After reviewing a Proof of Concept (PoC) environment for Citrix Virtual Apps and Desktops, the corporate security team advises that user access to Regedit, command line, and PowerShell must be disabled.
Which technology can a Citrix Architect use to address this requirement with the least amount of effort?
Citrix Workspace Environment Management (WEM) is specifically designed to optimize the performance of Citrix environments and manage user environments efficiently. It allows administrators to apply system and user-defined settings to control access to applications, including Regedit, command line, and PowerShell. While Citrix policies and ADMX templates can manage some aspects of user environment settings, they are not as comprehensive or straightforward for enforcing application restrictions as WEM. Therefore, to meet the requirement of disabling access to specific applications with minimal effort, WEM is the most suitable choice.
I think E is correct
You could do it with MS GPOs but the right answer is E!
I am not a WEM fan, but here there is no other option, agreed with E
Gino_ is 100% correct. Thank you Gino_ Look at this gem that I found, it confirms its WEM https://docs.citrix.com/en-us/workspace-environment-management/current-release/reference/environmental-settings-registry-values.html
GPO would have been the best answer, but its not in the list, so the next best answer is WEM (I hate this type of question, as it mentioned "least effort"). WEM requires lots of effort (WEM broker, agent, sql, ).
I am not a WEM fan also, but here there is no other option, agreed with E
WEM correct answare
I see comments saying that GPO isn't an option, but ADMX templates are designed to go into a GPO, so wouldn't that be an easier option than setting up WEM?
The point is that there aren't Citrix policies alone can't do this, you also need MS GPOs. Since "Citrix Policies & MS GPO" isn't an answer, it has to be WEM.
Citrix policies aren't Microsoft Group Policies (GPO)
I think that E is the best answer since Citrix policies are not the same of GPO.....Correct me if I'm wrong but I can't find a way to block these three apps from Citrix Policies....
It's E, Citrix Policy cant enforce regedit and cmd execution. if there is no Windows GPO so WEM is the BEST (E)
For WEM the AppLocker feature just apply security rules to Windows, such as you block the PS to run, and then the Windows will block powershell.exe to launch from anyway.
Answer is B since they are asking "with the least amount of effort?" all other options would require you to do something and/or implement something.
You cannot enforce this with Citrix Policies. There is no such setting. You can configure it with MS GPO, but this option is not available. WEM is the only available option.
Can be B and E. It is debatable. "Least amount of effort" implies Policies (B) since you already have a Windows environment. Thinking in the Citrix way implies E where you can easily mark those features as not accessible to users. But you have to install a WEm Infrastructure server and configure it. I would go for B.
There is no way to tune any regedit & pwsh start options in ctx policies Agreed that 'least amount of effort' is not about wem, but as we have no ado option, wem in more reliable. Answer is E [assuming we have wem in our infra already)]