Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!

How to Lock Down a Remote PowerShell with a Constrained Endpoint

How can I use constrained endpoints to lock down remote PowerShell access?

When considering whether to allow PowerShell to run on servers, security has been a concern for some system administrators. Despite its powerful and wide-reaching feature set, PowerShell was designed with security in mind from the bottom up, and it is the most secure means of managing Windows Server. In this article, I’m going to show you how to configure a constrained endpoint on Windows Server 2012 to make sure users can only perform a limited set of tasks when connecting to PowerShell remotely.

PowerShell remoting is enabled in Windows Server 2012 out-of-the-box, and by default only users with local administrator privileges can connect to the default endpoint. An endpoint is a set of configuration parameters that determine what permissions and features are available to users connecting to PowerShell across the network. Luckily, it’s possible to create your own custom endpoints. For instance, you might like to create an endpoint that allows helpdesk users to connect remotely to a server without local administrator permissions, and to restrict users to performing a limited set of tasks.

Create a New Endpoint

Login to your server with an account that has local administrator permissions and follow the instructions:

  • Right-click the blue PowerShell icon on the desktop taskbar and select Run as Administrator from the menu.
  • In the PowerShell console, type Get-PSSessionConfiguration and press Enter. This will show you all the existing endpoints on the server. You’ll see the microsoft.powershell endpoint requires users to be a member of the built-in Administrators or Remote Management Users group.
  • To create a new endpoint for your helpdesk, type Register-PSSessionConfiguration -Name “Helpdesk” in the PowerShell window and press Enter. Type Y and press Enter to confirm the action.
  • Type Y and press Enter again to confirm restarting the WinRM service.
  • Now we need to set permissions on the new endpoint. Type Set-PSSessionConfiguration –Name Helpdesk –ShowSecurityDescriptorUI and press Enter. Type Y and press Enter to confirm the action.
  • A new window will appear allowing you to set permissions using the GUI. In this case I’m going to give an AD group called Helpdesk full access to the new endpoint. Click OK in the permissions dialog when you’re done.

Configure Constrained Endpoints for Remote PowerShell Access: permissions

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

  • Type Y and press Enter again to confirm restarting the WinRM service.
  • Type Get-PSSessionConfiguration and press Enter again, and you’ll see your new endpoint listed.

PowerShell is security transparent, so when users who are only a member of the Helpdesk group connect to the endpoint, they will only be able to perform tasks which their Windows permissions permit.

Connect to the new endpoint

To make a connection to the new endpoint, open PowerShell on a remote computer and type Enter-PSSession -ComputerName <servername> -ConfigurationName Helpdesk and press Enter, replacing <servername> with the name of the remote server where the new endpoint was created.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (3)

3 responses to “How to Lock Down a Remote PowerShell with a Constrained Endpoint”

  1. PowerShell Remoting: Restricting User Commands

    [...] my previous article, "How to Lock Down a Remote PowerShell with a Constrained Endpoint?," I described how you can create a new remote PowerShell endpoint that doesn’t require users to [...]
  2. Eric Maynard

    Thank you for this article - is it possible to accomplish something similar for local users? I'd like to restrict a specific local user account to only performing the types of tasks described in this article.

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By