Citrix Workspace Environment Management

Workspace Environment Manager (previously Norskale as many people may be familiar with) is a recent aquisition by Citrix that will fill the gap when it comes to Citrix offereing a UEM solution. WEM is available for all Enterprise and Platinum XA/XD customers with active Software Maintenance (Customer Success Services) and is available for download today. WEM 4.0 was the initial release.

Citrix quote using WEM in a Citrix environment could boost server scalability by 70% and reduce logon times by up to 80% so it would be rude not to have a look at this product and see what it is all about!

♣ Hardware and Software Requirements
♣ What’s new
♣ WEM Firewall Ports
♣ What has changed in WEM 4.3
♣ Install WEM Infrastructure Services
♣ Create WEM Database
♣ Broker Service Configuration
♣ Install WEM Administration Console
♣ Configure Licensing
♣ Import Setting Templates
♣ Install WEM Agent
♣ Point Agent to WEM Broker Server
♣ Connect to WEM Administration Console
♣ Add an Application (example)
♣ Add a Registry key (example)
♣ Import Registry keys (example)
♣ Import Printers (example)
♣ Create Directory (example)
♣ Apply settings to users using Rules and Conditions
♣ Modeling Wizard
♣ Resultant Actions Viewer
♣ System Optimization – Fast Logoff
♣ System Optimization – CPU Management
♣ System Optimization – Memory Management
♣ System Optimization – I/O Management
♣ Configuring Environment Settings
♣ Configuring Microsoft USV Settings
♣ Configuring Citrix UPM Settings
♣ Advanced Settings – Configuration – Main Configuration
♣ Configuring Agent Options
♣ Configuring Service Options
♣ Configuring UI Agent Personalization
♣ Configuring Helpdesk Options
♣ Power Saving Management – WEM Agent VMs
♣ Configure WEM Administrators
♣ Viewing WEM Connected Users
♣ Viewing WEM Connected Agents
♣ Administration Log
♣ Monitoring
♣ WEM Logging
♣ Creating additional WEM Sites
♣ WEM Transformer
♣ Upgrading WEM
♣ Documenting WEM Configurations
♣ VUEMAppCmd
♣ Troubleshooting

Hardware and Software Requirements

Citrix WEM consists of a Management Console, an Agent Host, a Broker and depends on Active Directory and SQL. For the sake of more detail:

  • Citrix WEM Administration Console – This can be installed on a Windows client or Server OS. This console will be used to manage the WEM installation such as creating and managing policies, assigning and creating resources and so on. The WEM Administration Console connects to the broker.
    • Software Prerequisites: .NET 4 (full package or client profile), Microsoft Sync Framework 2.1.
    • OS Prerequisites: Windows XP SP3 32/64bit, Windows Vista SP1 32/64bit, Windows 7, 8 & 10 32/64bit, Windows Server 2003 32/64bit, Windows Server 2003 R2 32/64bit, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (WEM 4.1).
    • Hardware Prerequisites: Dual core processor at minimum with 2GB RAM. Disk space usage is also low at 40MB minimum and 100MB during install required.
      • Note: Installing the WEM Administration Console on the following OS will not be supported in an upcoming Current Release of XenApp and XenDesktop (the next CR after the next LTSR):
        • Windows XP SP3 32bit and 64bit.
        • Windows Vista SP1 32bit and 64bit.
        • Windows 8.x 32bit and 64bit.
        • Windows Server 2003 32bit and 64bit.
        • Windows Server 2003 R2 32bit and 64bit.
        • Windows Server 2008 and 2008 R2.
  • Citrix WEM Agent Host – The Agent Host connects to the broker or Infrastructure Services and enforces the settings configured through the WEM Administration Console. This can be installed on Windows Desktop OS VDAs to manage those VDAs or Server OS VDAs. This component cannot be installed on the Infrastructure Services server.
    • Software Prerequisites: .NET 4 (full package or client profile), Microsoft Sync Framework 2.1.
    • OS Prerequisites: Windows XP SP3 32/64bit, Windows Vista SP1 32/64bit, Windows 7, 8 & 10 32/64bit, Windows Server 2003 32/64bit, Windows Server 2003 R2 32/64bit, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (WEM 4.1).
    • Hardware Prerequisites: Average RAM consumption for the agent is 10MB. Disk space usage is also low at 40MB minimum and 100MB during install required.
  • Citrix WEM Infrastructure Services – WEM Broker or Citrix WEM Infrastructure Services is installed on a Windows server acting as the connector between the Agent Host/Adminsitration Console and SQL/Active Directory. This component cannot be installed on an Active Directory server.
    • Software Prerequisites: .NET 4.5.2, SQL Server Compact Edition 3.5 SP3 (installed during setup), Microsoft Sync Framework 2.1 (installed during setup).
    • OS Prerequisites: Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 (WEM 4.1).
    • Hardware Prerequisites: 4vCPUs, 8GB and a minimum of 80MB disk space for up to 3000 users.
  • SQL Server – WEM stores all settings within a SQL database. The SQL database must be a minimum of 50Mb in size. WEM requires sysadmin access to the SQL server instance during creation of the database and read/write access going forward for usage. SQL Server 2008 R2 or later is supported.
  • Active Directory – To push settings to your users AD is required. WEM required read access to AD to push configured settings out to users.
  • Citrix License Server – WEM requires Citrix License Server 11.14 or later for the current WEM 4.0/4.1 release.
  • XenApp/XenDesktop – Any currently supported version of XenApp and XenDesktop will work with WEM 4.0/4.1.

Note: WEM will not be supported on .NET Framework 4.0, 4.5 and 4.5.1 once the next Current Release is released after the next LTSR.

Antivirus requirements – The entire installation directory for the WEM Agent Host and WEM Infrastructure Services must be excluded from on access scanning. If not possible, the following services must be excluded from on access scanning.

  • Infrastructure Services – NorksaleBrokerService.exe, NorksaleBrokerServiceConfigurationUtility.exe, NortksaleDatabaseManagementUtility.exe.
  • Agent Host – Norksale Agent Host Service.exe, VUEMUIAgent.exe, Agent Log Parser.exe, AgentCacheUtility.exe, AppsMgmtUtil.exe, PrnsMgmtUtil.exe, VUEMAppCmd.exe, VUEMAppCmdDbg.exe, VUEMAppHide.exe, VUEMCmdAgent.exe, VUEMMaintMsg.exe, VUEMRSAV.exe.

What’s new

What’s new in WEM 4.1:

  • Transformer module re-enabled
  • Agent Host communication improvement (communication now occurs from WEM Broker Service to Agent Host Service)

What’s new in WEM 4.2:

  • Support for Profile Management up to v5.6 including new options in the Administration Console to manage Profile Management.

What’s new in WEM 4.3:

  • User interface improvements by renaming labels, and messages in the installation wizards for example.
  • The session agent user interface is not localised in the following languages: German, Spanish, French, Italian, Japanese, Korean, Dutch, Russian, Traditional and Simplified Chinese.
  • Sites are now assigned to machines, or Security Groups, or Organisational Units.

What’s new in WEM 4.4:

  • A new Security tab has been introduced to the WEM Management Console which contains settings controlling end-user activity.
  • The Process Management controls have been moved to the above new Security tab.
  • The Database Maintenance tab has a new setting called Agent registrations retention period which allows agent registration logs to be deleted after a defined period of time. This reduces the size of the database and reduces lag when populating the Registrations tab.
  • Support for Profile Management 7.15.
  • Infrastructure Services by default sends anonymous data to Google Analytics. You can opt out of this from within the WEM Management Console.

What’s new in WEM 4.5:

  • Application Security. Similar to AppLocker but provides some additional functionlity. This Application Security feature allows you to control the applications users are permitted to run by defining rules in WEM.
  • SDX PowerShell Modules and the ability to run some administrative tasks via PowerShell.
  • Support for SQL Always On availability groups.
  • Intelligent Optimisation is now user-centric. If a process infringes a rule for a particular user, the process is optimised only for that user rather than for all users as was the case with previous versions.
  • Intelligent Optimisation history is now moved to the local database (LocalAgentDatabase).

WEM Firewall Ports

Source Destination Port Reason
Infrastructure Services Agent Host TCP 49752 Agent Host listens for instructions from Infrastructure Services on this port.
Administration Console Infrastructure Services TCP 8284 For Administration Console connectivity to Infrastructure Services.
Broker Agent Infrastructure Services TCP 8286 Agent connects to Infrastructure Services on this port.
Broker Agent Cache Synchronization Process Infrastructure Services TCP 8285 Agent synchronizes the agent cache with Infrastructure Services on this port.
Infrastructure Services Citrix License Server TCP 27000 Infrastructure Services connects to the License Server on this port.
Monitoring Service Infrastructure Services TCP 8287 Used by the Monitoring Service on Infrastructure Services servers. Not yet in use.

What’s changed in WEM 4.3

Some things have changed in WEM 4.3 mainly within the Administration Console that you should be aware off.

Sites have now been renamed to Configuration Sets. Other than that, everything else is the same including the method to create additional Configuration Sets.

Agents who are pointed to the Infrastructure Servers without any extra configuration now display under Administration -> Agents -> Registrations. This agent is currently not bound to any Configuration Set.

The Agent itself will not be able to sync due to not being able to identify a Configuration Set.

To associate a machine with the Configuration Set, you have to navigate to Active Directory Objects (previously named Users) and then click on Machines. Here you add machines to your Configuration Set. You can add Organizational Units which will add every member of that OU to the Configuration Set, you can also add individual machine accounts or groups of computers. In this example, I’ll add an OU. Click Add OU.

Select the desired OU and click OK.

The OU will appear as below.

Now refresh the cache on the Agent host machine. The VDA will now report with a green tick to indicate that it is bound to the Default Site Configuration Set. If machines are bound to multiple Configuration Sets for example you’ll get an error here, this allows you to easily identify such machines and perform correction.

Install WEM Infrastructure Services

Launch the Citrix Workspace Environment Management Infrastructure Services v4.00.00.00 Setup.exe installer.1-minClick Install. Some of the prerequisites are installed for you. 2-minClick Next. 3-minAccept the License Agreement, click Next. 4-minClick Next. 5-minClick Next. If you want to change the install directory choose Custom. 6-minClick Install. 7-minNow click Finish. 8-minIf you want to specify the Agent Port, Admin Port or AgentSyncPort during install you can do so using the command line. The following switches are available to be used:

  • AgentPort – Default agent port is 8286 however using this switch you can specify a different port. This port will be opened locally on the firewall of the Windows Server during install.
  • AdminPort – Default admin port is 8284 however using this switch you can specify a different port. This port will be opened locally on the firewall of the Windows Server during install.
  • AgentSyncPort – Default agent sync port is 8285 however using this switch you can specify a different port. This port will be opened locally on the firewall of the Windows Sever during install.

Eample command line install: “Citrix Workspace Environment Manager Infrastructure Services v4.00.00.00 Setup.exe” /v”AgentPort=\”8288\””67-min

If you are going to use Windows Authentication and load balance Infrastructure Services you must create an SPN using the following command:

setspn -U -S Norskale/BrokerService [accountname]68-min

If you are just going to use Windows Authentication or do not plan on using Windows Authentication you must create an SPN with the following command:

setspn -C -S Norskale/BrokerService [hostname]

Note: You must use Windows Authentication when load balancing Infrastructure Services. Each server must be configured to use the same account name.

Create WEM Database

Now on the Start Menu locate and launch Database Management. 9-minClick Create Database. 10-minClick Next.11-minEnter your SQL server name and choose the database name for WEM. Analyse the Log File and Data File location. The wizard best estimates the location of the SQL server data folder however this may be incorrect. Make sure these paths are correct and match your SQL server to avoid database creation failure. If the directories shown below do not exist, database creation will fail. Click Next. 12-minThe Database Creation Wizard requires an account with sysadmin rights on the SQL instance to create the database. By default the account you use to run the Database Creation Wizard will be used however you do have the option to specify a SQL account that has sysadmin rights.13-minSpecify the VUEM Administrators Group for users who are Full WEM Administrators and can use the WEM Administration Console. Use a service account for the Broker Service Account which will be used to run the Norskale Infrastructure Service service. Make sure you are not running this wizard from the Broker Service Account. If your SQL Users require strict complex passwords you can set a specific password for vuemUser and then click Next. The default password set is 8 characters in length consisting of lower and uppercase characters including digits and punctuation. If you specify a password then you will need to configure the same password for the vuemUser account when running through the Broker Configuration later so keep this in mind. If you are using AlwaysOn SQL availability then you must specify a password here as it will be required when adding the database to an availability group.14-minMake sure the broker service account has Log on as a service rights on the WEM Infrastructure Services server.15-min Review all settings and then click Create Database. 16-minThe database creation occurs.

If you get a database creation failure, review the log file under C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Database Management Utility Debug Log.txt17-minClick OK. 18-minClick Finish. 19-min

Broker Service Configuration

Next you have to configure the Infrastructure Services using the Broker Service Configuration utility found on the Start Menu of your Infrastructure Services server. 20-minEnter the Database Server and Name as below on the Database Settings tab including failover database if you are using DB mirroring. 21-min

On the Network Settings tab if you changed any of the ports during the Infrastructure Services install such as the Admin Broker port then enter the same port numbers here. 22-min

On the Advanced Settings tab tick to enable Windows Account Impersonation and use the Broker account if you are not using SQL Mixed Mode Authentication. If you are using MMA you can leave this option unticked and the vuemUser SQL account created during database creation will be used for connections to the database. Specify the SQL user password if you manually specified one during database creation. If you did not then leave this unticked. You can also change:

  • Broker Cache Refresh Delay (15 minutes by default) and the cache is used if SQL is offline/unavailable or WEM Infrastructure Services is unavailable.
  • Broker SQL State monitor (15 seconds by default) which is how often the broker attempts to poll the SQL server.
  • Enable debug mode to enable verbose logging on WEM Infrastructure Services.
  • Use Cache Even if Online meaning WEM Infrastructure Services reads site settings from its cache even when SQL is available.


Over on the Database Maintenance tab you can specify to enable scheduled database maintenance cleaning up any old statistic records from the database every number of days. The default retention for statistic data is 365 days. The system monitoring retention period is 90 days and the maintenance occurs at 2AM.24-min

Using the global license override setting to specify a Citrix license server which overrides what is set within the WEM Administration Console. Once you have specified all your required settings across all tabs click the Save Configuration button.  25-min

The broker service will restart and we are now ready to install the Management Console.26-min

Install WEM Administration Console

Launch Citrix Workspace Environment Management Console v4.00.00.00 Setup.exe.27-min

Click Next. 28-min

Accept the License Agreement. Click Next. 29-min

Click Next. 30-min

Select Next. Choose Custom if you wish to specify an install location manually. 31-min

Click Install. 32-min

Click on Finish. 33-min

Now launch the management console. Click Connect. 34-min

Enter the broker server name and port. Click Connect. 35-min

Click OK on the below warning. We can configure the license server shortly using the Administration Console. 36-min

Configure Licensing

Click on Configure license server. 37-min

Enter the Citrix license server name and port. Click OK. 38-min

Import Setting Templates

Next we can import quickstart settings from templates that will configure WEM with default recommended settings giving us a good baseline to get started. There is also a template for environmental lockdown settings based on best practice recommendations. Click Import Settings. 39-min

Click Next.40-min

Browse to the Configuration Templates folder located within the installation media. There are three templates that you can import:

  • Default Recommended Settings – This template imports recommended System Optimization, Agent Configuration and System Monitoring settings for CPU and memory management, agent offline mode, asynchronous printers processing etc.
  • Environment Lockdown Example – This template imports Environmental Settings specifying lockdown actions based on best practice such as hiding administrative tools, control panel and the recycle bin.
  • Sample Applications – This template imports sample application shortcuts however doesn’t seem to be working at this time.

Check the boxes next to each settings type you want to import and click Next.


Click Import Settings. 42-min

Click Yes. 43-min

Cick Finish. 44-min

Finally install the WEM Agent Host component.

Install WEM Agent

This piece of software will be installed on the VDA making sure any environmental setting configured within WEM is enforced on the client.

Launch Citrix Workspace Environment Management Agent v4.00.00.00 Setup.exe.


Click Install. Some prerequisites are installed for you. 46-min

Click Next. 47-min

Accept the License Agreement. Click Next. 48-min

Click Next. 49-min

Click Next. Choose Custom if you want to specify an installation directory yourself. 50-min

Click Install.51-min

Click Finish. 52-min

A number of command line arguments are available to be used when installing the Agent Host. Some example arguments:

  • WaitForNework – Accepted values are 0 or 1, 0 meaning inactive and 1 meaning active. By default this key is not created.
  • SyncForegroundPolicy – Accepted values are 0 or 1, 0 meaning inactive and 1 meaning active. By default this key is not created.
  • GpNetworkStartTimeoutPolicyValue – By default the value is 30 (seconds). You can specify a different number during install using this argument.

All three keys above are designed to make sure the VDAs receive the broker address GPO before logon. All keys are created under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon during installation.

  • APPSYSTEMCOMPONENT – Presents the Agent Host as a System component and removes the Agent Host listing from Add/Remove Programs.
  • AgentCacheAlternateLocation – The cache file will be saved to the specified location rather than the Agent install directory. Useful for non persistent machines.
  • AgentServiceUseNonPersistentCompliantHistory – The agent service’s process optimisation history will be saved externally to an XML file in the same location as the Agent cache file rather than in the machine’s registry. Accepted value is 1. Useful for non persistent machines.

Example command: “Citrix Workspace Environment Management Agent Setup.exe” /v”AgentCacheAlternateLocation=\”E:\AgentCache\”” /v”AgentServiceUseNonPersistentCompliantHistory=\”1\””69-min

Changes to the registry values are made based on specified arguments. 70-min

The cache now resides on E:\AgentCache.71-min

The Netlogon service is made dependant on the Norskale Agent Host service to ensure that the host service is always running before logons can be made.72-min

Note: As mentioned the Netlogon service is made dependent on the Norskale Agent Host Service to ensure it does not start before the Norskale Agent Host Service is running. This is particularly important when using Citrix App Layering and PVS because the PVS Target Device Software (which you should be installing in the Platform Layer) also makes a change to the Netlogon service making it dependent on the BNDevice (Citrix PVS Device) service. So when both PVS and WEM are used together, we end up with two services that must be running BEFORE Netlogon can run. Why is this a problem when PVS and WEM are used with App Layering? The DependOnService multi-string registry value is actually where dependencies are stored for each service running within Windows. So this multi-string value is where both the Workspace Environment Management Agent (installed in Application Layer) and the PVS Target Device software (installed in Platform Layer) set their dependencies. They both edit the same DependOnService multi-string value. When you publish an image with these two layers combined, the WEM Agent Application Layer’s edit of DependOnService is overwritten by the Platform Layer edit. Since the Platform layer has the highest priority of all layers, it is simply overwriting the change made by WEM rather than merging. This means we end up with VDAs that have no Netlogon dependency set to Norskale Agent Host Service. To fix this, open a new Platform Layer version, navigate to RegEdit -> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon and type without quotes “Norskale Agent Host Service” inside the DependOnService multi-String value. Now when you publish the image, the dependencies will be correct for both WEM and PVS.

I reached out to Citrix (the ex-Unidesk guys) on this one and they confirmed their code does not contain what is required to merge multiple values together for anything set within DependOnService under the Netlogon key. In a future release of Citrix App Layering, values created under Netlogon from multiple layers including the Platform Layer will be merged. For now use the workaround above.

Point Agent to WEM Broker Server

Clients (VDAs) need to know where to find the broker server. For this you can use Group Policy however I recommend using the registry on each VDA that has a WEM Agent installed. Create a BrokerSvcName REG_SZ with a value of the WEM Infrastructure Services Load Balanced address under HKLM\SOFTWARE\Policies\Norskale\Agent Host\. If using GPOs, Grab the ADMX configuration files from the WEM install media. 53-min

Copy them in to the PolicyDefinitions Group Policy central store folder within SYSVOL on your Domain. Remove the ADM file as it is not needed. Also import the language file. 54-min

Now navigate to Computer Configuration -> Administrative Templates -> Citrix -> Workspace Environment Manager -> Agent Host Configuration -> Connection Broker Name. 55-min

Change the Connection Broker Name to Enabled and specify the broker server. The other settings such as Agent Port can be used to specify port numbers other than the default. For now I do not need to use these so will leave all others settings unconfigured.

Note: Assigning WEM 4.3+ agents to sites via GPO is not supported. In WEM 4.3+, you assign machines to Sites (now called Configuration Sets) using the WEM Administration Console.56-min

If you want to manually force a cache update/rebuild on a VDA or create the cache before the Agent runs for the first time after an install, you can use the following command:

AgentCacheUtility.exe -RefreshCache -BrokerName servername. The Agent Cache Utility is found within the WEM Agent Host install directory. An optional switch -brokerport:port should be used if you have changed the default Infrastructure Services port of 8285. 57-min

Connect to WEM Administration Console

Firstly launch he Citrix WEM Administration Console. Click Connect, enter your Infrastructure Services server name and specify the broker service port (default 8284).

60-minOnce connected click the About tab. 61-minClick Configure license server. 62-min

Enter the Citrix license server and port. Click OK. 63-min

Clicking Options on the About tab allows you to configure items such as:

  • Auto Admin Logon – Console automatically connects to last broker it was connected to.
  • Enable Debug Mode – Enables verbose logging for the administration console. Logs are created in the root of the currently logged on users profile.
  • Console Skin – Change the skin (graphical look) of the administration console.
  • Port Number – Allows you to change the port number used for administration console connection to broker service. Remember to update the port configured on the broker (Infrastructure Services) server.


Click on the Home tab. Here you will perform all of your WEM configurations. You have several directories listed such as:

Actions – Configure registry entries, virtual drives, printers etc. on agent host machines.

Filters – Filter actions based on rules and conditions such as if user if part of group then apply these rules.

Assignments – Assign created actions to configured users.

System Optimization – Configure CPU management, memory management, fast logoff for agent hosts etc.

Policies and Profiles – Configure UPM (Universal Profile Management), client lockdown settings i.e. hide administrative tools.

Configured Users – Import users from Active Directory to be used with WEM.

Advanced Settings – Agent logging options, printer processing, network drive cleanup options etc.

Administration – Configure WEM administrators, manage agents etc.

Monitoring – Login reports, boot reports, user and device reports.


Add an Application (example)

Click on Applications, click Add.73-min

Enter the application name, location and where the application will exist on the users Start Menu etc. I am just creating a basic notepad application. 74-min

Clicking on the Options tab allows you to change the icon, application state (enabled/disabled), maintenance mode presents the icon as normal to the user but with a warning icon beside it and a warning message if the user tries to launch it. Hotkeys allow users to launch the application using keyboard shortcuts. 75-min

Advanced Settings controls how the application will appear when launched such as maximized. By default applications appear within the WEM self-service window of the agent however you can disable this using the Do Not Show in Self Services checkbox. Enable Automatic Self-Healing will recreate application shortcuts if they have been deleted or moved by the user. Click OK. 76-minThe application now appears within the Application List view. 77-minJust to show you the maintenance mode feature. When an application is in maintenance mode it will display as below to the user.78-minWhen application is launched the following error is displayed. 79-minThe application also receives a warning icon within the WEM Administration Console. 80-min

Add a Registry key (example)

Click on Registry Entries under Actions and click Add. 66-min

Registry entries can only be created under HKEY_CURRENT_USER. So let’s create an entry to suppress the Citrix Receiver client add account popup on restart. Note that Target Path does not require HKEY_CURRENT_USERS to be entered in the path as this is handled automatically by WEM. Run Once as the name suggests runs this action once which may be desireable if you have lots of Registry entries as you would not want this key being recreated during every Agent refresh. This also allows users to change the key values if they prefer an application to behave differently to what the registry key specifies.81-min

The Options tab allows you to specify if you are deleting, creating or setting an existing key. Click OK.82-min

Import Registry keys (example)

You also have the option to import registry keys from a reg file. WEM reads the .reg file and gives you the option to import values of your choice. REG_BINARY values won’t be scanned because WEM does not support creating REG_BINARY keys. Use the Import Registry File action to import values.83-min

Import Printers (example)

To import printers you can either do so manually or simply connect to a Print Server using the Import Network Print Server button.84-min

Enter the print server name and specify alternate credentials if the ones you are currently using for the WEM Administration Console do not have the appropriate permissions. Click Connect.85-minSelect one or multiple printers and click Import Selected.86-minYou can then edit imported printers changing the name, printer state (enabled/disabled) and if the printer will recreate if deleted using self-healing etc.87-min

Create Directory (example)

Click on Folders and Files followed by Add. Here we can copy folders and files to the users environment and create directories etc. I’ll be creating a folder so the Target Path is blank.

Note that you can use variables such as C:\Users\##Username##\ which will expand to the username WEM is running under. This can help when creating/copying files/folders to the users profile.88-minOn the Options tab you have several action types. Select Create Directory. 89-min

Apply settings to users using Rules and Conditions

To apply these settings to the user environment we need to first configure a set of users or group of users who will receive the actions and create some rules and assignments. Navigate to Configured Users -> Add. Enter a user name, multiple user names or preferrably a group as I have done.90-minNext click on Filters -> Conditions. By default an Always True Condition and Rule is created however not in use. Click Add. 91-minEnter a name, and select a condition type. A single or multiple conditions make up a rule. Conditions can be based on things such as the IP address of the VDA machine, the client OS version etc. Here I will choose Client IP Address Match so that VDA’s within the range specified will match this condition. 92-min

Enter the IP address range of your VDA machines and click OK. You can enter multiple single/ranges of IPs together.

Note: What you cannot do is combine multiple different IP Address Match filters under a single Rule expecting WEM to apply the rule based on IP one or else IP two. It does not work this way.

Below is an example of entering multiple IPs under the same filter:;;

Note: Make sure no space exists at the end of the IP address(s) in the Matching Result box.93-min

Note: If you are matching on Computer Names/VDA names, you can use wildcards such as Desktop* or you can simply use the star * symbol to match all computers.

I created another condition which matches for users who are in the Citrix Desktop Users security group. Now we can use these conditions against a rule. 94-minClick on Rules and click on Add. 95-minEnter a rule name and toggle the two created conditions to the right. Click OK. If these two conditions match then the rule is activated and allowed. 96-minNow click on Assignments. You will see any configured user/group here. Double click the entry and the list of available actions appear. Highlight an action and click the right-arrow to move it across to the Assigned section. 97-minAsign the Allow Rule filter that we just created to the action. This means that the action will apply if the Allow Rule is matched. 98-minAll actions I have created are now assigned to the Citrix Desktop Users group. Any user who is a member of that group and logs on to a VDA within the range should receive the actions. 99-minNavigate to Administration -> Agents, right-click your VDA and click Refresh Cache… to force a refresh of the cache. 100-minNext log on to the VDA, the conditions and rules should match and WEM will apply any assigned actions. The Copy folder appears within E:\. 101-minThe printer appears. 102-minThe test application appears within the Start Menu. 103-minThe registry entry appears. 104-min

Modeling Wizard

You can also use the modeling wizard to check what actions will apply to a user (groups not allowed). Click Assignments -> Modeling Wizard. 105-minClick Next. 106-minEnter a user and click Next. 107-minThe list of actions that will apply show. 108-min

Resultant Actions Viewer

The Resultant Actions Viewer is a client side tool (installed on VDAs where the WEM Agent is installed) and is quite like server-side Modelling Wizard although this tool rather than telling you what should apply tells you what did apply to a user logged on.

When you log on to a VDA as a user, browse to C:\Program Files (x86)\Norskale\Norskale Agent Host and launch VUEMRSAV.exe.

A number of tabs will be on display. The Resultant Actions Viewer displays what actions have been applied to your session, what actions have been excluded, what environmental settings have been applied. You can also view configured Agent Settings and Group Membership for the user.

What Enrivornmental Settings have applied shows as below.

The Logs tab shows a copy of the Citrix WEM Agent.log found under %UserProfile%.

System Optimization – Fast Logoff

Navigate to System Optimization. Here you have a number of options. Firstly on the Fast Logoff tab you can enable fast logoff. Fast Logoff logs a user off instantly and performs any additional logoff tasks in the background. This basically means the user is instantly disconnected and the logoff happens as normal behind the scenes. You can enable this and exclude specific groups from processing. 109-min

System Optimization – CPU Management

On the CPU Management tab you have options such as:

Enable CPU Spikes Protection – Configured by the Default Recommended Settings template if imported. This option limits all processes from using more than the specified processor value. Limit Sample Time decides for how long a process can exceed the CPU Usage Limit before it’s priority is lowered. The CPU Usage Limit field defines how much percentage of CPU a process can use before it is pegged back. If you have multiple CPUs, divide them up where 99% in the CPU Usage Limit field would be for one CPU but 49% is for two and 33% is for three CPUs.

Enable Intelligent CPU Optimization – Keeps a history of processes and the amount of times they have triggered spikes protection. The more a process triggers a spike protection the lower priority the process will be assigned at launch.

Exclude specified processes – Allows you to exclude specific processes from spike protection.

Note: If a process is clamped by spikes protection, an Event Log entry is generated under Application and Service Logs -> Norskale Agent Service indicating the process that was affected.110-minOver on the CPU Priority tab you can specify processes (by name) such as iexplore.exe and assign a priority.111-minOn the CPU Affinity tab you can set process affinity against processes. 112-minThe CPU Clamping tab allows you to clamp a process to a certain amount of CPU i.e. only 10% CPU can be used by this process. 113-min

System Optimization – Memory Management

Click Memory Management. Here you can enable WSO which withdraws excess memory from idle applications if they have not been used for a certain amount of time. You can exclude processes from WSO. 114-min

System Optimization – I/O Management

On the Io Management module you can set I/O priority for processes. 115-min

System Optimization – Processes Management

Click Processes Management. If you enable processes management you can whitelist or blacklist certain processes. 116-minIf you enable blacklisting, you can add certain processes to the blacklist meaning the won’t be run. 117-min If you enable process whitelisting any process not in the whitelist is automatically blacklisted so be careful. You can exclude local administrators and/or specific groups from both white and blacklists 118-minWith a process blacklisted if you try and run the process manually you’ll get the below message.152-min

Configuring Environment Settings

Click Policies and Profiles -> Environmental Settings. A lot of these settings are configured if you import the Environment Lockdown Sample template. For example the taskbar can be locked and the run button can be removed from the Start Menu. You can exclude administrations from receiving environmental settings by ticking the Exclude Administrators check box. 119-minThis picture shows the system clock having been removed. 120-minThe Desktop portion allows you to hide the My Computer icon, hide the Recycle Bin and more. 121-minWindows Explorer allows you to hide the Porgrams Control Panel and prevent access to CMD etc. 122-minControl Panel allows you to hide the Control Panel all together, only show specific Control Panel applets or hide specific applets. 123-minKnown Folders Management gives you the ability to disable known folders within the users profile. 124-minSBC/HVD Tuning allows you to optimise performance when using Session Hosts such as XenApp Shared Desktops. Some of the options are designed to increase performance however may slightly degrade the user experience as a result. 125-min

Configuring Microsoft USV Settings

Microsoft USV Settings allow you to integrate WEM with Microsoft Roaming Profiles, configuring Roaming Profiles from the WEM Administration Console. 126-min

Configuring Citrix UPM Settings

Citrix UPM Settings allows you to integrate WEM with Universal Profile Mangement, configuring UPM from the WEM Administration Console. Note that some options only work with specific versions of UPM based on new or retired options.127-minMost familiar options will be present. To see a guide on configuring UPM read 128-min

Advanced Settings – Configuration – Main Configuration

Click on Advanced Settings -> Configuration -> Main Configuration. Here you can check or uncheck the processing of actions. If you don’t have any port actions for example then disabling the processing will reduce unneeded overhead and boost overall agent processing time. Other options include:

  • Launch Agent at Logon – A default, launches the agent at logon.
  • Launch Agent at Reconnect – Launches the agent if a user reconnects to a published Desktop.
  • Launch Agent for Admins – Launches the agent even for administrators.
  • Agent Type – UI (GUI) or CMD (no GUI).
  • Enable (Virtual) Desktop Compatibility – Leave this enabled when using physical desktops or VDI.

129-minOn the Cleanup Actions tab, you can specify to delete printers, network drives, Start Menu shortcuts etc. whenever the WEM agent refreshes. 130-min

Configuring Agent Options

On the Agent Options tab, you can specify where agent logging will reside. Other options include:

  • Enable Offline Mode – You can also enable offline mode which allows the agent to use the local cache in the event access to the WEM Infrastructure Services server is lost. This is on by default.
  • Use Cache Even If Online – As the name suggests, the local cache will be used even when the WEM agent is online.
  • Refresh On Environmental Setting Change – When an environmental setting is changed the Agent will trigger a Windows refresh.
  • Async Prnters Processing – Asynchronously process printers.
  • Async Network Drives Processing – Same as above only for network drives.
  • Broker Service Timeout (ms) – The local cache will be used if the broker service cannot connect within the specified time.
  • Directory Service Timeout (ms) – The local cache of user group associations will be used if the directory service times cannot connect within the specified time.

131-minOn the Advanced Options tab you can enforce actions even changes have not been made for example to any of the printer actions. You can also configure to revert any printer, virtual drive, application actions etc. once they have been unassigned the next time the agent refreshes. At the bottom you can specify how often the agent refreshes which is 30 minutes by default (UI only). 132-minOn the Reconnection Actions tab similar to the processing options on the Main Configuration tab you can allow or disallow processing of certain or all actions when a user reconnects.134-minOn the Advanced Processing tab you can enable or disable processing of action filters when the agent refreshes. 135-min

Configuring Service Options

The Service Options tab allows you to specify how often the agent will refresh the cache (15 min default), how often the agent will refresh its SQL connection and other options such as enabling debug mode for the agent and setting a delay on the agent executable launch on a desktop. You can also exclude the agent from running for specific groups of users.136-minThe Console Settings tab allows you to exclude drive letters when creating drive assignments which may help prevent a WEM administrator using a drive letter that is used globally for something else for example. 137-min

Configuring UI Agent Personalization

The UI Agent Personlization tab simply allows you to adjust the look and feel of the agent, helpdesk and self-service tools running on VDA. You can prevent users fro managig printers and applications etc. through the agent.138-minWhen printer and application management is disabled the options appear greyed out.154-minHere is a look at the agent using the Glass Oceans skin.153-min

Configuring Helpdesk Options

You can set help links and allow users to take a screen capture including the option to send the screen capture via email to support. 139-min

Power Saving Management – WEM Agent VMs

Power Saving can allow the agent to shut down the device it is running on after a specified time or when the machine is idle for so many seconds. 140-min

Configure WEM Administrators

Click on Administration. The Configured Administrator List section shows WEM Administrators and allows you to add more using the Add button or edit exsting users or groups. 141-minEditing a group or user you can set permissions such as read only access to the WEM Administration Console.142-min

Viewing WEM Connected Users

The Users portion shows a list of users who have connected and reserved a WEM license within the past 24 hours and 1 month.143-min

Viewing WEM Connected Agents

Agents shows a list of the machines that have the Agent Host component installed including some machine information such as Device Name and IP Address.  144-minRight-clicking on an agent provides you with a number of options such as manually forcing a cache refresh or uploading statistics to the WEM database. 145-min

Administration Log

The Administration Log presents a history of changes made by a WEM administrator. As you can see actions such as assigning tasks and refreshing an agent cache are recorded. 146-min


Click on Monitoring -> Daily Reports. This shows an overview of the login times over the past 24 hours. If you double-click one of the bar graphs you are presented with a list of individual logons and their logon times. This is exteremely useful for baselining activities and comparing boot times between mulitple minor or major changes/customisations both within WEM and outside of WEM i.e. Group Policy. 147-min

Click on User Trends. The Login Trends Report shows an overview of login times across all users connected to this site for the specified dates. If you double-click the graph bar you are presented with a more detailed view of login times including user logging on and their individual login times. 148-min

Device Types present a list of the different devices connecting to this WEM site over the specified time period. Double-clicking any of the graph bars show more detail such as the device name and OS version. 149-min

Click on User and Device Reports. On the User Report tab you can use the User drop-down box to select a WEM configured user and view the login times for that user over a certain time period. Note that all these different reporting features are exportable to Excel, PDF, HTML etc. 150-min

Click on Configuration. You can specify the work days so that reporting focuses only on the days your business is in operation. 151-min

WEM Logging

A number of logs are generated by default with advanced debug logs being optional. WEM related Event Logs also exist on both the VDA and Infrastructure Services servers.

By default Agent Logging is enabled, and this can be toggled on or off within the WEM Administration Console. With Agent Logging enabled, two log files are created on the VDA in location %UserProfile%. Again this location can be modified using the WEM Admin Console:

  • Citrix WEM Agent Init – Agent initialisation information is recorded here. Any issue with the WEM Agent not starting or making contact with the WEM Broker will be logged here as an exception.
  • Citrix WEM Agent – When the WEM Agent processes settings, such information is logged in this file. You’ll be able to see which settings have been processed and if any exceptions or errors occur.

You can turn on Debug Mode through the WEM Administration Console which generates a debugging Citrix WEM Agent Init and Citrix WEM Agent log files within %UserProfile%. These log files provide deeper output on the intialisation and processing stages.

If the WEM Agent cannot contact Infrastructure Services, change the AgentDebugModeLocalOverride REG_DWORD to 0x1 on the VDA you are troubleshooting.

An Agent Log Parser exists in the Agent Host install location that you can use to load either the Citrix WEM Agent or Citrix WEM Agent Init logs into for parsing and easier reading.

Once you load your desired log file, it will display as shown below.

If you browse to Service Options within Advanced Settings you can turn Agent Host service logging on. These logs related to the Norskale Agent service running on your VDA.

A log file named Citrix WEM Agent Host Service Debug will be created under the Norskale Agent Host install location. This is typically C:\Program Files (x86)\Norskale\Norskale Agent Host\.

If the Agent Host cannot contact Infrastructure Services, change the AgentServiceDebugModeLocalOverride REG_DWORD to 0x1 on your VDA.

On each VDA with the Agent Host installed, a Norskale Boker Service log directory is present in Event Viewer containing information related to the Norskale Agent Service. If the Agent is offline, or there are connectivity issues, it will be logged here. Informational events such as settings that have been synchronised from the WEM Broker Server to local cache are also logged.

On the Infrastructure Services servers, a Norskale Broker Service log is available in Event Viewer logging non debug events such as connectivity to SQL, database connection checks and when Agent Hosts connect to the WEM Broker Service.

You can enable Administration Console debugging by navigating to About -> Options and checking Enable Debug Mode -> OK.

A Citrix WEM Console Trace log file will be placed in %UserProfile% containing information related to the console start-up and connection to Infrastructure Services. If connections are timing out then this log file will help.

During the creation or upgrade of a WEM database, a log file is created by the Database Management Utility and stored on the Infrastructure Services install folder. Generally C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\.

You can also on the Infrastructure Services server enable Broker Service debug logs By changing the BrokerServiceDebugMode REG_DWORD to a value of 0x1. Now restart the Infrastructure Services service.

A Citrix WEM Infrastructure Service Debug log will appear within the Infrastructure Services install directory. This log file contains data such as information related to VDAs contacting the Infrastructure Services servers and database connectivity checks.  

Creating additional WEM Sites

Obviously a lot of the settings within WEM are site wide settings and can apply to all agents connected to the site. If you need a separate site for settings containment click on Create.155-minEnter a site name and click Ok. You can then move Agents to a separate site either by Group Policy or by creating a REG_SZ object with a name of SiteName and value of the sites actual name. This REG_SZ value resides in HKLM\SOFTWARE\Policies\Norskale\Agent Host\.156-minNow you can toggle between each site providing you are a Global Administrator. 157-minWhen assigning permissions to WEM Administrators untick Global Admnistrator. This allows you to assign an administrator to a certain site containing their permissions within that one site. 158-minA non Global Administrator can only manage the site they have assigned permissions for.159-min

WEM Transformer

Transformer is a feature that turns any Windows PC-type machine in to a thin-client acting device by enabling thin-client mode. Transformer was part of Norskale but not available in Citrix’s first version of WEM 4.0. It is now available in 4.1. To configure Transformer open the WEM Administration Console and click Transformer.

Note: Citrix do not support running Transformer on Windows Server OS.

On the General Settings tab you should click Enable Transformer then configure your Web Interface/StoreFront address that machines will automatically browse to upon logon to Windows. You can also configure the appearance of Transformer allowing you to add a system clock, language selection, enable windowed mode etc.

When a user logs on to a WEM managed machine the PC automatically goes in to kiosk mode and displays StoreFront.

Here you can see the clock, custom title and language options.

On the Site Settings tab you can add a bunch of websites that allows any user to launch that website through Transformer.

The list of added websites appears as below. You can use the navigation buttons to go back and forth between visited sites. Again navigation buttons must be enabled as they are disabled by default.     On the Tool Settings tab you can add different tools/programs that appear and are launchable within the Transformer window. To add a tool, click Add. Enter a name and the path to the program. You can configure it to autolaunch and maximize. Click OK. Now in Transformer you’ll have a tools icon, and once clicked you see Command Prompt. The Command Prompt window appears. On the Advanced node the Process Launcher tab allows you to enable Process Launcher. Doing this disables Transformer mode and launches a specified process of your choice. In this example I have specified that MSTSC launches when a user logs on to their desktop. MSTSC launches. If a user closes the application or kills the process off the process re-launches. The Advanced & Administration Settings tab under Transformer Settings -> Advanced allows you to further personalise the Transformer program. Here you can hide buttons such as restart options and the home button. You can also disable unlock ability so that CRL+ALT+U does not unlock the PC/kiosk restrictive view.The Logon/Logoff & Power Settings tab under Transformer Settings -> Advanced allows you to configure Windows auto-logon so that when your PC powers on it is automatically logged on, then the kiosk window opens. You can also configure actions to occur when your remote session ends and power actions to shut down a PC at a specific time etc. Shut down action being applied.

Upgrading WEM

WEM must be upgraded in the following order:

  • Infrastructure Services
  • Database
  • Administration Console
  • Agent Host

Infrastructure Services

Run the installer of the Infrastructure Services version you want to upgrade to. You should manually stop the Norskale Infrastructure Services service before upgrading to ensure the upgrade is successful. Once the new version of Infrastructure Services is complete, run the Database Management utility and click Upgrade Database.

Enter the required information and click Upgrade.

Click Yes.

Click OK. The database has now been upgraded.

Now you will need to reconfigure the Norskale Broker Service using the Broker Service Configuration utility.

Administration Console

Run the latest WEM Administration Console installer over the top of the existing installation.

Agent Host

Run the latest Agent Host upgrade installer or patch installation over the top of the existing installation on machines which have no users logged on and then perform the following steps:

  1. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update58-min
  2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe eqi 359-min

If your using a 32bit OS use the same path above ony with 64 removed.

This ensures the Agent Host .dll files are correctly. Agents are backward compatible within the same major release i.e. v3.0 or v3.5 agents work with a v4.0 broker. Some functionality will however be lost until all components are on the same major and minor version.

If you have specified a specific Agent Host Cache location for example when using PVS and set AgentServiceUseNonPersistentCompliantHistory to 1, double check these values still exist. You may have to specify them again after an Agent upgrade.

Documenting WEM Configurations

Whilst there is no easy way to output all the different configured settings, policies, objects etc. created in WEM, there is a script available which pulls all configurations in to an easy to read HTML file. See


A nice trick from WEM Client Side Tools by James Kindon. If you have applications that require actions such as drive mapping or printer mapping to be completed first before the application launches, using Citrix Studio edit the properties of your desired application, define VUEMAppCmd.exe under the Location tab along with the actual published application name as a switch.

Doing this prevents the published application from launching until WEM has finished processing.


Launch Agent at Logon

If the agent does not launch on logon, create a registry entry as below:

Name: VUEMUIAgent

Data: C:\Program Files (x86)\Norskale\Norskale Agent Host\VUEMUIAgent.exe

Type: REG_SZ

Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Agent delay in detecting online mode

I’ve encountered 4.1 and 4.2 agents staying in “offline mode” for around 90-120 seconds after VDA power on, at which stage the agent changes to online and the online cache can be accessed. Allowing access to the local cache in offline mode allows the agent to process on first log on within the 90-120 seconds after VDA power on.

Agent syncornisation failure when using PVS

A timing issue in PVS can occur that prevents the WEM Agent to properly sync upon logon. To fix:

Run a Scheduled Task at system startup using the NT AUTHORITY\SYSTEM account which performs a Cache Refresh and restarts the Agent Host Service. On the VDA, create a batch file on C:\ for example and insert the following text:

Create an On system startup Scheduled Task which runs under the NT AUTHORITY/SYSTEM account.


  • Michael McAlpine

    October 25, 2016

    Is there any WEM documentation from Citrix?

    I’ve noticed some differences between GPO and WEM in regards to variables in drive mappings.

    • George Spiers

      October 25, 2016

      There is an administration guide included with the WEM downloadable media.

      • Michael McAlpine

        October 26, 2016

        Thanks. Also great posts, Carl Stalhood has some competition.

        • George Spiers

          October 26, 2016

          Thanks for your kind words Michael!

  • Michael McAlpine

    October 27, 2016

    I’ve begun to move items like drive mappings from a GPO to WEM and I noticed some differences. There also seems to be quite a bit of stuff the documentation leaves out which makes me believe that it is either an initial guide that will be expanded on or Citrix plan to leave it up to professionals/consultants to flush out what their documentation is missing.

    1) Drive mappings don’t seem to allow for variables like %LogonUser%. Does Citrix have any better documentation out for WEM than the stuff included with the media?

    2) For file associations, it looks like the “Command:” is a required field. I would like to set Irfanview as a default application for .JPG files. Do I point the target application path at the .exe or the folder then use the command to point at the .exe file?

  • George Spiers

    October 27, 2016

    I’m not aware of any additional documentation other than what is included with the media at this time. I believe Citrix internal teams are being skilled up on the product and no doubt more information will be published soon!

    1) %LogonUser% does not work however %UserName% is a useable variable for network drive mapping in WEM. Why wouldn’t you use %username%? I don’t think %LogonUser% is a variable that will be supported as it’s only used within GPP. You can use WEM to create Environment Variables for example one with a name of LogonUser with a value of %username%. This would then allow you to map a network drive using \\servername\share\%logonuser%.

    2) For file associations enter the complete path to .exe in the target application field and just use a space in the command field, this lets you get around it

  • Michael McAlpine

    October 28, 2016

    1) Part of the path is to an admin share… userdata$, which also might be the issue too. I tried %username% and I can’t get that to work either. I might try just pointing to the (single) file server instead of the DFS share.

    2) Thanks, I’ll give that a try next Monday

  • Relega

    January 9, 2017

    Hey, is it possible to use 2 Infrastructure Servers without load balancing them? Just one will be connected to with the Admin Console. Both will be used as connector between Agent Host and DB, but for different Clients. Will this work and is this supported?

    • George Spiers

      January 9, 2017

      It is possible and it will work. I don’t think Citrix have stated it is not supported anywhere in documentation. I cannot see why it won’t be supported as not everyone has a Load Balancer!

      • Relega

        January 9, 2017

        Many thanks for your fast reply!

  • Marco

    January 16, 2017

    Hey, I have two questions. Today I did a complete install of XenApp 7.12 and WEM with Server 2012R2 Worker. I tried to configure both UPM and folder redirection through WEM, but only the folder redirection gets applied. The UPM settings are completely ignored. Any hint where I could look for the problem?
    Second, the WEM Agent starts only about 30-90 seconds after the user login. I did a PoC of Norskale about a year ago, and there it started immediately at the user logon. Any idea why?

  • George Spiers

    January 16, 2017

    There is a private hotfix for the start delay issue – see here

    By default log files are kept on the broker agent machines under %UserProfile%\
    Citrix WEM Agent Init.log and Citrix WEM Agent.log. They contain information on assignment processing and agent launch etc. Look in these files for any indication as to why UPM settings are being ignored.

  • Alain Assaf

    January 19, 2017

    Does the transformer piece only work on a physical device or can it work with a virtual desktop?

    • George Spiers

      January 19, 2017

      It can work on both virtual and physical Windows machines.

  • Steve

    January 25, 2017

    Great guide. The logging/reporting needs some love. Wanting to use WEM to replace ThreadLocker and save some money. Only issue is the reporting on what WEM is doing is stored in a single log file for each user on each SHA server. 🙁 I would love to see reporting roll up to the broker like the trends do.

  • Ali

    April 4, 2017

    Hello George,
    i have installed wem 4.2 version unfortunately have an error hope you can help to solve 🙂
    event id: 0
    quelle: Norskale Agent Service

    VuemAgentServiceConfigurationHelper.TryUpdateAgentRegistration (): The creator of this error has not specified any reason.

    hope hear you soon
    have a nice evning

    • George Spiers

      April 4, 2017

      Hi Ali
      Does the Agent connect to Infrastructure Services at all?
      What OS are you running? Does the Agent appear in the WEM Console under Administration -> Agents?
      Are you using GPO to point the Agent to WEM Infrastructure Services server or direct Registry entry?

      • Ali

        April 4, 2017

        my OS server 2012r2 and xenapp 7.6 ltsr CU3, yes all service running and i am add it master per registry and gpo
        i see the norskale agent service is running
        and yes under administrator
        its just the one error only

  • George Spiers

    April 4, 2017

    Uninstall the agent, remove any leftover items such as the Norskale folder in %ProgramFiles(x86)% and registry under HKLM\SOFTWARE\Policies\Norskale or HKLM\SYSTEM\CurrentControlSet\Control\Norskale. Install the Agent again, specify the WEM Broker server under HKLM\SOFTWARE\Policies\Norskale\Agent Host. Also make sure you have created an appropriate SPN.

  • Ali

    April 5, 2017

    Hello George, i am uninstalled and deleted registry .. and after restart and new installed Agent host unfortunaltelly already same issue
    and yes i do it SPN

  • Ali

    April 5, 2017

    Hello George, endles solved issue wem worked now but logon time i have 22 second something long, i read its 8-15 second logon time is with wem have you any idea to fix it?

    • George Spiers

      April 6, 2017

      Move GPOs to WEM and take a WEM first approach. Hopefully then logon times should be kept at a minimum.

      • Melvin

        April 10, 2017

        Hi George,

        when you say “move GPO’s to WEM” is that creating a corresponding registry key for the GPOs that you have set and remove the GPO?


        • George Spiers

          April 11, 2017

          Hi Melvin
          I’d encourage it. If your GPOs perform client drive mapping, registry editing and so on, you should move such settings to WEM to reduce logon times.

  • Ali

    April 30, 2017

    Hello Geaorge,
    have again problem wirh wem agent host the log sayme;
    13:15:50 Warning -> ConfigurationDataSourcesHelper.CheckBrokerSvcConnection() : Network Detected as disconnected
    13:15:50 Exception -> ConfigurationDataSourcesHelper.CheckBrokerSvcConnection() : Broker Svc Check -> Failed
    13:15:50 Event -> AgentServiceHelper.OpenDataConnection() : Opening configuration cache connection -> C:\WEMCache\LocalAgentCache.sdf
    13:15:51 Event -> VuemAgentServiceConfigurationHelper.ReadCentralConfiguration() : Agent cache location: C:\WEMCache
    13:15:51 Exception -> VuemAgentServiceConfigurationHelper.ReadCentralConfiguration() : No matching Site Found … Exiting.
    13:15:51 Event -> VuemAgentServiceConfigurationHelper.DoCentralCfgReport() : Central Configuration Report:

    but network all is fine, port open and
    (“C:\Program Files (x86)\Norskale\Norskale Agent Host\AgentCacheUtility.exe” -refreshcache -BrokerName hostname fqdn ) also ok
    Citrix Workspace Environment Management Agent Cache Management Utility – By Citr
    ix Systems, Inc – Version

    Start Time: 30.04.2017 08:52:04
    Total changes downloaded: 0/0
    Last successful synchronization: 30.04.2017 08:52:04

    Operation Completed Successfully
    i don’t know really what can i do to fix… is really frusted me can oyu help to solve it?

    • George Spiers

      May 1, 2017

      No matching site found. What is your site name? Have you changed the name away from the default name? Are you using GPOs to specify the site name?

  • Ali

    May 1, 2017

    yes i am use GPO and but i am add yesterday registry too already not found

  • Ali

    May 1, 2017

    no i am not changed SiteName is already same all

  • Ali

    May 1, 2017

    Hello George, endless work it really again how i am leave it.
    Thanks so much your help!! have a nice day.

  • Ali

    May 12, 2017

    Hello George 🙂
    hope are you ok!! have a few error on my eventlog!
    maybe did you can help how can i fix it, this 2 error on my XA Worker;
    1. Event id: o Norkale Agent Service: ProcessIoPriorityController.SetProcessIoPriority() : Error While Changing Io Priority to High for Process: autoben (10704)
    2. VuemAgentServiceConfigurationHelper.TryUpdateAgentRegistration() : Agent registration update (HardwareId: 9AF8D4E5FCBD, InstanceGuid: 584e5717-37f6-4112-9b84-582bf8d82799) -> Failed

    are you have any idea to fix it?

    • George Spiers

      May 12, 2017

      You want to change the priority of a process and it is not working? Is your Agent actually working at all and showing with a green tick as being synchronized under Administration -> Agents?

  • Ali

    May 15, 2017

    yes all is correkt, and there agent is green, is happen not always sometimes happening!

    • George Spiers

      May 15, 2017

      If it’s an AV process, many Anti-Virus products don’t allow you to change the process priority however WEM still logs an error. This was fixed in v4.2.

  • Ali

    May 16, 2017

    yes and i have also v.4.2 version already habe this issue, i don’t know also what the f***
    i let the Anti-Virus wem not chek in this path:C:\Program Files (x86)\Norskale

  • Dennis Span

    May 27, 2017

    Great article George! This saved me a lot of time. Thanks for sharing!

    • George Spiers

      May 30, 2017

      No problem, glad it helped.

  • Junaid Yaseen

    May 29, 2017

    Hi George Spiers, Good Compilation, 🙂 Thanks.

    I haven’t used the product yet, but looking at it over all seems citrix wants to replace some good selling third party that had been in business “Appsense” and offload GPO processing. Moreover, they are reintroducing some of older XenApp features like memory/CPU optimization back into business. The wizards and consoles somewhat remind me of their earlier Edgesight for XenApp. They might be reusing it.

    That said, how stable is the product over all…! May be anyone who had been using can help answer … that would be helpful.

    I have a XenDesktop environment with Citrix UPM, with few GPO’s. From monitoring point of view how helpful this tool would be…!

    • George Spiers

      May 29, 2017

      You’re welcome, Junaid. WEM I would say has worked pretty well for most of the time I have used it. Some oddities do exist in the product. I’ve found some versions struggling to hide system drives and apply other environmental settings. Some agent versions also seem to be stuck in offline mode after system boot for 60-90 seconds. After that it is fine. There is a workaround for that though.

      • Eric

        June 20, 2017

        George —

        Have you seen this happen with specific versions of the agent? I’m currently seeing this issue with 4.3 and have a ticket open with Citrix support but if this is an issue with previous versions of the agent I will assume a fix won’t be forthcoming.

        • George Spiers

          June 20, 2017

          From memory I am seeing the 60-90 second initial offline problem in 4.1-4.3 but I have a workaround for that. Are you experiencing the same? All versions of WEM I have noticed for me fail to hide the Recycle Bin and any system drives. 4.0 and 4.1 failed to disable access to CMD but that seems sorted in newer versions. Are you seeing the same?

          • Eric

            June 21, 2017

            I am not seeing the 60-90 second delay but a large amount of my environmental settings only apply for a users first login to a machine. Any subsequent login no longer applies these environmental settings (disable command prompt, disable registry, hide icons on start menu, etc). The only environmental settings that I’ve found to work consistently is hiding the system clock. This is a PVS environment and I’ve followed all the build recommendations I’ve found.

          • George Spiers

            June 21, 2017

            What version fo WEM are you running? I’ve not noticed that before. You are redirecting the WEM cache to a persistent drive e.g. PVS Write Cache drive? Do the settings persist until you restart the PVS Target Device, or only on first logon where even a second logon for the same user to same VDA without a reboot results in lost settings?

          • Eric

            June 21, 2017

            Running WEM 4.3. I am redirecting everything to the persistent write cache drive. The settings only apply on a users first logon to the target device. These are XenApp targets so they only reboot once a day. Here is an example of the sequence of events:

            Machine reboots at 5am
            User1 logs in at 6am and gets correct settings
            User1 logoffs at 7am
            User1 logs back in at 8am and the environmental settings no longer apply.
            User2 logs in at 8am and the environmental settings apply correctly.
            User2 logs off at 9am
            User2 logs back in at 10am and settings no longer apply.
            Machine reboots at 5am
            User1 and User2 log in at 6am and get correct settings
            User1 and User2 log off at 7am
            User1 and User2 log back in at 8am and settings no longer apply

            I have WCF traces into the WEM dev team at Citrix so I can update once I hear back from them.

            Thanks for the blog posts they are all very helpful!

          • George Spiers

            June 21, 2017

            Thanks Eric

  • jim

    June 6, 2017

    Hi, great article.
    My question is, Does it work in parallel with UPM/GPO or all profile management settings can be relocated to WEM?
    Some people seem to think it does not replace UPM but rather works in part with it

    • George Spiers

      June 6, 2017

      WEM 4.3 supports the newest UPM features found in CPM 5.7. Older versions of WEM had been a bit short on features compared to what was available in Citrix Policies and GPOs. It comes down to preference and where you prefer managing your CPM settings.

  • Rick

    June 27, 2017

    George – Great guide. I understand how WEM improves login time by applying settings using the agent instead of waiting for Windows to process them natively before the desktop is loaded, but in our case the biggest wait during login time is profile copy of the UPM profile from the server to the VM. I have seen some infographics showing that WEM can optimize this as well but I don’t understand how. Does it wait to process the profile until after the user has logged on, and if so how does that work? Can a user start interacting with the desktop before their profile has fully copied to the machine?

    • George Spiers

      June 27, 2017

      Hi Rick, WEM has a fast logoff feature but no equivalent to logons. CPM still handles all the loading of profiles as normal. There are some features in UPM such as Profile Streaming and exclusions you can use and that are designed to quicken up logons. You should also redirect as much as possible to reduce profile size.

      • Rick

        June 27, 2017

        Understood. Thanks!

  • Pingback: Workspace Environment Management 4.3 – Carl Stalhood

  • Pingback: Detailed Change Log – Carl Stalhood

  • Pingback: EUC Weekly Digest – July 8, 2017 – Carl Stalhood

  • Vaqar Hasan

    July 10, 2017

    Good job George !!
    looks like I will have to visit this page multiple times during my implementation 🙂

    • George Spiers

      July 10, 2017

      Thanks Vaqar, you visit as many times you like. 🙂

  • Luke

    July 11, 2017

    Great article! I’ve got it working on attest VDA. I’m having trouble with Transformer though, I have a separate site to set it up, I have my test laptop appearing in the WEM console and is looking at the correct site. In that site I have enabled Transformer, specified a site etc but when I log into the laptop I have the regular desktop. Laptop is Windows 10 if that makes any difference. Thanks!

    • George Spiers

      July 11, 2017

      Does the WEM agent run on your laptop? It needs to run before entering Transformer mode. It should run on logon. Sounds to me like the agent is not running, or is but erroring out.

  • Luke

    July 12, 2017

    The WWM Agent is installed on the laptop, I can see that the Service is running and the WEM Console on the server can see the laptop. How do I ensure the WEM Agent launches on login? Have I missed an installation switch? Thanks for the reply!

    • George Spiers

      July 12, 2017

      If the agent does not launch on logon, create a registry entry as below:

      Name: VUEMUIAgent

      Data: C:\Program Files (x86)\Norskale\Norskale Agent Host\VUEMUIAgent.exe

      Type: REG_SZ

      Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      P.s. adjust the path as relevant to your configuration.

  • Peter Wynne

    July 20, 2017

    Hi mate 🙂 have you seen the following error before;
    BrokerServiceHelper.CheckSqlConnection() : SqlDatabaseHelper.TestSqlServerConnection() connection Error : 258 | A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 – The wait operation timed out.)
    2 new brokers in a particular datacentre won’t link back to the database. Other brokers worked just fine (all DB settings confirmed the same across the brokers).

    • George Spiers

      July 20, 2017

      Hi Mr. Wynne 🙂 Sounds like the broker and SQL server cannot match on a cipher/SSL protocol during SSL handshake. For example if SQL only accepts TLS 1.0 but the brokers don’t offer the same. On the brokers check HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ to see if any TLS versions are disabled vs. a working broker. A WireShark trace between a working broker/SQL server would let you know which ciphers and TLS protocols the SQL server supports.

      • George Spiers

        July 20, 2017

        It could also be a proxy/firewall type device along the communication path interfering with the connection. That would be another thing to check

        • Peter Wynne

          July 25, 2017

          Thanks George, the servers are exactly the same – have checked cipher settings and they all look the same. Citrix is suggesting it’s a latency issue – it’s 200ms between the broker and the DB instance.. I would setup a sync’d database local to the remote broker if it’s really necessary but there is very little documentation on whether that is recommended or not..

          • George Spiers

            July 25, 2017

            The latency may well explain the timeout error then, although there are no published guidelines around latency. AlwaysOn is popular with WEM databases but Citrix don’t even officially support that yet. I think the stance currently is if you have an issue, prove it happens without AlwaysOn to be supported. I’m sure someone at Citrix could confirm what options you have, asides from having a separate farm in that region..

  • Pingback: Site Updates – July 2017 – Carl Stalhood

  • Pingback: Image Optimization Analysis – Citrix XenApp | James Kindon

  • Chris

    November 4, 2017

    Hi George
    I have installed wem 4.4 in no persistence vdi using persistant cache through PVS and I have this initial offline problem . Do you have any idea how to deal with that?


    • George Spiers

      November 4, 2017

      Yes look at the bottom of the article titled “Agent syncornisation failure when using PVS”. That should help.

  • Chis

    November 7, 2017

    Thanks Goerge for you answer ,
    i have applied the script didn’t help at all . The offline delay for 120 secs remains.

    • George Spiers

      November 7, 2017

      Can you verify the script actually ran and the services restarted? Check Event Viewer to confirm services restarted and that the scheduled task completed successfully.

  • chris

    November 7, 2017

    Seems that have run and services restarted but let me check again.

  • Chris

    November 8, 2017

    Finally i found out that this script could gives the expected results only if i introduce a delay more than 5 secs to run it on vdi startup .

    Thanks George

  • Pingback: Configure Citrix Workspace Environment Management Application Security - Zero To Hero

  • Ray

    January 2, 2018

    Is there some math formula for the CPU Management Settings?
    CPU Usage % divided by Number of CPU?
    I have 8 CPU, So based on what he says here
    “the CPU setting should not be set above 49%, if 4 CPU’s are available, the CPU setting should not be set above 24%”

    2 CPUs= take 100% and dived that by 2 you get 50% So you set it to 49%
    4 CPUs= take 100% and dived that by 4 you get 25% So you set it to 24%
    8 CPUs= take 100% and dived that by 8 you get 12.5% So you set it to 11 %

    • George Spiers

      January 3, 2018

      If you are using VDI, the math formula seems to be:
      100% divided by #CPUs – 1.

      So an 8 core formula: 100% divided by 8 = 12.5 minus 1 = 11.5%

  • Mark

    February 9, 2018

    I am automating the build of a Win7 XD Image and was curious to know if there is particular order in which to install the WEM agent. Before or after VDA installation?

    BTW – I know the CPU optimization (process priority) was designed for XenApp but does it benefit in Win7/Win10 VDI?


    • George Spiers

      February 12, 2018

      I normally install it after installing the VDA. That is just personal preference but I am sure there is no specific priority. CPU optimisation could benefit in cases were you have an application that likes to CPU hog. In this case, we could use WEM to control the behaviour and lower the process priority, until maybe the application vendor releases a patch.


Leave a Reply