Workspace Environment Management (WEM) 2303

Last Modified: May 30, 2023 @ 2:05 pm


This post covers Citrix Workspace Environment Management (WEM) versions 2303, 1912, and 4.7 through 4.1.

ūüí° = Recently Updated

Change Log


Workspace Environment Management¬†(WEM) is Citrix’s Performance Management and UEM (User Environment Management) tool for all XenApp/XenDesktop Enterprise or Platinum Customers with active Software Maintenance (Subscription Advantage is not sufficient). The WEM Agent is supported on XenApp 6.5, and XenApp/XenDesktop 7.x. Videos:

Note: WEM does not replace Citrix Profile Management. You usually implement both.

Citrix Blog Post User Experience on Steroids: Citrix Workspace Environment Management has a list of Frequently Asked Questions about WEM, including a drawing of the architecture.

From Hal Lange at Database sizing at Citrix Discussions: SQL Always On is fully supported.  In WEM 1909 and older, the ONE caveat is to remove from the Always On Availability Group before upgrading.

Here are the official calculations from the Norskale days on space needed on the SQL Server:

  • Reserve 1GB of RAM per 1,000 users deployed
  • RAM=1.5GB system + (1.5GB SQL + 1 GB per 1,000 users) for that SQL instance
  • Disk = 1GB per 10,000 users per year + 10 MB per WEM site configured

Upgrade WEM

There is no LTSR version of Citrix Workspace Environment Management (WEM), so you should always upgrade to the latest version of WEM.

From Upgrade a deployment at Citrix Docs: In-place upgrades from versions earlier than Workspace Environment Management 4.7 to version 1808 or later are not supported. To upgrade from any of those earlier versions, you need to upgrade to version 4.7 first and then upgrade to the target version.

If you want to upgrade a WEM deployment earlier than 2006 to 2209 or later: To avoid database upgrade failures, upgrade to 2103 first and then to 2209 or later.

CTA Marco Hofmann at CUGC: How-To: Update Citrix Workspace Environment Management (WEM) from 4.x to 4.7 (v4.07.00.00)

To upgrade Citrix WEM:

  1. In-place upgrade the Citrix Licensing Server. No special instructions.
    • Ensure the installed licenses a non-expired Subscription Advantage date.
  2. Before you upgrade, run WEM Infrastructure Service Configuration Utility and record all settings.
  3. In-place upgrade the WEM Server. No special instructions.
  4. Use the Database Maintenance tool to upgrade the WEM database.
    • In WEM 1909 and older, before upgrading the database that’s in a SQL Server Always On availability group, you must remove it from the availability group. This is no longer required in WEM 1912 and newer.
  5. You might have to run the WEM Infrastructure Service Configuration Utility on each Broker to point to the upgraded database. If the settings are still there, then just click Save Configuration.
  6. In-place upgrade the WEM Console. No special instructions.
  7. In-place upgrade the WEM Agents.

Install/Upgrade WEM Server (Broker Service)

There is no LTSR version of Citrix Workspace Environment Management (WEM), so you should always upgrade to the latest version of WEM.

The WEM Broker Service can be installed on one or more servers, including Delivery Controllers. The WEM Agent cannot be installed on the Broker Server.

A WEM Server with 4 vCPU and 8 GB RAM can support up to 3,000 users.

  1. Port 8288 – WEM 1912 and newer have a new port 8288 for WEM Agent Cache Synchronization. You’ll need to add this port to your load balancer and open it in your firewall.
    • Port 8285 is still available for WEM Agents 2012 and older connecting to newer WEM Servers.
    • Old port removed – The Cache synchronization port (8285) was removed from WEM Server 2103 and newer, so make sure your existing agents are a version that supports the newer Cached data synchronization port. WEM Agent 1912 and newer should be sufficient.
    • If your existing WEM Agents don’t support the new port number, then upgrade your WEM Server to version 2012 (or version 1912), upgrade your WEM Agents to the corresponding version, and then upgrade the WEM Server to a newer version.
  2. Download Workspace Environment Management 2303 and extract it.
  3. If you are upgrading, run WEM Infrastructure Service Configuration Utility and record all settings. These settings might be wiped out during the upgrade.
  4. Licenses – make sure your installed CVAD licenses have a CSS date that is later than the date required by your WEM version. The required CSS date is shown at the top of the WEM download page.
  5. Run the downloaded Citrix Workspace Environment Management Infrastructure Services Setup.exe from the 2303-01-00-01 folder.
  6. If you see a prerequisites screen, then click Install to install the prerequisites.
  7. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Infrastructure Services page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Customer Information page, click Next.
  10. In the Setup Type page, click Next.
  11. In the Ready to Install the Program page, click Install.
  12. If you are upgrading, you might be prompted to restart applications.
  13. In the InstallShield Wizard Completed page, click Finish.
  14. Antivirus –¬†C:\Program Files (x86)\Norskale\Norskale Infrastructure Services must be excluded from Antivirus scanning. Or exclude: Norskale Broker Service.exe; Norskale Broker Service Configuration Utility.exe; Norskale Database Management Utility.exe.
  15. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured. Note: this folder seems to be missing in newer versions of WEM.
  16. Firewall – Ensure firewall allows the following ports to/from the WEM Broker servers. See Citrix Tech Zone Communication Ports Used by Citrix Technologies.
    • Agent Port – defaults to TCP 8286 – from WEM Agent to WEM Broker
    • AgentSyncPort – defaults to TCP 8285 – from WEM Agent to WEM Broker
    • Cached data synchronization port – defaults to TCP 8288 – from WEM Agent 1912 and newer to WEM Broker
    • AdminPort – defaults to TCP 8284 – from WEM Admin Console to WEM Broker
    • Monitoring Port – defaults to TCP 8287 – from Director to WEM Broker
    • AgentPort – defaults to TCP 49752 – from WEM Broker to WEM Agent
  17. See¬†CTX218965¬†Error: “Server sent back a fault indicating it is too busy to process the request” and the WEM Agent fails to connect to the Broker Service if you need to throttle the number of connections if you have insufficient resources on the WEM Broker server.

Upgrade WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management 2103 SDK at Citrix Developer docs.

To upgrade the Workspace Environment Management database using the GUI tool:

  1. If this is a new install, skip to Create WEM Database.
  2. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  3. On the WEM server, run Database Management from the Start Menu.
  4. If upgrading, in the ribbon, click Upgrade Database.
  5. In WEM 1906 and newer, the fields might already be filled in. Otherwise:
    1. Enter the SQL Server Name.
    2. Enter the existing WEM Database Name.
    3. Configure the credentials for the WEM service account.
  6. If your account is not a sysadmin on SQL, then enter a SQL account in the Database Credentials fields.
  7. Click Upgrade.
  8. Click Yes when asked to proceed.
  9. Click OK when prompted that database upgraded successfully.
  10. Click Finish to close the Database Upgrade Wizard.
  11. Close the WEM Database Management Utility.
  12. Open services.msc and restart the Norskale Infrastructure Service.

After the database is upgraded, run the WEM Infrastructure Service Configuration Utility.

  1. If the upgrade preserved the settings, then simply click Save Configuration. The service won’t start unless you do this.
  2. In WEM older than version 1906, you might have to re-configure the settings.
    1. On the Licensing tab, configure the licensing server.
    2. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
    3. On the Advanced Settings tab:
      1. Enter the Infrastructure service account credentials.
      2. Enter the vuemUser SQL user account password.
      3. In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
      4. Make a choice regarding Google Analytics.
    4. The Advanced Settings tab will look something like this.
    5. On the Database Settings tab, enter the database server name and database name.
    6. In the ribbon, click Save Configuration.
  3. Click Yes to restart the Broker Service.
  4. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured. This folder doesn’t exist in newer versions of WEM.
  5. Skip ahead to upgrade the WEM Administration Console.

Create WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management 2103 SDK at Citrix Developer docs.

To create the database using the GUI tool:

  1. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  2. Make sure SQL Server authentication (mixed mode) is enabled on the SQL server > Properties > Security. Even though the WEM Broker server runs as an AD account that is used login to SQL, WEM Broker also uses a SQL account named vuemUser, which means mixed mode must be enabled. Source = John Long at WEM new install, cannot connect to infrastructure server at Citrix Discussions.

  3. On the WEM server, run WEM Database Management Utility from the Start Menu.
  4. If a new install, in the ribbon, click Create Database.
  5. In the Create database Wizard page, click Next.
  6. In the Database Informations page, enter the SQL server name, and enter a new Database Name.
    1. Only enter an instance name if you have a named SQL instance.
    2. Only enter a port number if your SQL instance is listening on a static port number other than 1433.
    3. From Måns Hurtigh at Problem creating WEM 4.3 Database on SQL Server 2012 at Citrix Discussions: The database name cannot contain a dash.
  7. The paths might not be correct so double check them. Then click Next.
  8. In the Database Server Credentials page, if your account has sysadmin permissions, then leave the box checked. Otherwise, uncheck the box, and enter a SQL login that has sysadmin permissions. Click Next.
  9. In the VUEM Administrators section, click Browse, and select your Citrix Admins group.
  10. In the Database Security page, if you intend to load balance multiple WEM servers, then specify a Windows service account for database access. The Broker Service will run as this account. See the load balancing topic at Install the Citrix Workspace Environment Management Infrastructure Services at Citrix Docs.
  11. The Database Creation Wizard also creates a SQL account called vuemUser with an 8 character alphanumeric password. If you want it more complex, check the box and specify the password.
    • Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Also see SQL Server Always On at Citrix Docs.

  12. Click Next.
  13. In the Database Information Summary page, click Create Database.
  14. Click OK when prompted that the database was created successfully.
  15. Click Finish to close the Database Creation Wizard.
  16. Close the WEM Database Management Utility.
  17. There is a log file at¬†“C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log”

WEM Infrastructure Services Configuration

  1. On the WEM Server, run WEM Infrastructure Service Configuration Utility from the Start Menu.
  2. On the Database Settings tab, enter the SQL Server name and database name.
  3. Switch to the Advanced Settings tab.
  4. If you intend to load balance WEM Servers, then Browse to a service account. This service account must have access to the database.

    • The service account must be in the¬†local Administrators group on the WEM servers.
  5. Enter the vuemUser SQL user account password.
  6. In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
  7. Make a choice regarding Google Analytics.
  8. The Advanced Settings tab will look something like this.
  9. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
  10. On the Licensing tab, you can enter a Citrix License Server or newer that has valid licenses. Or you can enter the license server later in the admin console.
  11. Click Save Configuration in the ribbon.
  12. Click Yes when asked to restart the Broker Service.
  13. Close the WEM Infrastructure Service Configuration utility.
  14. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured.
  15. If you are load balancing WEM servers, then you must also create a Kerberos SPN, where [accountname] is the service account you are using for the Norskale service.
    setspn -U -S Norskale/BrokerService [accountname]

Install/Upgrade WEM Console

  1. Run Citrix Workspace Environment Management Console Setup.exe from the downloaded WEM 2303 (aka 2303-01-00-01) installation files.
  2. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Console page, click Next.
  3. In the License Agreement page, select I accept the terms, and click Next.
  4. In the Customer Information page, click Next.
  5. In the Setup Type page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the InstallShield Wizard Completed page, click Finish.

WEM Configuration Sets (formerly known as Sites)

In WEM 4.3, Sites was renamed to Configuration Sets.

  1. From the Start Menu, run WEM Administration Console.
  2. In the ribbon, click Connect.
  3. In the Database Broker Information window, enter the WEM Server name, and click Connect.
  4. Some WEM Console settings are global (every agent gets the same setting). So if you want different global settings for different agents, then you create multiple WEM Configuration sets. At the top of the window, in the ribbon, you can create a new WEM Configuration set. 
  5. WEM 1912 and newer can Backup and Restore entire Configuration Sets, which makes it easy to duplicate a Configuration Set.

    • When Restoring a Configuration Set, there’s no need to create a new empty Set. Just run the Restore wizard and WEM will try to use the original Configuration Set name. If the original Configuration Set already exists, then WEM will append _1 to the name, which you can then rename.
  6. Once you have multiple Configuration sets, you can use the drop-down to switch between them.
  7. A WEM Agent can only belong to one WEM Configuration set. Different Agents can belong to different WEM Configuration sets.
  8. In WEM 4.3 and newer, you add agents to the Configuration set at Active Directory Objects (workspace on bottom left) > Machines (node on top left). You can add OUs or individual objects (computers or computer groups).
  9. In WEM 4.2 and older:
    1. The WEM Group Policy template has a GPO setting to specify the WEM Site name that an agent should use.

Import Recommended Settings

If you have multiple WEM configuration sets, this process should be repeated for each new, empty WEM configuration set.

  1. In WEM 4.4 and newer, on the right side of the ribbon, click Restore.

    • In WEM 4.3 and older, on the right side of the ribbon, click Import Settings.
  2. In WEM 4.4 and newer, select Settings, and click Next.
  3. In the Settings Restore wizard, click Next.
  4. In the Restore from folder section, click Browse, and browse to the \Workspace-Environment-Management-v-2303-01-00-01\Configuration Templates\Default Recommended Settings folder that was included in the WEM download.
  5. In the Settings Type Selection section, check all available boxes, and click Next.
  6. In the Restore settings processing window, click Restore Settings.
  7. Click Yes when prompted to replace.
  8. Click Finish.

CTP James Kindon at WEM Hydration Kit has a collection of Applications, File System and Registry Actions that can be imported to WEM. CTP James Kindon recently added Environmental Settings to the Hydration Kit.

WEM 1909 and newer can Migrate your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.

WEM Administrators

  1. In the Administration Console, go to Administration (workspace on bottom left) > Administrators (node on top left).
  2. In the right pane, click Add, and specify an Active Directory group that can administer WEM.
  3. After adding a group or user, right-click the new administrator, and click Edit.
  4. Use the Permissions drop-down to select a role. The roles are detailed at Administrators at Citrix Docs.
  5. Then use the State drop-down to select Enabled. New administrators are initially disabled. Click OK to close the window.

WEM Agent Configuration

For configuration guidance, see CTP James Kindon WEM Advanced Guidance ‚Äď 2023¬†at CUGC.

  1. In the WEM Administration Console, in the Advanced Settings workspace (bottom left), there are several tabs for configuring the agent.
  2. On the bottom of each tab is an Apply button. Click this button periodically to save your configuration to the database.
  3. Setting on these tabs are mostly self-explanatory. Feel free to change any as desired.
  4. On the Main Configuration tab, one option you might want to enable is Launch Agent for admins.
  5. Also consider enabling Launch Agent at Reconnect.
  6. In the right pane, on the Reconnection Actions tab, you can select which modules should be refreshed on reconnect.
  7. The Agent Options tab defaults to processing printers and drives asynchronously.
  8. If WEM in Citrix Cloud, consider enabling Offline Mode and Use Cache to Accelerate Actions Processing. More info at Citrix Blog Post Workspace Environment Management agent caching explained.
  9. The Service Options tab has a setting for Bypass ie4uinit Check. Enabling this might eliminate a 2 minute delay before WEM Agent starts.
  10. On the top left, in the Advanced Settings workspace, there’s a¬†UI Agent Personalization node.
  11. In the right pane, in the UI Agent Options tab, you can change the Agent skin, and Preview it.
  12. Other settings on this page let you hide the splash screen.
  13. The Helpdesk Options tab lets you enable Screen Capture.

System Optimization

  1. The System Optimization workspace (bottom left) lets you configure the various optimizations.
  2. On the top left, click the CPU Management node.
  3. CPU Spikes Protection gives processes equal access to the CPU.
    • WEM 1909 and newer have an option for Auto Prevent CPU Spikes.
    • From Hal Lange: “CPU Usage Limit should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU.¬† Example:¬†if 2 CPU’s are available, the CPU setting should not be set above 49%,¬†if 4 CPU’s are available, the CPU setting should not be set above 24%”
    • Hal Lange demonstrates¬†Citrix WEM Performance Optimizations in a YouTube video.
  4. Other tabs on the right let you manually specify CPU priority and/or clamping.

    • CTX230843¬†WEM protection and Skype for Business + Real Time Optimization Pack has a list of processes that should be excluded from WEM¬†CPU Spikes protection.
    • From CTA Chris Schrameyer¬†WEM ‚Äď CPU LOGGING:¬†WEM does not provide any built-in logs to determine when a CPU Spikes Protection action is taken. It would be nice to know what processes are often limited, so we can then add them to a CPU Clamping policy or identify why they are using so much CPU.
  5. On the top left, click the Memory Management node.¬†In the right pane, you can enable¬†Optimize Memory Usage for Idle Processes¬†to periodically reclaim memory from running processes. This feature tells processes to flush their memory to disk. In other words, you’re trading memory for disk.

    1. WEM 2206 adds an option for Do Not Optimize When Total Available Memory Exceeds (MB). In other words, WEM does not optimize memory until available memory drops below this value.
    2. WEM 2206 adds a Memory Usage Limit for Specific Processes. Dynamic means the process memory is not limited until available memory is low.
  6. On the top left, click the I/O Management node. On the right, you can prioritize process IO.
  7. On the top left, click the Fast Logoff node. In the right pane, enabling Fast Logoff disconnects a session immediately, and runs logoff processes in the background.
  8. WEM 2003 and newer have a Citrix Optimizer feature. If you enable it, then the WEM Agents will disable services and scheduled tasks according to the settings in the template. WEM comes with built-in templates, or you can add your own. Only one template can be assigned to an operating system version.
    • WEM 2012 and newer have an option to¬†Automatically select Templates to Use.
    • Newer versions of WEM have newer templates.
    • The Administration > Agents section adds a¬†Process Citrix Optimizer action to each agent.
  9. WEM 2112 and newer have a Multi-session Optimization feature that lowers the priority of processes running in disconnected sessions.


  1. Click the Security workspace.
  2. On the top left, click the Process Management node.
  3. In the right pane, in the Processes Management tab, enable Process Management. The other tabs are grayed out until you check this box.

    • You can BlackList processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
  4. On the top left, click Application Security.
  5. You can use the top-left sub-nodes to configure AppLocker. See Application Security at Citrix Docs.

    1. If you click the Executable Rules sub-node, on the bottom right is a button to Add Default Rules.
    2. If you edit a rule…
    3. You can assign the rule to a user group.
    4. The list of user groups comes from Active Directory Objects (workspace on bottom left) > Users.
    5. On top of the right pane, set Rule enforcement to On or Audit.
    6. In the ribbon is a button to Import AppLocker Rules that were exported from a group policy.
    7. The other sub-nodes follow the same configuration pattern.
  6. WEM 2112 and newer have a Privilege Elevation feature under the Security workspace. You might have to scroll down to find it. On the right, check the box for Process Privilege Elevation Settings. Notice the setting for Do Not Apply to Windows Server OSs.

    1. On the left, click Executable Rules under Privilege Elevation. Then on the bottom right click Add Rule.
    2. Give the rule a name and select an assignment.
    3. There are options to restrict the elevation to specific parameters. For example, you can restrict cmd.exe so it can only elevate specific scripts. Click Next.
    4. Browse to the executable file and click Create.
    5. CTP David Wilkinson has more details on this feature.
  7. WEM 2203 adds a Self-elevation feature that lets users manually run processes elevated. See Citrix Docs for details.

  8. WEM 2006 adds Process Hierarchy Control, which lets you restrict or allow a parent process from launching specific child processes. See Citrix Docs for configuration details.

    1. On the agent side, you must enable Process Hierarchy Control by running elevated AppInfoViewer.exe from C:\Program Files (x86)\Citrix\Workspace Environment Management.
    2. Click Enable Process Hierarchy Control.
    3. Acknowledge that a restart is required.
  9. WEM has an audit log of the security features at Administration workspace > Logging node > Agent tab.

Policies and Profiles

  1. The Policies and Profiles workspace (bottom left) has four nodes on the top left.
  2. In the Environmental Settings node (top left), in the right pane, you can enable Environmental Settings, and configure restrictions that are usually configured in group policy. Peruse the various tabs on the right. Administrators can be excluded from these restrictions.
  3. The Environmental Settings within the WEM Administration Console are per-machine, not per-user. This means that, by default, all the settings configured inside of a Configuration Set apply to every non-admin user that logs into that particular Agent machine. In order to have different Environmental Settings apply to different users/user groups, they would need to be applied to a separate WEM Agent machine, and all the settings would need to be configured inside a separate Configuration Set to which the WEM Agent Machine is bound. Source = CTX226487 Guidance on configuring WEM settings per user/user groups.
  4. If you switch to the Citrix Profile Management Settings node, you can use WEM to configure Citrix Profile Management. See the Citrix Profile Management post for details on a recommended configuration.

    • Newer Profile Management features requires newer Virtual Delivery Agents (VDA).
    • WEM 2106 and newer with UPM 2106 and newer have the Accelerate Folder Mirroring setting on the Synchronization tab.
    • WEM 2103 and newer with UPM 2103 and newer have Streamed User Profiles > Enable Profile Streaming for Folders, which should speed up logons.
    • WEM 2103 and newer with UPM 2103 and newer have Advanced Settings > Enable multi-session write-back for profile containers, which applies to both UPM Profile Containers and Microsoft FSLogix Profile Containers. WEM 2209 adds OneDrive container.
    • WEM 2103 and newer with UPM 2103 and newer have Profile Container Settings > Enable Local Cache for Profile Container.
    • WEM 2009 and newer have the Profile Container Settings tab that lets you store the entire profile in the container.
    • WEM 2003 and newer can configure the¬†multi-session write-back for FSLogix Profile Container feature in VDA 2003 and newer.
    • WEM 1909 and newer can configure UPM 1909 features, including¬†Migrate user store.
    • WEM 1906 and newer can configure UPM 1903 features, including Enable Profile Container on the Synchronization tab.
    • WEM 1808 and newer can configure UPM 1808 features, including Outlook Search Index Roaming on the Advanced Settings tab.
    • WEM 4.4 and newer can configure UPM 5.8 and 7.15 features, including Enable Logon Exclusion Check.
    • WEM 4.2 and newer can configure UPM 5.5 and 5.6 features, including: Active Write Back Registry, NTUSER.DAT Backup, and Default Exclusion Lists.
  5. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.
  6. In the right pane, the File System tab has a useful Profile Cleansing button to remove excluded folders from an existing UPM profile share. This function might not be necessary if you enable Logon Exclusion Check.

    • Adjust the Profiles Root Folder, click¬†Scan Profiles Folder, and then click¬†Cleanse Profile(s).
  7. To configure folder redirection, on the top left, click Microsoft USV Settings.
  8. On the right, on the Roaming Profiles Configuration tab, check the box to Process User State Virtualization Configuration.
  9. Then switch to the Folder Redirection tabs, and configure them as desired.

WEM Agent Group Policy

  1. In the WEM Download, go to the \Workspace-Environment-Management-v-2303-01-00-01\Agent Group Policies\ADMX folder.
  2. Copy the .admx file, and the en-US folder to the clipboard.
    • In WEM 4,3, 4.4, and 4.5, the .admx file is suffixed with “v4.3”.
    • In WEM 1808, the .admx file is suffixed with “v1808”.
    • WEM 4.6, WEM 4.7, WEM 1903 and newer do not include the version number in the .admx file name.
  3. Go \\\sysvol\\Policies.
  4. If you have a PolicyDefinitions folder here, then paste the .admx file and folder.

    • If you don’t have PolicyDefinitions in Sysvol, then instead go to¬†C:\Windows\PolicyDefinitions, and paste the .admx file and folder there.
  5. Look for older versions of the .admx and .adml files (in the en-us subfolder), and delete them.
    • In WEM 4.6, WEM 4.7, WEM 1903 and newer, the .admx and .adml files no longer have a version designation, so remove any .admx and .adml files that have a version number.
    • The WEM 1808 .admx and .admx files have v1808 in their names, so remove any .admx and .adml files that don’t have a version number.

  6. Edit a GPO that applies to the VDAs that will run the WEM Agent.
  7. In WEM 1906 and newer, go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Workspace Environment Management | Agent Host Configuration.
    • In WEM 1903 and older, go to Computer Configuration | Policies | Administrative Templates | Citrix | Workspace Environment Management | Agent Host Configuration.
  8. On the right, double-click Infrastructure server.
  9. Enable the setting, enter the FQDN of the WEM server (or load balanced name), and click OK. Note: It must be FQDN.
  10. In WEM 4.3 and newer, assign Agents to a Configuration Set (formerly known as Site). In the WEM Administration Console, go to Active Directory Objects workspace (bottom left) > Machines node (top left), and in the right pane, add an OU or individual machines.
  11. It’s possible that an Agent might register with multiple Configuration sets. You can review the registrations at¬†Administration¬†workspace (bottom left) > Agents¬†node (top left) >¬†Registrations¬†tab (right pane).
  12. It also might show you Agents not registered with any Configuration Set. Add the Agent to Active Directory Objects > Machines.
  13. If WEM 4.2 or older:
    1. You can configure the WEM Agents to connect to a non-default WEM site by editing the Site Name GPO setting.

Install/Upgrade WEM Agent

For command line unattended installation of WEM Agent 1909, see Alain Assaf at Citrix Discussions.

  1. If App Layering, Citrix recommends installing the WEM Agent in the Platform Layer.
    • If you are installing the WEM Agent in a App Layer, see George Spiers to workaround an issue with the Netlogon service in a Platform Layer that has the Provisioning Services Target Device software installed.
  2. Use registry editor to confirm that the WEM GPO has applied. Look for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host\BrokerSvcName.
  3. In VDA 2012 and newer, the WEM Agent is included with the VDA installer; however, this install method has been deprecated. You can instead install it separately as detailed in the next step.

  4. On a VDA Master machine, run Citrix Workspace Environment Management Agent.exe from the downloaded WEM 2303 (aka 2303-01-00-01) installation files.
  5. In the Citrix Workspace Environment Management Agent window, check the box next to I agree to the license terms and click Install.
  6. In the Welcome to the Citrix Workspace Environment Management Agent Setup Wizard page, click Next.
  7. In the Destination Folder page, click Next.
  8. In the Deployment Type page, select On-premises Deployment and click Next.
  9. In the Infrastructure Service Configuration page, change the selection to Skip Configuration since you’ve already configured the group policy. Click Next. Note: In WEM 1912 and newer, the cache synchronization port changes from 8285 to 8288.
  10. In the Advanced Settings page, if this machine will be used with Citrix Provisioning and has a Provisioning cache disk, then you can optionally move the WEM Cache to the Provisioning cache disk. Click Next. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
  11. In the Ready to install Citrix Workspace Environment Management Agent page, click Install.
  12. In the Completed the Citrix Workspace Environment Management Agent Setup Wizard page, click Finish.
  13. In the Installation Successfully Completed window, click Close.

WEM Agent Cache

  1. After installation, check the registry under HKLM\System\CurrentControlSet\Control\Norskale\Agent Host to verify your command line switches applied correctly.

  2. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
  3. In WEM Agent 1909 and newer, the WEM Agent installation path is now C:\Program Files (x86)\Citrix\Workspace Environment Management Agent instead of C:\Program Files (x86)\Norskale\Norskale Agent Host and you might have to modify your WEM Agent Cache Refresh scripts with the new path. See CTP James Kindon Citrix WEM Updated Start-Up Scripts for more details.
  4. Citrix CTX219839 How to Enable Debug Logging on Workspace Environment Management Agent manually, if no connectivity to Broker exists. Set AgentDebugModeLocalOverride and AgentServiceDebugModeLocalOverride to 1. The Norskale Agent Host Service Debug.log file will be written to %ProgramFiles(x86)%\Norskale\Norskale Agent Host. The Agent Log file will be written to the User Profile (i.e. under %UserProfile%).
  5. Srinivasan Shanmugam at¬†WEM Agent v4.5 Upgrade Issues at CUGC mentioned that you might have to delete the upgraded Agent’s local database.
  6. Optionally, you can pre-build the Agent Cache by running AgentCacheUtility.exe, which is located in C:\Program Files (x86)\Citrix\Workspace Environment Management Agent (fresh WEM Agent 1909 and newer) or in C:\Program Files (x86)\Norskale\Norskale Agent Host.

  7. It needs the following switches:
    -refreshcache -brokername:MyWEMServer
  8. From Hal Lange: “AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:)¬† the broker name should always be in FQDN since this does use Kerberos for the authentication.”

  9. You can also use the WEM Administration Console at Administration workspace (bottom left), Agents node (top left), to refresh the cache. The Synchronization column indicates if the cache is up to date or not. It takes a few minutes to update.
  10. From Hal Lange: “Need to optimize the client by running ngen for .NET optimizations¬†in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
    ngen.exe update
    ngen.exe eqi 1
    ngen.exe eqi 3
  11. AntivirusC:\Program Files (x86)\Citrix\Workspace Environment Management Agent or C:\Program Files (x86)\Norskale\Norskale Agent Host must be excluded from Antivirus scanning. Or exclude Citrix.Wem.Agent.Service.exe; Norskale Agent Host Service.exe; VUEMUIAgent.exe; Agent Log Parser.exe; AgentCacheUtility.exe; AppsMgmtUtil.exe; PrnsMgmtUtil.exe; VUEMAppCmd.exe; VUEMAppCmdDbg.exe; VUEMAppHide.exe; VUEMCmdAgent.exe; VUEMMaintMsg.exe; VUEMRSAV.exe.
  12. After Agents are installed, the Administration workspace (bottom left), Agents node (top left), shows the list of Agents, allowing you to perform actions against an Agent. For example, if UPM settings are not applying to your Agents, you can right-click the Agent, and click Reset Profile Management Settings. WEM 1912 and newer let you Reset Actions. You might have to click the Refresh button on the bottom right. See Workspace Environment Manager UPM at Citrix Discussions.
  13. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.  Delete the machine cache, which is at the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UsvMachineConfigurationSettings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings

    This will force WEM to re-apply the per-machine settings (Microsoft USV or Citrix UPM settings, respectively).

  14. WEM Cache tends to break often. See CTP James Kindon Citrix WEM Cache Problems…. Again for a script to reset the cache periodically.
  15. CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.

WEM Agent on Citrix Provisioning Target Device

From Citrix Discussions: create a computer startup script that deletes the WEM cache and refreshes it:

net stop "Citrix WEM Agent Host Service" /y
net stop "Norskale Agent Host Service" /y
del D:\WEMCache\ /S /F /q
net start "Citrix WEM Agent Host Service"
net start "Norskale Agent Host Service"
net start "Netlogon"
timeout /T 45 /nobreak
"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache -brokername:XXXX
"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshCache -brokerName:XXXX

From Julian Mooren Citrix Workspace Environment Management with PVS ‚Äď Synchronization State ‚ÄúUnknown‚ÄĚ: For Citrix Provisioning, schedule a task to run the following commands at Target Device boot (Trigger = At Startup).

"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache
"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshcache

From CTA David Ott at Using Citrix Workspace Environment Management to Redirect Folders via Symbolic Links ‚Äď Speed Up Logon:¬†before shutting down your maintenance/private mode vdisk to re-seal, kill the Citrix WEM Agent Host Service or Norskale Agent Host Service. For whatever reason if you don‚Äôt do this it can cause your vms in standard mode to take an obscenely long time to shutdown.

Base Image Script Framework (BIS-F) automates many image sealing tasks, including tasks for Workspace Environment Management. The script is configurable using Group Policy.


  1. In the WEM Administration Console, the Monitoring workspace (bottom left) lets you see Logon Time and Boot Time reports.
  2. Double-click a category to see more info.

  3. Configuration node (top left) lets you configure Work Days Filtering for Login/Boot Time Reports.
  4. WEM 2203 adds a Profile Container Insights report for both FSLogix and UPM Profile Containers.
  5. When you make changes in the console, if agents are already installed, you can right-click the agent icon (by the clock), and Refresh.
  6. You can also go to the Administration workspace (bottom left) > Agents node (top left). In the right pane, right-click one or more Agents, and click the Refresh options.
  7. WEM 1811 and newer periodically run UPMConfigCheck every day, or whenever the Norskale Agent Service restarts. The Administration > Agents node in the WEM Console has a visual indicator of the UPMConfigCheck results. For status details, check the file C:\Windows\Temp\UPMConfigCheckOutput.xml on each WEM Agent Machine.

WEM Actions Configuration

WEM Actions are similar to Group Policy Preferences.

The general process is as follows:

  • Create the Actions
  • Optionally create Action Groups (WEM 1906 and newer)
  • Add AD user groups to the WEM Console.
  • Assign Actions or Action Groups to user groups. Use Conditions and Rules to perform the Action (or Action Group) for only a subset of machines or users in the user group.

Create Actions

  1. In the WEM Console, use the Actions workspace to map drives, map printers, create shortcuts (Applications), set registry keys, etc. Each Action type is a separate node.
  2. WEM 1909 and newer can Migrate or Import your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.
    1. In Group Policy Management Console, back up the GPOs that you want to import to WEM.
    2. Go to the GPO Backup folder and zip everything.
    3. In WEM Console, go to Actions > Group Policy Settings and click Import.
    4. WEM 2209 and newer let you Import Registry File.
    5. WEM 2012 and newer let you edit the imported group policies.
    6. It seems to be a registry editor that doesn’t use ADMX templates.
  3. On the left, select an Action Type. In the right pane, click the Add button to add actions. These Actions are self explanatory.
  4. Some Actions, on the Options tab, have a Self-Healing option. To optimize performance, WEM only applies an action once. The Self Healing option causes it reapply at every logon.
  5. Network Drives have no field for selecting a drive letter. Instead, you configure the drive letter later when assigning the action as detailed below.
  6. External Tasks are scripts that are triggered at user logon, reconnect or other triggers. WEM 2203 adds triggers for Process start and Process end. WEM 2009 adds triggers for Disconnect, Lock, and Unlock.
  7. Applications (shortcuts)
    1. In the Actions pane, Applications have no option for placing a shortcut on the Desktop. Instead, you configure shortcut placement later when assigning the action as detailed below.
    2. WEM 4.6 and newer let you pull icons from a StoreFront store.

    3. Arjan Mensch at Powershell Module for Citrix WEM ‚Äď Part 3 ‚Äď EnvironmentalSettings and MicrosoftUsvSettings from GPO and much, much more¬†provides a PowerShell Module that can do several things to help setup WEM, including reading a bunch of shortcuts (e.g. from Start Menu), and converting them to an .xml file that can be imported into WEM. This simplifies Applications configuration.
    4. To prevent applications (shortcuts) from being created if the application isn’t installed, go to¬†Advanced Settings > Configuration > Agent Options, and check the box next to¬†Check Application Existence in the¬†Extra Features section.
    5. To clean up extra shortcuts, go to Advanced Settings > Configuration > Cleanup Actions, and check the boxes in the Shortcuts deletion at startup section. Also see CTP James Kindon Citrix WEM, Modern Start Menus and Tiles.
    6. After you create Applications (Shortcuts), and assign them, on the agent, there’s a¬†Manage Applications tool that lets users control where shortcuts are created, including pinning to Taskbar and Start Menu.

    7. Applications can be placed in Maintenance Mode. Edit an Application, and find the Maintenance Mode setting on the Options tab.
    8. This causes the icon to change, and a maintenance message to be displayed to the user.

    9. The Applications node has a Start Menu View tab on the right.
  8. For the¬†Printers Action, in the ribbon, there’s a Import Network Print Server button.

  9. For the Registry Entries Action, in the ribbon, there’s an¬†Import Registry File button.

    • If Registry Actions are not applying, delete¬†HKEY_CURRENT_USER\Software\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\. (Source = Registry Entries not applied to users at Citrix Discussions)
  10. For File System Operations, each Action has an Options tab that lets you set the Type of Action.
  11. For File Associations, “Command” is just the parameters without the executable.
  12. CTP James Kindon at File Type Association with WEM and SetUserFTA¬†explains how to use WEM to run¬†Christoph Kolbicz’s¬†SetUserFTA utility to reliably set file type associations on Windows 2012 and newer.
  13. For variables that can be used in the Actions configurations, see CTP James Kindon WEM Variables, Dynamic Tokens, Hashtags and Strings.
  14. The WEM Cloud Service has native support for importing group policies and converting them to WEM Actions and other WEM configurations. See CTP James Kindon Migrating GPO settings to WEM.
  15. WEM 1906 and newer let you combine multiple Actions into an Action Group. Then you can later assign the entire Action Group to a user.

    1. Create an Action Group and name it.
    2. Double-click the Action Group to show the actions on the bottom.
    3. On the bottom, move Actions from the Available box to the Configured box.
    4. For more info, see Action Groups at Citrix Docs.

Create Conditions and Rules

  1. Once the Actions and Action Groups are created, you then need to decide under what conditions the Actions are performed. Go to the Filters workspace (bottom left).
  2. On the top left, switch to the Conditions node.
  3. In the right pane, create Conditions. One or more Conditions are later combined into a Rule.
  4. One of the interesting Conditions is User SBC Resource Type, which lets you run Actions for either Published Desktop or Published Application.

  5. CTP James Kindon at WEM filter conditions on OU and IP Address at Citrix Discussions says that the Active Directory Path Match condition requires a * at the end of the path.
  6. Then switch to the Rules node (top left) and create Rules in the right pane.
  7. If you add (by clicking the right arrow)¬†multiple Conditions to a Rule, all (AND) Conditions must match. There doesn’t appear to be an OR option. The Rules are used later when assigning an Action to a user group.

Add AD Groups to WEM Console

  1. Go to the Active Directory Objects workspace (bottom left).
  2. With the Users node selected on the top left, in the right pane, add groups and/or users that will receive the Action assignments.

Assign Actions to User Groups

  1. Go to the Assignments workspace (bottom left) > Action Assignment node (top left).
  2. In the right pane, initially the bottom half is empty. Double-click a group to show the Actions that are available for assignment. WEM 1808 and newer has a built-in Everyone group.
  3. Move an available Action or Action Group from the left to the right. This assigns the Action (or Action Group) to the user group.
  4. You will be prompted to select a Filter, which contains one or more Conditions.
  5. When you move a Network Drive to the right, you’re prompted to select a drive letter.

    • The list of drive letters is restricted based on the configuration at¬†Advanced Settings¬†workspace (bottom left) > Configuration¬†node (top left) > Console Settings¬†tab (right pane).
  6. Back in the Assignments workspace, on the right, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.

Actions Troubleshooting

WEM caches Actions executions under HKEY_CURRENT_USER\SOFTWARE\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\Tasks Exec Cache. Sometimes clearing these keys and values will fix Actions not applying.

CTP James Kindon at Selective Deletion of the WEM Actions Tracking Cache wrote a PowerShell script to selectively clear these registry keys and values.

Modeling Wizard

  1. In the Assignments workspace, you can use the Modeling Wizard node (top left) to see what Actions apply to a particular user.

Client Side Tools

CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.


In WEM 4.1 and newer, you can enable Transformer, which puts the WEM Agent in Kiosk mode. Users can only launch icons (e.g. Citrix icons). Everything else is hidden. This is an alternative to Receiver Desktop Lock. The Transformer interface is customizable. Note: desktops currently will not auto-launch from Transformer.

  1. In the WEM Console, there’s a¬†Transformer Settings workspace (bottom left) with two nodes on the top left:¬†General and¬†Advanced.
  2. Enable Transformer, and point it to your StoreFront URL. Note, this applies to all users and all agents in this WEM configuration set. You should probably have a new Configuration Set just for Kiosk devices.
  3. Other settings on the General Settings tab let you customize the appearance, and specify an unlock password. You probably want to disable the Clock. The Navigation Buttons are browser navigation.
  4. Transformer can be unlocked by pressing Ctrl+Alt+U and entering the unlock password.
  5. On the Site Settings tab, you can add website URLs that can be launched from within Transformer.
  6. At the top of the Transformer window is a Sites icon that lets you go to the sites listed in the WEM Console.
  7. The Advanced node lets you configure Transformer to launch a process other than a browser.
  8. The Advanced & Administration Settings tab lets you hide features from Transformer.
  9. To prevent users from accessing the local system, consider checking Hide Taskbar & Start Button.
  10. You probably want Log Off Screen Redirection to redirect users to the logon page when StoreFront logs off.
  11. The Logon/Logoff & Power Settings tab lets you configure the WEM Agent to autologon as a specific account. Transformer then displays the StoreFront webpage where the user enters his or her credentials.

539 thoughts on “Workspace Environment Management (WEM) 2303”

  1. Hi Carl,

    Do you know of any issues with using WEM folder redirection. We have applied the folder redirection but want to remove one the folders we originally wanted to redirect. However we cannot get WEM to unapply the folder redirection for this folder, it still does it. Any help would be appreciated. Thanks.

  2. I am testing importing our Citrix Server hardening \ session lockdown GPOs into WEM 2009. I cannot figure out how to apply the GPO to Authenticated Users but exclude Admins. With GPOs, we used security filtering and set ‚ÄúApply group policy‚ÄĚ to Deny for Admins.

  3. Hi Carl,

    For CPU Management settings: Are there any best practices for Microsoft Teams. Do I need to add the teams process for exclusion or not?


  4. Does anyone has a problem with universal groups? Our WEM doesn’t use them. Even in “WEM Resultant Actions Viewer – User Groups Membership” they are not listed.

  5. Hi Carl

    We are setting up a new 2006 environment that will be Load Balanced by F5s. I see from Citrix’s documentation that it is best practice in a Load Balanced environment to use a Windows account to run the Norskale Service and connection to the WEM SQL DB. There is also a part about registering the Windows account with the Norskale/Broker Service SPN. Unfortunately another part of the business has beaten me to the punch in a separate domain (same forest) and registered their service account with the Norskale/Broker Service SPN attribute meaning I am unable to register an SPN for my service account. I am unable to share this account as all of our servers are on separate domains.

    What would you recommend for me to do in this scenario? Should I scrap the build and start again not using a Windows account and rely on the vuemUser account or continue as I am but without any SPN registration?

    1. I think this is a limitation of the product. You might have to call Citrix Sales or Citrix Support to determine if it’s on the roadmap.

      Another option is to use Citrix WEM service hosted in Citrix Cloud.

  6. Citrix’s documentation and yours indicates that with WEM 1912, Citrix would ****change **** the port that the infrastructure server uses for dishing out the cache data.
    >>>>>>>>>>>> start quote >>>>>>>>>>>>>
    Cached data synchronization port. (Applicable to Workspace Environment Management 1912 and later; ***** replaces ***** the port of Workspace Environment Management 1909 and earlier.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cached data synchronization port must be the same as the port you configured for the cached data synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8288 and corresponds to the CachedDataSyncPort command-line argument.
    <<<<< end quote <<<<<<<<<<<<<<<<

    Thus I thought we'd run into a scenario where we had to upgrade WEM backup servers AND the agents for the cache to work correctly.

    What Citrix has ACTUALLY done however is to ADD the 8288 port, so that port 8285 is still active and still listening, so that old agents and new agents and new servers can still work together.
    Perhaps you can update your documentation and include a screen shot of the network settings tab of the WEM infrastructure service configuration utility to show how there are now 5 ports listening , including cache synchronization port on 8285 and cache data synchronization port on 8288 .
    Please note however that NEW agents and old servers wont work as the new agent only attempts to get cache on port 8285.

  7. Hello,
    I allow myself to come to you carl in relation to WEM.

    I already had this error in 1906 and I still have it in 2006 in my users’ logs, I often have this:

    error 0x800705B4

    I don’t know where to look

  8. Hey Carl,

    We just upgraded our Server 2016 test environment from 1903 to 2006, but it seems the ‘Citrix WEM Agent Host Service’ seems to keep crashing on our VDAs, database and console seem fine.
    We also tried a full reinstallation, but the same thing seems to keep happening.

    Application: Citrix.Wem.Agent.Service.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.

    Faulting application name: Citrix.Wem.Agent.Service.exe, version: 2005.2.0.1, time stamp: 0x5ecc8b4e
    Faulting module name: KERNELBASE.dll, version: 10.0.14393.3659, time stamp: 0x5e9140ed
    Exception code: 0xe0434352

    I hope you are anybody else seen this before and can give a solution.
    We are installing a fresh new 2019 server atm, to give that a test as well.

    I appreciate any help, thanks in advance!

  9. hi,
    my citrix wem console is grayed out
    also i am getting the warning while connects to the license server still ports 27000 and 7279 are open from wem server to license server
    do we need to open 7279 port from citrix license server to wem server?

      1. hi carl,
        we are using citrix platinum licneses but SA is expired
        that could be the reason license server is not responding?

      2. wem console can connect to wem infrastructure server,but not able to contact to license server from wem infrastructure service/wem console.once i click ok on the warning to enter license server address.the console is grayed out.
        once i enter the license server address it says a valid license server with appropriate licenses need to be configured.

  10. hi,do we need to open port 7279 from citrix license server to WEM server for chec out licenses?

    1. I think the other direction. I’m not sure if the WEM Server checks out the license or if the WEM Agent checks out the license.

  11. When assigning action to a group, up to what level of nested group membership does WEM read to apply an action?

  12. HI Carl, we are planning upgrade our infrastructure from 7.15 LTSR to CVAD 1912, we are using WEM 1906 and planning to upgrade to 1912.which one we have to upgrade first WEM server or WEM agent? if i upgrade WEM server to 1912 first ,is there any impact to the 1906 WEM agents or vice versa ? please confirm

    1. Leaving the cache on the C: drive is certainly easier. You might need a script to refresh the cache at each boot.

  13. Hi Carl,
    I have an issue when I have finalize the installation of WEM 2003, appropriate licenses are not available.

    Which license do we have need ?



  14. Hi, upgraded to WEM 2003 from 1903 this weeken, cant pin taskbar icons from admin console after the upgrade.
    users can pin programs from agent program. but the preset are not working.

    we are running Windows 2016 (1607) servers.

    Are there any known issues with this release?

  15. We have an Problem with the WEM Agent.

    VDA 1912 LTSR
    MCS based
    OS 2016 1607
    WEM Agent 1912.1.0.1
    RDS Licence Server and Mode configured via GPO (per User) and are active on the VDA Machine.
    CTX Licence: XenApp Enterprise Cuncurrent SA2020.1229

    So what will happen:

    Any Remote logon will disapere on the maschine where the WEM Agent is installed.Then comes up the Evend IDs 1128/1069 RDS Licence Grace Period Error.
    Sometimes after a fresh reboot of the VDA all works fine.

    Have you any idea?

      1. Thanks for the Link. I¬īve seen the regkey before and delete it via GPO. When i open the registry in system context there is no information.

      2. Hello Carl,

        i get event id – 40960 which validating RDS server on Citrix VDAs.
        The Security System detected an authentication error for the server HOST/xxxxx. The failure code from authentication protocol Kerberos was “The name or SID of the domain specified is inconsistent with the trust information for that domain.
        The RDS server is hosted in another forest. Trust is validated and said to be working. Server is part of relevant AD group for Terminal License Servers.

        However it is still not issuing license.

        Anything that you can help me with?


  16. Hi Carl,

    we have on-prem WEM server and new azure VDA servers are added to our citrix farm , we installed WEM agent in that VDA and configued WEM server through registry and created a new site and added that azure VDA but that server is not showing in agents list and no settings are applied to that server.

    1. Robert is right: After all that we did as part of the 1912 Upgrade — the new PORT in the Infrastructure Services config, the new LBVIP on the Netscaler passing traffic on that Port, and giving the Service Account “Full Control” on the DBSync folder — the final thing, the thing that made it all finally WORK, was also to make that same Service Account “DBO” on the WEM database (in SQL, in our case). Thank you for your post!

  17. Hi Carl,
    I’m trying to configure WEM agent, but I think is not working.
    On VDA desktop I can click on WEM taskbar icon, and I can see the name of configuration Set configured by editing regedit:
    SiteName (Order: 3)hide
    Action Update
    PropertiesHive HKEY_LOCAL_MACHINE
    Key path SYSTEM\CurrentControlSet\Control\Norskale\Agent Host
    Value name SiteName
    Value type REG_SZ
    Value data ConfSet01

    But When I’m looking Wem Console, Administration, Agents, Registrations I can see my Machine Name and Description shows me:
    Agent is bound to ‘ConfSet03’ (OU=…) configuration Set

    On Statitstics I cannot see my Machine Name,

    What I’m doing wrong?

  18. Hello Carl,

    I have a brand new deployment of WEM 1912 with CVAD 1912 LTSR on Windows Server 2019 and SQL Server 2019. I receive an error when trying to launch the WEM administration console. All Citrix docs requirements and recommendations in your post have been followed. I created relevant Citrix discussions thread on this issue:

    Do you have any ideas?

  19. Hi Carl: We are on WEM version 1903. We’ve noticed on the Brokers that the Norskale Broker Service is absolutely pegging CPU and Memory. We have an escalation engineer from Citrix working with us on it, but just wondering if you know of things we can check? Thanks!

    1. Our Infrastructure upgrade to 1912 appears to have solved this issue. WEM Agent processing now happens in a few seconds, and the CPU and Memory on the Brokers remains relatively low throughout the process.

  20. Can anybody confirm if the Infrastructure Services component can be installed on a delivery controller?

    @Carl, I know in the article you mentioned it can but I noticed on Citrix Quick Start guide for WEM 1912 it says to not install it on a delivery controller.

    I am trying to minimize the amount of servers and WEM looks like it needs so few resources.

  21. Excellent article!

    Quick question, have you ever seen the WEM agent loading before the GPOs that assign the cloud connectors configuration? I’ve tried with everything including the latest software, and it still happens. Citrix support wants me to delay the application of the GPOs :/

    I tried to change the startuptype of the services to automatic (delayed) and that does not work.

    If I install the software with the cloud connectors set through the software, it works.


    1. I usually apply computer-level GPOs to my master image to avoid any timing issues when the non-persistent machines boot.

      1. Yeah, that’s the thing. I have the GPOs applied via computer gpo, and it still isn’t fast enough… the WEM agent loads before the GPOs are applied.

  22. Carl, Can I run WEM 1808 or 1909 in XA 7.15? I see ambiguous requirements in the release notes about the naming conventions being interchangeable (CVAD or XA/XD) so I’m not sure what they mean by “any supported version of…” are the terms interchangeable, or is 4.7 the latest version that I can install?

    1. XA/XD was renamed to CVAD. Version 7.15 still has the XA/XD name. The latest WEM version should work fine on XA/XD 7.15.

  23. Test user logs in and eventviewer logs following error: “Error while Configuring Registry Security.” No exeptions or warnings in citrix wem agent log. Removed all assgned settings but still the same error. New userprofile same result. Is this a fals positive ? When i assign a regsitry key, it works.

  24. Hello Carl,
    Version 1909 constantly generate this error.” Error while Configuring Registry Security “for the user that logs in. In the citrix wem agent log there is no fault/exceptions.. For test i removed all the registry assigend to domain users and then the error is gone. The registry directly assigned to the test account does not generate an error. Is it a false positive?

  25. Hello, I have a question according the actions in WEM and I’m not able to find the information at the moment.
    I would like to ask in which order actions are applied during logon. For example first applications, second external tasks, etc. Is there any documentation about that?

    Thank you very much.
    Regards Michael

  26. Hi Carl,

    We have Citrix WEM as a cloud service for profile management and all the printers are mapped via WEM – Actions – Printers. But when the user login to the Citrix it is prompting message to “Trust the printer” and asking for admin credentials to install the printer and it gets installed if we supply admin credentials and gets disappeared after logoff. This issue is with out new Citrix cloud environment running VDAs in server 2016.

    We are currently in the process of migrating users from XA6.5 to Citrix cloud and all the printers were working in the XA6.5 environment. Not sure what we are missing in terms of printer mapping. This issue is with US region and we have similar setup for UK region where all the printers get mapped via WEM policies without issues.

    Your help is much appreciated!


      1. Yes it is multi user RDSH and we didn’t install the printer driver on the VDA machine. As I explained above, we have similar setup for UK region where we didn’t install any printer drivers to the VDA machine, but it still maps the printer to the user session.

        1. I think RDSH needs administrator permission to install drivers. Virtual Desktops don’t have that requirement.

          1. Hi carl

            I have tested installing the printers directly to the Server VDA and it is not prompting the admin credentials to install the printer on the user session and works fine. I couldn’t understand how it works in this way. It means I have to install all the printers on all server VDAs manually. Please could you confirm that whether it is right approach and what I am doing is correct.?


  27. Hi Carl, we configured Application active setup through External Tasks but it is not working at user first logon but next time on wards it’s working fine. How to fix this ?

  28. Hi carl, we already created a new SQL db for WEM and i have to configure that db in WEM server , so which one(Create or upgrade ) i have to run in WEM Database Management Utility. ??

  29. Hi,

    after updating from stable 4.7 to 1906 a new nightmare is starting. The Management Server are stopping ever 24 hours. Means the norskale service is running but not answering.There are messages like this in the event id.

    Faulting application name: Norskale Broker Service.exe, version:, time stamp: 0x5b3b2f06
    Faulting module name: adsldpc.dll, version: 6.3.9600.17415, time stamp: 0x545053e3
    Exception code: 0xc0000005
    Fault offset: 0x000000000001e554
    Faulting process id: 0x1380
    Faulting application start time: 0x01d4d35b74778845
    Faulting application path: C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Norskale Broker Service.exe
    Faulting module path: C:\Windows\system32\adsldpc.dll
    Report Id: d350f54c-4299-11e9-80fe-005056ad16f6
    Faulting package full name:
    Faulting package-relative application ID:

    The Windows Server (W2K12R2) is fully patched but this doesn`t help :-(. The only thing is to restart the server. Restarting the Norskale Service did not help

    The WEM Client stopped to work, but the service is running. Try to restart with error “Failed to stop service. System.AggregateException: One or more errors occurred. —> Norskale.Common.Data.PortAlreadyInUseException: The requested port 49752 is busy”, but firewall port is definitly open. After downgrade to WEM Client 4.7 everything is good

    Any ideas ? The CITRIX Support is doing ….. nothing ūüôĀ

    Regards Claus-Michael

  30. Hi Carl we have Ivanti Environment Manager with none persistent VDI. The fast log off is not set under Log off tab. But when users log off the log off is fast. Are you aware of any Citrix settings where I can look at to stop this fast log off?

  31. Can WEM be updated directly from v4.6 to 1906 or are there intermediate update levels that need to be applied first?
    A) version 4.6 upgraded to version 1906
    B) something like version 4.6 upgraded to version 1811 then upgraded to version 1906

  32. Thank you Carl for the above article , i would like to know if there any way that we can export the application name and associated Active directory groups from WEM

  33. Hi Carl,

    Just FYI that the latest version of WEM (v1903 as of this post) includes GPO template files that have a typo; Workspace is spelled Worskpace.

    If others like me just copy the contents of the ADMX folder and replace them into the GPO store, you’ll get a prompt to replace files, but really it will create 2 ADMX\ADML files instead.

    Just FYI in case anyone else runs into this.

    Moiz Veravalwala

  34. Hi Carl,

    We are using the Citrix cloud service and installed/configured the WEM agent 1903 and pointed to cloud connectors. However, I can’t see the agents are getting registered in the WEM console. Any idea what is blocking?

    Our server VDAs and Cloud connectors are hosted in AWS and configured necessary security groups to allow WEM ports.


      1. Yes I followed the same. However, I didn’t set any additional arguments as they explained at the end of the article. I just ran the typical installation of the agent and configured the GPO as per this article.

      2. Hi Carl, Thanks for your advise. The issue has been resolved now. It seems the version WEM 1903 agent is not supported in the WEM as a service. I have reinstalled with the WEM agent 1811.1 and now it is appearing in the WEM console.


        1. Just adding to this incase someone is interested… I attempted to use WEM 1903 connected to our Cloud connectors to Cloud WEM. The new agent did not understand the use of cloud connectors instead of the Web broker. I went back to 1811 also.. My motive was to get around consistent problem with WEM applying my UPM settings. It will work at first, then some weeks later users lose their Citrix Profile. All other WEM settings are applied but I’ve finally resorted to Group Policy just for UPM configuration. To clarify this is cloud WEM …

  35. Carl,

    Thanks for the great work !!

    I’m upgrading a customer environment to 1903 versions. The use UPM from WEM and like to use the Profile container option from UPM 1903. Where can I configure that in WEM 1903 ?



  36. Just a note – in the Citrix upgrade docs for 1811, they specify that if you use SQL AlwaysOn HA, you must remove the WEM database from it before perfomring an upgrade:
    “SQL Server Always On availability groups. If your Workspace Environment Management database is deployed in an SQL Server Always On availability group, before upgrading the database you must remove it from the availability group.”

  37. Is this the same setup for Citrix Cloud wem version? I am wanting to set WEM up in Citrix Cloud and point the DB over to Azure. I scanned over the post but didn’t see anything that suggests setup from Citrix Cloud to Azure.

    1. For the Citrix Cloud version of WEM, Citrix handles the servers and the database. You just install the WEM Agent and point in to the Cloud Connector.

      Or are you asking about building your own WEM Servers in Azure without Citrix Cloud?

      1. No, if Citrix cloud supplies it already then no need to move it over to Azure. Thanks for the info. Love the site. Keep up the great work.

  38. Hey Carl, something basic but I think it is worth to mention, if you set a custom password for your vuemUser SQL account during installation you have to specify it in the Advanced Settings when you are first connecting your Management Console to the Infrastructure Broker. Otherwise, you will get errors like:

    “Login failed for user ‘vuemUser’. Reason: Password did not match that for the login provided”

  39. Hello Carl,

    I have to Provide some URLs to our VDIs – is there a way tor provide this links with WEM.
    We are using WEM 4.7

    Thank you

    1. Without WEM, you can Publish Content from XenApp. Otherwise, you should be able to use WEM or Group Policy Preferences to create a Shortcut (aka application) that points to a URL.

  40. Hello Carl,

    thanks for your blog. I am not shure wether to use one or two assignments with lots of filters or lots of assignments with less filter conditions. What would be a best practice soultion?

    Thanks in advance!

    1. I like to keep assignments generalised to groups, and then use filters and conditions when there is an exemption to that general requirement or you need to only apply something when another condition is true. Less filters, the less complex the processing.

  41. Hey Carl,

    Not to sure if you have ran across this yet, but for step 24 I would amend that if you move your Computer AD objects to a different OU, then you will need to apply that fix. Had a ticket open with Citrix and that fixed the issue with WEM not applying.


  42. Carl, Have you guys noticed by chance WEM will not allow Pinned Items to re-appear in the Start menu? I have the “Delete Taskbar Pinned Shortcuts not checked either.

  43. Has anyone seen an oddity using environment variables? I have a script that runs as an external task. It needs to use the clientname variable which isn’t present when WEM runs – no drama, we set a new variable in WEM to point to ##clientname##

    This works fine the first time a user logs on. The clientname is set as expected.

    What isn’t expected – and I may be missing a trick here – is that on subsequent logons, the environment variable isn’t updated. It remains stuck at whatever was set the very first time a user logged on.

    And it gets weirder – if you delete the key in the user registry hive, log off and back on, the value key (or just value – it doesn’t matter which you remove) never returns.

    I notice in the WEM logs, the following, which (again I may be misreading) suggest to me that WEM thinks the value is static/cached:

    08:54:38 Event -> VuemEnvironmentVariableExecutor.CheckExecCacheState() : Environment Variable -> TCName (Id:7) -> Action already processed -> returning true
    08:54:38 Event -> VuemEnvironmentVariableExecutor.CheckExecCacheState() : Environment Variable -> TCName (Id:7) -> Action already processed -> returning true
    08:54:38 Event -> VuemEnvironmentVariableController.ProcessActionRelatedRefresh() : Environment Variable Processing: No Refresh required -> Exiting

    Any ideas? I am sure I am missing a trick here.

      1. Sorry for the delay replying. I’d put a workaround into the script but that check box does the trick, albeit only at logon.

        Thanks for the pointer.

Leave a Reply

Your email address will not be published. Required fields are marked *