🟑 Medium   ⏱ 5–30 min  Last verified: 02 April 2027
Affected versions: Windows Server 2012 R2

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Just Enough Administration (JEA) endpoint registration fails on Windows Server 2012 R2 with errors about missing role capability files or unreadable module paths, preventing delegated admin endpoints from being usable.

Environment & Reproduction

Reproducible when JEA modules are placed outside `$env:ProgramFilesWindowsPowerShellModules`.

Get-PSSessionConfiguration
Get-Module -ListAvailable -Name JeaModule

Root Cause Analysis

JEA requires role capability files inside a module discoverable via PSModulePath.

Quick Triage

Inspect endpoint and module layout.

Get-PSSessionConfiguration | Select Name,Permission,RunAsUser
Test-Path 'C:Program FilesWindowsPowerShellModulesJeaModuleRoleCapabilitiesHelpDesk.psrc'
$env:PSModulePath -split ';'

Step-by-Step Diagnosis

Validate session configuration file syntax.

Test-PSSessionConfigurationFile -Path 'C:JeaHelpDesk.pssc'
Get-Content 'C:JeaHelpDesk.pssc' | Select-String RoleDefinitions
Illustrative mockup for windows-server-2012-r2 β€” terminal_or_powershell
Register-PSSessionConfiguration error β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Move module into the correct path and re-register.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

Copy-Item -Recurse -Force C:JeaJeaModule 'C:Program FilesWindowsPowerShellModules'
Unregister-PSSessionConfiguration -Name HelpDesk -Force -ErrorAction SilentlyContinue
Register-PSSessionConfiguration -Name HelpDesk -Path C:JeaHelpDesk.pssc
Illustrative mockup for windows-server-2012-r2 β€” error_dialog
JEA endpoint listing β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use New-PSRoleCapabilityFile and a versioned module for production.

New-PSRoleCapabilityFile -Path 'C:Program FilesWindowsPowerShellModulesJeaModuleRoleCapabilitiesHelpDesk.psrc' -VisibleCmdlets Restart-Service

Verification & Acceptance Criteria

JEA endpoint accepts connections and allows only configured cmdlets.

Enter-PSSession -ComputerName srv01 -ConfigurationName HelpDesk
Get-PSSessionConfiguration HelpDesk

Rollback Plan

Unregister the endpoint to revert to default WinRM behavior.

Unregister-PSSessionConfiguration -Name HelpDesk -Force

Prevention & Hardening

Version JEA modules in source control, sign role capability files, and audit endpoint usage.

Get-PSSessionConfiguration | Export-Clixml C:Tempjea-endpoints.xml

Linked with RunAs/JIT admin and admin tier model.

Related tutorial: View the step-by-step tutorial for Windows Server 2012 R2.

View all Windows Server 2012 R2 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: Just Enough Administration overview.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.