Ryan Puffer

My feedback

  1. 3 votes
    survey  ·  1 comment  ·  PowerShell » WinRM
    Ryan Puffer commented

    Hi Martin,

    Thanks for sharing this feedback. To provide some background context: Get-PSSessionCapability is designed to show you which cmdlets someone would have access to IF they were able to connect to the endpoint. It does not actually check if the user has access to the endpoint. Users who don't have access to the endpoint will see the basic 8 commands included in any JEA session. The RoleDefinition field itself is actually optional -- while we recommend you use PSRC files to define your roles, you could also just declare the visible cmdlets and functions in the PSSC file (meaning everyone belongs to the same role).

    We'd like to survey the forum to see how others feel about having Get-PSSessionCapability return an error or empty set if the specified user does not have access to the endpoint. Let us know in the comments and with the Vote button if you also desire this or another behavior of Get-PSSessionCapability.

    Ryan

  2. 6 votes
    In Queue  ·  4 comments  ·  PowerShell » WinRM
    Ryan Puffer commented

    Thanks for the feedback, Matthew.

    We agree and are already looking into ways to bring tab completion to JEA sessions in a future release. I can't commit to a timeline, but promise it's on our radar.

    Ryan

  3. 1 vote
    survey  ·  4 comments  ·  PowerShell » Other PowerShell
    Ryan Puffer commented

    Thanks for the additional details, Arie.

    I see where you're coming from and agree there is a potential for misuse here. My next question stems from the observation you made here: "but at the same time he can swap it to his own executable with say similar name." If filenames are not sufficient to filter out "allowable" files, what would you use instead?

    For such a security-sensitive operation as allowing JEA users to run EXEs in their user drive, I might propose an alternate solution: create a second function in your JEA session that pulls known good binaries from a trusted source and verifies the package's authenticity in a way that makes sense for your organization (check if it's signed by your enterprise CA, query a database of trusted binaries, etc.).

    I'm happy to help brainstorm some ideas here -- feel free to shoot me an email if you're interested. My email address is first.last@microsoft.com

    Ryan
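
The approach suggested in the comment above, sketched as an added example (not part of the original comment and not code from the JEA project). The function name `Install-ApprovedTool`, the share path, the staging directory and the root CA thumbprint are hypothetical placeholders, and the session is assumed to mount the `User:` drive.

```powershell
function Install-ApprovedTool {
    [CmdletBinding()]
    param(
        # Bare file name only: no path separators, so the caller cannot leave the share
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]+\.exe$')]
        [string] $Name
    )

    # Hypothetical values: replace with your organization's own
    $trustedSource = '\\fileserver.example\ApprovedTools'
    $trustedRoots  = @('<ENTERPRISE-ROOT-CA-THUMBPRINT>')
    $stagingRoot   = Join-Path $env:ProgramData 'JEAStaging'   # must not be writable by JEA users

    New-Item -ItemType Directory -Path $stagingRoot -Force | Out-Null
    $staged = Join-Path $stagingRoot ([guid]::NewGuid().ToString() + '.exe')
    Copy-Item -LiteralPath (Join-Path $trustedSource $Name) -Destination $staged -ErrorAction Stop

    try {
        # Verify the staged copy, not the share, so the bytes checked are the bytes delivered
        $sig = Get-AuthenticodeSignature -LiteralPath $staged
        if ($sig.Status -ne 'Valid') {
            throw "Signature on '$Name' is $($sig.Status); refusing to install."
        }

        # Build the signer's chain and require its root to be an approved enterprise CA
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($sig.SignerCertificate)) {
            throw "Certificate chain for '$Name' could not be validated."
        }
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($trustedRoots -notcontains $root.Thumbprint) {
            throw "'$Name' chains to unapproved root '$($root.Subject)'; refusing to install."
        }

        Copy-Item -LiteralPath $staged -Destination (Join-Path 'User:\' $Name) -Force
    }
    finally {
        # Never leave unverified or rejected files behind in staging
        Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue
    }
}
```
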

    Ryan Puffer commented

    Hi Arie,

    Thanks for the suggestion! Could you help us understand how you would use this feature? For example, what types of files would you restrict?

    We'll keep this in the back of our minds as we continue to improve JEA and will keep following this thread to gauge interest in this feature to help us prioritize our work.

    Thanks!

    Ryan

  4. 11 votes
    survey  ·  1 comment  ·  PowerShell » Other PowerShell
    Ryan Puffer commented

    Thanks for the feedback, Ben. I can definitely see where this could save time when authoring a JEA endpoint. We'll monitor this thread to gauge support and determine whether to add this feature to a future version of JEA.

  5. 6 votes
    3 comments  ·  PowerShell » Other PowerShell
    Ryan Puffer commented

    Thank you for the feedback, Jason and Matthew. We're currently taking a look into what it would take to add this capability to PSSC files. Regarding the mapping of role capability names to PSRC files, I will add some clarifying text in the documentation in our next documentation update.

    Ryan

  6. 1 vote
    5 comments  ·  PowerShell » PowerShell Engine
    planned  ·  Zachary Alexander responded

    Per Ryan’s response:
    “This is a known issue in WMF 5.0 and Windows Server 2016 Technical Preview. We are working to get this fixed in a future release, but until then you can only use virtual accounts in JEA on domain-joined machines.”

    Ryan Puffer commented

    Hi Greg,

    Just so I understand you correctly: are you saying you are seeing this error on 2012 R2, or that it works on 2012 R2 but not 2016?

    Ryan

    Ryan Puffer commented

    Hi Greg,

    This is a known issue in WMF 5.0 and Windows Server 2016 Technical Preview. We are working to get this fixed in a future release, but until then you can only use virtual accounts in JEA on domain-joined machines.

    Apologies for the inconvenience!

    Ryan

  7. 3 votes
    1 comment  ·  PowerShell » ISE and tooling
    Ryan Puffer supported this idea
  8. 2 votes
    2 comments  ·  PowerShell » PowerShell Engine
    Ryan Puffer commented

    Hi Greg,

    Thank you for sharing your repro steps. We've identified this as a bug and are actively working to fix this.

    Ryan

  9. 2 votes
    3 comments  ·  PowerShell » PowerShell Engine
    Ryan Puffer commented

    Hi Greg,

    Can you share more information on how you configured this endpoint? For instance, how did you register this PSSC file?

    One thing to note is that editing the PSSC in the System32 folder is not supported. Instead, to update a JEA endpoint you should unregister the endpoint and re-register the updated PSSC file so that the appropriate WinRM cleanup and configuration procedures can take place.

    Ryan

  10. 3 votes
    2 comments  ·  PowerShell » PowerShell Engine
    Ryan Puffer commented

    Hi Greg,

    Thank you for sharing your findings. We've identified this as a bug and will have a fix in the next release of JEA/WMF.

    Ryan

  11. 5 votes
    2 comments  ·  PowerShell » Documentation
    Ryan Puffer commented

    Hi Greg,

    Thanks for pointing this out and I apologize for the gap in our help content. We'll update the documentation shortly with details on this and any other missing parameters.

    In the meantime, I encourage you to check out the JEA Experience Guide at http://aka.ms/JEA. This guide may be able to answer some of your questions about how these new features are used.

    Ryan
