03-28-2022 05:21 AM
Hello Community,
I have been told by security that granting our discovery user local administrator permission on the Windows machines is out of the question and we need to find an alternative. So I thought about MS JEA, but after reading the documentation I am still not clear which parts of the "regular" Windows discovery requirements still apply when using this approach. For instance, admin$ share, access to WMI and registry keys... Or is it enough to follow the aforementioned docs page and the KB0965705 referenced there in order to have (at least basic, as stated there) discovery of the Windows machines?
Thanks in advance for sharing your experience!
Best regards,
Marek
03-30-2022 02:53 AM
Both approaches have unique requirements, except for enabling PowerShell Remoting on the target servers.
1. For JEA, PowerShell 5.0 or Windows Management Framework 5.1 is required to be installed on the targets, whereas for regular discovery, PowerShell versions 3.0 to 5.1 are supported.
2. The JEA credentials with non-administrator rights must be domain-level credentials. For regular discovery, the credentials used in the discovery should have local admin access to the targets.
3. For JEA, the MID Server and target server must be part of a Windows domain.
In regular discovery, you can use a multi-domain configuration. If you want the MID Server to use the credentials of its own Windows service, you will have to grant local admin access to that service account. Please refer to the section "Configure Windows credentials for the MID Server" from the following: https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html#config-win-credentials-mid-server
4. Cmdlets are restricted in JEA, whereas in regular discovery the user can run any cmdlets on the target.
I highly recommend that you go through the following docs/articles for more details:
JEA discovery -
KB0782125
KB0697317
Windows JEA Discovery
Regular Windows Discovery -
Windows Credentials
Windows Probes and Permissions
Windows Discovery
03-30-2022 02:49 AM
Both approaches have unique requirements, except for enabling PowerShell Remoting on the target servers.
1. For JEA, PowerShell 5.0 or Windows Management Framework 5.1 is required to be installed on the targets, whereas for regular discovery, PowerShell versions 3.0 to 5.1 are supported.
2. The JEA credentials with non-administrator rights must be domain-level credentials. For regular discovery, the credentials used in the discovery should have local admin access to the targets.
3. For JEA, the MID Server and target server must be part of a Windows domain.
In regular discovery, you can use a multi-domain configuration. If you want the MID Server to use the credentials of its own Windows service, you will have to grant local admin access to that service account. Please refer to the section "Configure Windows credentials for the MID Server" from the following: https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html#config-win-credentials-mid-server
4. Cmdlets are restricted in JEA, whereas in regular discovery the user can run any cmdlets on the target.
I highly recommend that you go through the following docs/articles for more details:
JEA discovery -
KB0697317 - ServiceNow Discovery with Microsoft JEA
KB0782125 - Microsoft JEA Profiles for Discovery
https://community.servicenow.com/community?id=community_question&sys_id=b5927e74dbf6d0106621d9d968961988&view_source=searchResult
Regular Windows Discovery -
https://docs.servicenow.com/bundle/sandiego-servicenow-platform/page/product/credentials/reference/r_WindowsCredentialsForm.html#config-win-credentials-mid-server
https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/discovery/reference/r_DiscoWinProbesAndPermissions.html
https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/discovery/reference/r_DataCollDiscoWindowsComputers.html
12-11-2022 03:14 AM
Hi,
I noticed in the following KB:
Microsoft JEAv2 Profiles for Discovery
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0965705
It says:
Available starting with the ServiceNow Rome release, JEA version 2 enhances security by enforcing the “NoLanguage” mode and the ‘RestrictedRemoteServer’ session type. The profile doesn’t have any visible cmdlets or providers, so everything must go through the JEAExecute-Script function.
So if there are no visible cmdlets or providers, where does one configure or find those cmdlets/parameters in the role capabilities file to be used by Discovery?
Thanks.
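An added example, not part of the thread or of ServiceNow's KBs: one way an administrator can audit a registered JEA endpoint on a target against the restrictions quoted above (RestrictedRemoteServer, NoLanguage, no local admin rights for the discovery account) and list what that account can actually run. The endpoint name and account name are placeholders and must be replaced with the values from your own deployment.

```powershell
# Added example: run in an elevated PowerShell 5.1 session on a target server.
# Both names are placeholders (assumptions), not values from the thread or the KBs.
$ConfigurationName = 'ExampleDiscoveryJEA'
$DiscoveryUser     = 'CONTOSO\svc-discovery'

# Proxy commands every RestrictedRemoteServer session exposes by default.
$defaultProxies = 'Clear-Host','Exit-PSSession','Get-Command','Get-FormatData',
                  'Get-Help','Measure-Object','Out-Default','Select-Object'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Endpoint registration: session type as registered from the .pssc file.
$cfg = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop
if ($cfg.SessionType -ne 'RestrictedRemoteServer') {
    $findings.Add("SessionType is '$($cfg.SessionType)', expected RestrictedRemoteServer")
}

# 2. Effective session state for the discovery account
#    (-Full returns the InitialSessionState the account would receive).
$iss = Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $DiscoveryUser -Full
if ($iss.LanguageMode -ne 'NoLanguage') {
    $findings.Add("LanguageMode is '$($iss.LanguageMode)', expected NoLanguage")
}

# 3. Commands the account can see beyond the default proxies.
#    These come from the role capability (.psrc) files mapped to the account.
$exposed = Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $DiscoveryUser |
    Where-Object { $defaultProxies -notcontains $_.Name }
$exposed | Sort-Object CommandType, Name | Format-Table CommandType, Name -AutoSize

# 4. The reason for using JEA here: the account must not be a local administrator.
#    Checks direct membership only; nested domain groups need a separate review.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
if ($admins.Name -contains $DiscoveryUser) {
    $findings.Add("$DiscoveryUser is a direct member of the local Administrators group")
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Endpoint '$ConfigurationName' matches the expected JEA restrictions." }
```

Step 3 is the useful part for review: whatever appears there is the full command surface the discovery account has on that server.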

04-06-2022 02:29 AM