Navigation
This post covers Citrix Workspace Environment Management (WEM) versions 2411 and older.
- Change Log
- Overview
- WEM Infrastructure Install/Upgrade:
- WEM Configuration Sets
- Import Recommended Settings
- WEM Administrators
- WEM Agents:
- WEM Actions Configuration:
- Transformer
💡 = Recently Updated
Change Log
- 2024 Dec 4 – Group Policy Migration Tool
- 2024 Dec 4 – Updated Install sections for version 2411
- 2023 Sept 16 – updated entire article for WEM Web Console
- 2308 Transformer can detect Workspace app
- 2023 June 2 – Group Managed Service Account at Citrix Docs
- 2023 May 30 – added link to CTP James Kindon WEM Advanced Guidance – 2023 at CUGC
Overview
Workspace Environment Management (WEM) is Citrix’s Performance Management and UEM (User Environment Management) tool for all XenApp/XenDesktop Enterprise or Platinum Customers with active Software Maintenance (Subscription Advantage is not sufficient). The WEM Agent is supported on XenApp 6.5, and XenApp/XenDesktop 7.x. Videos:
- Hal Lange demonstrates Citrix WEM Performance Optimizations in a YouTube video
- YouTube video XenTegra Citrix Workspace Environment Management (WEM) Webinar
- CUGC Welcome to Citrix Workspace Environment Management (WEM) – Hal Lange, CTP Steve Greenberg, CTP Carl Webster
Note: WEM does not replace Citrix Profile Management. You usually implement both.
Citrix Blog Post User Experience on Steroids: Citrix Workspace Environment Management has a list of Frequently Asked Questions about WEM, including a drawing of the architecture.
From Hal Lange at Database sizing at Citrix Discussions: SQL Always On is fully supported. In WEM 1909 and older, the ONE caveat is to remove from the Always On Availability Group before upgrading.
Here are the official calculations from the Norskale days on space needed on the SQL Server:
- Reserve 1GB of RAM per 1,000 users deployed
- RAM=1.5GB system + (1.5GB SQL + 1 GB per 1,000 users) for that SQL instance
- Disk = 1GB per 10,000 users per year + 10 MB per WEM site configured
Upgrade WEM
There is no LTSR version of Citrix Workspace Environment Management (WEM), so you should always upgrade to the latest version of WEM.
From Upgrade a deployment at Citrix Docs: In-place upgrades from versions earlier than Workspace Environment Management 4.7 to version 1808 or later are not supported. To upgrade from any of those earlier versions, you need to upgrade to version 4.7 first and then upgrade to the target version.
If you want to upgrade a WEM deployment earlier than 2006 to 2209 or later: To avoid database upgrade failures, upgrade to 2103 first and then to 2209 or later.
CTA Marco Hofmann at CUGC: How-To: Update Citrix Workspace Environment Management (WEM) from 4.x to 4.7 (v4.07.00.00)
To upgrade Citrix WEM:
- In-place upgrade the Citrix Licensing Server. No special instructions.
- Ensure the installed licenses a non-expired Subscription Advantage date.
- Before you upgrade, run WEM Infrastructure Service Configuration Utility and record all settings.
- In-place upgrade the WEM Server. No special instructions.
- Use the Database Maintenance tool to upgrade the WEM database.
- In WEM 1909 and older, before upgrading the database that’s in a SQL Server Always On availability group, you must remove it from the availability group. This is no longer required in WEM 1912 and newer.
- You might have to run the WEM Infrastructure Service Configuration Utility on each WEM Server to point to the upgraded database. If the settings are still there, then just click Save Configuration.
- In-place upgrade the WEM Console. No special instructions.
- In-place upgrade the WEM Agents.
- Srinivasan Shanmugam at WEM Agent v4.5 Upgrade Issues at CUGC mentioned that you might have to delete Agent’s local database.
- Srinivasan Shanmugam at WEM Agent v4.5 Upgrade Issues at CUGC mentioned that you might have to delete Agent’s local database.
Install/Upgrade WEM Server (Infrastructure Service)
There is no LTSR version of Citrix Workspace Environment Management (WEM), so you should always upgrade to the latest version of WEM.
The WEM Infrastructure Service can be installed on one or more servers, but Citrix says don’t install it on Delivery Controllers. The WEM Agent cannot be installed on the Infrastructure Service server.
- Another option: CTP James Kindon explains how to install WEM Server on Windows Server Core
A WEM Server with 4 vCPU and 8 GB RAM can support up to 3,000 users.
- Port 8288 – WEM 1912 and newer have a new port 8288 for WEM Agent Cache Synchronization. You’ll need to add this port to your load balancer and open it in your firewall.
- Port 8285 is still available for WEM Agents 2012 and older connecting to newer WEM Servers.
- Old port removed – The Cache synchronization port (8285) was removed from WEM Server 2103 and newer, so make sure your existing agents are a version that supports the newer Cached data synchronization port. WEM Agent 1912 and newer should be sufficient.
- If your existing WEM Agents don’t support the new port number, then upgrade your WEM Server to version 2012 (or version 1912), upgrade your WEM Agents to the corresponding version, and then upgrade the WEM Server to a newer version.
- Port 8285 is still available for WEM Agents 2012 and older connecting to newer WEM Servers.
- Download Workspace Environment Management 2411 and extract it.
- If you are upgrading, run WEM Infrastructure Service Configuration Utility and record all settings. These settings might be wiped out during the upgrade.
- Licenses – make sure your installed CVAD licenses have a CSS date that is later than the date required by your WEM version. The required CSS date is shown at the top of the WEM download page.
- Run the downloaded Citrix Workspace Environment Management Infrastructure Services Setup.exe from the 2411-01-100-01 folder.
- Check the box next to I agree to the license terms and click Install.
- In the Welcome to the Citrix Workspace Environment Management Infrastructure Services Setup Wizard page, click Next.
- In the Destination Folder page, click Next.
- In the Ready to install Citrix Workspace Environment Management Infrastructure Services page, click Install.
- In the Completed the Citrix Workspace Environment Management Infrastructure Services Setup Wizard page, click Finish.
- Click Launch Database Management Utility.
- Antivirus – C:\Program Files (x86)\Citrix\Workspace Environment Management Infrastructure Services and C:\Program Files (x86)\Norskale\Norskale Infrastructure Services must be excluded from Antivirus scanning. Or exclude: Norskale Broker Service.exe; Norskale Broker Service Configuration Utility.exe; Norskale Database Management Utility.exe.
- If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured. Note: this folder seems to be missing in newer versions of WEM.
- Firewall – Ensure firewall allows the following ports to/from the WEM Infrastructure Service servers. See Citrix Tech Zone Communication Ports Used by Citrix Technologies.
- Agent Port – defaults to TCP 8286 – from WEM Agent to WEM Infrastructure Service
- AgentSyncPort – defaults to TCP 8285 – from WEM Agent to WEM Infrastructure Service
- Cached data synchronization port – defaults to TCP 8288 – from WEM Agent 1912 and newer to WEM Infrastructure Service
- AdminPort – defaults to TCP 8284 – from WEM Admin Console to WEM Infrastructure Service
- Monitoring Port – defaults to TCP 8287 – from Director to WEM Infrastructure Service
- AgentPort – defaults to TCP 49752 – from WEM Infrastructure Service to WEM Agent
Upgrade WEM Database
Workspace Environment Management has PowerShell commands. For details, see Citrix Workspace Environment Management SDK at Citrix Developer docs.
To upgrade the Workspace Environment Management database using the GUI tool:
- If this is a new install, skip to Create WEM Database.
- The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
- On the WEM server, run Database Management from the Start Menu.
- If upgrading, in the ribbon, click Upgrade Database.
- In WEM 1906 and newer, the fields might already be filled in. Otherwise:
- Enter the SQL Server Name.
- Enter the existing WEM Database Name.
- Configure the credentials for the WEM service account.
- If your account is not a sysadmin on SQL, then enter a SQL account in the Database Credentials fields.
- Click Upgrade.
- Click Yes when asked to proceed.
- Click OK when prompted that database upgraded successfully.
- Click Finish to close the Database Upgrade Wizard.
- Close the WEM Database Management Utility.
- Open services.msc and restart the Citrix WEM Infrastructure Service or restart Norskale Infrastructure Service.
After the database is upgraded, run the WEM Infrastructure Service Configuration Utility.
- If the upgrade preserved the settings, then simply click Save Configuration. The service won’t start unless you do this.
- In WEM older than version 1906, you might have to re-configure the settings.
- On the Licensing tab, configure the licensing server.
- On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
- On the Advanced Settings tab:
- Enter the Infrastructure service account credentials.
- Enter the vuemUser SQL user account password.
- In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
- Make a choice regarding Google Analytics.
- The Advanced Settings tab will look something like this.
- On the Database Settings tab, enter the database server name and database name.
- In the ribbon, click Save Configuration.
- On the Licensing tab, configure the licensing server.
- Click Yes to restart the Broker Service.
- Skip ahead to upgrade the WEM Administration Console.
Create WEM Database
Workspace Environment Management has PowerShell commands. For details, see Citrix Workspace Environment Management SDK at Citrix Developer docs.
To create the database using the GUI tool:
- The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
- Make sure SQL Server authentication (mixed mode) is enabled on the SQL server > Properties > Security. Even though the WEM Infrastructure Service server runs as an AD account that is used login to SQL, WEM Infrastructure Service also uses a SQL account named vuemUser, which means mixed mode must be enabled. Source = John Long at WEM new install, cannot connect to infrastructure server at Citrix Discussions.
- On the WEM server, run WEM Database Management Utility from the Start Menu.
- If a new install, in the ribbon, click Create Database.
- In the Create database Wizard page, click Next.
- In the Database Information page, enter the SQL server name, and enter a new Database Name.
- Only enter an instance name if you have a named SQL instance.
- Only enter a port number if your SQL instance is listening on a static port number other than 1433.
- From Måns Hurtigh at Problem creating WEM 4.3 Database on SQL Server 2012 at Citrix Discussions: The database name cannot contain a dash.
- The paths might not be correct so double check them. Then click Next.
- In the Database Server Credentials page, if your account has sysadmin permissions, then leave the box checked. Otherwise, uncheck the box, and enter a SQL login that has sysadmin permissions. Click Next.
- In the VUEM Administrators section, click Browse, and select your Citrix Admins group.
- In the Database Security page, if you intend to load balance multiple WEM servers, then specify a Windows service account for database access. The WEM Infrastructure Service will run as this account. See the load balancing topic at Install the Citrix Workspace Environment Management Infrastructure Services at Citrix Docs.
- WEM 2305 and newer support group Managed Service Account (gMSA). See Group Managed Service Account at Citrix Docs.
- The Database Creation Wizard also creates a SQL account called vuemUser with an 8 character alphanumeric password. If you want it more complex, check the box and specify the password.
- Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Also see SQL Server Always On at Citrix Docs.
- Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Also see SQL Server Always On at Citrix Docs.
- Click Next.
- In the Database Information Summary page, click Create Database.
- Click OK when prompted that the database was created successfully.
- Click Finish to close the Database Creation Wizard.
- Close the WEM Database Management Utility.
- There is a log file at “C:\Program Files (x86)\Citrix\Workspace Environment Management Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log” or at “C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log”
WEM Infrastructure Services Configuration
- On the WEM Server, run WEM Infrastructure Service Configuration Utility from the Start Menu.
- On the Database Settings tab, enter the SQL Server name and database name.
- Switch to the Advanced Settings tab.
- If you intend to load balance WEM Servers, then Browse to a service account. This service account must have access to the database.
- The service account must be in the local Administrators group on the WEM servers.
- The service account must be in the local Administrators group on the WEM servers.
- Enter the vuemUser SQL user account password.
- In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
- Make a choice regarding Google Analytics.
- The Advanced Settings tab will look something like this.
- On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
- On the Licensing tab, you can enter a Citrix License Server 11.14.0.1 or newer that has valid licenses. Or you can enter the license server later in the admin console.
- Click Save Configuration in the ribbon.
- Click Yes when asked to restart the Broker Service.
- Close the WEM Infrastructure Service Configuration utility.
- If you are load balancing WEM servers, then you must also create a Kerberos SPN, where
[accountname]
is the service account you are using for the Norskale service. If you have multiple WEM deployments in a single forest, then WEM 2411 and newer let you specify an alternative SPN as detailed at Citrix Docs.
setspn -U -S Norskale/BrokerService [accountname]
Install/Upgrade WEM Console
- Run Citrix Workspace Environment Management Console Setup.exe from the downloaded WEM 2411 (aka 2411-01-100-01) installation files.
- Check the box next to I agree to the license terms and click Install.
- In the Welcome to the Citrix Workspace Environment Management Console Setup Wizard page, click Next.
- In the Destination Folder page, click Next.
- In the Ready to install Citrix Workspace Environment Management Console page, click Install.
- In the Completed the Citrix Workspace Environment Management Console Setup Wizard page, click Finish.
- Click Close.
Install/Upgrade WEM Web Console
Install or upgrade the WEM Web Console on the WEM Server. The WEM Web Console can use port 443 if nothing else is using that port.
- In the extracted WEM 2411 folder, right-click Citrix Workspace Environment Management Web Console.exe and click Run as administrator.
- Check the box next to I agree to the license terms and click Install.
- In the Welcome to the Citrix Workspace Environment Management Web Console Setup Wizard page, click Next.
- In the Destination Folder page, click Next.
- In the Ready to install the Citrix Workspace Environment Management Web Console Setup Wizard page, click Install.
- In the Completed the Citrix Workspace Environment Management Web Console Setup Wizard page, click Finish.
- Click Launch Web Console Configuration. This might not work if you didn’t run the installer elevated.
Web Console Configuration
- Create a file share for WEM and grant Modify permission to a service account.
- Create a service account and add it to WEM Console > Administration > Administrators as Global Admin with Full Access and not Disabled.
- Install a certificate in the Local Computer store (certlm.msc).
- From the Start Menu, right-click WEM Web Console Configuration, expand More, and click Run as administrator.
- Click Next.
- The Port number cannot conflict with other services already using the port, including IIS.
- The Infrastructure server name can be localhost if you installed the Web Console on the WEM Infrastructure Server.
- User name must be Global Admin inside WEM.
- Click Start service.
- Click Configure certificate.
- Browse to the local cert and then click Set up certificate.
- Click Finish.
- Launch the Web Console and login.
- Click your name on the top-right and click Storage folder.
- Enter the UNC path to the file share for WEM.
- Check the box next to Require credentials and enter the service account. Click Done.
WEM Configuration Sets
Each WEM Agent belongs to one Configuration Set. Most actions in a Configuration Set can be filtered, but some settings are global to the Set. To handle global settings, you can create multiple Configuration Sets that apply to different WEM Agents.
In WEM Web Console (2308 and newer):
- On the left, click Configuration Sets.
- On the right, click Add configuration set.
- Give the set a name and click Save.
- Click a Configuration Set to create Actions and configure other settings.
- Use the drop-down menu on the top-left to switch to a different Configuration Set.
- Directory Objects lets you add individual computers or computer Organizational Units (OUs) and assign them to Configuration Sets.
- Back in the list of Configuration Sets, on the right, you can click Backup and Restore.
- Click Backup to perform a manual backup. Or click Manage automatic backup. The backups are stored in the SMB file share. In WEM 2407 and newer, automatic backups can keep up to 25 backups.
- Notice the Directory objects are not included in the backups.
- After you have a backup, you can Restore it to any Configuration Set. This is an easy way of copying one Set to another.
In WEM Classic Console:
- From the Start Menu, run WEM Administration Console.
- In the ribbon, click Connect.
- In the Infrastructure Server Connection window, enter the WEM Server name, and click Connect.
- Some WEM Console settings are global (every agent gets the same setting). So if you want different global settings for different agents, then you create multiple WEM Configuration sets. At the top of the window, in the ribbon, you can create a new WEM Configuration set.
- WEM 1912 and newer can Backup and Restore entire Configuration Sets, which makes it easy to duplicate a Configuration Set.
- When Restoring a Configuration Set, there’s no need to create a new empty Set. Just run the Restore wizard and WEM will try to use the original Configuration Set name. If the original Configuration Set already exists, then WEM will append _1 to the name, which you can then rename.
- When Restoring a Configuration Set, there’s no need to create a new empty Set. Just run the Restore wizard and WEM will try to use the original Configuration Set name. If the original Configuration Set already exists, then WEM will append _1 to the name, which you can then rename.
- Once you have multiple Configuration sets, you can use the drop-down to switch between them.
- A WEM Agent can only belong to one WEM Configuration set. Different Agents can belong to different WEM Configuration sets.
- In WEM 4.3 and newer, you add agents to the Configuration set at Active Directory Objects (workspace on bottom left) > Machines (node on top left). You can add OUs or individual objects (computers or computer groups).
Import Recommended Settings
If you have multiple WEM configuration sets, this process should be repeated for each new, empty WEM configuration set. This process is only available in the classic WEM Console.
- On the right side of the ribbon, click Restore.
- Select Settings and click Next.
- In the Settings Restore wizard, click Next.
- In the Restore from folder section, click Browse, and browse to the \Workspace-Environment-Management-v-2411-01-100-01\Configuration Templates\Default Recommended Settings folder that was included in the WEM download.
- In the Settings Type Selection section, check all available boxes, and click Next.
- In the Restore settings processing window, click Restore Settings.
- Click Yes when prompted to replace.
- Click Finish.
CTP James Kindon at WEM Hydration Kit has a collection of Applications, File System and Registry Actions that can be imported to WEM. CTP James Kindon recently added Environmental Settings to the Hydration Kit.
WEM 1909 and newer can Migrate your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.
WEM Administrators
This is only configurable in the Classic WEM Console.
- In the Administration Console, go to Administration (workspace on bottom left) > Administrators (node on top left).
- In the right pane, click Add, and specify an Active Directory group that can administer WEM.
- After adding a group or user, right-click the new administrator, and click Edit.
- Use the Permissions drop-down to select a role. The roles are detailed at Administrators at Citrix Docs.
- Then use the State drop-down to select Enabled. New administrators are initially disabled. Click OK to close the window.
WEM Agent Configuration
For configuration guidance, see CTP James Kindon WEM Advanced Guidance – 2023 at CUGC.
Most of these settings are available in the WEM Web Console.
- In the WEM Web Console, click a Configuration Set, expand Advanced Settings and click Agent Settings.
- Click Agent options.
- When making changes, make sure you click Apply changes periodically.
- When making changes, make sure you click Apply changes periodically.
- Setting on these tabs are mostly self-explanatory. Feel free to change any as desired. If you imported a default configuration, then many of these might already be enabled. If not, then configure them manually.
- Check the Launch agent options. and Enable desktop compatibility mode. Web Console lets you configure launch exclusions.
- Enable automatic refresh.
- Enable Offline Mode and Use cache to accelerate actions processing. More info at Citrix Blog Post Workspace Environment Management agent caching explained.
- The Action processing section lets you select which modules should be refreshed on reconnect.
- Scroll down and there are options to process printers and drives asynchronously.
- Agent service options section has a setting for Bypass ie4uinit Check. Enabling this might eliminate a 2-minute delay before WEM Agent starts.
- On the left is UI Agent Personalization. On the right is Appearance and interaction. You can change the UI agent theme. Other settings on this page let you hide the splash screen.
- The Helpdesk Options section lets you enable Screen Capture from the WEM Agent.
- At Advanced Settings > Monitoring Preferences, in WEM 2407 and newer, expand Profile container insights and you can Enable large file scanning.
- Then you can run the report at Monitoring > Profile Container Insights.
- Then you can run the report at Monitoring > Profile Container Insights.
System Optimization
- The System Optimization node lets you configure the various optimizations.
- WEM Classic Console has a System Optimization workspace (bottom left).
- WEM Classic Console has a System Optimization workspace (bottom left).
- On the top left, click the CPU Management node/section.
- CPU Spikes Protection gives processes equal access to the CPU.
- There’s an option for Auto Prevent CPU Spikes.
- From Hal Lange: “CPU Usage Limit should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU. Example: if 2 CPU’s are available, the CPU setting should not be set above 49%, if 4 CPU’s are available, the CPU setting should not be set above 24%”
- Hal Lange demonstrates Citrix WEM Performance Optimizations in a YouTube video.
- Other tabs/sections let you manually specify CPU priority and/or clamping.
- CTX230843 WEM protection and Skype for Business + Real Time Optimization Pack has a list of processes that should be excluded from WEM CPU Spikes protection.
- CTX230843 WEM protection and Skype for Business + Real Time Optimization Pack has a list of processes that should be excluded from WEM CPU Spikes protection.
- Web Console > Monitoring > Insights > Optimization Insights has a report showing CPU optimization.
- From CTA Chris Schrameyer WEM – CPU LOGGING: WEM does not provide any built-in logs to determine when a CPU Spikes Protection action is taken. It would be nice to know what processes are often limited, so we can then add them to a CPU Clamping policy or identify why they are using so much CPU.
- From CTA Chris Schrameyer WEM – CPU LOGGING: WEM does not provide any built-in logs to determine when a CPU Spikes Protection action is taken. It would be nice to know what processes are often limited, so we can then add them to a CPU Clamping policy or identify why they are using so much CPU.
- Memory Management node, you can enable Optimize Memory Usage for Idle Processes to periodically reclaim memory from running processes. This feature tells processes to flush their memory to disk. In other words, you’re trading memory for disk.
- WEM 2206 adds an option for Optimize only if total available memory is less than (MB) or Do Not Optimize When Total Available Memory Exceeds (MB). In other words, WEM does not optimize memory until available memory drops below this value.
- WEM 2206 adds a Memory Usage Limit for Specific Processes. Dynamic means the process memory is not limited until available memory is low.
- In the I/O Management node, on the right, you can prioritize process IO. Use the slider on the far right to enable the feature.
- In the Fast Logoff node, in the right pane, enabling Fast Logoff disconnects a session immediately, and runs logoff processes in the background.
- WEM 2003 and newer have a Citrix Optimizer feature. If you enable it, then the WEM Agents will disable services and scheduled tasks according to the settings in the template. WEM comes with built-in templates, or you can add your own. Newer versions of WEM have newer templates. WEM 2311 and newer support Windows 11 and Windows Server 2022.
- WEM 2012 and newer have an option to Automatically select Templates to Use.
- The Monitoring > Administration > Agents section adds a Process Citrix Optimizer action to each agent.
- WEM 2012 and newer have an option to Automatically select Templates to Use.
- WEM 2112 and newer have a Multi-session Optimization feature that lowers the priority of processes running in disconnected sessions.
Security
This section is only available in the WEM Classic Console.
- Click the Security workspace. On the top left, click the Process Management node. In the right pane, in the Processes Management tab, enable Process Management. The other tabs are grayed out until you check this box.
- You can BlackList processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
- You can BlackList processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
- On the top left, click Application Security.
- WEM database query from CTX233578 Application Security rules might not be enforced properly when multiple users simultaneously log on to the same server OS machine:
UPDATE VUEMSystemUtilities SET Value='0' WHERE Name='AppLockerControllerReplaceModeOn' AND idSite=[idSite];
- WEM database query from CTX233578 Application Security rules might not be enforced properly when multiple users simultaneously log on to the same server OS machine:
- You can use the top-left sub-nodes to configure AppLocker. See Application Security at Citrix Docs.
- If you click the Executable Rules sub-node, on the bottom right is a button to Add Default Rules.
- If you edit a rule…
- You can assign the rule to a user group.
- The list of user groups comes from Active Directory Objects (workspace on bottom left) > Users.
- On top of the right pane, set Rule enforcement to On or Audit.
- In the ribbon is a button to Import AppLocker Rules that were exported from a group policy.
- The other sub-nodes follow the same configuration pattern.
- If you click the Executable Rules sub-node, on the bottom right is a button to Add Default Rules.
- WEM 2112 and newer have a Privilege Elevation feature under the Security workspace. You might have to scroll down to find it. On the right, check the box for Process Privilege Elevation Settings. Notice the setting for Do Not Apply to Windows Server OSs.
- On the left, click Executable Rules under Privilege Elevation. Then on the bottom right click Add Rule.
- Give the rule a name and select an assignment.
- There are options to restrict the elevation to specific parameters. For example, you can restrict cmd.exe so it can only elevate specific scripts. Click Next.
- Browse to the executable file and click Create.
- CTP David Wilkinson has more details on this feature.
- On the left, click Executable Rules under Privilege Elevation. Then on the bottom right click Add Rule.
- WEM 2203 adds a Self-elevation feature that lets users manually run processes elevated. See Citrix Docs for details.
- WEM 2006 adds Process Hierarchy Control, which lets you restrict or allow a parent process from launching specific child processes. See Citrix Docs for configuration details.
- On the agent side, you must enable Process Hierarchy Control by running elevated AppInfoViewer.exe from C:\Program Files (x86)\Citrix\Workspace Environment Management.
- Click Enable Process Hierarchy Control.
- Acknowledge that a restart is required.
- On the agent side, you must enable Process Hierarchy Control by running elevated AppInfoViewer.exe from C:\Program Files (x86)\Citrix\Workspace Environment Management.
- WEM has an audit log of the security features at Administration workspace > Logging node > Agent tab.
Policies and Profiles
- WEM Web Console > Profiles > Profile Management Settings lets you push Citrix Profile Management settings to WEM Agents
- On the top right you can click Quick setup to Start with template. Choose either File-based or Container-based.
- There’s an option to configure user-level settings instead of computer-level.
- See the Citrix Profile Management post for details on a recommended Profile Management configuration. Some of the newer settings might be missing from WEM.
- If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.
- In the WEM Classic Console, at Policies and Profiles > Citrix Profile Management Settings, in the right pane, the File System tab has a useful Profile Cleansing button to remove excluded folders from an existing UPM profile share. This function might not be necessary if you enable Logon Exclusion Check.
- Adjust the Profiles Root Folder, click Scan Profiles Folder, and then click Cleanse Profile(s).
- Adjust the Profiles Root Folder, click Scan Profiles Folder, and then click Cleanse Profile(s).
- To configure folder redirection in the WEM Classic Console, on the top left, click Microsoft USV Settings.
- On the right, on the Roaming Profiles Configuration tab, check the box to Process User State Virtualization Configuration.
- Then switch to the Folder Redirection tabs, and configure them as desired.
- On the right, on the Roaming Profiles Configuration tab, check the box to Process User State Virtualization Configuration.
- For Environmental Settings, WEM Classic Console has the Policies and Profiles workspace (bottom left) with three nodes on the top left.
- In the Environmental Settings node (top left), in the right pane, you can enable Environmental Settings, and configure restrictions that are usually configured in group policy. Peruse the various tabs on the right. Administrators can be excluded from these restrictions. These settings are only in the WEM Classic Console. In WEM Web Console they are replaced by group policies.
- The Environmental Settings within the WEM Administration Console are per-machine, not per-user. This means that, by default, all the settings configured inside of a Configuration Set apply to every non-admin user that logs into that particular Agent machine. In order to have different Environmental Settings apply to different users/user groups, they would need to be applied to a separate WEM Agent machine, and all the settings would need to be configured inside a separate Configuration Set to which the WEM Agent Machine is bound. Source = CTX226487 Guidance on configuring WEM settings per user/user groups.
Scripted Tasks
Web Console lets you configure Scripted Tasks that run at the agent (computer) level.
- First, add the task/script to Scripted Tasks at the global le
- Scripted tasks are PowerShell scripts.
- Scripted tasks are PowerShell scripts.
- Then go to a Configuration Set and click Scripted Task Settings.
- On the far right, click the … next to a scripted task and then click Configure.
- Enable the task and choose a Filter.
- The Triggers page lets you choose when the script should run. You can Create new trigger.
- One of the options is Scheduled.
WEM Agent Group Policy
- In the WEM Download, go to the \Workspace-Environment-Management-v-2411-01-100-01\Agent Group Policies\ADMX folder.
- Copy the .admx file, and the en-US folder to the clipboard.
- Go \\MyADDomain.com\sysvol\MyADDomain.com\Policies.
- If you have a PolicyDefinitions folder here, then paste the .admx file and folder.
- If you don’t have PolicyDefinitions in Sysvol, then instead go to C:\Windows\PolicyDefinitions, and paste the .admx file and folder there.
- If you don’t have PolicyDefinitions in Sysvol, then instead go to C:\Windows\PolicyDefinitions, and paste the .admx file and folder there.
- Look for older versions of the WEM .admx and .adml files (in the en-us subfolder) and delete them. Remove any WEM .admx and .adml files that have a version number.
- Edit a GPO that applies to the VDAs that will run the WEM Agent.
- In WEM 1906 and newer, go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Workspace Environment Management | Agent Host Configuration.
- On the right, double-click Infrastructure server.
- Enable the setting, enter the FQDN of the WEM server (or load balanced name), and click OK. Note: It must be FQDN.
- Assign Agents to a Configuration Set.
- In the WEM Web Console, go to Directory Objects and click Add object.
- In the WEM Classic Administration Console, choose a Configuration Set and then go to Active Directory Objects workspace (bottom left) > Machines node (top left), and in the right pane, add an OU or individual machines.
- In the WEM Web Console, go to Directory Objects and click Add object.
- It’s possible that an Agent might register with multiple Configuration sets. You can review the registrations in Web Console at Monitoring > Administration > Agents.
- Registrations tab (right pane) might show you Agents not registered with any Configuration Set. Add the Agent to Active Directory Objects > Machines.
- Registrations tab (right pane) might show you Agents not registered with any Configuration Set. Add the Agent to Active Directory Objects > Machines.
Install/Upgrade WEM Agent
For command line unattended installation of WEM Agent, see Alain Assaf at Citrix Discussions.
- WEM agent upgrade task – WEM 2311 and newer can push Agent upgrades to existing agents. In a Configuration Set, configure a file share under App Package Delivery. Then import the WEM Agent to the share. Then create a Delivery task. More details at App Package Delivery at Citrix Docs.
- If App Layering, Citrix recommends installing the WEM Agent in the Platform Layer.
- If you are installing the WEM Agent in a App Layer, see George Spiers to workaround an issue with the Netlogon service in a Platform Layer that has the Provisioning Services Target Device software installed.
- If you are installing the WEM Agent in a App Layer, see George Spiers to workaround an issue with the Netlogon service in a Platform Layer that has the Provisioning Services Target Device software installed.
- Use registry editor to confirm that the WEM GPO has applied to the Agent machine. Look for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host\BrokerSvcName.
- VDA installer – In VDA 2012 and newer, the WEM Agent is included with the VDA installer; however, this install method has been deprecated. You can instead install it separately as detailed in the next step.
- Manual install – On a VDA Master machine, run Citrix Workspace Environment Management Agent.exe from the downloaded WEM 2411 (aka 2411-01-100-01) installation files.
- In the Citrix Workspace Environment Management Agent window, check the box next to I agree to the license terms and click Install.
- In the Welcome to the Citrix Workspace Environment Management Agent Setup Wizard page, click Next.
- In the Destination Folder page, click Next.
- In the Deployment Type page, select On-premises Deployment and click Next. Basic Deployment in WEM 2407 and newer does not need any infrastructure. See Citrix Docs.
- In the Infrastructure Service Configuration page, change the selection to Skip Configuration since you’ve already configured the group policy. Click Next. Note: In WEM 1912 and newer, the cache synchronization port changes from 8285 to 8288.
- In the Advanced Settings page, if this machine will be used with Citrix Provisioning and has a Provisioning cache disk, then you can optionally move the WEM Cache to the Provisioning cache disk. Click Next. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
- In the Ready to install Citrix Workspace Environment Management Agent page, click Install.
- In the Completed the Citrix Workspace Environment Management Agent Setup Wizard page, click Finish.
- In the Installation Successfully Completed window, click Close.
WEM Agent Cache
- After installation, check the registry under HKLM\System\CurrentControlSet\Control\Norskale\Agent Host to verify your command line switches applied correctly.
- WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
- In WEM Agent 1909 and newer, the WEM Agent installation path is now C:\Program Files (x86)\Citrix\Workspace Environment Management Agent instead of C:\Program Files (x86)\Norskale\Norskale Agent Host and you might have to modify your WEM Agent Cache Refresh scripts with the new path. See CTP James Kindon Citrix WEM Updated Start-Up Scripts for more details.
- Optionally, you can pre-build the Agent Cache by running AgentCacheUtility.exe, which is located in C:\Program Files (x86)\Citrix\Workspace Environment Management Agent (fresh WEM Agent 1909 and newer) or in C:\Program Files (x86)\Norskale\Norskale Agent Host.
- It needs the following switches:
-refreshcache -brokername:MyWEMServer
- From Hal Lange: “AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:) the broker name should always be in FQDN since this does use Kerberos for the authentication.”
- You can also use the Web Console at Monitoring > Administration > Agents to refresh an agent’s cache and perform other actions. The Synchronization column indicates if the cache is up to date or not. It takes a few minutes to update.
- It’s also in WEM Classic Administration Console at Administration workspace (bottom left), Agents node (top left)
- It’s also in WEM Classic Administration Console at Administration workspace (bottom left), Agents node (top left)
- From Hal Lange: “Need to optimize the client by running ngen for .NET optimizations in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
C:\Windows\Microsoft.NET\Framework\v4.0.30319 C:\Windows\Microsoft.NET\Framework64\v4.0.30319 ngen.exe update ngen.exe eqi 1 ngen.exe eqi 3
- Antivirus – C:\Program Files (x86)\Citrix\Workspace Environment Management Agent or C:\Program Files (x86)\Norskale\Norskale Agent Host must be excluded from Antivirus scanning. Or exclude Citrix.Wem.Agent.Service.exe; Norskale Agent Host Service.exe; VUEMUIAgent.exe; Agent Log Parser.exe; AgentCacheUtility.exe; AppsMgmtUtil.exe; PrnsMgmtUtil.exe; VUEMAppCmd.exe; VUEMAppCmdDbg.exe; VUEMAppHide.exe; VUEMCmdAgent.exe; VUEMMaintMsg.exe; VUEMRSAV.exe.
- If you use WEM to push UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings. Delete the machine cache, which is at the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UsvMachineConfigurationSettings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings
This will force WEM to re-apply the per-machine settings (Microsoft USV or Citrix UPM settings, respectively).
- WEM Cache tends to break often. See CTP James Kindon Citrix WEM Cache Problems…. Again for a script to reset the cache periodically.
- CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.
- WEM Agent 2308 and newer have improved Event Viewer logging.
WEM Agent on Citrix Provisioning Target Device
From Citrix Discussions: create a computer startup script that deletes the WEM cache and refreshes it:
net stop "Citrix WEM Agent Host Service" /y net stop "Norskale Agent Host Service" /y del D:\WEMCache\ /S /F /q net start "Citrix WEM Agent Host Service" net start "Norskale Agent Host Service" net start "Netlogon" timeout /T 45 /nobreak "C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache -brokername:XXXX "C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshCache -brokerName:XXXX
From Julian Mooren Citrix Workspace Environment Management with PVS – Synchronization State “Unknown”: For Citrix Provisioning, schedule a task to run the following commands at Target Device boot (Trigger = At Startup).
"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache "C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshcache
From CTA David Ott at Using Citrix Workspace Environment Management to Redirect Folders via Symbolic Links – Speed Up Logon: before shutting down your maintenance/private mode vdisk to re-seal, kill the Citrix WEM Agent Host Service or Norskale Agent Host Service. For whatever reason if you don’t do this it can cause your vms in standard mode to take an obscenely long time to shutdown.
Base Image Script Framework (BIS-F) automates many image sealing tasks, including tasks for Workspace Environment Management. The script is configurable using Group Policy.
Monitoring
- WEM Web Console > Monitoring > Insights has some reporting, including a report showing disk space consumed by profile containers.
- In the WEM Classic Administration Console, the Monitoring workspace (bottom left) lets you see Logon Time and Boot Time reports.
- Double-click a category to see more info.
- Configuration node (top left) lets you configure Work Days Filtering for Login/Boot Time Reports.
- WEM 2203 adds a Profile Container Insights report for both FSLogix and UPM Profile Containers.
- When you make changes in the console, if agents are already installed, you can right-click the agent icon (by the clock), and Refresh.
- You can also go to the Administration workspace (bottom left) > Agents node (top left). In the right pane, right-click one or more Agents, and click the Refresh options.
- WEM 1811 and newer periodically run UPMConfigCheck every day, or whenever the Norskale Agent Service restarts. The Administration > Agents node in the WEM Console has a visual indicator of the UPMConfigCheck results. For status details, check the file C:\Windows\Temp\UPMConfigCheckOutput.xml on each WEM Agent Machine.
WEM Actions Configuration
WEM Actions are similar to Group Policy Preferences.
The general process is as follows:
- Create the Actions
- Optionally create Action Groups
- Add AD user groups to the WEM Console.
- Assign Actions or Action Groups to user groups. Use Conditions and Rules to perform the Action (or Action Group) for only a subset of machines or users in the user group.
Create Actions
- WEM Tool Hub 2411 has a new tool for Group Policy Migration. More details at Citrix Docs.
- In the WEM Console, use the Actions workspace to map drives, map printers, create shortcuts (Applications), set registry keys, etc. Each Action type is a separate node. New features (e.g., group policy templates, JSON Files, INI files, Ports, User DSNs) are only available in the Web Console.
- WEM 1909 and newer can Migrate or Import your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.
- In Group Policy Management Console, back up the GPOs that you want to import to WEM.
- Go to the GPO Backup folder and zip everything.
- In WEM Console, go to Actions > Group Policy Settings and click Import.
- WEM 2209 and newer let you Import Registry File.
- WEM 2012 and newer let you edit the imported group policies.
- It seems to be a registry editor that doesn’t use ADMX templates.
- In Group Policy Management Console, back up the GPOs that you want to import to WEM.
- WEM Web Console lets you configure GPOs using traditional ADMX templates. Switch to the Template-based tab. Standard Windows templates are already built into the Web Console, but you can upload more templates.
- In WEM Classic Console, some Actions, on the Options tab, have a Self-Healing option. To optimize performance, WEM only applies an action once. The Self-Healing option causes it to reapply at every logon.
- Network Drives have no field for selecting a drive letter. Instead, you configure the drive letter later when assigning the action as detailed below.
- External Tasks are scripts that are triggered at user logon, reconnect or other triggers. WEM 2203 adds triggers for Process start and Process end. WEM 2009 adds triggers for Disconnect, Lock, and Unlock.
- Applications (shortcuts)
- In the Actions pane, Applications have no option for placing a shortcut on the Desktop. Instead, you configure shortcut placement later when assigning the action as detailed below.
- You can pull icons from a StoreFront store.
- In Web Console, you’ll need to add the StoreFront URL by clicking the Settings button on the top right, or in Classic Console go to Advanced Settings (workspace) > Configuration (node) > StoreFront (tab).
- Get published app resource info by downloading the WEM Tool Hub and using it to copy the resource info. Or Classic Console lets you Browse when creating an Actions > Application and selecting a Store URL.
- Links:
- CTX233638 How to configure, deploy, and troubleshoot StoreFront-based assigned application actions in Workspace Environment Management (WEM)
- CTP James Kindon Storefront Resource Integration with WEM 4.6 – explains how to change the icon
- In Web Console, you’ll need to add the StoreFront URL by clicking the Settings button on the top right, or in Classic Console go to Advanced Settings (workspace) > Configuration (node) > StoreFront (tab).
- Arjan Mensch at Powershell Module for Citrix WEM – Part 3 – EnvironmentalSettings and MicrosoftUsvSettings from GPO and much, much more provides a PowerShell Module that can do several things to help setup WEM, including reading a bunch of shortcuts (e.g. from Start Menu), and converting them to an .xml file that can be imported into WEM. This simplifies Applications configuration.
- To prevent applications (shortcuts) from being created if the application isn’t installed, go to Advanced Settings > Agent Settings > Miscellaneous (or Advanced Settings > Configuration > Agent Options), and check the box next to Check Application Existence in the Extra Features section.
- To clean up extra shortcuts, go to Advanced Settings > Action Settings > Action cleanup (or Advanced Settings > Configuration > Cleanup Actions), and check the boxes in the Shortcuts deletion at startup section. Also see CTP James Kindon Citrix WEM, Modern Start Menus and Tiles.
- After you create Applications (Shortcuts), and assign them, on the agent, there’s a Manage Applications tool that lets users control where shortcuts are created, including pinning to Taskbar and Start Menu.
- Applications can be placed in Maintenance Mode. Edit an application, and find the Maintenance Mode setting on the Options tab.
- This causes the icon to change, and a maintenance message to be displayed to the user.
- The Applications node has a Start Menu View tab on the top right.
- For the Printers Action, there’s a Add from print server button or in the ribbon there’s a Import Network Print Server button.
- Web Console uses the WEM Tool Hub to browse the print server.
- Web Console uses the WEM Tool Hub to browse the print server.
- JSON Files are Web Console only. This Action lets you configure Microsoft Teams settings and Windows 11 Start Menu.
- WEM Tool Hub in WEM 2407 and newer has a Start Menu Configurator for Windows 11.
- For Teams, click Add JSON object and select Standard.
- Click the Generate with template button.
- Choose your desired Microsoft Teams configurations.
- WEM Tool Hub in WEM 2407 and newer has a Start Menu Configurator for Windows 11.
- WEM 2311 and newer support Registry Entries in the Web Console. There’s an Import button that can import .reg files.
- On the top right is a Settings button.
- If Registry Actions are not applying, delete HKEY_CURRENT_USER\Software\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\. (Source = Registry Entries not applied to users at Citrix Discussions)
- On the top right is a Settings button.
- WEM 2311 and newer have File System Operations in the Web Console. There are several Action types.
- There’s a Settings button on the top right.
- There’s a Settings button on the top right.
- WEM 2311 and newer have File Associations are available in the Web Console. It uses WEM Tool Hub to configure the FTAs.
- WEM 2402 and newer have INI Files, Ports, and User DSNs.
- CTP James Kindon at File Type Association with WEM and SetUserFTA explains how to use WEM to run Christoph Kolbicz’s SetUserFTA utility to reliably set file type associations on Windows 2012 and newer.
- For variables that can be used in the Actions configurations, see CTP James Kindon WEM Variables, Dynamic Tokens, Hashtags and Strings.
- Action Groups are not yet available in Web Console. You can combine multiple Actions into an Action Group. Then you can later assign the entire Action Group to a user.
- Create an Action Group and name it.
- Double-click the Action Group to show the actions on the bottom.
- On the bottom, move Actions from the Available box to the Configured box.
- For more info, see Action Groups at Citrix Docs.
Create Conditions and Rules
Once the Actions and Action Groups are created, you then need to decide under what conditions the Actions are performed. One or more Conditions are later combined into a Filter (or Rule). The Filters (or Rules) are used later when assigning an Action to a user group.
- In Web Console, go to Assignments > Filters and click the Manage Conditions button and then click Create condition. Select one of the many condition types.
- Or in Classic Console, go to the Filters workspace (bottom left). On the top left, switch to the Conditions node. In the right pane, create Conditions.
- One of the interesting Conditions is User SBC Resource Type, which lets you run Actions for either Published Desktop or Published Application.
- CTP James Kindon at WEM filter conditions on OU and IP Address at Citrix Discussions says that the Active Directory Path Match condition requires a
*
at the end of the path.
- Then go back to Filters and click Create filter.
- Or in Classic Console, switch to the Rules node (top left) and create Rules in the right pane.
- If you add (by clicking the right arrow) multiple Conditions to a Rule, all (AND) Conditions must match. Web Console lets you click the circle icon to make it an OR operator, but this isn’t an option in the Classic Console.
Add AD Groups to WEM Console
- In WEM Web Console, go to Assignments > Assignment Targets and click Add assignment target.
- Or in Classic Console, go to the Active Directory Objects workspace (bottom left). With the Users node selected on the top left, in the right pane, add groups and/or users that will receive the Action assignments.
- Web Console also lets you add new targets when managing assignments for each action.
Assign Actions to User Groups
- You can assign multiple actions from one place by clicking an assignment target and then clicking the Manage assignments button.
- In Classic Console, go to the Assignments workspace (bottom left) > Action Assignment node (top left). In the right pane, initially the bottom half is empty. Double-click a group to show the Actions that are available for assignment.
- When you assign an action, you can choose a Filter.
- In Classic Console, move an available Action or Action Group from the left to the right. This assigns the Action (or Action Group) to the user group.
- You will be prompted to select a Filter, which contains one or more Conditions.
- In Classic Console, move an available Action or Action Group from the left to the right. This assigns the Action (or Action Group) to the user group.
- When you select a Network Drive (or move a Network Drive to the right), you’re prompted to select a drive letter.
- The list of drive letters is restricted based on the configuration at Advanced Settings workspace (bottom left) > Configuration node (top left) > Console Settings tab (right pane).
- The list of drive letters is restricted based on the configuration at Advanced Settings workspace (bottom left) > Configuration node (top left) > Console Settings tab (right pane).
- Application assignment lets you choose where to create the icon.
- In Classic Console, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.
- In Classic Console, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.
- Web Console also lets you Manage assignments directly from each Action.
Actions Troubleshooting
WEM caches Actions executions under HKEY_CURRENT_USER\SOFTWARE\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\Tasks Exec Cache. Sometimes clearing these keys and values will fix Actions not applying.
CTP James Kindon at Selective Deletion of the WEM Actions Tracking Cache wrote a PowerShell script to selectively clear these registry keys and values.
Modeling Wizard
- In the Classic Console, in the Assignments workspace, you can use the Modeling Wizard node (top left) to see what Actions apply to a particular user.
Client Side Tools
CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.
Transformer
You can enable Transformer, which puts the WEM Agent in Kiosk mode. Users can only launch icons (e.g., Citrix icons). Everything else is hidden. This is an alternative to Workspace app Desktop Lock. The Transformer interface is customizable.
WEM 2308 and newer use Edge instead of Internet Explorer. Edge enables StoreFront to detect Workspace app and auto-launch desktops.
- In the WEM Classic Console, there’s a Transformer Settings workspace (bottom left) with two nodes on the top left: General and Advanced.
- Enable Transformer, and point it to your StoreFront URL. Note, this applies to all users and all agents in this WEM configuration set. You should probably have a new Configuration Set just for Kiosk devices.
- Other settings on the General Settings tab let you customize the appearance, and specify an unlock password. You probably want to disable the Clock. The Navigation Buttons are browser navigation.
- Transformer can be unlocked by pressing Ctrl+Alt+U and entering the unlock password.
- On the Site Settings tab, you can add website URLs that can be launched from within Transformer.
- At the top of the Transformer window is a Sites icon that lets you go to the sites listed in the WEM Console.
- The Advanced node lets you configure Transformer to launch a process other than a browser.
- The Advanced & Administration Settings tab lets you hide features from Transformer.
- To prevent users from accessing the local system, consider checking Hide Taskbar & Start Button.
- You probably want Log Off Screen Redirection to redirect users to the logon page when StoreFront logs off.
- The Logon/Logoff & Power Settings tab lets you configure the WEM Agent to autologon as a specific account. Transformer then displays the StoreFront webpage where the user enters his or her credentials.
Excellent article!
I’m testing WEM 4.0.1 with XD 7.12 and MS Server 2016. The main purpose to use WEM is to build the Windows Start Menu and probably use the System Optimization stuff.
When I log in with a new user it happens sometimes that I cannot click on the WEM-created folders or icons.
After I logoff and logon again, the Start Menu is working fine.
Did someone have this problem also? Do you think it’s a server 2016 or a WEM issue?
If it’s a WEM problem then this product is not ready to use for production =/
Any help is very appreciated!
Anyone? Carl?
I have not seen this problem yet. Have you opened a case with Citrix Support?
No, not yet. I’m still doing my tests and try to figure out by myself if it’s maybe a server Problem or for example because the published apps from Receiver also are copied to the start menu.
But I’ll open a case with Citrix Support.
Was just hoping that I’m not the only/first one with this problem 🙂
UPM had an issue with Start Menu not working when usrclass.dat was roamed. But that should be fixed now. Or usrclass.dat needs to be excluded from roaming.
Hello Carl,
So it seems that all of my research shows the before citrix took over this product it worked 100 percent. Once citrix got ahold of it re-programed things things break and are not smooth. One of the biggest questions clients ask me is why? They have great products but everyone something the market about that is a huge change and can help. It’s always buggy.
How do u answer this lol. More of a what do u do senario?
Ray Davis
Hey, I have two questions. Today I did a complete install of XenApp 7.12 and WEM with Server 2012R2 Worker. I tried to configure both UPM and folder redirection through WEM, but only the folder redirection gets applied. The UPM settings are completely ignored. Any hint where I could look for the problem?
Second, the WEM Agent starts only about 30-90 seconds after the user login. I did a PoC of Norskale about a year ago, and there it started immediately at the user logon. Any idea why?
There’s a private hotfix for the WEM Agent issue.
Do you see UPM settings at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings?
I have tried the new DLL, the WEM agent still doens’t start at the user logon. It still takes 30-60 seconds before the agent starts. I filed a call, but still wait for feedback.
I found the settings at the registry hive, but whey were from my disabled MS GPO. I then found out, that I can reset the UPM settings through the WEM console, this solved the UPM issues. Thanks for the hint.
Just to help other people, we found the solution to the 2 minute delay of the WEM agent in the Agent Host Log (enabled via registry):
———–
17:49:47 Warning -> LogonController.Processie4UinitChecks() : Starting ie4uinit Wait Loop for Domain\Marco.Hofmann : User Version -> / Computer Version -> 11,0,9600,0
17:51:57 Warning -> LogonController.Processie4UinitChecks() : Exiting ie4uinit Loop for Domain\Marco.Hofmann
———–
I enabled the following feature in the WEM Console:
Bypass ie4uinit Check: by default, the Agent service will wait for ie4uinit to run before launching the Agent executable. This setting forces the Agent service to not wait for ie4uinit.
Hey Carl! Have you managed to get the Transformer agent working with StoreFront and Receiver. Specifically, single sign-on? Do you know if single sign-on is supported at all?
When we point it at our StoreFront 3.8 servers, the Transformer specifically requests explicit authentication. If we alt-tab out of the Transformer, we can point Internet Explorer at the exact same address and SSO works no problem. If we disable expliict auth on the store (and just leave SSO), then the Transformer fails loading StoreFront, stating there are no longon methods available. The StoreFront logs show the Transformer requesting explicit auth so that is expected. We’ve tried the ‘wait for Receiver to launch’ setting but that doesn’t work either.
It seems like this component, which was licensed by ThinkKiosk to Norskale (http://thinscaletechnology.com/norskale-transformer-is-ready-2/), is pretty out of date with what is available via ThinKiosk (http://thinscaletechnology.com/thinkiosk-gets-citrix-netscaler-support/).
Thanks mate.
SSON does not appear to work at this time.
Thanks mate, we’ve got a support ticket open about this.
Citrix support has advised it does not work and a code update is required. There is no specified ETA for implementation, however “it is expected to be available by the end of this year” [2017].
Wow.
Case number is 72263608 in case anyone needs it. Time to look at something else!
Also note that SSO does work with Web Interface.
i get some Errors on the wem agent host system.
The creator of this fault did not specify a Reason.
and “No matching Site Found … Exiting.”
But i have create a GPO with the Sitename and the broker address.
can anybody help me?
Check HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host to make sure GPO applied correctly.
yes “SiteName” and “BrokerSvcName” is correctly set. the third value is “(Default)” and is not set.
SiteName matches a site configured in the WEM Console?
now it works, i have set the port for the agents via gpo too
Just ran into the “broker machine error or port error” message on running the ‘AgentCacheUtility.exe -RefreshCache -brokermachine wem.corp.com’ command.
Solution was to first create the Agent GPO with the broker machine name and link it to the VDA OU 🙂
So keep in mind to first built and apply the agent GPO before trying to refresh the cache.
This helps
https://www.youtube.com/watch?v=D6_xbRYSq3I
Long but helped. Login optimization around 1 hour 4 mintues into it help me.
On slow networks like WAN links the agent is starting as always, but the configured actions are not carried out. If we wait until the desktop has settled and then do a manual refresh, all the missing printers, drive mapings etc. appear.
Seems that either the slow WAN link is leading to this or the agent is loading too early end the configured actions can not be carried out that early?
Tried to set the network “agent options-timeout value” higher and also the “service options-agent extra launch delay”, but neither of them helped. Any insights on this?
Hello Carl,
I have some question around Actions and assignments.
One thing I see is you are adding the action items that include printer, Drive mappings, Reg tuning ect here. Then you made sure the Filter is applied for AD group match. The assigned to the farm name.
Then you set the user you wanted it to apply to under configured users. Example Domain Users
Does this mean that they will get all the assigned action items? Or that it’s available to them, and I have to move it over to the assigned area on the right side?
Are the action settings a global thing? Or is each action item you set for the configured user to applied it to as a whole? This is In the action tab and configured tab I am referring to.
I am just confused on actions, the available, and assigned.
You assign Actions to an AD group first. You double-click any AD group you added to the console. In the Available box, you see the Actions not yet assigned to this AD group. You move them to the right so that the Actions are performed for members of this AD group. If you use the Always True filter, then the Action occurs for every user in the group, on every machine. You can use Filters to reduce the machines the Action runs on. It’s interesting that you can only apply one Filter per action per AD group.
We have A LOT of GPOs which take quite a long time on each and every boot and especially logon and we’d like to speed this up with WEM.
Only the big question is how to “convert” all these GPOs and if WEM is able to replace any GPO, no matter which kind?
I’m surprised that I could not find anything on this issue in any documentation and the posts here.
If we all needed to “clone” all the functionalities manually without any automatic conversion, it would take us ages and I’m sure that this would be a real problem for almost all other admins with real Citrix environments also?
It’s not possible to import .ADMX files to WEM.
The logon time savings come from moving Actions from Group Policy Preferences to WEM. Actions include: drive mappings, printer mappings, etc. WEM runs them in the background.
That means WEM can only handle GPPreferences and all so the majority of all other GPOswill always have to stay within standard admx/GPOs still?
And regarding drive/printer mappings: Since they are run asynchronously in WEM, I can never be sure when they have been applied, just as if I would run logon scripts asynchronously, which is possible with standard GPOs already, but causes more trouble than advantages in many respects?
There are some GPO ADMX settings. But you can’t import ADMX.
The idea is faster logons. Citrix Session Printing also runs asynchronously. Group Policy Preferences runs synchronous.
it’s possible to disable async at Advanced Settings > Agent Options > Async Printers Processing.
i think you can only convert the User section of your GPOs not the Computer section
Any idea how to assign the drive letter “B” to a network drive? when i try to assign it is is greyed out. Others are fine such as “E” upwards…
Hi Carl,
Great article!
What would be the recommendation for the agent cache when using server session hosts (VDAs) with MCS?
Leave it on the C: drive and pre-load it. Also see http://www.citrixirc.com/?p=789
I have followed your guide. My lab setup is a Windows 2016 domain / Xendesktop 7.12.
WEM is using the Default site, i have added one application and 1 network drive in the WEM console, but when i log into the VDI client or Xenapp server i dont see my test applicaton or network drive mapping….Both the application and network drive is enabled in the WEM console.
I can see the VDI client and Xenapp server under Agents in the WEM console. Anyone else experienced this?
Did you assign the actions to a user group using a rule/condition?
Hello, we use XenApp 7.6 and publish full desktops to users. We find users can consume a lot of the CPU/Mem when running videos on IE/Chrome like YouTube. I think WEM can help with this but we also have AppSense coming in to show us how it can help. We are the differences between WEM and Appsense, This would be a great article I think.
Hey, From my Experience with AppSense Suite, you get 3 products, one for Software Restriction and Security (Application Manager), one for System Optimization (Performance Manager) and UEV (Environment Manager) – up until the release of WEM by Citrix, you have only UPM, with WEM you now have UEV and System Optimization, what Appsense gives is the additinal SRP and Security which Citrix lacks a product for.
If you consider Appsense, I would check out RES Workspace as wel. Both solutions have a far more holistic approach to User Environment Management opposed to WEM which barely scratches the surface of what the others are capable of. Think about user centric security for example.
The main areas we are looking for is improving performance and logon times to our XenApp desktops. So stop users consuming all the CPU/mem on a VDA and we use a UPM for our user profiles and group policies so ways around speed that up.
We would also like to control what applications users have access too.
Hi Carl,
I’m having another look at it – and unless I am mistaken (very probably), there is no place I can see to apply certain ADMX group policy settings. e.g. setting MS-word file paths etc. So for certain things we need to do it via GP and others via WEM. Is this correct?
thanks
Dave
Hey, I was wondering did anyone add any excluded processes to system optimization cpu management feature? i’m wondering because i’m thinking that if i see this message in the norskale event log:
Initializing process limitation thread for process : UserProfileManager with ID : 2104 [detected average of 12.42857%]
then does this mean, i’m actually causing my UPM agent to run slower? (the UPM reached this CPU when i logged off 30+ users at once during a load test),
what do you guys think?
The 7.11 director issue has nothing to do with WEM. It is a known bug that there is a private hotfix for.
Hello! Just found your amazing post. Tried to work it out with the documentation in the download – which really sucks.
Question – does wsm replaces profile manager or should you use both? I’m setting up a completely new xenapp / xendesktop environment.
WEM does not replace UPM. You should use both.
Has anyone else had an issue with Director failing to report Average Login Duration for delivery groups that have WEM agent installed? Environment is XD 7.11, w10vdi and w16sbc guests.
@jjh there is a bug in Director 7.11 with this. However citrix does offer a private fix. But I was told by a escalation engineer to upgrade to 7.12 director to rectify the bug. I was one of there dev testing sites for the bug. So they rolled it into 7.12 director.
Hi Carl, we have a pretty strict SQL policy, i can’t use the name VUEMUser and the DB is in another AD forest so i can’t use AD account during DB creation, do you know of a way to change the name of the default VUEMUser in the DB?
Hallo Carl
How can i create Default Printers in Citrix Workspace Enviroment Management? I created for every Printer-Tray a Printer in the Citrix Workspace Enviroment Management. I created also a AD-Group for every Printer and on for the Default Printer.
Example: User1 is in the AD-Group Printer01, Printer02 and Printer02_Default => now all Printer-Tray from Printer01 and Printer02 should be mapping and set the default Printer-Tray from Printer02.
User2 is in the AD-Group Printer01, Printer02 and Printer01_Default => now all Printer-Tray from Printer01 and Printer02 should be mapping and set the default Printer-Tray from Printer01. How can do this
How can do this in the Citrix Workspace Enviroment Management, that the user have at the end the right default printer?
The Printer-Mapping works very well.
Sorry for my bad english. I hope you unterstand my questions. Thanks for your help
Are you asking how to mark a printer as the default? You add the AD group to the WEM Console. Then you assign the printer to the AD group. During assignment there’s a drop-down to make the printer the default.
I see that you can setup this with load balancing. But if you only have two brokers in HA, how do you proceed then?
I’m not sure what you’re asking. You can load balance the WEM Servers on the ports they are listening on. Then point the Agents to the DNS name that resolves to the Load Balancing VIP.
I have currently have two xendesktop controllers setup in HA, but without any netscaler loadbalancing vip. I guess I need too install the WEM server on both the controllers?
WEM is completely separate from XenDesktop. WEM is it’s own server. You can build two WEM servers and load balance them. There is no connection to the XenDesktop Brokers. WEM also calls itself a broker.
oh! That explains a lot. I thought it had to be installed on the brokers to function. Thanks for clarifying that.
As usual great article.
Hi Carl,
Great article.
Has anyone tried to setup the “Send to Support” option under Advanced Settings, UI Agent Personalization?
It does not seem to work with Outlook 2016 MAPI profile.
Is Outlook 2016 supported for this feature?
Agent log reveals the following error: “No valid default MAPI profile found”, the Outlook 2016 client is correctly configured.
did you ever get a solution for this? I am running into the same issue myself.
Same here – any suggestions?
I’d like to know if anyone has extensive real-world experience with the CPU and IO Management features. I’ve started with the basic configuration in Hal’s video, only to find that intensive logon operations such as the App-V client refreshing take significantly longer. I then find myself trying increasingly complex combinations of process exclusion, priority/affinity/claming, changing the CPU usage limit and IO management with widely varied results. I’d like to see some tuning advice from someone who’s implemented this in a production environment similar to ours (Win7 pooled desktops, App-V 5 in SCS mode, Symantec Endpoint Protection, XenDesktop 7.11 with UPM).
II have installed the agent on windows server 2012R2 . To succesful install,u need to create the local user before running the installer. Otherwise the installer fails on password complexity with the creation of the local user.
or if you use these /v switches your are able to set your password and it will install :
/v”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\” VuemLocalUserPassword=\”Mylongpassword\””
Carl I think the command line to install with the cache on an alternate drive is slightly wrong need an extra “/v” switch (http://www.jgspiers.com/citrix-workspace-environment-manager/).
“Citrix Workspace Environment Management Agent Setup.exe” /v”AgentCacheAlternateLocation=\”D:\WEMCache\”” /v”AgentServiceUseNonPersistentCompliantHistory=\”1\””
I just tried it with my original command and the registry keys are set correctly.
I am seeing a couple of issues with WEM.
1. Citrix Profile Management settings do not work unless you restart the service before a user logs on (I’m seeing this on a Windows 7 VDA). Even refreshing the cache via startup script does not correct this issue… the only way I have found thus far is to remotely restart the Norskale/netlogon services. Which that is easily scripted if need be… personally I’ll just keep those settings in a Citrix policy.
2. WEM seems to hang the shutdown process. What ends up happening is the user logs off of the desktop, the machine is sent a shutdown command, and it sits there spinning the Shutdown logo. While that is going on the machine appears on and registered with no active user on it – which that could lead to logon issues. I wrote a script to kill the service and set it to go off by the System 1074 event (shutdown initiated). This allows the machine to shutdown quickly.
Citrix is asking you to open a support case, especially for the 2nd issue.
David, Did you every find a resolution to item 1.? I am seeing this in xenapp 7.9 2008 R2 environment. Have to restart the service one time on a new vm to get the agent to launch on for users. After that the server can be rebooted and the agent will continue to launch.
Bill Flink
I found a solution to both problems.
1. I have a startup script which activates windows/office, starts antivirus services etc. I just added a refesh of the cache followed by a forced restart of the norskale service (also remember to start netlogon)
2. When editing the image I decided to stop the norskale service before shutdown in maintenance mode. After that when running in standard mode there is no hang while shutting down.
I.have got the problem. I solve it by creating the cache first time with agentcacheutility.exe
Hi,
If the cache is not redirected or updated before the golden image is resealed the service can start with incorrect values leading to configuration inconsistencies.
1) Make sure the cache is up to date before any image reseal
2) Redirect the cache to a persistent location to avoid any discrepancies.
3) Make sure the configuration GPO is applied correctly (registry values are inside the image) before resealing
David,
Did you ever get a resolution for issue 1?
I’m seeing the same thing however mine is a little worse.
The WEM agent doesn’t start unless the Norskale service is restarted at each reboot when the VDA has been promoted to production (PVS machine).
The Maintenance machine seems to start fine every reboot but with the prod versions the WEM Agent doesn’t start.
I just noticed this – Error: The Citrix WEM Agent Host Service service hung on starting, preventing Netlogon from starting – https://support.citrix.com/article/CTX218963
Hi Carl,
I’ve checked and that value is already in the registry.
So no luck on that one.
Excellent article Carl. A always!
As for WEM itself, I hope this is going to be better integrated into XA/XD’s management framework over time. Having to deploy separate SQL instances, brokers, consoles in order to control just one or two additional aspects of the infrastructure simply doesn’t make sense to me.
Hi Carl. Do you know what size should be taken for the cache files? is 1GB enough? Thank you and Regards, Roberto
Has anyone had issues importing printers from a network print server? I am able to from a test server, but from our production server I receiver an error attempting to pull in the printers.
Carl, do you know if there is a list of accepted variables for drive mappings? I tested and %username% and %LogonUser% don’t seem to work in WEM. I can confirm that %LogonUser% works as part of a GPO… but not in WEM.
Hi Michael,
%USERNAME% should work.
I am going to answer a few posts here. This does replace the USER based GPO’s and GPP’s… not machine based. it does add a performance enhancement to policies as it runs most all in parallel and not serial.
As far as if your environment is running well, do you need WEM. No…. I would not use it for the policy aspect. I would however turn on the performance optimizations. By turning on RAM/CPU/IOPS optimizations, all you will see is a huge performance gain. To turn it on with basic tuning, check out. https://www.youtube.com/watch?v=54Y7gdhc0mU
Hi Hal/Carl, We have several User OU’s and mostly use GPP’s for login drive mappings. Can we configure WEM to use the existing drive mappings from GPP’s based on user OU’s or do we have manually create each drive mapping for every single GPP/GPO?
Hey Carl, have you tried deploying any of the “Policies and Profiles\Environmental Settings” specifically the Control Panel? I’m trying to deploy this at the moment and notice that it’s not Locking down the applets like I’m defining. The Norskale log indicates that Login failure: the user has not been granted the requested logon type at this computer for the VuemEnvironmentSettingsController. I’m suspecting this is associated to the account vuemLocalUser that exists on the machine. I’m guessing that this account needs some type of “Allow Log On locally” access, but am waiting to hear back from support before I start making a bunch of changes.
I have deployed the Environment Settings for the Control Panel countless times without issue. How is your environment setup. Are you using a service account on the broker? Are you trying to use a service account for the Agent?
Hal, I did setup a Service account for the Broker. Does that same account need logon rights to the device as well, and if so what rights would it specifically need?
No…. the service account does not need any rights to the target device.
Hi,
Might be an issue with the vuemLocalUser account not allowed to logon locally.
4.1 will remove the local user.
Hi Carl,
Do you know if environment variables can be used in WEM for registry items?
Maybe I’m using the wrong variables but %username% doesn’t seem to work. It just adds %username% as the value for the REG_SZ that I’m trying to set.
From what i have found you are unable to expand a variable into the registry. It takes the text and dumps it directly to the registry. The workaround is to expand it via a script and insert it that way. Use the External Tasks to perform the script.
Thanks Hal,
I managed to find a solution. If you use a REG_EXPAND_SZ instead of a regular REG_SZ registry key you can use environment variables.
This is now working perfectly for me.
Hi, If you need to expand an environment variable you can use the Expand dynamic token (details in Administration Guide).
I am still trying to figure out exactly where this product fits in – if I have a farm that already runs well and has no specific performance issues, will it be of benefit?
If no performance problems, then don’t deploy it. But you probably already own it so there’s no harm it trying it.
It’s Actions functionality is the similar to Group Policy Preferences, but it has more condition filters.
Carl I assume that if you are trying to get the most out of performance you would use WEM to replaced both Computer and User Windows Policies?
WEM Actions appear faster than GPP because WEM runs them in the background so users can login quickly.
Is there any way to use WEM for HKLM registry items?
I can only make it work for HKCU items.
Hi Carl,
I’m new to this – but I had a small funny with it when setting the GPO for the agent – it didn’t like a shortname for the server, it needed to be FQDN. I got the error “invalid broker connection settings!” in the event log, but once i changed it in GPO editor to be the FQDN of the server it started to work. Not sure if just me or not…maybe helps someone.
Cheers
Dave
Thanks. I just changed the text to emphasize that.
A video posted by Norskale
https://www.youtube.com/watch?v=cEbBtVaKYDc
HI Carl
well, asking myself how to setup a test/lab if SW maint, is a requirement.. or does WEM will be in a grace period if no proper license file is found ?
Read the papers delivered and seems like as if SQL Express is not supported ?
To have multiple “Environment Settings” for different use cases, do we need to create new sites?
Yes. It looks like GPO can configure the Agent to use a particular site.
Im having a bit of trouble with getting the VUEM agent to refresh. The agent is installed on client and when running a manual refresh i get the message “An error occrured while building your environment.Agent processing will now stop. Please contact your Administrator.” Also inside of the console the agent doesnt show up for that machine or user under the Administration tab.
Did you configure the group policy? Is the group policy applying correctly?
There are agent logs in %userprofile%. And there’s a Log Parser in the WEM Agent Install directory.
Yeah the GPO is in place and applied. The log parser shows this message “10:10:12 AM Exception -> MainController.InternalRun() : VUEM Configured Items Retrieval Failed … Exiting.”
Seems to happen everytime i manually attempt to run a refresh.
Check your registry on the Agent for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host\BrokerSvcName and make sure it’s set to the FQDN of the WEM Server.
run the command agentcacheutility -r -b: and then try again. you tend to get the error if your cache is not filled and the agent is starting before the network has fully been initialized.
Hi Carl,
Great article as always, thank you. Just a few things to clarify the usage of WEM:
1: Is it correct that the 2 components “Infrastructure Services” and “Console” can both be installed on a Citrix Delivery Controller and the “Agent” needs to be installed on all the VDA enabled Terminal Servers (or VDI VMs) which should be optimized with WEM? And no additional components are needed (apart from rolling out the GPO templates)?
2: And can WEM also be used for resource optimzation only, without any “WIN Native GPO replacements” like printer/ drive mapping and other stuff we are already controlling via GPOs we don’t want to touch or replace with WEM?
3: And what are the advantages of using WEM as GPO replacement anyway and what are the limitations?
Thank you!
1. If the Delivery Controller is sized for both components, then it should work.
2. Yes. You don’t have to enable Environment Settings or Actions.
3. Actions in WEM can be applied to a large variety of conditions. Compare with Group Policy Preferences. Otherwise, UEM policy management is typically used in environments where AD administrators are barriers to using group policy. 🙂
Is there any special Configuration needed in a PVS Environment.?
Alex,
I am curious to know the answer to this as well. Thanks.
There are two Agent installer properties:
AgentCacheAlternateLocation = path on PvS cache disk
AgentServiceUseNonPersistentCompliantHistory = 1
There are a few things missing from here….. the easy one is the AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:) the broker name should always be in FQDN since this does use Kerberos for the authentication.
Need to register the SPN based on the service account that you are utilizing for the broker service. Setspn -U -S Norskale/BrokerService [accountname]
Need to optimize the client by running ngen for .NET optimizations
in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
ngen.exe update
ngen.exe eqi 1
ngen.exe eqi 3
CPU should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU. Example
if 2 CPU’s are available the CPU setting should not be set above 49%
if 4 CPU’s are available the CPU setting should not be set above 24%
There are many other fine tunings that can be completed, but those are on a per environment basis
Thanks Hal. I’ll incorporate these into the main article. Let me know if you post your own documentation, or want me to add something.
Thanks Carl, I am creating a couple of videos to show the reasons to use as well as configuration/installation.
Hi Carl, is there some special requirement for the license server? I Receive the following error: “A valid license server with appropriate licenses needs to be configured before you can start using Citrix Workspace Environment Management”
I think it needs to be 11.14.1. Also, licenses must have active “Software Maintenance”. “Subscription Advantage” isn’t good enough.
Hi, I’ve done the upgrade off our license server and it’s working now. Thx Dimitri
Hi Carl, great article, thanks! You are the first and only hit on Google with proper installation instructions.
Do you know if it is possible to install the WEM server on the DDC, or do you recommend to install it on a separate server?
The Install Guide says 4 vPCU, 8 GB RAM can handle 3,000 users. If you put it on a DDC, that would be in addition to whatever specs the DDC needs.
Hi Carl,
Great post, had a small query here.
The settings we are configuring under System Optimization (Memory & CPU) will work against the Agents ? If Yes Can we get the reports for CPU & Memory like how we are getting for logon time.
I don’t see any CPU/Memory reporting. That’s what Director 7.11 is for. 🙂
But it’s a simple install, so you’re welcome to install it yourself and try it.
Hi Carl, Have you noticed any genuine performance benefits of putting this in and enabling the default optimisations? I have been watching this product for a while, and given its simplicity and now availability, I am thinking this should become a standard part of any Citrix deployment if the optimisations are genuine – i like the environment management concept far more than managing policies and preferences etc, this could be a significant change in the way non-app sense style customers operate
CTP Steve Greenberg’s team has deployed Norskale many times and they definitely see the benefits. I’m hoping to see more literature on this soon.
here is a blog written a few years ago about the performance aspect and what one of our customers saw with VUEM
http://www.thinclient.net/blog/?p=327
Is this being aimed at Citrix VDI and RDS deployments only? Or can it be used to target standard Windows OS deployments like AppSense does as well?
Our team have been looking at UEM’s so we can provide a single user experience across multiple platforms and as we already have the required subscription level and XenApp 7.6 LTSR, this could potentially save us a lot of money.
It definitely works on VDI too. But yes, the idea is to deploy on every Citrix infrastructure.
The client works across desktops as well. The Norskale product was aimed for all Windows platforms. Citrix is still working out the licensing for the desktop version
Wow this is neat. Looks like we can use this for printing mappings, drives, and set upm settings. If we used this i assume it is replaces studio policies in some area?
These are Windows policies, not Citrix policies. The more important feature is performance management.