Group Policy Settings
WEM currently supports adding and editing only Group Policy settings associated with the
In previous releases, you could migrate only Group Policy Preferences (GPP) into Workspace Environment Management (WEM). For more information, see the description of the Migrate wizard in Ribbon. You can now also import Group Policy settings (registry-based settings) into WEM.
After importing the settings, you can have an itemized view of the settings associated with each GPO before you decide which GPO to assign. You can assign the GPO to different AD groups, just like you assign other actions. If you assign GPOs to an individual user directly, the settings do not take effect. A group can contain users and machines. Machine-level settings take effect if the related machine belongs to the group. User-level settings take effect if the current user belongs to the group.
For machine-level settings to take effect immediately, restart the Citrix WEM Agent Host Service. For user-level settings to take effect immediately, users must log off and log back on.
Group Policy settings
For WEM agents to process Group Policy settings properly, verify that Citrix WEM User Logon Service is enabled on them.
Enable Group Policy Settings Processing. Controls whether to enable WEM to process Group Policy settings. By default, this option is disabled. When disabled:
- You cannot configure Group Policy settings.
- WEM does not process Group Policy settings even if they are already assigned to users or user groups.
Group Policy object list
Displays a list of your existing GPOs. Use Find to filter the list by name or description.
- Refresh. Refreshes the GPO list.
- Import. Opens the Import Group Policy Settings wizard, which lets you import Group Policy settings into WEM.
- Edit. Lets you edit an existing GPO.
- Delete. Deletes the GPO you select.
Import Group Policy settings
Before importing Group Policy settings, back up your Group Policy settings on your domain controller:
Open the Group Policy Management Console.
In the Group Policy Management window, right-click the GPO you want to back up and then select Back Up.
In the Back Up Group Policy Object window, specify the location where you want to save the backup. Optionally, you can give the backup a description.
Click Back Up to start the backup and then click OK.
Navigate to the backup folder and then compress it into a zip file.
WEM also supports importing zip files that contain multiple GPO backup folders.
To import your Group Policy settings, complete the following steps:
Use Upload, available in the menu on the WEM service Manage tab, to upload the zip file of your GPOs to the default folder in Citrix Cloud.
Navigate to the Administration Console > Actions > Group Policy Settings tab, select Enable Group Policy Settings Processing, and then click Import to open the import wizard.
On the File to Import page of the import wizard, click Browse and then select the applicable file from the list. You can also type the name of the file and then click Find to locate it.
- Overwrites GPOs you imported previously. Controls whether to overwrite existing GPOs.
Click Start Import to start the import process.
After the import completes, click Finish. Imported GPOs appear on the Group Policy Settings tab.
Edit Group Policy settings
Double-click a GPO from the list for an itemized view of its settings and to edit the settings if needed.
To clone a GPO, right-click the GPO and select Copy from the menu. The clone is automatically created after you click Copy. The clone inherits the name of the original and has a suffix “-Copy.” You can use Edit to change the name.
The Edit Group Policy Object window appears after you click Edit.
Name. The name of the GPO as it appears in the GPO list.
Description. Lets you specify additional information about the GPO, which appears in the GPO list.
Registry Operations. Displays registry operations that the GPO contains.
Editing, adding, and deleting registry-based settings incorrectly can prevent the settings from taking effect in the user environment.
- Add. Lets you add a registry key.
- Edit. Lets you edit a registry key.
- Delete. Lets you delete a registry key.
To add a registry key, click Add on the right-hand side. The following settings become available:
Order. Lets you specify the order of deployment for the registry key.
Action. Lets you specify the type of action for the registry key.
- Set value. Lets you set a value for the registry key.
- Delete value. Lets you delete a value for the registry key.
- Create key. Lets you create the key as specified by the combination of the root key and the subpath.
- Delete key. Lets you delete a key under the registry key.
- Delete all values. Lets you delete all values under the registry key.
Root Key. Supported values:
Subpath. The full path of the registry key without the root key. For example, if
HKEY_LOCAL_MACHINE\Software\Microsoft\Windowsis the full path of the registry key,
Software\Microsoft\Windowsis the subpath.
Value. Lets you specify a name for the registry value. The highlighted item in the following diagram as a whole is a registry value.
Type. Lets you specify the data type for the value.
- REG_SZ. This type is a standard string used to represent human readable text values.
- REG_EXPAND_SZ. This type is an expandable data string that contains a variable to be replaced when called by an application. For example, for the following value, the string “%SystemRoot%” will be replaced by the actual location of the folder in an operating system.
- REG_BINARY. Binary data in any form.
- REG_DWORD. A 32-bit number. This type is commonly used for Boolean values. For example, “0” means disabled and “1” means enabled.
- REG_DWORD_LITTLE_ENDIAN. A 32-bit number in little-endian format.
- REG_QWORD. A 64-bit number.
- REG_QWORD_LITTLE_ENDIAN. A 64-bit number in little-endian format.
- REG_MULTI_SZ. This type is a multi-string used to represent values that contain lists or multiple values. Each entry is separated by a null character.
- Data. Lets you type data corresponding to the registry value. For different data types, you might need to type different data in different formats.
Your changes might take some time to take effect. Keep the following in mind:
- Changes associated with the
HKEY_LOCAL_MACHINEregistry hive take effect when Citrix WEM Agent Host Service starts or the specified SQL Settings Refresh Delay times out.
- Changes associated with the
HKEY_CURRENT_USERregistry hive take effect when users log on.
Contextualize Group Policy settings
You can make Group Policy settings conditional by using a filter to contextualize their assignments. A filter comprises a rule and multiple conditions. The WEM agent applies the assigned Group Policy settings only when all conditions in the rule are met in the user environment at runtime. Otherwise, the agent skips those settings when enforcing filters.
A general workflow to make Group Policy settings conditional is as follows:
In the administration console, navigate to Filters > Conditions and define your conditions. See Conditions.
For a complete list of filter conditions available, see Filter conditions. Group Policy settings comprise user and machine settings. Some filter conditions apply only to user settings. If you apply those filter conditions to machine settings, the WEM agent ignores the filter conditions and applies the machine settings. For a complete list of filter conditions that do not apply to machine settings, see Filter conditions not applicable to machine settings.
Navigate to Filters > Rules and define your filter rule. You can include the conditions you defined in Step 1 into that rule. See Rules.
Navigate to Actions > Group Policy Settings and configure your Group Policy settings.
Navigate to Administration Console > Assignments > Action Assignment and complete the following:
Double-click the user or user group to which you want to assign the settings.
Select the application and click the right arrow (>) to assign them.
In the Assign Filter window, select the rule you defined in Step 2 and then click OK. The settings move from the Available pane to the Assigned pane.
In the Assigned pane, configure priority for the settings. Type an integer to specify a priority. The greater the value, the higher the priority. Settings with higher priority are processed later, ensuring that they are in effect when there is a conflict or dependency.
Filter conditions not applicable to machine settings
|Filter name||Applicable to machine settings|
|Client IP Address Match||No|
|Registry Value Match||If you configure a registry value starting with HKCU, the Registry Value Match filter does not work if applied to machine settings.|
|User Country Match||No|
|User UI Language Match||No|
|User SBC Resource Type||No|
|Active Directory Path Match||No|
|Active Directory Attribute Match||No|
|No ClientName Match||No|
|No Client IP Address Match||No|
|No Registry Value Match||No|
|No User Country Match||No|
|No User UI Language Match||No|
|No Active Directory Path Match||No|
|No Active Directory Attribute Match||No|
|Client Remote OS Match||No|
|No Client Remote OS Match||No|
|Active Directory Group Match||No|
|No Active Directory Group Match||No|
|Published Resource Name||No|