Part 1: Install Windows Admin Center as a Designated Gateway on Windows Server Core


Updated 6/5 to include a web server cert.

At the time of this entry, the installed version of Windows Admin Center is 1804.25. I'm going to attempt to cover multiple topics being asked about Windows Admin Center. This one covers how to install on Windows Server Core 2016 and how to add an Active Directory group to give console access to accounts that do not have Administrator rights on the Gateway Server. In the very near future I will add how to configure Just Enough Admin (JEA) for role-based access control (RBAC) and how to change Windows Admin Center console access to Azure Active Directory credentials.

On Windows 2016 Server Core Server


All of the instructions can be found here: Install on Server Core

Note: Outside of a lab I would want the endpoint URL to be a friendly name like Since I am using a self-generated certificate, the URL will be the name of the server. The recommendation is to use a cert with Subject Alternative Names defined and add a friendly DNS name.

- Also -

Windows Admin Center requires WMF version 5.1 or higher to be installed on both the Gateway Server and all the managed servers.

Using Self Signed Cert

Download Windows Admin Center onto the Gateway Server.

  • msiexec /i WindowsAdminCenter1804.25.msi /qn /L*v log.txt SSL_CERTIFICATE_OPTION=generate


    • Or just type in the msi name and follow the prompts. Very Simple.

Using Cert

I use the same web server cert that I used in the Windows Hello for Business POC.

Configure an Internal Web Server Certificate template

Once the template has been published, log back on to the server that will be running Windows Admin Center and install the certificate. With this method I will use a friendly URL.

Get-Certificate -Template "internalwebserver" -DnsName "<friendly-dns-name>" -CertStoreLocation cert:\LocalMachine\My


Get the thumbprint:

Get-ChildItem -path cert:\LocalMachine\My | where dnsnamelist -like "*windowsadmincenter*"


Run the msi: WindowsAdminCenter1804.25.msi


Use the certificate thumbprint
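The certificate lookup and MSI run above done without prompts, as an added example that is not part of the original post: it checks that the certificate is actually usable for the gateway before passing its thumbprint to the installer. `$FriendlyName` is a constructed placeholder, and `SME_PORT` and `SME_THUMBPRINT` are the installer properties from Microsoft's Server Core instructions rather than from this page.

```powershell
# Added example, not from the original post. $FriendlyName is a constructed placeholder.
$FriendlyName = 'windowsadmincenter.example.test'
$Msi          = 'WindowsAdminCenter1804.25.msi'   # installer name used in this post
$ServerAuth   = '1.3.6.1.5.5.7.3.1'               # Server Authentication EKU OID

function Test-GatewayCertificate {
    # Returns the reasons a certificate is unsuitable; no output means usable.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$DnsName
    )
    $problems = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += 'outside its validity period'
    }
    # Exact SAN match only; a wildcard SAN would need separate handling.
    if ($Cert.DnsNameList.Unicode -notcontains $DnsName) {
        $problems += "SAN does not list $DnsName"
    }
    # An empty EKU list means any purpose; otherwise Server Authentication is required.
    $eku = $Cert.EnhancedKeyUsageList | ForEach-Object ObjectId
    if ($eku -and $eku -notcontains $ServerAuth) {
        $problems += 'no Server Authentication EKU'
    }
    $problems
}

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object DnsNameList -like '*windowsadmincenter*'   # same filter as the post
$usable = foreach ($c in $candidates) {
    $problems = Test-GatewayCertificate -Cert $c -DnsName $FriendlyName
    if ($problems) {
        Write-Warning "$($c.Thumbprint): $($problems -join '; ')"
    } else { $c }
}
$cert = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $FriendlyName in LocalMachine\My" }

# Port 443 matches the Test-NetConnection check later in this post.
$msiArgs = @('/i', $Msi, '/qn', '/L*v', 'log.txt', 'SME_PORT=443',
             "SME_THUMBPRINT=$($cert.Thumbprint)", 'SSL_CERTIFICATE_OPTION=installed')
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see log.txt" }
```

Run it from an elevated PowerShell session in the folder that holds the MSI; rejected certificates are listed as warnings with the reason.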


Once done, verify it is installed.

Verify Windows Admin Center Installed

Run start powershell

Run Get-CimInstance -ClassName Win32_softwarefeature | where productname -like "Windows Admin*" |fl


Run get-service serverman*


Run Test-netconnection -port 443 -ComputerName localhost


On a Windows Desktop

Try connecting to Windows Admin Center for the first time by opening a non-Internet Explorer browser such as Edge or Firefox.

https://servername     * If a cert warning appears, bypass it; this is due to the self-signed certificate.


Grant Console Access to Non-Server Administrators

Let's control who has access to the console. By default, all local administrators on the server I installed it on have rights.

In Active Directory, create a group (in this demo I will call it "Windows Admin Center Access"). This group will be used to give rights to log in to Windows Admin Center. Add non-server-administrator users to the group.

In Windows Admin Center, select the settings button


Then select Gateway Access


I am just going to cover Active Directory groups for now, but this could be configured to leverage Azure AD groups and accounts.

Under Gateway users, select Add, type in the group name, then select Save.


The group has been added


For now I will leave the Gateway Administrators alone. Select Close.

Now try to log on with a user in the group that was given user access.

The user should be able to log right in.


If the account doesn't have rights to Windows Admin Center, expect a Not Authorized error.



Updated 6/11

Part 2: Configure Just Enough Admin to Manage Domain Joined Servers from Windows Admin Center

This is all for now; stay tuned for the other post.


Comments (3)
  1. SteveMacNZ says:

    Thanks Chad, looking forward to your next post 🙂

  2. Please, remove a code that uses Win32_Product. That WMI class is bad.

  3. jrauman says:

    thank you for this. btw, I get prompted to login to WAC when I first open the URL. How do I tell WAC to just use my current credentials (instead of making me type them in – which works when I do type them in, so it's not a rights issue)?
