
Deploy vScope Windows discovery with gMSA and JEA

Use this guide to set up vScope so it can scan Windows servers securely with a group Managed Service Account (gMSA) and Just Enough Administration (JEA).

You will work from three places:

  • Domain Controller or AD admin server: create the gMSA.
  • vScope server: configure the vScope service to run as the gMSA.
  • Target servers: deploy the JEA endpoint that vScope will use for discovery.

Start with one test target server. After a successful vScope rediscovery, deploy the JEA endpoint to more target servers through Group Policy.

You need these scripts:

01-New-vScopeGmsa.ps1
02-Configure-vScopeServiceForGmsa.ps1
03-Test-vScopeGmsaDeployment.ps1
04-Deploy-vScopeJEAEndpoint.ps1

The examples in this guide use:

Domain FQDN: vscope.local
Domain NetBIOS: VSCOPE
gMSA name: gmsa-vscope
gMSA logon name: vscope.local\gmsa-vscope$
vScope service: vScope Server Service
Service name: vScopeServer
JEA endpoint: vScopeScan
JEA role: vScopeJEA

Replace these with the customer’s real values where needed.

Step 1: Create The gMSA

Run this step on a Domain Controller or an AD admin server with the Active Directory PowerShell module.

Open PowerShell as Administrator.

Edit 01-New-vScopeGmsa.ps1:

$GmsaName = "<gMSA-name-without-trailing-dollar-sign>"
$AuthorizedHostGroupName = "<AD-security-group-name-for-authorized-vScope-hosts>"
$AuthorizedHostGroupPath = "<distinguished-name-of-OU-for-authorized-host-group>"
$VScopeServerComputerName = "<vScope-server-computer-name-without-trailing-dollar-sign>"

Example:

$GmsaName = "gmsa-vscope"
$AuthorizedHostGroupName = "GG-gMSA-vScope-Hosts"
$AuthorizedHostGroupPath = "OU=Service Accounts,OU=Groups,DC=vscope,DC=local"
$VScopeServerComputerName = "VSCOPE-SERVER01"

Run the script:

.\01-New-vScopeGmsa.ps1

If the script creates the first KDS root key, wait before continuing. Microsoft states that a new KDS root key can require up to 10 hours before it is usable across the domain.

Restart the vScope server after this step so its computer account picks up the new AD group membership; membership in the authorized-host group only takes effect when the computer logs on again.
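What the gMSA creation step amounts to, written out as an added example (this is not the 01-New-vScopeGmsa.ps1 script itself). It uses the example values above; the AES-only Kerberos setting is an assumption of this example, not something the guide specifies.

```powershell
# Added example (not the vendor script). Run on a DC / AD admin server.
Import-Module ActiveDirectory

$GmsaName                 = 'gmsa-vscope'
$DomainFqdn               = 'vscope.local'
$AuthorizedHostGroupName  = 'GG-gMSA-vScope-Hosts'
$AuthorizedHostGroupPath  = 'OU=Service Accounts,OU=Groups,DC=vscope,DC=local'
$VScopeServerComputerName = 'VSCOPE-SERVER01'

# 1. A KDS root key must exist before any gMSA password can be generated.
#    A new key is not usable domain-wide until it has replicated to every DC
#    (Microsoft: up to 10 hours); -EffectiveImmediately does not remove that wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning 'New KDS root key created. Wait up to 10 hours before continuing.'
}

# 2. Only members of this group may retrieve the gMSA password. Keep it to the
#    vScope server(s); JEA target servers never need to be in it.
$group = Get-ADGroup -Filter "Name -eq '$AuthorizedHostGroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $AuthorizedHostGroupName -GroupScope Global `
        -GroupCategory Security -Path $AuthorizedHostGroupPath -PassThru
}
Add-ADGroupMember -Identity $group -Members (Get-ADComputer $VScopeServerComputerName)

# 3. Create the gMSA. AES-only Kerberos is an assumption of this example.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$DomainFqdn" `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -KerberosEncryptionType AES256 `
        -Description 'vScope discovery service account (JEA-only on targets)'
}

# 4. Show the result. PrincipalsAllowedToRetrieveManagedPassword decides which
#    hosts can install the account in Step 2.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, SamAccountName, PrincipalsAllowedToRetrieveManagedPassword
```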

Step 2: Configure The vScope Service To Run As The gMSA

Run this step on the vScope server.

Open PowerShell as Administrator.

If the ActiveDirectory module is missing, install it:

Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Get-Command Install-ADServiceAccount

Find the vScope service display name:

Get-Service | Where-Object DisplayName -Like "*vScope*"

Example output:

Status Name DisplayName
------ ---- -----------
Running vScopeServer vScope Server Service

Edit 02-Configure-vScopeServiceForGmsa.ps1:

$GmsaName = "<gMSA-name-without-trailing-dollar-sign>"
$DomainNetBIOSName = "<AD-domain-NetBIOS-name>"
$VScopeServiceDisplayName = "<vScope-service-display-name>"

Example:

$GmsaName = "gmsa-vscope"
$DomainNetBIOSName = "VSCOPE"
$VScopeServiceDisplayName = "vScope Server Service"

Run the script:

.\02-Configure-vScopeServiceForGmsa.ps1

Expected successful output includes:

[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
StartName : vscope.local\gmsa-vscope$
State : Running
GmsaTestPassed : True
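How the service switch behind that output is done, as an added example (not the 02-Configure-vScopeServiceForGmsa.ps1 script); it assumes the example values above and that the gMSA from Step 1 already exists.

```powershell
# Added example (not the vendor script). Run as Administrator on the vScope server.
Import-Module ActiveDirectory

$GmsaName                 = 'gmsa-vscope'
$DomainNetBIOSName        = 'VSCOPE'
$VScopeServiceDisplayName = 'vScope Server Service'
$GmsaLogonName            = "$DomainNetBIOSName\$GmsaName`$"   # VSCOPE\gmsa-vscope$

# 1. Install the gMSA locally and confirm this host may retrieve its password.
#    False here usually means the server is not in the authorized-host group
#    yet, or has not been restarted since it was added (Step 1).
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Test-ADServiceAccount failed for $GmsaName; check group membership and reboot."
}

# 2. Resolve the short service name from its display name.
$svc = Get-Service | Where-Object DisplayName -eq $VScopeServiceDisplayName
if (-not $svc) { throw "Service '$VScopeServiceDisplayName' not found." }

# 3. Point the service at the gMSA. A gMSA has no password an admin can type,
#    so password= is left empty; 'managedaccount TRUE' (ChangeServiceConfig2)
#    tells the Service Control Manager to fetch it from AD at logon.
sc.exe config $svc.Name obj= $GmsaLogonName password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
sc.exe managedaccount $svc.Name TRUE
if ($LASTEXITCODE -ne 0) { throw "sc.exe managedaccount failed with exit code $LASTEXITCODE" }

# 4. Restart so the service logs on with the new identity. If it fails with a
#    logon failure, the gMSA still needs the 'Log on as a service' user right
#    on this host (sc.exe does not grant it; assign it via Local Security
#    Policy or GPO).
Restart-Service -Name $svc.Name -Force

# 5. Verify: StartName must be the gMSA and State must be Running.
Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'" |
    Select-Object Name, StartName, State
```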

Step 3: Validate The gMSA Deployment

Run this step on the vScope server.

Edit 03-Test-vScopeGmsaDeployment.ps1 and use the same values as in Step 2:

$GmsaName = "gmsa-vscope"
$DomainNetBIOSName = "VSCOPE"
$VScopeServiceDisplayName = "vScope Server Service"

Run the validation:

.\03-Test-vScopeGmsaDeployment.ps1

Expected result:

All validation tests passed.

For a stronger test during a maintenance window, restart the service as part of the validation:

.\03-Test-vScopeGmsaDeployment.ps1 -RestartService

Step 4: Deploy JEA On One Test Target Server


Run this step on one Windows server that vScope should scan.

Do not run this on the vScope server unless the vScope server itself should also be scanned through JEA.

Open PowerShell as Administrator on the target server.

Edit 04-Deploy-vScopeJEAEndpoint.ps1:

$VscopeAccount = 'vscope.local\gmsa-vscope$'
$EndpointName = 'vScopeScan'
$RoleName = 'vScopeJEA'

$VscopeAccount must be the same gMSA that runs the vScope service.

If your environment identifies accounts in NetBIOS format, use that form instead:

$VscopeAccount = 'VSCOPE\gmsa-vscope$'

Run the script:

.\04-Deploy-vScopeJEAEndpoint.ps1

Expected successful output includes:

Name : vScopeScan
SessionType : RestrictedRemoteServer
RunAsVirtualAccount : True
Enabled : True
RoleDefinitions : {vscope.local\gmsa-vscope$}
Permission : VSCOPE\gmsa-vscope$ AccessAllowed
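What a JEA endpoint with that shape consists of (role capability, session configuration, registration), as an added example that is not the 04-Deploy-vScopeJEAEndpoint.ps1 script. It assumes the example values above; the module path and the list of visible cmdlets are placeholders chosen for this example, the real allow list comes from the vendor script.

```powershell
# Added example (not the vendor script). Run as Administrator on a target server.
$VscopeAccount = 'vscope.local\gmsa-vscope$'   # same gMSA that runs the vScope service
$EndpointName  = 'vScopeScan'
$RoleName      = 'vScopeJEA'

# Role capability files must sit in a RoleCapabilities folder of a module on
# $env:PSModulePath (path assumed here); the .pssc goes where Step 5 validates it.
$ModuleDir = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$RoleName"
$RoleDir   = Join-Path $ModuleDir 'RoleCapabilities'
$ConfigDir = Join-Path $env:ProgramData $RoleName
New-Item -ItemType Directory -Path $RoleDir, $ConfigDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleDir "$RoleName.psd1") -Description 'vScope JEA role capabilities'

# Role: what the gMSA may run inside the endpoint. The cmdlet list is a
# PLACEHOLDER for this example; keep the real list to read-only cmdlets and
# never use wildcards or VisibleExternalCommands.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir "$RoleName.psrc") `
    -Description 'Read-only inventory for vScope discovery' `
    -VisibleCmdlets 'Get-CimInstance', 'Get-Service', 'Get-ItemProperty' `
    -VisibleProviders 'Registry'

# Session configuration: RestrictedRemoteServer hides everything not listed,
# the virtual account gives local admin rights inside the session only, and
# RoleDefinitions maps exactly one principal to exactly one role.
$PsscPath = Join-Path $ConfigDir "$RoleName.pssc"
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ $VscopeAccount = @{ RoleCapabilities = $RoleName } } `
    -TranscriptDirectory (Join-Path $ConfigDir 'Transcripts') `
    -Description 'vScope discovery endpoint'
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Invalid session configuration file: $PsscPath"
}

# (Re)register the endpoint. Register-PSSessionConfiguration restarts WinRM,
# which drops any active remote sessions on this server.
if (Get-PSSessionConfiguration -Name $EndpointName -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name $EndpointName -Force
}
Register-PSSessionConfiguration -Name $EndpointName -Path $PsscPath -Force | Out-Null

Get-PSSessionConfiguration -Name $EndpointName |
    Select-Object Name, SessionType, RunAsVirtualAccount, Enabled, RoleDefinitions, Permission
```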

Step 5: Validate JEA On The Test Target Server


Run this on the target server:

Get-PSSessionConfiguration -Name vScopeScan

Check that the endpoint is enabled and that the gMSA has access:

Name : vScopeScan
SessionType : RestrictedRemoteServer
RunAsVirtualAccount : True
Enabled : True
Permission : <gMSA> AccessAllowed

Validate the session configuration file:

Test-PSSessionConfigurationFile -Path "$env:ProgramData\vScopeJEA\vScopeJEA.pssc"

Expected result:

True

Step 6: Configure The vScope Credential

Do this in the vScope UI.

Create or update the Windows PowerShell credential:

Credential Type: No Authentication
JEA endpoint name: vScopeScan

Run a rediscovery against the test target server.

If the rediscovery succeeds, the gMSA and JEA setup works end to end.

Step 7: Deploy JEA To More Target Servers With GPO


Only continue after the manual test target works.

Run this step from a Domain Controller or a Group Policy management server.

Create or select an OU that contains the servers that should become JEA targets.

Example:

OU=vScope JEA Targets,OU=Servers,DC=vscope,DC=local

Start with a test OU. Do not link the GPO to a broad production server OU until testing is complete.

In Group Policy Management:

  1. Right-click the target-server OU.
  2. Select Create a GPO in this domain, and Link it here.
  3. Name the GPO, for example: vScope - Deploy JEA Endpoint
  4. Edit the GPO.
  5. Go to: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup
  6. Double-click Startup.
  7. Open the PowerShell Scripts tab.
  8. Select Show Files.
  9. Copy 04-Deploy-vScopeJEAEndpoint.ps1 into that folder.
  10. Add the script as a startup PowerShell script.

Restart one test target server, or trigger a computer policy update with reboot:

Invoke-GPUpdate `
-Computer "<target-server-name>" `
-Target Computer `
-Force `
-Boot

After reboot, validate on the target server:

gpresult.exe /scope computer /r
Get-PSSessionConfiguration -Name vScopeScan

Then run a vScope rediscovery against that target.

The JEA script unregisters and re-registers the endpoint every time it runs, so as a startup script it does this on every boot while the GPO is linked. This can restart WinRM and interrupt active PowerShell or WMI sessions.

After deployment has succeeded:

  1. Confirm vScope rediscovery works.
  2. Remove the startup script assignment from the GPO, or update the script so it only re-registers JEA when the configuration changes.
  3. Keep the GPO and script available for controlled future updates.
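One way to do item 2, re-registering only when the configuration changed, as an added example rather than the vendor script. It assumes the desired .pssc and .psrc files ship beside the startup script in the GPO folder, and that the deployed paths match Step 4 and Step 5.

```powershell
# Added example (not the vendor script): a change-detecting startup script, so
# WinRM is only restarted when the JEA configuration actually differs.
# Assumption: the desired .pssc/.psrc are shipped next to this script in the
# GPO folder; deployed paths follow Step 4/5 of the guide.
$EndpointName = 'vScopeScan'
$RoleName     = 'vScopeJEA'
$Staged = @{
    Pssc = Join-Path $PSScriptRoot "$RoleName.pssc"
    Psrc = Join-Path $PSScriptRoot "$RoleName.psrc"
}
$Deployed = @{
    Pssc = Join-Path $env:ProgramData "$RoleName\$RoleName.pssc"
    Psrc = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$RoleName\RoleCapabilities\$RoleName.psrc"
}

# True when the deployed copy is missing or its SHA-256 differs from the staged one.
function Test-FileChanged([string]$StagedPath, [string]$DeployedPath) {
    if (-not (Test-Path $DeployedPath)) { return $true }
    (Get-FileHash $StagedPath -Algorithm SHA256).Hash -ne
        (Get-FileHash $DeployedPath -Algorithm SHA256).Hash
}

$endpoint      = Get-PSSessionConfiguration -Name $EndpointName -ErrorAction SilentlyContinue
$psscChanged   = Test-FileChanged $Staged.Pssc $Deployed.Pssc
$psrcChanged   = Test-FileChanged $Staged.Psrc $Deployed.Psrc
$needsRegister = (-not $endpoint) -or (-not $endpoint.Enabled) -or $psscChanged

if (-not ($needsRegister -or $psrcChanged)) {
    Write-Output "$EndpointName unchanged; nothing to do (WinRM not restarted)."
    return
}

# A .psrc is read when each JEA session starts, so a changed role file only
# needs copying. Only a changed .pssc, or a missing/disabled endpoint, requires
# the unregister/register cycle that restarts WinRM.
foreach ($p in $Deployed.Values) { New-Item -ItemType Directory -Path (Split-Path $p) -Force | Out-Null }
if ($psrcChanged) { Copy-Item $Staged.Psrc $Deployed.Psrc -Force }
if ($needsRegister) {
    Copy-Item $Staged.Pssc $Deployed.Pssc -Force
    if (-not (Test-PSSessionConfigurationFile -Path $Deployed.Pssc)) { throw "Invalid .pssc: $($Deployed.Pssc)" }
    if ($endpoint) { Unregister-PSSessionConfiguration -Name $EndpointName -Force }
    Register-PSSessionConfiguration -Name $EndpointName -Path $Deployed.Pssc -Force | Out-Null
}
```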

On the vScope server, check the gMSA service setup:

Test-ADServiceAccount -Identity gmsa-vscope
Get-CimInstance Win32_Service -Filter "Name='vScopeServer'" |
Select-Object Name, StartName, State
sc.exe qmanagedaccount vScopeServer

Expected:

Test-ADServiceAccount: True
StartName: vscope.local\gmsa-vscope$
ACCOUNT MANAGED : TRUE
State: Running

On a target server, check the JEA endpoint:

Get-PSSessionConfiguration -Name vScopeScan
Test-PSSessionConfigurationFile -Path "$env:ProgramData\vScopeJEA\vScopeJEA.pssc"

If GPO deployment fails, check:

Applications and Services Logs/Microsoft/Windows/GroupPolicy/Operational
Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
Applications and Services Logs/Microsoft/Windows/WinRM/Operational

If vScope discovery fails, check:

  • The vScope service runs as the gMSA.
  • The vScope credential uses No Authentication.
  • The JEA endpoint name is vScopeScan.
  • The target server has the JEA endpoint registered.
  • The endpoint permission includes the gMSA.
  • DNS forward and reverse lookup work.
  • Kerberos/SPN resolution works for WinRM.
  • WinRM traffic is allowed through the firewall.

Security notes:

  • Do not make the gMSA a local administrator on JEA target servers.
  • The gMSA only needs access to the JEA endpoint on target servers.
  • The JEA endpoint uses RunAsVirtualAccount = $true for local execution.
  • Protect the JEA script, JEA module folder, and GPO from unauthorized edits.
  • Test changes in a small OU before production rollout.