Microsoft 2026: PowerShell OpenSSH and DSC Modernize Windows Automation

Microsoft's engineering teams are quietly reshaping the Windows server and automation stack in 2026, directing focused investment into PowerShell, Windows OpenSSH, and Desired State Configuration (DSC) to prioritize security, reliability, and modern authentication—changes that matter to administrators, devops engineers, and power users who depend on secure remote access and predictable automation at scale.

Background

PowerShell, OpenSSH for Windows, and DSC are integral to how Windows environments are managed today. PowerShell serves both interactive administration and scripted automation; Windows OpenSSH provides the secure remote shell that many organizations use for cross-platform management; and DSC offers a declarative mechanism to enforce configuration at scale. Over the last several years Microsoft has shifted some of these components out of the opaque in-box servicing model and into more frequently updated channels—both to accelerate fixes and to reduce the risk of shipping outdated cryptography and protocols inside the OS. That shift underpins many of the 2026 investments.
Security-driven maintenance has been a recurring theme: high-severity OpenSSH vulnerabilities in 2024–2025 prompted rapid patches and highlighted the danger of long-lived in-box components that lag upstream OpenSSH releases. Those incidents help explain why Microsoft is explicitly prioritizing security work and more responsive update flows in 2026.

What Microsoft announced for 2026 — the essentials​

1) Team investments and priorities​

Microsoft’s PowerShell team published a clear, year-long investments post laying out their 2026 focus areas. The public roadmap emphasizes three cross-cutting priorities:
  • Security first: continued prioritization of security fixes and compliance-related work that may not be visible to end users but is crucial for trustworthiness.
  • Reliability and performance for package tooling: major work on PSResourceGet to enable concurrent downloads and installations, reducing setup time for module-rich environments.
  • Platform and tooling improvements: continued work on PowerShell Gallery, improved Windows Update integration for PowerShell updates, and DSC v3 releases with a Python adapter for Linux scenarios.
These are not minor feature tweaks: they reflect architectural changes intended to make automation both faster and safer at enterprise scale.

2) Windows OpenSSH: EntraID authentication and modernization​

Arguably the most forward-looking promise is exploration of EntraID (Azure AD) authentication for Windows OpenSSH. EntraID support would let organizations leverage centralized identity and conditional access for SSH sessions in a way that integrates with modern enterprise identity controls—reducing reliance on static SSH keys and improving auditability. The PowerShell team lists EntraID authentication support as an active exploration for the Windows OpenSSH fork maintained by Microsoft.
Why this matters:
  • It aligns SSH access with corporate identity policies and conditional access, enabling risk-aware session gating.
  • It reduces key-management friction for large fleets, particularly where ephemeral or certificate-based approaches are preferred.
  • It paves the way for better integration with privileged identity workflows (for example, just-in-time access patterns).

3) DSC v3.x progression and cross-platform adapters​

DSC (Desired State Configuration) receives continued investment in 2026, with a targeted DSC v3.2 GA window in the first half of the year and ongoing work on DSC v3.3 immediately afterward. Microsoft is also previewing a Python adapter to simplify resource development on Linux, which indicates a push to make DSC more attractive in mixed Windows/Linux estates. For administrators using configuration-as-code, those releases promise greater parity and easier cross-platform adoption.

Deep dive: PowerShell improvements​

PSResourceGet — concurrency and user experience​

One of the more tangible developer-experience investments is concurrency for PSResourceGet. Currently, sequential installs can create long agent startup times in environments that must deploy many interdependent modules at once—common in large automation deployments and containerized images.
Planned changes include:
  • Concurrent downloads/installs to speed provisioning.
  • Improved failure handling and retry logic to increase reliability on flaky networks.
  • Better telemetry to diagnose installation bottlenecks.
For customers automating image builds or provisioning developer workstations, these changes may significantly reduce bootstrap times and make large-scale rollouts less brittle.

Gallery reliability and Microsoft Update integration​

Microsoft will continue improving the PowerShell Gallery—not just as a feed, but as an operational surface that needs scale, resilience, and security. There’s been steady progress on making PowerShell core updates manageable via Microsoft Update (MU) to give enterprise admins better control of update cadence while ensuring critical fixes propagate. This reflects lessons learned from shipping in-box components that fall out of sync with community releases.

Deep dive: Windows OpenSSH changes and implications​

Exploring EntraID authentication​

EntraID-backed SSH authentication represents a meaningful architectural shift. Traditional SSH models rely heavily on public/private keypairs or certificate authorities that are managed separately from corporate identity systems. EntraID support promises:
  • Centralized policy control over SSH access.
  • Easier adoption of modern MFA and conditional access features for SSH sessions.
  • Potentially simpler deprovisioning when employees change roles or leave.
That said, it is an exploration rather than an immediate release; engineering and interoperability details (such as session token lifetime, offline access, key escrow, and agentless vs agent-based flows) remain open. Administrators should treat EntraID-based SSH as a strategic direction with potential, but expect cautious rollout and compatibility testing.

Upgrading the in-box OpenSSH vs GitHub releases​

Microsoft’s guidance and documentation continue to recommend upgrading the in-box OpenSSH component to GitHub (Win32-OpenSSH) releases where customers need the latest algorithms, logging, and security hardening. Practical upgrade options include MSI installers or ZIP-based deployments, and Microsoft outlines safe upgrade steps that preserve configuration while replacing binaries. This is significant: keeping OpenSSH current reduces exposure to vulnerabilities that may be fixed faster upstream than in OS servicing.

Why Microsoft is doubling down on OpenSSH security​

The prioritization of security work for OpenSSH is not theoretical. The public CVE history—most notably elevation-of-privilege vulnerabilities patched in 2024–2025—showcases the operational risk of letting SSH components age inside an OS image. Microsoft’s 2026 investments explicitly place security top of the backlog, showing a pragmatic acceptance that continuous update channels and active maintenance are essential. If you manage SSH at scale, this is a welcome, necessary posture.

DSC and cross-platform management​

DSC v3.2 and v3.3: practical outcomes​

DSC v3.2 aims for GA in the first half of 2026. The release candidate cadence and feature list indicate attention to:
  • Operational stability for large deployments.
  • Enhanced resource authoring and discovery.
  • Better integration with pipeline tooling and Windows Update resources.
The promised Python adapter for Linux targets a real pain point: authoring DSC resources on non-Windows platforms has been awkward. A Python adapter lowers the barrier for Linux-centric teams to adopt DSC as part of an organization-wide desired-state strategy. Administrators should plan proof-of-concepts early, but expect a maturation period as adapters and resource ecosystems grow.

What this means for administrators and security teams​

Immediate action items​

  • Evaluate OpenSSH update posture: If your environment still relies on the in-box OpenSSH version, plan an upgrade path to the latest Win32-OpenSSH releases for critical servers, following Microsoft’s documented steps.
  • Watch EntraID SSH previews: Treat EntraID SSH as a strategic modernization path for environments that already use EntraID for access control. Start testing conditional access policies and identity workflows in isolated environments.
  • Prepare DSC compatibility tests: If you use DSC, allocate resources to validate DSC v3.2 previews and the Python adapter in dev/test. This reduces migration friction once GA is announced.
  • Upgrade PowerShell deployment flows: Leverage expected PSResourceGet concurrency improvements by revisiting bootstrap scripts and CI/CD workers that install many modules concurrently.

Long-term considerations​

  • Identity-first SSH is transformational: Moving SSH into the identity plane can materially reduce administrative overhead and security risk—but it requires operational changes: identity lifecycle integration, certificate handling, and auditing pipelines must be mature.
  • In-box vs out-of-band updates: Microsoft’s continued guidance to upgrade in-box components (OpenSSH) and to use Microsoft Update for managed PowerShell updates suggests the long-term model will favor out-of-band delivery for fast-turnaround fixes.
  • Third-party integration will matter: Vendors and third-party tools that still assume SSH keys or legacy DSC behaviors will need to accommodate these changes or provide mitigations.

Strengths in Microsoft’s 2026 approach​

  • Security-first prioritization: Explicitly prioritizing security work (including fixes that are not feature-visible) is the right engineering posture for infrastructure tooling. Security-driven triage reduces blast radius from zero-day issues.
  • Identity integration ambition: Exploring EntraID for SSH shows Microsoft is aligning remote access with its broader identity story—this is strategically coherent and beneficial for customers already standardized on EntraID.
  • Performance and tooling improvements: PSResourceGet concurrency, gallery hardening, and improved update mechanisms reduce friction for administrators and developers and are pragmatic, high-leverage investments.
  • Cross-platform commitments: DSC Python adapters and cross-platform DSC work lower the bar for Linux adoption and reflect real-world heterogeneous datacenter needs.

Risks, unknowns, and cautionary notes​

  • Exploration vs guaranteed delivery: Many of the most exciting items—EntraID support for OpenSSH, DSC v3.2/3.3 timelines, and certain performance improvements—are described as investments or explorations. That means dates, exact capabilities, and operational mechanics could shift as engineering uncovers real-world complexities. Administrators should budget time for pilot programs and compatibility testing rather than expecting immediate drop-in replacements.
  • Operational complexity of identity-backed SSH: Moving from key-based SSH to identity-backed models introduces new operational surfaces—token lifetimes, offline access, delegated provisioning, and certificate rotation strategies will all need solid tooling and runbooks.
  • Upgrade and compatibility friction: Upgrading in-box components (like OpenSSH) is recommended, but upgrades can temporarily disrupt active sessions and require careful orchestration. Microsoft’s guidance warns administrators to back up configuration and schedule reboots or service restarts appropriately.
  • The danger of opaque defaults: If Microsoft pushes certain defaults (for example, shifting update channels or preferring certain authentication flows), organizations must track these changes closely or risk silent behavioral shifts in their estates.

Practical checklist for IT teams (step-by-step)​

  • Inventory: Identify all systems that run PowerShell automation, OpenSSH servers, and DSC configurations.
  • Test upgrades: On a staging environment, upgrade OpenSSH to the latest Win32-OpenSSH release and validate scripts, key handling, and service restart behavior. Follow the Microsoft upgrade steps to preserve configuration.
  • Pilot EntraID SSH: If you use EntraID, create a small pilot to test conditional access policies for SSH scenarios and evaluate authentication UX for administrators and CI systems.
  • Update CI/CD and bootstrap flows: Prepare for PSResourceGet concurrency by ensuring your build agents and pipeline steps can handle concurrent installs safely.
  • DSC validation: Install DSC v3.2 previews in a test cluster; validate existing resources and try authoring a simple resource using the Python adapter preview.
  • Monitoring and telemetry: Enhance logging and monitoring for SSH session events and PowerShell module install telemetry so regressions are detected early.
  • Communicate change: Update runbooks and communicate expected changes to teams, emphasizing the need for staged rollouts and compatibility testing.

Final assessment​

Microsoft’s 2026 plan for PowerShell, Windows OpenSSH, and DSC is measured and operationally pragmatic. It places security and reliability first while also investing in modern identity integration and developer ergonomics. The most impactful items—EntraID-backed SSH and DSC cross-platform parity—would directly reduce operational friction and risk if executed well.
Administrators should treat these investments as an invitation to modernize: start small, run pilots, and validate that tooling and processes can absorb identity-based authentication for SSH and faster PowerShell module provisioning. The road ahead will include rough edges—explorations are not product releases—but the direction is sound: align remote access with identity, make automation faster and safer, and keep long-lived components up to date.
Prepare for incremental change, prioritize testing, and treat Microsoft’s 2026 investments as a strategic opportunity to harden and modernize Windows-centric automation and remote access in a way that reflects how enterprise infrastructure is managed today.

Source: Neowin Here is how Microsoft is improving PowerShell and Windows OpenSSH in 2026
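
For the "Inventory" and "Evaluate OpenSSH update posture" items above, a minimal way to tell whether a host runs the in-box sshd or an out-of-band Win32-OpenSSH install. This is an added example, not part of the original post or Microsoft's guidance; the function name `Get-OpenSshPosture` is hypothetical, and the default locations (`%SystemRoot%\System32\OpenSSH` for in-box binaries, `%ProgramData%\ssh\sshd_config` for configuration) are assumptions about a standard install.

```powershell
# Added example: report where sshd is installed from, its version, and its config location.
function Get-OpenSshPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $false
        Source       = $null   # 'InBox' or 'OutOfBand'
        BinaryPath   = $null
        Version      = $null
        ServiceState = $null
        StartMode    = $null
        ConfigPath   = $null
        ConfigExists = $false
    }

    # The service registration is the authoritative pointer to the binary that actually runs.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='sshd'" -ErrorAction SilentlyContinue
    if ($svc) {
        $result.Installed    = $true
        $result.ServiceState = $svc.State
        $result.StartMode    = $svc.StartMode

        # PathName may be quoted and may carry arguments; keep only the executable path.
        $exe = $null
        if ($svc.PathName -match '^\s*"?(.+?\.exe)') { $exe = $Matches[1] }
        $result.BinaryPath = $exe

        if ($exe) {
            # Assumption: in-box binaries live under System32\OpenSSH; anything else is out-of-band.
            $inBoxDir = Join-Path $env:SystemRoot 'System32\OpenSSH'
            $isInBox  = $exe.StartsWith("$inBoxDir\", [System.StringComparison]::OrdinalIgnoreCase)
            $result.Source = if ($isInBox) { 'InBox' } else { 'OutOfBand' }
            if (Test-Path -LiteralPath $exe) {
                $result.Version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            }
        }

        # Assumption: default config location; this is the file to back up before an upgrade.
        $cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
        $result.ConfigPath   = $cfg
        $result.ConfigExists = Test-Path -LiteralPath $cfg
    }

    [pscustomobject]$result
}

Get-OpenSshPosture | Format-List
```

Hosts that report `Source = InBox` are the ones to compare against the current Win32-OpenSSH release when planning the staged upgrade.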
 
