Which Windows discovery requirements are irrelevant with MS JEA?

Marek Meres
Tera Expert

Hello Community,

I have been told by security that granting our discovery user local administrator permission on the Windows machines is out of the question and we need to find an alternative. So I thought about MS JEA, but after reading the documentation I am still not clear which part of the "regular" Windows discovery requirements still apply when using this approach. For instance the admin$ share, access to WMI and registry keys... Or is it enough to follow the aforementioned docs page and the KB0965705 article referenced there in order to have (at least basic, as stated there) discovery of the Windows machines?

Thanks in advance for sharing your experience!

Best regards,

Marek

1 ACCEPTED SOLUTION

Kedar6
ServiceNow Employee

Both approaches have unique requirements, except for enabling PowerShell Remoting on the target servers.

1. For JEA, PowerShell 5.0 or Windows Management Framework 5.1 is required to be installed on targets, whereas for regular discovery, PowerShell versions 3.0 to 5.1 are supported.
2. The JEA credentials with non-administrator rights must be domain-level credentials. For Regular discovery, the credentials used in the discovery should have local admin access to targets.
3. For JEA, the MID Server and target server must be part of a Windows domain.
In Regular discovery, you can use multi-domain configuration. If you want the MID Server to use the credentials of its own Windows service, you will have to grant local admin access to that service account. Please refer to the section: "Configure Windows credentials for the MID Server" from the following: https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html#config-win-credentials-mid-server
4. Cmdlets are restricted in JEA, whereas in regular discovery the user can run any cmdlets on the target.

I highly recommend you to go through the following DOCs/Articles for more details:

JEA discovery -
KB0782125
KB0697317
Windows JEA Discovery

Regular Windows Discovery -
Windows Credentials
Windows Probes and Permissions
Windows Discovery

Kedar6
ServiceNow Employee

Both approaches have unique requirements, except for enabling PowerShell Remoting on the target servers.

1. For JEA, PowerShell 5.0 or Windows Management Framework 5.1 is required to be installed on targets, whereas for regular discovery, PowerShell versions 3.0 to 5.1 are supported.
2. The JEA credentials with non-administrator rights must be domain-level credentials. For Regular discovery, the credentials used in the discovery should have local admin access to targets.
3. For JEA, the MID Server and target server must be part of a Windows domain.
In Regular discovery, you can use multi-domain configuration. If you want the MID Server to use the credentials of its own Windows service, you will have to grant local admin access to that service account. Please refer to the section: "Configure Windows credentials for the MID Server" from the following: https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html#config-win-credentials-mid-server
4. Cmdlets are restricted in JEA, whereas in regular discovery the user can run any cmdlets on the target.

I highly recommend you to go through the following DOCs/Articles for more details:

JEA discovery -
KB0697317 - ServiceNow Discovery with Microsoft JEA (/kb?id=kb_article_view&sysparm_article=KB0697317)
KB0782125 - Microsoft JEA Profiles for Discovery (/kb?id=kb_article_view&sysparm_article=KB0782125)
https://community.servicenow.com/community?id=community_question&sys_id=b5927e74dbf6d0106621d9d968961988&view_source=searchResult

Regular Windows Discovery -
https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html#config-win-credentials-mid-server
https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/discovery/reference/r_DiscoWinProbesAndPermissions.html
https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/discovery/reference/r_DataCollDiscoWindowsComputers.html

Hi,
I noticed in the following KB

Microsoft JEAv2 Profiles for Discovery

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0965705

It says:

"Available starting with the ServiceNow Rome release, JEA version 2 enhances security by enforcing the 'NoLanguage' mode and the 'RestrictedRemoteServer' session type. The profile doesn't have any visible cmdlets or providers, so everything must go through the JEAExecute-Script function."

So if there are no visible cmdlets or providers, where does one configure or find those cmdlets / parameters in the role capabilities file to be used by Discovery?

Thanks.

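To make the quoted constraints concrete, here is an added example of what a JEA endpoint with 'NoLanguage' mode, the 'RestrictedRemoteServer' session type and a virtual account looks like when built with the standard PowerShell cmdlets. It is not the profile from KB0965705 or any ServiceNow code; the module name, role name, function name, group name, endpoint name and computer name are hypothetical placeholders. It also shows the check a practitioner would run from the MID Server side to confirm that the discovery account sees nothing beyond the exposed function.

```powershell
# Added illustration (not ServiceNow's JEA profile). Run elevated on the target.
# Role capability files must live under a module's RoleCapabilities folder in $env:PSModulePath.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DiscoveryJea'   # hypothetical module
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# Role capability: no cmdlets or providers are made visible to the caller, only one
# function. Whatever that function runs internally is still available to it because
# visibility restrictions apply to the remote caller, not to code inside the runspace.
$roleParams = @{
    Path                = Join-Path $roleDir 'DiscoveryReader.psrc'   # hypothetical role name
    FunctionDefinitions = @{
        Name        = 'Get-DiscoveryInventory'                        # hypothetical function
        ScriptBlock = {
            # Read-only inventory query; executes under the virtual account, not the caller.
            Get-CimInstance -ClassName Win32_OperatingSystem |
                Select-Object Caption, Version, LastBootUpTime
        }
    }
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: the settings the KB quote names, plus a virtual account so the
# discovery user itself never needs local admin, and transcripts for later review.
$sessionParams = @{
    Path                = Join-Path $moduleRoot 'DiscoveryJea.pssc'
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JeaTranscripts'
    RoleDefinitions     = @{ 'CONTOSO\svc-discovery-readers' = @{ RoleCapabilities = 'DiscoveryReader' } }  # placeholder group
}
New-PSSessionConfigurationFile @sessionParams
Test-PSSessionConfigurationFile -Path $sessionParams.Path   # $true when the .pssc is well-formed

# Register the endpoint; clients reach it with -ConfigurationName.
Register-PSSessionConfiguration -Name 'DiscoveryJea' -Path $sessionParams.Path -Force | Out-Null

# Verification from the MID Server side, using the non-admin discovery credential:
# Get-Command inside the endpoint should list Get-DiscoveryInventory and the few
# RestrictedRemoteServer proxy commands, and nothing else.
$s = New-PSSession -ComputerName 'TARGET01' -ConfigurationName 'DiscoveryJea' -Credential (Get-Credential)
Invoke-Command -Session $s -ScriptBlock { Get-Command } | Select-Object Name
Invoke-Command -Session $s -ScriptBlock { Get-DiscoveryInventory }
Remove-PSSession $s
```

Anything the discovery job needs that is not wrapped in an exposed function (WMI classes, registry keys, the admin$ share) is simply unreachable through this endpoint, which is why the JEA profile's function set, rather than the regular permission list, decides what gets discovered.
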
ServiceNow Tec2
Mega Sage
This has been resolved by ServiceNow Technical Support. Please refer to KB0993289 for more information.