Jump to content
Welcome to our new Citrix community!

Applocker preventing Citrix from updating


Recommended Posts

Hi, I have enabled Applocker on some systems that use Citrix Gateway / Endpoint Analysis. I created a path whitelist for "C:\Users\*\AppData\Local\Citrix\AGEE" which fixed one issue but now I am receiving a new error:

Error creating process < cmd /c MOVE /Y * "%localappdata%\Citrix\AGEE\epaPackage">. Reason: This program is blocked by group policy

I believe it is because cmd is being called in the user context which is not allowed in my Applocker config, I am not sure if this is an automatic program update or not. Has anyone experienced similar and know of a workaround? I don't want to allow users to run cmd.


Many thanks

Link to comment
Share on other sites

Gateway plugins are updated upon connection to the ADC when the ADC firmware is updated.

So, the update is triggered when a user makes a gateway connection and the appliance detects the local client is not up to date with the firmware in use.


If you don't want the user to perform update, you would have to proactively deliver client update to users prior to connection through other software distribution options.

See software requirements and installation rights here:  https://docs.citrix.com/en-us/citrix-gateway/current-release/client-system-requirements.html

Note: plugin requires admin/root privileges .


Also, is the vpn plugin used with or with the Workspace App/Citrix Receiver?  There might be an effect of the vpn plugin integrates with the workspace app instead of displays separately.  The only reference I really found was to this:  https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about.html

I do not know if related. But also configuring the gateway client to "not integrate" with workspace app/citrix receiver in the session policy so they show up as two icons might work.

Link to comment
Share on other sites

  • 2 months later...



did you ever get this sorted?

On the assumption that all Citrix components are signed, you can try adding all apps that a signed by Citrix to be allocated within AppLocker.

Most users when configuring AppLocker use the path option to specify specific executables, but try selecting publisher and allowing the Citrix signature to control access?





Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...