WEM Administration Console – Part 1 (Actions, Filters & Assignments)

Current version is Workspace Environment Management 2206.

Workspace Environment Management 2206

Known problems

  • When VUEMRSAV.exe is used to display results on actions applied through an action group for the current user, the Applied Actions tab may display the wrong source of actions. [WEM – 20002]

System requirements

  • Microsoft SQL Server 2012 or higher
    • WEM requires sysadmin access to the SQL Server instance to create its database and read/write permission to the database to use it.
    • During database creation, WEM creates an SQL login and then adds a database user mapping to that login. The user is automatically granted read/write access to the database. The SQL Server instance must be case-sensitive. Otherwise, the database creation or update will fail.
    • In the case of a WEM database upgrade it is recommended to use a sysadmin user account.
  • Microsoft Active Directory
    • Workspace Environment Management requires read access to Active Directory in order to propagate configured settings to users.
    • External Trust is not supported by WEM. Instead, other trust types must be used, such as Forest Trust Relationships.
    • WEM also does not support a One-Way Forest Trust between Active Directory forests.
  • Citrix Workspace App for Windows
    • To connect to Citrix StoreFront stores configured from WEM Administration Console, Citrix Workspace App for Windows must be installed on the Administration Console computer and on the target host machine. The following versions are supported:
      • On the Administration Console machine:
        • Citrix Receiver for Windows Version: 4.9 LTSR, 4.10, 4.10.1, 4.11 and 4.12
        • Citrix Workspace App for Windows Version 1808 and higher
      • On the target host machine:
        • Citrix Receiver for Windows Version: 4.4 LTSR CU5, 4.7, 4.9, 4.9 LTSR CU1 and 4.10
        • Citrix Workspace App for Windows Version 1808 and higher
    • For Transformer Kiosk Mode, the Citrix Workspace App for Windows must be installed with single sign-on and configured for passthrough authentication.
  • Operating System
    • Windows 11 (32-Bit and 64-Bit)
    • Windows 10 Version 1607 and newer (32-Bit and 64-Bit)
    • Windows Server 2022 Standard and Datacenter Edition
    • Windows Server 2019 Standard and Datacenter Edition
    • Windows Server 2016 Standard and Datacenter Edition
    • Windows Server 2012 R2 Standard and Datacenter Edition

Installation WEM Infrastructure

The following article is for WEM 2206, but can also be used for older versions.

WEM Caches

The WEM cache data is used to minimize load times and to provide WEM settings for the agent machines when the WEM broker is not available.

Following the WEM startup sequence, both when the computer boots and when a session starts, shows how the WEM cache data is used.

  • When the machine boots up, the Norskale Agent Host Service retrieves and applies all WEM settings for the machine. WEM caches are used here because WEM needs to read and apply the settings very early in the startup process, even before access to the WEM broker is possible.
  • When a user session logs in, the Norskale Agent Host Service is still used to apply user-specific WEM settings, and the WEM Agent’s local cache database (LocalAgentCache) can be used if the WEM Broker is not available or the administrator has configured WEM to always use the WEM Agent’s local cache.
  • Also, when logging in to user sessions, the WEM User Agent reads and applies the assigned actions. Here there are two caches that help to optimize the logon. The first is the WEM Agent’s local cache database, the second is a registry-based cache (Assigned Actions & Printers) that keeps track of what settings have already been applied.

WEM Agent Cache Data

WEM processes a total of 4 cache types on the respective end device. The Assigned Actions & Printers cache is persistently stored in the profile and thus moves from machine to machine. The LocalAgentCache and LocalAgentDatabase cache should be moved to the WriteCache disk via registry key (AgentCacheAlternateLocation).

The fourth cache is the Profile Management & Microsoft USV cache. This is not stored persistently in the profile and cannot be moved to the WriteCache. This should be stored in the Golden Image so that it is already present at the system startup.

| Cache name | Cache description | Purpose | Location on agent machine |
| --- | --- | --- | --- |
| Assigned Actions & Printers | HKCU | Prevents previously applied settings from being applied again. | Roaming profiles of the user (Microsoft or Citrix Profile Management) |
| Profile Management & Microsoft USV | HKLM | Allows the Agent Host Service to read and apply UPM / USV settings at the beginning of the computer boot process. | System Registry (HKLM) |
| LocalAgentCache | All WEM settings (Setting Database) | Contains all WEM user and machine settings of the assigned configuration set. | Database file on the local hard disk (Norskale Program Files Folder) |
| LocalAgentDatabase | WEM CPU Intelligent Optimization (History Database) | Tracks WEM Intelligent Optimization history for each user per machine. | Database file on the local hard disk (Norskale Program Files Folder) |

The Assigned Actions & Printers cache is updated when the session is loaded or read from the LocalAgentCache database if the WEM Broker cannot be reached or if it is configured to always read from the LocalAgentCache.

The Profile Management & Microsoft USV cache is updated automatically at regular intervals or manually using the AgentCacheUtility on the agent machine. When the agent is right-clicked in the console and “Reset Profile Management Settings & Microsoft USV Settings” is selected, a request goes to the agent to refresh these caches.

The LocalAgentCache is also refreshed automatically at regular intervals or manually using the AgentCacheUtility on the agent machine. The Refresh Cache option in the WEM Administration Console sends an update instruction to the agent to refresh its own LocalAgentCache database.

Each WEM Agent has its own LocalAgentDatabase, since the Intelligent Optimization history is relevant only for this computer. This database is therefore updated in real time during the user session. It is therefore always up to date, and no console-side action is required to cause the agent to update.

Ribbon

When the Administration Console is started, the main categories are grayed out if you have not yet connected to the Infrastructure Service. Clicking the Connect button opens the Server Connection window.

Enter the IP / hostname of the Infrastructure Server (in the picture localhost) and click on Connect. Leave the administration port on 8284.

After the successful connection, the main categories and subcategories are selectable. Furthermore, the ribbon has expanded to include the Configuration Set and Tools items.

Configuration Sets

A Configuration Set is a collection of WEM computer settings:

  • System Optimization Settings (CPU, RAM, I/O)
  • Environmental Settings
  • Application Security (AppLocker)
  • Roaming Profiles & Folder Redirection

But also the WEM user settings:

  • Actions (Applications, Printers, External Tasks)

There are some scenarios where multiple Configuration Sets make sense for your environment:

  • Different profile and USV requirements, e.g. configuration for multiple sites
  • Connection test and productive environment for WEM settings

In the Configuration Set ribbon, you can switch between the created configuration sets via the drop-down menu. Create adds a new Configuration Set, Edit modifies an existing one, and Delete removes one. If Delete is grayed out, there is only one Configuration Set and it cannot be deleted. The list can be refreshed via Refresh if a configuration set has been created in another Administration Console.

Tools

The Tools item allows you to create, restore and migrate backups of the settings.

Backup

The Backup button opens the Backup Wizard, where you can select which options you want to back up.

In the next window you can specify the destination folder for the backup, but not a name for the created backup.

  • Actions
    • Saves selected WEM Actions
    • Each type of action is exported as a separate XML file.
  • Settings
    • Saves selected WEM settings
    • Each type of setting is exported as a separate XML file.
  • Security Settings
    • Saves all settings that are present on the Security tab
    • Each rule type is exported as a separate XML file
    • The following items associated with a Configuration Set can be backed up:
      • AppLocker Rule Settings
      • Privilege Elevation Settings
  • Active Directory (AD) objects
    • Backs up the users, computers, groups and organizational units that WEM manages
    • The Backup Wizard can be used to specify which type of Active Directory objects should be backed up
    • There are two types of AD objects:
      • Users
        • Individual users and user groups
      • Machines
        • Individual machines, machine groups and OUs
  • Configuration set
    • Saves the selected WEM Configuration Sets
    • Each type of Configuration Set is exported as a separate XML file
    • Only the currently selected Configuration Set is saved
    • The following items associated with a Configuration Set are backed up:
      • Actions
      • AppLockers, Privilege Elevation and Process Hierarchy Control
      • Assignments (In the context of Actions and Action Groups)
      • Filters
      • Users
      • Settings (WEM Settings)
    • The following cannot be saved:
      • AD objects related to the machines (individual machines, machine groups and OUs)
      • Monitoring data (Statistics and Reports)
      • Process Management
      • Agents registered with the Configuration Set

Restore

The Restore button opens the Restore Wizard, where you can select which options you want to restore.

To do this, in the next window select the folder with the backups to be restored.

  • Actions
    • Restores all WEM Actions from the XML file
  • Settings
    • Restores all WEM settings from the XML file
  • Security Settings
    • Restores all existing settings on the Security tab
    • The settings in the backup file replace the existing settings in the current Configuration Set
    • When switching to or updating the Security tab, invalid Application Security Rules are detected (These rules are automatically deleted)
    • The deleted rules are listed in a report that can be exported if required
    • The Restore Wizard can be used to select what is to be restored:
      • AppLocker Rule Settings
      • Privilege Elevation Settings
        • Overwrite Existing Settings
          • Controls whether existing Privilege Elevation settings should be overwritten in case of conflicts
        • In the Confirm Application Security Rule Assignment dialog box, select Yes or No to specify how the Restore Wizard should handle application security rule assignments:
          • If Yes is selected, the Restore Wizard attempts to restore the rule assignments to users and user groups in the current site
          • The new assignment is successful only if the backed up users or groups exist in the current site or AD
          • Any unmatched rules are restored but remain unassigned and are listed in a report dialog that can be exported in CSV format
          • If No is selected, all rules in the backup will be restored without assigning them to users or user groups in the site
  • Active Directory (AD) objects
    • Restores the backed up Active Directory objects to the existing site
    • The Restore Wizard provides detailed control over the AD objects to be imported
    • On the Select the AD objects you want to restore page you can specify which AD objects should be restored and whether existing WEM AD objects should be overwritten (Overwrite mode)
    • If Overwrite mode is enabled, all existing AD objects will be deleted and only then will the restore process begin.
  • Configuration set
    • Restores the saved configuration set in WEM
    • Only one configuration set can be restored at a time
    • It may take some time for the WEM Administration Console to reflect the restored configuration set
    • When a Configuration Set is restored, WEM automatically renames it to <Configuration Set Name>_1 if a Configuration Set with the same name already exists

Migrate

The Migrate button can be used to migrate a ZIP backup of Group Policy Objects (GPOs) to WEM. Only GPO settings that WEM supports can be migrated.

In the Group Policy Management Console, a backup of the GPOs can be created via Back Up. The backup must then be compressed into a ZIP file.

  • Overwrite
    • Overwrites existing WEM settings (GPOs) if there are conflicts
  • Convert
    • Converts the GPOs into XML files suitable for import into WEM
    • Select this option if you want to precisely control the settings that will be imported
    • After successful conversion, use the Restore Wizard to import the XML files manually

The main categories

  • Actions
    • Configure applications, registry entries, printers etc.
  • Filters
    • Filter actions based on rules and conditions
  • Assignments
    • Assignment of created actions to configured users via previously configured filters
  • System Optimization
    • Configure fast logoff, CPU, I/O and memory management
  • Policies and Profiles
    • Configure Universal Profile Management, Microsoft User State Virtualization and Environmental Settings
  • Security
    • Configure Application Security, Process Management and Privilege Elevation
  • Active Directory Objects
    • Import users, groups and computers from Active Directory
  • Transformer Settings
    • Configure the Transformer feature that converts any Windows PC into a high performance thin client using a fully reversible kiosk mode
  • Advanced Settings
    • Agent logging options, printer processing, network drive clean-up options etc.
  • Administration
    • Configure WEM administrators, manage agents etc.
  • Monitoring
    • Login, boot, user and device reports, as well as Profile Container Insights

Actions

With the sub-items in Actions different things can be assigned to the user.

Action Groups

The Action Groups feature lets you define a group of actions (Applications, Printers etc.), that you can assign to a user or user group in a single step.

The Action Group list displays your existing action groups.

With Add you define the new Action Group with a Name and Description. With Action Group State you can enable or disable the whole Action Group.

Existing action groups can be edited via Edit and deleted via Delete. With Copy existing Action Groups can be copied.

After creating the action groups, they must be selected by double-clicking on them. Afterwards, existing actions can be assigned in the Configuration area under Available.

Configured contains the actions that are already assigned to the created action group.

When adding an action, the same options as under Assignments (link location, drive letters, etc.) can also be configured for it.

! Important !

  • When an action group is assigned, all actions contained in it are assigned
  • One or more actions can overlap in different action groups
  • In case of overlapping action groups, the last processed group overwrites the previously processed groups (even if the later processed action group has an unassignable action).
  • When using the Copy function, only the actions related to Network and Virtual Drives are cloned if the option Allow Drive Letter Reuse in assignment process is enabled.

To enable this option, go to the Advanced Settings > Configuration > Console Settings tab.

Group Policy Settings

Using the Group Policy Settings item, existing GPOs can be imported and converted into registry entries (HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER only) that can be assigned to individual users or user groups.

Under Enforce Group Policy Settings the function must be switched on (Enable Group Policy Settings Processing).

Via Import, existing backups of the GPO can be imported in zip format.

In the Import Group Policy Settings Wizard window, the file can be selected via Browse and the process started via Start Import.

The following screen shows which GPOs have been imported (here U_Workspace).

With Add a new Group Policy Object can be created. In the following wizard the Name and the Description are defined. Under Registry Operations the various registry changes can be entered.

Via Edit existing objects can be edited.

The following options are also available in the Group Policy Object Wizard. When changing existing Group Policy Objects, the following message appears initially. This can be switched off in the future via the checkbox.

Add adds a new registry key and Edit changes an existing one. For both, you can set different options under Registry Operations.

  • Order
    • Sets the processing order of the registry keys (the smallest number is processed first)
  • Action
    • Defines the action type
      • Set value
        • A value is defined for the defined registry key
      • Delete value
        • Deletes the value of the defined registry key
      • Create key
        • Creates the key defined by the Root Key and Subpath fields
      • Delete key
        • Deletes the defined (root key & subpath) registry key
      • Delete all values
        • Deletes all values under the defined registry key
  • Root Key
    • Defines the registry hive that is addressed. Possible values are HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
      • HKEY_LOCAL_MACHINE keys take effect when the Citrix WEM Agent Host Service is started
      • HKEY_CURRENT_USER keys take effect at user login
  • Subpath
    • The full path of the registry key without the root key specified above
  • Value
    • Defines a name for the registry value.
  • Type
    • Defines the type for the Value. Possible variants are:
      • REG_SZ
      • REG_EXPAND_SZ
        • An extensible data string that can contain a variable that is replaced by an application when called
        • For example, for the %SystemRoot% variable, the actual location of the folder in the respective operating system is set
      • REG_BINARY
      • REG_DWORD
      • REG_DWORD_LITTLE_ENDIAN
        • A 32-bit number in little-endian format
      • REG_QWORD
      • REG_QWORD_LITTLE_ENDIAN
        • A 64-bit number in little-endian format
      • REG_MULTI_SZ
  • Data
    • Input of data corresponding to the Registry Value
    • For different data types, different data is entered, in different formats
    • For example, for REG_DWORD %SystemRoot% is replaced by the actual location of the folder in an operating system
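
The Registry Operations fields above, as an added example (not WEM code and not from the original article): it validates each operation against the values this page lists as selectable, applies the valid ones in ascending Order to an empty in-memory model, and splits the result by when each root key takes effect. `RegOp`, `validate`, `dry_run` and the sample operations are constructed for illustration; treating Delete key as also removing subkeys is a modelling assumption.

```python
from collections import namedtuple

# Field names follow the Registry Operations dialog described above (hypothetical type).
RegOp = namedtuple("RegOp", "order action root_key subpath value type data",
                   defaults=("", "", None))

# When each selectable root key takes effect, as stated in the list above.
PHASE = {"HKEY_LOCAL_MACHINE": "Agent Host Service start",
         "HKEY_CURRENT_USER": "user logon"}
ACTIONS = {"Set value", "Delete value", "Create key", "Delete key", "Delete all values"}
TYPES = {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_DWORD_LITTLE_ENDIAN",
         "REG_QWORD", "REG_QWORD_LITTLE_ENDIAN", "REG_MULTI_SZ"}


def validate(op):
    """Return a list of problems; an empty list means the operation is well-formed."""
    problems = []
    if op.root_key not in PHASE:
        problems.append(f"root key {op.root_key!r} is not selectable")
    if op.action not in ACTIONS:
        problems.append(f"unknown action {op.action!r}")
    if op.action == "Set value" and op.type not in TYPES:
        problems.append(f"type {op.type!r} is not selectable")
    if op.subpath.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\")):
        problems.append("subpath must not repeat the root key")
    return problems


def dry_run(ops):
    """Apply valid operations in ascending Order to an empty model.

    Returns ({phase: {subpath: {value_name: (type, data)}}}, rejected_ops).
    Paths and value names are lower-cased because the registry is case-insensitive.
    """
    state = {phase: {} for phase in PHASE.values()}
    rejected = []
    for op in sorted(ops, key=lambda o: o.order):
        problems = validate(op)
        if problems:
            rejected.append((op, problems))
            continue
        keys = state[PHASE[op.root_key]]
        path, name = op.subpath.lower(), op.value.lower()
        if op.action == "Set value":
            keys.setdefault(path, {})[name] = (op.type, op.data)
        elif op.action == "Create key":
            keys.setdefault(path, {})
        elif op.action == "Delete value":
            keys.get(path, {}).pop(name, None)
        elif op.action == "Delete all values":
            if path in keys:
                keys[path].clear()
        elif op.action == "Delete key":
            # Modelling assumption: subkeys are removed together with the key.
            for k in [k for k in keys if k == path or k.startswith(path + "\\")]:
                del keys[k]
    return state, rejected


# Constructed sample: the Theme value set at order 1 is wiped by order 3.
SAMPLE_OPS = [
    RegOp(3, "Delete all values", "HKEY_CURRENT_USER", r"Software\ExampleCorp\Viewer"),
    RegOp(1, "Set value", "HKEY_CURRENT_USER", r"Software\ExampleCorp\Viewer",
          "Theme", "REG_SZ", "dark"),
    RegOp(4, "Set value", "HKEY_CURRENT_USER", r"software\examplecorp\viewer",
          "Retries", "REG_DWORD", 3),
    RegOp(2, "Set value", "HKEY_LOCAL_MACHINE", r"SOFTWARE\ExampleCorp\Viewer",
          "Telemetry", "REG_DWORD", 0),
    RegOp(5, "Set value", "HKEY_USERS", r".DEFAULT\Software\ExampleCorp",
          "Theme", "REG_SZ", "dark"),
]

if __name__ == "__main__":
    final, bad = dry_run(SAMPLE_OPS)
    for phase, keys in final.items():
        print(phase, keys)
    for op, problems in bad:
        print("rejected order", op.order, problems)
```

Reviewing the net result per phase before assignment shows which earlier operations a later Order value silently overrides.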

Applications

Applications is used to control the creation of shortcuts. The Application List displays the list of existing applications.

In the New Application window, accessible via Add, you can define the application type, which can be Installed application, File / Folder, URL or StoreFront store.

Existing applications can be edited via Edit and deleted via Delete.

StoreFront store is only visible under Application Type if a store has been defined via Advanced settings > Configuration > StoreFront.

Depending on the Application Type, the name, the path to the EXE / folder / file / URL or StoreFront store, the parameters and the path in the Start menu can be configured.

  • Installed application
    • Create shortcuts for locally installed application
      • Command Line
        • The path to the application executable file as it appears on the target system
        • The Browse button can be used to navigate to a locally installed executable file
      • Working Directory
        • The working directory of the shortcut
        • Automatically filled in when navigating to the executable file under Command Line via Browse
      • Parameters
        • Parameters for starting the application
  • File / Folder
    • Create shortcuts to a file or folder
      • Target
        • Path to the destination file or folder
  • URL
    • Create shortcuts to a URL
      • Shortcut URL
        • The URL to the target web page of the link
  • StoreFront store
    • Creates shortcuts to CVAD resources that are accessible via the StoreFront store, stored under Advanced settings > Configuration > StoreFront
  • Store URL
    • Selection of the stores stored under Advanced settings > Configuration > StoreFront
  • Store Resource
    • The respective store can be accessed via Browse
      • To add a resource, the Receiver installed locally on the Administration Console machine must first be populated with valid Citrix credentials.
  • Only then can WEM retrieve a list of published applications from the Receiver and display them in the Administration Console.

Under Start Menu Integration you can select where the created application will be placed in the start menu.

  • Start Menu Integration
    • Via Select path … the target of the application can be selected in the existing start menu tree
    • By default, a new shortcut is created under Programs
  • Start Menu Path Selection
    • With a right-click, new folders can be created (Add), existing folders can be renamed (Rename) or deleted (Delete) in the Start menu
  • Icon
    • Under Icon File, the icon file can be selected via Select Icon…
  • Application State
    • Here the application can be activated / deactivated
    • If Disabled it will not be added to the user in the session, even if the object is assigned
    • When Maintenance Mode is enabled, the icon is displayed normally to the user, but a warning icon appears within the icon and a warning message is displayed when the user tries to launch this application
  • Display Name
    • The name of the shortcut as it appears in the user’s environment is stored
  • Hotkey
    • Allows users to launch the application using the stored keyboard shortcuts

Advanced Settings controls how the application is displayed at startup, e.g. where the icon should be created on the desktop or whether it should be launched maximized / minimized.

  • Self Healing
    • By enabling Enable Automatic Self-Healing, the application’s shortcut will be recreated each time it is refreshed, even if it has been deleted or moved by the user
  • Desktop Icon Location
    • Via Enforce Icon Location the position of the icon on the desktop can be determined (The input of the position under X: and Y: is done in pixels)
  • Windows Style
    • This controls how the application is opened on the endpoint (Minimized, Windowed or Maximized)
  • Self Service Display
    • By default, applications are displayed in the WEM Self-Service menu of the agent
    • However, this can be disabled by unchecking the box at Do Not Show in Self Services
  • Favorites Folder Display
    • Create Shortcut in User Favorites Folder creates a shortcut in the favorites folder for the application

Start Menu View displays the available applications as they would appear in the user's local Start menu if they were assigned.

Using the action menu at the bottom of the screen, you can refresh the list via Refresh or delete existing applications via Delete.

! Important !

This deletes not only the start menu entry, but directly the complete application!

Via Edit existing applications can be edited, as well as via the Application List.

Using Move, existing applications can be moved to a different location in the Start menu. This edits the entry Start Menu Integration in the specific application.

With a right-click, new folders can be created (Add), existing folders can be renamed (Rename) or deleted (Delete) in the Start menu.

By right-clicking in the Start Menu View, you can also execute these points directly on the respective application.

But if you right-click on an existing folder, you get the options Add Application…, to create an application like in the Application List, and Add Folder….

Add Folder… creates a new folder in the Start menu.

Printers

To add printers, you can either do so manually or simply connect to a Print Server using the Import Network Print Server wizard.

In the Import Wizard, the Print Server Name and Alternate Credentials can be specified. Alternate Credentials are required if the credentials currently used for the Administration Console are not sufficient for the print server.

Now you can select one or multiple printers and import them.

  • Import Options
    • Via Enable Imported Items the printer can be directly activated (Printer State) in the Network Printer List
    • If Prefix Imported Items Names is checked, a prefix can be defined in the field next to it, which will be added to the imported printer

The Network Printer List can be refreshed via Refresh and individual selected objects can be deleted via Delete.

Via Add or Edit new printer objects can be created or edited. The following parameters are then available for selection.

  • Name
    • The display name of the printer as it appears in the Printer List
  • Target Path
    • The UNC path to the printer from the user’s point of view
  • Printer State
    • Status of the printer (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • External Credentials
    • Enter alternative credentials with which to connect to the printer
    • Otherwise the user credentials are used in the session

Additional settings can be defined on the Options tab.

  • Self Healing
    • If this is enabled, deleted printers are automatically recreated during a refresh
  • Action Type
    • With Map Network Printer only the previously specified parameters are used
    • With Use Device Mapping Printers File the absolute path to the XML Printer List Configuration file (explained in detail in part 4 of the series) is specified as the target path
    • The specified file is processed during each refresh.

Network Drives

Network Drives allows you to add network drives to the user environment.

In the New Network Drive window, accessible via Add, the network drive can be defined.

Existing objects can be edited via Edit and deleted via Delete.

  • Name
    • The display name of the network drive as it should appear in the Network Drive List
  • Target Path
    • The UNC path to the network drive from the user’s point of view
    • Variables e.g. %username% can be specified
  • Network Drive State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • External Credentials
    • Here you can specify alternative credentials for the connection

Additional settings can be found on the Options tab.

  • Display Name
    • The network drive name for the explorer can be specified
    • Variables can be used here too
  • Self Healing
    • If Enable Automatic Self-Healing is enabled, user-deleted drives are rebuilt on refresh.
  • Home Drive Configuration
    • When Set as Home Drive is enabled, the network drive is set as the user’s home drive

Virtual Drives

Virtual Drives are drives or MS-DOS device names that bind local file paths to a drive letter (no UNC paths!!!).

Via Add, new virtual drives can be defined and via Edit existing ones can be edited. With Delete, objects that are no longer needed can be deleted.

  • Name
    • The display name of the virtual drive as it should appear in the Virtual Drive List
  • Target Path
    • The path to the target on the target system
  • Virtual Drive State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Home Drive Configuration
    • When Set as Home Drive is enabled, the virtual drive is set as the user’s home drive

Registry Entries

Registry Entries allows you to customize the user’s registry. This can be done either manually or simply by using the wizard under Import Registry File.

In the Import from Registry File Wizard, the registry file (.reg) can be selected via Browse…. After selecting it, the file must still be read via Scan.

Now one or more lines of the registry file can be selected and imported.

  • Import Options
    • Enable Imported Items activates the registry entries directly (Registry Value State) in the Registry Value List
    • If Prefix Imported Items Names is checked, a prefix can be defined in the field next to it, which will be added to the imported registry entries (visible in the Registry Value List).

In the New Registry Value window, accessible via Add, the registry entry can be defined.

Existing objects can be edited via Edit and deleted via Delete.

  • Name
    • The display name of the registry entry as it appears in the Registry Value List
  • Registry Value State
    • Status of the Registry Entry (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Target Path
    • The location in the registry where the Registry Entry should be created.

! Important !

Registry entries can only be created under HKEY_CURRENT_USER (therefore HKEY_CURRENT_USER does not need to be specified in the destination path).

  • Target Name
    • The name of the registry value as it appears in the registry
  • Target Type
    • The type of Registry Entry to be created. Possible types are:
      • REG_DWORD
      • REG_SZ
      • REG_EXPAND_SZ
        • An extensible data string that can contain a variable that is replaced by an application when called
        • For example, for the %SystemRoot% variable, the actual location of the folder in the respective operating system is set
      • REG_BINARY
      • REG_MULTI_SZ
  • Target Value
    • The value of the created registry entry
  • Run Once
    • This causes this action to be performed only once
    • By default, the key is recreated with each agent update
Registry Entries

On the Options tab, it is possible to specify whether an existing key should be deleted, created or redefined.

Registry Entries Options
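
To review what a .reg file would bring into the Registry Value List before running the import wizard, the following added example (not WEM's own code and not part of the original article) parses .reg text into the Target Path, Target Name, Target Type and Target Value fields described above, skips everything outside HKEY_CURRENT_USER, and flags per-user autostart keys for manual review. The sample file, the dictionary keys and the review flag are constructed for illustration.

```python
import re

HKCU_NAMES = ("HKEY_CURRENT_USER", "HKCU")
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}
# Per-user autostart keys (Run, RunOnce): flag these for manual review.
AUTOSTART = ("software\\microsoft\\windows\\currentversion\\run",)

SECTION = re.compile(r"^\[(-?)([^\\\]]+)\\?(.*)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(text):
    # Undo .reg string escaping: a backslash protects the character after it.
    return re.sub(r"\\(.)", r"\1", text)


def decode_value(raw):
    """Map the right-hand side of a value line to (Target Type, Target Value)."""
    if raw.startswith('"'):
        return "REG_SZ", unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    if not m or m.group(1) not in HEX_TYPES:
        return None, raw                      # deletion ("-") or unsupported type
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    kind = HEX_TYPES[m.group(1)]
    if kind == "REG_BINARY":
        return kind, data.hex()
    text = data.decode("utf-16-le").rstrip("\x00")
    return kind, text.split("\x00") if kind == "REG_MULTI_SZ" else text


def parse_reg(text):
    """Return (entries importable under HKCU, lines that were skipped)."""
    entries, skipped, key, pending = [], [], None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):               # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith((";", "Windows Registry", "REGEDIT")):
            continue
        sec = SECTION.match(line)
        if sec:
            delete, hive, path = sec.groups()
            # Only HKCU can be targeted; key deletions are not importable values.
            key = None if delete or hive.upper() not in HKCU_NAMES else path
            if key is None:
                skipped.append(line)
            continue
        val = VALUE.match(line)
        if key is None or not val:
            continue
        name, rhs = val.groups()
        kind, value = decode_value(rhs)
        if kind is None:
            skipped.append(f"[{key}] {line}")
            continue
        entries.append({
            "target_path": key,               # HKEY_CURRENT_USER is implied
            "target_name": "(Default)" if name == "@" else unescape(name[1:-1]),
            "target_type": kind,
            "target_value": value,
            "review": key.lower().startswith(AUTOSTART),
        })
    return entries, skipped


# Constructed sample input, not taken from the article.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\7-Zip]
"Path"="C:\\Program Files\\7-Zip\\"
"ShowDots"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  75,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Ignored"="machine-wide"
'''

if __name__ == "__main__":
    importable, ignored = parse_reg(SAMPLE)
    for entry in importable:
        print(entry)
    print("skipped:", ignored)
```
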

Environment Variables

This action can be used to add Environment Variables to the user environment.

In the New Environment Variable window, accessible via Add, the environment variable can be defined.

Existing objects can be edited via Edit and deleted via Delete.

Environment Variables
  • Name
    • The display name of the environment variable as it should appear in the Environment Variable List
  • Environment Variable State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Variable Name
    • Definition of the functional name of the environment variable
  • Variable Value
    • The value of the environment variable
Environment Variable General

On the Options tab you can set the Action Type and the Execution Order.

  • Action Type
    • Only the displayed type can be selected; it sets or defines the environment variable.
  • Execution Order
    • Defines the priority of each Environment Variable: if a user is assigned several Environment Variables of the same type, this decides which one takes effect
Environment Variables Options

Ports

Ports allows individual manual assignment of COM and LPT ports from the client to the target system.

! Important !

To make this work in the target system, the Citrix policy Client COM port redirection and/or Client LPT port redirection must also be enabled. By default these are not enabled.

In the New Port window, accessible via Add, the port assignment can be defined.

Existing objects can be edited via Edit and deleted via Delete.

  • Name
    • The display name of the port mapping as it should appear in the Ports List
  • Port State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Port Name
    • Definition of the functional name of the port on the Citrix Worker
  • Port Target
    • Target of the port mapping on the client (Here mapping of the Citrix Worker COM3 port to the COM3 port of the client)
Ports General

Ini Files

Controls the creation or modification of Ini Files.

In the New Ini Files Operation window, accessible via Add, the Ini File Operation can be defined.

Existing objects can be edited via Edit and deleted via Delete.

  • Name
    • The display name of the ini file operation as it should appear in the ini file operations list
  • .ini File Operation State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Target Path
    • Definition of the target for the ini file operation (path from the point of view of the prospective user)
  • Target Section
    • Definition of the section in the previously defined INI file (Target Path) to be adjusted
    • If the section does not exist, it will be created
  • Target Value Name
    • Specification of the name of the value in the previously defined section (Target Section)
  • Target Value
    • Specifying the actual value
  • Run Once
    • This causes this action to be performed only once. By default, this is done with every agent update.
INI Files General

Result INI file using the above example:

INI file Operation example

External Tasks

Controls the execution of External Tasks, e.g. running CMD / PS1 scripts or installing MSI packages.

In the New External Task window, accessible via Add, the External Task can be defined.

Existing objects can be edited via Edit and deleted via Delete.

  • Name
    • The display name of the External Task, how it should appear in the External Task List.
  • Path
    • The path to the program or script to run, as seen from the target system
    • The target system must have the appropriate program to execute the External Task
    • Example for PowerShell:
      Path to the exe (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) or the path directly to the script itself; in that case the local file type association on the target system must match
  • Arguments
    • Allows start parameters or arguments to be specified
    • PowerShell example:
      The script file, if not already specified in Path, plus further parameters (-executionpolicy bypass -file C:\Script\Evergreen.ps1). powershell.exe hands everything after -file to the script, so -executionpolicy must come before -file
  • External Task State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Run Hidden
    • Selected, the task runs in the background and is not displayed to users
  • Run Once
    • This causes this action to be performed only once. By default, this is done with every agent update.
  • Execution Order
    • Sets the order of execution for each task
    • This option can be useful when users are assigned multiple tasks and some tasks depend on others to run successfully
    • By default the value 0 is set
  • Wait for Task Completion
    • Here you can define how long the agent waits for the task to be completed
  • Wait Timeout
    • Defines the waiting time for the Wait for Task Completion option
    • The default value for the waiting time is 30 seconds
External Task General

On the Triggers tab you can define when the action should be executed.

  • Refresh
    • The External Task is executed when the WEM Agent is updated
    • By default this option is enabled
  • Reconnect
    • The action is executed when a reconnect is performed
    • By default this option is enabled
    • If the WEM Agent is installed on a physical Windows device, this option cannot be used
  • Logon
    • The External Task is executed when the user logs in
    • By default this option is enabled
  • Logoff
    • Controls whether the external task should be executed when users log off
    • This option works only if the Citrix User Logon Service is running
    • By default the option is not enabled
External Task Triggers

File System Operations

Here folders and files can be copied to the user’s environment and directories or symbolic links can be created.

In the New File System Operation window, accessible via Add, the file system operation can be defined.

Existing objects can be edited via Edit and deleted via Delete.

  • Name
    • The display name of the file system operation as it should appear in the File System Operations List.
  • External Task State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • Source Path
    • The path to the source file or folder to be copied
  • Target Path
    • The destination path for the source file or folder to be copied
  • Overwrite Target if Existing
    • Controls whether the file or folder operation is allowed to overwrite existing files or folders with the same name in the destination location
    • If the option is disabled and a file or folder with the same name already exists in the destination location, the affected files will not be copied
  • Run Once
    • By default, Workspace Environment Management performs the File System operation each time the agent is updated
    • If this option is selected, the operation is performed only once and not at each update
    • This speeds up the agent update process, especially if users are assigned many file system operations.

! Important !

It should be noted that variables can be used in paths, such as C:\Users\##Username##, where ##Username## is expanded to the name of the user under which the WEM Agent is running. This can be useful when creating/copying files/folders into the user profile.

File System Operations General

Various Action Types are available on the Options tab.

  • Copy Files / Folders
    • Files or folders are copied
  • Delete Files / Folders
    • Files or folders are deleted
  • Rename Files / Folders
    • Files or folders are renamed
  • Create Directory Symbolic Link
    • A symbolic link to a folder is created
  • Create Directory
    • An empty directory is created
  • Copy Directory Content
    • The contents of the directory will be copied without creating the parent folder structure.
  • Delete Directory Content
    • The contents of the directory are deleted, not the folder itself!
  • Move Directory Content
    • The contents of the directory are moved, not copied!
File System Operations Options

Execution Order is used to specify the execution order of operations so that certain operations can be executed before others. Operations with an execution order value of 0 are executed first, then those with a value of 1, then those with a value of 2, and so on.

File System Operations Options

User DSN

Controls the creation of User DSNs (a DSN, or data source name, is a string whose data structure describes a connection to a data source such as SQL).

In the New User DSN window, accessible via Add, the database connection can be defined.

Existing objects can be edited via Edit and deleted via Delete.

User DSN
  • Name
    • The display name of the User DSN as it should appear in the User DSN List.
  • User DSN State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • DSN Name
    • The function name of the database connection
  • Driver
    • The driver for the connection
    • Only SQL Server can be selected
  • Server Name
    • The name of the destination server for the connection
  • Database Name
    • The name of the target database on the target server
User DSN

Connect Using Specific Credentials can be used to specify credentials with which to connect to the server/database.

With Run Once, the user DSN is created only once and not every time the agent is updated. By default, the user DSN would be written every time the agent is updated.

User DSN Options

File Associations

Controls the creation of File Associations in the user environment.

! Important !

Since Windows Server 2012, FTAs (File Type Associations) are stored per machine only; with this WEM feature they can be stored per user again.

In the New File Association window, accessible via Add, a new FTA can be defined.

Existing objects can be edited via Edit and deleted via Delete.

File association
  • Name
    • The display name of the file association as it should appear in the file association list.
  • File Association State
    • Status of the object (Enabled / Disabled)
    • If Disabled it will not be added to the user in the session, even if the object is assigned
  • File Extension
    • Defines the file extension to be used
    • When a file extension is selected from the list, the ProgID field fills automatically (if the file type exists on the computer running Administration Console)
    • The file extension can also be entered directly (For browser mappings this must be entered directly!)
  • ProgID
    • Defines the ProgID associated with the application
    • This value is automatically filled in when a File Extension is selected from the list
    • To find out the ProgID of an installed application, simply check the registry for the current assignment in a working system (here Microsoft Excel under file .xlsx, the ProgID [Excel.Sheet.12] can be found under Default)
ProgID Registry

Examples of required ProgIDs:

| Program | ProgID |
|---|---|
| Microsoft Edge (Chromium Based) | MSEdgeHTM |
| Google Chrome | ChromeHTML |
| Mozilla Firefox | firefox |
| Internet Explorer | IE |
| Opera Browser | OperaStable |
| Microsoft Edge | edge |
| Acrobat Reader DC | AcroExch.Document |
| Foxit PDF Reader | FoxitReader.Document |
| Microsoft Word 2016 and newer | Word.Document.12 |
| Microsoft Excel 2016 and newer | Excel.Sheet.12 |
| Microsoft PowerPoint 2016 and newer | PowerPoint.Show.12 |
| Microsoft Publisher 2016 and newer | Publisher.Document.16 |
| Microsoft Visio 2016 and newer | Visio.Drawing.15 |
File Association with progid

! Important !

If the ProgID is not known or not filled in, the Action, Target application and Command fields must be filled in manually.

  • Action
    • The action type is selected
    • Possible values are open, edit or print
  • Target application
    • Specifies the executable file to be used with this file extension
    • The full path of the executable file must be stored
  • Command
    • Definition of the command of the action type specified above
    • Possible values are:
      • “%1” –> Open
      • /p “%1” –> Print
  • Set as Default Action
    • Sets the defined file association as default for the user
  • Overwrite
    • Defines whether the set file association is allowed to overwrite existing settings.
  • Run Once
    • Sets the setting only once
    • Normally the setting is reset at each agent refresh
File Associations

Filters

Filters contain Rules and Conditions (e.g. group membership or client IP address, etc.) that you can use to make actions available to users.

Filters

Conditions

Conditions are specific triggers that configure the circumstances under which the agent assigns a resource to a user. Various conditions must first be defined so that they can be used via rules.

In the New Filter Condition window, accessible via Add, a new filter condition can be defined.

Existing objects can be edited via Edit and deleted via Delete.

Filter Condition
  • Name
    • The display name of the condition, how it should appear in the condition list
  • Filter Condition State
    • Status of the object (Enabled / Disabled)
    • If disabled the condition is not selectable during rule creation
  • Filter Condition Type
    • Defines the type of filter
    • Possible values are:
| Filter Condition Type | Meaning |
|---|---|
| Active Directory Attribute Match | Applied when user has AD attributes as under Settings |
| Active Directory Group Match | Used when user is a member of AD group under Settings (<Domain>\<Groupname>) |
| Active Directory Path Match | Used if attribute is found under Settings in AD Path (e.g. OU=Users*) |
| Active Directory Site Match | Applied when user or worker is member of AD site under Settings |
| Always True | Is always applied |
| Client IP Address Match | Applied when client IP is as under Settings |
| Client OS | Will be applied if client OS is as under Settings |
| Client Remote OS Match | Used when Worker OS is as under Settings |
| ClientName Match | Will be applied if Client Name is as under Settings |
| ComputerName Match | Applied when Worker Name is as under Settings |
| Connection State | Applied when Connection State (Online or Offline) is as under Settings |
| DateTime Match | Will be applied if the date (e.g. 23/01/2022 or 23/01/2022-31/01/2022) under Settings is the current one |
| Dynamic Value Match | Applied when Dynamic Value is present and the value is as under Settings |
| Environment Variable Match | Applied when environment variable value is as under Settings |
| File Version Match | Will be applied if specified file exists and version is as under Settings |
| File/Folder does not exist | Will not be applied if the specified file or folder exists as under Settings |
| File/Folder exists | Will be applied if the specified file or folder exists as under Settings |
| IP Address Match | Will be applied if Worker IP is as under Settings |
| Name is in List | Will be applied if the name is in the list as in Settings |
| Name or Value is in List | Will be applied if the value is in the list as under Settings |
| Name or Value is not in List | Is not applied if the value is in the list as under Settings |
| Network Connection State | Will be applied if the Network Connection State is as under Settings |
| No Active Directory Attribute Match | Not applied if user has AD attributes as under Settings |
| No Active Directory Group Match | Not applied if user is member of AD group under Settings (<Domain>\<Groupname>) |
| No Active Directory Path Match | Not applied if attribute can be found under Settings in AD Path (e.g. OU=Users*) |
| No Active Directory Site Match | Not applied if user or worker is member of AD site under Settings |
| No Client IP Address Match | Not applied if client IP is as under Settings |
| No Client OS Match | Not applied if client OS is as under Settings |
| No Client Remote OS Match | Will not be applied if Worker OS is as under Settings |
| No ClientName Match | Not applied if client name is as under Settings |
| No ComputerName Match | Will not be applied if Worker Name is as under Settings |
| No DateTime Match | Will not be applied if the date (e.g. 23/01/2022 or 23/01/2022-31/01/2022) under Settings is the current one |
| No Dynamic Value Match | Will not be applied if Dynamic Value is present and the value is as under Settings |
| No Environment Variable Match | Not applied if environment variable value is as under Settings |
| No File Version Match | Will not be applied if specified file exists and version is as under Settings |
| No IP Address Match | Will not be applied if Worker IP is as under Settings |
| No Registry Value Match | Not applied if System has configured the Registry Value under Settings (e.g. HKCU\Software\7-Zip\Path Value=C:) |
| No User Country Match | Will be applied if ISO Language is configured under Settings (e.g. German = DE etc.) |
| No User UI Language Match | Not applied if ISO UI Language is configured under Settings (e.g. German = de-DE etc.) |
| No WMI Query Result Match | Not applied if WMI value is as under Settings |
| No XenApp Farm Name Match | Not applied if XenApp Farm Name is as under Settings (Applies only up to XenApp 6.5) |
| No XenApp Version Match | Will not be applied if CVAD version (e.g. 1912) is as under Settings |
| No XenApp Farm Zone Name Match | Not applied if XenApp Zone Name is as under Settings (Applies only up to XenApp 6.5) |
| No XenDesktop Desktop Group Name Match | Not applied if the worker belongs to a virtual desktop (not the Delivery Group name) defined in Settings |
| No XenDesktop Farm Name Match | Applied if XenDesktop Farm Name is as under Settings (Applies only up to XenDesktop 5) |
| OS Platform Type | Applied if OS architecture (x64 or x86) is as under Settings |
| Provisioning Services Image Mode | Applied when Image Mode is as under Settings |
| Published Resource Name | Will be applied if the Published Resource Name is as under Settings. Important: for a published app this is the browser name; for a published desktop it is the published name of the desktop |
| Registry Value Match | Used when System has configured the Registry Value under Settings (e.g. HKCU\Software\7-Zip\Path Value=C:) |
| Scheduling | Used when day of the week (e.g. Monday) is as in Settings |
| Transformer Mode State | Is applied if Transformer Mode State is as under Settings |
| User Country Match | Will be applied if ISO Language is configured under Settings (e.g. German = DE etc.) |
| User SBC Resource Type | Applied when user context (pub. app or desktop) is as under Settings |
| User UI Language Match | Will be applied if ISO UI Language is configured under Settings (e.g. German = de-DE etc.) |
| WMI Query Result Match | Will be applied if WMI value is as under Settings |
| XenApp Farm Name Match | Applied when XenApp Farm Name is as under Settings (Applies only up to XenApp 6.5) |
| XenApp Version Match | Applied when CVAD version (e.g. 1912) is as under Settings |
| XenApp Zone Name Match | Applied when XenApp Zone Name is as under Settings (Applies only up to XenApp 6.5) |
| XenDesktop Desktop Group Name Match | Used when the worker belongs to a virtual desktop (not the Delivery Group name) that is defined under Settings |
| XenDesktop Farm Name Match | Applied if XenDesktop Farm Name is as under Settings (Applies only up to XenDesktop 5) |
Filters Conditions
  • Settings
    • The values to be defined are stored there (per dropbox or string input)

! Important !

If you don’t want to store a static value in a string field, you can simply enter a ? instead; this means only that the value is not zero. Furthermore, in the string queries, multiple values can be separated by ; (this is then an OR query).

Filter Condition Type

Rules

Rules consist of several Conditions. The rules used determine when a user is assigned an action.

These conditions are AND statements, not OR statements. If multiple conditions are added, all must be met for the filter to be considered triggered.

In the New Filter Rule window, accessible via Add, a new rule can be defined.

Existing objects can be edited via Edit and deleted via Delete.

Filter Rules
  • Name
    • The display name of the filter rule, how it should appear in the Filter Rule List
  • Filter Rule State
    • Status of the object (Enabled / Disabled)
    • If disabled the rule will not be processed by the agent
  • Filter Conditions
    • Only conditions whose Filter Condition State is Enabled are displayed
New Filter Rule
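
The combination rules described above (conditions inside a rule are ANDed, ; inside a Settings string is an OR, ? accepts any value, and the No … types negate their counterpart) can be modelled in a few lines to check what a filter lets through. This is an added example and not WEM's implementation: the fact names, the sample rules and the * wildcard handling are assumptions, and ? is read here as "a value is present".

```python
from fnmatch import fnmatchcase

# Condition type -> session fact it reads (small subset; fact names are hypothetical).
FACT_FOR_TYPE = {
    "Active Directory Group Match": "ad_groups",
    "Client IP Address Match": "client_ip",
    "ClientName Match": "client_name",
}


def setting_matches(setting, actual):
    """Settings string against one observed value: ';' is OR, '?' is any value."""
    if not actual:
        return False
    for alternative in setting.split(";"):
        alternative = alternative.strip()
        if alternative == "?":
            return True
        # '*' wildcard and case-insensitive comparison are assumptions of this model.
        if fnmatchcase(actual.lower(), alternative.lower()):
            return True
    return False


def condition_holds(condition, session):
    """Evaluate one condition; a 'No ...' type is the negation of its base type."""
    ctype = condition["type"]
    negated = ctype.startswith("No ")
    base = ctype[3:] if negated else ctype
    if base == "Always True":
        return True
    observed = session.get(FACT_FOR_TYPE[base])
    values = observed if isinstance(observed, (list, tuple, set)) else [observed]
    hit = any(setting_matches(condition["settings"], v) for v in values)
    return not hit if negated else hit


def rule_holds(rule, session):
    """A rule triggers only if every one of its conditions holds (AND)."""
    return all(condition_holds(c, session) for c in rule["conditions"])


def resultant_actions(assignments, session):
    """Names of the assigned actions whose filter rule triggers for this session."""
    return [a["action"] for a in assignments if rule_holds(a["rule"], session)]


# Constructed sample data (groups, addresses and action names are made up).
OFFICE_ONLY = {"name": "Finance from office", "conditions": [
    {"type": "Active Directory Group Match", "settings": r"CORP\Finance;CORP\Controlling"},
    {"type": "Client IP Address Match", "settings": "10.20.*"},
]}
NOT_EXTERNAL = {"name": "Not from VPN range", "conditions": [
    {"type": "No Client IP Address Match", "settings": "172.16.*"},
]}
# Same intent, but a client IP must be present before the negative check counts.
NOT_EXTERNAL_STRICT = {"name": "Known client, not VPN", "conditions": [
    {"type": "Client IP Address Match", "settings": "?"},
    {"type": "No Client IP Address Match", "settings": "172.16.*"},
]}
ASSIGNMENTS = [
    {"action": "Map drive F:", "rule": OFFICE_ONLY},
    {"action": "Run finance task", "rule": NOT_EXTERNAL},
]

if __name__ == "__main__":
    console = {"ad_groups": [r"CORP\Finance"], "client_ip": None}
    print(resultant_actions(ASSIGNMENTS, console))
    print(rule_holds(NOT_EXTERNAL_STRICT, console))
```

In this model the negative condition also triggers when no client IP is available at all, so a deny-style filter is best paired with a positive ? condition, as NOT_EXTERNAL_STRICT does.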

Assignments

Assignments is used to make Actions available to your users. This way, e.g. parts of the user’s login scripts can be replaced.

Assignments

Before you can assign actions to users, you must perform the following steps in the order given:

  • Configure users or groups, see Users in Active Directory Objects
  • Define conditions, see Conditions
  • Define Filter Rules, see Rules
  • Configure Actions, see Actions

Action Assignment

Users is your list of configured users and groups (from Active Directory Objects).

To simplify assigning actions for all users from the Active Directory, the standard approach is to assign the actions to groups (e.g. by department or specialist application).

Assignments Action Assignment

If an Application or an Action Group, with an Application, is assigned via the Assigned list, the following options are available:

Action Group
  • Create Desktop
    • Creates an icon on the user desktop
  • Create Quick Launch
    • Creates an icon in Quick Launch
Quick Launch
  • Create Start Menu
    • Windows Server 2016 and newer / Windows 10: Creates the icon in the Start menu under the program folder set in the Application itself
    • Windows Server 2012 & 2012 R2 / Windows 7, 8 & 8.1: Creates the icon only in the Apps component of the Start menu
  • Pin To TaskBar
    • Creates and pins the shortcut to the taskbar
    • For this to work, the application must also have the Create Start Menu option enabled
  • Pin To Start Menu
    • Windows Server 2016 and newer / Windows 10: Creates a shortcut on the right side of the user start menu
    • Windows Server 2012 & 2012 R2 / Windows 7, 8 & 8.1: Does nothing!
    • The Create Start Menu option must also be enabled, otherwise the application will not appear in the Start menu after updating the agent
  • Auto Start
    • Auto Start is set to Disabled by default
    • If enabled, it will be started automatically when the user logs in

If drives (Network or Virtual) are assigned directly or via Action Group, the filter and drive letter can be defined.

Assign Filter & Drive Letter

Modeling Wizard

The Action Modeling Wizard displays the resulting actions for a specific user (does not work for groups).

Modeling Wizard
  • Actions Modeling Target User
    • The account name of the user to be checked
Modeling Wizard
  • Resultant Actions
    • The Actions / Action Groups assigned to the user or the groups he belongs to
  • User Groups
    • The groups to which the user belongs
Modeling Wizard

Link to the other Parts

Installing Workspace Environment Management

Workspace Environment Management optimizes Citrix workers for the best possible performance (user density, logon time and application response time).

WEM is subject to the Current Release Lifecycle (Additional Component) and therefore there is no LTSR version of WEM available.

To use WEM, you must have an active Customer Success Services (CSS) for one of the following licenses:

  • Citrix Virtual Apps Advanced
  • Citrix Virtual Apps Premium
  • Citrix Virtual Apps and Desktops Advanced
  • Citrix Virtual Apps and Desktops Premium
  • Citrix Workspace Premium
  • Citrix Workspace Premium Plus

Technical Overview

Workspace Environment Management (WEM) is based on the following architecture:

WEM architecture

Continue reading “Installing Workspace Environment Management”
