gMSA and JEA Deployment guide

Objective: Help administrators set up vScope so it can scan Windows servers securely using a gMSA account together with JEA.

This guide walks you through setting up vScope so that:

The vScope service runs as a gMSA.
vScope connects to target servers using No Authentication.
Target servers expose a JEA endpoint named vScopeScan.
The same gMSA that runs the vScope service is allowed to use the JEA endpoint.

The setup has three places where work is done:

1. Domain Controller / AD admin server
   Create the gMSA.

2. vScope server
   Configure the vScope service to run as the gMSA.

3. Target servers
   Deploy the JEA endpoint that vScope will connect to.

Use one test target server first. When that works, deploy JEA to more target servers through GPO.

Files Used

The deployment uses the following scripts:

01-New-vScopeGmsa.ps1
02-Configure-vScopeServiceForGmsa.ps1
03-Test-vScopeGmsaDeployment.ps1
04-Deploy-vScopeJEAEndpoint.ps1

All customer-specific values are either already filled in or marked with placeholders such as <value-to-replace>.

Example Values Used In This Guide

These examples match the tested setup:

Domain FQDN:       vscope.local
Domain NetBIOS:   VSCOPE
gMSA name:        gmsa-vscope
gMSA logon name:  vscope.local\gmsa-vscope$
vScope service:   vScope Server Service
Service name:     vScopeServer
JEA endpoint:     vScopeScan
JEA role:         vScopeJEA

If the customer environment uses different names, replace the examples with the customer’s real values.

Step 1: Create the gMSA

Run this step on:

Domain Controller
or
AD management server with the Active Directory PowerShell module

Run PowerShell as Administrator.

Script

Use:

01-New-vScopeGmsa.ps1

Values To Change

Open the script and edit these lines:

$GmsaName = "<gMSA-name-without-trailing-dollar-sign>"
$AuthorizedHostGroupName = "<AD-security-group-name-for-authorized-vScope-hosts>"
$AuthorizedHostGroupPath = "<distinguished-name-of-OU-for-authorized-host-group>"
$VScopeServerComputerName = "<vScope-server-computer-name-without-trailing-dollar-sign>"

Example:

$GmsaName = "gmsa-vscope"
$AuthorizedHostGroupName = "GG-gMSA-vScope-Hosts"
$AuthorizedHostGroupPath = "OU=Service Accounts,OU=Groups,DC=vscope,DC=local"
$VScopeServerComputerName = "VSCOPE-SERVER01"

What the values mean:

$GmsaName
The gMSA account name. Do not include the trailing $.

$AuthorizedHostGroupName
The AD group containing servers that are allowed to use the gMSA.

$AuthorizedHostGroupPath
The OU where the AD group should be created.
This must be a distinguished name.

$VScopeServerComputerName
The computer name of the server running the vScope service.
Do not include the trailing $.

Run The Script

.\01-New-vScopeGmsa.ps1

The script creates:

The KDS root key if missing.
A security group for servers allowed to retrieve the gMSA password.
Membership for the vScope server computer account.
The gMSA account.

Important

If the script creates the first KDS root key, wait before continuing. Microsoft states that a new KDS root key can require up to 10 hours before it is usable across the domain.

After this step, restart the vScope server. This lets the server receive its new AD group membership.

Step 2: Configure The vScope Service To Run As The gMSA

Run this step on:

vScope server

Run PowerShell as Administrator.

Install The AD PowerShell Module If Needed

If the script says the ActiveDirectory module is missing, install it:

Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Get-Command Install-ADServiceAccount

Script

Use:

02-Configure-vScopeServiceForGmsa.ps1

Values To Change

Open the script and edit:

$GmsaName = "<gMSA-name-without-trailing-dollar-sign>"
$DomainNetBIOSName = "<AD-domain-NetBIOS-name>"
$VScopeServiceDisplayName = "<vScope-service-display-name>"

Example:

$GmsaName = "gmsa-vscope"
$DomainNetBIOSName = "VSCOPE"
$VScopeServiceDisplayName = "vScope Server Service"

To find the vScope service display name:

Get-Service | Where-Object DisplayName -Like "*vScope*"

Expected example output:

Status   Name          DisplayName
------   ----          -----------
Running  vScopeServer  vScope Server Service

Run The Script

.\02-Configure-vScopeServiceForGmsa.ps1

The script:

Installs the gMSA on the vScope server.
Tests that the server can use the gMSA.
Adds the gMSA to the local Administrators group, which vScope requires for product updates.
Configures the vScope service to run as the gMSA.
Configures the service to use a managed password.
Starts the vScope service.

Expected successful output includes:

[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
StartName      : vscope.local\gmsa-vscope$
State          : Running
GmsaTestPassed : True

Step 3: Validate The gMSA Service Setup

Run this step on:

vScope server

Run PowerShell as Administrator.

Script

Use:

03-Test-vScopeGmsaDeployment.ps1

Values To Change

Use the same values as in Step 2:

$GmsaName = "gmsa-vscope"
$DomainNetBIOSName = "VSCOPE"
$VScopeServiceDisplayName = "vScope Server Service"

Run The Validation

.\03-Test-vScopeGmsaDeployment.ps1

Expected result:

All validation tests passed.

The test confirms:

The server is domain joined.
The gMSA exists and is enabled.
Test-ADServiceAccount passes.
The gMSA is local administrator on the vScope server.
The vScope service runs as the gMSA.
The service uses a managed password.
The service is running.

For a stronger test during a maintenance window:

.\03-Test-vScopeGmsaDeployment.ps1 -RestartService

This proves the service can restart while running as the gMSA.

Step 4: Deploy JEA On One Test Target Server

Run this step on:

One target server that vScope should inventory

This is not normally the vScope server. Only run it on the vScope server if the vScope server itself should also be inventoried as a JEA target.

Run PowerShell as Administrator.

Script

Use:

04-Deploy-vScopeJEAEndpoint.ps1

Values To Change

Open the script and check these values:

$VscopeAccount = 'vscope.local\gmsa-vscope$'
$EndpointName  = 'vScopeScan'
$RoleName      = 'vScopeJEA'

The important value is $VscopeAccount.

It must be the same gMSA that runs the vScope service.

Example:

$VscopeAccount = 'vscope.local\gmsa-vscope$'

or, if the environment uses the NetBIOS name:

$VscopeAccount = 'VSCOPE\gmsa-vscope$'

Both formats can appear in Windows output. Use the format that resolves correctly in the customer domain.

Run The Script On The Target Server

.\04-Deploy-vScopeJEAEndpoint.ps1

The script:

Enables PowerShell remoting.
Creates a PowerShell module named vScopeJEA.
Creates the JEA role capability.
Creates a session configuration file.
Allows the gMSA to use the JEA endpoint.
Registers the endpoint as vScopeScan.

Expected successful output includes:

Name                : vScopeScan
SessionType         : RestrictedRemoteServer
RunAsVirtualAccount : True
Enabled             : True
RoleDefinitions     : {vscope.local\gmsa-vscope$}
Permission          : VSCOPE\gmsa-vscope$ AccessAllowed

Step 5: Validate JEA On The Test Target Server

Run this on the target server:

Get-PSSessionConfiguration -Name vScopeScan

Check that:

Name                : vScopeScan
SessionType         : RestrictedRemoteServer
RunAsVirtualAccount : True
Enabled             : True
Permission          : <gMSA> AccessAllowed

Also run:

Test-PSSessionConfigurationFile -Path "$env:ProgramData\vScopeJEA\vScopeJEA.pssc"

If it returns True, the JEA configuration file is valid.

Step 6: Configure vScope

Do this in the vScope UI.

Create or update the Windows PowerShell credential:

Credential Type: No Authentication
JEA endpoint name: vScopeScan

Then run a rediscovery against the test target server.

This is the real end-to-end test:

vScope service
  -> runs as gMSA
  -> authenticates with Kerberos / No Authentication
  -> connects to target server
  -> enters JEA endpoint vScopeScan
  -> runs only the commands allowed by the JEA role

If the rediscovery works, the gMSA + JEA setup is working.

Step 7: Deploy JEA To More Target Servers With GPO

Only do this after the manual test target works.

Run this step from:

Domain Controller
or
Group Policy management server

Prepare The OU

Create or select an OU that contains the servers that should become JEA targets.

Example:

OU=vScope JEA Targets,OU=Servers,DC=vscope,DC=local

Start with a test OU. Do not link the GPO to a broad production server OU until testing is complete.

Create The GPO

In Group Policy Management:

Right-click the target-server OU.
Select Create a GPO in this domain, and Link it here.
Name it, for example:

vScope - Deploy JEA Endpoint

Edit the GPO.
Go to:

Computer Configuration
  > Policies
  > Windows Settings
  > Scripts (Startup/Shutdown)
  Doubble-click on Startup
  > Startup

Open the PowerShell Scripts tab.
Select Show Files.
Copy 04-Deploy-vScopeJEAEndpoint.ps1 into that folder.
Add the script as a startup PowerShell script.

Startup scripts run as Local System, which is suitable for creating the local module files and registering the JEA endpoint.

Apply The GPO

Restart one test target server, or trigger a computer policy update with reboot:

Invoke-GPUpdate `
    -Computer "<target-server-name>" `
    -Target Computer `
    -Force `
    -Boot

After reboot, validate:

gpresult.exe /scope computer /r
Get-PSSessionConfiguration -Name vScopeScan

Then test rediscovery from vScope.

Important GPO Note

The JEA script unregisters and registers the endpoint when it runs. This can restart WinRM and interrupt active PowerShell or WMI sessions.

Recommended approach:

1. Deploy to a test OU.
2. Confirm vScope rediscovery works.
3. Deploy to a controlled production OU during a maintenance window.
4. Remove the startup script assignment after successful deployment,
   or update the script so it only re-registers JEA when the config changes.

Troubleshooting

gMSA service problems on the vScope server

Check:

Test-ADServiceAccount -Identity gmsa-vscope

Get-CimInstance Win32_Service -Filter "Name='vScopeServer'" |
    Select-Object Name, StartName, State

sc.exe qmanagedaccount vScopeServer

Expected:

Test-ADServiceAccount: True
StartName: vscope.local\gmsa-vscope$
ACCOUNT MANAGED : TRUE
State: Running

JEA endpoint problems on a target server

Check:

Get-PSSessionConfiguration -Name vScopeScan

Test-PSSessionConfigurationFile -Path "$env:ProgramData\vScopeJEA\vScopeJEA.pssc"

Also check these event logs:

Applications and Services Logs/Microsoft/Windows/GroupPolicy/Operational
Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
Applications and Services Logs/Microsoft/Windows/WinRM/Operational

vScope discovery problems

Check:

The vScope service runs as the gMSA.
The vScope credential uses No Authentication.
The JEA endpoint name is vScopeScan.
The target server has the JEA endpoint registered.
The endpoint permission includes the gMSA.
DNS forward and reverse lookup work.
Kerberos/SPN resolution works for WinRM.
WinRM traffic is allowed through the firewall.

Security Notes

Do not make the gMSA a local administrator on JEA target servers.
The gMSA only needs access to the JEA endpoint on target servers.
The JEA endpoint uses RunAsVirtualAccount = $true for local execution.
Protect the JEA script, JEA module folder, and GPO from unauthorized edits.
Test changes in a small OU before production rollout.

References

Microsoft: Manage group Managed Service Accounts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts
Microsoft: JEA role capabilities
- https://learn.microsoft.com/en-us/powershell/scripting/security/remoting/jea/role-capabilities
Microsoft: JEA session configurations
- https://learn.microsoft.com/en-us/powershell/scripting/security/remoting/jea/session-configurations
Microsoft: Registering JEA configurations
- https://learn.microsoft.com/en-us/powershell/scripting/security/remoting/jea/register-jea
vScope: Windows PowerShell discovery, gMSA, and JEA
- https://support.vscope.net/datasources/windows/