Current version is Workspace Environment Management 2206.
Known problems
- When VUEMRSAV.exe is used to display results on actions applied through an action group for the current user, the Applied Actions tab may display the wrong source of actions. [WEM – 20002]
System requirements
- Microsoft SQL Server 2012 or higher
- WEM requires sysadmin access to the SQL Server instance to create its database and read/write permission to the database to use it.
- During database creation, WEM creates an SQL login and then adds a database user mapping to that login. The user is automatically granted read/write access to the database. The SQL Server instance must be case-sensitive. Otherwise, the database creation or update will fail.
- In the case of a WEM database upgrade it is recommended to use a sysadmin user account.
- Microsoft Active Directory
- Workspace Environment Management requires read access to Active Directory in order to propagate configured settings to users.
- External Trust is not supported by WEM. Instead, other trust types must be used, such as Forest Trust Relationships.
- WEM also does not support a One-Way Forest Trust between Active Directory forests.
- Citrix Workspace App for Windows
- To connect to Citrix StoreFront stores configured from WEM Administration Console, Citrix Workspace App for Windows must be installed on the Administration Console computer and on the target host machine. The following versions are supported:
- On the Administration Console machine:
- Citrix Receiver for Windows Version: 4.9 LTSR, 4.10, 4.10.1, 4.11 and 4.12
- Citrix Workspace App for Windows Version 1808 and higher
- On the target host machine:
- Citrix Receiver for Windows Version: 4.4 LTSR CU5, 4.7, 4.9, 4.9 LTSR CU1 and 4.10
- Citrix Workspace App for Windows Version 1808 and higher
- For Transformer Kiosk Mode, the Citrix Workspace App for Windows must be installed with single sign-on and configured for passthrough authentication.
- Operating System
- Windows 11 (32-Bit and 64-Bit)
- Windows 10 Version 1607 and newer (32-Bit and 64-Bit)
- Windows Server 2022 Standard and Datacenter Edition
- Windows Server 2019 Standard and Datacenter Edition
- Windows Server 2016 Standard and Datacenter Edition
- Windows Server 2012 R2 Standard and Datacenter Edition
Installation WEM Infrastructure
The following article is for WEM 2206, but can also be used for older versions.
WEM Caches
The WEM cache data is used to minimize load times and to provide WEM settings for the agent machines when the WEM broker is not available.
The WEM startup sequence, at computer boot and at session start, shows how the WEM cache data is used:
- When the machine boots up, the Norskale Agent Host Service retrieves and applies all WEM settings for the machine. WEM caches are used here because WEM needs to read and apply the settings very early in the startup process, even before access to the WEM broker is possible.
- When a user session logs in, the Norskale Agent Host Service is still used to apply user-specific WEM settings, and the WEM Agent’s local cache database (LocalAgentCache) can be used if the WEM Broker is not available or the administrator has configured WEM to always use the WEM Agent’s local cache.
- Also, when logging in to user sessions, the WEM User Agent reads and applies the assigned actions. Here there are two caches that help to optimize the logon. The first is the WEM Agent’s local cache database, the second is a registry-based cache (Assigned Actions & Printers) that keeps track of what settings have already been applied.
WEM processes a total of 4 cache types on the respective end device. The Assigned Actions & Printers cache is persistently stored in the profile and thus moves from machine to machine. The LocalAgentCache and LocalAgentDatabase cache should be moved to the WriteCache disk via registry key (AgentCacheAlternateLocation).
The fourth cache is the Profile Management & Microsoft USV cache. This is not stored persistently in the profile and cannot be moved to the WriteCache. This should be stored in the Golden Image so that it is already present at the system startup.
Cache name | Cache description | Purpose | Location on agent machine |
---|---|---|---|
Assigned Actions & Printers | HKCU | Prevents previously applied settings from being applied again. | Roaming profiles of the user (Microsoft or Citrix Profile Management) |
Profile Management & Microsoft USV | HKLM | Allows the Agent Host Service to read and apply UPM / USV settings at the beginning of the computer boot process. | System Registry (HKLM) |
LocalAgentCache | All WEM settings (Setting Database) | Contains all WEM user and machine settings of the assigned configuration set. | Database file on the local hard disk (Norskale Program Files Folder) |
LocalAgentDatabase | WEM CPU Intelligent Optimization (History Database) | Tracks WEM Intelligent Optimization history for each user per machine. | Database file on the local hard disk (Norskale Program Files Folder) |
The Assigned Actions & Printers cache is updated when the session is loaded or read from the LocalAgentCache database if the WEM Broker cannot be reached or if it is configured to always read from the LocalAgentCache.
The Profile Management & Microsoft USV cache is updated automatically at regular intervals or manually using the AgentCacheUtility on the agent machine. When the agent is right-clicked in the console and “Reset Profile Management Settings & Microsoft USV Settings” is selected, a request goes to the agent to refresh these caches.
The LocalAgentCache is also refreshed automatically at regular intervals or manually using the AgentCacheUtility on the agent machine. The Refresh Cache option in the WEM Administration Console sends an update instruction to the agent to refresh its own LocalAgentCache database.
Each WEM Agent has its own LocalAgentDatabase, since the Intelligent Optimization history is relevant only for this computer. The database is updated in real time during the user session, so it is always up to date and no console-side action is required to make the agent update it.
Ribbon
When the Administration Console is started, the main categories are grayed out if you have not yet connected to the Infrastructure Service. Clicking the Connect button opens the Server Connection window.
Enter the IP / hostname of the Infrastructure Server (in the picture localhost) and click on Connect. Leave the administration port on 8284.
After the successful connection, the main and subcategories are selectable. Furthermore, the ribbon has expanded to include the Configuration Set and Tools items.
Configuration Sets
A Configuration Set is a collection of WEM computer settings:
- System Optimization Settings (CPU, RAM, I/O)
- Environmental Settings
- Application Security (AppLocker)
- Roaming Profiles & Folder Redirection
But also the WEM user settings:
- Actions (Applications, Printers, External Tasks)
There are some scenarios where multiple Configuration Sets make sense for your environment:
- Different profile and USV requirements, e.g. configuration for multiple sites
- Connection test and productive environment for WEM settings
In the Configuration Set ribbon, you can switch between the created Configuration Sets via the drop-down menu. Create adds a new Configuration Set, Edit modifies an existing one and Delete removes one. If Delete is grayed out, there is only one Configuration Set and it cannot be deleted. The list can be refreshed via Refresh if a Configuration Set has been created in another Administration Console.
Tools
The Tools item allows you to create, restore and migrate backups of the settings.
Backup
The Backup button opens the Backup Wizard, where you can select which options you want to back up.
In the next window you can specify the destination folder for the backup, but not a name for the created backup.
- Actions
- Saves selected WEM Actions
- Each type of action is exported as a separate XML file.
- Settings
- Saves selected WEM settings
- Each type of setting is exported as a separate XML file.
- Security Settings
- Saves all settings that are present on the Security tab
- Each rule type is exported as a separate XML file
- The following items associated with a Configuration Set can be backed up:
- AppLocker Rule Settings
- Privilege Elevation Settings
- Active Directory (AD) objects
- Backs up the users, computers, groups and organizational units that WEM manages
- The Backup Wizard can be used to specify which type of Active Directory objects should be backed up
- There are two types of AD objects:
- Users
- Individual users and user groups
- Machines
- Individual machines, machine groups and OUs
- Configuration set
- Saves the selected WEM Configuration Sets
- Each type of Configuration Set is exported as a separate XML file
- Only the currently selected Configuration Set is saved
- The following items associated with a Configuration Set are backed up:
- Actions
- AppLockers, Privilege Elevation and Process Hierarchy Control
- Assignments (In the context of Actions and Action Groups)
- Filters
- Users
- Settings (WEM Settings)
- The following cannot be saved:
- AD objects related to the machines (individual machines, machine groups and OUs)
- Monitoring data (Statistics and Reports)
- Process Management
- Agents registered with the Configuration Set
Restore
The Restore button opens the Restore Wizard, where you can select which options you want to restore.
To do this, in the next window select the folder with the backups to be restored.
- Actions
- Restores all WEM Actions from the XML file
- Settings
- Restores all WEM settings from the XML file
- Security Settings
- Restores all existing settings on the Security tab
- The settings in the backup file replace the existing settings in the current Configuration Set
- When switching to or updating the Security tab, invalid Application Security Rules are detected (These rules are automatically deleted)
- The deleted rules are listed in a report that can be exported if required
- The Restore Wizard can be used to select what is to be restored:
- AppLocker Rule Settings
- Privilege Elevation Settings
- Overwrite Existing Settings
- Controls whether existing Privilege Elevation settings should be overwritten in case of conflicts
- In the Confirm Application Security Rule Assignment dialog box, select Yes or No to specify how the Restore Wizard should handle application security rule assignments:
- If Yes is selected, the Restore Wizard attempts to restore the rule assignments to users and user groups in the current site
- The new assignment is successful only if the backed up users or groups exist in the current site or AD
- Any unmatched rules are restored but remain unassigned and are listed in a report dialog that can be exported in CSV format
- If No is selected, all rules in the backup will be restored without assigning them to users or user groups in the site
- Active Directory (AD) objects
- Restores the backed up Active Directory objects to the existing site
- The Restore Wizard provides detailed control over the AD objects to be imported
- On the Select the AD objects you want to restore page you can specify which AD objects should be restored and whether existing WEM AD objects should be overwritten (Overwrite mode)
- If Overwrite mode is enabled, all existing AD objects will be deleted and only then will the restore process begin.
- Configuration set
- Restores the saved configuration set in WEM
- Only one configuration set can be restored at a time
- It may take some time for the WEM Administration Console to show the restored configuration set
- When a Configuration Set is restored, WEM automatically renames it to <Configuration Set Name>_1 if a Configuration Set with the same name already exists
Migrate
The Migrate button can be used to migrate a ZIP backup of Group Policy Objects (GPOs) to WEM. Only GPO settings that WEM supports can be migrated.
In the Group Policy Management Console, a backup of the GPOs can be created via Back Up. The backup must then be compressed into a ZIP file.
- Overwrite
- Overwrites existing WEM settings (GPOs) if there are conflicts
- Convert
- Converts the GPOs into XML files suitable for import into WEM
- Select this option if you want to precisely control the settings that will be imported
- After successful conversion, use the Restore Wizard to import the XML files manually
The main categories
- Actions
- Configure applications, registry entries, printers etc.
- Filters
- Filter actions based on rules and conditions
- Assignments
- Assignment of created actions to configured users via previously configured filters
- System Optimization
- Configure fast logoff, CPU, I/O and memory management
- Policies and Profiles
- Configure Universal Profile Management, Microsoft User State Virtualization and Environmental Settings
- Security
- Configure Application Security, Process Management and Privilege Elevation
- Active Directory Objects
- Import users, groups and computers from Active Directory
- Transformer Settings
- Configure the Transformer feature that converts any Windows PC into a high performance thin client using a fully reversible kiosk mode
- Advanced Settings
- Agent logging options, printer processing, network drive clean-up options etc.
- Administration
- Configure WEM administrators, manage agents etc.
- Monitoring
- Login, boot, user and device reports, as well as Profile Container Insights
Actions
With the sub-items in Actions different things can be assigned to the user.
Action Groups
The Action Groups feature lets you define a group of actions (Applications, Printers etc.), that you can assign to a user or user group in a single step.
The Action Group list displays your existing action groups.
With Add you define the new Action Group with a Name and Description. With Action Group State you can enable or disable the whole Action Group.
Existing action groups can be edited via Edit and deleted via Delete. With Copy existing Action Groups can be copied.
After creating the action groups, they must be selected by double-clicking on them. Afterwards, existing actions can be assigned in the Configuration area under Available.
Configured contains the actions that are already assigned to the created action group.
The same options as under Assignments (link location, drive letters, etc.) can also be configured for each action when it is added.
! Important !
- When an action group is assigned, all actions contained in it are assigned
- One or more actions can overlap in different action groups
- In case of overlapping action groups, the last processed group overwrites the previously processed groups (even if the later processed action group has an unassignable action).
- When using the Copy function, only the actions related to Network and Virtual Drives are cloned if the option Allow Drive Letter Reuse in assignment process is enabled.
To enable this option, go to the Advanced Settings > Configuration > Console Settings tab.
Group Policy Settings
Using the Group Policy Settings item, existing GPOs can be imported and converted into registry entries (HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER only) that can be assigned to individual users or user groups.
Under Enforce Group Policy Settings the function must be switched on (Enable Group Policy Settings Processing).
Via Import, existing backups of the GPO can be imported in zip format.
In the Import Group Policy Settings Wizard window, the file can be selected via Browse and the process started via Start Import.
The following screen shows which GPOs have been imported (here U_Workspace).
With Add a new Group Policy Object can be created. In the following wizard the Name and the Description are defined. Under Registry Operations the various registry changes can be entered.
Via Edit existing objects can be edited.
The following options are also available in the Group Policy Object Wizard. When changing existing Group Policy Objects, the following message appears initially. This can be switched off in the future via the checkbox.
Add creates a new registry key and Edit changes an existing one. For both, you can set different options under Registry Operations.
- Order
- Sets the processing order of the registry keys (the smallest number is processed first)
- Action
- Defines the action type
- Set value
- A value is defined for the defined registry key
- Delete value
- Deletes the value of the defined registry key
- Create key
- Creates the key defined by the Root Key and Subpath fields
- Delete key
- Deletes the defined (root key & subpath) registry key
- Delete all values
- Deletes all values under the defined registry key
- Root Key
- Defines the registry hive that is addressed. Possible values are HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE keys take effect when the Citrix WEM Agent Host Service is started
- HKEY_CURRENT_USER keys take effect at user login
- Subpath
- The full path of the registry key without the root key specified above
- Value
- Defines a name for the registry value.
- Type
- Defines the type for the Value. Possible variants are:
- REG_SZ
- REG_EXPAND_SZ
- An extensible data string that can contain a variable that is replaced by an application when called
- For example, for the %SystemRoot% variable, the actual location of the folder in the respective operating system is set
- REG_BINARY
- REG_DWORD
- REG_DWORD_LITTLE_ENDIAN
- A 32-bit number in little-endian format
- REG_QWORD
- REG_QWORD_LITTLE_ENDIAN
- A 64-bit number in little-endian format
- REG_MULTI_SZ
- Data
- Input of data corresponding to the Registry Value
- For different data types, different data is entered, in different formats
- For example, for REG_DWORD %SystemRoot% is replaced by the actual location of the folder in an operating system
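Because the Order field decides which Registry Operation wins, a later Delete key or a second Set value can silently undo an earlier entry in the same Group Policy Object. The following added example (not code from Citrix or from this article) replays a constructed list of operations and reports every Set value that does not survive. It assumes operations run strictly in ascending Order, that key and value names compare case-insensitively as in the Windows registry, and that Delete key also removes subkeys; the dictionary field names are hypothetical.

```python
ACTIONS = ("Set value", "Delete value", "Create key", "Delete key", "Delete all values")
ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")


def simulate(operations):
    """Replay Registry Operations; return (final keys, undone Set value pairs)."""
    keys = {}    # (root, subpath) -> {value name: (type, data, order that set it)}
    undone = []  # (order of the Set value that was undone, order of the later operation)
    for op in sorted(operations, key=lambda o: o["order"]):
        action, order = op["action"], op["order"]
        if action not in ACTIONS or op["root"] not in ROOTS:
            raise ValueError(f"operation {order}: unsupported action or root key")
        # Assumption: names are compared case-insensitively, so store them lowercased.
        key = (op["root"], op["subpath"].lower())
        if action == "Create key":
            keys.setdefault(key, {})
        elif action == "Set value":
            values = keys.setdefault(key, {})
            name = op["value"].lower()
            if name in values:
                undone.append((values[name][2], order))
            values[name] = (op["type"], op["data"], order)
        elif action == "Delete value":
            gone = keys.get(key, {}).pop(op["value"].lower(), None)
            if gone:
                undone.append((gone[2], order))
        else:
            # Delete all values empties one key; Delete key (assumed) also removes subkeys.
            prefix = key[1] + "\\"
            for k in list(keys):
                subkey = action == "Delete key" and k[0] == key[0] and k[1].startswith(prefix)
                if k == key or subkey:
                    undone += [(v[2], order) for v in keys[k].values()]
                    if action == "Delete key":
                        del keys[k]
                    else:
                        keys[k] = {}
    return keys, sorted(undone)


# Constructed sample operations, deliberately listed out of order.
HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
SAMPLE_OPS = [
    {"order": 3, "action": "Delete key", "root": HKCU, "subpath": r"Software\ExampleVendor"},
    {"order": 1, "action": "Set value", "root": HKCU, "subpath": r"Software\ExampleVendor\Viewer",
     "value": "Timeout", "type": "REG_DWORD", "data": 30},
    {"order": 2, "action": "Set value", "root": HKLM, "subpath": r"SOFTWARE\ExampleVendor",
     "value": "Mode", "type": "REG_SZ", "data": "kiosk"},
    {"order": 4, "action": "Set value", "root": HKCU, "subpath": r"Software\ExampleVendor\Viewer",
     "value": "Timeout", "type": "REG_DWORD", "data": 60},
    {"order": 5, "action": "Set value", "root": HKLM, "subpath": r"SOFTWARE\ExampleVendor",
     "value": "mode", "type": "REG_SZ", "data": "desktop"},
]

if __name__ == "__main__":
    final, undone = simulate(SAMPLE_OPS)
    for victim, later in undone:
        print(f"Set value at order {victim} is undone by the operation at order {later}")
    for (root, subpath), values in final.items():
        for name, (kind, data, order) in values.items():
            print(f"{root}\\{subpath}  {name} = {data!r} ({kind}, from order {order})")
```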
Applications
Applications is used to control the creation of shortcuts. The Application List displays the list of existing applications.
In the New Application window, accessible via Add, you can define the application type, which can be Installed application, File / Folder, URL or StoreFront store.
Existing applications can be edited via Edit and deleted via Delete.
StoreFront store is only visible under Application Type if a store has been defined via Advanced settings > Configuration > StoreFront.
Depending on the Application Type, the name, the path to the EXE / folder / file / URL or StoreFront store, the parameters and the path in the Start menu can be configured.
- Installed application
- Create shortcuts for locally installed application
- Command Line
- The path to the application executable file as it appears on the target system
- The Browse button can be used to navigate to a locally installed executable file
- Working Directory
- The working directory of the shortcut
- Automatically filled in when navigating to the executable file under Command Line via Browse
- Parameters
- Parameters for starting the application
- File / Folder
- Create shortcuts to a file or folder
- Target
- Path to the destination file or folder
- URL
- Create shortcuts to a URL
- Shortcut URL
- The URL to the target web page of the link
- StoreFront store
- Creates shortcuts to CVAD resources that are accessible via the StoreFront store, stored under Advanced settings > Configuration > StoreFront
- Store URL
- Selection of the stores stored under Advanced settings > Configuration > StoreFront
- Store Resource
- The respective store can be accessed via Browse
- To add a resource, the Receiver installed locally on the Administration Console machine must first be populated with valid Citrix credentials.
- Only then can WEM retrieve a list of published applications from the Receiver and display them in the Administration Console.
Under Start Menu Integration you can select where the created application will be placed in the start menu.
- Start Menu Integration
- Via Select path … the target of the application can be selected in the existing start menu tree
- By default, a new shortcut is created under Programs
- Start Menu Path Selection
- With a right-click, new folders can be created (Add), existing folders can be renamed (Rename) or deleted (Delete) in the Start menu
- Icon
- Under Icon File the icon file can be selected via Select Icon…
- Application State
- Here the application can be activated / deactivated
- If Disabled it will not be added to the user in the session, even if the object is assigned
- When Maintenance Mode is enabled, the icon is displayed normally to the user, but a warning icon appears within the icon and a warning message is displayed when the user tries to launch this application
- Display Name
- The name of the shortcut as it appears in the user’s environment is stored
- Hotkey
- Allows users to launch the application using the stored keyboard shortcuts
Advanced Settings controls how the application is displayed at startup, e.g. where the icon should be created on the desktop or whether it should be launched maximized / minimized.
- Self Healing
- By enabling Enable Automatic Self-Healing, the application’s shortcut will be recreated each time it is refreshed, even if it has been deleted or moved by the user
- Desktop Icon Location
- Via Enforce Icon Location the position of the icon on the desktop can be determined (The input of the position under X: and Y: is done in pixels)
- Windows Style
- This controls how the application is opened on the endpoint (Minimized, Windowed or Maximized)
- Self Service Display
- By default, applications are displayed in the WEM Self-Service menu of the agent
- However, this can be disabled by unchecking the box at Do Not Show in Self Services
- Favorites Folder Display
- Create Shortcut in User Favorites Folder creates a shortcut in the favorites folder for the application
Start Menu View displays the available applications as they would appear in the user's local Start menu if they were assigned.
Using the action menu at the bottom of the screen, you can refresh the list via Refresh or delete existing applications via Delete.
! Important !
This deletes not only the start menu entry, but directly the complete application!
Via Edit existing applications can be edited, as well as via the Application List.
Using Move, existing applications can be moved to a different location in the Start menu. This edits the entry Start Menu Integration in the specific application.
With a right-click, new folders can be created (Add), existing folders can be renamed (Rename) or deleted (Delete) in the Start menu.
By right-clicking in the Start Menu View, you can also execute these points directly on the respective application.
But if you right-click on an existing folder, you get the options Add Application…, to create an application like in the Application List, and Add Folder….
Add Folder… creates a new folder in the Start menu.
Printers
To add printers, you can either do so manually or simply connect to a Print Server using the Import Network Print Server wizard.
In the Import Wizard, the Print Server Name and Alternate Credentials can be specified. Alternate Credentials are required if the credentials currently used for the Administration Console are not sufficient for the print server.
Now you can select one or multiple printers and import them.
- Import Options
- Via Enable Imported Items the printer can be directly activated (Printer State) in the Network Printer List
- If Prefix Imported Items Names is checked, a prefix can be defined in the field next to it, which will be added to the imported printer
The Network Printer List can be refreshed via Refresh and individual selected objects can be deleted via Delete.
Via Add or Edit new printer objects can be created or edited. The following parameters are then available for selection.
- Name
- The display name of the printer as it appears in the Printer List
- Target Path
- The UNC path to the printer from the user’s point of view
- Printer State
- Status of the printer (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- External Credentials
- Enter alternative credentials with which to connect to the printer
- Otherwise the user credentials are used in the session
Additional settings can be defined on the Options tab.
- Self Healing
- If this is enabled, deleted printers are automatically recreated during a refresh
- Action Type
- With Map Network Printer only the previously specified parameters are used
- With Use Device Mapping Printers File the absolute path to the XML Printer List Configuration file (explained in detail in part 4 of the series) is specified as the target path
- The specified file is processed during each refresh.
Network Drives
Network Drives allows you to add network drives to the user environment.
In the New Network Drive window, accessible via Add, the network drive can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the network drive as it should appear in the Network Drive List
- Target Path
- The UNC path to the network drive from the user’s point of view
- Variables e.g. %username% can be specified
- Network Drive State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- External Credentials
- Here you can specify alternative credentials for the connection
Additional settings can be found on the Options tab.
- Display Name
- The network drive name for the explorer can be specified
- Variables can be used here too
- Self Healing
- If Enable Automatic Self-Healing is enabled, user-deleted drives are rebuilt on refresh.
- Home Drive Configuration
- When Set as Home Drive is enabled, the network drive is set as the user’s home drive
Virtual Drives
Virtual Drives are drives or MS-DOS device names that bind local file paths to a drive letter (no UNC paths!!!).
Via Add, new virtual drives can be defined and via Edit existing ones can be edited. With Delete, objects that are no longer needed can be deleted.
- Name
- The display name of the virtual drive as it should appear in the Virtual Drive List
- Target Path
- The path to the target on the target system
- Virtual Drive State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Home Drive Configuration
- When Set as Home Drive is enabled, the virtual drive is set as the user’s home drive
Registry Entries
Registry Entries allows you to customize the user’s registry. This can be done either manually or simply by using the wizard under Import Registry File.
In the Import from Registry File Wizard the registry file (.reg) can be selected via Browse…. After selecting it, the file must still be read via Scan.
Now one or more lines of the registry file can be selected and imported.
- Import Options
- Enable Imported Items activates the registry entries directly (Registry Value State) in the Registry Value List
- If Prefix Imported Items Names is checked, a prefix can be defined in the field next to it, which will be added to the imported registry entries (visible in the Registry Value List).
In the New Registry Value window, accessible via Add, the registry entry can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the registry entry as it appears in the Registry Value List
- Registry Value State
- Status of the Registry Entry (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Target Path
- The location in the registry where the Registry Entry should be created.
! Important !
Registry entries can only be created under HKEY_CURRENT_USER (therefore HKEY_CURRENT_USER does not need to be specified in the destination path).
- Target Name
- The name of the registry value as it appears in the registry
- Target Type
- The type of Registry Entry to be created. Possible types are:
- REG_DWORD
- REG_SZ
- REG_EXPAND_SZ
- An extensible data string that can contain a variable that is replaced by an application when called
- For example, for the %SystemRoot% variable, the actual location of the folder in the respective operating system is set
- REG_BINARY
- REG_MULTI_SZ
- Target Value
- The value of the created registry entry
- Run Once
- This causes this action to be performed only once
- By default, the key is recreated with each agent update
On the Options tab, it is possible to specify whether an existing key should be deleted, created or redefined.
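Before running a .reg file through the import wizard, it helps to see exactly which values it contains and which of them fit the Registry Entries action at all. The following added example (not code from Citrix or from this article) parses a constructed .reg file into Target Path, Target Name, Target Type and Target Value, and marks an entry as ineligible when it is not under HKEY_CURRENT_USER or its type is not among the Target Types listed above. Eligibility is judged only against those two statements on this page, not against the wizard's actual behaviour.

```python
import re

# Target Types the page lists for the Registry Entries action.
LISTED_TYPES = {"REG_DWORD", "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_MULTI_SZ"}
HKCU_NAMES = {"HKEY_CURRENT_USER", "HKCU"}
HEX_KINDS = {"": "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')
HEX_DATA = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _unescape(text):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', text)


def _decode(raw):
    """Return (type, value) for the right-hand side of a value line."""
    if raw == "-":
        return "DELETE", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_DATA.match(raw)
    if not m:
        return "UNKNOWN", raw
    kind = HEX_KINDS.get((m.group(1) or "").lower(), "UNKNOWN")
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == "REG_EXPAND_SZ":
        return kind, data.decode("utf-16-le").rstrip("\x00")
    if kind == "REG_MULTI_SZ":
        return kind, [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind == "REG_QWORD":
        return kind, int.from_bytes(data, "little")
    return kind, data


def _entry(hive, path, name, kind, value):
    reasons = []
    if hive.upper() not in HKCU_NAMES:
        reasons.append("not under HKEY_CURRENT_USER")
    if kind in ("DELETE", "DELETE_KEY"):
        reasons.append("deletion marker, not a value to create")
    elif kind not in LISTED_TYPES:
        reasons.append(f"{kind} is not a listed Target Type")
    return {"hive": hive, "target_path": path, "target_name": name, "target_type": kind,
            "target_value": value, "eligible": not reasons, "reasons": reasons}


def parse_reg(text):
    """Parse .reg text into one dictionary per value line or key deletion."""
    entries, hive, path = [], None, None
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join hex data continued with a trailing backslash
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive, _, path = key.lstrip("-").partition("\\")
            if key.startswith("-"):
                entries.append(_entry(hive, path, None, "DELETE_KEY", None))
            continue
        m = VALUE_LINE.match(line)
        if not m or hive is None:
            continue  # file header or a line this sketch does not understand
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        kind, value = _decode(m.group(3).strip())
        entries.append(_entry(hive, path, name, kind, value))
    return entries


# Constructed sample file; vendor name and values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample, not taken from the page
[HKEY_CURRENT_USER\Software\ExampleVendor\Viewer]
"Server"="\\\\files.example.test\\share"
"Timeout"=dword:0000001e
"CacheDir"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,76,00,\
  00,00
"Limit"=hex(b):00,10,00,00,00,00,00,00
"Legacy"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Viewer]
"Mode"="kiosk"
'''

if __name__ == "__main__":
    for e in parse_reg(SAMPLE_REG):
        status = "ok" if e["eligible"] else "skip: " + "; ".join(e["reasons"])
        print(f'{e["hive"]}\\{e["target_path"]}  {e["target_name"]} '
              f'[{e["target_type"]}] = {e["target_value"]!r}  -> {status}')
```

Files exported by regedit as Version 5.00 are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `parse_reg`.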
Environment Variables
This action can be used to add Environment Variables to the user environment.
In the New Environment Variable window, accessible via Add, the environment variable can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the environment variable as it should appear in the Environment Variable List
- Environment Variable State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Variable Name
- Definition of the functional name of the environment variable
- Variable Value
- The value of the environment variable
On the Options tab you can set the Action Type and the Execution Order.
- Action Type
- Only the displayed type can be selected; it sets or defines the environment variable.
- Execution Order
- Defines the priority of the individual Environment Variable. If a user is assigned several Environment Variables of the same type, this decides which one takes effect
Ports
Ports allows individual manual assignment of COM and LPT ports from the client to the target system.
! Important !
To make this work in the target system, the Citrix policy Client COM port redirection and/or Client LPT port redirection must also be enabled. By default these are not enabled.
In the New Port window, accessible via Add, the port assignment can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the port mapping as it should appear in the Ports List
- Port State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Port Name
- Definition of the functional name of the port on the Citrix Worker
- Port Target
- Target of the port mapping on the client (Here mapping of the Citrix Worker COM3 port to the COM3 port of the client)
Ini Files
Controls the creation or modification of Ini Files.
In the New Ini Files Operation window, accessible via Add, the Ini File Operation can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the ini file operation as it should appear in the ini file operations list
- .ini File Operation State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Target Path
- Definition of the target for the ini file operation (path from the point of view of the prospective user)
- Target Section
- Definition of the section in the previously defined INI file (Target Path) to be adjusted
- If the section does not exist, it will be created
- Target Value Name
- Specification of the name of the value in the previously defined section (Target Section)
- Target Value
- Specifying the actual value
- Run Once
- This causes this action to be performed only once. By default, this is done with every agent update.
Result INI file using the above example:
External Tasks
Controls the execution of External Tasks, e.g. running CMD / PS1 scripts or installing MSI packages.
In the New External Task window, accessible via Add, the External Task can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the External Task, how it should appear in the External Task List.
- Path
- Definition of the target, from the point of view of the target system for the External Task
- The target system must have the appropriate program to execute the External Task
- Example for PowerShell:
Either the path to the executable (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) or the path to the actual script directly; in the latter case the local file type association on the target system should match
- Arguments
- Allows the specification of start parameters or arguments
- PowerShell example:
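Script file, if it is not already specified in Path, plus any further parameters (-executionpolicy bypass -file C:\Script\Evergreen.ps1). -file must come last, because powershell.exe passes everything after the script path to the script as its arguments.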
- External Task State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Run Hidden
- Selected, the task runs in the background and is not displayed to users
- Run Once
- This causes this action to be performed only once. By default, this is done with every agent update.
- Execution Order
- Sets the order of execution for each task
- This option can be useful when users are assigned multiple tasks and some tasks depend on others to run successfully
- By default the value 0 is set
- Wait for Task Completion
- Here you can define how long the agent waits for the task to be completed
- Wait Timeout
- Defines the waiting time for the Wait for Task Completion option
- The default value for the waiting time is 30 seconds
On the Triggers tab you can define when the action should be executed.
- Refresh
- The External Task is executed when the WEM Agent is updated
- By default this option is enabled
- Reconnect
- The action is executed when a reconnect is performed
- By default this option is enabled
- If the WEM Agent is installed on a physical Windows device, this option cannot be used
- Logon
- The External Task is executed when the user logs in
- By default this option is enabled
- Logoff
- Controls whether the external task should be executed when users log off
- This option works only if the Citrix User Logon Service is running
- By default the option is not enabled
File System Operations
Here folders and files can be copied to the user’s environment and directories or symbolic links can be created.
In the New File System Operation window, accessible via Add, the file system operation can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the file system operation as it should appear in the File System Operations List.
- External Task State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- Source Path
- The path to the source file or folder to be copied
- Target Path
- The destination path for the source file or folder to be copied
- Overwrite Target if Existing
- Controls whether the file or folder operation is allowed to overwrite existing files or folders with the same name in the destination location
- If the option is disabled and a file or folder with the same name already exists in the destination location, the affected files will not be copied
- Run Once
- By default, Workspace Environment Management performs the File System operation each time the agent is updated
- If this option is selected, the operation is performed only once and not at each update
- This speeds up the agent update process, especially if users are assigned many file system operations.
! Important !
It should be noted that variables such as C:\Users\##Username## can be used, which will be expanded to the user name under which the WEM Agent is running. This can be useful when creating/copying files/folders into the user profile.
Various Action Types are available on the Options tab.
- Copy Files / Folders
- Files or folders are copied
- Delete Files / Folders
- Files or folders are deleted
- Rename Files / Folders
- Files or folders are renamed
- Create Directory Symbolic Link
- A symbolic link to a folder is created
- Create Directory
- An empty directory is created
- Copy Directory Content
- The contents of the directory will be copied without creating the parent folder structure.
- Delete Directory Content
- The contents of the directory are deleted, not the folder !
- Move Directory Content
- The contents of the directory will be moved, not copied !
Execution Order is used to specify the execution order of operations so that certain operations can be executed before others. Operations with an execution order value of 0 are executed first, then those with a value of 1, then those with a value of 2, and so on.
User DSN
Controls the creation of User DSNs (a DSN, or data source name, is a string that describes a connection to a data source such as SQL).
In the New User DSN window, accessible via Add, the database connection can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the User DSN as it should appear in the User DSN List.
- User DSN State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- DSN Name
- The function name of the database connection
- Driver
- The driver for the connection
- Only SQL Server can be selected
- Server Name
- The name of the destination server for the connection
- Database Name
- The name of the target database on the target server
Connect Using Specific Credentials can be used to specify credentials with which to connect to the server/database.
With Run Once, the user DSN is created only once and not every time the agent is updated. By default, the user DSN would be written every time the agent is updated.
File Associations
Controls the creation of File Associations in the user environment.
! Important !
Since Windows Server 2012, FTAs (File Type Associations) are stored only per machine; with this WEM feature they can be stored per user again.
In the New File Association window, accessible via Add, a new FTA can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the file association as it should appear in the file association list.
- File Association State
- Status of the object (Enabled / Disabled)
- If Disabled it will not be added to the user in the session, even if the object is assigned
- File Extension
- Defines the file extension to be used
- When a file extension is selected from the list, the ProgID field fills automatically (if the file type exists on the computer running Administration Console)
- The file extension can also be entered directly (For browser mappings this must be entered directly!)
- ProgID
- Defines the ProgID associated with the application
- This value is automatically filled in when a File Extension is selected from the list
- To find out the ProgID of an installed application, simply check the registry for the current assignment in a working system (here Microsoft Excel under file .xlsx, the ProgID [Excel.Sheet.12] can be found under Default)
Examples of required ProgIDs:
Program | ProgID |
---|---|
Microsoft Edge (Chromium Based) | MSEdgeHTM |
Google Chrome | ChromeHTML |
Mozilla Firefox | firefox |
Internet Explorer | IE |
Opera Browser | OperaStable |
Microsoft Edge | edge |
Acrobat Reader DC | AcroExch.Document |
Foxit PDF Reader | FoxitReader.Document |
Microsoft Word 2016 and newer | Word.Document.12 |
Microsoft Excel 2016 and newer | Excel.Sheet.12 |
Microsoft PowerPoint 2016 and newer | PowerPoint.Show.12 |
Microsoft Publisher 2016 and newer | Publisher.Document.16 |
Microsoft Visio 2016 and newer | Visio.Drawing.15 |
! Important !
If the ProgID is not known or not filled in, the Action, Target application and Command fields must be filled in manually.
- Action
- The action type is selected
- Possible values are open, edit or print
- Target application
- Specifies the executable file to be used with this file extension
- The full path of the executable file must be stored
- Command
- Definition of the command of the action type specified above
- Possible values are:
- "%1" -> Open
- /p "%1" -> Print
- Set as Default Action
- Sets the defined file association as default for the user
- Overwrite
- Defines whether the set file association is allowed to overwrite existing settings.
- Run Once
- Sets the setting only once
- Normally the setting is reset at each agent refresh
Filters
Filters contain Rules and Conditions (e.g. group membership or client IP address, etc.) that you can use to make actions available to users.
Conditions
Conditions are specific triggers that configure the circumstances under which the agent assigns a resource to a user. Various conditions must first be defined so that they can be used via rules.
In the New Filter Condition window, accessible via Add, a new filter condition can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the condition, how it should appear in the condition list
- Filter Condition State
- Status of the object (Enabled / Disabled)
- If disabled the condition is not selectable during rule creation
- Filter Condition Type
- Defines the type of filter
- Possible values are:
Filter Condition Type | Meaning |
---|---|
Active Directory Attribute Match | Applied when user has AD attributes as under Settings |
Active Directory Group Match | Used when user is a member of AD group under Settings (<Domain>\<Groupname>) |
Active Directory Path Match | Used if attribute is found under Settings in AD Path (e.g. OU=Users*) |
Active Directory Site Match | Applied when user or worker is member of AD site under Settings |
Always True | Is always applied |
Client IP Address Match | Applied when client IP is as under Settings |
Client OS | Will be applied if client OS is as under Settings |
Client Remote OS Match | Used when Worker OS is as under Settings |
ClientName Match | Will be applied if Client Name is as under Settings |
ComputerName Match | Applied when Worker Name is as under Settings |
Connection State | Applied when Connection State (Online or Offline) is as under Settings. |
DateTime Match | Will be applied if the date (e.g. 23/01/2022 or 23/01/2022-31/01/2022) under Settings is the current one |
Dynamic Value Match | Applied when Dynamic Value is present and the value is as under Settings |
Environment Variable Match | Applied when environment variable value is as under Settings |
File Version Match | Will be applied if specified file exists and version is as under Settings |
File/Folder does not exist | Will not be applied if the specified file or folder exists as under Settings |
File/Folder exists | Will be applied if the specified file or folder exists as under Settings |
IP Address Match | Will be applied if Worker IP is as under Settings |
Name is in List | Will be applied if the name is in the list as in Settings |
Name or Value is in List | Will be applied if the value is in the list as under Settings |
Name or Value is not in List | Is not applied if the value is in the list as under Settings |
Network Connection State | Will be applied if the Network Connection State is as under Settings |
No Active Directory Attribute Match | Not applied if user has AD attributes as under Settings |
No Active Directory Group Match | Not applied if user is member of AD group under Settings (<Domain>\<Groupname>) |
No Active Directory Path Match | Not applied if attribute can be found under Settings in AD Path (e.g. OU=Users*) |
No Active Directory Site Match | Not applied if user or worker is member of AD site under Settings |
No Client IP Address Match | Not applied if client IP is as under Settings |
No Client OS Match | Not applied if client OS is as under Settings |
No Client Remote OS Match | Will not be applied if Worker OS is as under Settings |
No ClientName Match | Not applied if client name is as under Settings |
No ComputerName Match | Will not be applied if Worker Name is as under Settings |
No DateTime Match | Will not be applied if the date (e.g. 23/01/2022 or 23/01/2022-31/01/2022) under Settings is the current one |
No Dynamic Value Match | Will not be applied if Dynamic Value is present and the value is as under Settings |
No Environment Variable Match | Not applied if environment variable value is as under Settings |
No File Version Match | Will not be applied if specified file exists and version is as under Settings |
No IP Address Match | Will not be applied if Worker IP is as under Settings |
No Registry Value Match | Not applied if System has configured the Registry Value under Settings (e.g. HKCU\Software\7-Zip\Path Value=C:) |
No User Country Match | Will be applied if ISO Language is configured under Settings (e.g. German = DE etc.) |
No User UI Language Match | Not applied if ISO UI Language is configured under Settings (e.g. German = de-DE etc.) |
No WMI Query Result Match | Not applied if WMI value is as under Settings |
No XenApp Farm Name Match | Not applied if XenApp Farm Name is as under Settings (Applies only up to XenApp 6.5) |
No XenApp Version Match | Will not be applied if CVAD version (e.g. 1912) is like under Settings |
No XenApp Farm Zone Name Match | Not applied if XenApp Zone Name is as under Settings (Applies only up to XenApp 6.5) |
No XenDesktop Desktop Group Name Match | Not applied if the worker belongs to a virtual desktop (not the Delivery Group name) defined in Settings. |
No XenDesktop Farm Name Match | Applied if XenDesktop Farm Name is as under Settings (Applies only up to XenDesktop 5) |
OS Platform Type | Applied if OS architecture (x64 or x86) is as under Settings |
Provisioning Services Image Mode | Applied when Image Mode is as under Settings |
Published Resource Name | Will be applied if the Published Resource Name is as under Settings. ! Important ! For a published app this is the browser name; for a published desktop it is the published name of the desktop |
Registry Value Match | Used when System has configured the Registry Value under Settings (e.g. HKCU\Software\7-Zip\Path Value=C:) |
Scheduling | Used when day of the week (e.g. Monday) is as in Settings. |
Transformer Mode State | Applied when Transformer Mode State is as under Settings |
User Country Match | Will be applied if ISO Language is configured under Settings (e.g. German = DE etc.) |
User SBC Resource Type | Applied when user context (pub. app or desktop) is as under Settings |
User UI Language Match | Will be applied if ISO UI Language is configured under Settings (e.g. German = de-DE etc.) |
WMI Query Result Match | Will be applied if WMI value is as under Settings |
XenApp Farm Name Match | Applied when XenApp Farm Name is as under Settings (Applies only up to XenApp 6.5) |
XenApp Version Match | Applied when CVAD version (e.g. 1912) is as under Settings |
XenApp Zone Name Match | Applied when XenApp Zone Name is as under Settings (Applies only up to XenApp 6.5) |
XenDesktop Desktop Group Name Match | Used when the worker belongs to a virtual desktop (not the Delivery Group name) that is defined under Settings |
XenDesktop Farm Name Match | Applied if XenDesktop Farm Name is as under Settings (Applies only up to XenDesktop 5) |
- Settings
- The values to be defined are stored there (via drop-down list or string input)
! Important !
If you don't want to store a static value in the string fields, you can simply enter a ?, which means that the value is not null. Furthermore, in the string queries, multiple values can be separated by ; (this is then an OR query).
Rules
Rules consist of several Conditions. The rules used determine when a user is assigned an action.
These conditions are AND statements, not OR statements. If multiple conditions are added, all must be met for the filter to be considered triggered.
In the New Filter Rule window, accessible via Add, a new rule can be defined.
Existing objects can be edited via Edit and deleted via Delete.
- Name
- The display name of the filter rule, how it should appear in the Filter Rule List
- Filter Rule State
- Status of the object (Enabled / Disabled)
- If disabled the rule will not be processed by the agent
- Filter Conditions
- Only conditions whose Filter Condition State is enabled are displayed
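The two evaluation rules described above (a Settings string with `;` is an OR over its values and `?` accepts any value that is set, while the conditions inside one rule are AND-ed) can be modelled in a few lines. This is an added example, not code from WEM or from the original page; the fact keys, the sample names, the case-insensitive exact comparison and the treatment of a "No ... Match" type as plain negation are assumptions.

```python
from dataclasses import dataclass
from typing import List, Mapping, Optional, Sequence, Tuple

Facts = Mapping[str, Optional[str]]  # session facts; key names are hypothetical


@dataclass(frozen=True)
class Condition:
    name: str             # display name of the condition
    fact: str             # which session fact is tested (hypothetical key)
    settings: str         # Settings string: "?", one value, or "a;b;c"
    negate: bool = False  # assumption: a "No ... Match" type negates the result

    def matches(self, facts: Facts) -> bool:
        actual = (facts.get(self.fact) or "").strip()
        if self.settings.strip() == "?":
            hit = actual != ""                 # "?": any value that is set
        else:
            wanted = {v.strip().casefold()
                      for v in self.settings.split(";") if v.strip()}
            hit = actual.casefold() in wanted  # ";": OR over the listed values
        return hit != self.negate


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Sequence[Condition]

    def explain(self, facts: Facts) -> List[Tuple[str, bool]]:
        """Per-condition result, for reviewing why a rule did or did not fire."""
        return [(c.name, c.matches(facts)) for c in self.conditions]

    def matches(self, facts: Facts) -> bool:
        # Conditions are AND-ed: every single one has to hit.
        return all(hit for _, hit in self.explain(facts))


# Constructed sample data, not taken from a real environment.
KIOSK = Condition("Kiosk clients", "client_name", "KIOSK-07;KIOSK-08")
HAS_DEPT = Condition("Department set", "env:DEPARTMENT", "?")
NOT_TEST = Condition("Not a test worker", "computer_name", "CTXTEST-01",
                     negate=True)
KIOSK_RULE = Rule("Kiosk with department", [KIOSK, HAS_DEPT, NOT_TEST])

SESSIONS = {
    "all conditions met": {"client_name": "kiosk-08",
                           "env:DEPARTMENT": "Sales",
                           "computer_name": "CTXW-012"},
    "department empty": {"client_name": "KIOSK-07",
                         "env:DEPARTMENT": "",
                         "computer_name": "CTXW-012"},
    "test worker": {"client_name": "KIOSK-07",
                    "env:DEPARTMENT": "Sales",
                    "computer_name": "CTXTEST-01"},
}

if __name__ == "__main__":
    for label, facts in SESSIONS.items():
        print(label, KIOSK_RULE.matches(facts), KIOSK_RULE.explain(facts))
```

Adding a value after a `;` widens the set of sessions that match, while adding a condition to a rule narrows it; `explain()` shows which condition blocked an assignment.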
Assignments
Assignments is used to make Actions available to your users. This way, e.g. parts of the user’s login scripts can be replaced.
Before you can assign actions to users, you must perform the following steps in the order given:
- Configure users or groups, see Users in Active Directory Objects
- Define conditions, see Conditions
- Define Filter Rules, see Rules
- Configure Actions, see Actions
Action Assignment
Users is your list of configured users and groups (from Active Directory Objects).
To simplify assigning actions to all Active Directory users, the usual approach is to assign the actions to groups (e.g. per department or specialist application).
If an Application or an Action Group, with an Application, is assigned via the Assigned list, the following options are available:
- Create Desktop
- Creates an icon on the user desktop
- Create Quick Launch
- Creates an icon in Quick Launch
- Create Start Menu
- Windows Server 2016 and newer / Windows 10: Creates the icon in the Start menu under the program folder set under Application itself
- Windows Server 2012 & 2012 R2 / Windows 7, 8 & 8.1: Creates the icon only in the Apps component of the Start menu
- Pin To TaskBar
- Creates and pins the shortcut to the taskbar
- For this to work, the application must also have the Create Start Menu option enabled
- Pin To Start Menu
- Windows Server 2016 and newer / Windows 10: Creates a shortcut on the right side of the user start menu
- Windows Server 2012 & 2012 R2 / Windows 7, 8 & 8.1: Does nothing !!!
- The Create Start Menu option must also be enabled, otherwise the application will not appear in the Start menu after updating the agent
- Auto Start
- Auto Start is set to Disabled by default
- If enabled, the application is started automatically when the user logs in
If drives (Network or Virtual) are assigned directly or via Action Group, the filter and drive letter can be defined.
Modeling Wizard
The Action Modeling Wizard displays the resulting actions for a specific user (does not work for groups).
- Actions Modeling Target User
- The account name of the user to be checked
- Resultant Actions
- The Actions / Action Groups assigned to the user or the groups he belongs to
- User Groups
- The groups to which the user belongs