Citrix EPA issue with Chrome/Edge 98 – Fixed with Microsoft Endpoint Manager


By Brian Wagner
Posted in Support
On February 07, 2022

Due to a new security feature in both Chrome and Edge version 98 (they both share the Chromium code), EPA (Endpoint Analysis) will no longer launch through the browser.

Citrix released this article: EPA fails after Chrome/Edge version 98 upgrade (citrix.com)

The article states that the workaround is to add your gateway FQDN to the “InsecurePrivateNetworkRequestsAllowedForUrls” policy for both Chrome and Edge.

While this sounds easy enough, the change needs to be made on a remote machine (presumably an asset, as that is how most are using EPA policies). But the machine can’t connect to the VPN, so it can’t receive a GPO or any other on-network method of making this change.

To address this, Gotham rolled out this change quickly using Microsoft Endpoint Manager (Intune). There are a few ways to accomplish this, but the simplest is to put everything into a PowerShell script and have MEM deploy it to the users. Since MEM is cloud based, it will deploy the script whether the user is on VPN or not, which ensures the user gets the change wherever they are.

Below is a sample PowerShell script we used to deploy the policies:

# Edge Fix
$RegistryPath = 'HKCU:\Software\Policies\Microsoft\Edge\InsecurePrivateNetworkRequestsAllowedForUrls'
$Name         = '1'                     # entries in this list policy are numbered string values
$Value        = 'gateway.customer.com'  # replace with your gateway FQDN

# Create the key if it does not exist
If (-NOT (Test-Path $RegistryPath)) {
  New-Item -Path $RegistryPath -Force | Out-Null
}

# Now set the value
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String -Force

# Chrome Fix
$RegistryPath = 'HKCU:\Software\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowedForUrls'
$Name         = '1'
$Value        = 'gateway.customer.com'

# Create the key if it does not exist
If (-NOT (Test-Path $RegistryPath)) {
  New-Item -Path $RegistryPath -Force | Out-Null
}

# Now set the value
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String -Force

  1. Create a similar file and save it with a new name, such as CitrixEPABrowserFix.ps1. Then go to the MEM console and add the PowerShell script.
  2. From Home->Devices->Windows, click PowerShell scripts, then click Add. Under Basics give it a name, then click Next.
  3. Under Settings, click the Script location folder and select the CitrixEPABrowserFix.ps1 file you created. Also make sure to check Run this script using the logged on credentials, and Run script in 64 bit PowerShell Host. Click Next when done.
  4. Under Assignments, you can apply this to All users, or add specific users/groups, then click Next.
  5. Under Review + add click Add.

On the next check-in, the registry changes should be made in the user’s profile and EPA should function again (a browser restart is likely required).
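The sample script writes the value named '1' with -Force, which replaces any entry already stored under that name. The variant below is an added example, not part of the original post or Gotham's script: it appends the gateway at the first unused index and reports any other origins already exempted, so the exception stays scoped to the gateway. The helper names Get-ListPolicyEntries and Add-AllowedOrigin are hypothetical, and gateway.customer.com is the placeholder FQDN from the script above.

```powershell
# Added example: idempotent variant of the deployment script (not the author's code).
# Assumption: 'gateway.customer.com' is the placeholder FQDN; replace with your own.
$Gateway    = 'gateway.customer.com'
$PolicyKeys = @(
  'HKCU:\Software\Policies\Microsoft\Edge\InsecurePrivateNetworkRequestsAllowedForUrls',
  'HKCU:\Software\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowedForUrls'
)

function Get-ListPolicyEntries {
  param([string]$Path)
  # Return the name/value pairs stored under a list-policy key (empty if the key is absent).
  if (-not (Test-Path $Path)) { return @() }
  $key = Get-Item -Path $Path
  foreach ($n in $key.GetValueNames()) {
    [pscustomobject]@{ Name = $n; Value = [string]$key.GetValue($n) }
  }
}

function Add-AllowedOrigin {
  param([string]$Path, [string]$Origin)
  if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
  $entries = @(Get-ListPolicyEntries -Path $Path)
  # Nothing to do when the origin is already listed under any index.
  if ($entries.Value -contains $Origin) { return 'AlreadyPresent' }
  # Use the first unused numeric name so existing entries are never overwritten.
  $index = 1
  while ($entries.Name -contains "$index") { $index++ }
  New-ItemProperty -Path $Path -Name "$index" -Value $Origin -PropertyType String | Out-Null
  return "AddedAs$index"
}

foreach ($path in $PolicyKeys) {
  $result = Add-AllowedOrigin -Path $path -Origin $Gateway
  # Any entry other than the gateway is an extra exemption worth reviewing.
  $extra = @(Get-ListPolicyEntries -Path $path | Where-Object { $_.Value -ne $Gateway })
  [pscustomobject]@{
    Key    = $path
    Result = $result
    Extra  = ($extra.Value -join ', ')
  }
}
```

Running it a second time returns AlreadyPresent for both keys, so it is safe to leave assigned in MEM.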

Hope this helps you remediate this and future issues with MEM!

Brian Wagner

Brian has over ten years’ experience in the planning, design, and implementation of technology solutions. He supervises technical specialists at projects, and has spoken at many technical seminars. Brian is an application integration specialist with experience configuring over 1,000 applications to work in multi-user environments, and manages Gotham’s thin client and server consolidation practices.