In my experience as a consultant and admin, solutions designed and implemented to take full advantage of Workspace Environment Management (WEM) are few and far between. This is due to the multitude of options and use cases and the urge to use every feature instead of understanding and designing a solution that fixes issues. WEM is a flexible tool that can help improve Citrix deployments by decreasing logon times, improving system performance, streamlining the admin experience, and providing users with the best possible experience.

This blog post covers examples of WEM use cases, including features and recommendations, as well as complexity, importance, and risk levels. You can implement each use case individually or in conjunction with the other use cases I cover here, supercharging your Citrix deployment.

Before I get started, all the use cases I cover here assume that the Default Recommended Settings are imported from the WEM media and are applied to the configuration that is being modified. The Default Recommended Settings make most WEM features work out of the box, and the first thing you should do when creating a new Configuration Set is import them. Check out Step 5 of the Citrix WEM Quick Start Guide for more information. For the WEM Service, you can upload the Default Recommended Settings by clicking the upload button, shown above, in the HTML5 Receiver.

System Optimizations

The most important tool for improving user experience, System Optimizations can help address CPU, memory, or disk-related issues. WEM’s CPU Management improves on Microsoft’s Dynamic Fair Sharing, which is a required feature for most Citrix Virtual Apps deployments. Because CPU is the bottleneck for most of these deployments, smoothing out spikes will result in a better user experience, especially on multi-user operating systems. If CPU Spike protection rules are violated, the violating user process (a process initiated by a user) is reprioritized from high (WEM default with Enable Intelligent CPU Optimization enabled) to a lower priority. System processes are not impacted.

Hal Lange has an excellent video demonstration of this feature in action, which you can watch below. The WEM database retains information about process consumption and can apply those optimized settings to future user processes. WEM 1909+ includes an option to Auto Prevent CPU spikes, which reduces the need for additional Configuration sets for machines with different CPU configurations.

Complexity: Low. This is easy to configure with few configuration options. See this blog post and CTX233218 for additional information.

Importance: High. CPU optimization can improve both the user experience and user density in multi-user operating system environments, providing benefits to both end users and IT.

Risk: Low. Make sure to test before moving into production. Applications with high CPU usage are more likely to be impacted by spike protection. Add exclusions for Skype and the Real Time Optimization Pack, as noted in CTX230843.

Actions

Actions function as a replacement for user-based Group Policy Preferences (GPPs) within Group Policy Objects (GPOs). In the example logon below, the client used GPPs to create printers, drive mappings, registry settings, and shortcuts. Unfortunately for the user, these GPPs added more than 20 seconds to the logon process.

With WEM, we can move the printer creation, registry key creation, shortcut creation, and drive mappings from Group Policy to WEM. WEM can process these GPPs asynchronously (read more on asynchronous vs. synchronous processing), which means the drive mapping or printer creation task will not impede the logon process, resulting in faster app or desktop launch.

Please note, user-based GPOs affect logon, and computer-based GPOs have an impact on computer startup. WEM Actions only apply user-based settings, not computer-based settings.

Complexity: Use Case–Specific. Creating a few WEM Actions is straightforward; however, replacing a large number of GPPs with WEM Actions can be challenging and require extensive testing. WEM includes Import Network Print Server, Import Registry File, and Import/Migrate GPO backup options to help reduce manual configuration errors.

Importance: Use Case–Specific. How much benefit this will provide end users depends on how much time GPO/GPP processing is currently consuming as part of the logon process. Targeting GPPs that take a long time to execute will provide the greatest return on time and effort invested.

Risk: Low/Medium. There is very little risk when moving or creating individual actions with WEM if proper testing is performed. Creating multiple actions and applying filters significantly increases complexity. It is also important to consider the impact on any operational processes, such as audit of policy settings and logging/tracking of changes.

Profile Configuration

WEM enables administrators to configure Citrix Profile Management (CPM) settings with WEM instead of with Studio Policy or Group Policy. It is a common misconception that WEM is a profile management tool. WEM is only used to configure CPM (as an alternative to Studio or Group Policy). WEM may also be used to apply common lockdowns and user interface (UI) customizations that administrators would have to specify using Group Policy. WEM allows for the application of lockdowns and CPM policies asynchronously, which can speed up logons in the same way Actions do.

Complexity: Use Case–Specific. Creating a few settings for lockdowns and UI customizations is straightforward; however, a high volume of settings and configuration sets can introduce complexity.

Importance: Low. Configuring CPM, common lockdowns, or UI customization via WEM usually provides limited value to end users because these settings usually do not save a significant amount of time during logons. If WEM is being used for other configurations, this can assist administrators in centralizing where Citrix settings are configured.

Risk: Low/Medium. Similar to Actions, applying common lockdowns or UI customizations adds little risk if tested, proper change controls are followed, and changes are limited in scope. But you should evaluate impact to operational processes.

Application Security

WEM streamlines the ability to manage AppLocker, as well as application whitelists and blacklists. This feature enables administrators to set AppLocker policies without needing GPO rights. WEM also allows administrators to create many AppLocker policies and edit multiple policies at the same time.

Complexity: Medium/High. Blacklisting is easy to enable. Whitelisting and AppLocker are significantly more complicated. At a high level, AppLocker should first run in audit mode to gather information about the applications users are running, so that the rules you create allow access to them once AppLocker is enabled. Consult Microsoft documentation, perform user testing, and follow change control processes when implementing AppLocker policies. Incorrectly applying rules will block some or all application launches, causing an outage.

Importance: High. Blacklisting is recommended in Windows environments that do not use whitelists or AppLocker. AppLocker is preferable to whitelisting because it provides better security by checking a second file condition (e.g., hash, path, publisher, DLL, packaged app). If an executable is renamed to match the name of a trusted application, this second condition will not match that of the trusted executable, and the renamed application will not launch.

Risk: Variable. Blacklisting introduces low risk while whitelisting and AppLocker introduce high risk. Incorrectly creating AppLocker rules or damaging default rules may prevent application launches on a server or desktop machine.
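The audit-first workflow described above can be sketched with the built-in AppLocker PowerShell cmdlets. This is an added example, not taken from the original post or from Citrix; the file paths and the rule name prefix are hypothetical, and the candidate rules it produces still need review before you create them in WEM.

```powershell
# Added example: derive candidate AppLocker rules from audit-mode events and
# check them before enforcement. All paths below are hypothetical placeholders.
Import-Module AppLocker

$candidateXml = 'C:\Temp\applocker-candidate.xml'  # hypothetical output file
$trustedExe   = 'C:\Program Files\Vendor\App\app.exe'  # hypothetical trusted application
$renamedCopy  = 'C:\Temp\app.exe'  # hypothetical: a different binary renamed to the trusted name

# 1. Read the local "EXE and DLL" AppLocker log and keep only audited files,
#    i.e. files that ran in audit mode but would have been blocked (event ID 8003).
$audited = Get-AppLockerFileInformation -EventLog -EventType Audited

if (-not $audited) {
    Write-Warning 'No audited events found. Leave audit mode running longer before writing rules.'
    return
}

# 2. Generate candidate allow rules: a publisher rule where the file is signed,
#    a file hash rule otherwise. Neither condition depends on the file name alone.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'AuditDerived' -Optimize -Xml |
    Out-File -FilePath $candidateXml -Encoding utf8

# 3. Evaluate the candidate policy without applying it. The trusted application
#    should be Allowed; a renamed binary with a different publisher and hash
#    matches no rule and should be reported as DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $candidateXml -Path $trustedExe, $renamedCopy -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 4. List anything under a hypothetical application root that would still be
#    blocked, so gaps are found in testing rather than as a production outage.
Get-ChildItem -Path 'C:\Program Files\Vendor' -Filter *.exe -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $candidateXml -User Everyone -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision
```

An empty result from step 4 only covers the folder that was scanned; applications that users did not launch during the audit period will not have rules and must be tested separately.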

Learn More

WEM delivers significant value to your Citrix deployments, and we recommend that customers consider using the features covered in this post when designing and building Citrix environments. For more information about WEM, check out the WEM edocs and blog posts:

The topics I covered here will help you supercharge your Citrix environment. Keep an eye out for the next Lessons from the Field blog post from the Citrix Consulting team. And check out our previous Lessons from the Field posts on Citrix ADC migrations, Citrix on Azure network design, and scaling Citrix Gateway for business continuity.