If you haven't already, set up authentication.
Authentication verifies your identity for access to Google Cloud services and APIs. To run
code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and
APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI.
After installation,
initialize the Google Cloud CLI by running the following command:
SSH for Windows is supported on
Windows Server images running
the guest agent (GCEGuestAgent) version 20220527.00 or later and OpenSSH
version 8.6 or later.
Enable SSH for Windows VMs
To enable SSH connections to Windows VMs, install the
google-compute-engine-ssh package and set the enable-windows-ssh key to
TRUE in project or instance metadata. Enabling SSH for Windows in project
metadata enables SSH for all Windows VMs in your project. Enabling SSH for
Windows in instance metadata enables SSH for a single VM and overrides the value
set in project metadata.
Enable SSH for Windows while creating a VM
Enable SSH for Windows while creating a VM using the Google Cloud console or the
Google Cloud CLI.
In the Advanced options section, expand the
Management section.
In the Metadata section, click Add item. Add a startup script
that installs the google-compute-engine-ssh package by entering the
following metadata key-value pair:
In the Metadata section, click Add item. Set enable-windows-ssh
to TRUE by entering the following metadata key-value pair:
Key:enable-windows-ssh
Value:TRUE
Click Create to create and start the VM.
gcloud
Run the following
gcloud compute instances create command
to create a Windows Server VM that installs the google-compute-engine-ssh
package and enables SSH on startup:
IMAGE_FAMILY: a
Windows Server image family.
This creates the VM from the most recent non-deprecated Windows Server
image.
Enable SSH for Windows on a running VM
To enable SSH on a running Windows VM, do one of the following, depending on
whether you can use RDP to access your VM or if your workload can tolerate a
reboot:
RDP access required: Connect to the VM using RDP and install the SSH
package
Reboot required: Use a startup script to install the SSH package
RDP
If you can access your VM using RDP, enable SSH by doing the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis document provides instructions on how to connect to Windows virtual machine (VM) instances using SSH, as an alternative to RDP or PowerShell connections.\u003c/p\u003e\n"],["\u003cp\u003eTo enable SSH for Windows VMs, you must install the \u003ccode\u003egoogle-compute-engine-ssh\u003c/code\u003e package and set the \u003ccode\u003eenable-windows-ssh\u003c/code\u003e key to \u003ccode\u003eTRUE\u003c/code\u003e in either project or instance metadata.\u003c/p\u003e\n"],["\u003cp\u003eWhen creating a new Windows VM, you can enable SSH during setup by adding a startup script to install the SSH package and setting the \u003ccode\u003eenable-windows-ssh\u003c/code\u003e metadata key to \u003ccode\u003eTRUE\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eFor existing running Windows VMs, SSH can be enabled by either connecting via RDP to install the package or by stopping the VM, adding metadata for a startup script to install the package, and setting the \u003ccode\u003eenable-windows-ssh\u003c/code\u003e key, followed by restarting the VM.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud compute ssh\u003c/code\u003e command is used to establish an SSH connection to a Windows VM, and for VMs using Active Directory, the command needs to include the domain and username in the format \u003ccode\u003eDOMAIN\\USERNAME@VM_NAME\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Connect to Windows VMs using SSH\n\nWindows\n\n*** ** * ** ***\n\n|\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis document describes how to connect to Windows virtual machine (VM)\ninstances using SSH. For other ways to connect to Windows VMs, see\n[Connect to Windows VMs using RDP](/compute/docs/instances/connecting-to-windows)\nand\n[Connect to Windows VMs using PowerShell](/compute/docs/instances/windows/connecting-powershell).\nTo learn about how SSH works in Compute Engine, see\n[About SSH connections](/compute/docs/instances/ssh).\n| **Note:** When a user connects to a VM, that user can use all of the IAM permissions granted to the service account attached to the VM.\n\nBefore you begin\n----------------\n\n- If you haven't already, set up [authentication](/compute/docs/authentication). Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:\n\n Select the tab for how you plan to use the samples on this page: \n\n ### Console\n\n\n When you use the Google Cloud console to access Google Cloud services and\n APIs, you don't need to set up authentication.\n\n ### gcloud\n\n 1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n After installation,\n [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command:\n\n ```bash\n gcloud init\n ```\n\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n 2. [Set a default region and zone](/compute/docs/gcloud-compute#set_default_zone_and_region_in_your_local_client).\n\nSupported images\n----------------\n\nSSH for Windows is supported on\n[Windows Server images](/compute/docs/images/os-details#windows_server) running\nthe guest agent (`GCEGuestAgent`) version `20220527.00` or later and OpenSSH\nversion `8.6` or later.\n\nEnable SSH for Windows VMs\n--------------------------\n\nTo enable SSH connections to Windows VMs, install the\n`google-compute-engine-ssh` package and set the `enable-windows-ssh` key to\n`TRUE` in project or instance metadata. Enabling SSH for Windows in project\nmetadata enables SSH for all Windows VMs in your project. Enabling SSH for\nWindows in instance metadata enables SSH for a single VM and overrides the value\nset in project metadata.\n| **Note:** If you enable SSH for Windows on a VM running as an Active Directory (AD) controller or in a project that contains an AD controller, the AD controller VM's Guest agent provisions AD users based on SSH keys added to project and instance metadata. You can prevent unintended AD user provisioning by [disabling the account manager](/compute/docs/instances/windows/creating-managing-windows-instances#disable_the_account_manager) on the AD controller VM.\n\n### Enable SSH for Windows while creating a VM\n\nEnable SSH for Windows while creating a VM using the Google Cloud console or the\nGoogle Cloud CLI. \n\n### Console\n\n[Create a VM from a public image](/compute/docs/instances/create-start-instance#publicimage)\nthat installs the `google-compute-engine-ssh` package and enables SSH on\nstartup:\n\n1. Specify the following **Boot disk** properties:\n\n - **Operating system:** Windows Server\n - **Version:** Any version\n2. In the **Advanced options** section, expand the\n **Management** section.\n\n3. In the **Metadata** section, click **Add item** . Add a startup script\n that installs the `google-compute-engine-ssh` package by entering the\n following metadata key-value pair:\n\n - **Key:** `sysprep-specialize-script-cmd`\n - **Value:** `googet -noconfirm=true install google-compute-engine-ssh`\n4. In the **Metadata** section, click **Add item** . Set `enable-windows-ssh`\n to `TRUE` by entering the following metadata key-value pair:\n\n - **Key:** `enable-windows-ssh`\n - **Value:** `TRUE`\n5. Click **Create** to create and start the VM.\n\n### gcloud\n\nRun the following\n[`gcloud compute instances create` command](/sdk/gcloud/reference/compute/instances/create)\nto create a Windows Server VM that installs the `google-compute-engine-ssh`\npackage and enables SSH on startup: \n\n```\ngcloud compute instances create VM_NAME \\\n --image-family=IMAGE_FAMILY \\\n --image-project=windows-cloud \\\n --metadata sysprep-specialize-script-cmd=\"googet -noconfirm=true install google-compute-engine-ssh\",enable-windows-ssh=TRUE\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e: the name of the new VM.\n- \u003cvar translate=\"no\"\u003eIMAGE_FAMILY\u003c/var\u003e: a [Windows Server image family](/compute/docs/images/os-details#windows_server). This creates the VM from the most recent non-deprecated Windows Server image.\n\n### Enable SSH for Windows on a running VM\n\nTo enable SSH on a running Windows VM, do one of the following, depending on\nwhether you can use RDP to access your VM or if your workload can tolerate a\nreboot:\n\n- **RDP access required**: Connect to the VM using RDP and install the SSH package\n- **Reboot required**: Use a startup script to install the SSH package\n\n### RDP\n\nIf you can access your VM using RDP, enable SSH by doing the following:\n\n1. [Connect to the VM using RDP](/compute/docs/instances/connecting-to-windows#connecting_to_windows_vms_by_using_rdp).\n\n2. Open an administrator Command Prompt session by doing the following:\n\n 1. Open the **Start** menu.\n\n 2. Navigate to **Command Prompt**.\n\n 3. Right-click **Command Prompt** and select **Run as administrator**.\n\n If you are prompted to allow Command Prompt to make changes to your device,\n select **Yes**.\n3. Download and install the `google-compute-engine-ssh` package by running the\n following command:\n\n ```\n googet -noconfirm=true install google-compute-engine-windows && googet -noconfirm=true install google-compute-engine-ssh\n ```\n4. Close the RDP session.\n\n5. Enable Windows SSH in metadata by setting the `enable-windows-ssh` key to\n `TRUE`. For more information about setting metadata, see\n [Set custom metadata](/compute/docs/metadata/setting-custom-metadata).\n\n### Startup script\n\nIf you can't access your VM using RDP, enable SSH by doing the following:\n\n1. [Stop the VM](/compute/docs/instances/stop-start-instance#stop-vm).\n\n2. Set the following metadata key-value pairs on the VM to enable SSH. For\n more information about setting metadata, see\n [Set custom metadata](/compute/docs/metadata/setting-custom-metadata).\n\n - SSH package installation metadata:\n\n - **Key** : `windows-startup-script-cmd`\n - **Value** : `googet -noconfirm=true update && googet -noconfirm=true install google-compute-engine-ssh`\n - SSH enablement metadata:\n\n - **Key** : `enable-windows-ssh`\n - **Value** : `TRUE`\n3. [Start the VM](/compute/docs/instances/stop-start-instance#starting_a_stopped_instance).\n The VM might take a few minutes to reboot.\n\nConnect to VMs using SSH\n------------------------\n\nConnect to VMs using the\n[`gcloud compute ssh` command](/sdk/gcloud/reference/compute/ssh): \n\n```\ngcloud compute ssh VM_NAME\n```\n\nReplace \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e with the name of the Windows VM that\nyou want to connect to.\n\n### Connect to VMs that use AD\n\nIf the VM you're connecting to uses Active Directory (AD), connect using the\nfollowing command: \n\n```\ngcloud compute ssh DOMAIN\\USERNAME@VM_NAME\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eDOMAIN\u003c/var\u003e: your AD domain. For example the domain of the `ad.example.com` AD, is `example`.\n- \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e: your AD username. For example, `cloudysanfrancisco`.\n- \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e: the name of the Windows VM that you want to connect to.\n\nWhat's next?\n------------\n\n- Learn how to [troubleshoot SSH connections](/compute/docs/troubleshooting/troubleshooting-ssh#windows-errors).\n- Learn how to [Add SSH keys to VMs](/compute/docs/connect/add-ssh-keys)\n- Learn how to [Restrict SSH keys from VMs](/compute/docs/connect/restrict-ssh-keys)."]]
