Workspace Environment Management

WEM Tool Hub

WEM Tool Hub is a collection of tools that aims to simplify the configuration experience for Workspace Environment Management (WEM) administrators. On the on-premises environment, users can download the tool from the on-premises web console.

The prerequisites for running the WEM Tool Hub are as follows:

  • .NET Framework 4.7.1 or later
  • Microsoft Edge WebView2 Runtime version 98 or later
  • Local administrator privilege

Currently, the following tools are available:

  • Application assistant
  • Start Menu Configurator for Windows 11
  • Windows Logon analysis
  • User Store Creation Tool
  • File Info Viewer
  • File Type Association Assistant
  • Printer assistant
  • Profile Migration Tool
  • Rule generator for app access control

Note:

  • WEM Tool Hub does not save data for you. Data will be cleared after you exit a tool. To avoid potential data loss, be sure to save your work.
  • To paste data copied from the WEM Tool Hub into the web console, ensure that the browser allows data copying. Example: For Microsoft Edge, be sure to have the Site permissions > Clipboard > Ask when a site wants to see text and images copied to the clipboard option enabled.

Application Assistant

Use this tool to prepare configuration information for icons and Citrix Workspace resources that you want to use when adding applications in the management console.

Workspace resources

Note:

This tool requires Citrix Workspace app to be installed on the machine.

When adding an application of type “Citrix Workspace resource” to the web console, you need to specify a resource. To get information for a resource, complete the following steps:

  1. Enter a Store URL or Workspace URL.

  2. Click Browse resources to browse your resources. Resources are then counted and listed.

  3. From the list, select the target application and copy its information.

In the web console, paste the information you copied by clicking Paste resource info. See Add an application.

Icons

When setting the icon for an application in the web console, you can add new icons. To get data for an icon, complete the following steps:

  1. Click Browse to browse to a file that contains the icon. Icons in the file are then loaded. Supported file types: .exe, .dll, .ico.

  2. Select the icon and copy the icon data.

In the web console, paste the icon data you copied by clicking Paste icon data. See Add an application.

Start Menu Configurator for Windows 11

Use this tool to configure Start menu layouts for Windows 11 and generate configurations in JSON format that you can assign as actions in the management console.

To customize the Start menu layout for Windows 11, complete the following steps.

  1. Click Start Menu Configurator for Windows 11 in the WEM Tool Hub. Select applications that you prefer to add to the Pinned section of the Start menu and arrange the layout as needed.

  2. Click Generate configuration and copy the result.

  3. In the web console, click Add a new JSON object and select Start menu configuration for Windows 11. Paste the configuration in the Add JSON object page and click Done.

  4. Assign JSON file configuration to the users by selecting the required assignment target in the Manage assignments page and click Save.

Add applications

To add applications using the WEM Tool Hub, complete the following steps.

  1. Click Add applications in the Start Menu Configurator for Windows 11 page.

  2. Choose the applications from the Add applications page by selecting the required applications that you intend to add to the Start menu, and click Add.

  3. You can change the order of the applications by dragging the applications as needed under the Pinned layout section.

  4. Click Generate configuration and after the configuration is generated, click Copy. While generating the configuration, the selected layout is applied to the Start menu.

Windows Logon analysis

You can use this tool to view logon duration reports and get the tips for logon duration optimization and troubleshooting.

To receive complete reports, enable log collection for relevant Windows event logs on the machine.

  • Click Windows Logon analysis > Get reports to access the Get latest reports wizard.
  • Select the time range by choosing one of the options from the drop down list and click Get reports. The default range is Last 24 hours.
  • The phase and description are displayed in the form of a chart based on the following table.

The following table lists all the metrics, submetrics, and tips in detail.

Base-metric Base-metric Description(UI) Sub-metrics Tips Details
Pre-logon Time taken before Windows Logon. Citrix pre-logon    
    HDX connection    
Authentication Time taken to complete authentication to the session. Windows authentication Use Windows Hello. Windows Hello is a biometric authentication feature that allows you to sign in to your PC using your face or fingerprint.  
    VDA authentication Network/Active Directory Speed. Ensure that there is a good network communication between the current machine and the Active Directory. You can use the tool, such as Dcdiag to check it.  
      Efficient Input of Username and Password. Incorrect or delayed input of the user name and password can lead to an overall extension of the authentication time.  
  Time taken to complete authentication to the session. Session Arbitration    
Citrix RSOP Time taken to complete Citrix RSOP(Resultant Set of Policy).      
User Profile Loading Time taken to load the profile settings for the user logging on. FSLogixLoadProfile (Time taken to load FSLogix profile container). Check for low disk space and free up space. If your hard drive is almost full, it can slow down your PC’s login process. Ensure that you have enough free space on your hard drive.  
    UserProfile (Time taken to load Windows user profile files and settings). Use ProcMon tool. To analyze the details, use the ProcMon tool to capture the file I/Os within the user profile during user logon. Windows profile data (Profile size, file/folder counts), Temp folder data (Profile size, file/folder counts), Top 10 large file list (Size not less than 50 MB), Top 10 large folder list (Size not less than 100 MB)
    SMB client (Time taken to initialize the SMB client for remote connections).    
    CitrixProfileMgmt Citrix Profile Management. If you are using Citrix Profile Management, you can optimize the logon process either by using a container-based solution or by using the file-based solution with Profile streaming, for folders with Accelerate folder mirroring enabled. For more details, see link. Profile Management health check report
  Time taken to load the profile settings for the user logging on. Windows Logon Package   Windows Logon Package
    Citrix Layering Service    
Group Policy Processing Time taken to process Group Policy settings. GroupPolicy GroupPolicyScript (Async) GroupPolicyCse (Async) GroupPolicyScript Disable the GPO cache. Run gpedit.msc and locate to path Computer Configuration > Administrative Templates > System > Group Policy. Then, disable the GPO cache.  
    WmiFilter LogonScheduledTask (Async) SingleLogonScheduledTask FolderRedirection Decrease the number of GPOs. Decrease the number of GPOs that are processed at once. Group Policy processing is done in parallel, but there are limits to how many GPOs can be processed simultaneously. Decreasing the number of GPOs that are processed at once can speed up the Group Policy processing.  
    CitrixWemTotal CitrixWemCheckingHostServiceStatus CitrixWemReadConfiguration CitrixWemStartupScriptedTask Use Citrix WEM to process group policy async. Using Citrix WEM to process group policy async can process group policy before user logon and make group policy processing faster. For more details, see link.  
    CitrixWemCache (Sync) CitrixWemJsonFile CitrixWemMachineGroupPolicy CitrixWemUserGroupPolicy    
    Group policy objects   Single group policy object list
Pre-shell (UserInit) Time for the userinit.exe to the explorer.exe startup.      
Logon Script Processing Time taken to run logon scripts. UserLogonScript Optimize your logon script. You can optimize your logon script by removing unnecessary commands and reducing the size of the script.  
      Use Group Policy Preferences. Group Policy preferences can be used to replace logon scripts. They are easier to manage and can be processed faster than logon scripts.  
      Use Citrix WEM external tasks. Set up your logon scripts using external tasks. You can specify whether to wait for the task to complete and the duration of the wait timeout. Limiting the wait time helps speed-up user logon. To learn more about external tasks, see the product documentation.  
Shell Startup Time taken to run shell startup. ActiveSetup FSLogixShellStart (Time taken to run the shell after loading the FSLogix profile container). Disable startup programs. You can disable the programs that automatically launch when you turn on your PC. To disable startup programs on Win11/Win10/Win Server 2022, perform the following steps. Press the Windows + I shortcut to open Settings and select Apps > Startup. Toggle off any apps or programs that must not be turned on automatically during startup. Remove unnecessary programs from the global startup folder: %allusersprofile%\Microsoft\Windows\Start Menu\Programs\StartUp. Remove unnecessary programs from the user startup folder: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.  
    ShellStart (Time taken to run the shell after loading the Windows user profile). AppxAssociations Enable fast startup. The fast startup feature allows your computer to start up faster after shutdown. To enable fast startup on Windows 10, perform the following steps: Open the Control Panel in Icon view and choose Power Options. Choose what the power buttons do in the sidebar. Select the checkbox Turn on fast startup from the list of options that must be available.  
    AppxLoadPackage(AppX packages loaded during logon) SingleAppxLoadPackage Adjust the appearance and performance of Windows. You can adjust the appearance and performance of Windows to speed up your PC’s login process. To do this, right-click My Computer and select Properties. Click Advanced System Settings and then click the Settings button under Performance. You can adjust the appearance and performance of Windows here.  
  Time taken to run shell startup. Windows Logon Package   Windows Logon Package

User Store Creation Tool

Use this tool to create the user stores with Citrix Profile Management on the current machine, running the tool, or on a different machine. You can specify the folder path and share the name for the user store. When the user store is created, the recommended configuration for the path to the user store is provided, allowing you to use it directly in your Profile Management settings.

Create a user store on the current machine

To create a user store on the current machine, complete the following steps.

  1. Specify the Folder path that you want to set as the user store location. The folder is created and shared with the specified users and groups.

  2. Choose Stop and let me know or Use the existing folder, if the folder already exists.

  3. Optionally, specify a name for the file share. By default, the name of the folder is used as the share name.

  4. Choose Stop and let me know or Stop sharing the existing item and take the name, if a share with the same name already exists.

  5. Select the users and groups that use this user store by clicking Add. This opens the native AD selector to select users and groups.

  6. Select the Users or Groups object type from the location specified.

  7. Add the object names in the Enter the object names to select field in the native AD selector and click OK.

  8. Click Create user store.

Create a user store on a different machine

To create a user store on a different machine, complete the following steps.

  1. Specify the machine name and enter the credentials of a domain user with the local administrator privilege on the machine specified. Make sure that the PowerShell remoting is enabled on the machine.

  2. Specify the Folder path that you want to set as the user store location. The folder is created and shared with the specified users and groups.

  3. Choose Stop and let me know or Use the existing folder, if the folder already exists.

  4. Optionally, specify a name for the file share. By default, the name of the folder is used as the share name.

  5. Choose Stop and let me know or Stop sharing the existing item and take the name, if a share with the same name already exists.

  6. Select the users and groups that use this user store by clicking Add. This opens the native AD selector to select users and groups.

  7. Select the Users or Groups object type from the location specified.

  8. Add the object names in the Enter the object names to select field in the native AD selector and click OK.

  9. Click Create user store.

Errors

The following error messages appear in the related sections.

  • Incorrect user credentials
  • Insufficient user privilege
  • Folder already exists
  • Share name in use

If you receive an error message apart from the ones listed, you can view the error details at the bottom of the page with the title An error occurred. View details below.

To create another user store, click Create another. This choice redirects you to the starting page with all the inputs cleared and reset.

File Info Viewer

You can now use the WEM Tool Hub to quickly retrieve data such as that of path, publisher, and hash value to configure an executable rule in the web console. The process includes the following steps:

  • Select WEM Tool Hub > All Tools > File Info Viewer.

  • Choose a file or folder to get its relevant information.

  • Copy the data from one of the criteria, such as, path information, publisher information, or file hash.

  • Paste the data in the Create Windows installer rule page.

File Type Association Assistant

Use this tool to get the information needed for configuring FTAs to add them as assignable actions in the management console.

Selecting File Type Association Assistant leads you to the File Type Association Assistant page in the WEM Tool Hub. You can configure an FTA by completing the following steps.

  • When you type a file name extension, you can choose from the matching file name extension options that begins with your input.
  • Check if the extension entered has an associated ProgID and whether the ProgID has associated actions in the registry.
  • Click Browse to list all the applications that have the entered ProgID registered.
  • Configure the application that you want to associate it with.
  • You can also select Customize action to perform the Open, Edit, and Print actions.
  • You can copy the configured FTA data by clicking the Copy button.

For more details, see File Type Associations.

Group Policy Migration Tool

This tool enables you to migrate settings from Group Policy to WEM by converting policies and preferences into WEM actions, which you can then manage and assign using the web console.

WEM Actions handle user configuration through the WEM agent after the Windows sign-on is finalized. Unlike Windows GPPs, WEM Actions do not cause delays in the Windows sign-in process.

This feature allows you to convert settings in Group Policy to actions managed and processed by WEM, reducing the procesing time needed during user sign-on.

To migrate settings from Group Policy, consider the following prerequisites:

  • Machine must be domain joined
  • The current user must be a domain user
  • Modules required for GPO backup are installed

You can configure the Group Policy migration by completing the following steps.

  1. Export GPPs to the local machine using the WEM Tool Hub: Export the selected settings and save the exported ZIP file to a location that is accessible for the WEM web console.

  2. Import GPPs to WEM as actions using the WEM web console: In the web console, navigate to Assignments > Assignment Groups in a configuration set and select Import. You can create an assignment group with the settings exported, which you can then assign to the users. For more details, see Create an assignment group using the exported settings.

  3. Remove migrated settings from the GPO: Once you finish migrating the settings, remove the migrated settings from the GPO by setting the migrated options to Disabled. Sign out to verify.

  4. Compare the sign-on times.

Printer Assistant

Use this tool to get a list of printers from your print server so that you can add them as assignable actions in the management console.

When adding printers from a network print server, you need printer information to add them. To get the printer information, complete the following steps:

  1. Enter the full name of the print server.
  2. Specify whether to connect to the print server using specific credentials.
  3. Click Connect to view the printer list.
  4. Select one or more printers from the list and copy the printer information.

In the web console, paste the information you copied by clicking Paste printer info. See Add printers from a print server.

Profile Migration Tool

Use this tool to migrate other profiles to the Citrix container-based profile solution. The process includes the following steps:

  1. Select any of the following source profiles:
    • FSLogix profile container
    • Citrix file-based solution
    • Local machine

    Note:

    If you select Local machine, skip step 2 as Profile Migration Tool retrieves the default configuration of the local machine profiles.

  2. Configure the location of the source profiles:
    • File share: Click Browse and select the required source file share location or directly enter the location.
    • Subpath: If you are not using the default container folder, enter the subpath.

    Note:

    For FSLogix profile container, two different folder patterns are supported, where %SID%_%USERNAME% is the default folder pattern.

  3. Configure the location of the target Citrix user store:
    • File share: Click Browse and select the required target file share location or directly enter the location.
    • Subpath: Enter the required target subpath.
  4. Click Check access to verify if your current account or the alternate account has read access to the source file share and full access to the target file share. If your current account doesn’t have access, select the Use alternate credentials checkbox to enter the alternate user name and password.

  5. Specify the users and groups whose profiles are to be migrated. If no users or groups are specified, all the profiles in the source location are migrated.

  6. Select the OS version of the source profiles.

  7. Click Start migration.

Profile Migration Tool migrates one profile at a time. If you choose to stop the migration, click Stop. This action completes the migration for the current profile and stops the migration for the remaining profiles. You can choose to retry the migration by clicking Retry selected. Otherwise, to perform another migration, click Do another migration.

In case of a failure, you can click View log to see the error logs. You have the option to retry the migration for failed profiles by clicking Retry selected.

Rule generator for app access control

Use this tool to create the following rules:

  • Hide rules. Control user access to files, folders, registry values, and keys.
  • Redirect rules. Redirect files, folders, and registry values and keys for users.

These rules are implemented through Citrix Profile Management. Typical use cases include:

  • Control user access to apps installed on machines — whether to make apps invisible to relevant users.
  • Implement data roaming. Redirect non-user-profile data to a file share, ensuring users can access the same data regardless of which machines they sign into.
  • Enhance data protection. Redirect critical data to alternative locations or values, protecting it from unauthorized access.
  • Customize the user experience. Tailor app experience based on specific requirements.

You can perform the following operations:

  • Create rules
  • Import rules from a file
  • Generate raw data for rules
  • Edit rules
  • Delete rules
  • Test app rules

To create a rule for app access control, complete the following steps:

  1. Click Create rule in the action bar, and then select Hide or Redirect.
  2. On the Rule details page, configure the following settings:
    • App rule name. Specify a name to help you identify the rule.
    • Objects to hide. Add target objects. Target objects can be files, folders, and registries related to the app that you want to hide. Click Scan for apps installed on the current machine and objects associated with each app.

    • Redirections. You can redirect files, folders, and registries. For each redirection, specify the source and destination path.

    Note:

    • You cannot add paths for items on which certain Citrix and Windows services rely. Otherwise, those services might stop working properly. For a complete list of those paths, see Paths not allowed to be added.
  3. On the Assignments page, add users, computers (organizational units), and processes you want to assign the rule to. For more information about how to get the AAD users or groups and NDJ machines, see the AAD/NDJ object selector.

    1. Select an assignment type from Users, Machines, or Processes.

    2. In the Apply to section, specify the assignment objects. If no objects are selected, the rule applies to all objects of that assignment type.

    3. To specify exclusions, go to the Exclude section and add the necessary assignment objects.

    4. If needed, repeat steps a to c for another assignment type.

    Note:

    • Without assignments specified, this rule always takes effect on the target objects.
    • Assignments come in three categories: users, computers, and processes. The OR operator is used between items within a category, and the AND operator is used between categories.
    • You cannot add users and computers when running the tool on a non-domain-joined or Azure Active Directory joined machine.
    • You can add bulk processes. Enter process names (including the .exe extension), separated by line breaks.
  4. After you finish, click Done.

To generate raw data for rules, complete the following steps:

  1. Select desired rules or click Select all to select all rules.
  2. Click Generate raw data in the action bar. The raw data is then generated for the selected rules.
  3. In the Generate raw data window, save the raw data to a file for later restoration or copy the raw data to your clipboard.

    Note:

    • Use the raw data when adding rules in the WEM administration console or when configuring the Profile Management policy App access control, depending on how you want to get the rules deployed.
    • After you save the raw data to a file, you can restore the rules from the file. To achieve that, use Import in the action bar.
  4. After you finish, click Done.

You can validate the app access control rules on the local machine before deploying in the testing or production environment.

To test app rules, complete the following steps:

  1. Select the desired rules or click Select all to select all rules.

  2. Click Test in the action bar.

    • Click Deploy to local machine to deploy the selected rules to the local machine and verify if the rules are working as expected. Click Deploy on the popup window to confirm the action.

    Note:

    While testing the app rules, the rules affect only the current user.

    • Click Clear deployed rules from local machine to clear deployed app access control rules from the local machine.

Paths not allowed to be added

You cannot add the following paths and their parent paths for items on which certain Citrix and Windows services rely. Profile Management related registries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\UserProfileManager
  • HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UserProfileManager
  • HKLM:\SOFTWARE\Citrix\UserProfileManager

WEM related registries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Norskale
  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\WEM
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale
  • HKLM:\SOFTWARE\Policies\Norskale
  • HKLM:\SOFTWARE\Citrix\WEM
  • HKLM:\SYSTEM\CurrentControlSet\Control\Norskale

Virtual Delivery Agent (VDA) related registries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
  • HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Citrix Virtual Desktop Agent
  • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Citrix Virtual Desktop Agent

Windows related registries:

  • HKCU:
  • HKEY_CURRENT_USER
  • HKU:
  • HKEY_USERS

Windows and Citrix service related folders:

  • c:\windows\system32
  • \Citrix\User Profile Manager\
  • \Citrix\Workspace Environment Management Agent\
  • \Citrix\XenDesktopVdaSetup\
  • \%windir\%\system32

Assigning app access rules to AAD users/groups and NDJ machines

To assign app access rules to AAD users or groups and NDJ machines, complete the following steps.

  1. Click AAD/NDJ object selector from the web console.

  2. Use the AAD/NDJ object selector to add the desired AAD users and NDJ machines.

  3. Copy the user or machine data.

  4. Go to WEM Tool Hub > Rule Generator for App Access Control, where you create a new app rule.

  5. Go to the Assignments page, and paste the data.

  6. Click Done to create the app access control rules.

  7. Copy the app access control rules.

  8. Go to the web console > configure set > Profile Management settings > App access control and paste the data there.

Add local applications for quick access

This feature lets you add local applications to the WEM Tool Hub for quick access. The added applications are considered as part of your personal data. The data is retained when you switch machines while using the Profile Management environment.

To add an application, click the plus sign on the top right corner of the WEM Tool Hub and then navigate to the application. You can add multiple applications at a time.

The added applications appear as tiles in the WEM Tool Hub. You can click a tile to start the application quickly.

Note:

To remove an added application, click the trash can icon.