Workspace Environment Management (WEM) 2103

Last Modified: Mar 19, 2021 @ 12:05 pm


This post covers Citrix Workspace Environment Management (WEM) versions 2103, 1912, and 4.7 through 4.1.

ūüí° = Recently Updated

Change Log


Workspace Environment Management¬†(WEM) is Citrix’s Performance Management and UEM (User Environment Management) tool for all XenApp/XenDesktop Enterprise or Platinum Customers with active Software Maintenance (Subscription Advantage is not sufficient). The WEM Agent is supported on XenApp 6.5, and XenApp/XenDesktop 7.x. Videos:

Note: WEM does not replace Citrix Profile Management. You usually implement both.

Citrix Blog Post User Experience on Steroids: Citrix Workspace Environment Management has a list of Frequently Asked Questions about WEM, including a drawing of the architecture.

From Hal Lange at Database sizing at Citrix Discussions: SQL Always On is fully supported.  In WEM 1909 and older, the ONE caveat is to remove from the Always On Availability Group before upgrading.

Here is the official calculations from the Norskale days on space needed on the SQL Server:

  • Reserve 1GB of RAM per 1,000 users deployed
  • RAM=1.5GB system + (1.5GB SQL + 1 GB per 1,000 users) for that SQL instance
  • Disk = 1GB per 10,000 users per year + 10 MB per WEM site configured

Upgrade WEM

There is no LTSR version of Citrix Workspace Environment Management (WEM) so you should always upgrade to the latest version of WEM.

From Upgrade a deployment at Citrix Docs: In-place upgrades from versions earlier than Workspace Environment Management 4.7 to version 1808 or later are not supported. To upgrade from any of those earlier versions, you need to upgrade to version 4.7 first and then upgrade to the target version.

CTA Marco Hofmann at CUGC: How-To: Update Citrix Workspace Environment Management (WEM) from 4.x to 4.7 (v4.07.00.00)

To upgrade Citrix WEM:

  1. In-place upgrade the Citrix Licensing Server. No special instructions.
    • Ensure the installed licenses a non-expired Subscription Advantage date.
  2. Before you upgrade, run WEM Infrastructure Service Configuration Utility and record all settings.
  3. In-place upgrade the WEM Server. No special instructions.
  4. Use the Database Maintenance tool to upgrade the WEM database.
    • In WEM 1909 and older, before upgrading the database that’s in a SQL Server Always On availability group, you must remove it from the availability group. This is no longer required in WEM 1912 and newer.
  5. You might have to run the WEM Infrastructure Service Configuration Utility on each Broker to point to the upgraded database. If the settings are still there, then just click Save Configuration.
  6. In-place upgrade the WEM Console. No special instructions.
  7. In-place upgrade the WEM Agents.

Install/Upgrade WEM Server (Broker Service)

There is no LTSR version of Citrix Workspace Environment Management (WEM) so you should always upgrade to the latest version of WEM.

The WEM Broker Service can be installed on one or more servers, including Delivery Controllers. The WEM Agent cannot be installed on the Broker Server.

A WEM Server with 4 vCPU and 8 GB RAM can support up to 3,000 users.

  1. Port 8288 – WEM 1912 and newer have a new port 8288 for WEM Agent Cache Synchronization. You’ll need to add this port to your load balancer and open it in your firewall.
    • Port 8285 is still available for older WEM Agents connecting to newer WEM Servers.
  2. Download Workspace Environment Management 2103 and extract it.
  3. If you are upgrading, run WEM Infrastructure Service Configuration Utility and record all settings. These settings might be wiped out during the upgrade.
  4. Licenses – make sure your installed CVAD licenses have a CSS date that is later than the date required by your WEM version. The required CSS date is shown at the top of the WEM download page.
  5. Run the downloaded Citrix Workspace Environment Management Infrastructure Services Setup.exe from the 2103-01-00-01 folder.
  6. If you see a prerequisites screen, then click Install to install the prerequisites.
  7. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Infrastructure Services page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Customer Information page, click Next.
  10. In the Setup Type page, click Next.
  11. In the Ready to Install the Program page, click Install.
  12. If you are upgrading, you might be prompted to restart applications.
  13. In the InstallShield Wizard Completed page, click Finish.
  14. Antivirus –¬†C:\Program Files (x86)\Norskale\Norskale Infrastructure Services must be excluded from Antivirus scanning. Or exclude: Norskale Broker Service.exe; Norskale Broker Service Configuration Utility.exe; Norskale Database Management Utility.exe.
  15. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured. Note: this folder seems to be missing in newer versions of WEM.
  16. Firewall – Ensure firewall allows the following ports to/from the WEM Broker servers. See Citrix Tech Zone Communication Ports Used by Citrix Technologies.
    • Agent Port – defaults to TCP 8286 – from WEM Agent to WEM Broker
    • AgentSyncPort – defaults to TCP 8285 – from WEM Agent to WEM Broker
    • Cached data synchronization port – defaults to TCP 8288 – from WEM Agent 1912 and newer to WEM Broker
    • AdminPort – defaults to TCP 8284 – from WEM Admin Console to WEM Broker
    • Monitoring Port – defaults to TCP 8287 – from Director to WEM Broker
    • AgentPort – defaults to TCP 49752 – from WEM Broker to WEM Agent
  17. See¬†CTX218965¬†Error: “Server sent back a fault indicating it is too busy to process the request” and the WEM Agent fails to connect to the Broker Service if you need to throttle the number of connections if you have insufficient resources on the WEM Broker server.

Upgrade WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management 2103 SDK at Citrix Developer docs.

To upgrade the Workspace Environment Management database using the GUI tool:

  1. If this is a new install, skip to Create WEM Database.
  2. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  3. On the WEM server, run Database Management from the Start Menu.
  4. If upgrading, in the ribbon, click Upgrade Database.
  5. In WEM 1906 and newer, the fields might already be filled in. Otherwise:
    1. Enter the SQL Server Name.
    2. Enter the existing WEM Database Name.
    3. Configure the credentials for the WEM service account.
  6. If your account is not a sysadmin on SQL, then enter a SQL account in the Database Credentials fields.
  7. Click Upgrade.
  8. Click Yes when asked to proceed.
  9. Click OK when prompted that database upgraded successfully.
  10. Click Finish to close the Database Upgrade Wizard.
  11. Close the WEM Database Management Utility.
  12. Open services.msc and restart the Norskale Infrastructure Service.

After the database is upgraded, run the WEM Infrastructure Service Configuration Utility.

  1. If the upgrade preserved the settings, then simply click Save Configuration. The service won’t start unless you do this.
  2. In WEM older than version 1906, you might have to re-configure the settings.
    1. On the Licensing tab, configure the licensing server.
    2. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
    3. On the Advanced Settings tab:
      1. Enter the Infrastructure service account credentials.
      2. Enter the vuemUser SQL user account password.
      3. In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
      4. Make a choice regarding Google Analytics.
    4. The Advanced Settings tab will look something like this.
    5. On the Database Settings tab, enter the database server name and database name.
    6. In the ribbon, click Save Configuration.
  3. Click Yes to restart the Broker Service.
  4. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured. This folder doesn’t exist in newer versions of WEM.
  5. Skip ahead to upgrade the WEM Administration Console.

Create WEM Database

Workspace Environment Management 4.5 and newer have PowerShell commands. For details, see Citrix Workspace Environment Management 1912 SDK at Citrix Developer docs.

To create the database using the GUI tool:

  1. The person running Database Management must be a sysadmin on the SQL Server. Or you can enter a SQL login.
  2. Make sure SQL Server authentication (mixed mode) is enabled on the SQL server > Properties > Security. Even though the WEM Broker server runs as an AD account that is used login to SQL, WEM Broker also uses a SQL account named vuemUser, which means mixed mode must be enabled. Source = John Long at WEM new install, cannot connect to infrastructure server at Citrix Discussions.

  3. On the WEM server, run WEM Database Management Utility from the Start Menu.
  4. If a new install, in the ribbon, click Create Database.
  5. In the Create database Wizard page, click Next.
  6. In the Database Informations page, enter the SQL server name, and enter a new Database Name.
    1. Only enter an instance name if you have a named SQL instance.
    2. Only enter a port number if your SQL instance is listening on a static port number other than 1433.
    3. From Måns Hurtigh at Problem creating WEM 4.3 Database on SQL Server 2012 at Citrix Discussions: The database name cannot contain a dash.
  7. The paths might not be correct so double check them. Then click Next.
  8. In the Database Server Credentials page, if your account has sysadmin permissions, then leave the box checked. Otherwise, uncheck the box, and enter a SQL login that has sysadmin permissions. Click Next.
  9. In the VUEM Administrators section, click Browse, and select your Citrix Admins group.
  10. In the Database Security page, if you intend to load balance multiple WEM servers, then specify a Windows service account for database access. The Broker Service will run as this account. See the load balancing topic at Install the Citrix Workspace Environment Management Infrastructure Services at Citrix Docs.
  11. The Database Creation Wizard also creates a SQL account called vuemUser with an 8 character alphanumeric password. If you want it more complex, check the box and specify the password.
    • Note: if you intend to implement AlwaysOn Availability Group, then you must specify this password, since you’ll be asked for it again when adding the database to the Availability Group. Also see SQL Server Always On at Citrix Docs.

  12. Click Next.
  13. In the Database Information Summary page, click Create Database.
  14. Click OK when prompted that the database was created successfully.
  15. Click Finish to close the Database Creation Wizard.
  16. Close the WEM Database Management Utility.
  17. There is a log file at¬†“C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.log”

WEM Infrastructure Services Configuration

  1. On the WEM Server, run WEM Infrastructure Service Configuration Utility from the Start Menu.
  2. On the Database Settings tab, enter the SQL Server name and database name.
  3. Switch to the Advanced Settings tab.
  4. If you intend to load balance WEM Servers, then Browse to a service account. This service account must have access to the database.

    • The service account must be in the¬†local Administrators group on the WEM servers.
  5. Enter the vuemUser SQL user account password.
  6. In WEM 1909 and newer, check the box next to Enable performance tuning and set both of the Minimum threads boxes to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
  7. Make a choice regarding Google Analytics.
  8. The Advanced Settings tab will look something like this.
  9. On the Database Maintenance tab, consider checking Enable Scheduled Database Maintenance.
  10. On the Licensing tab, you can enter a Citrix License Server or newer that has valid licenses. Or you can enter the license server later in the admin console.
  11. Click Save Configuration in the ribbon.
  12. Click Yes when asked to restart the Broker Service.
  13. Close the WEM Infrastructure Service Configuration utility.
  14. If you are upgrading, then make sure your WEM Service Account has Full control permissions on the DBSync folder at C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\DBSync. For new installs, WEM should set this permission correctly once the Infrastructure Services are configured.
  15. If you are load balancing WEM servers, then you must also create a Kerberos SPN, where [accountname] is the service account you are using for the Norskale service.
    setspn -U -S Norskale/BrokerService [accountname]

Install/Upgrade WEM Console

  1. Run Citrix Workspace Environment Management Console Setup.exe from the downloaded WEM 2103 (aka 2103-01-00-01) installation files.
  2. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Console page, click Next.
  3. In the License Agreement page, select I accept the terms, and click Next.
  4. In the Customer Information page, click Next.
  5. In the Setup Type page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the InstallShield Wizard Completed page, click Finish.

WEM Configuration Sets (formerly known as Sites)

In WEM 4.3, Sites was renamed to Configuration Sets.

  1. From the Start Menu, run WEM Administration Console.
  2. In the ribbon, click Connect.
  3. In the Database Broker Information window, enter the WEM Server name, and click Connect.
  4. Some WEM Console settings are global (every agent gets the same setting). So if you want different global settings for different agents, then you create multiple WEM Configuration sets. At the top of the window, in the ribbon, you can create a new WEM Configuration set. 
  5. WEM 1912 and newer can Backup and Restore entire Configuration Sets, which makes it easy to duplicate a Configuration Set.

    • When Restoring a Configuration Set, there’s no need to create a new empty Set. Just run the Restore wizard and WEM will try to use the original Configuration Set name. If the original Configuration Set already exists, then WEM will append _1 to the name, which you can then rename.
  6. Once you have multiple Configuration sets, you can use the drop-down to switch between them.
  7. A WEM Agent can only belong to one WEM Configuration set. Different Agents can belong to different WEM Configuration sets.
  8. In WEM 4.3 and newer, you add agents to the Configuration set at Active Directory Objects (workspace on bottom left) > Machines (node on top left). You can add OUs or individual objects (computers or computer groups).
  9. In WEM 4.2 and older:
    1. The WEM Group Policy template has a GPO setting to specify the WEM Site name that an agent should use.

Import Recommended Settings

If you have multiple WEM configuration sets, this process should be repeated for each new, empty WEM configuration set.

  1. In WEM 4.4 and newer, on the right side of the ribbon, click Restore.

    • In WEM 4.3 and older, on the right side of the ribbon, click Import Settings.
  2. In WEM 4.4 and newer, select Settings, and click Next.
  3. In the Settings Restore wizard, click Next.
  4. In the Restore from folder section, click Browse, and browse to the \Workspace-Environment-Management-v-2103-01-00-01\Configuration Templates\Default Recommended Settings folder that was included in the WEM download.
  5. In the Settings Type Selection section, check all available boxes, and click Next.
  6. In the Restore settings processing window, click Restore Settings.
  7. Click Yes when prompted to replace.
  8. Click Finish.

CTP James Kindon at WEM Hydration Kit has a collection of Applications, File System and Registry Actions that can be imported to WEM. CTP James Kindon recently added Environmental Settings to the Hydration Kit.

WEM 1909 and newer can Migrate your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.

WEM Administrators

  1. In the Administration Console, go to Administration (workspace on bottom left) > Administrators (node on top left).
  2. In the right pane, click Add, and specify an Active Directory group that can administer WEM.
  3. After adding a group or user, right-click the new administrator, and click Edit.
  4. Use the Permissions drop-down to select a role. The roles are detailed at Administrators at Citrix Docs.
  5. Then use the State drop-down to select Enabled. New administrators are initially disabled. Click OK to close the window.

WEM Agent Configuration

For configuration guidance, see CTP James Kindon and CTA Hal Lange at WEM Advanced Guidance – Part 1¬†and WEM Advanced Guidance‚ÄďPart 2: User Interaction at CUGC.

  1. In the WEM Administration Console, in the Advanced Settings workspace (bottom left), there are several tabs for configuring the agent.
  2. On the bottom of each tab is an Apply button. Click this button periodically to save your configuration to the database.
  3. Setting on these tabs are mostly self-explanatory. Feel free to change any as desired.
  4. On the Main Configuration tab, one option you might want to enable is Launch Agent for admins.
  5. Also consider enabling Launch Agent at Reconnect.
  6. In the right pane, on the Reconnection Actions tab, you can select which modules should be refreshed on reconnect.
  7. The Agent Options tab defaults to processing printers and drives asynchronously.
  8. If WEM in Citrix Cloud, consider enabling Offline Mode and Use Cache to Accelerate Actions Processing. More info at Citrix Blog Post Workspace Environment Management agent caching explained.
  9. The Service Options tab has a setting for Bypass ie4uinit Check. Enabling this might eliminate a 2 minute delay before WEM Agent starts.
  10. On the top left, in the Advanced Settings workspace, there’s a¬†UI Agent Personalization node.
  11. In the right pane, in the UI Agent Options tab, you can change the Agent skin, and Preview it.
  12. Other settings on this page let you hide the splash screen.
  13. The Helpdesk Options tab lets you enable Screen Capture.

System Optimization

  1. The System Optimization workspace (bottom left) lets you configure the various optimizations.
  2. On the top left, click the CPU Management node.
  3. CPU Spikes Protection gives processes equal access to the CPU.
    • WEM 1909 and newer have an option for Auto Prevent CPU Spikes.
    • From Hal Lange: “CPU Usage Limit should never be set to higher a percentage than one CPU. This will keep a single threaded application from thrashing a CPU.¬† Example:¬†if 2 CPU’s are available, the CPU setting should not be set above 49%,¬†if 4 CPU’s are available, the CPU setting should not be set above 24%”
    • Hal Lange demonstrates¬†Citrix WEM Performance Optimizations in a YouTube video.
  4. Other tabs on the right let you manually specify CPU priority and/or clamping.

    • CTX230843¬†WEM protection and Skype for Business + Real Time Optimization Pack has a list of processes that should be excluded from WEM¬†CPU Spikes protection.
    • From CTA Chris Schrameyer¬†WEM ‚Äď CPU LOGGING:¬†WEM does not provide any built-in logs to determine when a CPU Spikes Protection action is taken. It would be nice to know what processes are often limited, so we can then add them to a CPU Clamping policy or identify why they are using so much CPU.
  5. On the top left, click the Memory Management node.
  6. In the right pane, you can enable¬†Working Set Optimization¬†to periodically reclaim memory from running processes. This feature tells processes to flush their memory to disk. In other words, you’re trading memory for disk.
  7. On the top left, click the I/O Management node.
  8. On the right, you can prioritize process IO.
  9. On the top left, click the Fast Logoff node.
  10. In the right pane, enabling Fast Logoff disconnects a session immediately, and runs logoff processes in the background.
  11. WEM 2003 and newer have a Citrix Optimizer feature. If you enable it, then the WEM Agents will disable services and scheduled tasks according to the settings in the template. WEM comes with built-in templates, or you can add your own. Only one template can be assigned to an operating system version.
    • WEM 2012 and newer have an option to¬†Automatically select Templates to Use.
    • WEM 2012 and newer come with a template for Windows 10 version 2004.
    • WEM 2009 and newer come with a template for Windows 10 version 1909.
    • The Administration > Agents section adds a¬†Process Citrix Optimizer action to each agent.


  1. In Workspace Environment Management 4.5 and newer, on the bottom left, click the Security workspace. In older WEM, stay on the Process Optimization workspace.
  2. On the top left, click the Process Management node.
  3. In the right pane, in the Processes Management tab, enable Process Management. The other tabs are grayed out until you check this box.

  4. You can BlackList processes. There’s also a WhiteList, but once something is added to the WhiteList, then all other processes are blocked.
  5. In Workspace Environment Management 4.5 and newer, on the top left, click Application Security.
  6. You can use the top-left sub-nodes to configure AppLocker. See Application Security at Citrix Docs.
  7. If you click the Executable Rules sub-node, on the bottom right is a button to Add Default Rules.
  8. If you edit a rule…

    1. You can assign the rule to a user group.
    2. The list of user groups comes from Active Directory Objects (workspace on bottom left) > Users.
  9. On top of the right pane, set Rule enforcement to On or Audit.
  10. In the ribbon is a button to Import AppLocker Rules that were exported from a group policy.
  11. The other sub-nodes follow the same configuration pattern.

Policies and Profiles

  1. The Policies and Profiles workspace (bottom left) has four nodes on the top left.
  2. In the Environmental Settings node (top left), in the right pane, you can enable Environmental Settings, and configure restrictions that are usually configured in group policy. Peruse the various tabs on the right. Administrators can be excluded from these restrictions.
  3. The Environmental Settings within the WEM Administration Console are per-machine, not per-user. This means that, by default, all the settings configured inside of a Configuration Set apply to every non-admin user that logs into that particular Agent machine. In order to have different Environmental Settings apply to different users/user groups, they would need to be applied to a separate WEM Agent machine, and all the settings would need to be configured inside a separate Configuration Set to which the WEM Agent Machine is bound. Source = CTX226487 Guidance on configuring WEM settings per user/user groups.
  4. If you switch to the Citrix Profile Management Settings node, you can use WEM to configure Citrix Profile Management. See the Citrix Profile Management post for details on a recommended configuration.

    • Newer Profile Management features requires newer Virtual Delivery Agents (VDA).
    • WEM 2103 and newer have Streamed User Profiles > Enable Profile Streaming for Folders, which should speed up logons.
    • WEM 2103 and newer have Advanced Settings > Enable multi-session write-back for profile containers, which applies to both UPM Profile Containers and Microsoft FSLogix Profile Containers.
    • WEM 2103 and newer have Profile Container Settings > Enable Local Cache for Profile Container.
    • WEM 2009 and newer have the Profile Container settings tab that lets you store the entire profile in the container.
    • WEM 2003 and newer can configure the¬†multi-session write-back for FSLogix Profile Container feature in VDA 2003 and newer.
    • WEM 1909 and newer can configure UPM 1909 features, including¬†Migrate user store.
    • WEM 1906 and newer can configure UPM 1903 features, including Enable Profile Container on the Synchronization tab.
    • WEM 1808 and newer can configure UPM 1808 features, including Outlook Search Index Roaming on the Advanced Settings tab.
    • WEM 4.4 and newer can configure UPM 5.8 and 7.15 features, including Enable Logon Exclusion Check.
    • WEM 4.2 and newer can configure UPM 5.5 and 5.6 features, including: Active Write Back Registry, NTUSER.DAT Backup, and Default Exclusion Lists.
  5. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.
  6. In the right pane, the File System tab has a useful Profile Cleansing button to remove excluded folders from an existing UPM profile share. This function might not be necessary if you enable Logon Exclusion Check.

    • Adjust the Profiles Root Folder, click¬†Scan Profiles Folder, and then click¬†Cleanse Profile(s).
  7. To configure folder redirection, on the top left, click Microsoft USV Settings.
  8. On the right, on the Roaming Profiles Configuration tab, check the box to Process User State Virtualization Configuration.
  9. Then switch to the Folder Redirection tabs, and configure them as desired.

WEM Agent Group Policy

  1. In the WEM Download, go to the \Workspace-Environment-Management-v-2103-01-00-01\Agent Group Policies\ADMX folder.
  2. Copy the .admx file, and the en-US folder to the clipboard.
    • In WEM 4,3, 4.4, and 4.5, the .admx file is suffixed with “v4.3”.
    • In WEM 1808, the .admx file is suffixed with “v1808”.
    • WEM 4.6, WEM 4.7, WEM 1903 and newer do not include the version number in the .admx file name.
  3. Go \\\sysvol\\Policies.
  4. If you have a PolicyDefinitions folder here, then paste the .admx file and folder.

    • If you don’t have PolicyDefinitions in Sysvol, then instead go to¬†C:\Windows\PolicyDefinitions, and paste the .admx file and folder there.
  5. Look for older versions of the .admx and .adml files (in the en-us subfolder), and delete them.
    • In WEM 4.6, WEM 4.7, WEM 1903 and newer, the .admx and .adml files no longer have a version designation, so remove any .admx and .adml files that have a version number.
    • The WEM 1808 .admx and .admx files have v1808 in their names, so remove any .admx and .adml files that don’t have a version number.

  6. Edit a GPO that applies to the VDAs that will run the WEM Agent.
  7. In WEM 1906 and newer, go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Workspace Environment Management | Agent Host Configuration.
    • In WEM 1903 and older, go to Computer Configuration | Policies | Administrative Templates | Citrix | Workspace Environment Management | Agent Host Configuration.
  8. On the right, double-click Infrastructure server.
  9. Enable the setting, enter the FQDN of the WEM server (or load balanced name), and click OK. Note: It must be FQDN.
  10. In WEM 4.3 and newer, assign Agents to a Configuration Set (formerly known as Site). In the WEM Administration Console, go to Active Directory Objects workspace (bottom left) > Machines node (top left), and in the right pane, add an OU or individual machines.
  11. It’s possible that an Agent might register with multiple Configuration sets. You can review the registrations at¬†Administration¬†workspace (bottom left) > Agents¬†node (top left) >¬†Registrations¬†tab (right pane).
  12. It also might show you Agents not registered with any Configuration Set. Add the Agent to Active Directory Objects > Machines.
  13. If WEM 4.2 or older:
    1. You can configure the WEM Agents to connect to a non-default WEM site by editing the Site Name GPO setting.

Install/Upgrade WEM Agent

  1. If App Layering, Citrix recommends installing the WEM Agent in the Platform Layer.
    • If you are installing the WEM Agent in a App Layer, see George Spiers to workaround an issue with the Netlogon service in a Platform Layer that has the Provisioning Services Target Device software installed.
  2. Use registry editor to confirm that the WEM GPO has applied. Look for HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host\BrokerSvcName.
  3. In VDA 2012 and newer, the WEM Agent is included with the VDA installer. Or you can install it separately as detailed in the next step.

  4. On a VDA Master machine, run Citrix Workspace Environment Management Agent Setup.exe from the downloaded WEM 2103 (aka 2103-01-00-01) installation files.

WEM Agent 1909 or newer

The install instructions for WEM Agent 1909 and newer are different than the instructions for WEM Agent 1906 and older.

For command line unattended installation of WEM Agent 1909, see Alain Assaf at Citrix Discussions.

  1. In the Citrix Workspace Environment Management Agent window, check the box next to I agree to the license terms and click Install.
  2. In the Welcome to the Citrix Workspace Environment Management Agent Setup Wizard page, click Next.
  3. In the Destination Folder page, click Next.
  4. In the Deployment Type page, select On-premises Deployment and click Next.
  5. In the Infrastructure Service Configuration page, change the selection to Skip Configuration since you’ve already configured the group policy. Click Next. Note: In WEM 1912 and newer, the cache synchronization port changes from 8285 to 8288.
  6. In the Advanced Settings page, if this machine will be used with Citrix Provisioning and has a Provisioning cache disk, then you can optionally move the WEM Cache to the Provisioning cache disk. Click Next. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
  7. In the Ready to install Citrix Workspace Environment Management Agent page, click Install.
  8. In the Completed the Citrix Workspace Environment Management Agent Setup Wizard page, click Finish.
  9. In the Installation Successfully Completed window, click Close.
  10. Jump ahead to WEM Agent Common.

WEM Agent 1906 or older

This section is for WEM Agent 1906 and older.

  1. If you are installing the WEM Agent on a Provisioning Services vDisk, then there are a couple Agent Installer Switches that let you move the WEM cache file to the PvS cache disk.
    "\\fs01\bin\Citrix\WEM\Workspace-Environment-Management-v-1906-00-01-01\Citrix Workspace Environment Management Agent Setup.exe" /v"AgentCacheAlternateLocation=\"D:\WEMCache\""
  2. You can use the ARPSYSTEMCOMPONENT=1 switch to prevent the Agent from showing up in the Programs and Features list where it can be uninstalled.
  3. Citrix CTX218964 How To Secure a Citrix WEM Agent Installation in Cases Where Users are Local Administrators also details how to configure a group policy to prevent local administrators from stopping the Agent service.
  4. Click Install to install the prerequisites.
  5. In the Welcome to the InstallShield Wizard for Citrix Workspace Environment Management Agent page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Customer Information page, click Next.
  8. In the Setup Type page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the InstallShield Wizard Completed page, click Finish.

WEM Agent Common

  1. CyrillDaeniker at WEM 1906 – Citrix WEM User Logon Service adds 5 seconds to logon time at Citrix Discussions says that Citrix WEM User Logon Service adds 5 seconds to logon time.
  2. After installation, check the registry under HKLM\System\CurrentControlSet\Control\Norskale\Agent Host to verify your command line switches applied correctly.

  3. WEM Agent 2012 and newer have some enhancements for non-persistent machines. See Prerequisites and recommendations and Agent startup behaviors at Citrix Docs.
  4. In WEM Agent 1909 and newer, the WEM Agent installation path is now C:\Program Files (x86)\Citrix\Workspace Environment Management Agent instead of C:\Program Files (x86)\Norskale\Norskale Agent Host and you might have to modify your WEM Agent Cache Refresh scripts with the new path. See CTP James Kindon Citrix WEM Updated Start-Up Scripts for more details.
  5. Citrix CTX219839 How to Enable Debug Logging on Workspace Environment Management Agent manually, if no connectivity to Broker exists. Set AgentDebugModeLocalOverride and AgentServiceDebugModeLocalOverride to 1. The Norskale Agent Host Service Debug.log file will be written to %ProgramFiles(x86)%\Norskale\Norskale Agent Host. The Agent Log file will be written to the User Profile (i.e. under %UserProfile%).
  6. Srinivasan Shanmugam at¬†WEM Agent v4.5 Upgrade Issues at CUGC mentioned that you might have to delete the upgraded Agent’s local database.
  7. Optionally, you can pre-build the Agent Cache by running AgentCacheUtility.exe, which is located in C:\Program Files (x86)\Citrix\Workspace Environment Management Agent (fresh WEM Agent 1909 and newer) or in C:\Program Files (x86)\Norskale\Norskale Agent Host.

  8. It needs the following switches:
    -refreshcache -brokername:MyWEMServer
  9. From Hal Lange: “AgentCacheUtility does except short values (Eg AgentCacheUtility -r -b:)¬† the broker name should always be in FQDN since this does use Kerberos for the authentication.”

  10. You can also use the WEM Administration Console at Administration workspace (bottom left), Agents node (top left), to refresh the cache. The Synchronization column indicates if the cache is up to date or not. It takes a few minutes to update.
  11. From Hal Lange: “Need to optimize the client by running ngen for .NET optimizations¬†in the x64 and x86 directories. These commands will help optimize ANY .NET application installed on the system
    ngen.exe update
    ngen.exe eqi 1
    ngen.exe eqi 3
  12. AntivirusC:\Program Files (x86)\Citrix\Workspace Environment Management Agent or C:\Program Files (x86)\Norskale\Norskale Agent Host must be excluded from Antivirus scanning. Or exclude Citrix.Wem.Agent.Service.exe; Norskale Agent Host Service.exe; VUEMUIAgent.exe; Agent Log Parser.exe; AgentCacheUtility.exe; AppsMgmtUtil.exe; PrnsMgmtUtil.exe; VUEMAppCmd.exe; VUEMAppCmdDbg.exe; VUEMAppHide.exe; VUEMCmdAgent.exe; VUEMMaintMsg.exe; VUEMRSAV.exe.
  13. After Agents are installed, the Administration workspace (bottom left), Agents node (top left), shows the list of Agents, allowing you to perform actions against an Agent. For example, if UPM settings are not applying to your Agents, you can right-click the Agent, and click Reset Profile Management Settings. WEM 1912 and newer let you Reset Actions. You might have to click the Refresh button on the bottom right. See Workspace Environment Manager UPM at Citrix Discussions.
  14. If you use WEM to configure UPM settings, but the settings are not applying to the WEM Agent, then see Citrix CTX219086 Some UPM or WEM Agent parameters may not be applied by the agent after switching from GPO settings to Workspace Environment Management settings.  Delete the machine cache, which is at the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UsvMachineConfigurationSettings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings

    This will force WEM to re-apply the per-machine settings (Microsoft USV or Citrix UPM settings, respectively).

  15. WEM Cache tends to break often. See CTP James Kindon Citrix WEM Cache Problems…. Again for a script to reset the cache periodically.
  16. CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.

WEM Agent on Citrix Provisioning Target Device

From Citrix Discussions: create a computer startup script that deletes the WEM cache and refreshes it:

net stop "Citrix WEM Agent Host Service" /y
net stop "Norskale Agent Host Service" /y
del D:\WEMCache\ /S /F /q
net start "Citrix WEM Agent Host Service"
net start "Norskale Agent Host Service"
net start "Netlogon"
timeout /T 45 /nobreak
"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache -brokername:XXXX
"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshCache -brokerName:XXXX

From Julian Mooren Citrix Workspace Environment Management with PVS ‚Äď Synchronization State ‚ÄúUnknown‚ÄĚ: For Citrix Provisioning, schedule a task to run the following commands at Target Device boot (Trigger = At Startup).

"C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\AgentCacheUtility.exe" -refreshcache
"C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe" -refreshcache

From CTA David Ott at Using Citrix Workspace Environment Management to Redirect Folders via Symbolic Links ‚Äď Speed Up Logon:¬†before shutting down your maintenance/private mode vdisk to re-seal, kill the Citrix WEM Agent Host Service or Norskale Agent Host Service. For whatever reason if you don‚Äôt do this it can cause your vms in standard mode to take an obscenely long time to shutdown.

Base Image Script Framework (BIS-F) automates many image sealing tasks, including tasks for Workspace Environment Management. The script is configurable using Group Policy.


  1. In the WEM Administration Console, the Monitoring workspace (bottom left) lets you see Logon Time and Boot Time reports.
  2. Double-click a category to see more info.

  3. Configuration node (top left) lets you configure Work Days Filtering for Login/Boot Time Reports.
  4. When you make changes in the console, if agents are already installed, you can right-click the agent icon (by the clock), and Refresh.
  5. You can also go to the Administration workspace (bottom left) > Agents node (top left). In the right pane, right-click one or more Agents, and click the Refresh options.
  6. WEM 1811 and newer periodically run UPMConfigCheck every day, or whenever the Norskale Agent Service restarts. The Administration > Agents node in the WEM Console has a visual indicator of the UPMConfigCheck results. For status details, check the file C:\Windows\Temp\UPMConfigCheckOutput.xml on each WEM Agent Machine.

WEM Actions Configuration

WEM Actions are similar to Group Policy Preferences.

The general process is as follows:

  • Create the Actions
  • Optionally create Action Groups (WEM 1906 and newer)
  • Add AD user groups to the WEM Console.
  • Assign Actions or Action Groups to user groups. Use Conditions and Rules to perform the Action (or Action Group) for only a subset of machines or users in the user group.

Create Actions

  1. In the WEM Console, use the Actions workspace to map drives, map printers, create shortcuts (Applications), set registry keys, etc. Each Action type is a separate node.
  2. WEM 1909 and newer can Migrate or Import your Group Policies to WEM. CTP James Kindon at Migrating GPO settings to WEM explains this feature in detail.
    1. In Group Policy Management Console, back up the GPOs that you want to import to WEM.
    2. Go to the GPO Backup folder and zip everything.
    3. In WEM Console, go to Actions > Group Policy Settings and click Import.
    4. WEM 2012 and newer let you edit the imported group policies.
    5. It seems to be a registry editor that doesn’t use ADMX templates.
  3. On the left, select an Action Type. In the right pane, click the Add button to add actions. These Actions are self explanatory.
  4. Some Actions, on the Options tab, have a Self-Healing option. To optimize performance, WEM only applies an action once. The Self Healing option causes it reapply at every logon.
  5. Network Drives have no field for selecting a drive letter. Instead, you configure the drive letter later when assigning the action as detailed below.
  6. Applications (shortcuts)
    1. In the Actions pane, Applications have no option for placing a shortcut on the Desktop. Instead, you configure shortcut placement later when assigning the action as detailed below.
    2. WEM 4.6 and newer let you pull icons from a StoreFront store.

    3. Arjan Mensch at Powershell Module for Citrix WEM ‚Äď Part 3 ‚Äď EnvironmentalSettings and MicrosoftUsvSettings from GPO and much, much more¬†provides a PowerShell Module that can do several things to help setup WEM, including reading a bunch of shortcuts (e.g. from Start Menu), and converting them to an .xml file that can be imported into WEM. This simplifies Applications configuration.
    4. To prevent applications (shortcuts) from being created if the application isn’t installed, go to¬†Advanced Settings > Configuration > Agent Options, and check the box next to¬†Check Application Existence in the¬†Extra Features section.
    5. To clean up extra shortcuts, go to Advanced Settings > Configuration > Cleanup Actions, and check the boxes in the Shortcuts deletion at startup section. Also see CTP James Kindon Citrix WEM, Modern Start Menus and Tiles.
    6. After you create Applications (Shortcuts), and assign them, on the agent, there’s a¬†Manage Applications tool that lets users control where shortcuts are created, including pinning to Taskbar and Start Menu.

    7. Applications can be placed in Maintenance Mode. Edit an Application, and find the Maintenance Mode setting on the Options tab.
    8. This causes the icon to change, and a maintenance message to be displayed to the user.

    9. The Applications node has a Start Menu View tab on the right.
  7. For the¬†Printers Action, in the ribbon, there’s a Import Network Print Server button.

  8. For the Registry Entries Action, in the ribbon, there’s an¬†Import Registry File button.

    • If Registry Actions are not applying, delete¬†HKEY_CURRENT_USER\Software\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\. (Source = Registry Entries not applied to users at Citrix Discussions)
  9. For File System Operations, each Action has an Options tab that lets you set the Type of Action.
  10. For File Associations, “Command” is just the parameters without the executable.
  11. CTP James Kindon at File Type Association with WEM and SetUserFTA¬†explains how to use WEM to run¬†Christoph Kolbicz’s¬†SetUserFTA utility to reliably set file type associations on Windows 2012 and newer.
  12. For variables that can be used in the Actions configurations, see CTP James Kindon WEM Variables, Dynamic Tokens, Hashtags and Strings.
  13. The WEM Cloud Service has native support for importing group policies and converting them to WEM Actions and other WEM configurations. See CTP James Kindon Migrating GPO settings to WEM.
  14. WEM 1906 and newer let you combine multiple Actions into an Action Group. Then you can later assign the entire Action Group to a user.

    1. Create an Action Group and name it.
    2. Double-click the Action Group to show the actions on the bottom.
    3. On the bottom, move Actions from the Available box to the Configured box.
    4. For more info, see Action Groups at Citrix Docs.

Create Conditions and Rules

  1. Once the Actions and Action Groups are created, you then need to decide under what conditions the Actions are performed. Go to the Filters workspace (bottom left).
  2. On the top left, switch to the Conditions node.
  3. In the right pane, create Conditions. One or more Conditions are later combined into a Rule.
  4. One of the interesting Conditions is User SBC Resource Type, which lets you run Actions for either Published Desktop or Published Application.

  5. CTP James Kindon at WEM filter conditions on OU and IP Address at Citrix Discussions says that the Active Directory Path Match condition requires a * at the end of the path.
  6. Then switch to the Rules node (top left) and create Rules in the right pane.
  7. If you add (by clicking the right arrow)¬†multiple Conditions to a Rule, all (AND) Conditions must match. There doesn’t appear to be an OR option. The Rules are used later when assigning an Action to a user group.

Add AD Groups to WEM Console

  1. Go to the Active Directory Objects workspace (bottom left).
  2. With the Users node selected on the top left, in the right pane, add groups and/or users that will receive the Action assignments.

Assign Actions to User Groups

  1. Go to the Assignments workspace (bottom left) > Action Assignment node (top left).
  2. In the right pane, initially the bottom half is empty. Double-click a group to show the Actions that are available for assignment. WEM 1808 and newer has a built-in Everyone group.
  3. Move an available Action or Action Group from the left to the right. This assigns the Action (or Action Group) to the user group.
  4. You will be prompted to select a Filter, which contains one or more Conditions.
  5. When you move a Network Drive to the right, you’re prompted to select a drive letter.

    • The list of drive letters is restricted based on the configuration at¬†Advanced Settings¬†workspace (bottom left) > Configuration¬†node (top left) > Console Settings¬†tab (right pane).
  6. Back in the Assignments workspace, on the right, some Actions have additional options that you can right-click. For example, you can create shortcuts on the desktop.

Actions Troubleshooting

WEM caches Actions executions under HKEY_CURRENT_USER\SOFTWARE\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\Tasks Exec Cache. Sometimes clearing these keys and values will fix Actions not applying.

CTP James Kindon at Selective Deletion of the WEM Actions Tracking Cache wrote a PowerShell script to selectively clear these registry keys and values.

Modeling Wizard

  1. In the Assignments workspace, you can use the Modeling Wizard node (top left) to see what Actions apply to a particular user.

Client Side Tools

CTP James Kindon describes the WEM Client Side Tools including: Log Parser, Resultant Actions Viewer, VUEMAppCMD, Manage Printers, Manage Applications, and Help Desk Tools.


In WEM 4.1 and newer, you can enable Transformer, which puts the WEM Agent in Kiosk mode. Users can only launch icons (e.g. Citrix icons). Everything else is hidden. This is an alternative to Receiver Desktop Lock. The Transformer interface is customizable. Note: desktops currently will not auto-launch from Transformer.

  1. In the WEM Console, there’s a¬†Transformer Settings workspace (bottom left) with two nodes on the top left:¬†General and¬†Advanced.
  2. Enable Transformer, and point it to your StoreFront URL. Note, this applies to all users and all agents in this WEM configuration set. You should probably have a new Configuration Set just for Kiosk devices.
  3. Other settings on the General Settings tab let you customize the appearance, and specify an unlock password. You probably want to disable the Clock. The Navigation Buttons are browser navigation.
  4. Transformer can be unlocked by pressing Ctrl+Alt+U and entering the unlock password.
  5. On the Site Settings tab, you can add website URLs that can be launched from within Transformer.
  6. At the top of the Transformer window is a Sites icon that lets you go to the sites listed in the WEM Console.
  7. The Advanced node lets you configure Transformer to launch a process other than a browser.
  8. The Advanced & Administration Settings tab lets you hide features from Transformer.
  9. To prevent users from accessing the local system, consider checking Hide Taskbar & Start Button.
  10. You probably want Log Off Screen Redirection to redirect users to the logon page when StoreFront logs off.
  11. The Logon/Logoff & Power Settings tab lets you configure the WEM Agent to autologon as a specific account. Transformer then displays the StoreFront webpage where the user enters his or her credentials.

484 thoughts on “Workspace Environment Management (WEM) 2103”

  1. So, I seem to have WEM installed and it appears to be working. However, it seems once WEM was installed and configured my Microsoft GPO seem like they are not getting applied any longer. Even adding Citrix Admins to the local Administrators group is not working. Any ideas?

  2. Hello Carl,
    I am a bit confused on a couple of things. I made a presistent D drive for my PVS write cache. Intialized it in windows and it’s in my vdas now. I use the stream wizard to build new machines or servers. My question is do I have to go to every vda to install the WEM agent on the D drive? Or can I still put the vdisk in maintenance mode and do it that way on the D drive?
    Being the D drive are presistent accross all vdas, I don’t know which option is correct?

  3. You are not registered as a Workspace Environment Management administrator. Therefore you are not allowed to access the service. Please contact your Workspace
    Environment Management administrator to gain access

    1. When it was installed a group needed to be added to administer the console. You are probably not in that group.

  4. After upgrading the WEM server to 4.3 the “Norskale Infrastructure Service” on the server isworking well, but randomly stopping. It can manually always be restarted without any problem, but after a while it is again in the “stopped” state. This has never been an issue before 4.3 Anyone experiencing the same issue andhaving a solution?

      1. Thank you, can you post a link?
        And did they find any solution other than always manually starting the service again?

  5. Hello and thanks for a great article!
    I have updated to 4.3 today and the console and database works great, but when I try to start the agent on my XenApp servern I get
    “Unhandled Exception
    CLS Terminating = True
    Message: Could not load file or assembly “Norskale.Vuem.Agent. Controllers, Version=, Culture=neutral…..” and more

    Any idea what that could be? The server is restarted after upgrade

    1. Update: After a total new installation that error disappeared but now I gets that the agent cant start and in event viewer:
      “Service appears to be Offline and no valid local cache found!”

      1. SOLVED! It was a time difference between the infrastructure server and the machine with the agent, for 8 minutes, of some strange reason. Changed that and then everything works as expected ūüôā

      2. Hi Kent, I got the same issue. It seems to be a failure in the install routine. In most installations a file called ‘Norskale.Vuem.Agent.Controllers’ is missing. You should uninstall the agent and reinstall version 4.2. It runs with 4.3 controllers.

  6. Hello Carl,
    If read through this and u stated Wem doesn’t replace upm. But it look like wem 4.3 can do everything the upm does. I am setting this up from scratch for a new customer. Everything is fresh, can I use wem 4.3 to do all the upm setting without doing a admx like we used to? Meaning control all upm from wem side?

    1. You can use WEM to configure UPM, but it doesn’t replace UPM. What it replaces is the group policy settings for UPM.

      1. What do u mean it doesn’t replace upm? Do u mean the upm can be controlled by wem and or GPO? If you do it by wem only do you still need to import the admx file? Meaning does wem need the admx file only for upm.

        1. I think ur saying it’s not a official replacement but u can use wem instead of GPO? Meaning I don’t need the admx file because I will be using the alternative method with wem. Is this what u mean.

          Sorry for all the questions

        2. UPM is a service. It’s controlled through policies. The UPM service is doing all of the work, no matter how you configure it.

          Other UEM products have their own profile handling (backup/restore) capabilities. WEM does not.

  7. hello carl, still the problem with 4.3 agent , Broker Server name or Broker Port Error, no agent is showing up in the console. any ideas?

  8. At the Broker Service Configuration I had to type SQLServer\SQLInstance (with the backslash in it) . Only typing the SQL Server like in your documentation fails in my test lab.

    1. If you are using named instances, then you definitely need to use this format. My home lab uses the default SQL instance.

  9. So lets say you use Domain Users as your configured user, and assign it two environment variables:
    EnvVar = \\FileServer1\Stuff
    Filter: Active Directory Group match: UserGroup1
    EnvVar = \\FileServer2\OtherStuff
    Filter: Active Directory Group match: UserGroup2

    If I sign in as JoeShopfloor, who is a member of Domain Users, UserGroup1 AND UserGroup2, will my EnvVar point at “\\FileServer1\Stuff” or at “\\FileServer2\OtherStuff”?

    Mostly I’m trying to figure out if we can implement item level targeting for Windows Folder Redirection settings in WEM, since it appears that it only allows you to configure it at the site level (really??)

  10. Hi Carl,
    we are using VEEAM for years already and now want to upgrade to 4.3. Do you know if the new Agent works with the old Broker 3.5, sow we can pre-deploy the agent to all our clients?

      1. i added the server und active directory and objects, but still get this error:

        AgentLocalCacheSync.() : Local Agent cache synchronization error occured, please Check debug log for more details

  11. I am unable to get the Agent to check in with the Broker Server. WEM 4.3 installed. When I try to manually update the agentcache it gives me “Broker Server Name or Broker Port Error”. I have the machine with the agent installed added to the Machines under Active Directory Objects. Any ideas where I might be going wrong?

  12. hello carl, after upgrading to 4.3 our agents cannot connect any more to the server. i got the following error Agent ‘ATDOXAPVS001’ is not bound to any configuration set! any ideas? kind regards

      1. can i add the ou where the xa Server are located? or does it `need to be the object like the Servers himself?

        1. You can add an OU. But sub-OUs don’t work. So the objects need to be direct members of the OU.

    1. Have you load the updated ADM Template? Make sure you point the agents to the correct Broker Server. WEM 4.3 is different from 4.2.

  13. Hi guys

    Somehow I can’t connect to the infrastructure server anymore by console.
    I receive the following error: Error while connecting to the specified Infrastructure Server
    In the console trace I can see this:
    System.ArgumentException : Value was invalid. Parameter name: sddlForm

    Did anybody face the same problem?


    1. Opened a ticket. Here is the fix if anyone else comes across the issue.

      Run the following query on the VUEM database:
      SELECT * FROM VUEMUsers WHERE Name=’\’
      This will return the user statistic recording with the corrupt SID. Once you have identified the recording, you will need to run the following requests to delete it:
      DELETE FROM VUEMUserStatistics WHERE UserId=’X’

      Where X is the UserId of the recording with the corrupted SID.
      Problem Cause
      A corrupt SID recording in the Name column of the VUEMUsers table in the database. When attempting to read the user statistics, the console cannot translate the corrupted SID and thus errors out.
      Additional Resources
      One of the potential causes of the corrupt SID recording is a malfunctioning Netlogon service on a server which is mistakenly identified as having opened a session with an SID of \. If the issue re-occurs, compare the LastAgentId of the corrupt SID user record with the VUEMAgents table to determine which server the recording is coming from, then restart the Netlogon service there.

      1. The above SQL query did not work for me. I had to use SELECT * FROM VUEMUsers WHERE Name NOT LIKE ‘S-1-5-21%’ and then delete the resulting user statistics and users as specified.

    2. I didn’t run a trace, but I got the “Error while connecting to the specified Infrastructure Server” error when time was off by over five minutes on one of my VMs in a test environment.

  14. Hi Carl

    very great article. I have one question: Does the WEM Transformer support pass-through authentication to virtual desktop or apps ?


  15. Hi Carl,

    Great article, thanks! I have a strange issue with the WEM integrated Citrix Profile Management settings. When I configure the user store path with \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER! it creates a folder named #SAMAccountName#. Same with %USERPROFILE%. It looks like it doesn’t translate it correct to the name of the user. What am I doing wrong?

    1. I found out that it has something to do with NTFS rights. With Everyone ‘Full Control’ (PoC environment) usernames folders are created the way they should. So %USERNAME% (typo in my first post) is now the (user) name of the user.

  16. Hello! We are currently testing Citrix WEM. But we are having some challenges regarding site change.
    We added ADM, and set SITE. Even though we change in GPO, the VM connect to our template SITE (we created this earlier)

    It updates and show the correct SITE in registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale\Agent Host – but still reads the config from template site. How can we force a SITE change?

    Thanks in advance
    José Daniel

    1. In WEM Console > Administration > Agents, if you right-click the agent and use the Refresh options, does that help?

  17. Hi Carl.

    I’m using 4.2 version and the logon freezes for 5 minutes when I use UI Agent style.
    After 5 minutes everything works well.
    If I change to CMD Agent style, the session doesn’t freeze, but the command prompt takes 5 minutes to close with the message “Processing filters conditions…”
    I’ve already tested versions 4.1 and 4.2, all of them with the same behavior.
    How can I solve this problem?


  18. Hello Carl, i have an issue at the momment hope you can help to fix it.
    te Problem is event log i see this error
    Event ID: 0 VuemAgentServiceConfigurationHelper.TryUpdateAgentRegistration (): The creator of this error has not specified any reason.
    i try finx or find reason but no succes
    so now i am deinstaled and new installed have a new error now
    event id 0 sourche Norskale Agent Service & The creator of this error has not given any reason.
    so i dont know realy what is wrong!!
    by Administration Console under i cant see also my new “xa”
    and no error can help me about it what can be reasonor how can i get it fix work again?

    i am user Server 2012r2, xendesktip 7.6 CU3
    PS before work fine it, this issue happen after i am deleted Machine catalog and create new Worker
    hope did you can help me!!

  19. On some VMs i get this state, and WEM will not execute every rule/action. This is on non-presistant VDIs with presistant cache disk. Anyone have a clue?

    Im not sure if this has anything to do with it. But i get this in the Citrix WEM agent text file.

    Event -> MainController.SwitchToMainLog() : Detected Agent Connection State -> Offline

    And if i restart the norskale agent service it gets back to Online and if i then refresh alle the rules get applied.

  20. Hi everyone,
    What’s the best practice for versioning with WEM?
    Looking at replacing AppSense with WEM and trying to find out the best way to handle versioning in regards to testing changes, etc


    1. You could create a different Site or Configuration Set (WEM 4.3) for testing then configure the agent to connect to it. You then can test your changes.

  21. New to WEM. Do you have the ability to Nest Sites? If so I havent found a way to do that. Specifically create a main site with items that affect the whole org, then create child sites that have specific settings in that?

  22. Great article. I have an issue. The SQL server is listening on a different port than 1433. Is there any way to pass the specific port on the database creation wizard? I have already tested Servername;port or Servername:port and Servername,port. The result is “Database creation error”. thanks.

    1. I have just tested in 3 different environments, running 3 different versions, and it is “Servername,port”. read the log file that is created in C:\Program FIles\x86)\Norskale\Norskale Infrastructure SErvices\ called Citrix.WEM.Database.Creation….. This will tell you the exact error. Usually has to do with the DB’s being moved to a non-discovered location and the path of the ldf and mdf will need to be changed on the first tab to match the SQL paths.

  23. Hey Carl, I ran into something interesting today and was curious if you or anyone else had this issue. When working with WEM and assignments I noticed that only 3 of the 4 working set group found showed for my user in the Norskale Vuem Agent log. I also noticed that the working set group I was missing was having issues for some other users, but those users were in a nested group. I guess the question is there a limit to the number of Working Set groups that can be applied to an individual and is there an issue with WEM going through Nested groups for assignment. (Note: I’m not really a fan of the Nested group myself, I’m just trying to confirm that it’s a issue to try to enforce why we shouldn’t be using nested groups for this)

    1. The only limitation i have found tend to be AD issues. Mainly Kerberos ticket size. I have seen no issues with Nested groups or number of groups, unless AD has the issues already.

  24. Hi Carl

    What’s the difference between “Network Drives” and “Virtual Drives”? Of course some config settings more in the network drives. But when should I use one or the other?

        1. To add more color. the VHD files will be mapped to a drive letter. This is for a desktop OS and not very compatible with a system utilizing RDS since it would attempt to mount a VHD as a drive letter for the system but not have access, due to multi-user

  25. Since installing WEM in the environment on different servers both PVS and NonPVS images I am seeing a lot of BSOD referencing REGISTRY_FILTER_DRIVER_EXCEPTION (135)”upmjit.sys. It actually happened while on a support call with Citrix. I have a ticket open but I was speaking with a “XenApp” tech had heard of Workspace Environment Manager before but knew little to nothing about it and didn’t know who I should even speak with about it. Why am I paying thousands of dollars in support? Anyway…I have submitted the memory dumps and a scout report for Citrix to analyze and get back to me on…this should be interesting.

    1. Another issue I’m seeing is the CitrixProfileManager.exe is eating RAM like Pacman after getting a power pellet. Still no support from Citrix on these WEM issues. Does active write back cause the CPM.exe to eat RAM more than normal?

        1. I updated to XenApp LTSR CU3 about 2 weeks ago and installed UPM 5.6 on the Delivery Controllers since that what the documentation listed as LTSR compatible. Should I update profile management on the Delivery Controllers to 5.7? Is there a piece that needs updated on the Server VDA’s to fix the UserProfileManager.exe process?

          1. UPM goes on the VDAS. Yes, you can upgrade to 5.7 since it’s LTSR compatible.

          2. Is that separate than the User Profile Manager that gets installed when you install the VDA (C:\Program Files\Citrix\User Profile Manager) or does running the 5.7 installer update those files in that path?

          3. Alright thanks. I’ll submit that for a change next week and hopefully that fixes the UPM issue. Now on to the modified RAM issues with Citrix support…

            Again…thanks for everything. Your guidance is always greatly appreciated.

    2. Just had the exact same issue. With an adjustment in Workspace Manager => setting the Active Writeback to disabled, all servers started to bluescreen (upmjit.sys) in a matter of minutes. I’m upgrading now to latest UPM version and Workspace agent on the VDA host.

  26. Carl, I’m not sure if I have something configured wrong or what but it appears RAM optimizations aren’t working correctly. I’m on XenApp 7.6 LTSR CU3 and have WEM installed on 48 servers all running the same image. The policy kicks in correctly and takes the RAM back from the process but under the resource monitor it put’s it in the “Modified” section of RAM saying “Memory whose contents must be written to disk before it can be used for another purpose”. The “modified” RAM just keeps growing and never releases the RAM back to be used. Am I missing a setting somewhere? Thanks,

  27. Hi, does anyone know WEM support NetScaler GSLB for the broker services?
    How does it this solution support the active/active datacenter solutions?

    1. Assuming you’ve handled SQL, I don’t see why not. I assume each Broker instance shares the same SQL database.

  28. Can you elaborate on the host agent install on PVS. Could the service not be set to delayed start or am I not understanding the explanation?

    1. I created a startup script that restarts netlogon and the agent service then applied it to a gpo for the servers. Haven’t had any issues as of yet in my testing…but I could be off the mark on that one.

  29. Any chance you can shed some light on the login times under monitoring? What exactly does that measure? In my test environment it’s saying the login times are 1-3 seconds but in reality it’s about 10 seconds before the app is actually launched and usable in the client device. Is that simply meaduring login time to the server and not app launch time?

  30. Carl I could use a little help with the Citrix UPM vs the WEM settings. You say WEM doesn’t replace Citrix UPM but you use both? How exactly does that work? If I have Citrix policies configured in Studio and WEM policies configured for the same thing what happens? Or if there’s differences between the 2 which one wins? I’m guess I’m just confused as to which to use and why one over the other? Any clarification would be greatly appreciated.

    1. Most UEM products have Profile (Personalization) capabilities. WEM does not. So you need to deploy both.

      As for configuring UPM, you can use WEM to configure it. Or you can use more traditional GPO or Studio.

      1. So if I already have UPM setup in Studio and working fine I don’t need to worry about configuring WEM profile settings? If I want to use the WEM settings do I need to turn off the Studio policies? What personalization capabilities are you referring to? Is there a benefit to using UPM over WEM or WEM over UPM besides WEM looking pretty with nice buttons?

        As always, thanks for the help. I don’t know what the Citrix community would do without your guides.

        1. UEM products with Personalization are more capable than UPM. Most of them have a method of specifying specific folders/registry for each application and storing each application in a separate location. When the app is launched, the application’s settings are restored at that time. Check out AppSense, VMware UEM, RES, LiquidWare Labs ProfileUnity, etc.

          1. Ahh thanks. We currently don’t have any of that in place and don’t have any specific profile settings configured besides redirection and minor things. Do you have a preference on using the settings in WEM vs UPM?

          2. If you’re anti-GPO, then you can use WEM to configure it. WEM also has a handy profile cleanup tool if you used WEM to configure UPM.

  31. Is there any way of placing desktop icons of assigned applications in sub directories of the desktop/start menu and not directly on the desktop/start menu, so that we can group in categories?
    If all applications will be put directly on the desktop this will end up in a mess sooner or later.

    1. Yes, under actions, applications, there’s a tab called “Start menu view”, in there you can add subfolders for the startmenu, then by editing an application in the bottom you can select in which folder of the startmenu you want the app to be placed.

      1. Thank you Peter, that improves things for the start menu, but in most cases placing icons on the desktop in sub folders would be much more important. But there is no equivalent like “Desktop View” or something similar to the “Start Menu View”.
        Is there any way to get this done otherwise?

        1. You could always create shortcuts to the Start Menu Folders on the desktop to give the illusion of desktop folders, but not clutter with multiple icons. This way you still only have to change the shortcut in one location.

  32. Hi Carl, do you have details on configuring a WEM server to work across multiple domains? I’ve built a WEM server on domain A, with VM’s running on domain B. When a user logs in from domain A every thing works fine, however when a user logs in from domain B, a Norskale Agent Service event log error shows the following:

    Error while retrieving user directory services groups list check log for more details (some sids may not have been translated properly)

  33. I assume there no way to limit how much RAM a user can consume in a session? I can in AppSense Performance Manager but it has a bug where user’s process get permanent placed in Suspended Mode.

  34. Hey Carl do you know if there is a way to trigger the Memory Management outside the application? I’m not even sure this would be possible, but it would be interesting if the Norskale Agent could except command lines so I could do a custom Idle time cleanup on memory. Something like Norskale Agent.exe -MemoryManagement 5 which would then cause anything that has been idle for 5 minutes to be cleaned up. I was thinking I could put something in the external Tasks that on refresh would trigger this.

  35. I’m curious about the flexibly of the server specs. One server at 4vCPU and 8GB RAM will support 3000 users. We don’t have near the need to support that many users currently but we have a dual (active-active) datacenter setup so when we build a server on one side we build the same on the other. I really don’t need two 3000 user servers so can I just run 2vCPUs and 4GB RAM on each server behind the load balancer to equal out to the same thing or is the 4×8 the minimum supported?

    1. I don’t think 4-8 is a required minimum. Start with 2-4, watch performance, and increase if needed.

      1. Thank you. That’s my initial plan. I’ll update this if I see issues down the road. Great article…always helpful!

  36. In the steps above you call out License Server 11.14.1 or newer but the latest version I see is Is that just a type or am I missing something somewhere.

  37. Thanks for this great article! I have the problem, that the agent cache sync is not working. Synchronization state shows always an error. Running the agentcacheutility.exe doesn’t help. The logs don’t show anything interesting. How can I completly recreate the agent cache?

      1. In the WEM Console I have a red cross under synchronization state. When I run the agentcacheutility.exe I receive the following error: Local Agent cache synchronization occured, please Check debug log for more details. I checked the debug log but there is no further information about this problem.

        1. We’ve had the local change totally stuff itself, especially when moving between sites. We had to remove the agent via appwiz and the manually remove the local database, and then reinstall the agent.

        2. Hi Enrico, have you been able to resolve your “red cross” issue. I am experiencing the same issue and looking for a fix. Any updates on this post would be greatly appreciated.

  38. Hi,

    What is the process of upgrading from 4.1 to 4.2 please, I couldn’t see it in the above. The was a section about upgrading the database, but I’m sure there are other areas to upgrade.


    1. Every component is in-place upgrade using a standard install. It’s only the database that is separate. I’ll add a section to clarify.

  39. Hey Carl,

    Does the Transformer agent automatically launch a desktop when you configure it? We’re using WI 5.4 and when we connect to the same site in Internet Explorer, the single desktop launches fine. WEM on the other hand, when using the same site, looks like it ties to auto launch it (you see the spinning graphic for a few seconds) but nothing ever happens (the blue play graphic is shown). You can then click on it and see it launch without issue. It’s almost as if the IE frame it’s rendering is sort of incapable of handling the ICA download. Or maybe we’ve broken something.


    1. We’ve tried the site in both local intranet and trusted and still no dice via WEM, but fine via the full browser. This is 64-bit Windows 10 (1607).

        1. Citrix have confirm they will not release a private for this. They have asked us to submit a business case for a feature enhancement. On we go..

  40. One of Citrix related document mention that in case WEM on XenApp, DFSS or any other CPU optimization should be disabled. Any information on that with right approach? I our case I am trying to load WEM for Windows 2016 and this portion is unclear, if anything should be done prior WEM agent installation.

    Thank you in advance,

  41. Hi

    Xenapp 6.5 pvs targets are successful when refresh cache and brokername registration but not showing up in WEM console why

      1. Thought WEM was only for XenApp 7.9 (or 7.6) and higher?
        1 off the things that i faced was in the GPO settings, the field for brokername and site-name contained unwanted spaces, cleaing those, made the agents show up in my console.

      2. Got Fixed as we use F: for cache disk

        Have another query though,I have created multiple sites as per my WG but how to do I force site details to agents on their respective sited. Do I need to have a policy at each OU level with respective site names. Or can I edit the reg for site.

  42. I have been trying to make a silent install of the agent, but haven’t been able to find the correct parameters yet.
    I am also using the paramters suggested in this article:
    /v”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\””

    And if I add /? so the agent .exe file, it tells me a silent install need this paramters:
    /S /v/qn

    If I then try to install it with these paramters:
    /S /v/qn”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\””
    Then it installs silently, but it doesn’t add the AgentCacheAlternateLocation and AgentServiceUseNonPersistentCo… to the registry.

    I also tried with /S /qn /v”AgentCacheAlternateLocation=\”D:\WEMCache\” AgentServiceUseNonPersistentCompliantHistory=\”1\”” – but then it doesn’t make a silent install.

    Has anyone tried making a silent install?

    1. Hi Kim,

      The /v option tells the setup.exe to parse parameters to the Windows Installed (msiexec.exe). The parameter /QN is a Windows Installer parameter. So it has be come after the /v command, like this: Setup.exe /s /v‚ÄĚ/qn /norestart /l ‚Äú\C:\Logs\WEM.log\‚ÄĚ‚ÄĚ
      Please allow me to direct you to an article I wrote this week explaining this in more detail:



  43. We have checked the “Launch Agent for Admins” flag in the Main Configuration, but on some machines (not on all!) the settings for the one and the same admin user are not applied.

    Digging around we then found that the ClientResultantActionsViewer is showing no admin privileges for this admin user, even though the Windows User Manager is clearly stating that he IS domain admin.

    Then, as soon as we start the VUEMUIAgent.exe with administrative privileges from the context menu, suddenly the WEM settings get applied and also the ClientResultantActionsViewer us showing the admin privileges!

    And the strange thing is that on some identically deployed other machines in other subnets, everything is ok without explicitly running the applications with admin privileges.

    Anyone with some insights on this?

  44. Carl – awesome write up on this as usual! You mentioned 3000 users for a 4vCPU & 8 GB RAM server which I can see comes directly from the Citrix WEM administration guide. Do you have any guidance larger environments? Would you just add a 2nd server and load balance them? Or would you have to increase the size of the server? Both? Just curious your thoughts on this. Thanks!

    1. Hal Lange has done several large deployments. I think he said he’s seen 5,000 users on a single server. But yes, you can easily scale out by load balancing. Or you can make it more of a pod architecture.

      1. We spoke to Citrix about this specifically, and the advice was to throw more VMs at it and jam them it in front of a load balancer. It’s all stateless UDP so that’s pretty easy. You can scale the individual VMs further if you wish, but I’m always cautions about the number of vCPUs I allocate to a given VM.

  45. Great Stuff.
    Just facing 1 issue, when a user starts a published XenApp desktop (7.9), the sessions freezes completely, and will only unfreeze when I click “Refresh Workspace Agents” from the administration console. (then the icon in the taskbar pops-up and all works great)
    (using WEM 4.1)
    Any hints or clues?

  46. Anyone use WEM and UPM together? Im having this issue that WEM loads like after 2 minutes when logged on when UPM is enabled. When i disable the UPM service WEM agents start instant on logon.

        1. Yep. Citrix Discussions indicated there’s a private hotfix for WEM not launching immediately after login.

    1. Check:
      Bypass ie4uinit Check: by default, the Agent service will wait for ie4uinit to run before launching the Agent executable. This setting forces the Agent service to not wait for ie4uinit.

  47. I have an issue with creating application links. On my WEM administration server are not installed any apps (e.g. MS Office). That’s why I have to copy the whole path (e.g. of MS Word) from another server to the wizard. But this path is not available at the WEM server. As a result I can create the application but I don’t have an icon for it.

    1. You can easely start the WEM administration console from your VDI. Logon to you VDI with admin cred’s, and browse to the \\adminserver\c$ and launch the console there.

      1. you can also get to the applications by going to \\vda\c$\program files\… This will dynamically change to a local path but will give you icon and application

Leave a Reply