Part 1: Install Windows Admin Center as a Designated Gateway on Windows Server Core


 

Updated 6/5 to include a web server cert.

At the time of this entry, the installed version of Windows Admin Center is 1804.25. I'm going to attempt to cover multiple topics being asked about Windows Admin Center. This one covers how to install it on Windows Server 2016 Core and how to add an Active Directory group to give console access to accounts that do not have Administrator rights on the Gateway Server. In the very near future I will add how to configure Just Enough Admin (JEA) for role-based access (RBAC) and how to change Windows Admin Center console access to Azure Active Directory credentials.

On the Windows Server 2016 Core Server

 

All of the instructions can be found here: Install on Server Core

Note: Outside of a lab I would want the endpoint URL to be a friendly name like wac.contoso.com. Since I am using a self-generated certificate, the URL will be the name of the server. The recommendation is to use a cert with subject alternative names defined and to add a friendly DNS name.

- Also -

Windows Admin Center requires WMF version 5.1 or higher to be installed on both the Gateway Server and all the managed servers.

Using Self Signed Cert

Download Windows Admin Center onto the Gateway Server.

  • msiexec /i WindowsAdminCenter1804.25.msi /qn /L*v log.txt SSL_CERTIFICATE_OPTION=generate

    • Or just type in the msi name and follow the prompts. Very Simple.

Using Cert

I use the same web server cert that I used in the Windows Hello for Business POC.

Configure an Internal Web Server Certificate template

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki#configure-an-internal-web-server-certificate-template

Once it's been published, log back on to the server that will be running Windows Admin Center and install the certificate. With this method I will use a friendly URL.

Get-Certificate -Template "internalwebserver" -DnsName windowsadmincenter.contoso.com,wac.contoso.com -CertStoreLocation cert:\localmachine\my

Get the thumbprint:

Get-ChildItem -path cert:\LocalMachine\My | where dnsnamelist -like "*windowsadmincenter*"

Run the msi: WindowsAdminCenter1804.25.msi

Use the certificate thumbprint

Once done, verify it is installed.

Verify Windows Admin Center Installed

Run start powershell

Run Get-CimInstance -ClassName Win32_softwarefeature | where productname -like "Windows Admin*" |fl

Run get-service serverman*

Run Test-netconnection -port 443 -ComputerName localhost
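
The following check is an added example, not part of the original post. Run on the gateway after the certificate-based install, it confirms that the certificate enrolled above is suitable for a web server and that it is the one actually presented on port 443, rather than a leftover self-signed one. The variable names are illustrative, and the DNS names and port are taken from the commands shown above.

```powershell
# Added example (not from the original post). Run on the gateway, elevated.
# Assumptions: DNS names match the Get-Certificate command; listener is on 443.
$FriendlyNames = 'windowsadmincenter.contoso.com', 'wac.contoso.com'
$Port          = 443
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. Locate the enrolled certificate in the machine store (newest first).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $FriendlyNames[0] } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $($FriendlyNames[0]) in LocalMachine\My" }

# 2. Check the properties a web server certificate needs.
$missing = $FriendlyNames | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
$now     = Get-Date
$checks  = [ordered]@{
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEku = $cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid
    NotExpired    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    AllNamesInSan = -not $missing
    NotSelfSigned = $cert.Subject -ne $cert.Issuer
}

# 3. Read the certificate the listener actually presents on the port.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
try {
    # Accept any certificate here: the goal is to inspect it, not to trust it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($FriendlyNames[0], $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $checks.ServedMatchesStore = $served.Thumbprint -eq $cert.Thumbprint
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# 4. Report, and fail loudly if any check did not pass.
"Thumbprint: $($cert.Thumbprint)"
$checks.GetEnumerator() | Format-Table Name, Value -AutoSize
$failed = $checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
if ($failed) { throw "Failed checks: $($failed -join ', ')" }
```

If ServedMatchesStore is False, the gateway is still bound to a different certificate (for example the self-generated one), and browsers using the friendly URL will keep showing a warning.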

On a Windows Desktop

Try connecting to Windows Admin Center for the first time by opening a non-Internet Explorer browser such as Edge or Firefox.

https://servername     * If a certificate warning appears, bypass it; this is due to the self-signed certificate.

Grant Console Access to Non-Server Administrators

Let's control who has access to the console. By default, all local administrators on the server I installed it on have rights.

In Active Directory, create a group (in this demo I will call it "Windows Admin Center Access"). This group will be used to give rights to log in to Windows Admin Center. Add users who are not server administrators to the group.

In Windows Admin Center, select the settings button

Then select Gateway Access

I'm just going to cover Active Directory groups for now, but this could be configured to leverage Azure AD groups and accounts.

Under Gateway users, select Add, type in the group name, then select Save.

The group has been added

For now I will leave the Gateway Administrators alone. Select Close.

Now try to log on with a user in the group that was given user access.

You should be able to log right in.

If the account doesn't have rights to Windows Admin Center, expect a Not Authorized error.


Updated 6/11

Part 2: Configure Just Enough Admin to Manage Domain Joined Servers from Windows Admin Center

This is all for now; stay tuned for the other post.

-Chad


Comments (2)

  1. SteveMacNZ says:

    Thanks Chad, looking forward to your next post 🙂

  2. Please, remove a code that uses Win32_Product. That WMI class is bad. https://gregramsey.net/2012/02/20/win32_product-is-evil/
