All posts tagged Server Core

Application Compatibility Feature on Demand for Server Core

If you know me, you know that I’m a big fan of Windows Server Core. Server Core is a refactored and streamlined version of Windows Server that offers a smaller attack surface and reduced maintenance requirements. It’s ideally suited for roles like domain controllers (DCs), certification authority servers (CAs), DHCP and DNS servers, and file servers that can easily be managed remotely. Server Core lacks a Graphical User Interface (GUI), which can make administrative tasks more difficult. To support Server Core, administrators must have a firm grasp of the command line and PowerShell. Many organizations are reluctant to deploy Windows Server Core for this reason. For example, network interface configuration and disk management are common pain points for command-line administration. However, I’ve recently discovered something that might reduce this barrier to adoption.

GUI for Server Core?

I honestly don’t know how I missed this, but recently I learned of the Application Compatibility Feature on Demand for Windows Server Core. First introduced in October 2018 for Windows Server 2019 Core and supported through Windows Server 2025, the Application Compatibility Feature on Demand enables important GUI management consoles that help administrators configure and deploy Windows Server Core. It does not add the entire Windows Desktop Experience, of course, but it does introduce support for some critical GUI tools that administrators will find very helpful for installing and configuring various workloads on Server Core. Here are some examples.

Installation

To install the Application Compatibility Feature on Demand for Windows Server Core, open an elevated PowerShell command window and run the following PowerShell command.

Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0

After running the command, restart the server to complete the installation.

Features and Capabilities

After installing the Application Compatibility Feature on Demand for Windows Server Core, administrators can perform local administration using many GUI tools they are already experienced with. Here are a few examples.

Network Control Panel

Having a GUI for network interface configuration is arguably the most essential benefit of this feature. Many administrators struggle with assigning IP addresses, DNS servers, DNS suffixes, and other network configuration-related tasks using the command line. Here, the classic Network Control Panel applet (ncpa.cpl) gives administrators the familiar GUI experience for managing network settings in Windows Server Core.

Disk Management

Right behind network configuration, disk configuration in Windows Server Core is one of the most challenging administrative tasks using the command line. The Application Compatibility Feature on Demand for Windows Server Core adds support for the well-known Disk Management GUI (diskmgmt.msc), which many administrators have used before.

Event Viewer

While using PowerShell is effective for parsing event log information on Windows Server Core, it’s sometimes easier to view event log information using the GUI (eventvwr.msc).

File Explorer

Copying files to and from a Windows Server Core instance is much easier with the Application Compatibility Feature on Demand for Windows Server Core installed. To perform file operations on Windows Server Core, simply open the Windows File Explorer (explorer.exe) as you would on Windows Server GUI.

Device Manager

Working with device drivers on Windows Server Core can be challenging even for the most experienced command-line administrators. Thankfully, the Application Compatibility Feature on Demand for Windows Server Core adds support for the Device Manager GUI (devmgmt.msc), which significantly simplifies this task.

Task Scheduler

Creating basic scheduled tasks using PowerShell isn’t terribly difficult. However, things become much more difficult when creating tasks with complicated requirements, such as odd schedules, and when using event-based triggers. The familiar Task Scheduler GUI (taskschd.msc) reduces this complexity, allowing administrators to use the GUI they are likely already experienced with.

Resource and Performance Monitor

Both the Resource Monitor (resmon.exe) and Performance Monitor (perfmon.exe) are essential tools for troubleshooting resource consumption and performance bottleneck issues on Windows Server. Both tools are included with this feature.

Resource Monitor (resmon.exe)

Performance Monitor (perfmon.exe)

What’s Missing

Sadly, installing the Application Compatibility Feature on Demand for Windows Server Core does not add GUI support for user and device certificate stores (certmgr.msc and certlm.msc, respectively). Administrators must continue to use certutil.exe or PowerShell to manage certificate stores on Windows Server Core. Alternatively, administrators can use a remote management workstation to perform these tasks using the GUI. However, even with this limitation, the Application Compatibility Feature on Demand greatly improves the Server Core administration experience.

Additional Tools

This feature update includes many other GUI tools in addition to the popular administrative GUI tools listed above. These are available ad hoc using the generic Microsoft Management Console (mmc.exe). Here are a few more GUI tools you might find helpful.

Routing and Remote Access Management Console – This will be especially helpful for Always On VPN administrators using RRAS in their environments.

Windows Firewall with Advanced Security – Managing Windows Firewall and IPsec Connection Security policies is now much easier using the same GUI included with Windows Server Desktop Experience.

Local Users and Groups – Local user and group administration tasks can now be performed using the same GUI that administrators are already comfortable with.

Group Policy, Security Policy, and Resultant Set of Policy (RSoP) – GUI management tools are now available for common local group and security policy administration. In addition, administrators have access to the RSoP policy GUI for GPO troubleshooting.

Other Tools – Administrators will also find the Hyper-V Manager and Failover Cluster Manager GUI consoles are included with this feature update.

Run mmc.exe at the command line and choose File > Add/Remove Snap-in to access these GUI tools.

Summary

Don’t let the lack of a full GUI stop you from deploying Server Core! The Application Compatibility Feature on Demand makes Server Core accessible without sacrificing its core benefits. If command-line concerns have held you back from deploying Server Core, this feature removes that barrier. Start with a test deployment on a non-critical server and experience how Server Core’s reduced attack surface and lower maintenance overhead can work in your environment—without abandoning the GUI tools you rely on.

Additional Information

Application Compatibility Feature on Demand for Windows Server Core

Always On VPN and RRAS on Windows Server Core

10 PowerShell Commands Always On VPN Administrators Should Know

1 Comment
by Richard M. Hicks on October 14, 2025  •  Permalink
Posted in administration, Microsoft, Server Core, systems management, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , ,

Posted by Richard M. Hicks on October 14, 2025

https://directaccess.richardhicks.com/2025/10/14/application-compatibility-feature-on-demand-for-server-core/

10 PowerShell Commands Always On VPN Administrators Should Know

Managing a secure and reliable VPN infrastructure is critical for supporting today’s highly mobile workforce. For Always On VPN administrators, PowerShell is an indispensable tool for achieving this goal. Not only can PowerShell be used to automate the installation and configuration of Windows Server Routing and Remote Access Service (RRAS) server, but it can also be used to audit configuration and monitor system health and user activity as well. In addition, it is highly recommended that the RRAS role be installed on Server Core for optimum security and performance. Administrators must be familiar with these PowerShell commands and more to support RRAS on Windows Server Core in their environment.

RemoteAccess Module

The RemoteAccess PowerShell module should be installed when the RRAS server is configured. There are 122 commands in this module, but only a subset of those pertain to the VPN server role. Here are ten popular commands for monitoring and managing an Always On VPN RRAS server.

Configuration Review

The following PowerShell commands are useful for reviewing the current RRAS server configuration.

Get-RemoteAccess – Displays the current configuration of the VPN server. Details include installation status, TLS certificate configuration, VPN client IP address assignment method, IPv4 and IPv6 addressing information (if using the static address assignment method), authentication type, and configured RADIUS servers.

Get-VpnAuthProtocol – Displays authentication configuration details such as accepted authentication types for both user and device connections, root certification authority (CA) certificate restrictions (if enabled), and certificate advertisement and EKU restrictions if enabled.

Get-VpnServerConfiguration – Displays additional VPN server configuration information, such as the IPsec configuration for IKEv2, the number of VPN ports configured, and more.

System Health

Get-RemoteAccessHealth – Displays the current health status of various VPN server services. The command’s default output is a little noisy. I recommend filtering it as follows:

Get-RemoteAccessHealth | Where-Object HealthState -NotMatch Disabled | Format-Table -AutoSize

User Activity

The following PowerShell commands can be used to view current and historical user activity details.

Get-RemoteAccessConnectionStatistics – Displays all active VPN connections on the server.

Get-RemoteAccessConnectionStatisticsSummary – Displays cumulative information about VPN connections on the server since the last service restart or reboot, such as the total number of connections, the number of unique users, the maximum number of concurrent connections, and the amount of data transferred.

Get-RemoteAccessUserActivity – Displays all active VPN connections for a specific user or device.

Management

The following PowerShell commands are helpful for reviewing authentication and logging settings.

Get-RemoteAccessRadius – Allows the administrator to view the currently configured RADIUS servers on the VPN server.

Get-RemoteAccessAccounting – Allows the administrator to view the current accounting repository (RADIUS or inbox) on the VPN server.

Clear-RemoteAccessInboxAccountingStore – Allows the administrator to remove log data from the Inbox Accounting database. Removing log data from the database can be helpful when transitioning a test server to production or to free up disk space by reducing the size of the logging database.

Additional Modules

In addition to the PowerShell commands above, Always On VPN administrators can leverage my custom PowerShell modules for advanced server and client configuration. These modules are published in the PowerShell Gallery.

AovpnTools – PowerShell module to configure and optimize Windows RRAS servers to support Always On VPN.

Install-Module -Name AovpnTools

InboxAccountingDatabaseManagement – PowerShell module to configure and manage the Inbox Accounting database for logging system information and user activity on the VPN server.

Install-Module -Name InboxAccountingDatabaseManagement

Additional Information

Always On VPN and RRAS on Windows Server Core

Inbox Accounting Database Management

AovpnTools PowerShell Module on GitHub

Inbox Accounting Database Module on GitHub

2 Comments
by Richard M. Hicks on November 2, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Enterprise, enterprise mobility, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Security, Server Core, systems management, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 2, 2023

https://directaccess.richardhicks.com/2023/11/02/10-powershell-commands-always-on-vpn-administrators-should-know/

Always On VPN and RRAS on Windows Server Core

Windows Server Core is a refactored version of the full Windows Server operating system. Server Core does not include a Graphical User Interface (GUI) and must be managed via the command line or with PowerShell. The Routing and Remote Access Service (RRAS) is a supported workload on all supported versions of Windows Server including Windows Server 2022. Always On VPN administrators should consider installing and configuring RRAS on Windows Server Core to ensure their VPN infrastructure’s best security and performance.

Server Core Benefits

Windows Server Core is a minimal installation option of the Windows Server operating system that provides numerous benefits, particularly for environments where security, resource efficiency, and reduced maintenance overhead are essential. Here are some of the key benefits of using Windows Server Core.

Minimized Attack Surface – Windows Server Core has a smaller footprint compared to the full GUI version, which means fewer components and services are installed by default. This reduces the potential attack surface and minimizes security vulnerabilities.

Enhanced Security – With fewer components and a reduced attack surface, there are fewer potential vectors for malware or unauthorized access. This makes Windows Server Core a more secure choice for critical server roles like RRAS.

Reduced Maintenance – Since there are fewer components to update, patching and maintaining a Windows Server Core system is quicker and requires less effort. This is especially beneficial in large-scale server deployments.

Improved Stability – By removing the graphical user interface (GUI), Windows Server Core has fewer processes running in the background, leading to a more stable and predictable server environment.

Simplified Management – Windows Server Core is designed for remote administration. It allows the administrator to manage it using command-line tools, PowerShell, or remote management tools like the Remote Server Administration Tools (RSAT) and Windows Admin Center. This makes it easier to manage multiple servers from a single location.

Faster Reboots – Windows Servers require periodic reboots. With Windows Server Core, reboot times are considerably faster, resulting in less downtime during maintenance periods.

RSAT

The Remote Server Administration Tools (RSAT) can be installed on Windows clients and servers to enable remote administration using the familiar Routing and Remote Access Management console (rrasmgmt.msc) and Remote Access Management console (ramgmtui.exe) GUI tools.

Windows Client

To install the Remote Access Management tools on Windows client operating systems, navigate to Settings > Apps > Optional Features. Click Add a feature, select RSAT: Remote Access Management Tools, then click Install.

Optionally the Remote Access Management tools can be installed by running the following PowerShell command.

Add-WindowsCapability -Online -Name Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0

Windows Server

To install the Remote Access Management tools on Windows Server run the following PowerShell command.

Install-WindowsFeature -Name RSAT-RemoteAccess

Windows Admin Center

The Windows Admin Center is a free remote management tool from Microsoft for managing Windows Server (core and GUI) remotely. It is especially helpful for Server Core management as it provides a GUI for many common administrative tasks.

You can download Windows Admin Center here.

Additional Information

Windows Server Core Installation Option

Windows Server Core vs. Desktop

PowerShell Remote Server Administration

Windows Admin Center

2 Comments
by Richard M. Hicks on October 2, 2023  •  Permalink
Posted in Admin Center, administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, Remote Administration, routing, routing and remote access service, RRAS, RSAT, Security, Server Core, VPN, Windows 10, Windows 11, Windows Admin Center, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 2, 2023

https://directaccess.richardhicks.com/2023/10/02/always-on-vpn-and-rras-on-windows-server-core/

« Older Posts