WEM Administration Console Version 1906 – Part 2 (System Optimization, Policies & Profiles and Security)

This article has been updated for Workspace Environment Management version 1906.

About Citrix Workspace Environment Management Console Version 1906.0.1.1

Now I continue with the second part of the series about the WEM Administration Console. I give an insight into the menu items System Optimization, Policies & Profiles and Security.

System Optimization

These settings are designed to lower resource usage on the agent host machine. They help to ensure that freed-up resources are available for other applications, increasing user density by supporting more users on the same server hardware. The System Optimization settings are machine-based. 

When your virtual machines have different hardware configurations, consider creating multiple configuration sets for them, and configuring the system optimization settings differently for each configuration set. Machines can only belong to one configuration set.

WEM Administration Console - Part 2 (System Optimization, Policies & Profiles and Security)

All settings must be confirmed in the respective tab with Apply.

System Optimization

CPU Management

Processes can run across all cores and can use as much CPU as they want. In Workspace Environment Management, CPU Management allows you to limit how much CPU capacity individual processes can use.

CPU Management Settings

  • Enable CPU Spikes Protection
    • If a single process reaches a configurable threshold (CPU Usage Limit) for a certain time (Limit Sample Time), WEM automatically reduces the priority of the process for a defined time (Idle Priority Time).
    • If several individual processes together exceed the specified threshold, the CPU Spikes Protection will not be activated; it will only be activated if a single process instance exceeds the threshold.
    • CPU Spikes Protection is not designed to reduce overall CPU usage. It’s designed to reduce the impact on user experience by processes that consume an excessive percentage of CPU Usage.
    • Note that the process is not throttled, as in CPU Clamping; only its priority is reduced.
  • CPU Usage Limit (%)
    • Defines the percentage of CPU a process can use before its priority is lowered.
    • Some basic sizing guidance is to take 100%, divide it by the number of CPUs and subtract 1. This keeps a single-threaded process from saturating one CPU.

For Example:

CPU Usage Limit = ( 100% / <NumCPUs> ) – 1

For a 4 Core XenApp Server:
( 100% / 4 ) – 1 = 24%

For a 2 Core VDI Machine:
( 100% / 2 ) – 1 = 49%

  • Limit Sample Time (s)
    • Decides for how long (in seconds) a process can exceed the CPU Usage Limit before its priority is lowered; this is a less aggressive approach than CPU Clamping.
  • Idle Priority Time (s)
    • Defines the amount of time in seconds a process’s priority is degraded for before it returns to its previous priority.
System Optimization CPU Management CPU Management Settings
  • Limit CPU / Core usage
    • This setting allows you to limit the process to a certain amount of cores (number of logical processors in the VM, not in the underlying physical hardware) once it triggers CPU Spikes Protection by violating the CPU Usage Limit (%) value.
  • Enable Intelligent CPU Optimization
    • This setting makes processes a user launches in their session reactive by setting the process initially with a CPU Priority of High.
    • Whenever a specific process triggers Spike Protection, the event is recorded in the agent’s local database.
    • The agent records trigger events for each user separately. The more often a process triggers spike protection, the lower the priority the process is assigned at its next launch by the same user.

For Example:

The first time I launch Internet Explorer, WEM will give the process a priority of High to make the application responsive.

If Internet Explorer repeatedly triggers spikes protection, WEM will make the process run at the next lowest CPU Priority the next time it is launched, for example Above Normal.

If the process continues to trigger spikes protection, it will launch at the next lowest priority until it eventually is launching at the lowest (Low) priority.

Note that priorities for processes set under the CPU Priority tab override the Intelligent CPU Optimization feature.

  • Enable Intelligent IO Optimization
    • This works the same way as CPU Optimization but instead for I/O.
  • Exclude specified processes
    • Allows you to exclude specific processes from spike protection.
    • By default, CPU Management excludes most of the common Citrix and Windows core service processes. 
    • You could set antivirus processes to be excluded but give those processes an I/O priority of Low to prevent them consuming too much disk I/O. 
    • Enter a process name as it is found in Task Manager but without the extension for example “explorer” rather than “explorer.exe”.
    • If a process is clamped by spikes protection, an Event Log entry is generated under “Application and Service Logs / Norskale Agent Service” indicating the process that was affected.
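Two checks for the settings described above, written as an added PowerShell example (this is not code from the article or from Citrix): the first function applies the article’s sizing rule ( 100% / NumCPUs ) – 1 to the logical processor count the VM actually reports, the second lists recent entries from the agent’s event log. The log name “Norskale Agent Service” is assumed from the console path quoted above, and the keyword filter on “spike” is an assumption as well; verify both on an agent host before relying on them.

```powershell
# Added example, not from the article or Citrix. Run on a WEM agent host,
# or pass -LogicalProcessors to size a VM you are not logged on to.

function Get-WemCpuUsageLimit {
    # Default to the logical processor count visible inside the VM, which is what
    # the agent sees (not the cores of the underlying physical hardware).
    param(
        [int]$LogicalProcessors = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
    )
    if ($LogicalProcessors -lt 1) { throw 'LogicalProcessors must be at least 1' }
    # Article's rule of thumb: (100 / NumCPUs) - 1, e.g. 4 cores -> 24, 2 cores -> 49.
    [int][math]::Floor(100 / $LogicalProcessors) - 1
}

function Get-WemSpikeProtectionEvents {
    param([int]$Hours = 24)
    # Log name assumed from the console path "Application and Service Logs / Norskale Agent Service".
    # Confirm the exact name with: Get-WinEvent -ListLog *Norskale*
    $logName = 'Norskale Agent Service'
    $filter  = @{ LogName = $logName; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'spike' } |   # keyword filter is an assumption
        Select-Object TimeCreated, Id, Message
}

"Recommended CPU Usage Limit for this VM: $(Get-WemCpuUsageLimit)%"
Get-WemSpikeProtectionEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Comparing the processes named in the event entries against the Exclude specified processes list is a quick way to confirm that an exclusion (for example an antivirus engine) is actually taking effect.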

CPU Priority

On the CPU Priority tab, you can specify processes (by name) such as “explorer.exe” and assign a priority, which gives the process more or less CPU time. Giving a process Realtime priority is not recommended.

If you set a process such as “explorer.exe” with a priority of Normal, the process will begin with this priority set and it will never drop to a lower priority, however it can run at a higher priority.

System Optimization CPU Management CPU Priority

CPU Affinity

On the CPU Affinity tab you can set process affinity against processes. This determines how many CPU logical cores a process will use.

For example, configuring notepad.exe to use 2 cores, or configuring explorer.exe to use a single CPU core.

System Optimization CPU Management CPU Affinity

CPU Clamping

CPU Clamping prevents processes from using more than a configurable percentage of the CPU’s processing power. WEM throttles (or clamps) a process when it reaches the CPU % you set. This lets you prevent processes from consuming large amounts of CPU. CPU clamping is a brute-force approach which is computationally expensive.

To keep the CPU usage of a troublesome process artificially low, it is better to use CPU Spikes Protection, at the same time as assigning static CPU Priorities and CPU Affinities to such processes.

CPU Clamping is best reserved for controlling processes which are notoriously bad at resource management, but which cannot stand to be dropped in priority. The clamping percentage you configure is applied to the total power of any individual CPU in the server, not to any individual core it contains. (In other words, 10% on a quad-core CPU is 10% of the entire CPU, not 10% of one core).

When Workspace Environment Management is clamping a process, it adds the process to a watchlist that the WEM client initializes. You can verify that a process is clamped by viewing this watchlist.

System Optimization CPU Management CPU Clamping

Memory Management

If these settings are enabled, Workspace Environment Management calculates how much RAM a process is using, and the minimum amount of RAM a process needs, without losing stability. WEM considers the difference as excess RAM.

When the process becomes idle, usually when the application is minimized to the Task Bar, WEM releases the process’s excess RAM to the page file, and optimizes the process for subsequent launches. When applications are restored from the Task Bar, they initially run in their optimized state but can still go on to consume additional RAM as needed.

WEM optimizes all applications that a user is using during their desktop session in a similar way. If there are multiple processes over multiple user sessions, all RAM that is freed up is available for other processes. This increases user density by supporting a greater number of users on the same server.

System Optimization Memory Management

You can Enable Working Set Optimization (WSO) which withdraws excess memory from idle applications if they have not been used for a certain amount of time. You can exclude processes from being impacted by WSO. A default time of 120 minutes is set against Idle Sample Time (min) which enables WSO to calculate a process’s RAM usage and the least amount of RAM a process requires without losing stability.

An example of WSO in action is when a user opens Internet Explorer and browses a couple of websites. During this time, WSO calculates the amount of RAM used plus the least amount of RAM required. When the user is finished with Internet Explorer and when the Internet Explorer process percentage CPU drops to the value set for Idle State Limit (percent), WEM forces the process to release the excess RAM previously calculated. The RAM is released by writing it to the pagefile.

It is important that you do not set the Idle State Limit (percent) value too high, as you don’t want WEM to force the process to release RAM while the process is active. The default value is 1%, meaning that in the previous example, once Internet Explorer drops to 1%, its excess RAM is released. Citrix does not advise setting the value any higher than 5%.

There is also the decision on when to use Memory Management. In SBC environments, Working Set Optimization is an absolute no-brainer because we get more users on a server. VDI, on the other hand, poses a different set of considerations. Your users have dedicated virtual machines, and they have dedicated resources available to them.

There are many environments, particularly those running PVS, where the applications rarely need all the RAM that gets paged out, hence only the applicable parts of the application stay in RAM, and this is where working set optimization comes into its own and can be extremely beneficial. Ideally you would model WEM in a POC environment and monitor to optimize for your specific needs.

It is worth reducing the default Idle Sample time to something like 10 minutes (default is 30).

I/O Management

On the I/O Management module, you can set an I/O priority for processes. This could be useful if you want to throttle a disk heavy application. This feature works just like the CPU Priority feature, but for network and disk I/O.

Add a Process Name with an extension for example “explorer.exe” and set an I/O priority. The next time you restart that process, I/O priority will apply.

System Optimization I/O Management

Fast Logoff

On the Fast Logoff tab you can enable fast logoff. Fast Logoff logs a user off instantly and performs any additional logoff tasks in the background. This basically means the user is instantly disconnected and the logoff happens as normal behind the scenes. You can enable this and exclude specific groups from processing.

System Optimization Fast Logoff

Policies and Profiles

These settings allow you to replace user GPOs and configure user profiles, resulting in a faster login experience. 

Policies and Profiles

All settings must be confirmed in the respective tab with Apply.

Policies and Profiles Actions

Environmental Settings

These options modify the user’s Environmental Settings. Some of the options are processed at logon, while some others can be refreshed in session with the agent refresh feature.

Start Menu

These options modify the user’s Start Menu and user appearance.

  • Process Environmental Settings
    • This checkbox toggles whether or not the agent processes environmental settings. If it is cleared, no environmental settings are processed.
  • Exclude Administrators
    • If enabled, environmental settings are not processed for administrators, even if the agent is launched.
  • Hide Common Programs
    • Keeps the Start Menu free of default shortcuts from the All Users profile.
  • Force Logoff Button
    • Sets Logoff as the default action in the Shut Down menu.
  • Turn Off Notification Area Cleanup
    • The system notification area does not collapse notifications and shows them all.
  • Turn Off Personalized Menus
    • Disables Personalized Menus, which move recently used items to the top of the menu and hide items that were not used recently.
  • Clear Recent Programs List
    • Clears the history of recently opened documents on exit.

The other options hide or remove self-explanatory menu buttons from the Start Menu or Taskbar.

On operating systems other than Windows 7, the options under User Interface: Start Menu might not work, except Hide System Clock and Hide Turnoff Computer.

Policies and Profiles Environmental Settings Start Menu

User Interface: Appearance settings allow you to customize the user’s Windows theme and desktop. Paths to resources must be entered as they are accessed from the user’s environment.

Desktop

Policies and Profiles Environmental Settings Desktop

With User Interface: Desktop you control which desktop elements and properties are disabled by the agent (for all supported operating systems).

With User Interface: Edge UI you can disable aspects of the Windows 8.x Edge user interface.

Windows Explorer

Policies and Profiles Environmental Settings Windows Explorer

With User Interface: Explorer you control the access to different options of the Windows Explorer and prevent the access to regedit and cmd.

Be careful with the options Disable Silent Regedit and Disable Cmd Scripts: they also prevent logon scripts and registry hacks from running outside of WEM.

In Drives Restrictions you have two options with different results.

  • Hide Specified Drives
    • The listed drives are hidden from the user’s My Computer menu. They are still accessible if browsed to directly.
  • Restrict Specified Drives
    • The listed drives are blocked. Neither the user nor their applications can access them.

Control Panel

Policies and Profiles Environmental Settings Control Panel

The option Hide Control Panel is enabled by default to secure the user environment.

With Show only / Hide specified Control Panel Applets you define the Control Panel applets that are hidden from or shown to the user.

Additional applets are added using their canonical name.

Applet Name                           Canonical Name
Action Center                         Microsoft.ActionCenter
Administrative Tools                  Microsoft.AdministrativeTools
AutoPlay                              Microsoft.AutoPlay
Biometric Devices                     Microsoft.BiometricDevices
BitLocker Drive Encryption            Microsoft.BitLockerDriveEncryption
Color Management                      Microsoft.ColorManagement
Credential Manager                    Microsoft.CredentialManager
Date and Time                         Microsoft.DateAndTime
Default Programs                      Microsoft.DefaultPrograms
Device Manager                        Microsoft.DeviceManager
Devices and Printers                  Microsoft.DevicesAndPrinters
Display                               Microsoft.Display
Ease of Access Center                 Microsoft.EaseOfAccessCenter
Family Safety                         Microsoft.ParentalControls
File History                          Microsoft.FileHistory
Folder Options                        Microsoft.FolderOptions
Fonts                                 Microsoft.Fonts
HomeGroup                             Microsoft.HomeGroup
Indexing Options                      Microsoft.IndexingOptions
Infrared                              Microsoft.Infrared
Internet Options                      Microsoft.InternetOptions
iSCSI Initiator                       Microsoft.iSCSIInitiator
iSNS Server                           Microsoft.iSNSServer
Keyboard                              Microsoft.Keyboard
Language                              Microsoft.Language
Location Settings                     Microsoft.LocationSettings
Mail                                  Mail
Mouse                                 Microsoft.Mouse
MPIOConfiguration                     Microsoft.MPIOConfiguration
Network and Sharing Center            Microsoft.NetworkAndSharingCenter
Notification Area Icons               Microsoft.NotificationAreaIcons
Pen and Touch                         Microsoft.PenAndTouch
Personalization                       Microsoft.Personalization
Phone and Modem                       Microsoft.PhoneAndModem
Power Options                         Microsoft.PowerOptions
Programs and Features                 Microsoft.ProgramsAndFeatures
Recovery                              Microsoft.Recovery
Region                                Microsoft.RegionAndLanguage
RemoteApp and Desktop Connections     Microsoft.RemoteAppAndDesktopConnections
Sound                                 Microsoft.Sound
Speech Recognition                    Microsoft.SpeechRecognition
Storage Spaces                        Microsoft.StorageSpaces
Sync Center                           Microsoft.SyncCenter
System                                Microsoft.System
Tablet PC Settings                    Microsoft.TabletPCSettings
Taskbar and Navigation                Microsoft.Taskbar
Troubleshooting                       Microsoft.Troubleshooting
TSAppInstall                          Microsoft.TSAppInstall
User Accounts                         Microsoft.UserAccounts
Windows Anytime Upgrade               Microsoft.WindowsAnytimeUpgrade
Windows Defender                      Microsoft.WindowsDefender
Windows Firewall                      Microsoft.WindowsFirewall
Windows Mobility Center               Microsoft.MobilityCenter
Windows To Go                         Microsoft.PortableWorkspaceCreator
Windows Update                        Microsoft.WindowsUpdate
Work Folders                          Microsoft.WorkFolders
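A canonical name that is misspelt in the console silently hides or shows nothing, so it is worth checking the names against what the target image actually registers. The following PowerShell is an added example, not code from the article or from Citrix. It reads the canonical name from the System.ApplicationName value of each Control Panel item’s CLSID key, which is where Windows registers it, and compares a list of intended names against it; the misspelt sample name is constructed for the demonstration.

```powershell
# Added example, not from the article or Citrix. Run on a build of the image the
# WEM agent will manage, because the set of registered applets differs per OS.

function Get-InstalledControlPanelCanonicalNames {
    # Control Panel items are listed by CLSID under this NameSpace key; each CLSID
    # carries its canonical name in the System.ApplicationName value.
    $nsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
    Get-ChildItem -Path $nsKey -ErrorAction Stop | ForEach-Object {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)"
        $props = Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue
        if ($props -and $props.'System.ApplicationName') { $props.'System.ApplicationName' }
    } | Sort-Object -Unique
}

function Test-ControlPanelCanonicalNames {
    # Returns one row per intended name with an Installed flag, so typos and
    # applets absent from this OS version stand out before the list is deployed.
    param([Parameter(Mandatory)][string[]]$Name)
    $installed = @(Get-InstalledControlPanelCanonicalNames)
    foreach ($n in $Name) {
        [pscustomobject]@{
            CanonicalName = $n
            Installed     = ($installed -contains $n)   # -contains is case-insensitive
        }
    }
}

# First two names come from the table above; the third is a constructed misspelling.
Test-ControlPanelCanonicalNames -Name 'Microsoft.WindowsUpdate',
                                      'Microsoft.CredentialManager',
                                      'Microsoft.WindowsUpdat' |
    Format-Table -AutoSize
```

Running Get-InstalledControlPanelCanonicalNames on its own also gives you the full set of names available on that image, which is handy when an applet you want to hide is not in the table above.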

Known Folders Management

Policies and Profiles Environmental Settings Known Folders Management

Prevents the creation of the specified user profile known folders at profile creation.

SBC/HVD Tuning

Policies and Profiles Environmental Settings SBC / HVD Tuning

SBC/HVD Tuning allows you to optimise performance when using Session Hosts such as Virtual Apps shared desktops.

Some of the options are designed to increase performance; however, they may slightly degrade the user experience as a result.

Microsoft USV Settings

Microsoft USV Settings allow you to integrate WEM with Microsoft Roaming Profiles and Folder Redirection.

Roaming Profiles Configuration

Policies and Profiles Microsoft USV Settings Roaming Profiles Configuration

If the Process USV Configuration checkbox is cleared, no USV settings (Roaming Profile or Folder Redirection) are processed.

With the remaining settings you define your Roaming Profile and Home Drive.

Roaming Profiles Advanced Configuration

Policies and Profiles Microsoft USV Settings Roaming Profiles Advanced Configuration

If Enable Folder Exclusions is enabled, the listed folders are not included in a user’s roaming profile.

This allows you to exclude specific folders known to contain large amounts of data which the user does not need to have as part of their roaming profile.

The list is pre-populated with default Windows 7 exclusions, and can be pre-populated with default Windows XP exclusions instead.

The other checkbox options are self-explanatory.

Profile Cleansing

The Profile Cleansing button opens a wizard which allows you to clean up existing profiles according to the Folder Exclusion settings.

Folder Redirection

Policies and Profiles Microsoft USV Settings Folder Redirection

The Process Folder Redirection Configuration checkbox must be activated or the Agent will not process folder redirections.

Select the options for the individual folders here to control whether and where the user’s folders are redirected.

Policies and Profiles Microsoft USV Settings Folder Redirection Delete Local Redirected Folders

With Delete Local Redirected Folders enabled, the Agent will delete the local copies of the folders selected for redirection.

Citrix Profile Management Settings

Workspace Environment Management supports the features and operation of the version 1903 of Citrix Profile Management.

Main Citrix Profile Management Settings

Policies and Profiles Citrix Profile Management Settings Main Citrix Profile Management Settings

If you enable the checkbox Enable Profile Management Configuration the Profile Management settings are processed. The remaining checkboxes (Set path to user store, Enable active write back etc.) are set as with the other UPM settings.

Profile Handling

Policies and Profiles Citrix Profile Management Settings Profile Handling

These settings control Profile Management profile handling like Delete local cached profiles on logoff, Enable template profile etc.

Advanced Settings

Policies and Profiles Citrix Profile Management Settings Advanced Settings

These options control advanced UPM settings.

Since WEM version 1808 the UPM feature Enable search index roaming for Microsoft Outlook users is finally available. If enabled, the user-specific Microsoft Outlook offline folder file (*.ost) and Microsoft search database are roamed along with the user profile. This improves the user experience when searching mail in Microsoft Outlook.

Log Settings

Policies and Profiles Citrix Profile Management Settings Log Settings

These options control Profile Management logging.

Registry

Policies and Profiles Citrix Profile Management Settings Registry

These options control Profile Management registry settings.

If NTUSER.DAT Backup is selected, Profile Management maintains a last known good backup of the NTUSER.DAT file, and if it detects a corruption it uses the last known good backup copy to recover the profile.

Enable Default Exclusion List applies a default list of registry keys in the HKCU hive that are not synchronized to the user’s profile. If selected, the registry settings checked in this list are forcibly excluded from Profile Management profiles.

File System

File System Citrix Profile Management Settings

Enable Logon Exclusion Check configures what Profile Management does when a user logs on when a profile in the user store contains excluded files or folders. (If disabled, the default behavior is Synchronize excluded files or folders). You can select one of the following behaviors in the list:

  • Synchronize excluded files or folders (default)
    • Profile Management will synchronize these excluded files or folders from the user store to local profile when a user logs on.
  • Ignore excluded files or folders
    • Profile Management ignores the excluded files or folders in the user store when a user logs on.
  • Delete excluded files or folder
    • Profile Management deletes the excluded files or folders in the user store when a user logs on.

When Enable File / Folder Exclusion is active, the listed files and folders are not included in a user’s Profile Management profile. Paths on this list must be relative to the user profile.

Synchronisation

Synchronization Citrix Profile Management Settings

With Enable Directory / File Synchronization the listed folders and files are synchronized as part of the user profile. Paths on this list must be relative to the user profile. Wildcards can be used but are allowed only for file names. Wildcards cannot be nested and are applied recursively.

Activate Enable Folder Mirroring and the listed folders are mirrored to the profile store, ensuring users always get the most up-to-date versions of these folders. Mirroring folders allows Profile management to process a transactional folder and its contents as a single entity, avoiding profile bloat.

Be aware that in these situations “last write wins”, so files in mirrored folders that have been modified in more than one session are overwritten by the last update, resulting in loss of profile changes.

A new option since WEM 1808 is the UPM feature Large File Handling. Large files existing in a profile are a common reason for a slow logon or logoff. Citrix provides an option to redirect large files (as symbolic links) to the user store.

This option eliminates the need to synchronize those files over the network. You can use wildcards in policies that refer to files.

Example:

Make sure that these files are not added to the exclusion list from Citrix Profile Management. 

Some applications do not allow concurrent file access. Citrix recommends that you take application behavior into consideration when you define your large file handling policy.

Streamed User Profiles

Policies and Profiles Citrix Profile Management Settings Streamed User Profiles

With the Streamed User Profiles feature, files and folders contained in a profile are fetched from the user store to the local computer only when they are accessed by users after they have logged on.

Registry entries and any files in the pending area are fetched immediately.

Cross-Platform Settings

Policies and Profiles Citrix Profile Management Settings Cross-Platform Settings

This setting enables or disables the Cross-Platform Settings feature, which allows you to migrate users’ profiles and roam them when a user connects to the same application running on multiple operating systems.

  • Cross-platform settings in Profile Management work with a set of supported operating systems (OSs) and applications.
  • Configure this feature only in a production environment.
  • Microsoft Office settings do not roam between versions of that application.
  • This feature is suitable for registry and application settings.
  • It is not for files or folders, or objects typically used with folder redirection (for example, browser favorites, and desktop and Start menu settings).
  • If you use this feature to migrate user profiles between systems with different profile versions, disable it after the migration has been completed for all users.
  • There is some performance impact, primarily to logoffs, when using this feature. So it is best to leave it disabled unless you support roaming between profile versions.

VMware Persona Settings

Policies and Profiles VM Persona Settings

These settings control Workspace Environment Management’s integration with VMware View Persona Management. Please note that some options only work with specific versions of View Persona Management; please consult the relevant VMware documentation for detailed instructions.

These settings are no longer offered with the newer versions of WEM.

Security

These settings allow you to control the applications users are permitted to run by defining rules. This functionality is similar to Windows AppLocker.

When you use Workspace Environment Management to manage Windows AppLocker rules, the agent processes (converts) Application Security tab rules into Windows AppLocker rules on the agent host.

If you stop the agent processing rules, they are preserved in the configuration set and AppLocker continues running by using the last set of instructions processed by the agent.

Application Security

When you select the top-level item Application Security in the Security tab, the following options become available to enable or disable rule processing:

Security Application Security
  • Process Application Security Rules
    • When selected, the Application Security tab controls are enabled and the agent processes rules in the current configuration set, converting them into AppLocker rules on the agent host.
    • When not selected, the Application Security tab controls are disabled and the agent does not process rules into AppLocker rules. (In this case AppLocker rules are not updated and the last set of instructions processed by the agent remains active.)
    • This option is not available if the WEM administration console is installed on Windows 7 SP1 or Windows Server 2008 R2 SP1 (or earlier versions).
  • Process DLL Rules
    • When selected, the agent processes DLL rules in the current configuration set into AppLocker DLL rules on the agent host. This option is only available when you select Process Application Security Rules.
    • If you use DLL rules, you must create a DLL rule with “Allow” permission for each DLL that is used by all the allowed apps.
    • If you use DLL rules, users may experience a reduction in performance. This happens because AppLocker checks each DLL that an app loads before it is allowed to run.

Rule collections

Rules belong to AppLocker rule collections. Each collection name indicates how many rules it contains, for example Executable Rules (3). Click a collection name to filter the rule list to one of the following collections:

Security Rule Collections
  • Executable Rules
    • Rules which include files with the .exe and .com extensions that are associated with an application.
  • Windows Rules
    • Rules which include installer file formats (.msi, .msp, .mst) which control the installation of files on client computers and servers.
  • Script Rules
    • Rules which include files of the following formats: .ps1, .bat, .cmd, .vbs, .js.
  • Packaged Rules
    • Rules which include packaged apps, also known as Universal Windows apps. In packaged apps, all files within the app package share the same identity. Therefore, one rule can control the entire app. Workspace Environment Management supports only publisher rules for packaged apps.
  • DLL Rules
    • Rules which include files of the following formats: .dll, .ocx.
Security Rule Enforcement

When you filter the rule list to a collection, the Rule enforcement option is available to control how AppLocker enforces all rules in that collection on the agent host. The following rule enforcement values are possible:

  • Off (default)
    • Rules are created and set to off, which means they are not applied.
  • On
    • Rules are created and set to enforce, which means they are active on the agent host.
  • Audit
    • Rules are created and set to “audit,” which means they are on the agent host in an inactive state. Windows logs when things are started that would violate these rules were they enforced.
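Because the agent writes the console settings into the host’s AppLocker policy, the enforcement mode and the Audit results can be verified on the agent host itself rather than in the console. The following PowerShell is an added example, not code from the article or from Citrix. It reads the effective AppLocker policy and reports the mode of each rule collection (On shows as Enabled, Audit as AuditOnly), then pulls the Windows AppLocker events that record what would have been blocked in Audit mode or was blocked in On mode. The event log names and IDs are the standard Windows AppLocker ones; the lookback window is a parameter you choose.

```powershell
# Added example, not from the article or Citrix. Run on a WEM agent host with
# the AppLocker module available (Windows 7 / Server 2008 R2 and later).

function Get-EffectiveAppLockerEnforcement {
    # -Effective merges local and domain policy; -Xml returns the raw policy document.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $collection.Type              # Exe, Msi, Script, Appx, Dll
            EnforcementMode = $collection.EnforcementMode   # NotConfigured, AuditOnly, Enabled
            RuleCount       = @($collection.ChildNodes).Count
        }
    }
}

function Get-AppLockerEnforcementEvents {
    param([int]$Hours = 24)
    # Audit ("would have been blocked"): 8003 EXE/DLL, 8006 MSI/Script, 8021 packaged app.
    # Blocked:                            8004 EXE/DLL, 8007 MSI/Script, 8022 packaged app.
    $auditIds = 8003, 8006, 8021
    $blockIds = 8004, 8007, 8022
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script',
            'Microsoft-Windows-AppLocker/Packaged app-Execution'
    foreach ($log in $logs) {
        $filter = @{
            LogName   = $log
            Id        = $auditIds + $blockIds
            StartTime = (Get-Date).AddHours(-$Hours)
        }
        # SilentlyContinue: Get-WinEvent reports an error when a log has no matching events.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id,
                @{ n = 'Log';     e = { $log } },
                @{ n = 'Outcome'; e = { if ($_.Id -in $auditIds) { 'Audit: would be blocked' } else { 'Blocked' } } },
                Message
    }
}

Get-EffectiveAppLockerEnforcement | Format-Table -AutoSize
Get-AppLockerEnforcementEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Running a collection in Audit for a while and reviewing the 8003/8006/8021 events before switching it to On is the safest way to find the executables, scripts and DLLs your rule set does not yet allow, which matters most for the DLL collection given the per-DLL Allow rules it requires.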

At the bottom there are several actions available.

Security Default Rules
  • Edit
    • You can select one or more rules in the list. In the editor, select the rows containing the users and user groups you want to assign the rule to. You can also unassign the selected rules from everyone using Select All to clear all selections.
    • If you select multiple rules, any rule assignment changes for those rules are applied to all users and user groups you select. In other words, existing rule assignments are merged across those rules.
  • Add Default Rules
    • A set of AppLocker default rules are added to the list.
  • Delete
    • Select one or more rules in the list and delete them.

Process Management

Security Process Management

If you enable Process Management, you can whitelist or blacklist certain processes. You can exclude local administrators and/or specific groups from both white and blacklists. This option only works if the session agent is running in the user’s session. Because processes are matched by executable name only, this is a convenience control; where enforcement matters, rely on the Application Security (AppLocker) rules above.

Security Process Blacklist
  • Process Blacklist
    • You can add certain processes to the blacklist and they won’t be run. Processes must be added by executable name (for example, cmd.exe).
Security Process Whitelist
  • Process Whitelist
    • Processes must be added by executable name (for example, cmd.exe). If enabled, Enable Process Whitelist automatically blacklists all processes not in the whitelist.

Link to the other Parts