Workspace Environment Manager

Last Modified: Jan 7, 2017 @ 9:21 am


ūüí° = Recently Updated


Workspace Environment Manager¬†(WEM) is Citrix’s Performance Management and UEM tool for all XenApp/XenDesktop Enterprise or Platinum Customers with active Software Maintenance (Subscription Advantage is not sufficient). The WEM Agent is supported on XenApp 6.5, and XenApp/XenDesktop 7.x. Videos:

Note: WEM does not replace Citrix Profile Management. You usually implement both.

Install WEM Server (Broker Service)

The WEM Broker Service can be installed on one or more servers. The WEM Agent cannot be installed on the Broker Server.

A WEM Server with 4 vCPU and 8 GB RAM can support 3,000 users.

  1. Go to the downloaded Workspace Environment Manager 4.1, and run Citrix Workspace Environment Management Infrastructure Services v4.01.00.00 Setup.exe.
  2. Click Install to install the prerequisites.
  3. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Magement Infrastructure Services page, click Next.
  4. In the License Agreement page, select I accept the terms, and click Next.
  5. In the Customer Information page, click Next.
  6. In the Setup Type page, click Next.
  7. In the Ready to Install the Program page, click Install.
  8. In the InstallShield Wizard Completed page, click Finish.
  9. C:\Program Files (x86)\Norskale\Norskale Infrastructure Services must be excluded from Antivirus scanning. Or exclude Norskale Broker Service.exe; Norskale Broker Service Configuration Utility.exe; Norskale Database Management Utility.exe.
  10. Ensure firewall allows the following to the WEM Broker servers:
    • Agent Port defaults to TCP 8286.
    • AgentSyncPort defaults to TCP 8285.
    • AdminPort defaults to TCP 8284.
    • Monitoring Port defaults to TCP 8287.
  11. See¬†CTX218965¬†Error: “Server sent back a fault indicating it is too busy to process the request” and the WEM Agent fails to connect to the Broker Service if you need to throttle the number of connections if you have insufficient resources on the WEM Broker server.¬† ūüí°

Create WEM Database

  1. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  2. On the WEM server, run Database Management from the Start Menu.
  3. If upgrading, in the ribbon, click Upgrade Database.

  4. If a new install, in the ribbon, click Create Database.
  5. In the Create database Wizard page, click Next.
  6. In the Database Informations page, enter the SQL server name, and enter a new Database Name. The paths might not be correct so double check them. Then click Next.
  7. In the Database Server Credentials page, if your account has sysadmin permissions, then leave the box checked. Otherwise, uncheck the box, and enter a SQL login that has sysadmin permissions. Click Next.
  8. In the VUEM Administrators section, click Browse, and select your Citrix Admins group.
  9. In the Database Security page, if you intend to load balance multiple WEM servers, then specify a Windows service account for database access. The Broker Service will run as this account. Ryan Revord Load balancing Citrix Workspace Environment Manager.
  10. The Database Creation Wizard also creates a SQL account called¬†vuemUser with an 8 character alphanumeric password. If you want it more complex, check the box and specify the password. Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Click Next.¬† ūüí°

  11. In the Database Information Summary page, click Create Database.
  12. Click OK when prompted that the database was created successfully.
  13. Click Finish.
  14. There is a log file at¬†“C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log”

WEM Broker Configuration

  1. On the WEM Server, run Broker Service Configuration from the Start Menu.
  2. On the Database Settings tab, enter the SQL Server name and database name.
  3. Switch to the Advanced Settings tab.
  4. If you intend to load balance WEM Servers, then Browse to a service acccount. This service account must have access to the database. Ryan Revord Load balancing Citrix Workspace Environment Manager.
  5. The service account must be in the local Administrators group on the WEM server.
  6. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
  7. On the Licensing tab, you can enter a Citrix License Server 11.14.1 or newer that has valid licenses. Or you can enter the license server later in the admin console.
  8. Click Save Configuration in the ribbon.
  9. Click Yes when asked to restart the Broker Service.
  10. If you are load balancing WEM servers, then you must also create a Kerberos SPN, where [accountname] is the service account you are using for the Norskale service. Ryan Revord Load balancing Citrix Workspace Environment Manager.
    setspn -U -S Norskale/BrokerService [accountname]

Install WEM Console

  1. Run Citrix Workspace Environment Management Console v4.01.00.00 Setup.exe.
  2. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Console page, click Next.
  3. In the License Agreement page, select I accept the terms, and click Next.
  4. In the Customer Information page, click Next.
  5. In the Setup Type page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the InstallShield Wizard Completed page, click Finish.

WEM Sites

  1. From the Start Menu, run Administration Console.
  2. In the ribbon, click Connect.
  3. In the Database Broker Informations window, enter the WEM Server name, and click Connect.
  4. Some WEM Console settings are global (every agent gets the same setting). So if you want different global settings for different agents, then you create multiple WEM sites. At the top of the window, you can create a new WEM site and/or select an existing WEM site. A “site” is a complete WEM configuration and is completely unrelated to a XenDesktop site. An Agent can only point to one WEM site. Different Agents can point to different WEM sites.
  5. The WEM Group Policy template has a GPO setting to specify the WEM Site name that an agent should use.

Import Recommended Settings

  1. If you have multiple WEM sites, this process should be repeated for each WEM site.
  2. On the right side of the ribbon, click Import Settings.
  3. In the Settings Import Wizard page, click Next.
  4. In the Export File Load section, click Browse, and browse to the \Workspace-Environment-Management-v-4-01-00\Configuration Templates\Default Recommended Settings folder that was included in the WEM download.
  5. In the Settings Type Selection section, check all available boxes, and click Next.
  6. In the Settings Import Processing window, click Import Settings.
  7. Click Yes when prompted to replace.
  8. Click Finish.

WEM Agent Configuration

  1. In the WEM Administration Console, in the Advanced Settings workspace, there are several tabs for configuring the agent.
  2. One you might want to enable is Launch Agent for admins.
  3. Also consider enabling Launch Agent at Reconnect.
  4. On the right, on the Reconnection Actions tab, you can select which modules should be refreshed on reconnect.
  5. The Agent Options tab defaults to processing printers and drives asynchronously.
  6. Setting on these tabs are mostly self-explanatory. Feel free to change any as desired.
  7. On the left, in the Advanced Settings workspace, there’s a¬†UI Agent Personalization node.
  8. On the right, in the UI Agent Options tab, you can change the Agent skin, and Preview it.
  9. Other settings on this page let you hide the splash screen.
  10. The Helpdesk Options tab lets you enable Screen Capture.

  11. After Agents are installed, the Administration workspace, Agents node, shows the list of Agents, allowing you to perform actions against an Agent.
  12. The System Optimization workspace lets you configure the various optimizations.
  13. Fast Logoff disconnects a session and lets logoff processes run in the background.
  14. CPU Spikes Protection gives processes equal access to the CPU.
  15. From Hal Lange: “CPU Usage Limit should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU.¬† Example:¬†if 2 CPU’s are available, the CPU setting should not be set above 49%,¬†if 4 CPU’s are available, the CPU setting should not be set above 24%”
  16. Hal Lange demonstrates Citrix WEM Performance Optimizations in a YouTube video.
  17. Other tabs on the right let you manually specify CPU priority and/or clamping.
  18. Memory Management periodically reclaims memory from running processes.
  19. IO Management can prioritize process IO.
  20. Process Management lets you Blacklist processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
  21. The Policies and Profiles workspace has four nodes.
  22. You can enable Environmental Settings, and configure restrictions that are usually configured in group policy. Peruse the various tabs on the right. Administrators can be excluded from these restrictions.
  23. If you switch to the Citrix UPM Settings node, you can use WEM to configure Citrix Profile Management. Note: the NTUSER.DAT backup feature in UPM 5.5, and registry write back feature in UPM 5.6 seem to be missing.
  24. The File System tab has a useful Profile Cleansing button to remove excluded folders from an existing UPM profile share.

  25. The Monitoring workspace lets you see Logon Time and Boot Time reports.
  26. Double-click a category to see more info.
  27. Configuration node lets you configure Work Day Filtering for Login/Boot Time Reports.

WEM Agent Group Policy

  1. In the WEM Download, go to the \Workspace-Environment-Management-v-4-01-00\Configuration ADM РADMX folder, and copy the .admx file, and the en-US folder to the clipboard.
  2. Go \\\sysvol\\Policies. If you have a PolicyDefinitions folder here, paste the file and folder.
  3. If you don’t have PolicyDefinitions in Sysvol, then instead go to¬†C:\Windows\PolicyDefinitions, and paste the file and folder there.
  4. Edit a GPO that applies to the VDAs that will run the WEM Agent.
  5. Go to Computer Configuration | Policies | Administrative Templates | Citrix | Workspace Environment Manager | Agent Host Configuration.
  6. On the right, double-click Connection Broker Name.
  7. Enable the setting, enter the FQDN of the WEM server (or load balanced name), and click OK. Note: It must be FQDN. Ryan Revord Load balancing Citrix Workspace Environment Manager.
  8. If you want the WEM Agents to connect to a non-default WEM site, then configure the Site Name GPO setting.

Install WEM Agent

  1. On a VDA Master, run the downloaded Citrix Workspace Environment Management Agent v4.01.00.00 Setup.exe.
  2. If you are installing the Agent on a Provisioning Services vDisk, there are a couple Agent Installer Switches that let you move the WEM cache file to the PvS cache disk:
    "\\fs01\bin\Citrix\Workspace-Environment-Management-v-4-01-00\Citrix Workspace Environment Management Agent v4.01.00.00 Setup.exe" /v"AgentCacheAlternateLocation=\"D:\WEMCache\" AgentServiceUseNonPersistentCompliantHistory=\"1\""
  3. Click Install to install the prerequisites.
  4. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Manager Agent Host page, click Next.
  5. In the License Agreement page, select I accept the terms, and click Next.
  6. In the Customer Information page, click Next.
  7. In the Setup Type page, click Next.
  8. In the Ready to Install the Program page, click Install.
  9. In the InstallShield Wizard Completed page, click Finish.
  10. After installation, check the registry under HKLM\System\CurrentControlSet\Control\Norskale\Agent Host to verify your command line switches applied correctly.
  11. Citrix¬†CTX219839¬†How to Enable Debug Logging on Workspace Environment Management Agent manually, if no connectivity to Broker exists. Set¬†AgentDebugModeLocalOverride and¬†AgentServiceDebugModeLocalOverride to 1.¬†The Norskale Agent Host Service Debug.log file will be written to %ProgramFiles(x86)%\Norskale\Norskale Agent Host.¬†The Agent Log file will be written to the User Profile (i.e. under %UserProfile%).¬† ūüí°
  12. Optionally, you can pre-build the Agent Cache by running AgentCacheUtility.exe, which is located in C:\Program Files (x86)\Norskale\Norskale Agent Host.
  13. It needs the following switches:
    -refreshcache -brokername:MyWEMServer
    From Hal Lange: “AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:)¬† the broker name should always be in FQDN since this does use Kerberos for the authentication.”
  14. From Hal Lange: “Need to optimize the client by running ngen for .NET optimizations¬†in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
    ngen.exe update
    ngen.exe eqi 1
    ngen.exe eqi 3
  15. C:\Program Files (x86)\Norskale\Norskale Agent Host must be excluded from Antivirus scanning. Or exclude Norskale Agent Host Service.exe; VUEMUIAgent.exe; Agent Log Parser.exe; AgentCacheUtility.exe; AppsMgmtUtil.exe; PrnsMgmtUtil.exe; VUEMAppCmd.exe; VUEMAppCmdDbg.exe; VUEMAppHide.exe; VUEMCmdAgent.exe; VUEMMaintMsg.exe; VUEMRSAV.exe.

WEM Agent on Provisioning Services¬† ūüí°

From CTA David Ott at Using Citrix Workspace Environment Management to Redirect Folders via Symbolic Links ‚Äď Speed Up Logon:¬†before shutting down your maintenance/private mode vdisk to re-seal, kill the Norskale Agent Host Service. For whatever reason if you don‚Äôt do this it can cause your vms in standard mode to take an obscenely long time to shutdown.

If you have a PVS environment and you have redirected the WEM cache to the persistent drive, use a startup task to refresh the cache, force restart the Norskale Agent Host Service, and start netlogon after. If the cache doesn’t already exist, WEM doesn’t seem to check with the WEM server. You have to create the cache, and then restart the service so that it reads it, and force restarting the Norskale Agent Host Service will stop netlogon (dependent on it).

WEM Actions Configuration

WEM Actions are similar to Group Policy Preferences.

The general process is as follows:

  • Create the Actions
  • Add AD user groups to the WEM Console.
  • Assign Actions to user groups. Use¬†Conditions and Rules to perform the Action for only a subset of machines or users in the user group.

Create Actions

  1. In the WEM Console, use the Actions workspace to map drives, map printers, create shortcuts (Applications), set registry keys, etc. Click the Add button on the bottom of each node. These Actions are self explanatory.
  2. Some Actions, on the Options tab, have a Self-Healing option. To optimize performance, WEM only applies an action once. The Self Healing option causes it reapply at every logon.
  3. Note: Network Drives have no field for selecting a drive letter. Instead, you configure the drive letter later when assigning the action as detailed below.
  4. Note: Applications have no option for placing a shortcut on the Desktop. Instead, you configure shortcut placement later when assigning the action as detailed below.
  5. After you create Applications (Shortcuts) and assign them, on the agent, there’s a¬†Manage Applications tool that lets users control where shortcuts are created, including pinning to Taskbar and Start Menu.

  6. Applications can be placed in Maintenance Mode. Edit an Application, and find the Maintenance Mode setting on the Options tab.
  7. This causes the icon to change, and a maintenance message to be displayed to the user.

  8. The Applications node has a Start Menu View tab.
  9. For the¬†Printers Action, in the ribbon, there’s a¬†Import Network Print Server button.

  10. For the Registry Entries Action, in the ribbon, there’s an¬†Import Registry File button.
  11. For File System Operations, each Action has an Options tab that lets you set the Type of Action.
  12. For File Associations, “Command” is just the parameters without the executable.

Create Conditions and Rules

  1. Once the Actions are created, you then need to decide under what conditions the Actions are performed. Go to the Filters workspace.
  2. On the top left, switch to the Conditions node, and create Conditions. One or more Conditions are combined into a Rule.
  3. Then switch to the Rules node and create Rules. If you add multiple Conditions to a Rule, all (AND) Conditions must match. There doesn’t appear to be an OR option. The Rules are used later when assigning an Action to a user group.

Add AD Groups to WEM Console

  1. Go to the Configured Users workspace, and add groups and/or users that will receive the Action assignments.

Assign Actions to User Groups

  1. Go to the Assignments workspace. Initially the bottom half is empty. Double-click a group to show the Actions that are available for assignment.
  2. Move an available Action from the left to the right. This assigns the Action to the user group.
  3. You will be prompted to select a Filter, which contains one or more Conditions.
  4. When you move a Network Drive to the right, you’re prompted to select a drive letter.
  5. The list of drive letters is restricted based on the configuration at Advanced Settings workspace > Configuration node > Console Settings tab.
  6. On the right, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.

Modeling Wizard

  1. You can use the Modeling Wizard node to see what Actions apply to a particular user.

Transformer¬† ūüí°

In WEM 4.1 and newer, you can enable Transformer, which puts the WEM Agent in Kiosk mode. Users can only launch icons (e.g. Citrix icons). Everything else is hidden. This is an alternative to Receiver Desktop Lock. The interface is customizable.

  1. In the WEM Console, there’s a¬†Transformer Settings workspace with two nodes:¬†General and¬†Advanced.
  2. Enable Transformer and point it to your StoreFront URL. Note, this applies to all users and all agents in this WEM site.
  3. Other settings on the General Settings tab let you customize the appearance, and specify an unlock password. You probably want to disable the Clock. The Navigation Buttons are browser navigation.
  4. Transformer can be unlocked by pressing Ctrl+Alt+U and entering the unlock password.
  5. On the Site Settings tab, you can add website URLs that can be launched from within Transformer.
  6. At the top of the Transformer window is a Sites icon that lets you go to the sites listed in the WEM Console.
  7. The Advanced node lets you configure Transformer to launch a process other than a browser.
  8. The Advanced & Administration Settings tab lets you hide features from Transformer.
  9. To prevent users from accessing the local system, consider checking Hide Taskbar & Start Button.
  10. You probably want Log Off Screen Redirection to redirect users to the logon page when StoreFront logs off.
  11. The Logon/Logoff & Power Settings tab lets you configure the WEM Agent to autologon as a specific account. Transformer then displays the StoreFront webpage where the user enters his or her credentials.

115 thoughts on “Workspace Environment Manager”

  1. Hey, I have two questions. Today I did a complete install of XenApp 7.12 and WEM with Server 2012R2 Worker. I tried to configure both UPM and folder redirection through WEM, but only the folder redirection gets applied. The UPM settings are completely ignored. Any hint where I could look for the problem?
    Second, the WEM Agent starts only about 30-90 seconds after the user login. I did a PoC of Norskale about a year ago, and there it started immediately at the user logon. Any idea why?

    1. There’s a private hotfix for the WEM Agent issue.

      Do you see UPM settings at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings?

  2. Hey Carl! Have you managed to get the Transformer agent working with StoreFront and Receiver. Specifically, single sign-on? Do you know if single sign-on is supported at all?

    When we point it at our StoreFront 3.8 servers, the Transformer specifically requests explicit authentication. If we alt-tab out of the Transformer, we can point Internet Explorer at the exact same address and SSO works no problem. If we disable expliict auth on the store (and just leave SSO), then the Transformer fails loading StoreFront, stating there are no longon methods available. The StoreFront logs show the Transformer requesting explicit auth so that is expected. We’ve tried the ‘wait for Receiver to launch’ setting but that doesn’t work either.

    It seems like this component, which was licensed by ThinkKiosk to Norskale (, is pretty out of date with what is available via ThinKiosk (

    Thanks mate.

  3. i get some Errors on the wem agent host system.
    The creator of this fault did not specify a Reason.
    and “No matching Site Found … Exiting.”

    But i have create a GPO with the Sitename and the broker address.
    can anybody help me?

  4. Just ran into the “broker machine error or port error” message on running the ‘AgentCacheUtility.exe -RefreshCache -brokermachine’ command.
    Solution was to first create the Agent GPO with the broker machine name and link it to the VDA OU ūüôā

    So keep in mind to first built and apply the agent GPO before trying to refresh the cache.

  5. On slow networks like WAN links the agent is starting as always, but the configured actions are not carried out. If we wait until the desktop has settled and then do a manual refresh, all the missing printers, drive mapings etc. appear.
    Seems that either the slow WAN link is leading to this or the agent is loading too early end the configured actions can not be carried out that early?
    Tried to set the network “agent options-timeout value” higher and also the “service options-agent extra launch delay”, but neither of them helped. Any insights on this?

  6. Hello Carl,

    I have some question around Actions and assignments.

    One thing I see is you are adding the action items that include printer, Drive mappings, Reg tuning ect here. Then you made sure the Filter is applied for AD group match. The assigned to the farm name.
    Then you set the user you wanted it to apply to under configured users. Example Domain Users

    Does this mean that they will get all the assigned action items? Or that it’s available to them, and I have to move it over to the assigned area on the right side?

    Are the action settings a global thing? Or is each action item you set for the configured user to applied it to as a whole? This is In the action tab and configured tab I am referring to.

    I am just confused on actions, the available, and assigned.

    1. You assign Actions to an AD group first. You double-click any AD group you added to the console. In the Available box, you see the Actions not yet assigned to this AD group. You move them to the right so that the Actions are performed for members of this AD group. If you use the Always True filter, then the Action occurs for every user in the group, on every machine. You can use Filters to reduce the machines the Action runs on. It’s interesting that you can only apply one Filter per action per AD group.

  7. We have A LOT of GPOs which take quite a long time on each and every boot and especially logon and we’d like to speed this up with WEM.
    Only the big question is how to “convert” all these GPOs and if WEM is able to replace any GPO, no matter which kind?
    I’m surprised that I could not find anything on this issue in any documentation and the posts here.
    If we all needed to “clone” all the functionalities manually without any automatic conversion, it would take us ages and I’m sure that this would be a real problem for almost all other admins with real Citrix environments also?

    1. It’s not possible to import .ADMX files to WEM.

      The logon time savings come from moving Actions from Group Policy Preferences to WEM. Actions include: drive mappings, printer mappings, etc. WEM runs them in the background.

      1. That means WEM can only handle GPPreferences and all so the majority of all other GPOswill always have to stay within standard admx/GPOs still?
        And regarding drive/printer mappings: Since they are run asynchronously in WEM, I can never be sure when they have been applied, just as if I would run logon scripts asynchronously, which is possible with standard GPOs already, but causes more trouble than advantages in many respects?

        1. There are some GPO ADMX settings. But you can’t import ADMX.

          The idea is faster logons. Citrix Session Printing also runs asynchronously. Group Policy Preferences runs synchronous.

  8. Hi Carl,

    Great article!

    What would be the recommendation for the agent cache when using server session hosts (VDAs) with MCS?

  9. I have followed your guide. My lab setup is a Windows 2016 domain / Xendesktop 7.12.

    WEM is using the Default site, i have added one application and 1 network drive in the WEM console, but when i log into the VDI client or Xenapp server i dont see my test applicaton or network drive mapping….Both the application and network drive is enabled in the WEM console.

    I can see the VDI client and Xenapp server under Agents in the WEM console. Anyone else experienced this?

  10. Hello, we use XenApp 7.6 and publish full desktops to users. We find users can consume a lot of the CPU/Mem when running videos on IE/Chrome like YouTube. I think WEM can help with this but we also have AppSense coming in to show us how it can help. We are the differences between WEM and Appsense, This would be a great article I think.

    1. Hey, From my Experience with AppSense Suite, you get 3 products, one for Software Restriction and Security (Application Manager), one for System Optimization (Performance Manager) and UEV (Environment Manager) – up until the release of WEM by Citrix, you have only UPM, with WEM you now have UEV and System Optimization, what Appsense gives is the additinal SRP and Security which Citrix lacks a product for.

    2. If you consider Appsense, I would check out RES Workspace as wel. Both solutions have a far more holistic approach to User Environment Management opposed to WEM which barely scratches the surface of what the others are capable of. Think about user centric security for example.

      1. The main areas we are looking for is improving performance and logon times to our XenApp desktops. So stop users consuming all the CPU/mem on a VDA and we use a UPM for our user profiles and group policies so ways around speed that up.

        We would also like to control what applications users have access too.

  11. Hi Carl,

    I’m having another look at it – and unless I am mistaken (very probably), there is no place I can see to apply certain ADMX group policy settings. e.g. setting MS-word file paths etc. So for certain things we need to do it via GP and others via WEM. Is this correct?



  12. Hey, I was wondering did anyone add any excluded processes to system optimization cpu management feature? i’m wondering because i’m thinking that if i see this message in the norskale event log:

    Initializing process limitation thread for process : UserProfileManager with ID : 2104 [detected average of 12.42857%]

    then does this mean, i’m actually causing my UPM agent to run slower? (the UPM reached this CPU when i logged off 30+ users at once during a load test),

    what do you guys think?

  13. Hello! Just found your amazing post. Tried to work it out with the documentation in the download – which really sucks.
    Question – does wsm replaces profile manager or should you use both? I’m setting up a completely new xenapp / xendesktop environment.

  14. Has anyone else had an issue with Director failing to report Average Login Duration for delivery groups that have WEM agent installed? Environment is XD 7.11, w10vdi and w16sbc guests.

    1. @jjh there is a bug in Director 7.11 with this. However citrix does offer a private fix. But I was told by a escalation engineer to upgrade to 7.12 director to rectify the bug. I was one of there dev testing sites for the bug. So they rolled it into 7.12 director.

  15. Hi Carl, we have a pretty strict SQL policy, i can’t use the name VUEMUser and the DB is in another AD forest so i can’t use AD account during DB creation, do you know of a way to change the name of the default VUEMUser in the DB?

  16. Hallo Carl

    How can i create Default Printers in Citrix Workspace Enviroment Management? I created for every Printer-Tray a Printer in the Citrix Workspace Enviroment Management. I created also a AD-Group for every Printer and on for the Default Printer.

    Example: User1 is in the AD-Group Printer01, Printer02 and Printer02_Default => now all Printer-Tray from Printer01 and Printer02 should be mapping and set the default Printer-Tray from Printer02.

    User2 is in the AD-Group Printer01, Printer02 and Printer01_Default => now all Printer-Tray from Printer01 and Printer02 should be mapping and set the default Printer-Tray from Printer01. How can do this

    How can do this in the Citrix Workspace Enviroment Management, that the user have at the end the right default printer?

    The Printer-Mapping works very well.

    Sorry for my bad english. I hope you unterstand my questions. Thanks for your help

    1. Are you asking how to mark a printer as the default? You add the AD group to the WEM Console. Then you assign the printer to the AD group. During assignment there’s a drop-down to make the printer the default.

  17. I see that you can setup this with load balancing. But if you only have two brokers in HA, how do you proceed then?

    1. I’m not sure what you’re asking. You can load balance the WEM Servers on the ports they are listening on. Then point the Agents to the DNS name that resolves to the Load Balancing VIP.

      1. I have currently have two xendesktop controllers setup in HA, but without any netscaler loadbalancing vip. I guess I need too install the WEM server on both the controllers?

        1. WEM is completely separate from XenDesktop. WEM is it’s own server. You can build two WEM servers and load balance them. There is no connection to the XenDesktop Brokers. WEM also calls itself a broker.

          1. oh! That explains a lot. I thought it had to be installed on the brokers to function. Thanks for clarifying that.

            As usual great article.

  18. Hi Carl,

    Great article.
    Has anyone tried to setup the “Send to Support” option under Advanced Settings, UI Agent Personalization?
    It does not seem to work with Outlook 2016 MAPI profile.
    Is Outlook 2016 supported for this feature?
    Agent log reveals the following error: “No valid default MAPI profile found”, the Outlook 2016 client is correctly configured.

  19. I’d like to know if anyone has extensive real-world experience with the CPU and IO Management features. I’ve started with the basic configuration in Hal’s video, only to find that intensive logon operations such as the App-V client refreshing take significantly longer. I then find myself trying increasingly complex combinations of process exclusion, priority/affinity/claming, changing the CPU usage limit and IO management with widely varied results. I’d like to see some tuning advice from someone who’s implemented this in a production environment similar to ours (Win7 pooled desktops, App-V 5 in SCS mode, Symantec Endpoint Protection, XenDesktop 7.11 with UPM).

  20. II have installed the agent on windows server 2012R2 . To succesful install,u need to create the local user before running the installer. Otherwise the installer fails on password complexity with the creation of the local user.

    1. or if you use these /v switches your are able to set your password and it will install :

      /v”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\” VuemLocalUserPassword=\”Mylongpassword\””

  21. I am seeing a couple of issues with WEM.
    1. Citrix Profile Management settings do not work unless you restart the service before a user logs on (I’m seeing this on a Windows 7 VDA). Even refreshing the cache via startup script does not correct this issue… the only way I have found thus far is to remotely restart the Norskale/netlogon services. Which that is easily scripted if need be… personally I’ll just keep those settings in a Citrix policy.
    2. WEM seems to hang the shutdown process. What ends up happening is the user logs off of the desktop, the machine is sent a shutdown command, and it sits there spinning the Shutdown logo. While that is going on the machine appears on and registered with no active user on it – which that could lead to logon issues. I wrote a script to kill the service and set it to go off by the System 1074 event (shutdown initiated). This allows the machine to shutdown quickly.

    1. David, Did you every find a resolution to item 1.? I am seeing this in xenapp 7.9 2008 R2 environment. Have to restart the service one time on a new vm to get the agent to launch on for users. After that the server can be rebooted and the agent will continue to launch.
      Bill Flink

      1. I found a solution to both problems.
        1. I have a startup script which activates windows/office, starts antivirus services etc. I just added a refesh of the cache followed by a forced restart of the norskale service (also remember to start netlogon)
        2. When editing the image I decided to stop the norskale service before shutdown in maintenance mode. After that when running in standard mode there is no hang while shutting down.

      2. Hi,

        If the cache is not redirected or updated before the golden image is resealed the service can start with incorrect values leading to configuration inconsistencies.

        1) Make sure the cache is up to date before any image reseal
        2) Redirect the cache to a persistent location to avoid any discrepancies.
        3) Make sure the configuration GPO is applied correctly (registry values are inside the image) before resealing

    2. David,
      Did you ever get a resolution for issue 1?
      I’m seeing the same thing however mine is a little worse.
      The WEM agent doesn’t start unless the Norskale service is restarted at each reboot when the VDA has been promoted to production (PVS machine).

      The Maintenance machine seems to start fine every reboot but with the prod versions the WEM Agent doesn’t start.

  22. Excellent article Carl. A always!

    As for WEM itself, I hope this is going to be better integrated into XA/XD’s management framework over time. Having to deploy separate SQL instances, brokers, consoles in order to control just one or two additional aspects of the infrastructure simply doesn’t make sense to me.

  23. Has anyone had issues importing printers from a network print server? I am able to from a test server, but from our production server I receiver an error attempting to pull in the printers.

  24. Carl, do you know if there is a list of accepted variables for drive mappings? I tested and %username% and %LogonUser% don’t seem to work in WEM. I can confirm that %LogonUser% works as part of a GPO… but not in WEM.

  25. I am going to answer a few posts here. This does replace the USER based GPO’s and GPP’s… not machine based. it does add a performance enhancement to policies as it runs most all in parallel and not serial.

    As far as if your environment is running well, do you need WEM. No…. I would not use it for the policy aspect. I would however turn on the performance optimizations. By turning on RAM/CPU/IOPS optimizations, all you will see is a huge performance gain. To turn it on with basic tuning, check out.

    1. Hi Hal/Carl, We have several User OU’s and mostly use GPP’s for login drive mappings. Can we configure WEM to use the existing drive mappings from GPP’s based on user OU’s or do we have manually create each drive mapping for every single GPP/GPO?

  26. Hey Carl, have you tried deploying any of the “Policies and Profiles\Environmental Settings” specifically the Control Panel? I’m trying to deploy this at the moment and notice that it’s not Locking down the applets like I’m defining. The Norskale log indicates that Login failure: the user has not been granted the requested logon type at this computer for the VuemEnvironmentSettingsController. I’m suspecting this is associated to the account vuemLocalUser that exists on the machine. I’m guessing that this account needs some type of “Allow Log On locally” access, but am waiting to hear back from support before I start making a bunch of changes.

    1. I have deployed the Environment Settings for the Control Panel countless times without issue. How is your environment setup. Are you using a service account on the broker? Are you trying to use a service account for the Agent?

      1. Hal, I did setup a Service account for the Broker. Does that same account need logon rights to the device as well, and if so what rights would it specifically need?

  27. Hi Carl,
    Do you know if environment variables can be used in WEM for registry items?

    Maybe I’m using the wrong variables but %username% doesn’t seem to work. It just adds %username% as the value for the REG_SZ that I’m trying to set.

    1. From what i have found you are unable to expand a variable into the registry. It takes the text and dumps it directly to the registry. The workaround is to expand it via a script and insert it that way. Use the External Tasks to perform the script.

      1. Hi, If you need to expand an environment variable you can use the Expand dynamic token (details in Administration Guide).

    1. If no performance problems, then don’t deploy it. But you probably already own it so there’s no harm it trying it.

      It’s Actions functionality is the similar to Group Policy Preferences, but it has more condition filters.

  28. Carl I assume that if you are trying to get the most out of performance you would use WEM to replaced both Computer and User Windows Policies?

  29. Hi Carl,

    I’m new to this – but I had a small funny with it when setting the GPO for the agent – it didn’t like a shortname for the server, it needed to be FQDN. I got the error “invalid broker connection settings!” in the event log, but once i changed it in GPO editor to be the FQDN of the server it started to work. Not sure if just me or not…maybe helps someone.



  30. HI Carl
    well, asking myself how to setup a test/lab if SW maint, is a requirement.. or does WEM will be in a grace period if no proper license file is found ?
    Read the papers delivered and seems like as if SQL Express is not supported ?

  31. Im having a bit of trouble with getting the VUEM agent to refresh. The agent is installed on client and when running a manual refresh i get the message “An error occrured while building your environment.Agent processing will now stop. Please contact your Administrator.” Also inside of the console the agent doesnt show up for that machine or user under the Administration tab.

    1. Yeah the GPO is in place and applied. The log parser shows this message “10:10:12 AM Exception -> MainController.InternalRun() : VUEM Configured Items Retrieval Failed … Exiting.”

      Seems to happen everytime i manually attempt to run a refresh.

      1. Check your registry on the Agent for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host\BrokerSvcName and make sure it’s set to the FQDN of the WEM Server.

        1. run the command agentcacheutility -r -b: and then try again. you tend to get the error if your cache is not filled and the agent is starting before the network has fully been initialized.

  32. Hi Carl,
    Great article as always, thank you. Just a few things to clarify the usage of WEM:

    1: Is it correct that the 2 components “Infrastructure Services” and “Console” can both be installed on a Citrix Delivery Controller and the “Agent” needs to be installed on all the VDA enabled Terminal Servers (or VDI VMs) which should be optimized with WEM? And no additional components are needed (apart from rolling out the GPO templates)?

    2: And can WEM also be used for resource optimzation only, without any “WIN Native GPO replacements” like printer/ drive mapping and other stuff we are already controlling via GPOs we don’t want to touch or replace with WEM?

    3: And what are the advantages of using WEM as GPO replacement anyway and what are the limitations?

    Thank you!

    1. 1. If the Delivery Controller is sized for both components, then it should work.

      2. Yes. You don’t have to enable Environment Settings or Actions.

      3. Actions in WEM can be applied to a large variety of conditions. Compare with Group Policy Preferences. Otherwise, UEM policy management is typically used in environments where AD administrators are barriers to using group policy. ūüôā

      1. There are two Agent installer properties:

        AgentCacheAlternateLocation = path on PvS cache disk
        AgentServiceUseNonPersistentCompliantHistory = 1

  33. There are a few things missing from here….. the easy one is the AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:) the broker name should always be in FQDN since this does use Kerberos for the authentication.

    Need to register the SPN based on the service account that you are utilizing for the broker service. Setspn -U -S Norskale/BrokerService [accountname]

    Need to optimize the client by running ngen for .NET optimizations
    in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
    ngen.exe update
    ngen.exe eqi 1
    ngen.exe eqi 3

    CPU should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU. Example
    if 2 CPU’s are available the CPU setting should not be set above 49%
    if 4 CPU’s are available the CPU setting should not be set above 24%

    There are many other fine tunings that can be completed, but those are on a per environment basis

    1. Thanks Hal. I’ll incorporate these into the main article. Let me know if you post your own documentation, or want me to add something.

  34. Hi Carl, is there some special requirement for the license server? I Receive the following error: “A valid license server with appropriate licenses needs to be configured before you can start using Citrix Workspace Environment Management”

    1. I think it needs to be 11.14.1. Also, licenses must have active “Software Maintenance”. “Subscription Advantage” isn’t good enough.

  35. Hi Carl, great article, thanks! You are the first and only hit on Google with proper installation instructions.
    Do you know if it is possible to install the WEM server on the DDC, or do you recommend to install it on a separate server?

    1. The Install Guide says 4 vPCU, 8 GB RAM can handle 3,000 users. If you put it on a DDC, that would be in addition to whatever specs the DDC needs.

  36. Hi Carl,
    Great post, had a small query here.
    The settings we are configuring under System Optimization (Memory & CPU) will work against the Agents ? If Yes Can we get the reports for CPU & Memory like how we are getting for logon time.

    1. I don’t see any CPU/Memory reporting. That’s what Director 7.11 is for. ūüôā

      But it’s a simple install, so you’re welcome to install it yourself and try it.

  37. Hi Carl, Have you noticed any genuine performance benefits of putting this in and enabling the default optimisations? I have been watching this product for a while, and given its simplicity and now availability, I am thinking this should become a standard part of any Citrix deployment if the optimisations are genuine – i like the environment management concept far more than managing policies and preferences etc, this could be a significant change in the way non-app sense style customers operate

    1. CTP Steve Greenberg’s team has deployed Norskale many times and they definitely see the benefits. I’m hoping to see more literature on this soon.

  38. Is this being aimed at Citrix VDI and RDS deployments only? Or can it be used to target standard Windows OS deployments like AppSense does as well?

    Our team have been looking at UEM’s so we can provide a single user experience across multiple platforms and as we already have the required subscription level and XenApp 7.6 LTSR, this could potentially save us a lot of money.

    1. The client works across desktops as well. The Norskale product was aimed for all Windows platforms. Citrix is still working out the licensing for the desktop version

  39. Wow this is neat. Looks like we can use this for printing mappings, drives, and set upm settings. If we used this i assume it is replaces studio policies in some area?

Leave a Reply