Workspace Environment Management 4.5

Last Modified: Dec 9, 2017 @ 7:13 am

This post covers Citrix Workspace Environment Management versions 4.5, 4.4, 4.3, 4.2, and 4.1.

💡 = Recently Updated

Changelog

  • 2017 Dec 9 – in Create/Upgrade database sections, added link to PowerShell SDK documentation
  • 2017 Dec 8:
    • Updated Install sections for 4.5
    • Added Security section for AppLocker configuration

Overview

Workspace Environment Management (WEM) is Citrix’s Performance Management and UEM (User Environment Management) tool for all XenApp/XenDesktop Enterprise or Platinum Customers with active Software Maintenance (Subscription Advantage is not sufficient). The WEM Agent is supported on XenApp 6.5, and XenApp/XenDesktop 7.x. Videos:

Note: WEM does not replace Citrix Profile Management. You usually implement both.

Citrix Blog Post User Experience on Steroids: Citrix Workspace Environment Management has a list of Frequently Asked Questions about WEM, including a drawing of the architecture.

From Hal Lange at Database sizing at Citrix Discussions: SQL Always On is fully supported.  The ONE caveat is to remove from the Always On Availability Group before upgrading.

Here are the official calculations from the Norskale days on space needed on the SQL Server:

  • Reserve 1GB of RAM per 1,000 users deployed
  • RAM=1.5GB system + (1.5GB SQL + 1 GB per 1,000 users) for that SQL instance
  • Disk = 1GB per 10,000 users per year + 10 MB per WEM site configured

Upgrade WEM

To upgrade Citrix WEM:

  1. In-place upgrade the Citrix Licensing Server. No special instructions.
    1. Ensure the installed licenses have a non-expired Subscription Advantage date.
  2. In-place upgrade the WEM Server. No special instructions.
  3. Use the Database Maintenance tool to upgrade the WEM database. You might have to run the WEM Broker Configuration Tool on each Broker to point to the upgraded database.
  4. In-place upgrade the WEM Console. No special instructions.
  5. In-place upgrade the WEM Agents. No special instructions.

Install/Upgrade WEM Server (Broker Service)

The WEM Broker Service can be installed on one or more servers, including Delivery Controllers. The WEM Agent cannot be installed on the Broker Server.

A WEM Server with 4 vCPU and 8 GB RAM can support 3,000 users.

  1. Go to the downloaded Workspace Environment Management 4.5, and run Citrix Workspace Environment Management Infrastructure Services Setup.exe.
  2. Click Install to install the prerequisites.
  3. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Infrastructure Services page, click Next.
  4. In the License Agreement page, select I accept the terms, and click Next.
  5. In the Customer Information page, click Next.
  6. In the Setup Type page, click Next.
  7. In the Ready to Install the Program page, click Install.
  8. If you are upgrading, you might be prompted to restart applications.
  9. In the InstallShield Wizard Completed page, click Finish.
  10. C:\Program Files (x86)\Norskale\Norskale Infrastructure Services must be excluded from Antivirus scanning. Or exclude: Norskale Broker Service.exe; Norskale Broker Service Configuration Utility.exe; Norskale Database Management Utility.exe.
  11. Ensure firewall allows the following ports to/from the WEM Broker servers. See Citrix CTX101810 Communication Ports Used by Citrix Technologies.
    • Agent Port defaults to TCP 8286 – from WEM Agent to WEM Broker
    • AgentSyncPort defaults to TCP 8285 – from WEM Agent to WEM Broker SQL
    • AdminPort defaults to TCP 8284 – from WEM Admin Console to WEM Broker
    • Monitoring Port defaults to TCP 8287 – from Director to WEM Broker
    • AgentPort defaults to TCP 49752 – from WEM Broker to WEM Agent
  12. See CTX218965 Error: “Server sent back a fault indicating it is too busy to process the request” and the WEM Agent fails to connect to the Broker Service if you need to throttle the number of connections because of insufficient resources on the WEM Broker server.

Upgrade WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management SDK v4.5 at Citrix Developer docs.

To upgrade the Workspace Environment Management database using the GUI tool:

  1. If this is a new install, skip to Create WEM Database.
  2. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  3. On the WEM server, run Database Management from the Start Menu.
  4. If upgrading, in the ribbon, click Upgrade Database.
  5. Enter the SQL Server Name.
  6. Enter the existing WEM Database Name.
  7. Configure the credentials for the WEM service account.
  8. If your account is not a sysadmin on Citrix, then enter a SQL account in the Database Credentials fields.
  9. Click Upgrade.
  10. Click Yes when asked to proceed.
  11. Click OK when prompted that database upgraded successfully.
  12. Click Finish to close the Database Upgrade Wizard.
  13. Close the WEM Database Management Utility.
  14. After the database is upgraded, run the WEM Infrastructure Service Configuration Utility to set the database connection settings again. Upgrading seems to wipe out the settings.
  15. On the Licensing tab, configure the licensing server.
  16. On the Advanced Settings tab, configure the service account.
  17. On the Database Settings tab, enter the database server name and database name.
  18. In the ribbon, click Save Configuration.
  19. Click Yes to restart the Broker Service.
  20. Skip ahead to upgrade the WEM Administration Console.

Create WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management SDK v4.5 at Citrix Developer docs.

To create the database using the GUI tool:

  1. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  2. Make sure SQL Server authentication (mixed mode) is enabled on the SQL server > Properties > Security. Even though the WEM Broker server runs as an AD account that is used to log in to SQL, WEM Broker also uses a SQL account named vuemUser, which means mixed mode must be enabled. Source = John Long at WEM new install, cannot connect to infrastructure server at Citrix Discussions. 💡

  3. On the WEM server, run WEM Database Management Utility from the Start Menu.
  4. If a new install, in the ribbon, click Create Database.
  5. In the Create database Wizard page, click Next.
  6. In the Database Informations page, enter the SQL server name, and enter a new Database Name.
    1. Only enter an instance name if you have a named SQL instance.
    2. Only enter a port number if your SQL instance is listening on a static port number other than 1433.
    3. From Måns Hurtigh at Problem creating WEM 4.3 Database on SQL Server 2012 at Citrix Discussions: The database name cannot contain a dash.
  7. The paths might not be correct so double check them. Then click Next.
  8. In the Database Server Credentials page, if your account has sysadmin permissions, then leave the box checked. Otherwise, uncheck the box, and enter a SQL login that has sysadmin permissions. Click Next.
  9. In the VUEM Administrators section, click Browse, and select your Citrix Admins group.
  10. In the Database Security page, if you intend to load balance multiple WEM servers, then specify a Windows service account for database access. The Broker Service will run as this account. See Ryan Revord Load balancing Citrix Workspace Environment Manager, and the new load balancing topic at Install the Citrix Workspace Environment Management Infrastructure Services at Citrix Docs.
  11. The Database Creation Wizard also creates a SQL account called vuemUser with an 8 character alphanumeric password. If you want it more complex, check the box and specify the password.
    • Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Also see SQL Server Always On at Citrix Docs.

  12. Click Next.
  13. In the Database Information Summary page, click Create Database.
  14. Click OK when prompted that the database was created successfully.
  15. Click Finish to close the Database Creation Wizard.
  16. Close the WEM Database Management Utility.
  17. There is a log file at “C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log”

WEM Broker Configuration

  1. On the WEM Server, run WEM Infrastructure Service Configuration Utility from the Start Menu.
  2. On the Database Settings tab, enter the SQL Server name and database name.
  3. Switch to the Advanced Settings tab.
  4. If you intend to load balance WEM Servers, then Browse to a service account. This service account must have access to the database. See Ryan Revord Load balancing Citrix Workspace Environment Manager.
  5. The service account must be in the local Administrators group on the WEM server.
  6. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
  7. On the Licensing tab, you can enter a Citrix License Server 11.14.0.1 or newer that has valid licenses. Or you can enter the license server later in the admin console.
  8. Click Save Configuration in the ribbon.
  9. Click Yes when asked to restart the Broker Service.
  10. Close the WEM Infrastructure Service Configuration utility.
  11. If you are load balancing WEM servers, then you must also create a Kerberos SPN, where [accountname] is the service account you are using for the Norskale service. Ryan Revord Load balancing Citrix Workspace Environment Manager.
    setspn -U -S Norskale/BrokerService [accountname]

Install/Upgrade WEM Console

  1. Run Citrix Workspace Environment Management Console Setup.exe.
  2. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Console page, click Next.
  3. In the License Agreement page, select I accept the terms, and click Next.
  4. In the Customer Information page, click Next.
  5. In the Setup Type page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the InstallShield Wizard Completed page, click Finish.

WEM Configuration Sets (formerly known as Sites)

In WEM 4.3, Sites was renamed to Configuration Sets.

  1. From the Start Menu, run WEM Administration Console.
  2. In the ribbon, click Connect.
  3. In the Database Broker Information window, enter the WEM Server name, and click Connect.
  4. Some WEM Console settings are global (every agent gets the same setting). So if you want different global settings for different agents, then you create multiple WEM Configuration sets. At the top of the window, in the ribbon, you can create a new WEM Configuration set. 
  5. Once you have multiple Configuration sets, you can use the drop-down to switch between them.
  6. An Agent can only belong to one WEM Configuration set. Different Agents can belong to different WEM Configuration sets.
  7. In WEM 4.3 and newer, you add agents to the Configuration set at Active Directory Objects (workspace on bottom left) > Machines (node on top left). You can add OUs or individual objects (computers or computer groups).
  8. In WEM 4.2 and older:
    1. The WEM Group Policy template has a GPO setting to specify the WEM Site name that an agent should use.

Import Recommended Settings

  1. If you have multiple WEM configuration sets, this process should be repeated for each WEM configuration set.
  2. In WEM 4.4 and newer, on the right side of the ribbon, click Restore.

    • In WEM 4.3 and older, on the right side of the ribbon, click Import Settings.
  3. In WEM 4.4 and newer, select Settings, and click Next.
  4. In the Settings Restore wizard, click Next.
  5. In the Restore from folder section, click Browse, and browse to the \Workspace-Environment-Management-v-4-04-00\Configuration Templates\Default Recommended Settings folder that was included in the WEM download.
  6. In the Settings Type Selection section, check all available boxes, and click Next.
  7. In the Restore settings processing window, click Restore Settings.
  8. Click Yes when prompted to replace.
  9. Click Finish.

James Kindon at WEM Hydration Kit has a collection of Applications, File System and Registry Actions that can be imported to WEM.

WEM Administrators

  1. In the Administration Console, go to Administration (workspace on bottom left) > Administrators (node on top left).
  2. In the right pane, click Add, and specify an Active Directory group that can administer WEM.
  3. After adding a group or user, right-click the new administrator, and click Edit.
  4. Use the Permissions drop-down to select a role. The roles are detailed at Administrators at Citrix Docs.
  5. Then use the State drop-down to select Enabled. New administrators are initially disabled. Click OK to close the window.

WEM Agent Configuration

For configuration guidance, see James Kindon and Hal Lange at WEM Advanced Guidance – Part 1 at CUGC.

  1. In the WEM Administration Console, in the Advanced Settings workspace (bottom left), there are several tabs for configuring the agent.
  2. On the bottom of each tab is an Apply button. Click this button periodically to save your configuration to the database.
  3. On the Main Configuration tab, one option you might want to enable is Launch Agent for admins.
  4. Also consider enabling Launch Agent at Reconnect.
  5. In the right pane, on the Reconnection Actions tab, you can select which modules should be refreshed on reconnect.
  6. The Agent Options tab defaults to processing printers and drives asynchronously.
  7. Settings on these tabs are mostly self-explanatory. Feel free to change any as desired.
  8. The Service Options tab has a setting for Bypass ie4uinit Check. Enabling this eliminates a 2 minute delay before WEM Agent starts. See Marco Hofman at http://www.carlstalhood.com/workspace-environment-manager/comment-page-1/#comment-5069 for details.
  9. On the top left, in the Advanced Settings workspace, there’s a UI Agent Personalization node.
  10. In the right pane, in the UI Agent Options tab, you can change the Agent skin, and Preview it.
  11. Other settings on this page let you hide the splash screen.
  12. The Helpdesk Options tab lets you enable Screen Capture.

System Optimization

  1. The System Optimization workspace (bottom left) lets you configure the various optimizations.
  2. On the top left, click the CPU Management node.
  3. CPU Spikes Protection gives processes equal access to the CPU.
    • From Hal Lange: “CPU Usage Limit should never be set to a higher percentage than one CPU. This will keep a single threaded application from thrashing a CPU. Example: if 2 CPU’s are available, the CPU setting should not be set above 49%, if 4 CPU’s are available, the CPU setting should not be set above 24%”
    • Hal Lange demonstrates Citrix WEM Performance Optimizations in a YouTube video.
  4. Other tabs on the right let you manually specify CPU priority and/or clamping.

    1. From CTA Chris Schrameyer WEM – CPU LOGGING: WEM does not provide any built-in logs to determine when a CPU Spikes Protection action is taken. It would be nice to know what processes are often limited, so we can then add them to a CPU Clamping policy or identify why they are using so much CPU.
  5. On the top left, click the Memory Management node.
  6. In the right pane, you can enable Working Set Optimization to periodically reclaim memory from running processes. This feature tells processes to flush their memory to disk. In other words, you’re trading memory for disk.
  7. On the top left, click the I/O Management node.
  8. On the right, you can prioritize process IO.
  9. On the top left, click the Fast Logoff node.
  10. In the right pane, enabling Fast Logoff disconnects a session immediately, and runs logoff processes in the background.

Security

  1. In Workspace Environment Management 4.5 and newer, on the bottom left, click the Security workspace. In older WEM, stay on the Process Optimization workspace.
  2. On the top left, click the Process Management node.
  3. In the right pane, in the Processes Management tab, enable Process Management. The other tabs are grayed out until you check this box.

  4. You can BlackList processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
  5. In Workspace Environment Management 4.5 and newer, on the top left, click Application Security.
  6. You can use the top-left sub-nodes to configure AppLocker. See Application Security at Citrix Docs.
  7. If you click the Executable Rules sub-node, on the bottom right is a button to Add Default Rules.
  8. If you edit a rule…

    1. You can assign the rule to a user group.
    2. The list of user groups comes from Active Directory Objects (workspace) > Users.
  9. On top of the right pane, set Rule enforcement to On or Audit.
  10. In the ribbon is a button to Import AppLocker Rules that were exported from a group policy. See CTA Saadallah Chebaro Configure Citrix Workspace Environment Management Application Security for details.
  11. The other sub-nodes follow the same configuration pattern.
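
While Rule enforcement is set to Audit, the hits can be reviewed per file on an Agent machine before switching to On. The script below is an added example, not part of the original post or of Citrix tooling; it assumes the rules WEM delivers are logged in the standard Windows AppLocker event logs, and the sample records are constructed.

```powershell
# Added example (not from the original page).
# Windows-defined AppLocker event IDs:
$AuditIds = 8003, 8006   # allowed, but would be blocked if enforcement were On
$BlockIds = 8004, 8007   # blocked because enforcement is On
$LogNames = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'

function ConvertFrom-AppLockerEvent {
    # Flatten a live event record into the fields the summary needs.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        $d = ([xml]$Record.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Id       = $Record.Id
            Time     = $Record.TimeCreated
            UserSid  = $d.TargetUser
            FilePath = $d.FilePath
            Policy   = $d.PolicyName
        }
    }
}

function Get-AppLockerAuditSummary {
    # Group audit/block hits per file so recurring legitimate apps stand out.
    param([Parameter(Mandatory)][object[]]$Events)

    $Events |
        Where-Object { $_.Id -in ($AuditIds + $BlockIds) } |
        Group-Object -Property FilePath |
        ForEach-Object {
            [pscustomobject]@{
                FilePath   = $_.Name
                Hits       = $_.Count
                Users      = @($_.Group.UserSid | Sort-Object -Unique).Count
                WouldBlock = @($_.Group | Where-Object Id -in $AuditIds).Count
                Blocked    = @($_.Group | Where-Object Id -in $BlockIds).Count
                LastSeen   = $_.Group.Time | Sort-Object | Select-Object -Last 1
            }
        } |
        Sort-Object -Property Hits -Descending
}

# Constructed sample records (not real log data), already flattened.
# The 8002 record is an ordinary "allowed" event and is filtered out.
$sample = @(
    [pscustomobject]@{ Id = 8003; Time = [datetime]'2017-12-08T09:01:00'
        UserSid = 'S-1-5-21-1111-2222-3333-1104'; Policy = 'EXE'
        FilePath = '%OSDRIVE%\USERS\USER1\APPDATA\LOCAL\VENDORAPP\UPDATE.EXE' }
    [pscustomobject]@{ Id = 8003; Time = [datetime]'2017-12-08T09:14:00'
        UserSid = 'S-1-5-21-1111-2222-3333-1105'; Policy = 'EXE'
        FilePath = '%OSDRIVE%\USERS\USER2\APPDATA\LOCAL\VENDORAPP\UPDATE.EXE' }
    [pscustomobject]@{ Id = 8006; Time = [datetime]'2017-12-08T10:30:00'
        UserSid = 'S-1-5-21-1111-2222-3333-1104'; Policy = 'SCRIPT'
        FilePath = '%OSDRIVE%\USERS\USER1\DOWNLOADS\SETUP.PS1' }
    [pscustomobject]@{ Id = 8002; Time = [datetime]'2017-12-08T10:31:00'
        UserSid = 'S-1-5-21-1111-2222-3333-1104'; Policy = 'EXE'
        FilePath = '%SYSTEM32%\NOTEPAD.EXE' }
)

Get-AppLockerAuditSummary -Events $sample | Format-Table -AutoSize

# On a WEM Agent machine, summarize the live logs instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = $LogNames; Id = $AuditIds + $BlockIds } `
#             -ErrorAction SilentlyContinue | ConvertFrom-AppLockerEvent
# if ($live) { Get-AppLockerAuditSummary -Events $live | Format-Table -AutoSize }
```

Files with many WouldBlock hits across several users are the ones to cover with a rule, or to investigate, before enforcement is turned on.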

Policies and Profiles

  1. The Policies and Profiles workspace (bottom left) has four nodes on the top left.
  2. In the Environmental Settings node (top left), in the right pane, you can enable Environmental Settings, and configure restrictions that are usually configured in group policy. Peruse the various tabs on the right. Administrators can be excluded from these restrictions.
  3. The Environmental Settings within the WEM Administration Console are per-machine, not per-user. This means that, by default, all the settings configured inside of a Configuration Set apply to every non-admin user that logs into that particular Agent machine. In order to have different Environmental Settings apply to different users/user groups, they would need to be applied to a separate WEM Agent machine, and all the settings would need to be configured inside a separate Configuration Set to which the WEM Agent Machine is bound. Source = CTX226487 Guidance on configuring WEM settings per user/user groups.
  4. If you switch to the Citrix Profile Management Settings node, you can use WEM to configure Citrix Profile Management. See the Citrix Profile Management post for details on a recommended configuration.

    1. WEM 4.2 and newer includes the latest UPM 5.5 and 5.6 features, including: Active Write Back Registry, NTUSER.DAT Backup, and Default Exclusion Lists.
    2. WEM 4.4 and newer includes the latest UPM 5.8 and 7.15 features, including Enable Logon Exclusion Check.
  5. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.
  6. In the right pane, the File System tab has a useful Profile Cleansing button to remove excluded folders from an existing UPM profile share.

    1. Adjust the Profiles Root Folder, click Scan Profiles Folder, and then click Cleanse Profile(s). This might not be necessary if you enable Logon Exclusion Check.
  7. To configure folder redirection, on the top left, click Microsoft USV Settings.
  8. On the right, on the Roaming Profiles Configuration tab, check the box to Process User State Virtualization Configuration.
  9. Then switch to the Folder Redirection tabs, and configure them as desired.

WEM Agent Group Policy

  1. In the WEM Download, go to the \Workspace-Environment-Management-v-4-05-00\Agent Group Policies\ADMX folder, and copy the .admx file, and the en-US folder to the clipboard. Yes, the .admx file is labelled 4.3.
  2. Go to \\MyADDomain.com\sysvol\MyADDomain.com\Policies. If you have a PolicyDefinitions folder here, paste the file and folder.
  3. If you don’t have PolicyDefinitions in Sysvol, then instead go to C:\Windows\PolicyDefinitions, and paste the file and folder there.
  4. Look for older versions of the .admx and .adml files (in the en-us subfolder), and delete them.

  5. Edit a GPO that applies to the VDAs that will run the WEM Agent.
  6. Go to Computer Configuration | Policies | Administrative Templates | Citrix | Workspace Environment Management | Agent Host Configuration.
  7. On the right, double-click Infrastructure server.
  8. Enable the setting, enter the FQDN of the WEM server (or load balanced name), and click OK. Note: It must be FQDN. Also see Ryan Revord Load balancing Citrix Workspace Environment Manager.
  9. In WEM 4.3 and newer, to assign an Agent to a Configuration Set (formerly known as Site), in the WEM Administration Console, go to Active Directory Objects workspace (bottom left) > Machines node (top left), and in the right pane, add an OU or individual machines.
  10. It’s possible that an Agent might register with multiple Configuration sets. You can review the registrations at Administration workspace (bottom left) > Agents node (top left) > Registrations tab (right pane).
  11. It also might show you Agents not registered with any Configuration Set. Add the Agent to Active Directory Objects > Machines.
  12. If WEM 4.2 or older:
    1. You can configure the WEM Agents to connect to a non-default WEM site by editing the Site Name GPO setting.

Install WEM Agent

  1. If App Layering, Citrix recommends installing the WEM Agent in the Platform Layer.
    1. If you are installing the WEM Agent in an App Layer, see George Spiers to work around an issue with the Netlogon service in a Platform Layer that has the Provisioning Services Target Device software installed.
  2. On a VDA Master machine, run the downloaded Citrix Workspace Environment Management Agent Setup.exe.
  3. If you are installing the Agent on a Provisioning Services vDisk, there are a couple Agent Installer Switches that let you move the WEM cache file to the PvS cache disk:
    "\\fs01\bin\Citrix\WEM\Workspace-Environment-Management-v-4-05-00\Citrix Workspace Environment Management Agent Setup.exe" /v"AgentCacheAlternateLocation=\"D:\WEMCache\" AgentServiceUseNonPersistentCompliantHistory=\"1\""
  4. You can use the ARPSYSTEMCOMPONENT=1 switch to prevent the Agent from showing up in the Programs and Features list where it can be uninstalled.
  5. Citrix CTX218964 How To Secure a Citrix WEM Agent Installation in Cases Where Users are Local Administrators also details how to configure a group policy to prevent local administrators from stopping the Agent service.
  6. Click Install to install the prerequisites.
  7. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Agent Host page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Customer Information page, click Next.
  10. In the Setup Type page, click Next.
  11. In the Ready to Install the Program page, click Install.
  12. In the InstallShield Wizard Completed page, click Finish.
  13. After installation, check the registry under HKLM\System\CurrentControlSet\Control\Norskale\Agent Host to verify your command line switches applied correctly.
  14. Citrix CTX219839 How to Enable Debug Logging on Workspace Environment Management Agent manually, if no connectivity to Broker exists. Set AgentDebugModeLocalOverride and AgentServiceDebugModeLocalOverride to 1. The Norskale Agent Host Service Debug.log file will be written to %ProgramFiles(x86)%\Norskale\Norskale Agent Host. The Agent Log file will be written to the User Profile (i.e. under %UserProfile%).
  15. Optionally, you can pre-build the Agent Cache by running AgentCacheUtility.exe, which is located in C:\Program Files (x86)\Norskale\Norskale Agent Host.
  16. It needs the following switches:
    -refreshcache -brokername:MyWEMServer
  17. From Hal Lange: “AgentCacheUtility does accept short values (e.g. AgentCacheUtility -r -b:). The broker name should always be in FQDN since this does use Kerberos for the authentication.”
  18. You can also use the WEM Administration Console at Administration workspace (bottom left), Agents node (top left), to refresh the cache. The Synchronization column indicates if the cache is up to date or not. It takes a few minutes to update.
  19. From Hal Lange: “Need to optimize the client by running ngen for .NET optimizations in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
    C:\Windows\Microsoft.NET\Framework\v4.0.30319
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319
    ngen.exe update
    ngen.exe eqi 1
    ngen.exe eqi 3
  20. C:\Program Files (x86)\Norskale\Norskale Agent Host must be excluded from Antivirus scanning. Or exclude Norskale Agent Host Service.exe; VUEMUIAgent.exe; Agent Log Parser.exe; AgentCacheUtility.exe; AppsMgmtUtil.exe; PrnsMgmtUtil.exe; VUEMAppCmd.exe; VUEMAppCmdDbg.exe; VUEMAppHide.exe; VUEMCmdAgent.exe; VUEMMaintMsg.exe; VUEMRSAV.exe.
  21. After Agents are installed, the Administration workspace (bottom left), Agents node (top left), shows the list of Agents, allowing you to perform actions against an Agent. For example, if UPM settings are not applying to your Agents, you can right-click the Agent, and click Reset Citrix Upm Settings. See Workspace Environment Manager UPM at Citrix Discussions.
  22. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.  Delete the machine cache, which is at the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\UsvMachineConfigurationSettings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\UpmConfigurationSettings

    This will force VUEM to re-apply the per-machine settings (Microsoft USV or Citrix UPM settings, respectively).

  23. James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.

WEM Agent on Provisioning Services

From Julian Mooren Citrix Workspace Environment Management with PVS – Synchronization State “Unknown”: For PvS, schedule a task to run the following commands at Target Device boot (Trigger = At Startup).

"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshcache

From CTA David Ott at Using Citrix Workspace Environment Management to Redirect Folders via Symbolic Links – Speed Up Logon: before shutting down your maintenance/private mode vdisk to re-seal, kill the Norskale Agent Host Service. For whatever reason if you don’t do this it can cause your vms in standard mode to take an obscenely long time to shutdown.

If you have a PVS environment and you have redirected the WEM cache to the persistent drive, use a startup task to refresh the cache, force restart the Norskale Agent Host Service, and start netlogon after. If the cache doesn’t already exist, WEM doesn’t seem to check with the WEM server. You have to create the cache, and then restart the service so that it reads it, and force restarting the Norskale Agent Host Service will stop netlogon (dependent on it).
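
The startup task described above, written out as a PowerShell script. This is an added example, not from the original post or the authors it cites; the service lookup by name or display name, the 60-second timeouts and the log file path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): body of an "At Startup" task
# for a PVS target device whose WEM cache lives on the persistent drive.
$ErrorActionPreference = 'Stop'

$AgentDir  = 'C:\Program Files (x86)\Norskale\Norskale Agent Host'  # path from the page
$CacheUtil = Join-Path $AgentDir 'AgentCacheUtility.exe'
$AgentSvc  = 'Norskale Agent Host Service'                           # name as written on the page
$LogFile   = Join-Path $env:ProgramData 'WemCacheRefresh.log'        # hypothetical log location
$Timeout   = [TimeSpan]::FromSeconds(60)                             # assumed timeout

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

function Resolve-Service([string]$NameOrDisplayName) {
    # The page gives a single name; accept it as either service name or display name.
    $svc = Get-Service |
        Where-Object { $_.Name -eq $NameOrDisplayName -or $_.DisplayName -eq $NameOrDisplayName } |
        Select-Object -First 1
    if (-not $svc) { throw "Service '$NameOrDisplayName' not found" }
    $svc
}

try {
    if (-not (Test-Path -LiteralPath $CacheUtil)) { throw "Missing $CacheUtil" }

    # 1. Create or refresh the cache first; without an existing cache the
    #    agent does not appear to contact the WEM server on its own.
    $proc = Start-Process -FilePath $CacheUtil -ArgumentList '-refreshcache' `
                          -Wait -PassThru -NoNewWindow
    Write-Log "AgentCacheUtility exited with code $($proc.ExitCode)"

    # 2. Force-restart the agent service so it reads the new cache.
    #    -Force is required because dependent services (Netlogon) get stopped.
    $agent = Resolve-Service $AgentSvc
    Restart-Service -InputObject $agent -Force
    $agent.WaitForStatus('Running', $Timeout)
    Write-Log "$($agent.Name) restarted"

    # 3. Bring Netlogon back, since the forced restart stopped it.
    $netlogon = Get-Service -Name 'Netlogon'
    if ($netlogon.Status -ne 'Running') { Start-Service -InputObject $netlogon }
    $netlogon.WaitForStatus('Running', $Timeout)
    Write-Log 'Netlogon running'
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}

# Registering the task (script path below is a placeholder):
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#              -Argument '-NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\Refresh-WemCache.ps1"'
# $trigger = New-ScheduledTaskTrigger -AtStartup
# Register-ScheduledTask -TaskName 'WEM cache refresh' -Action $action `
#     -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
```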

Login Base Image Script Framework (BIS-F) automates many image sealing tasks, including tasks for Workspace Environment Management. The script is configurable using Group Policy.

Monitoring

  1. In the WEM Administration Console, the Monitoring workspace (bottom left) lets you see Logon Time and Boot Time reports.
  2. Double-click a category to see more info.

  3. Configuration node (top left) lets you configure Work Days Filtering for Login/Boot Time Reports.
  4. When you make changes in the console, if agents are already installed, you can right-click the agent icon (by the clock), and Refresh.
  5. You can also go to the Administration workspace (bottom left) > Agents node (top left). In the right pane, right-click one or more Agents, and click the Refresh options.

WEM Actions Configuration

WEM Actions are similar to Group Policy Preferences.

The general process is as follows:

  • Create the Actions
  • Add AD user groups to the WEM Console.
  • Assign Actions to user groups. Use Conditions and Rules to perform the Action for only a subset of machines or users in the user group.

Create Actions

  1. In the WEM Console, use the Actions workspace to map drives, map printers, create shortcuts (Applications), set registry keys, etc. Each Action type is a separate node. In the right pane, click the Add button to add actions. These Actions are self explanatory.
  2. Some Actions, on the Options tab, have a Self-Healing option. To optimize performance, WEM only applies an action once. The Self Healing option causes it to reapply at every logon.
  3. Note: Network Drives have no field for selecting a drive letter. Instead, you configure the drive letter later when assigning the action as detailed below.
  4. Note: Applications have no option for placing a shortcut on the Desktop. Instead, you configure shortcut placement later when assigning the action as detailed below.
    1. To prevent applications (shortcuts) from being created if the application isn’t installed, go to Advanced Settings > Configuration > Agent Options, and check the box next to Check Application Existence in the Extra Features section.
    2. To clean up extra shortcuts, go to Advanced Settings > Configuration > Cleanup Actions, and check the boxes in the Shortcuts deletion at startup section. Also see James Kindon Citrix WEM, Modern Start Menus and Tiles.
  5. After you create Applications (Shortcuts), and assign them, on the agent, there’s a Manage Applications tool that lets users control where shortcuts are created, including pinning to Taskbar and Start Menu.

  6. Applications can be placed in Maintenance Mode. Edit an Application, and find the Maintenance Mode setting on the Options tab.
  7. This causes the icon to change, and a maintenance message to be displayed to the user.

  8. The Applications node has a Start Menu View tab.
  9. For the Printers Action, in the ribbon, there’s an Import Network Print Server button.

  10. For the Registry Entries Action, in the ribbon, there’s an Import Registry File button.
  11. For File System Operations, each Action has an Options tab that lets you set the Type of Action.
  12. For File Associations, “Command” is just the parameters without the executable.

Create Conditions and Rules

  1. Once the Actions are created, you then need to decide under what conditions the Actions are performed. Go to the Filters workspace (bottom left).
  2. On the top left, switch to the Conditions node.
  3. In the right pane, create Conditions. One or more Conditions are later combined into a Rule.
  4. Then switch to the Rules node (top left) and create Rules in the right pane.
  5. If you add (by clicking the right arrow) multiple Conditions to a Rule, all (AND) Conditions must match. There doesn’t appear to be an OR option. The Rules are used later when assigning an Action to a user group.

Add AD Groups to WEM Console

  1. Go to the Active Directory Objects workspace (bottom left).
  2. With the Users node selected on the top left, in the right pane, add groups and/or users that will receive the Action assignments.

Assign Actions to User Groups

  1. Go to the Assignments workspace (bottom left) > Action Assignment node (top left).
  2. In the right pane, initially the bottom half is empty. Double-click a group to show the Actions that are available for assignment.
  3. Move an available Action from the left to the right. This assigns the Action to the user group.
  4. You will be prompted to select a Filter, which contains one or more Conditions.
  5. When you move a Network Drive to the right, you’re prompted to select a drive letter.

    1. The list of drive letters is restricted based on the configuration at Advanced Settings workspace (bottom left) > Configuration node (top left) > Console Settings tab (right pane).
  6. Back in the Assignments workspace, on the right, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.

Modeling Wizard

  1. In the Assignments workspace, you can use the Modeling Wizard node (top left) to see what Actions apply to a particular user.

Client Side Tools

James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.

Transformer

In WEM 4.1 and newer, you can enable Transformer, which puts the WEM Agent in Kiosk mode. Users can only launch icons (e.g. Citrix icons). Everything else is hidden. This is an alternative to Receiver Desktop Lock. The Transformer interface is customizable. Note: desktops currently will not auto-launch from Transformer.

  1. In the WEM Console, there’s a Transformer Settings workspace (bottom left) with two nodes on the top left: General and Advanced.
  2. Enable Transformer, and point it to your StoreFront URL. Note, this applies to all users and all agents in this WEM configuration set. You should probably have a new Configuration Set just for Kiosk devices.
  3. Other settings on the General Settings tab let you customize the appearance, and specify an unlock password. You probably want to disable the Clock. The Navigation Buttons are browser navigation.
  4. Transformer can be unlocked by pressing Ctrl+Alt+U and entering the unlock password.
  5. On the Site Settings tab, you can add website URLs that can be launched from within Transformer.
  6. At the top of the Transformer window is a Sites icon that lets you go to the sites listed in the WEM Console.
  7. The Advanced node lets you configure Transformer to launch a process other than a browser.
  8. The Advanced & Administration Settings tab lets you hide features from Transformer.
  9. To prevent users from accessing the local system, consider checking Hide Taskbar & Start Button.
  10. You probably want Log Off Screen Redirection to redirect users to the logon page when StoreFront logs off.
  11. The Logon/Logoff & Power Settings tab lets you configure the WEM Agent to autologon as a specific account. Transformer then displays the StoreFront webpage where the user enters his or her credentials.

320 thoughts on “Workspace Environment Management 4.5”

  1. Carl!

    Could be that the installation parameter is false?

    You write:

    “\\fs01\bin\Citrix\WEM\Workspace-Environment-Management-v-4-05-00\Citrix Workspace Environment Management Agent Setup.exe” /v”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\””

    In my environment between /v” and AgentCacheAlternateLocation there should be a space, otherwise the installer interprets it as one string, and in WEM 4.5 “AgentServiceUseNonPersistentCompliantHistory” doesn’t exist any more.

    https://docs.citrix.com/en-us/workspace-environment-management/current-release/whats-new.html

    1. I tried this exact command and it worked. No space after the /v. Yes, it should be one string after the /v. Any quotes inside the string need to be escaped (\”). The /v switch passes the entire string to the MSI file.

  2. Hi Carl,
    In PVS environments we can redirect the cache to the same disk that pvs uses for the cache, but how do we configure the WEM Agent in MCS environments?

  3. I am using PVS 7.14 with Windows 2012 OS Target Devices using “Cache in device RAM with Overflow on Hard Disk”

    I did install the WEM Agent with the Installer Switches that let you move the WEM cache file to the PvS cache disk: This cache disk is the same disk I use for the OS WriteCache D Drive.
    Somehow the WriteCache D Drive is filling up fast and I can’t find a way to stop the D drive from filling. Any ideas?

        1. Use procmon to see what’s modifying the files on the C: drive. Maybe antivirus or backup or something like that. You can set the procmon filter to Category = Write.

  4. Hi Carl,

    as Citrix recommends in this article (https://support.citrix.com/article/CTX225997) to install the WEM Agent within the Platform Layer already. That way you also won’t have that Netlogon service related issue as both dependency entries reside in the Platform Layer by default.
    Maybe you want to point this out in your install guide above.
    As this article also gives some advice regarding creating the App-V user account in the OS Layer of CLM you might want to mention this in your CLM guide, too.

    Best Regards

    Ewald

  5. How do we install the wem agent on a machine that is created with MCS and non-persistent? I see the how to for PVS, but there is no option for a second disk.

  6. Is there a stand alone version of WEM available that can be installed on the end point to lock down the local OS without having to build the whole infrastructure (brokers/database/NS etc)?

  7. Hi Carl, do you know if the backwards compatibility works the other way? I would like to upgrade the WEM infrastructure and console prior to deploying the new agent to our gold image, we heavily rely on WEM. Will the 4.3 agents report in and function correctly on 4.4 infrastructure? Many thanks for all your amazing contributions to the community, your guides are always my first point of call!

  8. Hi Carl. I have installed the version 4.4.5 that includes application security. I am having a hard time getting script rules to apply. I managed to get exe rules just fine but script rules will not. Any suggestions?

  9. Hi Carl,
    Wonder if you have some thoughts on this.
    XD 7.14. Windows 10 Enterprise VDA setup in Catalog with MCS. Implemented WEM for control of most everything including UPM Profiles and Redirected Folders. Created an application catalog for Word and Excel, currently just one Server 2016 standard edition also deployed with MCS (Wem agent VDA, and UPM agent installed). Desktop shortcuts show up. Applications will launch. Application association working just fine.
    User can log in and log out all day long as long as they don’t launch one of the shared applications. If they do all will seem just fine until they log out. When they log back in we get stuck at the “Critical Error , Start Menu and Cortana aren’t working…. “Sign out now”. Only way to get past the error is delete (or rename) the user’s Profile folder on the server. Our theory is something is going wrong with the shared application session and updates to the user’s profile.
    Hope you might have some thoughts or a good way to test what’s wrong.
    Thanks
    Kevin

    1. What do you mean by “shared application”? Do you mean “All Users” (or Public Desktop) shortcut? Or do you mean shortcut created by WEM? If you move the shortcut to a per user location, does that work?

      1. Hi Carl,
        Sorry my terminology is probably off. Not sure how to correctly make this reference. MS Word 2016 (and Excel) are installed on a Server 2016 R2 Server with the VDA and WEM agent installed. I’ve used MCS to create a 1 vm catalog, then a Delivery Group to share (“publish”) Word and Excel no desktops in this delivery group. My main desktop delivery group has Receiver with SSO enabled. When a user logs in to their virtual desktop session the Word and Excel icons show up on the desktop as I would expect. Both of these icons work, I can see the user’s additional sessions in Director. It’s fast, and has access to printers, and storage. Seems just perfect. Except for the subsequent logins which get the error message and leaves the user’s session useless.

        Also a funny discovery. I have “delete desktop icons” enabled in WEM. I think this is why when I close Word or Excel the desktop icons for these apps disappear. If I uncheck this option then a new icon for each app shows up after each login.. labeled (1) and (2) and so on….

        I do think I’m dealing with an incompatibility between Win 10 and Server 2016 profiles (or redirected Start Menu). I’ve quickly spun up another Windows 10 Catalog and Delivery group to share Notepad. This works, and does not create the error message on subsequent logins.
        Hope this clarifies.

        Kevin

  10. Hi Carl,

    Thanks for the info. Is there any way to make the Actions / Filters / Assignments global? I would require some registry settings ,for example to be applied to all config sets, but would like not to manage each setting on a per set basis.

  11. Hi
    Have you seen issues with missing Application Security feature under Security in WEM Console after upgrade from 4.3 to 4.4??

    On a fresh install of 4.4 I have the feature under Security in the WEM Console.

    1. It was accidentally enabled in the install. They refreshed the installer so it no longer enables. Download it again and it should no longer enable on a fresh install.

      1. Just to understand, the feature was not ready for 4.4??
        Used the same installer for two environments, one was an upgrade from 4.3 to 4.4 and the other was a new install.

  12. Hi Carl,

    Love and appreciate all your work. I am having the same issue as David:

    Hi carl,

    I am having an issue with Transformer and hoping you can point me in the right direction. I have configured the policy and applied a GPO that points the agent to the broker and site. When I apply the GPO to a windows 10 XD VM I have, it works perfectly. When I apply it to a win 10 physical machine, it does not. WEM agent is installed and the GPO is applied to the machine. If I make a change to the transformer policy for the site and then update the WEM cache on the machine, it does get the update. Also, if I check the Agent info in WEM Console, it shows that machine is in the correct site. Is there something else that needs configured or applied? Does Citrix Receiver also need to be installed? This physical machine is a fresh install and has very few programs installed.

    I have an open ticket w/ support, but it’s been difficult due to how new this component is in the Citrix portfolio.

    To expound:

    The agent launches but doesn’t start transformer or the program configured to auto-launch. Reviews of the log show that Kiosk mode is enabled (True).

    A refresh from the client or server does not force transformer to work, however if I exit the agent and re-launch the Transformer works as expected.

    This is the last piece to iron out so we can use transformer to replace desktop lock, but we need the agent to start and run transformer and its configured application when a user logs in/upon restart etc.

    Tried using batch files and scheduled task as a work around, but this is kluge and doesn’t work.

    Any help would be greatly appreciated!

    Thank You!

    Derek Black

  13. Hello Carl,
    Manage Applications tool that lets users control where shortcuts are created, (QuickLaunch) is greyed out. Is it possible to enable?
    with me application i am enabled already!!

  14. We just upgraded our Dev environment from 4.3 per this guide. When I updated the agent in our first PVS image (WEM cache on persistent disk) I found that I could not get a successful sync. This shows up in the debug logs:

    11:07:27 AM Exception -> AgentLocalCacheSync.() : Cannot apply changes because the local provider does not have adapters configured for the following tables that were received from the remote provider: VuemAppLockerRule, VUEMAppLockerRuleAssigments, VUEMPublisherRuleCondition, VUEMPathRuleCondition, VUEMHashRuleCondition, VUEMFileHash. Ensure that the correct adapters have been added to both providers for Scope ‘AgentCache’, and that any table mapping has been correctly configured.

    If I stop the agent service, delete the persistent WEM cache and start it back up I am able to sync successfully again. Has anyone else seen this? My fear is that we’ll have to reset the WEM cache on thousands of PVS target devices…

  15. Hello Carl,

    I have a problem when I run the agentcacheutility.exe I get the following error:

    C:\WINDOWS\system32>”C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe” -refreshcache -brokername:fgridctxwem01
    Citrix Workspace Environment Management Agent Cache Management Utility – By Citrix Systems, Inc – Version 4.3.0.0
    Broker Server Name or Broker Port Error
    Operation Completed with Errors

    Are there any special requirements which need to be met in order for agent registration to work? Firewall communication is allowed between the WEM broker server and the agent machine.

  16. Carl I’m curious as to what your take is on the WEM licensing model.

    I’m getting conflicting answers on the rules for number of WEM agents that are allowed per the XenApp entitlement. At Synergy, the guy at the WEM booth told me I could have 1 WEM agent per XenApp license on any device (vda or non-vda). I went to double check with my Citrix rep this week and they are saying something different. They say if I have 500 XA licenses and 400 are in use, I could only install the WEM agent on 100 non-vda devices which would then act as an in use XenApp license. If you read what’s on the Citrix Licensing portal (https://www.citrix.fr/buy/licensing/product.html) that doesn’t sound right to me.

    “If you licensed XenApp Platinum Edition, you may use the WEM component to support physical desktops which are not part of a VDA deployment in addition to your VDA deployment, but total usage of WEM may not exceed total licenses purchased.”

    In my mind, that’s saying if I have 500 XenApp licenses, I can have 500 WEM agents, either VDA or non-VDA. Nowhere in there does it say anything about concurrent users using XenApp or a WEM agent acting as a connected user taking up a license. The license server doesn’t reflect a connected WEM agent as a user either.

    What do you think (know)?

    1. My suspicion is that you can deploy WEM Agent to any machine accessed by a licensed Citrix user. I just asked the Product Managers for confirmation.

      1. From Citrix Discussion:
        “I’m the product manager for WEM and your REP is correct, the intent was to provide a clear message that you can use WEM on physicals if you had enough licenses.

        WEM + VDA = 1 License
        WEM = 1 License

        I will get the wording tightened up on the licensing page to make it clearer, you are correct this is a EULA only enforcement not a license server check at this time but we will be working on that.”

        1. So is it “per device”, or is it “per user”? If per user, I would expect unlimited devices (and VDA) for that user.

          1. The way I’m understanding it is that if I have 500 XenApp CCU licenses, and I have 400 licenses being used for active connections, then I can only have 100 non-vda WEM agents out in the environment. Which doesn’t make sense to me at all. If I’m using WEM to turn a PC into a Transformer kiosk type device to use Citrix Receiver, then it would seem I need a XenApp license for that device, and then another license for the user on that device accessing the apps…which seems a bit excessive. I don’t really know at this point…but I think it could use some attention from Citrix to clear up when you can and can’t use WEM.

          2. It would be very complicated to handle CCU Licenses that are usually meant to assign one License for one user, who is acting on different devices, also as per device Licenses especially for WEM.
            This simply makes no sense and causes just troubles.
            Just think of a user who is working on a Windows Thin Client managed by WEM and accessing from there a XenDesktop VDA in a Data Center which is also managed by WEM. That would require two CCU licenses in that case.
            Or another example:
            A user is working on a PC managed by WEM and accessing from there a XenApp Host which is also managed by WEM. In that case I would have to reserve one CCU License per managed XenApp Host.

            @Citrix Licensing Team:
            Please keep such things in mind when you’re planning licensing stuff.
            CCU should usually be one License assigned per user, who is working commonly on more than just one device, especially when it comes to WEM or Citrix Profile Management!

          3. @Tyson Glaser:
            Based on the License statements it would mean the following based on your example:
            If you have 500 CCU licenses you are allowed to use WEM up to 500 times concurrently, as it was said explicitly “total usage” and not “total installations” in the License statements.
            However, this also includes the XenApp Hosts in this case, if they have WEM Agents installed.
            Therefore, if you have 12 XenApp hosts with WEM Agents installed that are running simultaneously in your farm, you can use WEM 488 times on other devices concurrently, like for example physical PCs or Notebooks.
            As long as you haven’t more than 488 other devices at all that have WEM Agents installed it won’t be a difficult task to obey the License Requirements there.
            But if the amount of your devices with WEM Agents installed exceeds 488, well, then this might become a difficult task, as the License Manager doesn’t check that either…

  17. Hi Carl,

    I am having an issue with Transformer and hoping you can point me in the right direction. I have added the policy and it worked perfectly on a XD win 10 vm I have. However, I can’t get it to work correctly on a win10 physical machine. I have a GPO pointing the machine to the broker and the correct site. I have verified it is pulling down the settings, but when I login, transformer isn’t launching. The issue seems to be that VUEM Agent isn’t launching. If I manually launch it from program files (x86)…, transformer immediately launches. I just can’t for the life of me figure out why it isn’t launching automatically. I do have the Advanced Settings > Configuration > Launch Agent at Logon checked, which I did after it wasn’t working, but even after that, it still isn’t working.

    Any thoughts?

  18. Hi carl,

    I am having an issue with Transformer and hoping you can point me in the right direction. I have configured the policy and applied a GPO that points the agent to the broker and site. When I apply the GPO to a windows 10 XD VM I have, it works perfectly. When I apply it to a win 10 physical machine, it does not. WEM agent is installed and the GPO is applied to the machine. If I make a change to the transformer policy for the site and then update the WEM cache on the machine, it does get the update. Also, if I check the Agent info in WEM Console, it shows that machine is in the correct site. Is there something else that needs configured or applied? Does Citrix Receiver also need to be installed? This physical machine is a fresh install and has very few programs installed.

    Any guidance you can provide would be greatly appreciated.

  19. Great article! Thanks Carl. Does WEM require its own server? Or can it be installed on the same server as a delivery controller, or Director?

      1. Hi Carl, with a customer’s environment (+1000 users) it should have more Broker servers, right? IO requirements? I think it is required to load balance the broker service?

  20. Is there a way to trigger the WEM Agent “Refresh” in the context menu of the system tray icon with a command line?

  21. Thanks Carl for this effective documentation.
    After upgrading an installation from 4.2 to 4.3, the Norskale Infrastructure Service crashed intermittently.
    There is a private hotfix available for this issue (Infrastructure Service v4.03.00.01), contact Citrix support for it.

  22. Hi Carl,

    For a PVS vDisk that was created via the ELM (Citrix App Layering), should the agent be installed as an application layer or in the platform layer similar to the VDA. Also, should we use the install parameters to redirect the WEM cache to the overflow drive in any of those layers if that Overflow drive does not yet exist or ?

    1. Hi Willy Wonka,

      have a look at Carl’s Citrix App Layering guide here on this site.
      If I remember it correctly Citrix Best Practices recommend to install it into the Platform Layer, too.
