OpenSSH Bundled with Windows Server Receives Updates Only via Optional Feature Installation
The OpenSSH server bundled with Windows Server is not updated by Windows Update — administrators must manually install newer versions to get security fixes.
Vulnerabilities in OpenSSH can allow pre-authentication remote code execution (rare but historically observed) or authentication bypass. The SSH service is commonly internet-facing, making it a high-priority patching target.
Windows Server includes OpenSSH as an optional installable feature. The version bundled with the OS does not automatically receive updates when security vulnerabilities are discovered in upstream OpenSSH. Microsoft periodically releases updated OpenSSH via Windows Update or as a separate download, but organisations must actively check and update it. Many servers running OpenSSH are on significantly outdated versions.
Probably yes if any of these apply:
Affected OS versions
Many organisations enabled OpenSSH on Windows Server as a management convenience and then never updated it. Unlike IIS, there is no clear notification through Windows Update when a new version is available.
Manual remediation steps
⏱ 15–30 minutes
Check OpenSSH Installation and Version
# Check if OpenSSH is installed
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
# Check running version
ssh -V 2>&1
Get-Item 'C:\Windows\System32\OpenSSH\ssh.exe' | ForEach-Object { $_.VersionInfo.FileVersion }
Update OpenSSH
Method 1 — Windows Optional Features (Server 2019+)
# Install the OpenSSH Server optional feature (Add-WindowsCapability installs; it does not only check)
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Method 2 — GitHub Release (Latest Version)
Verification
ssh -V
# Compare to latest version at github.com/PowerShell/Win32-OpenSSH/releases
Get-Service sshd | Select-Object Name, Status
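The checks above can be combined into one inventory object per server. The following is an added example, not a script from the original page: the function name, its parameters and the baseline value in the sample call are assumptions, and it must be run from an elevated PowerShell session because Get-WindowsCapability -Online requires it.

```powershell
# Added example: local OpenSSH inventory compared against an operator-supplied baseline.
# $MinimumVersion is an assumption: take it from github.com/PowerShell/Win32-OpenSSH/releases.
# The value in the sample call at the bottom is a constructed placeholder, not a real release.
function Get-OpenSshPatchState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [version] $MinimumVersion,
        # Default is the path used on this page; pass another directory if installed elsewhere
        [string] $InstallDir = 'C:\Windows\System32\OpenSSH'
    )

    # Optional-feature state (Installed / NotPresent) for the client and server capabilities
    $caps = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

    # Prefer the server binary; fall back to ssh.exe when only the client is present
    $binary = Join-Path $InstallDir 'sshd.exe'
    if (-not (Test-Path $binary)) { $binary = Join-Path $InstallDir 'ssh.exe' }

    $installed = $null
    if (Test-Path $binary) {
        $raw = (Get-Item $binary).VersionInfo.FileVersion
        # FileVersion may carry trailing text; keep only the leading dotted number
        if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $installed = [version]$Matches[1] }
    }

    # sshd is absent when only the client capability is installed
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Capabilities  = ($caps | ForEach-Object { '{0}={1}' -f $_.Name, $_.State }) -join '; '
        Binary        = $binary
        InstalledVer  = $installed
        MinimumVer    = $MinimumVersion
        ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType     = if ($svc) { $svc.StartType } else { $null }
        # $null means no binary was found, so there was nothing to compare
        Outdated      = if ($installed) { $installed -lt $MinimumVersion } else { $null }
    }
}

# Placeholder baseline: replace 0.0.0.0 with the version you verified upstream
Get-OpenSshPatchState -MinimumVersion '0.0.0.0' | Format-List
```

Supply the baseline with all four version parts so it compares cleanly against the four-part file version. A server where Outdated is True and ServiceStatus is Running should be patched first.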