config' -Force
For a full cleanup including host keys, remove the entire configuration folder instead:
Remove-Item -Path 'C:\ProgramData\ssh' -Recurse -Force
Warning: Removing the entire folder also deletes the server's host keys permanently. Clients connecting after reinstallation will treat the server as a new, unrecognized SSH host. Only do this if you do not plan to reinstall OpenSSH Server with the same configuration later.