Citrix Endpoint Management

Windows Agent device policy

Use the Windows Agent device policy to run PowerShell scripts on managed Windows desktops and tablets. You can point to script files uploaded to Citrix Endpoint Management as an enterprise app and to other servers that host scripts. For information about adding enterprise apps, see Add apps.

All scripts run with elevated privileges on the device; you don't need to run scripts as an administrator. Because the script itself runs privileged, anything it downloads or launches runs privileged too, so host scripts and installers only on servers whose contents you control.

After deploying and running the script, you can configure automated actions based on the results of the script. For instance, you run a script that monitors a registry key and returns a result. Based on the returned result, an automated action runs. The action grants or denies access to an app, marks the device as out of compliance, or has other effects.

You can also use this policy to deploy customized MSI installers by configuring a PowerShell script that points to an .msi file and an .mst file.
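The following script is an added example of such an MSI deployment, not Citrix's own code. It assumes a hypothetical host (files.example.com), file names (ContosoAgent.msi, ContosoAgent.mst), and SHA-256 placeholders that you replace with the real hashes; it verifies both downloads before handing them to msiexec, because the policy runs the script with elevated privileges, and it reports the outcome as JSON in the same shape the automated-action section expects.

```powershell
# Added example (not Citrix's own code): deploy a customized MSI plus transform
# (.mst) through the Windows Agent device policy. The policy runs the script with
# elevated privileges, so msiexec needs no UAC prompt. Every host, file name and
# hash below is a hypothetical placeholder.
$downloads = @{
    'ContosoAgent.msi' = @{
        Url    = 'https://files.example.com/apps/ContosoAgent.msi'   # hypothetical
        Sha256 = 'REPLACE_WITH_SHA256_OF_THE_MSI'                      # placeholder
    }
    'ContosoAgent.mst' = @{
        Url    = 'https://files.example.com/apps/ContosoAgent.mst'   # hypothetical
        Sha256 = 'REPLACE_WITH_SHA256_OF_THE_MST'                      # placeholder
    }
}
$work = Join-Path $env:ProgramData 'ContosoDeploy'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Fetch and verify each file. Because the script runs privileged, anything it
# executes runs privileged too, so never hand an unverified download to msiexec.
foreach ($file in $downloads.Keys) {
    $dest = Join-Path $work $file
    Invoke-WebRequest -Uri $downloads[$file].Url -OutFile $dest -UseBasicParsing
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $downloads[$file].Sha256) {
        # Report the mismatch in the same JSON shape so an automated action can react
        @{ installStatus = 'hashMismatch'; file = $file; actual = $actual } | ConvertTo-Json
        exit 1
    }
}

$msi = Join-Path $work 'ContosoAgent.msi'
$mst = Join-Path $work 'ContosoAgent.mst'
$log = Join-Path $work 'ContosoAgent.install.log'
# TRANSFORMS= applies the .mst customization; /qn is silent, /norestart defers any reboot
$msiArgs = @('/i', "`"$msi`"", "TRANSFORMS=`"$mst`"", '/qn', '/norestart', '/L*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# msiexec exit codes: 0 = success, 3010 = success but a reboot is required
$status = if ($proc.ExitCode -in @(0, 3010)) { 'installed' } else { 'failed' }
$body = @{
    installStatus   = $status
    msiexecExitCode = $proc.ExitCode
    rebootRequired  = ($proc.ExitCode -eq 3010)
    logPath         = $log
}
$body | ConvertTo-Json -Depth 10
```

Upload this as an enterprise app or host it at a URL, select it in a Windows Agent policy with Task type PowerShell and Schedule set to Run once, then read the returned installStatus from the device's Windows Agent download under Manage > Devices. The verbose msiexec log at logPath is what you want when installStatus comes back as failed.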

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Windows Desktop and Tablet settings

Device Policies configuration screen

  • Config name: Type a descriptive name for your configuration.

  • Task type: Select PowerShell.

  • Script type: Select Uploaded script for scripts that you’ve uploaded to Citrix Endpoint Management or select Script location (URL) for scripts hosted externally. For more information on how to upload a script to Citrix Endpoint Management, see Add Win32 apps as Enterprise apps.

    • Select script: If you chose Uploaded script, select the script to run.

    • Script location (URL): If you chose Script location (URL), enter the location of the script to run. This URL must deliver the script as a payload. Citrix Endpoint Management doesn’t support URLs that deliver scripts as a JavaScript download. The script must also be publicly available. Because the device runs whatever it fetches from this URL with elevated privileges, serve the script over HTTPS from a host whose contents you control.

  • Schedule: Select Run once to run the selected script one time or select Run on a recurring basis to run the script regularly.

    • Run every (hours): Type the number of hours between script runs.

To check on the status of a script, navigate to Manage > Devices in your console. Select the device on which you want to check the script status and click Edit. Under Properties, you can check the status of your scripts by clicking Download under the Windows Agent heading.

Deploy a PowerShell script to trigger an automated action

  1. Create a PowerShell script to monitor a registry key. The following PowerShell script checks to see if the firewall is enabled.

    $body = @{}
    $firewallEnabled = Get-ItemPropertyValue HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -Name EnableFirewall
    if($firewallEnabled -eq 1){
        $body.firewallEnabled = "true"
    } else {
        $body.firewallEnabled = "false"
    }
    $body | ConvertTo-Json -Depth 10

    This script returns a JSON object containing either

        "firewallEnabled":  "true"

    or

        "firewallEnabled":  "false"
  2. Upload the script to the Citrix Endpoint Management console as an enterprise app or host the script at an accessible URL.
  3. Configure the Windows Agent device policy described in this article. Make sure that the script is scheduled to run immediately.

  4. After the script runs, determine the script status.
    1. Navigate to Manage > Devices in your console.
    2. Select the device to check its script status and then click Edit.
    3. Click Download under the Windows Agent heading.
  5. Configure an automated action based on the status received. For more information on configuring automated actions, see Create an automated action based on a Windows Agent device policy result. That section shows the specific automated actions created for the example script and Windows Agent device policy.
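The script below is an added example of the same result-reporting pattern, not Citrix's own code. It goes beyond the single-profile check above: it reads the EnableFirewall value for all three firewall profiles under the same registry key, handles a missing key or value (which makes Get-ItemPropertyValue throw) instead of letting the script die without reporting anything, and collapses the result into one firewallEnabled field that an automated action can key on. The profile names and the extra fields (checkedAt, the per-profile values) are this example's own choices.

```powershell
# Added example (not Citrix's own code): report firewall state for every profile
# as JSON for a Windows Agent policy automated action. Any profile that cannot be
# read is reported as 'unknown' and counts as not enabled, so the device is
# flagged rather than silently passing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$profiles = @{
    domain  = 'DomainProfile'
    private = 'StandardProfile'   # "Standard" is the private profile under this key
    public  = 'PublicProfile'
}

$body = @{}
$allEnabled = $true
foreach ($name in $profiles.Keys) {
    $key = "$base\$($profiles[$name])"
    try {
        # Get-ItemPropertyValue throws when the key or the value does not exist
        $value = Get-ItemPropertyValue -Path $key -Name EnableFirewall -ErrorAction Stop
        $enabled = ($value -eq 1)
        $text = if ($enabled) { 'true' } else { 'false' }
        $body["${name}FirewallEnabled"] = $text
    } catch {
        $enabled = $false
        $body["${name}FirewallEnabled"] = 'unknown'
        $body["${name}Error"] = $_.Exception.Message
    }
    if (-not $enabled) { $allEnabled = $false }
}

# Single field for the automated action; 'false' also when any profile is unknown
$overall = if ($allEnabled) { 'true' } else { 'false' }
$body.firewallEnabled = $overall
$body.checkedAt = (Get-Date).ToUniversalTime().ToString('o')
$body | ConvertTo-Json -Depth 10
```

Keep the field you build the automated action on (firewallEnabled here) a plain string with a fixed set of values, and put diagnostic detail in separate fields; the action only needs to match one value, while the per-profile fields tell you why a device was marked out of compliance when you inspect its Windows Agent download. Note that these registry values reflect the locally configured state; a firewall setting pushed by Group Policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall and takes precedence, so on domain-joined devices compare against that key as well or query Get-NetFirewallProfile, which reports the effective state.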