JEA - Securing Endpoints

This topic contains 6 replies, has 4 voices, and was last updated by  Liam Kemp 2 years, 1 month ago.

  • #38833

    Rhys Gottwald

    I want to start with JEA, I just cannot seem to find out how to allow, or disallow users from connecting to the Toolkit.

    Then as a side note, when they say that JEA will delete all existing endpoints, will that disable things like PSWA and remoting, or are these not seen as an endpoint?


  • #38859

    Don Jones

    JEA won't delete the default endpoints. JEA _uses_ Remoting, so it's obviously not going to entirely disable Remoting. PSWA can use whatever endpoint you tell it to, and it defaults to the default endpoint.

    Depending on which version of JEA you're using, you specify an SDDL (Security Descriptor Definition Language) to specify who can connect.

  • #38885

    Rhys Gottwald

    Thank you Don, just a follow up on your reply:
    1. How do I set who can connect?
    2. From PSWA, is the default endpoint the "sys admin", full access endpoint?

    Thank you

  • #38890

    Don Jones

    There is no "sys admin" endpoint, no. If you run Get-PSSessionConfiguration on a computer, you should see a session configuration (endpoint) named "Microsoft.PowerShell," I think. That's the default endpoint. If you mean, "is this the default endpoint that's wide-open that sys admins usually use," then yes.

    "How do I set who can connect" is different in different versions of JEA. For one, you might consider using the JEA Toolkit Helper, which GUIs this a bit. This will let you specify users and groups, and translate them to the necessary SDDL that JEA needs. If you aren't familiar with SDDL, you should use this.

    If you look at, the "SecurityDescriptorSddl" property is how you control who can connect. As you can see, this is a lot more complex than just listing a user name or group name, which is why people like using the GUI helper.

  • #38908

    Ryan Puffer

    Hi Rhys,

    Which version of PowerShell are you using? Don's suggestions apply to all versions of JEA, but if you're using the latest version (Windows 10, Windows Server 2016 TP4+, or an older system with Windows Management Framework 5.0 installed), specifying who has access to your JEA endpoint is much easier. We split the configuration into two distinct files: role capabilities (what someone can do if they are assigned this role) and session configurations (who has access to which roles). In the session configuration file, you can simply include your user->role mappings in the RoleDefinitions field:

    RoleDefinitions = @{ 'domain\group' = @{ RoleCapabilities = 'Role1', 'Role2' } }

    We handle the SDDL string creation from there when you run Register-PSSessionConfiguration. A detailed walkthrough that can help you get started with JEA is available at

    Let me know if you have any other questions or need more help with the SDDL/RoleDefinitions field. I'd be happy to assist.
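    The two-file layout Ryan describes (a role capability file for what a role may do, a session configuration file whose RoleDefinitions map a group to that role), as an added example that is not code from this thread or from the JEA project; the module path, role name, group 'CONTOSO\ServiceDeskOperators' and endpoint name 'ServiceDesk' are constructed placeholders, and the commands assume WMF 5.0+ in an elevated prompt:

```powershell
# Added example, not from the thread. Names below are constructed placeholders.

# 1. Role capability file: what a member of the role may do. JEA only discovers
#    .psrc files placed in a 'RoleCapabilities' folder of a module on $env:PSModulePath.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceDeskJEA'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'ServiceDeskJEA.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'ServiceDeskOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        # Parameter constraint: the role may restart only the print spooler, nothing else.
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# 2. Session configuration file: who gets which role. This group -> role mapping is
#    what Register-PSSessionConfiguration turns into the SecurityDescriptorSddl,
#    so no hand-written SDDL is needed.
$psscPath = Join-Path $env:TEMP 'ServiceDesk.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{
        'CONTOSO\ServiceDeskOperators' = @{ RoleCapabilities = 'ServiceDeskOperator' }
    }

# Validate before registering: a malformed .pssc fails here rather than at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# 3. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $psscPath -Force | Out-Null

# 4. Verify who can connect: Permission and SecurityDescriptorSddl show the generated ACL.
#    Only the mapped group (plus the built-in administrator entries) should appear.
Get-PSSessionConfiguration -Name 'ServiceDesk' |
    Select-Object Name, Permission, SecurityDescriptorSddl

# A member of the group then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName ServiceDesk
```

    The default "Microsoft.PowerShell" endpoint is left untouched by this registration, which matches Don's point that JEA does not remove the existing endpoints.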


  • #38921

    Rhys Gottwald

    Thank you for the feedback, I will play with this all a bit more during the week and come back to you. It is making sense now.

    Ryan, I am on W2012R2 and WMF5.

  • #41591

    Liam Kemp

    Hi Rhys,
    I'm also getting started with JEA – As Ryan said, the latest incarnation, which you have – is much easier than the prior ones. It's even easier if you watch Ryan's Play-by-Play on Pluralsight that was released only a week or so ago (If you aren't a Pluralsight customer – I'd really recommend signing up for the trial at the very least, just to watch this.)
