How do I securely connect to Windows machines with Jenkins with as few plugins on the servers receiving the Jenkins builds as possible?

[Kiran]

I need secure authentication from my Jenkins server to the servers it will push code to.  The password for the username cannot be in plain text.  I have two networks that will have one Jenkins instance each.  All the servers are variations of Windows. The networks have one relevant difference: there is no A.D. governing one of them.  I have a workgroup of Windows servers.  The other network has all the machines connected to A.D.

I want to install as few agents, dependencies and packages as possible. 

Is there a way around installing the JRE, the JNLP (or the slave.war file) and the permanent agent?  For example, I have not used the A.D. plugin before. I would think that this could allow secure authentication with an administrator login.  Then could I not have to install anything?

[Simona Avornicesei]

Are you referring to servers where you want to deploy code (e.g. web servers) or machines where to run your builds/Jenkins jobs?

In the first case you have several options like psexec, ssh, signed powershell scripts (those require 2 win services to be started).
In the second case, you need the Jenkins slave/agent on that machine and to set it up as a slave in Jenkins.

[Kiran]

I'm referring to the first case.

For SSH to work, do you recommend OpenSSH? 

Which of the options you listed have the fewest things to install on the machines that will receive the builds (the servers other than the Jenkins server) ?

Of the three options you mentioned, would I need licenses for enterprise usage?