Workspace Environment Management (WEM) 2311

Last Modified: Dec 20, 2023 @ 10:29 am

Navigation

This post covers Citrix Workspace Environment Management (WEM) versions 2311 and older.

💡 = Recently Updated

Change Log

Overview

Workspace Environment Management (WEM) is Citrix’s Performance Management and UEM (User Environment Management) tool for all XenApp/XenDesktop Enterprise or Platinum Customers with active Software Maintenance (Subscription Advantage is not sufficient). The WEM Agent is supported on XenApp 6.5, and XenApp/XenDesktop 7.x. Videos:

Note: WEM does not replace Citrix Profile Management. You usually implement both.

Citrix Blog Post User Experience on Steroids: Citrix Workspace Environment Management has a list of Frequently Asked Questions about WEM, including a drawing of the architecture.

From Hal Lange at Database sizing at Citrix Discussions: SQL Always On is fully supported.  In WEM 1909 and older, the ONE caveat is to remove from the Always On Availability Group before upgrading.

Here are the official calculations from the Norskale days on space needed on the SQL Server:

  • Reserve 1GB of RAM per 1,000 users deployed
  • RAM=1.5GB system + (1.5GB SQL + 1 GB per 1,000 users) for that SQL instance
  • Disk = 1GB per 10,000 users per year + 10 MB per WEM site configured

Upgrade WEM

There is no LTSR version of Citrix Workspace Environment Management (WEM), so you should always upgrade to the latest version of WEM.

From Upgrade a deployment at Citrix Docs: In-place upgrades from versions earlier than Workspace Environment Management 4.7 to version 1808 or later are not supported. To upgrade from any of those earlier versions, you need to upgrade to version 4.7 first and then upgrade to the target version.

If you want to upgrade a WEM deployment earlier than 2006 to 2209 or later: To avoid database upgrade failures, upgrade to 2103 first and then to 2209 or later.

CTA Marco Hofmann at CUGC: How-To: Update Citrix Workspace Environment Management (WEM) from 4.x to 4.7 (v4.07.00.00)

To upgrade Citrix WEM:

  1. In-place upgrade the Citrix Licensing Server. No special instructions.
    • Ensure the installed licenses a non-expired Subscription Advantage date.
  2. Before you upgrade, run WEM Infrastructure Service Configuration Utility and record all settings.
  3. In-place upgrade the WEM Server. No special instructions.
  4. Use the Database Maintenance tool to upgrade the WEM database.
    • In WEM 1909 and older, before upgrading the database that’s in a SQL Server Always On availability group, you must remove it from the availability group. This is no longer required in WEM 1912 and newer.
  5. You might have to run the WEM Infrastructure Service Configuration Utility on each Broker to point to the upgraded database. If the settings are still there, then just click Save Configuration.
  6. In-place upgrade the WEM Console. No special instructions.
  7. In-place upgrade the WEM Agents.

Install/Upgrade WEM Server (Broker Service)

There is no LTSR version of Citrix Workspace Environment Management (WEM), so you should always upgrade to the latest version of WEM.

The WEM Broker Service can be installed on one or more servers, including Delivery Controllers. The WEM Agent cannot be installed on the Broker Server.

A WEM Server with 4 vCPU and 8 GB RAM can support up to 3,000 users.

  1. Port 8288 – WEM 1912 and newer have a new port 8288 for WEM Agent Cache Synchronization. You’ll need to add this port to your load balancer and open it in your firewall.
    • Port 8285 is still available for WEM Agents 2012 and older connecting to newer WEM Servers.
    • Old port removed – The Cache synchronization port (8285) was removed from WEM Server 2103 and newer, so make sure your existing agents are a version that supports the newer Cached data synchronization port. WEM Agent 1912 and newer should be sufficient.
    • If your existing WEM Agents don’t support the new port number, then upgrade your WEM Server to version 2012 (or version 1912), upgrade your WEM Agents to the corresponding version, and then upgrade the WEM Server to a newer version.
  2. Download Workspace Environment Management 2311 and extract it.
  3. If you are upgrading, run WEM Infrastructure Service Configuration Utility and record all settings. These settings might be wiped out during the upgrade.
  4. Licenses – make sure your installed CVAD licenses have a CSS date that is later than the date required by your WEM version. The required CSS date is shown at the top of the WEM download page.
  5. Run the downloaded Citrix Workspace Environment Management Infrastructure Services Setup.exe from the 2311-01-00-01 folder.
  6. If installing WEM 2308 or newer:
    1. Check the box next to I agree to the license terms and click Install.
    2. In the Welcome to the Citrix Workspace Environment Management Infrastructure Services Setup Wizard page, click Next.  
    3. In the Destination Folder page, click Next.
    4. In the Ready to install Citrix Workspace Environment Management Infrastructure Services page, click Install.
    5. In the Completed the Citrix Workspace Environment Management Infrastructure Services Setup Wizard page, click Finish.
    6. Click Launch Database Management Utility.
  7. If installing WEM that is older than version 2308:
    1. If you see a prerequisites screen, then click Install to install the prerequisites.
    2. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Infrastructure Services page, click Next.
    3. In the License Agreement page, select I accept the terms, and click Next.
    4. In the Customer Information page, click Next.
    5. In the Setup Type page, click Next.
    6. In the Ready to Install the Program page, click Install.
    7. If you are upgrading, you might be prompted to restart applications.
    8. In the InstallShield Wizard Completed page, click Finish.
  8. AntivirusC:\Program Files (x86)\Citrix\Workspace Environment Management Infrastructure Services and C:\Program Files (x86)\Norskale\Norskale Infrastructure Services must be excluded from Antivirus scanning. Or exclude: Norskale Broker Service.exe; Norskale Broker Service Configuration Utility.exe; Norskale Database Management Utility.exe.
  9. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured. Note: this folder seems to be missing in newer versions of WEM.
  10. Firewall – Ensure firewall allows the following ports to/from the WEM Broker servers. See Citrix Tech Zone Communication Ports Used by Citrix Technologies.
    • Agent Port – defaults to TCP 8286 – from WEM Agent to WEM Broker
    • AgentSyncPort – defaults to TCP 8285 – from WEM Agent to WEM Broker
    • Cached data synchronization port – defaults to TCP 8288 – from WEM Agent 1912 and newer to WEM Broker
    • AdminPort – defaults to TCP 8284 – from WEM Admin Console to WEM Broker
    • Monitoring Port – defaults to TCP 8287 – from Director to WEM Broker
    • AgentPort – defaults to TCP 49752 – from WEM Broker to WEM Agent
  11. See CTX218965 Error: “Server sent back a fault indicating it is too busy to process the request” and the WEM Agent fails to connect to the Broker Service if you need to throttle the number of connections if you have insufficient resources on the WEM Broker server.

Upgrade WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management 2103 SDK at Citrix Developer docs.

To upgrade the Workspace Environment Management database using the GUI tool:

  1. If this is a new install, skip to Create WEM Database.
  2. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  3. On the WEM server, run Database Management from the Start Menu.
  4. If upgrading, in the ribbon, click Upgrade Database.
  5. In WEM 1906 and newer, the fields might already be filled in. Otherwise:
    1. Enter the SQL Server Name.
    2. Enter the existing WEM Database Name.
    3. Configure the credentials for the WEM service account.
  6. If your account is not a sysadmin on SQL, then enter a SQL account in the Database Credentials fields.
  7. Click Upgrade.
  8. Click Yes when asked to proceed.
  9. Click OK when prompted that database upgraded successfully.
  10. Click Finish to close the Database Upgrade Wizard.
  11. Close the WEM Database Management Utility.
  12. Open services.msc and restart the Citrix WEM Infrastructure Service or restart Norskale Infrastructure Service.

After the database is upgraded, run the WEM Infrastructure Service Configuration Utility.

  1. If the upgrade preserved the settings, then simply click Save Configuration. The service won’t start unless you do this.
  2. In WEM older than version 1906, you might have to re-configure the settings.
    1. On the Licensing tab, configure the licensing server.
    2. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
    3. On the Advanced Settings tab:
      1. Enter the Infrastructure service account credentials.
      2. Enter the vuemUser SQL user account password.
      3. In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
      4. Make a choice regarding Google Analytics.
    4. The Advanced Settings tab will look something like this.
    5. On the Database Settings tab, enter the database server name and database name.
    6. In the ribbon, click Save Configuration.
  3. Click Yes to restart the Broker Service.
  4. Skip ahead to upgrade the WEM Administration Console.

Create WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management 2103 SDK at Citrix Developer docs.

To create the database using the GUI tool:

  1. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  2. Make sure SQL Server authentication (mixed mode) is enabled on the SQL server > Properties > Security. Even though the WEM Broker server runs as an AD account that is used login to SQL, WEM Broker also uses a SQL account named vuemUser, which means mixed mode must be enabled. Source = John Long at WEM new install, cannot connect to infrastructure server at Citrix Discussions.

  3. On the WEM server, run WEM Database Management Utility from the Start Menu.
  4. If a new install, in the ribbon, click Create Database.
  5. In the Create database Wizard page, click Next.
  6. In the Database Informations page, enter the SQL server name, and enter a new Database Name.
    1. Only enter an instance name if you have a named SQL instance.
    2. Only enter a port number if your SQL instance is listening on a static port number other than 1433.
    3. From Måns Hurtigh at Problem creating WEM 4.3 Database on SQL Server 2012 at Citrix Discussions: The database name cannot contain a dash.
  7. The paths might not be correct so double check them. Then click Next.
  8. In the Database Server Credentials page, if your account has sysadmin permissions, then leave the box checked. Otherwise, uncheck the box, and enter a SQL login that has sysadmin permissions. Click Next.
  9. In the VUEM Administrators section, click Browse, and select your Citrix Admins group.
  10. In the Database Security page, if you intend to load balance multiple WEM servers, then specify a Windows service account for database access. The Broker Service will run as this account. See the load balancing topic at Install the Citrix Workspace Environment Management Infrastructure Services at Citrix Docs.
  11. The Database Creation Wizard also creates a SQL account called vuemUser with an 8 character alphanumeric password. If you want it more complex, check the box and specify the password.
    • Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Also see SQL Server Always On at Citrix Docs.

  12. Click Next.
  13. In the Database Information Summary page, click Create Database.
  14. Click OK when prompted that the database was created successfully.
  15. Click Finish to close the Database Creation Wizard.
  16. Close the WEM Database Management Utility.
  17. There is a log file at “C:\Program Files (x86)\Citrix\Workspace Environment Management Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log” or at “C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log”

WEM Infrastructure Services Configuration

  1. On the WEM Server, run WEM Infrastructure Service Configuration Utility from the Start Menu.
  2. On the Database Settings tab, enter the SQL Server name and database name.
  3. Switch to the Advanced Settings tab.
  4. If you intend to load balance WEM Servers, then Browse to a service account. This service account must have access to the database.

    • The service account must be in the local Administrators group on the WEM servers.
  5. Enter the vuemUser SQL user account password.
  6. In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
  7. Make a choice regarding Google Analytics.
  8. The Advanced Settings tab will look something like this.
  9. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
  10. On the Licensing tab, you can enter a Citrix License Server 11.14.0.1 or newer that has valid licenses. Or you can enter the license server later in the admin console.
  11. Click Save Configuration in the ribbon.
  12. Click Yes when asked to restart the Broker Service.
  13. Close the WEM Infrastructure Service Configuration utility.
  14. If you are load balancing WEM servers, then you must also create a Kerberos SPN, where [accountname] is the service account you are using for the Norskale service.
    setspn -U -S Norskale/BrokerService [accountname]

Install/Upgrade WEM Console

  1. Run Citrix Workspace Environment Management Console Setup.exe from the downloaded WEM 2311 (aka 2311-01-00-01) installation files.
  2. If installing WEM 2308 or newer:
    1. Check the box next to I agree to the license terms and click Install.
    2. In the Welcome to the Citrix Workspace Environment Management Console Setup Wizard page, click Next.
    3. In the Destination Folder page, click Next.
    4. In the Ready to install Citrix Workspace Environment Management Console page, click Install.
    5. In the Completed the Citrix Workspace Environment Management Console Setup Wizard page, click Finish.
    6. Click Close.
  3. If installing WEM older than 2308:
    1. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Console page, click Next.
    2. In the License Agreement page, select I accept the terms, and click Next.
    3. In the Customer Information page, click Next.
    4. In the Setup Type page, click Next.
    5. In the Ready to Install the Program page, click Install.
    6. In the InstallShield Wizard Completed page, click Finish.

Install/Upgrade WEM Web Console

Install or upgrade the WEM Web Console on the WEM Server. The WEM Web Console can use port 443 if nothing else is using that port.

  1. Right-click Citrix Workspace Environment Management Web Console.exe and click Run as administrator.
  2. Check the box next to I agree to the license terms and click Install.
  3. In the Welcome to the Citrix Workspace Environment Management Web Console Setup Wizard page, click Next.
  4. In the Destination Folder page, click Next.
  5. In the Ready to install the Citrix Workspace Environment Management Web Console Setup Wizard page, click Install.
  6. In the Completed the Citrix Workspace Environment Management Web Console Setup Wizard page, click Finish.
  7. Click Launch Web Console Configuration. This might not work if you didn’t run the installer elevated.

Web Console Configuration

  1. Create a file share for WEM and grant Modify permission to a service account.
  2. Create a service account and add it to WEM Console > Administration > Administrators as Global Admin with Full Access and not Disabled.
  3. Install a certificate in the Local Computer store (certlm.msc).
  4. From the Start Menu, right-click WEM Web Console Configuration, expand More, and click Run as administrator.
  5. Click Next.
  6. The Port number cannot conflict with other services already using the port, including IIS.
  7. The Infrastructure server name can be localhost if you installed the Web Console on the WEM Infrastructure Server.
  8. User name must be Global Admin inside WEM.
  9. Click Start service.
  10. Click Configure certificate.
  11. Browse to the local cert and then click Set up certificate.

  12. Click Finish.

  13. Launch the Web Console and login. 
  14. Click your name on the top-right and click Storage folder.
  15. Enter the UNC path to the file share for WEM.
  16. Check the box next to Require credentials and enter the service account. Click Done.

WEM Configuration Sets

Each WEM Agent belongs to one Configuration Set. Most actions in a Configuration Set can be filtered, but some settings are global to the Set. To handle global settings, you can create multiple Configuration Sets that apply to different WEM Agents.

In WEM Web Console (2308 and newer):

  1. On the left, click Configuration Sets.
  2. On the right, click Add configuration set.
  3. Give the set a name and click Save.

  4. Click a Configuration Set to create Actions and configure other settings.
  5. Use the drop-down menu on the top-left to switch to a different Configuration Set.
  6. Directory Objects lets you add individual computers or computer Organizational Units (OUs) and assign them to Configuration Sets.

  7. Back in the list of Configuration Sets, on the right, you can click Backup and Restore.
  8. Click Backup to perform a manual backup. Or click Manage automatic backup. The backups are stored in the SMB file share.
  9. Notice the Directory objects are not included in the backups.
  10. After you have a backup, you can Restore it to any Configuration Set. This is an easy way of copying one Set to another.

In WEM Classic Console:

  1. From the Start Menu, run WEM Administration Console.
  2. In the ribbon, click Connect.
  3. In the Database Broker Information window, enter the WEM Server name, and click Connect.
  4. Some WEM Console settings are global (every agent gets the same setting). So if you want different global settings for different agents, then you create multiple WEM Configuration sets. At the top of the window, in the ribbon, you can create a new WEM Configuration set. 
  5. WEM 1912 and newer can Backup and Restore entire Configuration Sets, which makes it easy to duplicate a Configuration Set.

    • When Restoring a Configuration Set, there’s no need to create a new empty Set. Just run the Restore wizard and WEM will try to use the original Configuration Set name. If the original Configuration Set already exists, then WEM will append _1 to the name, which you can then rename.
  6. Once you have multiple Configuration sets, you can use the drop-down to switch between them.
  7. A WEM Agent can only belong to one WEM Configuration set. Different Agents can belong to different WEM Configuration sets.
  8. In WEM 4.3 and newer, you add agents to the Configuration set at Active Directory Objects (workspace on bottom left) > Machines (node on top left). You can add OUs or individual objects (computers or computer groups).

Import Recommended Settings

If you have multiple WEM configuration sets, this process should be repeated for each new, empty WEM configuration set. This process is only available in the classic WEM Console.

  1. On the right side of the ribbon, click Restore.
  2. Select Settings and click Next.
  3. In the Settings Restore wizard, click Next.
  4. In the Restore from folder section, click Browse, and browse to the \Workspace-Environment-Management-v-2311-01-00-01\Configuration Templates\Default Recommended Settings folder that was included in the WEM download.
  5. In the Settings Type Selection section, check all available boxes, and click Next.
  6. In the Restore settings processing window, click Restore Settings.
  7. Click Yes when prompted to replace.
  8. Click Finish.

CTP James Kindon at WEM Hydration Kit has a collection of Applications, File System and Registry Actions that can be imported to WEM. CTP James Kindon recently added Environmental Settings to the Hydration Kit.

WEM 1909 and newer can Migrate your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.

WEM Administrators

This is only configurable in the Classic WEM Console.

  1. In the Administration Console, go to Administration (workspace on bottom left) > Administrators (node on top left).
  2. In the right pane, click Add, and specify an Active Directory group that can administer WEM.
  3. After adding a group or user, right-click the new administrator, and click Edit.
  4. Use the Permissions drop-down to select a role. The roles are detailed at Administrators at Citrix Docs.
  5. Then use the State drop-down to select Enabled. New administrators are initially disabled. Click OK to close the window.

WEM Agent Configuration

For configuration guidance, see CTP James Kindon WEM Advanced Guidance – 2023 at CUGC.

Most of these settings are available in the WEM Web Console.

  1. In the WEM Web Console, click a Configuration Set, expand Advanced Settings and click Agent Settings.

    1. In the WEM Classic Administration Console, in the Advanced Settings workspace (bottom left), there are several tabs for configuring the agent.
    2. On the bottom of each tab is an Apply button. Click this button periodically to save your configuration to the database.
  2. In Web Console, click Agent options.

    1. When making changes, make sure you click Apply changes periodically.
  3. Setting on these tabs are mostly self-explanatory. Feel free to change any as desired. If you imported a default configuration, then many of these might already be enabled. If not, then configure them manually.
  4. Check the Launch agent options. and Enable desktop compatibility mode. Web Console lets you configure launch exclusions.

    • In Classic Console these settings are on the Main Configuration tab.
  5. Enable automatic refresh.
  6. Enable Offline Mode and Use cache to accelerate actions processing. More info at Citrix Blog Post Workspace Environment Management agent caching explained.
  7. The Action processing section lets you select which modules should be refreshed on reconnect.

    • In the WEM Classic Console the settings are in the right pane on the Reconnection Actions tab.
  8. Scroll down and there are options to process printers and drives asynchronously.

    • In WEM Classic Console, the settings are on the Agent Options tab.
  9. Agent service options section has a setting for Bypass ie4uinit Check. Enabling this might eliminate a 2-minute delay before WEM Agent starts.

    1. In WEM Classic Console it’s on the Service Options tab.
  10. On the left is UI Agent Personalization. On the right is Appearance and interaction. You can change the UI agent theme. Other settings on this page let you hide the splash screen.

    1. In WEM Classic Console, on the top left, in the Advanced Settings workspace, there’s a UI Agent Personalization node.
    2. In the right pane, in the UI Agent Options tab
  11. The Helpdesk Options section lets you enable Screen Capture from the WEM Agent.

    1. WEM Classic Console has a Helpdesk Options tab.
    2. For the Enable Send to Support Option, to allow users to enter a message, add the text “##UserScreenCaptureComment##” to the Email Template box. (Source = MasterXen Workspace Environment Manager – Capture Screen)

System Optimization

  1. The System Optimization node lets you configure the various optimizations.

    1. WEM Classic Console has a System Optimization workspace (bottom left).
  2. On the top left, click the CPU Management node/section.
  3. CPU Spikes Protection gives processes equal access to the CPU.
    • There’s an option for Auto Prevent CPU Spikes.
    • From Hal Lange: “CPU Usage Limit should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU.  Example: if 2 CPU’s are available, the CPU setting should not be set above 49%, if 4 CPU’s are available, the CPU setting should not be set above 24%”
    • Hal Lange demonstrates Citrix WEM Performance Optimizations in a YouTube video.

  4. Other tabs/sections let you manually specify CPU priority and/or clamping.

  5. Web Console > Monitoring > Insights > Optimization Insights has a report showing CPU optimization.

    • From CTA Chris Schrameyer WEM – CPU LOGGING: WEM does not provide any built-in logs to determine when a CPU Spikes Protection action is taken. It would be nice to know what processes are often limited, so we can then add them to a CPU Clamping policy or identify why they are using so much CPU.
  6. Memory Management node, you can enable Optimize Memory Usage for Idle Processes to periodically reclaim memory from running processes. This feature tells processes to flush their memory to disk. In other words, you’re trading memory for disk.

    1. WEM 2206 adds an option for Optimize only if total available memory is less than (MB) or Do Not Optimize When Total Available Memory Exceeds (MB). In other words, WEM does not optimize memory until available memory drops below this value.
    2. WEM 2206 adds a Memory Usage Limit for Specific Processes. Dynamic means the process memory is not limited until available memory is low.
  7. In the I/O Management node, on the right, you can prioritize process IO. Use the slider on the far right to enable the feature.
  8. In the Fast Logoff node, in the right pane, enabling Fast Logoff disconnects a session immediately, and runs logoff processes in the background.
  9. WEM 2003 and newer have a Citrix Optimizer feature. If you enable it, then the WEM Agents will disable services and scheduled tasks according to the settings in the template. WEM comes with built-in templates, or you can add your own. Newer versions of WEM have newer templates. WEM 2311 and newer support Windows 11 and Windows Server 2022.

    • WEM 2012 and newer have an option to Automatically select Templates to Use.
    • The Monitoring > Administration > Agents section adds a Process Citrix Optimizer action to each agent.
  10. WEM 2112 and newer have a Multi-session Optimization feature that lowers the priority of processes running in disconnected sessions.

Security

This section is only available in the WEM Classic Console.

  1. Click the Security workspace. On the top left, click the Process Management node. In the right pane, in the Processes Management tab, enable Process Management. The other tabs are grayed out until you check this box.

    • You can BlackList processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
  2. On the top left, click Application Security.
  3. You can use the top-left sub-nodes to configure AppLocker. See Application Security at Citrix Docs.

    1. If you click the Executable Rules sub-node, on the bottom right is a button to Add Default Rules.
    2. If you edit a rule…
    3. You can assign the rule to a user group.
    4. The list of user groups comes from Active Directory Objects (workspace on bottom left) > Users.
    5. On top of the right pane, set Rule enforcement to On or Audit.
    6. In the ribbon is a button to Import AppLocker Rules that were exported from a group policy.
    7. The other sub-nodes follow the same configuration pattern.
  4. WEM 2112 and newer have a Privilege Elevation feature under the Security workspace. You might have to scroll down to find it. On the right, check the box for Process Privilege Elevation Settings. Notice the setting for Do Not Apply to Windows Server OSs.

    1. On the left, click Executable Rules under Privilege Elevation. Then on the bottom right click Add Rule.
    2. Give the rule a name and select an assignment.
    3. There are options to restrict the elevation to specific parameters. For example, you can restrict cmd.exe so it can only elevate specific scripts. Click Next.
    4. Browse to the executable file and click Create.
    5. CTP David Wilkinson has more details on this feature.
  5. WEM 2203 adds a Self-elevation feature that lets users manually run processes elevated. See Citrix Docs for details.

  6. WEM 2006 adds Process Hierarchy Control, which lets you restrict or allow a parent process from launching specific child processes. See Citrix Docs for configuration details.

    1. On the agent side, you must enable Process Hierarchy Control by running elevated AppInfoViewer.exe from C:\Program Files (x86)\Citrix\Workspace Environment Management.
    2. Click Enable Process Hierarchy Control.
    3. Acknowledge that a restart is required.
  7. WEM has an audit log of the security features at Administration workspace > Logging node > Agent tab.

Policies and Profiles

  1. WEM Web Console > Profiles > Profile Management Settings lets you push Citrix Profile Management settings to WEM Agents
  2. On the top right you can click Quick setup to Start with template. Choose either File-based or Container-based.
  3. There’s an option to configure user-level settings instead of computer-level.
  4. See the Citrix Profile Management post for details on a recommended Profile Management configuration. Some of the newer settings might be missing from WEM.
  5. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.
  6. In the WEM Classic Console, at Policies and Profiles > Citrix Profile Management Settings, in the right pane, the File System tab has a useful Profile Cleansing button to remove excluded folders from an existing UPM profile share. This function might not be necessary if you enable Logon Exclusion Check.

    • Adjust the Profiles Root Folder, click Scan Profiles Folder, and then click Cleanse Profile(s).
  7. To configure folder redirection in the WEM Classic Console, on the top left, click Microsoft USV Settings.
    1. On the right, on the Roaming Profiles Configuration tab, check the box to Process User State Virtualization Configuration.
    2. Then switch to the Folder Redirection tabs, and configure them as desired.
  8. For Environmental Settings, WEM Classic Console has the Policies and Profiles workspace (bottom left) with three nodes on the top left.
    1. In the Environmental Settings node (top left), in the right pane, you can enable Environmental Settings, and configure restrictions that are usually configured in group policy. Peruse the various tabs on the right. Administrators can be excluded from these restrictions. These settings are only in the WEM Classic Console. In WEM Web Console they are replaced by group policies.
    2. The Environmental Settings within the WEM Administration Console are per-machine, not per-user. This means that, by default, all the settings configured inside of a Configuration Set apply to every non-admin user that logs into that particular Agent machine. In order to have different Environmental Settings apply to different users/user groups, they would need to be applied to a separate WEM Agent machine, and all the settings would need to be configured inside a separate Configuration Set to which the WEM Agent Machine is bound. Source = CTX226487 Guidance on configuring WEM settings per user/user groups.

Scripted Tasks

Web Console lets you configure Scripted Tasks that run at the agent (computer) level.

  1. First, add the task/script to Scripted Tasks at the global le

    1. Scripted tasks are PowerShell scripts.
  2. Then go to a Configuration Set and click Scripted Task Settings.
  3. On the far right, click the … next to a scripted task and then click Configure.
  4. Enable the task and choose a Filter.
  5. The Triggers page lets you choose when the script should run. You can Create new trigger.
  6. One of the options is Scheduled.

WEM Agent Group Policy

  1. In the WEM Download, go to the \Workspace-Environment-Management-v-2311-01-00-01\Agent Group Policies\ADMX folder.
  2. Copy the .admx file, and the en-US folder to the clipboard.
  3. Go \\MyADDomain.com\sysvol\MyADDomain.com\Policies.
  4. If you have a PolicyDefinitions folder here, then paste the .admx file and folder.

    • If you don’t have PolicyDefinitions in Sysvol, then instead go to C:\Windows\PolicyDefinitions, and paste the .admx file and folder there.
  5. Look for older versions of the WEM .admx and .adml files (in the en-us subfolder) and delete them. Remove any WEM .admx and .adml files that have a version number.

  6. Edit a GPO that applies to the VDAs that will run the WEM Agent.
  7. In WEM 1906 and newer, go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Workspace Environment Management | Agent Host Configuration.
  8. On the right, double-click Infrastructure server.
  9. Enable the setting, enter the FQDN of the WEM server (or load balanced name), and click OK. Note: It must be FQDN.
  10. Assign Agents to a Configuration Set.
    1. In the WEM Web Console, go to Directory Objects and click Add object.
    2. In the WEM Classic Administration Console, choose a Configuration Set and then go to Active Directory Objects workspace (bottom left) > Machines node (top left), and in the right pane, add an OU or individual machines.
  11. It’s possible that an Agent might register with multiple Configuration sets. You can review the registrations in Web Console at Monitoring > Administration > Agents.

    1. Registrations tab (right pane) might show you Agents not registered with any Configuration Set. Add the Agent to Active Directory Objects > Machines.

Install/Upgrade WEM Agent

For command line unattended installation of WEM Agent, see Alain Assaf at Citrix Discussions.

  1. WEM agent upgrade task – WEM 2311 and newer can push Agent upgrades to existing agents. In a Configuration Set, configure a file share under App Package Delivery. Then import the WEM Agent to the share. Then create a Delivery task. More details at App Package Delivery at Citrix Docs.

  2. If App Layering, Citrix recommends installing the WEM Agent in the Platform Layer.
    • If you are installing the WEM Agent in a App Layer, see George Spiers to workaround an issue with the Netlogon service in a Platform Layer that has the Provisioning Services Target Device software installed.
  3. Use registry editor to confirm that the WEM GPO has applied to the Agent machine. Look for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host\BrokerSvcName.
  4. VDA installer – In VDA 2012 and newer, the WEM Agent is included with the VDA installer; however, this install method has been deprecated. You can instead install it separately as detailed in the next step.

  5. Manual install – On a VDA Master machine, run Citrix Workspace Environment Management Agent.exe from the downloaded WEM 2311 (aka 2311-01-00-01) installation files.
  6. In the Citrix Workspace Environment Management Agent window, check the box next to I agree to the license terms and click Install.
  7. In the Welcome to the Citrix Workspace Environment Management Agent Setup Wizard page, click Next.
  8. In the Destination Folder page, click Next.
  9. In the Deployment Type page, select On-premises Deployment and click Next.
  10. In the Infrastructure Service Configuration page, change the selection to Skip Configuration since you’ve already configured the group policy. Click Next. Note: In WEM 1912 and newer, the cache synchronization port changes from 8285 to 8288.
  11. In the Advanced Settings page, if this machine will be used with Citrix Provisioning and has a Provisioning cache disk, then you can optionally move the WEM Cache to the Provisioning cache disk. Click Next. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
  12. In the Ready to install Citrix Workspace Environment Management Agent page, click Install.
  13. In the Completed the Citrix Workspace Environment Management Agent Setup Wizard page, click Finish.
  14. In the Installation Successfully Completed window, click Close.

WEM Agent Cache

  1. After installation, check the registry under HKLM\System\CurrentControlSet\Control\Norskale\Agent Host to verify your command line switches applied correctly.

  2. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
  3. In WEM Agent 1909 and newer, the WEM Agent installation path is now C:\Program Files (x86)\Citrix\Workspace Environment Management Agent instead of C:\Program Files (x86)\Norskale\Norskale Agent Host and you might have to modify your WEM Agent Cache Refresh scripts with the new path. See CTP James Kindon Citrix WEM Updated Start-Up Scripts for more details.
  4. Citrix CTX219839 How to Enable Debug Logging on Workspace Environment Management Agent manually, if no connectivity to Broker exists. Set AgentDebugModeLocalOverride and AgentServiceDebugModeLocalOverride to 1. The Norskale Agent Host Service Debug.log file will be written to %ProgramFiles(x86)%\Norskale\Norskale Agent Host. The Agent Log file will be written to the User Profile (i.e., under %UserProfile%).
  5. Optionally, you can pre-build the Agent Cache by running AgentCacheUtility.exe, which is located in C:\Program Files (x86)\Citrix\Workspace Environment Management Agent (fresh WEM Agent 1909 and newer) or in C:\Program Files (x86)\Norskale\Norskale Agent Host.

  6. It needs the following switches:
    -refreshcache -brokername:MyWEMServer
  7. From Hal Lange: “AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:)  the broker name should always be in FQDN since this does use Kerberos for the authentication.”

  8. You can also use the Web Console at Monitoring > Administration > Agents to refresh an agent’s cache and perform other actions. The Synchronization column indicates if the cache is up to date or not. It takes a few minutes to update.
    • It’s also in WEM Classic Administration Console at Administration workspace (bottom left), Agents node (top left)
  9. From Hal Lange: “Need to optimize the client by running ngen for .NET optimizations in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
    C:\Windows\Microsoft.NET\Framework\v4.0.30319
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319
    ngen.exe update
    ngen.exe eqi 1
    ngen.exe eqi 3
  10. AntivirusC:\Program Files (x86)\Citrix\Workspace Environment Management Agent or C:\Program Files (x86)\Norskale\Norskale Agent Host must be excluded from Antivirus scanning. Or exclude Citrix.Wem.Agent.Service.exe; Norskale Agent Host Service.exe; VUEMUIAgent.exe; Agent Log Parser.exe; AgentCacheUtility.exe; AppsMgmtUtil.exe; PrnsMgmtUtil.exe; VUEMAppCmd.exe; VUEMAppCmdDbg.exe; VUEMAppHide.exe; VUEMCmdAgent.exe; VUEMMaintMsg.exe; VUEMRSAV.exe.
  11. If you use WEM to push UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.  Delete the machine cache, which is at the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UsvMachineConfigurationSettings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings

    This will force WEM to re-apply the per-machine settings (Microsoft USV or Citrix UPM settings, respectively).

  12. WEM Cache tends to break often. See CTP James Kindon Citrix WEM Cache Problems…. Again for a script to reset the cache periodically.
  13. CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.
  14. WEM Agent 2308 and newer have improved Event Viewer logging.

WEM Agent on Citrix Provisioning Target Device

From Citrix Discussions: create a computer startup script that deletes the WEM cache and refreshes it:

net stop "Citrix WEM Agent Host Service" /y
net stop "Norskale Agent Host Service" /y
del D:\WEMCache\ /S /F /q
net start "Citrix WEM Agent Host Service"
net start "Norskale Agent Host Service"
net start "Netlogon"
timeout /T 45 /nobreak
"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache -brokername:XXXX
"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshCache -brokerName:XXXX

From Julian Mooren Citrix Workspace Environment Management with PVS – Synchronization State “Unknown”: For Citrix Provisioning, schedule a task to run the following commands at Target Device boot (Trigger = At Startup).

"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache
"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshcache

From CTA David Ott at Using Citrix Workspace Environment Management to Redirect Folders via Symbolic Links – Speed Up Logon: before shutting down your maintenance/private mode vdisk to re-seal, kill the Citrix WEM Agent Host Service or Norskale Agent Host Service. For whatever reason if you don’t do this it can cause your vms in standard mode to take an obscenely long time to shutdown.

Base Image Script Framework (BIS-F) automates many image sealing tasks, including tasks for Workspace Environment Management. The script is configurable using Group Policy.

Monitoring

  1. WEM Web Console > Monitoring > Insights has some reporting, including a report showing disk space consumed by profile containers.
  2. In the WEM Classic Administration Console, the Monitoring workspace (bottom left) lets you see Logon Time and Boot Time reports.
  3. Double-click a category to see more info.

  4. Configuration node (top left) lets you configure Work Days Filtering for Login/Boot Time Reports.
  5. WEM 2203 adds a Profile Container Insights report for both FSLogix and UPM Profile Containers.
  6. When you make changes in the console, if agents are already installed, you can right-click the agent icon (by the clock), and Refresh.
  7. You can also go to the Administration workspace (bottom left) > Agents node (top left). In the right pane, right-click one or more Agents, and click the Refresh options.
  8. WEM 1811 and newer periodically run UPMConfigCheck every day, or whenever the Norskale Agent Service restarts. The AdministrationAgents node in the WEM Console has a visual indicator of the UPMConfigCheck results. For status details, check the file C:\Windows\Temp\UPMConfigCheckOutput.xml on each WEM Agent Machine.

WEM Actions Configuration

WEM Actions are similar to Group Policy Preferences.

The general process is as follows:

  • Create the Actions
  • Optionally create Action Groups
  • Add AD user groups to the WEM Console.
  • Assign Actions or Action Groups to user groups. Use Conditions and Rules to perform the Action (or Action Group) for only a subset of machines or users in the user group.

Create Actions

  1. In the WEM Console, use the Actions workspace to map drives, map printers, create shortcuts (Applications), set registry keys, etc. Each Action type is a separate node. Some Action Types are not yet available in the Web Console, but new features (e.g., group policy templates, JSON Files) are only available in the Web Console.
  2. WEM 1909 and newer can Migrate or Import your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.
    1. In Group Policy Management Console, back up the GPOs that you want to import to WEM.
    2. Go to the GPO Backup folder and zip everything.
    3. In WEM Console, go to Actions > Group Policy Settings and click Import.
    4. WEM 2209 and newer let you Import Registry File.
    5. WEM 2012 and newer let you edit the imported group policies.
    6. It seems to be a registry editor that doesn’t use ADMX templates.
  3. WEM Web Console lets you configure GPOs using traditional ADMX templates. Switch to the Template-based tab. Standard Windows templates are already built into the Web Console, but you can upload more templates. 

  4. In WEM Classic Console, some Actions, on the Options tab, have a Self-Healing option. To optimize performance, WEM only applies an action once. The Self-Healing option causes it to reapply at every logon.
  5. Network Drives have no field for selecting a drive letter. Instead, you configure the drive letter later when assigning the action as detailed below.
  6. External Tasks are scripts that are triggered at user logon, reconnect or other triggers. WEM 2203 adds triggers for Process start and Process end. WEM 2009 adds triggers for Disconnect, Lock, and Unlock.
  7. Applications (shortcuts)
    1. In the Actions pane, Applications have no option for placing a shortcut on the Desktop. Instead, you configure shortcut placement later when assigning the action as detailed below.
    2. You can pull icons from a StoreFront store.

    3. Arjan Mensch at Powershell Module for Citrix WEM – Part 3 – EnvironmentalSettings and MicrosoftUsvSettings from GPO and much, much more provides a PowerShell Module that can do several things to help setup WEM, including reading a bunch of shortcuts (e.g. from Start Menu), and converting them to an .xml file that can be imported into WEM. This simplifies Applications configuration.
    4. To prevent applications (shortcuts) from being created if the application isn’t installed, go to Advanced Settings > Agent Settings > Miscellaneous (or Advanced Settings > Configuration > Agent Options), and check the box next to Check Application Existence in the Extra Features section.
    5. To clean up extra shortcuts, go to Advanced Settings > Action Settings > Action cleanup (or Advanced Settings > Configuration > Cleanup Actions), and check the boxes in the Shortcuts deletion at startup section. Also see CTP James Kindon Citrix WEM, Modern Start Menus and Tiles.
    6. After you create Applications (Shortcuts), and assign them, on the agent, there’s a Manage Applications tool that lets users control where shortcuts are created, including pinning to Taskbar and Start Menu.

    7. Applications can be placed in Maintenance Mode. Edit an application, and find the Maintenance Mode setting on the Options tab.
    8. This causes the icon to change, and a maintenance message to be displayed to the user.

    9. The Applications node has a Start Menu View tab on the top right.

  8. For the Printers Action, there’s a Add from print server button or in the ribbon there’s a Import Network Print Server button.

    1. Web Console uses the WEM Tool Hub to browse the print server.


  9. JSON Files are Web Console only. This Action lets you configure Microsoft Teams settings.

    1. Click the Generate with template button.
    2. Choose your desired Microsoft Teams configurations.
  10. WEM 2311 and newer support Registry Entries in the Web Console. There’s an Import button that can import .reg files.

    • On the top right is a Settings button. 

    • If Registry Actions are not applying, delete HKEY_CURRENT_USER\Software\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\. (Source = Registry Entries not applied to users at Citrix Discussions)
  11. WEM 2311 and newer have File System Operations in the Web Console. There are several Action types.

    1. There’s a Settings button on the top right.

  12. WEM 2311 and newer have File Associations are available in the Web Console. It uses WEM Tool Hub to configure the FTAs.

  13. CTP James Kindon at File Type Association with WEM and SetUserFTA explains how to use WEM to run Christoph Kolbicz’s SetUserFTA utility to reliably set file type associations on Windows 2012 and newer.
  14. For variables that can be used in the Actions configurations, see CTP James Kindon WEM Variables, Dynamic Tokens, Hashtags and Strings.
  15. Action Groups are not yet available in Web Console. You can combine multiple Actions into an Action Group. Then you can later assign the entire Action Group to a user.

    1. Create an Action Group and name it.
    2. Double-click the Action Group to show the actions on the bottom.
    3. On the bottom, move Actions from the Available box to the Configured box.
    4. For more info, see Action Groups at Citrix Docs.

Create Conditions and Rules

Once the Actions and Action Groups are created, you then need to decide under what conditions the Actions are performed. One or more Conditions are later combined into a Filter (or Rule). The Filters (or Rules) are used later when assigning an Action to a user group.

  1. In Web Console, go to Assignments > Filters and click the Manage Conditions button and then click Create condition. Select one of the many condition types. 

    • Or in Classic Console, go to the Filters workspace (bottom left). On the top left, switch to the Conditions node. In the right pane, create Conditions.
  2. One of the interesting Conditions is User SBC Resource Type, which lets you run Actions for either Published Desktop or Published Application.
  3. CTP James Kindon at WEM filter conditions on OU and IP Address at Citrix Discussions says that the Active Directory Path Match condition requires a * at the end of the path.
  4. Then go back to Filters and click Create filter.

    1. Or in Classic Console, switch to the Rules node (top left) and create Rules in the right pane.
  5. If you add (by clicking the right arrow) multiple Conditions to a Rule, all (AND) Conditions must match. Web Console lets you click the circle icon to make it an OR operator, but this isn’t an option in the Classic Console. 

Add AD Groups to WEM Console

  1. In WEM Web Console, go to Assignments > Assignment Targets and click Add assignment target.

    • Or in Classic Console, go to the Active Directory Objects workspace (bottom left). With the Users node selected on the top left, in the right pane, add groups and/or users that will receive the Action assignments.
  2. Web Console also lets you add new targets when managing assignments for each action.

Assign Actions to User Groups

  1. You can assign multiple actions from one place by clicking an assignment target and then clicking the Manage assignments button.

    • In Classic Console, go to the Assignments workspace (bottom left) > Action Assignment node (top left). In the right pane, initially the bottom half is empty. Double-click a group to show the Actions that are available for assignment. 
  2. When you assign an action, you can choose a Filter.

    1. In Classic Console, move an available Action or Action Group from the left to the right. This assigns the Action (or Action Group) to the user group.
    2. You will be prompted to select a Filter, which contains one or more Conditions.
  3. When you select a Network Drive (or move a Network Drive to the right), you’re prompted to select a drive letter.

    • The list of drive letters is restricted based on the configuration at Advanced Settings workspace (bottom left) > Configuration node (top left) > Console Settings tab (right pane).
  4. Application assignment lets you choose where to create the icon.

    • In Classic Console, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.
  5. Web Console also lets you Manage assignments directly from each Action.

Actions Troubleshooting

WEM caches Actions executions under HKEY_CURRENT_USER\SOFTWARE\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\Tasks Exec Cache. Sometimes clearing these keys and values will fix Actions not applying.

CTP James Kindon at Selective Deletion of the WEM Actions Tracking Cache wrote a PowerShell script to selectively clear these registry keys and values.

Modeling Wizard

  1. In the Classic Console, in the Assignments workspace, you can use the Modeling Wizard node (top left) to see what Actions apply to a particular user.

Client Side Tools

CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.

Transformer

You can enable Transformer, which puts the WEM Agent in Kiosk mode. Users can only launch icons (e.g., Citrix icons). Everything else is hidden. This is an alternative to Workspace app Desktop Lock. The Transformer interface is customizable.

WEM 2308 and newer use Edge instead of Internet Explorer. Edge enables StoreFront to detect Workspace app and auto-launch desktops.

  1. In the WEM Classic Console, there’s a Transformer Settings workspace (bottom left) with two nodes on the top left: General and Advanced.
  2. Enable Transformer, and point it to your StoreFront URL. Note, this applies to all users and all agents in this WEM configuration set. You should probably have a new Configuration Set just for Kiosk devices.
  3. Other settings on the General Settings tab let you customize the appearance, and specify an unlock password. You probably want to disable the Clock. The Navigation Buttons are browser navigation.
  4. Transformer can be unlocked by pressing Ctrl+Alt+U and entering the unlock password.
  5. On the Site Settings tab, you can add website URLs that can be launched from within Transformer.
  6. At the top of the Transformer window is a Sites icon that lets you go to the sites listed in the WEM Console.
  7. The Advanced node lets you configure Transformer to launch a process other than a browser.
  8. The Advanced & Administration Settings tab lets you hide features from Transformer.
  9. To prevent users from accessing the local system, consider checking Hide Taskbar & Start Button.
  10. You probably want Log Off Screen Redirection to redirect users to the logon page when StoreFront logs off.
  11. The Logon/Logoff & Power Settings tab lets you configure the WEM Agent to autologon as a specific account. Transformer then displays the StoreFront webpage where the user enters his or her credentials.

548 thoughts on “Workspace Environment Management (WEM) 2311”

  1. Hi Carl,

    after setting up WEM 1811 I got following entries in the Citrix WEM Infrastructure Service Debug Log:
    Exception -> AdminBrokerService.CreateVuemADObject() : invalid column name “ADObjectId”
    and
    Warning -> AdminBrokerService.GetVuem “xxx” for each Get Function.

    Can´t add an AD-Object or OU – Admin Console will close after trying to add with an unhandled exception.

    Can you help here?

    1. Thanks for catching that. I updated the links. CUGC recently changed sites and the old links were broken.

  2. Hi, thx a lot for your blog!! I have some problems, I have make a update of the WEM, since i have some problems too publish a new shortcut. I can’t change the path from the application i must copy the shortcut on localhost for a good mapping.

  3. Hi Carl –

    I’m just setting up a WEM production environment after installing our WEM TST environment. We share a single AD Domain, i’m a little confused as to how these two WEM environments can exist side by side due to duplicate SPN’s for Norskale/BrokerService? When attempting to register the WEM PRD SPN I get duplicate SPN errors, likely because the WEM TST environment service account already has SPN registered for the Norskale/BrokerService.

    What is the recommendation for this?

      1. Security mandates that TST and PRD do not share service accounts, but I was considering writing a waiver as its the only way I can see this working.

      2. No unfortunately security dictates that TST and PRD systems not share service accounts, Healthcare and there is some pretty stringent requirements around security separation. Is there any other way to accomplish this?

  4. Hi Carl, would like to know best practices for an active-active XD site – whats are options for profile replication? is there full support from WEM? or is it with help of DFSR

  5. Hi Carl, I am struggling to lock Kiosk down well and Citrix Desktop Lock isn’t very good. Is there a way to just install WEM Transformer on the thin client end without a WEM Server Infrastructure?

      1. If budget wasnt a issue I would go dor ThinKiosk, However, wem is free with Platinum/Premium Citrix License. Is there ability to manage the thin clients in terms of write filter and use kiosk mode for local user accounts and is WEM Transformer supported in Citrix Cloud? We only want to use WEM for Thin Client endpoints only as we use appsense for vdi

  6. Hi Carl,

    we are ahving a problem with the broker service crashing in 4.3. This seems to be a known issue and Citrix recommends upgrading to 4.4 or newer.
    Do you know if it is possible to update the broker and leave the agents on 4.3 for a while? There is no way we can update all agents in time and would need to run some on the older version for a while… Can they still connect and get their settings?

  7. Hello Carl,

    I am a great fan of your articles and had been following you for almost a year now. I am setting up a new Citrix 7.15 XenApp/XenDesktop Farm with approx. 150 Server, 100 applications with over 3000 users.

    Our security team has just bought the whole suite for Ivanti products, however I am not very hands on with their products. Had been trying to configure the whole stuff but the support and available documentation is not even at par with your central repository of articles.

    What are your views : Shall I start around WEM or keep sticking to Ivanti?

    1. Ivanti gives you much control over user profiles and user policies. More control = more effort to configure it correctly. There are Ivanti consultants that can provide you a baseline configuration that can be tuned for your environment.

      I tend to favor simpler technologies, like Citrix Profile Management, because they are “set and forget”. But UPM doesn’t have cross-platform migration, and resetting the profile means resetting all settings, not just one application.

      For policies, I tend to use Group Policy Preferences because it’s a well-understood technology. WEM mostly only provides resource optimization (CPU/Memory). WEM can’t replace GPOs or UPM.

  8. Hi Carl, can we use multiple sites with XenApp 7.15 CU2 on Windows Server 2016 and XenDesktop 7.15 CU2 VDI environment?

    I get the issue Broker Server Name or Broker Port Error on the VDI? We use the same policy for WEM as for XenApp and there is no issue there.

    Please advise.

      1. Maybe Some aditional information. The environment is XenApp, but the Windows 10 LTSB 2016 desktop has the XenDesktop VDA. And yes IT did work with WEM 4.6. Only problem I had then was if we rebooted the VDI, the WEM agent did not launch.

        I will have a look at the log file today and let you know.

        Thanks.

  9. Hello Carl,

    I have 6 configuration sets in my infra. I made some changes in one configuration set, Is there any possible way that i can copy/replicate the same configuration to other configuration sets.

    Any thoughts please 🙂

  10. Hi Carl,

    We got some issues with getting a norskale toast message when people start their published applications.
    The error message It states:
    Norskale Vuem Agent
    An error occured while building your environment. Agent processing will now stop. Please contract your Administrator.

    In de log files we can only find this:
    12:44:14 Event -> AgentControllersHelper.OpenDataConnection() : Detected connection security -> Negociated
    12:44:14 Event -> MainController.InitializeConfiguration() : Reading Agent Initial Configuration…
    12:44:28 Exception -> MainController.InternalRun() : The creator of this fault did not specify a Reason.
    12:44:28 Exception -> AgentAutomaticRefresh.MainControllerEventListener() : Error While processing Silent Automatic Refresh

    You got any idea what could be failing? It happens a few times, but works correctly most of the time.

    1. Is this 4.6? If so, you might have to call Support since there are several bugs they have private fixes for.

  11. “Enabling this eliminates a 2 minute delay before WEM Agent starts.” This doesn’t seem to be a problem in WEM4.5

  12. Carl, any chance you know how WEM Memory management works with Dynamic Memory Control on XenServer for dedicated persistent Windows Desktop machines?

  13. Hi Carl,

    Great post!
    Question: We have a mixed environment. Citrix (windows Server 16) and Desktops (windows 10). Is there a way to use WEM and UPM to roam the profile settings between the Citrix and non-Citrix environment?
    Thanks and Regards

  14. hi, have wem 4.5 installed , got since yesterday the following popups at the users.

    11:41:58 Warning -> UiAgentController.OnConnectivityStateChangeReceived() : Connection State Change Detected. Agent is now : Offline
    11:46:58 Warning -> UiAgentController.OnConnectivityStateChangeReceived() : Connection State Change Detected. Agent is now : Online

    wem broker is installed on seperate machine, has no performance problems.

    can i disable the user popups on the wem agent?

  15. Hi Carl,
    Thanks again for another great post. Quick question: In your view, is Mandatory Profiles and WEM a workable (or desirable) solution for Profiles? Or not? Would love to know your reasons or broader thoughts on the topic. Thanks!

  16. Hi Carl –

    If the WEM database went offline or were otherwise unavailable, would that only impact the ability to log into the console and update or create configurations? Or would that also impact the agent’s ability to get its configuration from WEM?

  17. Hi Carl,

    Just wanted to see if you could update the article for Transformer that Desktop OS’s are supported by Citrix and that some of the features like power options are not available on Server OS

    1. Are you referring to Transformer auto-launch? If so, auto-launch definitely does not work today in Transformer.

      The Power Options in Transformer are for the endpoint machine, not the VDA. Is that what you mean?

      1. I recently had a case with Citrix support and they reported that users are unable to use any power function (Log off, restart, or shutdown) while transformer is enabled on a Server OS (in my case 2012 R2) and that the only supported OS’s for users to be able to log off of a session is Desktop OS’s (Win 7).

  18. Is there a way to force a complete resync of agent settings? For some reason, my new settings do not sync, even something as easy as enabling and disabling the explorer context menu.

    1. In the WEM Console, there’s an Agents node. You can right-click the agent to force a refresh. Does that work?

  19. There is a typo or misconfig in the screen that shows the SQL Server Name, Instance, Port and path.

    It should be

    Servername,port\instancename

    1. Thanks. I’m not sure it matters because the instance name should be ignored when a custom port number is specified.

  20. Hi all. I have implemented 2 wem servers load balanced. On the 1st server in the path “C:\program files(x86)\Norskale\Norskale Infrastructure Services\Licensing” i can see a licensing configuration setting file, which created after running 1st time the administration console. On the 2nd this file does not exists.
    What will happen if the 1st server is not available ?
    Do i have to copy it manually on the 2nd server?

    thanks.

    1. Where did you configure licensing? In the Infrastructure Service configuration tool? Or inside the console as part of the Configuration Set?

  21. I have successfully gotten WEM configured for UPM and it is working well. I have also configured applications and I am able to pin those items to the taskbar and the start menu. I am not having any luck with roaming pinned items though. When a user pins an item that they want pinned it will not roam with them so they have to re-pin the item each time they log in.
    In my research I am seeing where people have sync’d the following location
    C:\Users\(user-name)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
    I have gotten this to sync properly with no issues. It also states that I need the following reg:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
    I have added this location into the registry for the UPM settings within WEM but it is not pulling over the correct pinned icons.

    Any thoughts on how I can get these items to roam?

  22. Hi Carl.

    The path of the GPO/WEM regkeys are incomplete. You forgot to put \Agent Host\ after \Norskale\

    Corrected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UsvMachineConfigurationSettings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings

  23. I have noticed that for some reason Citrix WEM doesn’t treat local administrator user accounts as administrators when it applies the environmental settings.
    And yes, the “Exclude Administrators” option is activated.
    That is really annoying, especially when you set up Platform Layers wit CELM or have to check out or fix something using the local administrator user account.
    Is there any way to prevent that from happening?

  24. Hello Carl,
    We have WEM4.3 setup running with XA7.14.1 ina cross domain scenario. DCCs and WEM brokers are in one Domain and VDAs are in separate Domain having two-way trust. We are facing issue in the UPM setting replication issue. Either it takes longer time or sometimes does not replicate. Also We have incident where all user settings reverted to some Old policy and restricted the user access completely. Recreating the user profile resolved the issue but we are not able to find the root cause. Any pointers will be helpful.

    1. What do you mean by “setting replication”? Are you referring to WEM configuration Profile Management settings? I personally always use GPO to configure Profile Management because it’s much more reliable.

  25. Carl!

    Could be that the installation parameter is false?

    You write:

    “\\fs01\bin\Citrix\WEM\Workspace-Environment-Management-v-4-05-00\Citrix Workspace Environment Management Agent Setup.exe” /v”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\””

    In my environment between /v” and AgentCacheAlternateLocation should be a space, otherwise the installer interpret is as one string and in WEM 4.5 “AgentServiceUseNonPersistentCompliantHistory” doesn’t exists any more.

    https://docs.citrix.com/en-us/workspace-environment-management/current-release/whats-new.html

    1. I tried this exact command and it worked. No space after the /v. Yes, it should be one string after the /v. Any quotes inside the string need to be escaped (\”). The /v switch passes the entire string to the MSI file.

  26. Hi Carl,
    In PVS environments we can redirect the cache to the same disk that pvs uses for the cache, but how do we configure the WEM Agent in MCS environments?

  27. I am using PVS 7.14 with Windows 2012 OS Target Devices using “Cache in device RAM with Overflow on Hard Disk”

    I did install the WEM Agent with the Installer Switches that let you move the WEM cache file to the PvS cache disk: This cache disk is the same disk I use for the OS WriteCache D Drive.
    Somehow the WriteCache D Drive is filling up fast and cant find a way to stop the D drive to fill. Any ideas ?

        1. Use procmon to see what’s modifying the files on the C: drive. Maybe antivirus or backup or something like that. You can set the procmon filter to Category = Write.

  28. Hi Carl,

    as Citrix recommends in this article (https://support.citrix.com/article/CTX225997) to install the WEM Agent within the Platform Layer already. That way you also won’t have that Netlogon service related issue as both dependency entries reside in the Platform Layer by default.
    Maybe you want to point this out in your install guide above.
    As this article also gives some advices regarding creating the App-V user account in the OS Layer of CLM you might want to mention this in your CLM guide, too.

    Best Regards

    Ewald

  29. How do we install the wem agent on a machine that is created with MCS and non-persistent? I see the how to for PVS, but there is no option for a second disk.

  30. In did a fresh install in my lab. I do not see process management. I do see the other CPU, memory, and io. Thoughts?

  31. Is there a stand alone version of WEM available that can be installed on the end point to lock down the local OS without having to built the whole infrastructure (brokers/database/NS etc)

  32. Hi Carl, do you know if the backwards compatibility works the other way? I would like to upgrade the WEM infrastructure and console prior to deploying the new agent to our gold image, we heavily rely on WEM. will the 4.3 agents report in and function correctly on 4.4 infrastructure? Many thanks for all your amazing contributions to the community, your guides are always my first point of call!

  33. Hi Carl. I have installed the version 4.4.5 that includes application security. I have some hard time to get script rules to apply. I managed to get exe rules just fine but script rules will not. Any sugestions?

  34. Hi Carl,

    Can WEM do script executions [PS/VB]? is there a way to run custom action on disconnect/reconnect like closing a program etc..?

  35. Hi Carl,
    Wonder if you have some thoughts on this.
    XD 7.14. Windows 10 Enterprise VDA setup in Catalog with MCS. Implemented WEM for control of most everything including UPM Profiles and Redirected Folders. Created an application catalog for Word and Excel, currently just one Server 2016 standard edition also deployed with MCS (Wem agent VDA, and UPM agent installed). Desktop shortcuts show up. Applications will launch. Application association working just fine.
    User can log in and log out all day long as long as they don’t launch one of the shared applications. If they do all will seem just fine until they log out. When they log back in we get stuck at the “Critical Error , Start Menu and Cortana aren’t working…. “Sign out now”. Only way to get past the error is delete (or rename) the user’s Profile folder on the server. Our theory is something is going wrong with the shared application session and updates to the user’s profile.
    Hope you might have some thoughts or a good way to test what’s wrong.
    Thanks
    Kevin

    1. What do you mean by “shared application”? Do you mean “All Users” (or Public Desktop) shortcut? Or do you mean shortcut created by WEM. If you move the shortcut to a per user location, does that work?

      1. Hi Carl,
        Sorry my terminology is probably off. Not sure how to correctly make this reference. MS Word 2016 (and Excel) are installed on a Server 2016 R2 Server with the VDA and WEM agent installed. I’ve used MCS to create a 1 vm catalog, then a Delivery Group to share (“publish”) Word and Excel no desktops in this delivery group. My main desktop delivery group has Receiver with SSO enabled. When a user logs in to their virtual desktop session the Word and Excel icons show up on the desktop as I would expect. Both of these icons work, I can see the user’s additional sessions in Director. It’s fast, and has access to printers, and storage. Seems just perfect. Except for the subsequent logins which get the error message and leaves the user’s session useless.

        Also a funny discovery. I have “delete desktop icons” enable in WEM. I think this is why when I close Word or Excel the desktop icons for these apps disappear. If I uncheck this option then a new icon for each app shows up after each login.. labeled (1) and (2) and so on….

        I do think I’m dealing with an incompatibility between Win 10 and Server 2016 profiles (or redirected Start Menu). I’ve quickly spun up another Windows 10 Catalog and Delivery group to share Notepad. This works, and does not create the error message on subsequent logins.
        Hope this clarifies.

        Kevin

  36. Hi Carl,

    Thanks for the info. Is there any way to make the Actions / Filters / Assignments global? I would require some registry settings ,for example to be applied to all config sets, but would like not to manage each setting on a per set basis.

  37. Hi
    Have you seen issues with missing Application Security feature under Security in WEM Console after upgrade from 4.3 to 4.4??

    On a fresh install of 4.4 I have the feature under Security in the WEM Console.

    1. It was accidentally enabled in the install. They refreshed the installer so it no longer enables. Download it again and it should no longer enable on a fresh install.

      1. Just to understand, the feature was not ready for 4.4??
        Used the same installer for two environments, one was an upgrade from 4.3 to 4.4 and the other was a new install.

  38. Hi Carl,

    Love and appreciate all your work. I am having the same issue as David:

    Hi carl,

    I am having an issue with Transformer and hoping you can point me in the right direction. I have configured the
    policy and applied a GPO that points the agent to the broker and site. When I apply the GPO to a windows 10 XD
    VM I have, it works perfectly. When I apply it to a win 10 physical machine, it does not. WEM agent is installed
    and the GPO is applied to the machine. If I make a change to the transformer policy for the site and then update
    the WEM cache on the machine, it does get the update. Also, if I check the Agent info in WEM Console, it shows
    that machine is in the correct site. Is there something else that needs configured or applied? Does Citrix Receiver
    also need to be installed? This physical machine is a fresh install and has very few programs installed.

    I have an open ticket w/ support, but it’s been difficult due to how new this component is in the Citrix portfolio.

    To expound:

    The agent launches but doesn’t start transformer or the program configured to auto-launch. Reviews of the log so that Kiosk mode is enabled (True).

    A refresh from the client or server does not force transformer to work, however if I exit the agent and re-launch the Transformer works as expected.

    This is the last piece to iron out so we can use transformer to replace desktop lock, but we need the agent to start and run transformer and it’s configured application when a user logs in/upon restart etc.

    Tried using batch files and scheduled task as a work around, but this is kluge and doesn’t work.

    Any help would be greatly appreciated!

    Thank You!

    Derek Black

  39. Hello Carl,
    Manage Applications tool that lets users control where shortcuts are created, (QuickLaunch) is greyd is it possible to enable?
    with me application i am enabled already!!

  40. We just upgraded our Dev environment from 4.3 per this guide. When I updated the agent in our first PVS image (WEM cache on persistent disk) I found that I could not get a successful sync. This shows up in the debug logs:

    11:07:27 AM Exception -> AgentLocalCacheSync.() : Cannot apply changes because the local provider does not have adapters configured for the following tables that were received from the remote provider: VuemAppLockerRule, VUEMAppLockerRuleAssigments, VUEMPublisherRuleCondition, VUEMPathRuleCondition, VUEMHashRuleCondition, VUEMFileHash. Ensure that the correct adapters have been added to both providers for Scope ‘AgentCache’, and that any table mapping has been correctly configured.

    If I stop the agent service, delete the persistent WEM cache and start it back up I am able to sync successfully again. Has anyone else seen this? My fear is that we’ll have to reset the WEM cache on thousands of PVS target devices…

  41. Hello Carl,

    I have a problem when I run the agentcacheutility.exe i get the following error:

    C:\WINDOWS\system32>”C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe” -refreshcache -brokername:fgridctxwem01
    Citrix Workspace Environment Management Agent Cache Management Utility – By Citrix Systems, Inc – Version 4.3.0.0
    Broker Server Name or Broker Port Error
    Operation Completed with Errors

    Are there any special requirements which need to be met in order for agent registration to work? Firewall communication is allowed between the WEM broker server and the agent machine.

  42. Carl I’m curious as to what your take is on the WEM licensing model.

    I’m getting conflicting answers on the rules for number of WEM agents that are allowed per the XenApp entitlement. At Synergy, the WEM booth the guy told me I could have 1 WEM agent per XenApp license on any device (vda or non-vda). I went to double check with my Citrix rep this week and they are saying something different. They say if I have 500 XA licenses and 400 are in use, I could only install the WEM agent on 100 non-vda devices which would then act as an in use XenApp license. If you read what’s on the Citrix Licensing portal (https://www.citrix.fr/buy/licensing/product.html) that doesn’t sound right to me.

    “If you licensed XenApp Platinum Edition, you may use the WEM component to support physical desktops which are not part of a VDA deployment in addition to your VDA deployment, but total usage of WEM may not exceed total licenses purchased.”

    In my mind, that’s saying if I have 500 XenApp licenses, I can have 500 WEM agents, either VDA or non-VDA. No where in there does it say anything about concurrent users using XenApp or a WEM agent acting as a connected user taking up a license. The license server doesn’t reflect a connected WEM agent as a user either.

    What do you think (know)?

    1. My suspicion is that you can deploy WEM Agent to any machine accessed by a licensed Citrix user. I just asked the Product Managers for confirmation.

      1. From Citrix Discussion:
        “I’m the product manager for WEM and your REP is correct, the intent was to provide a clear message that you can use WEM on physicals if you had enough licenses.

        WEM + VDA = 1 License
        WEM = 1 License

        I will get the wording tightened up on the licensing page to make it clearer, you are correct this is a EULA only enforcement not a license server check at this time but we will be working on that.”

        1. So is it “per device”, or is it “per user”? If per user, I would expect unlimited devices (and VDA) for that user.

          1. The way I’m understanding it is that if I have 500 XenApp CCU licenses, and I have 400 licenses being used for active connections, then I can only have 100 non-vda WEM agents out in the environment. Which doesn’t make sense to me at all. If I’m using WEM to turn a PC into a Transformer kiosk type device to use Citrix Receiver, then it would seem I need a XenApp license for that device, and then another license for the user on that device using accessing the apps…which seems a bit excessive. I don’t really know at this point…but I think it could use some attention from Citrix to clear up when you can and can’t use WEM.

          2. It would be very complicated to handle CCU Licenses that are usually meant to assign one License for one user, who is acting on different devices, also as per device Licenses especially for WEM.
            This simply makes no sense and causes just troubles.
            Just think of a user who is working on a Windows Thin Client managed by WEM and accessing from there a XenDesktop VDA in a Data Center which is also managed by WEM. That would require two CCU licenses in that case.
            Or another example:
            A user is working on a PC managed by WEM and accessing from there a XenApp Host which is also managed by WEM. In that case I would have to reserve one CCU License per managed XenApp Host.

            @Citrix Licensing Team:
            Please keep such things in mind when you’re planning licensing stuff.
            CCU should usually be one License assigned per user, who is working commonly on more than just one device, especially when it comes to WEM or Citrix Profile Management!

          3. @Tyson Glaser:
            Based on the License statements it would mean the following based on your example:
            If you have 500 CCU licenses you are allowed to use WEM up to 500 times concurrently, as it was said explicitly “total usage” and not “total installations” in the License statements.
            However, this also includes the XenApp Hosts in this case, if they have WEM Agents installed.
            Therefore, if you have 12 XenApp hosts with WEM Agents installed that are running simultaneously in your farm, you can use WEM 488 times on other devices concurrently, like for example physical PCs or Notebooks.
            As long as you haven’t more than 488 other devices at all that have WEM Agents installed it won’t be a difficult task to obey the License Requirements there.
            But if the amount of your devices with WEM Agents installed exceeds 488, well, then this might become a difficult task, as the License Manager doesn’t check that either…

  43. Hi Carl,

    I am having an issue with Transformer and hoping you can point me in the right direction. I have added the policy and it worked perfectly on a XD win 10 vm I have. However, when I can’t get it to work correctly on a win10 physical machine. I have a GPO pointing the machine to the broker and the correct site. I have verified it is pulling down the settings, but when I login, transformer isn’t launching. The issue seems to be that VUEM Agent isn’t launching. If I manually launch it from program files (x86)…, transformer immediately launches. I just can’t for the life of me figure out why it isn’t launching automatically. I do have the Advanced Settings > Configuration > Launch Agent at Logon checked, which I did after it wasn’t working, but even after that, it still isn’t working.

    Any thoughts?

  44. Hi carl,

    I am having an issue with Transformer and hoping you can point me in the right direction. I have configured the policy and applied a GPO that points the agent to the broker and site. When I apply the GPO to a windows 10 XD VM I have, it works perfectly. When I apply it to a win 10 physical machine, it does not. WEM agent is installed and the GPO is applied to the machine. If I make a change to the transformer policy for the site and then update the WEM cache on the machine, it does get the update. Also, if I check the Agent info in WEM Console, it shows that machine is in the correct site. Is there something else that needs configured or applied? Does Citrix Receiver also need to be installed? This physical machine is a fresh install and has very few programs installed.

    Any guidance you can provide would be greatly appreciated.

  45. great article! Thanks Carl. Does WEM require its own server? or can it be installed on the same server as a delivery controller, or Director?

    1. It should work fine on a Controller. But for larger environments, it should be its own servers.

      1. Hi carl, with a customers environment (+1000) Users it should it more Brokerserver, right? IO Requirements? i Think, It is required to Loadbalance the broker service?

  46. Is there a way to trigger the WEM Agent “Refresh” in the context menu of the system tray icon with a command line ?

  47. Thanks Carl for this effective documentation.
    After upgrading an installation from 4.2 to 4.3, the Norskale Infrastructure Service crashed intermittently.
    There is a private hotfix available for this issue (Infrastructure Service v4.03.00.01), contact Citrix support for it.

  48. Hi Carl,

    For a PVS vDisk that was created via the ELM (Citrix App Layering), should the agent be installed as an application layer or in the platform layer similiar to the VDA. Also, should we use the install parameters to redirect the WEM cache to the overflow drive in any of those layers if that Overflow drive does not yet exist or ?

    1. Hi Willy Wonka,

      have a look at Carls Citrix App Layering guide here on this site.
      If I remember it correctly Citrix Best Practices recommend to install it into the Platform Layer, too.

Leave a Reply to james Cancel reply

Your email address will not be published. Required fields are marked *