Workspace Environment Management

WEM Tool Hub

WEM Tool Hub is a collection of tools that aims to simplify the configuration experience for Workspace Environment Management (WEM) administrators. To download it, go to Citrix Cloud > WEM service > Utilities.

The prerequisites for running the WEM Tool Hub are as follows:

  • .NET Framework 4.7.1 or later
  • Microsoft Edge WebView2 Runtime version 98 or later
  • Local administrator privilege

Currently, the following tool is available:

  • Application assistant
  • Printer assistant
  • Rule generator for app access control


  • WEM Tool Hub does not save data for you. Data will be cleared after you exit a tool. To avoid potential data loss, be sure to save your work.
  • To paste data copied from WEM Tool Hub into the web console, ensure that the browser allows data copying. Example: For Microsoft Edge, be sure to have the Site permissions > Clipboard > Ask when a site wants to see text and images copied to the clipboard option enabled.

Application assistant

Use this tool to prepare configuration information for icons and Citrix Workspace resources that you want to use when adding applications in the management console.

Workspace resources


This tool requires Citrix Workspace app to be installed on the machine.

When adding an application of type “Citrix Workspace resource” to the web console, you need to specify a resource. To get information for a resource, complete the following steps:

  1. Enter a Store URL or Workspace URL.

  2. Click Browse resources to browse your resources. Resources are then enumerated and listed.

  3. From the list, select the target application and copy its information.

In the web console, paste the information you copied by clicking Paste resource info. See Add an application.


When setting the icon for an application in the web console, you can add new icons. To get data for an icon, complete the following steps:

  1. Click Browse to browse to a file that contains the icon. Icons in the file are then loaded. Supported file types: .exe, .dll, .ico.

  2. Select the icon and copy the icon data.

In the web console, paste the icon data you copied by clicking Paste icon data. See Add an application.

Printer assistant

Use this tool to get a list of printers from your print server so that you can add them as assignable actions in the management console.

When adding printers from a network print server, you need printer information to add them. To get the printer information, complete the following steps:

  1. Enter the full name of the print server.
  2. Specify whether to connect to the print server using specific credentials.
  3. Click Connect to view the printer list.
  4. Select one or more printers from the list and copy the printer information.

In the web console, paste the information you copied by clicking Paste printer info. See Add printers from a print server.

Rule generator for app access control

Use this tool to create rules to control user access to items such as files, folders, and registries. The rules are implemented through Citrix Profile Management. A typical use case is to apply rules to control user access to apps installed on machines — whether to make apps invisible to relevant users.

You can perform the following operations:

  • Create app rules
  • Import app rules from a file
  • Generate raw data for rules
  • Edit app rules
  • Delete app rules

To create an app rule, complete the following steps:

  1. Click Create rule in the action bar.
  2. On the Target objects page, configure the following settings:

    • App rule name. Specify a name to help you identify the rule.
    • Target objects. Add target objects. Target objects can be files, folders, and registries related to the app that you want to hide. Click Scan for a list of apps installed on the current machine and objects associated with each app.


      • The tool might not be able to get the path for a folder after a scan. The path field shows the following warning: No path found. The issue occurs, for example, when the installation folder of an app resides in the user’s profile folder. In that case, you must locate the installation folder and then enter the path manually.
      • You cannot add paths for items on which certain Citrix and Windows services rely. Otherwise, those services might stop working properly. For a complete list of those paths, see Paths not allowed to be added.
  3. On the Assignments page, add users, computers (organizational units), and processes you want to assign the rule to. For more information about how to get the AAD users or groups and NDJ machines, see AAD/NDJ object selector.


    • After you assign this rule to certain users, computers, and processes, the target objects are invisible when users run the processes on related computers.
    • Without assignments specified, this rule always hides the target objects.
    • Assignments come in three categories: users, computers, and processes. The “OR” operator is used between items within a category, and the “AND” operator is used between categories.
    • You cannot add users and computers when running the tool on a non-domain-joined or Azure Active Directory joined machine.
    • You can bulk add processes. Enter process names (including the .exe extension), separated by line breaks.
  4. After you finish, click Done.

To generate raw data for rules, complete the following steps:

  1. Select desired rules or click Select all to select all rules.
  2. Click Generate raw data in the action bar. The raw data is then generated for the selected rules.
  3. In the Generate raw data window, save the raw data to a file for later restoration or copy the raw data to your clipboard.


    • Use the raw data when adding rules in the WEM administration console or when configuring the Profile Management policy “App access control,” depending on how you want to get the rules deployed.
    • After you save the raw data to a file, you can restore the rules from the file. To achieve that, use Import in the action bar.
  4. After you finish, click Done.

Paths not allowed to be added

You cannot add the following paths and their parent paths for items on which certain Citrix and Windows services rely. Profile Management related registries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\UserProfileManager
  • HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UserProfileManager
  • HKLM:\SOFTWARE\Citrix\UserProfileManager

WEM related registries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale
  • HKLM:\SOFTWARE\Policies\Norskale
  • HKLM:\SYSTEM\CurrentControlSet\Control\Norskale

Virtual Delivery Agent (VDA) related registries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
  • HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Citrix Virtual Desktop Agent
  • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Citrix Virtual Desktop Agent

Windows related registries:

  • HKCU:
  • HKU:

Windows and Citrix service related folders:

  • c:\windows\system32
  • \Citrix\User Profile Manager\
  • \Citrix\Workspace Environment Management Agent\
  • \Citrix\XenDesktopVdaSetup\
  • \%windir\%\system32

Assigning app access rules to AAD users/groups and NDJ machines

To assign app access rules to AAD users or groups and NDJ machines, complete the following steps.

  1. Click AAD/NDJ object selector from the web console.

  2. Use the AAD/NDJ object selector to add the desired AAD users and NDJ machines.

  3. Copy the user or machine data.

  4. Go to WEM Tool Hub > Rule Generator for App Access Control, where you create a new app rule.

  5. Go to the Assignments page, and paste the data.

  6. Click Done to create the app access control rules.

  7. Copy the app access control rules.

  8. Go to the web console > configure set > Profile Management settings > App access control and paste the data there.

Add local applications for quick access

This feature lets you add local applications to the WEM Tool Hub for quick access. The added applications are considered as part of your personal data. The data is retained when you switch machines while using the Profile Management environment.

To add an application, click the plus sign on the top right corner of the WEM Tool Hub and then navigate to the application. You can add multiple applications at a time.

The added applications appear as tiles in the WEM Tool Hub. You can click a tile to start the application quickly.


To remove an added application, click the trash can icon.

WEM Tool Hub