
CWS 315 2I en StudentManual 4 5 Days v02


CWS-315-2I: Citrix Virtual Apps and Desktops 7 Advanced Administration (4-5 Days)

Not for resale or distribution

Table Of Contents

Module 1 - Introduction to Citrix App Layering ..... 2
  Citrix App Layering Introduction ..... 4
  Architecture and How it Works ..... 23
Module 2 - Create an OS Layer ..... 49
  The OS Layer ..... 51
Module 3 - Create a Platform Layer ..... 72
  The Platform Layer ..... 74
Module 4 - Create an App Layer ..... 91
  The App Layers ..... 93
Module 5 - Elastic App and User Layers ..... 113
  Elastic App Layering ..... 115
  User Layers ..... 126
Module 6 - Deploy a Layered Image Using Citrix Virtual Apps and Desktops ..... 156
  Using Templates in Citrix App Layering ..... 158
  Using Layered Images in a Citrix Virtual Apps and Desktops Site ..... 175
Module 7 - Explore Layer Priority and Maintain an App Layering Environment ..... 194
  Layer Priority ..... 196
  Updating Layers ..... 207
  Maintaining and Updating the App Layering Environment ..... 215
  Common Citrix App Layering Considerations and Additional Resources ..... 230
Module 8 - Introduction to Workspace Environment Management (WEM) ..... 245
  WEM Features and Benefits ..... 247
  WEM On-Premises Components and Deployments ..... 252
  WEM Service Components and Deployments ..... 274
  WEM Component Communication Workflows ..... 286
Module 9 - WEM On-Premises and WEM Service Deployment Installation ..... 303
  WEM On-Premises Deployment Installation - Leading Practice Installation Prerequisites and Steps ..... 305
  WEM On-Premises Deployment Installation - WEM ADMX Template Configuration ..... 312
  WEM On-Premises Deployment Installation - Choosing a Security Principal to run the WEM Infrastructure Service ..... 316
  WEM On-Premises Deployment Installation - Creating the WEM Database ..... 325
  WEM On-Premises Deployment Installation - Running the WEM Infrastructure Service Configuration Utility ..... 335
  WEM On-Premises Deployment Installation - WEM Agent Installation ..... 348
  WEM Deployment Installation - WEM On-Premises vs WEM Service ..... 357
  WEM Service Deployment Installation - Leading Practice Installation Prerequisites and Steps ..... 361
  WEM Service Deployment Installation - WEM ADMX Template Configuration ..... 369
  WEM Service Deployment Installation - WEM Agent Installation ..... 374
Module 10 - WEM Administration Consoles and Initial Setup ..... 383
  WEM Consoles ..... 385
  WEM Initial Setup ..... 394
  Migrating GPO settings to WEM ..... 411
Module 11 - WEM Centralized Management Features: System and Log On Optimization ..... 421
  WEM System Optimization Management Features ..... 423
  WEM Logon Optimization Management Features ..... 452
  WEM Assigned Actions ..... 458
  Citrix Profile Management in WEM ..... 471
Module 12 - WEM Centralized Management Features: Security & Lockdown ..... 483
  WEM Security Management Features ..... 486
  WEM Transformer ..... 502
  WEM Monitoring and Reporting ..... 523
Module 13 - The WEM Agent ..... 530
  WEM Settings Processing and WEM Agent Caches ..... 532
  WEM Agent integration with Citrix Virtual Apps and Desktops ..... 551
Module 14 - Upgrading Workspace Environment Management (WEM) and Migration to WEM Service ..... 566
  Upgrading Workspace Environment Management (WEM) ..... 568
  WEM on-premise Migration to WEM Service ..... 580

Citrix App Layering and WEM Administration

Introduction to Citrix App Layering

Module 1

2 © 2021 Citrix Authorized Content


Learning Objectives

• Describe the benefits of the Citrix App Layering solution and the purpose of each layer.
• Identify the App Layering layer in which each software component category is designed to be placed.
• Describe the role and the workflow of Citrix App Layering.
• Recognize how Elastic layers are mounted into a layered image.


Citrix App Layering Introduction


App Layering is an App and Image Management Solution

• App Layering is a process used to deliver a complete virtual desktop to an end-user.
• We can create and manage the following types of layers:
  • Operating System Layer
  • Platform Layers
  • Application Layers
  • Elastic Layers
  • User Layers

[Figure labels: User Layer, Elastic Layer, Application Layers, Platform Layer, Hypervisor Tools (example), Operating System Layer]

Key Notes:
• App Layering is an App and Image Management Solution; it is a process and a technology.
• Layering is a process that is used to deliver a complete virtual desktop, including the OS and apps which are needed for an end user.
• App Layering allows you to individualize virtual machine components into layers:
  • Takes Application Complexity - makes it Application Layers
  • Takes Hypervisor Complexity - makes it Platform Layers
  • Takes Operating System Complexity - makes it Operating System Layers


• You can use the following types of layers:
  • Layers to include in image templates and layered images
    • Operating System Layer - The Operating System Layer contains the operating system that the software imports from a golden image. It can also include configuration settings, printer settings, applications (for example, anti-virus software), and all other aspects of the golden image at the time of import. The OS Layer is limited to Windows at this time.
    • Platform Layer - Similar to an application layer, but only applies at image build/compile. It contains target environment drivers, software, VDA, PVS target software, et cetera.
    • Application Layers - Application Layers contain software programs that you can deploy to any desktop with the compatible operating system. A Layer can also include patches or plug-ins for programs.
  • Layers you can enable on layered images
    • Elastic Layers - An App Layer that the administrator can deliver based on user entitlements when users log onto sessions or standalone desktops. Elastic Layers allow administrators to give each user his/her own unique set of applications, on top of the base Layered Image used across sessions (in the case of session hosts), and across floating pools/shared groups (in the case of desktops). This can drastically reduce the number of base Layered Images that administrators need to maintain.
    • User Layer - This layer contains a user's personalized data: applications, configuration settings, and data. When you create a desktop, the software creates this layer. As users modify their desktop, the desktop stores all of their changes in the User Layer associated with their desktop.

Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html


Citrix App Layering Benefits

Corporate IT infrastructures can benefit from Application Layering technology in a variety of ways.

• Simplifies application and image management.
• Faster application packaging.
• High Availability.
• Real-time application delivery.
• Deploy the app package on any infrastructure, Hypervisor, or cloud.
• Eliminate managing multiple golden images.
• Reduce overall app and desktop management cost up to 80%.

33 © 2020 Citrix | Confidential

Key Notes:
• Application Layering:
• Offers an application packaging, application lifecycle management, and image management solution designed for modern mobile workspaces, including VDI and traditional server-based computing (terminal server) - both on-premises and in the cloud. For customers looking to the cloud, App Layering simplifies the move, because images have the agility to be switched between Hypervisors, on-premises/cloud without having to repackage or reimage.
• High Availability – App Layering uses the same Hypervisor APIs as the brokering management tools, and adds the ability to snapshot and version OS, Application and Personalization layers for easy rollback and recovery.
• Provides much faster and easier image management and is compatible with more applications than application virtualization. It is much faster and easier, more reliable, and more resource-efficient than agent-based software distribution tools that require repetitive reinstallations.
• Offers real-time application delivery for Citrix Virtual Apps and Desktops.
• Offers Elastic Layering, which attaches applications at user login to Citrix Virtual Apps and Desktops on the basis of Active Directory user and group membership. This enables Citrix Virtual Desktops to offer a persistent VDI experience without having to allocate a full virtual desktop for every user, since each user's application layers and personal user layer can be attached at login to non-persistent desktops.
• Elastic Layering also works with Citrix Virtual Apps, enabling users logging onto the same Citrix workload server to have different apps delivered to their sessions. This unique innovation gives customers more options when choosing between traditionally published desktops (Server OS) or VDI desktops (Desktop OS).
• Provides simplified image management for Citrix Virtual Apps and Desktops.
• Packages every component of a Windows workspace - even the OS itself - as a virtual disk 'layer'. This unique capability can be used to completely eliminate image management in Citrix silos or server configurations are needed, Virtual Apps and Desktops environments.
• IT administrators can combine the same Windows OS layer with any combination of app layers to create standard Windows images. Irrespective of the number of images, the OS layer and all app layers only have to be managed, patched, and updated once.
• It will automatically recompose the images with any new layer versions and update the Citrix Virtual Apps and Desktops environment through integration with Citrix Provisioning (PVS) and Machine Creation Services (MCS).
• Application installs are easier with App Layering, because the install is very straightforward, like a standard install, eliminating the need to rely on agent-based software distribution tools, which also increases the stability of the applications running in the environment and speeds up installation times.
• Through layering, applications can be packaged separately from the OS, which results in eliminating the golden image sprawl and eliminating the re-packaging or repetitive installation of the same apps on different hypervisors or clouds.
• Application packaging is more than just installs, and it’s also maintenance. With App Layering keeping the OS and the Apps in separate layers for installs, this also means that the OS can be patched independently of the app layers, allowing for a single round of updates per OS image.
• Helps to reduce the overall app and desktop management cost up to 80%.
• Benefits IT departments with much faster application packaging; the elimination of golden image sprawl and related patching inefficiencies; error-free, install-free application management; reduced server and storage resource requirements; and the agility to deliver apps to different Hypervisors and clouds without costly re-packaging or re-imaging. End users benefit from greatly accelerated access to new applications and application updates; faster remediation of common application patching and delivery issues; and a more personal, productive computing experience.
• IT will benefit from reduced operational and capital costs:
  • Faster application packaging.
  • The elimination of golden image sprawl and related patching inefficiencies.
  • The elimination of service tickets caused by a failed application or OS patches.
  • Faster service call remediation by being able to instantly "undo" problematic patches and updates.
  • Reduced server and storage costs by offering a persistent desktop experience with Citrix Virtual Desktop non-persistent VDI or Citrix Virtual Apps shared hosted desktops.
  • The agility to switch hypervisors without repackaging or reimaging.
  • Easy on-ramp to the cloud.
  • Reduction in unnecessary application licenses.
• End users will benefit from productivity gains and greater application availability:
  • Real-time delivery of new applications and app updates.
  • Instant remediation of problematic software updates.
  • More personal, customizable workspaces.
  • Faster provisioning and on-boarding of new employees.
• Citrix App Layering user layers provide a better experience for administrators and users in a virtual app and desktop environment.
  • Simplifies image management by allowing user-based customization to non-persistent virtual environments.
  • Solves the most difficult usability concerns in a virtual app and desktop environment: Outlook cache, OneDrive, Windows search, user-installed apps, and so on.


Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html
• Citrix App Layering - User Layers: https://docs.citrix.com/en-us/tech-zone/learn/tech-insights/app-layering-user-layers.html


App Layering Terminology

• Layered Image
• Image Template
• OS Disk
• OS Machine
• Packaging Disk
• Packaging Machine
• Layer
• OS Layer
• App Layer
• User Layer
• Platform Layer
• Elastic Layer
• Prerequisite Layer
• Connector
• Connector Configuration
• Directory Junction
• Directory Service
• Enterprise Layer Manager
• Management Console
• Compositing Engine

Key Notes:
• Layered Image - A bootable image composited from an OS Layer, a Platform Layer, and any number of App Layers. Layered Image(s) are published using Image Templates where you save your layer selections for a particular use, usually provisioning servers in a specific silo.
• Image Template - An Image Template saves the OS Layer, App Layer, and Platform Layer assignments you have chosen for a Layered Image, allowing you to use any combination of layers to provision any number of servers.
• OS Disk - The virtual disk containing the Operating System that is imported to create an OS layer. To prepare the OS disk you will install and configure an Operating System on a virtual machine. The OS Disk is the virtual disk where the Operating System was installed.
• OS Machine - The Operating System (OS) Machine is a virtual machine that you create from which you can generate an OS Disk and an OS Layer.
• Packaging Disk - A bootable virtual disk used to create a Packaging Machine needed for creating or updating a Layer. The Packaging Disk always includes your OS Layer and may also include selected Application and Platform Layers.
• Packaging Machine - A virtual machine that acts as a staging area for the creation of App Layers, App Layer Versions, and OS Layer Versions. The Packaging Machine is booted from a Packaging Disk using the credentials and location specified in the selected Connector Configuration.
• Layer - A layer captures a Windows Operating System, a Windows Application, or the configuration settings and tools required for Images to run on a particular platform in a virtual disk that can be combined with other layers to create a Layered Image. Layers are created from a simple install of the application or operating system. You can select any combination of Layers for each Layered Image. You can reuse the same layers in any combination to provision a variety of servers.
• OS Layer - A virtual disk containing the operating system. You can use an OS Layer with any compatible App Layers in any number of Layered Images. You can create a new version of the OS Layer for every patch you need to roll out and continue deploying any and all versions of the layer as you add patches.
• App Layer - A virtual disk containing one or more applications that you can use in any number of Layered Images. When publishing a Layered Image, you can combine an App Layer with the OS Layer used to create it, other App Layers, and a Platform Layer.
• Platform Layer - A layer that includes configuration settings, tools, and other software required for Images to run on a particular platform. For example, a platform layer for vSphere would include VMTools. Platform Layers also remove leftover software from other platforms from your image.
• Elastic Layer – An elastic layer can be delivered based on user entitlements when users log onto sessions or standalone desktops. Elastic Layers allow administrators to give each user his/her own unique set of applications, on top of the base Layered Image used across sessions. This can drastically reduce the number of base Layered Images that administrators need to maintain.
• User layer - Enabling user layers on a layered image allows you to persist a user’s data and settings, and any applications that they install themselves. When enabled, a user layer is created for each user the first time they log on to an image.


• Prerequisite Layer - An application that is required when installing another application for a new Application Layer or Layer Version. For example, you would select your Microsoft Office App Layer as a Prerequisite Layer when installing a Microsoft Office plugin in a separate App Layer. Or, you would select your Java App Layer as a Prerequisite Layer when creating a Layer for an application that requires Java.
• Compositing Engine - The Compositing Engine feature, also referred to as Offload Compositing, aims to move the process of packaging layers and image creation from the Linux-based ELM into a lightweight, ephemeral appliance running Windows PE. Use of Compositing Engines is a choice.
• Connector - Connectors are the interfaces to environments where layers are created and images are published. The type of platform connector determines the information required to create a specific Connector Configuration.
• Connector Configuration - A stored set of values for connecting to a specific environment. A configuration typically includes credentials for authentication, a storage location, and any other information required to interface with the environment where you will be creating layers or publishing images.
• Directory Junction - A connection to a base Distinguished Name in a directory service (such as Microsoft Active Directory). Adding a Directory Junction to the local tree allows you to assign Administrator privileges to users that are defined in the directory service instead of in the Management Console.
• Directory Service - A hierarchical repository of information about users, devices, and services on a network server. Microsoft Active Directory and LDAP are examples of directory services.
• Enterprise Layer Manager - A virtual appliance that coordinates communication in the Unidesk environment, and hosts the Unidesk Management Console (UMC), the administrator interface for the Unidesk environment. The ELM also manages copies of all Layers.
• Management Console - The Web-based management console that runs on the Unidesk Enterprise Layer Manager (ELM). The UMC allows you to manage all of the components in the Unidesk environment. You can use it to create Layers, publish Layered Images, and manage system settings.

Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html
• A Technical Overview of Citrix Application Layering: https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/citrix-application-layering-technical-overview.pdf


OS Layer

• The OS Layer contains:
  • The operating system (imported from the golden image).
  • Configuration settings, printer settings, etc.
  • Hypervisor tools (sole or primary hypervisor platform)
  • Applications such as antivirus agents.
• The OS Layer is a Read-Only image and can only be updated/patched by an Administrator.

[Figure labels: Windows 10; Windows Server 2008 R2, 2012 R2, 2016, and 2019; Windows 7]

Key Notes:
• Typically there is one OS layer for all desktops making patches and updates easy to manage. However, you can have OS layers for
Desktop OS variants such as Windows 7, Windows 10 and Server OS variants such as Windows Server 2008 R2, 2012 R2, 2016, and
2019.
• Citrix App Layering only supports Windows virtual machines; there is no current support for other operating systems, such as Linux.
• The OS Layer is a Read-Only image and can only be patched or updated by IT.
• Applications such as anti-virus should be installed on the OS layer.

• Once a desktop has an OS Layer assigned to it, it cannot be changed. You cannot switch a desktop to a different OS layer, even if the layer has the same OS as the one on which the desktop is created.
• Desktops can be updated by creating new versions of the current OS layer and deploying it to the desktops. The desktops need to be restarted before the changes take effect.
• Layering technology can layer any application; there is no need for applications to be installed in the image. The golden image (OS layer) you are creating may act as a base for numerous pools/delivery groups within the environment and separation of apps from the OS is key to limiting the number of OS copies you have to manage. It should be noted at this point that even applications with drivers, services, kernel devices, etc., are all supported as Application Layers and (with very few exceptions) should not need to be put in the golden image.

Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html


Platform Layer

The Platform Layer contains
• Configuration settings.
• System tools.
• Other software required for images to run on a particular platform.

The Platform Layer can integrate with many hypervisors and environments.

[Figure labels: Citrix Hypervisor, Hyper-V, Platform Layer]

Key Notes:
• Layering technology can be run on many Hypervisors and deploy images built with the OS and Application Layers in any environment.
Platform Layers are designed to support this.
• A Platform Layer containing your Hypervisor, Provisioning Service and connection broker software isolates App and OS layers from the infrastructure where they will be published.
• For example, if OS and Application Layers were originally built on a VMware vSphere hypervisor, but the organization wants to re-use those layers with Citrix Hypervisor, a Platform Layer with Citrix VM Tools installed can be created to accomplish that.
• The platform layer can be used to move other layer types between different Hypervisors.
• This enables an administrator to update applications and operating systems one time, but have them distributed out to multiple sites.
• It doesn’t matter if both of those sites are internal VMware vCenters, or if one is an on-premises vCenter and the other an Azure cloud DR deployment.
• All deployments will use the same base layers.
• The Platform Layer can integrate with many Hypervisors and environments.
• Common examples of Platform Layer installs include:
  • Hypervisor Tools.
  • Citrix VDA.
  • Citrix PVS Target Device Software.
  • Domain join
  • NVIDIA Drivers, if applicable
  • Workspace App, for the Single Sign-on component
  • Citrix Workspace Environment Management (WEM) agent
  • Any software that impacts the logon stack, for example, Imprivata
  • Citrix Provisioning on Hyper-V: Requires a Legacy Network Adapter to PXE boot.
  • Microsoft System Center Configuration Manager (SCCM) software, if you are using it

Additional Resources:
• Create Platform layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html


Application Layer

The Application Layers contain:

• Software programs, which can be deployed to any machine using a compatible OS Layer.
• Patches or plugins for programs.

Application Layers are read-only and can only be updated by administrators by adding an application layer version.

A single application layer can contain multiple applications.

[Figure labels: Personal Apps, Corporate Apps]

Key Notes:
• Application Layers can also include patches or plugins for programs.
• App Layer doesn’t have to be just single applications. A single application layer can contain multiple applications.
• Citrix App Layering has five types of layers, the story is told in the configuration order.
• The App Layer is a unique virtual disk for the applications that were installed.
• Application dependency software can also be layered, such as Flash or Java.
• Any application can be packaged as a layer, even those which require device drivers and boot-time services.


• They can contain multiple applications or just contain documents and other files.
• Any data that is written when the application is installed (directories, files, or keys that are added) is stored in the
app layer.
• If there are parts of the OS layer that need to be modified by the application, they are first copied to the app layer
and then modified.
• Like OS Layers, App Layers are Read-Only and can only be updated by IT when the application layer is versioned.
• An app layer can include several layer versions. Each of these contains a different version of the application. Different
layer versions of the same application can be deployed to desktops.
• The benefit of App Layering is that if a user uninstalls an application or needs an application fixed, it can be repaired
for an assigned application.

Additional Resources:

• Create or clone an app layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html



Elastic Layer and User Layer

An App Layer that an administrator can deliver dynamically based on user entitlements when users log on to sessions or standalone desktops.

• Allow administrators to give each user his/her own unique set of applications at logon.
• Can drastically reduce the number of base Layered Images that administrators need to maintain.
• The User Layer provides persistence for user profile settings, and other data, even when connected to non-persistent VDI machines.

[Diagram labels: SMB Share, Secondary Share, Elastic App Layers, User Layer, Profile Settings and Data, Session Host, User 1, User 2]

Key Notes:
• The Elastic layer is an App Layer.
• A copy of the Layer is stored in the appliance's Network File Share, and delivered to individual AD users and groups on-demand, in
addition to the Layers that they receive via the base image.
• To use this feature, you'll add Elastic Assignments specifying which users and groups should receive each of the App Layers.
• Elastic layers do not become a part of the image like App Layers do, but are rather applied based on user entitlements.
• Elastic Layers can significantly reduce the number of “golden” images needed.



• The User Layer is a virtual disk, managed and delivered like elastic layers, but not limited to application delivery.
• The User Layer provides persistence for user profile settings, and other data, even when connected to non-persistent
VDI machines.
• You can enable the following types of User layers:
• Full - All of a user’s data, settings, and locally installed apps are stored on their User layer.
• Office 365 - (Desktop systems) Only the user’s Outlook data and settings are stored on their User layer.
• Session Office 365 - (Session hosts) Only the user’s Outlook data and settings are stored on their User layer.

Additional Resources:

• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html



Lesson Objective Review

What are the six types of Layers that can be configured using App Layering?

• Operating System Layer
• Platform Layers
• Application Layer
• Elastic Layer
• User Layer
• Prerequisite Layer


Architecture and How it Works


Architecture Diagram

[Diagram labels: Enterprise Layer Manager, Repository, Layers, Layered Images, Databases, License Server, Domain Controller, Delivery Controller, Persistent, Non-Persistent, Session Host. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor]

Key Notes:
• The Enterprise Layer Manager (ELM) creates and manages layers which can be assigned to users or machines.
• Using ELM, administrators can create different layers like application layers, OS layers, and platform layers which will be kept in a
repository managed by ELM.
• Administrators can create a layered image with a combination of a specific OS layer and a few application layers as per the
requirement of the users. During the layered image creation process, these different layers are merged to form a single image.
• This process will create a virtual machine on the underlying Hypervisor and the same can be used as a master image for Citrix
Machine Catalog.
• Once the machine catalog is created, we can create or provision machines which can be assigned to the users through
Delivery Group.
• Users can launch the desktop in the ICA session when they log on to Citrix Workspace.
• Compute Layer provides the hardware resources for the deployment.

Additional References:

• Citrix App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html



Technical Overview

• Internal users access StoreFront directly; external users are proxied by Citrix Gateway.
• StoreFront presents resources available to end-users.
• Enterprise Layer Manager creates and manages the layers which can be saved as VMs or vDisks to be integrated as Master Machines for MCS and vDisks for PVS.
• Delivery Controllers broker connections to resources.

[Diagram: User Layer, Access Layer, Control Layer, Resource Layer and Hardware Layer. Labels: Internal Users, External Users, Firewall, Citrix ADC Gateway, StoreFront, Enterprise Layer Manager, Layers, Repository, Domain Controller, Delivery Controller, Databases, License Server, Persistent, Non-Persistent, Session Host; Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor]

Key Notes:
• Where does Layering fit in with Citrix Virtual Apps and Desktops?
• Enterprise Layer Manager creates and manages the layers which can be published to users through Delivery Groups.
• Resources include the layers which have the OS and app layers made available through the layering concept with the help of
Enterprise Layer Manager:
• Session host – Server OS
• Desktop OS – Hosted VDI (persistent and non-persistent)


• Compute Layer is where the Access, Control, and Resource Layers pool their virtual computing from.



Enterprise Layer Manager (ELM) Server

• Linux-based virtual appliance.
• Coordinates communication in the App Layering environment.
• Hosts the Management Console.
• Manages copies of all Layers.

Key Notes:
• Enterprise Layer Manager is a Linux CentOS system. Initially, it contains a 30GB boot disk and a 300GB Layer Repository disk. Both are
XFS file systems.
• The Enterprise Layer Manager is also known as the App Layering appliance.
• The following Hypervisors are supported for App Layering ELM Server:
• Citrix Hypervisor



• Microsoft Azure
• Microsoft Hyper-V
• Nutanix AHV
• VMware vSphere
• The App Layering appliance hosts the App Layering management console. Within the management console, you can
create layers, and assign them to layered images, or directly to users by using elastic assignment.

• The ELM Server manages copies of all layers; providing the ability to:
• Install and manage a single copy of your Windows operating system and a single copy of each of your apps in layers.
• Select any combination of layers to create layered Images that are deployable as session hosts.
• Deploy those layered images to virtual machine session hosts, making the applications available to users.

Additional Resources:
• System requirements: https://docs.citrix.com/en-us/citrix-app-layering/4/system-requirements.html
• Citrix Hypervisor: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/citrix-hypervisor.html
• MS Azure or Azure Government: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/ms-azure.html
• MS Hyper-V: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/ms-hyper-v.html
• Nutanix AHV: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/nutanix-ahv.html
• VMware vSphere: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/vmware-vsphere.html
• VMware Horizon View in vSphere: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/vmware-horizon-view.html


Configure the ELM Server
The Process Overview

1. An administrator downloads the ELM virtual appliance from Citrix.com.
2. The appliance is imported to the customer’s environment, and basic configurations are performed in the VM console.
3. Additional system configurations are performed using the web-based admin console.

[Diagram: 1. Administrator downloads the VPX from Citrix.com; 2. CLI adjustments made to ELM password and Network Settings, etc.; 3. App Layer System Configurations made for SMB location, Base DN, etc.]

Key Notes:
• To install, configure/use the ELM Server:
1. Install the Enterprise Layer Manager VPX on a dedicated virtual machine (for example, the Citrix Hypervisor_4.5.0.1.2.ova file),
downloaded from the Citrix website.
2. Start the ELM Linux-based appliance from within the Hypervisor.
3. Log in to the console with the default Localhost login: administrator/Password: “Unidesk1”.


4. Use the App Layering appliance configuration CLI to make adjustments to the ELM password, network settings, time zone,
and NTP Server:
• On the App Layering appliance configuration, type P and then press Enter to change the default password of the
appliance. Then enter the new administrator password and press Enter. Then, enter the new password again to
confirm it.
• On the App Layering appliance configuration, type C and then press Enter to configure network settings for the
appliance.
• The following options are then required for completing the network configuration:
• (S)tatic or (D)ynamic networking
• IP Address: 192.168.x.x
• Netmask: 255.x.x.x
• Gateway IP address [optional]: 192.168.x.x
• DNS 1 [optional]: 192.168.x.x
• DNS 2 [optional]:
• Then you have the available options to save or quit: (S)save settings, (R)edo, or (Q)uit: type S
• The network services will restart upon saving the configurations.
Note: The following are all the available CLI commands:
• S is used to show the current configuration of the appliance.
• C is used to configure the network settings of the appliance.
• P is used to change the appliance password.
• T is used to change the time zone.
• N is used to define the NTP servers.
• Q is used to quit and log off the administrator account.
5. Then, access the App Layering management console via web browser using the ELM Server IP address you
configured, i.e. http://192.XXX.XX.XX.
6. Log in to the App Layering management console with the default login: administrator/Password: “Unidesk1”.
7. Accept the Citrix License Agreement.
8. Change the App Layering web console password.


9. Review the “Welcome to…” screen for any assistance on the App Layering creation and management process.
10. Additional configurations for the location of the Network File Share (SMB), Security timeout values, AD Directory
Service, and Base DN can be set within the App Layering web console’s System menu option.
11. Once you configure the SMB File Share Path, you can validate it by pressing the “Test SMB File Share” button.
12. Then you can configure Create Directory Junction under the App Layering management console; Users > Directory
Service.
The following information is needed:
• Directory Junction Name: <Domain>
• Server Address: <AD Domain Server FQDN>
• Port: <i.e. 389>
Then “Test Connection” to validate.
13. On the Authentication Details page, enter the following information:
• Bind Distinguished Name: <Domain\administrator>
• Bind Password: <Password>
Then “Test Authentication” to validate.
14. On the Distinguished Name (DN) Details page, you would enter the following details:
• Base Distinguished Name: (i.e.) DC=workspacelab,DC=com
15. Then Confirm and Create the Directory Junction.
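
The following is an added example, not part of the Citrix course material: a Python pre-flight review of the values recorded while working through steps 1 to 15 (default-password changes, console URL, static network settings, and Directory Junction fields). The layout of the settings dictionary, the finding codes, and sample values such as 192.168.10.20 are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; a comma escaped as '\\,' stays in its value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn.strip()):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_network(ip, netmask, gateway=None):
    """Validate the static values typed at the appliance CLI's network prompt."""
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
        gw = ipaddress.ip_address(gateway) if gateway else None
    except ValueError as exc:
        return [("NET_INVALID", str(exc))]
    findings = []
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(("NET_RESERVED_IP", f"{iface.ip} is not a usable host address"))
    if gw is not None and gw not in net:
        findings.append(("NET_GATEWAY", f"gateway {gw} is outside {net}"))
    return findings


def bind_user(bind_account):
    """Extract the account name from DOMAIN\\user, user@domain or a full DN."""
    if "=" in bind_account:
        return parse_dn(bind_account)[0][1].lower()
    return bind_account.rsplit("\\", 1)[-1].split("@")[0].lower()


def review(settings):
    """Return (code, message) findings for one appliance's recorded settings."""
    findings = []
    if not settings["appliance_password_changed"]:
        findings.append(("PW_APPLIANCE", "appliance CLI still uses the default password"))
    if not settings["console_password_changed"]:
        findings.append(("PW_CONSOLE", "web console still uses the default password"))
    if urlparse(settings["console_url"]).scheme != "https":
        findings.append(("CONSOLE_HTTP", "management console is reached over plain HTTP"))
    net = settings["network"]
    findings += check_network(net["ip"], net["netmask"], net.get("gateway"))
    dj = settings["directory_junction"]
    if dj["port"] == 389:
        findings.append(("LDAP_389", "389 is the plain LDAP port; a simple bind sends "
                         "the password unencrypted unless TLS is negotiated"))
    if bind_user(dj["bind_account"]) == "administrator":
        findings.append(("BIND_ADMIN", "bind account is the domain administrator"))
    try:
        if not any(attr == "DC" for attr, _ in parse_dn(dj["base_dn"])):
            findings.append(("BASE_DN", "Base DN has no DC component"))
    except ValueError as exc:
        findings.append(("BASE_DN", str(exc)))
    return findings


# Constructed sample: the values the steps above use, with placeholders filled in.
AS_DOCUMENTED = {
    "appliance_password_changed": False,
    "console_password_changed": False,
    "console_url": "http://192.168.10.20",
    "network": {"ip": "192.168.10.20", "netmask": "255.255.255.0",
                "gateway": "192.168.10.1"},
    "directory_junction": {"port": 389,
                           "bind_account": "WORKSPACELAB\\administrator",
                           "base_dn": "DC=workspacelab,DC=com"},
}

if __name__ == "__main__":
    for code, message in review(AS_DOCUMENTED):
        print(f"{code}: {message}")
```

Run against the values exactly as the steps list them, the review reports the two default passwords, the HTTP console URL, the port 389 bind, and the administrator bind account.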

• The ELM Server (App Layering appliance) utilizes local storage on the Hypervisor, as well as network file storage
locations.
• Storage Requirements:
• 350–500 GB local storage space.
• The App Layering appliance uses local storage for temporary files and finalized layers. The more layers you create, the
more space you need.
• If needed, the current disk size can be expanded when additional local storage space is needed; or additional disks
can be added to the appliance.
• 40–100 GB network file share (SMB).
• The file share connected to the appliance is used for upgrades, Elastic Layers, and cross-platform publishing. You can
expand this space, if necessary.
The following are the Architecture Requirements Outside of Citrix App Layering:
• Hypervisor:
• App layering supports all hypervisors and cloud solutions. Each Hypervisor solution has its own prerequisites.
• For example, Citrix Hypervisor requires an account with privileges to create and remove virtual disks; Copy and
delete layers on virtual disks using Citrix Hypervisor file APIs.
• Network File Share Protocol:

• Uses SMB/CIFS (only) file shares to store Elastic Layering.
• Network Configuration:
• A 10 GB connection is recommended between Layering service and the file share.
• Directory Service:
• It requires an authentication service, such as Microsoft Active Directory.
• Storage:
• The ELM server starts with an expandable 300 GB local storage repository. This storage is used to store all OS,
Platform and App layers and versions.
• OS for Layered Images:
• To create layers, first, you need a VM configured with the OS setup, drivers, KMS licensing and not joined to the
domain.
• This VM becomes the golden image that is imported into the ELM server and saved as the OS Layer.
• All Platform, App and Elastic layers are then created from temporary packaging machines, built from the golden
Image import.

Additional References:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html
• Configure: https://docs.citrix.com/en-us/citrix-app-layering/4/configure.html
• Appliance settings: https://docs.citrix.com/en-us/citrix-app-layering/4/manage/appliance-settings.html


How App Layering Creates Layers? (Process Flow)

How the ELM Server Creates Layers

[Diagram: steps 1 to 6 across Layer Preparation, Layer Management and ELM Repository. Labels: Packaging Machine (Temporary VM), Targeted Hypervisor, Enterprise Layer Manager, Citrix Layering Management, ELM Repository, Saved Layer (App, Platform, OS)]

Key Notes:
• The ELM server creates layers by using the connector for the targeted Hypervisor to build a temporary virtual machine. This virtual
machine is then used to package the layer that you want to create.
• This temporary VM is called the Packaging Machine. The Packaging Machine is used to install whatever the layer is being created to capture.
• For example, if you wanted to create a new Application layer for MS Office, you would install the MS Office application on the
temporary VM to create the layer.
• How the ELM Server Creates Layers? (High-Level Steps):


1. From within the Layering Management Console, you would start the process by choosing to create an App Layer.
2. The ELM server uses the connector to build the packaging machine.
3. Then you install the targeted app or apps into this packaging machine.
4. To finalize the targeted install, shut down the packaging machine using the app layering finalization software.
5. After shutdown, the ELM server captures the layer that was targeted from the Layering Management Console.
6. This VM packaging machine is then deleted, as it is only created temporarily to create or update the
targeted layer.

Additional References:

• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 1

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



How App Layering Creates a VM
The Process Overview

[Diagram: steps 1 to 4. Labels: Clean OS Install; Drivers, Hypervisor Tools, etc. installed on Packaging Machine; App or Apps installed on Packaging Machine; Final VM with merged layers; ELM Repository; Enterprise Layer Manager; Targeted Hypervisor]

Key Notes:
• Layering enables any app to be captured as a virtual disk container called a “Layer”.
• Layers are attached to virtual machines and combined with other layers using file system and registry virtualization so that they
appear locally installed.
• With Layering, you can create an OS Layer, Platform Layer, and App Layer once, and use it to create any number of images.
• Each App Layer can include one or more applications.



• An OS layer contains the OS and settings that you want to use for your other layers to deploy to virtual machines
hosting sessions.
• When the OS and Apps are layered, you only need to install it once and then it can be updated by adding a new
version to the layer.
• This updated layer can then be used across your other layers and deployed to images.
• This allows you to maintain a single OS layer used across these multiple images. If you need to support more than
one OS, you can create more than one OS layer.
• For example, you can create different OS layers if you need both Windows Server 2012 R2 and Windows Server
2016.
• It is important to know that each app layer is only compatible with the OS layer used to create it. So if you are using
multiple OS layers, and users will require access to the same application, you need to create a compatible layer for
each OS layer with which it will be used.
• A Platform Layer containing your hypervisor, provisioning service, and connection broker software isolates App and
OS Layers from the infrastructure where they will be published.
• The Process Overview:
1. The OS of a VM is captured as a virtual disk and saved as an OS Layer.
2. The drivers, hypervisor tools, and other environmental parameters are captured as a virtual disk and saved as a
Platform Layer.
3. The Apps, both individually or as groups are captured as a virtual disk and saved as App Layers.
4. Each virtual disk is created separately and stored in the ELM server repository as individual layers.
5. Using a template in the ELM Management Console, the administrator can choose to enable Elastic layering and
then selects at least one of each of the above layers to Publish.
6. Publishing merges these chosen layers and outputs to a VM for MCS or a vDisk for PVS.
7. The resultant VM merges the registry and file system from each layer so the Windows OS sees all captured apps
and utilities as locally installed.
8. The VM is called the Layered Image and it runs the Layering Service when Elastic layering is enabled.

Additional References:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html



The Layered Image Boot Process Flow

1. The Layered Image powers on.
2. The user starts to log in.
3. The Elastic App Layer disks are mounted to the Layered Image.
4. The user completes the login process and accesses one complete VM with the merged registry and file system.

[Diagram labels: File Server, Share A: Elastic App Layers, Elastic App Layers, App Layers, Platform Layer, OS Layer, Layered Image]

Key Notes:
• The process flow of App Layering when a Layered Image boots is described below:
1. The Layered Image VM powers on.
2. The user starts to log in.
3. The Layering Service on the Layered Image reads the JSON files in the SMB share to locate the Elastic App layers that are published
to the user and mounts the virtual disks to the Layered Image. The resultant extra registry and file systems are merged with the
Layered Image.
• When the user logs in, the layered image has the OS, apps and platform all merged already; the Layering Service
goes to the FSR to get the elastic layer.
4. The user accesses one complete merged VM. The resultant user files are merged with the Layered Image.
• Remember, the ELM server and Management Console were used to create the SMB shares that store the Elastic
App layers and to create the Layered Image. Once this is done, the ELM server is not used during the process
flow of App Layering when the Layered Image VM boots.
• The ELM Server does not need HA because the ELM Server only builds the layers and outputs the Layered Image.
The process to boot does not use the ELM server.



Citrix App Layering Management Console

The Web-based Citrix Layering Management Console, running on the Enterprise Layer Manager (ELM) can be used to:
• Create Layers.
• Publish Layered Images.
• Manage system settings.

Key Notes:
We can connect to the Management Console by connecting to the IP address of the ELM on a browser.
• The Management console supports the following browsers with Microsoft Silverlight 4.0 support.
• Internet Explorer v11.
• Firefox v45 and later versions that support Microsoft Silverlight 4.0.
There are two methods of management for the ELM console:
• On-Premises - The Citrix Layering Management console can be launched via browsing to the IP address of the ELM Server.



• Citrix Cloud - The Citrix Layering Management console can be launched via Citrix Cloud.



App Layering Connectors (There are Two Types of Connectors)

One type of connector is used when the ELM server creates layers. This type of connector creates the VM that is used to package the layers.

One type of connector is used when the ELM server publishes images that are ready for production. This type of connector is aware of the target virtual environment and provisioning engine.

[Diagram labels: ELM (Enterprise Layer Manager), Citrix Hypervisor, Microsoft Azure, Microsoft Hyper-V, Nutanix Acropolis, VMware vSphere]

Key Notes:
There are two types of connectors:
1. One is used during the layer packaging process.
2. One is used during the image publishing process, after the layers are already built.
In order for the ELM server to build layers or provision an image to a targeted Hypervisor, a connector for the hypervisor has to be
configured.
• Connectors allow the ELM server to communicate with the target Hypervisor.



Additional Resources:
• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html



Lesson Objective Review

What Hypervisors are supported by App Layering?

• Citrix Hypervisor
• Microsoft Azure
• Microsoft Hyper-V
• Nutanix AHV
• VMware vSphere


Lab Exercise
Module 1



Lab Exercise

• 1-1: Configure the ELM Server
• 1-2: Start the Citrix Layering Management Console


Key Takeaways

• App Layering technology provides faster, simpler, and more cost-efficient delivery for real-time application and image
management.
• The ELM Server is the primary component of the App Layer architecture, coordinating all communications, hosting the
administrative portal, and managing all created layers.
• The Citrix Layering Management Console can be used to create layers, publish layered images and configure various
system settings.


Citrix App Layering and WEM Administration

Create an OS Layer

Module 2


Learning Objectives

• Describe the steps involved in OS layer creation.
• Identify the software and components that should be part of the OS layer.
• Describe the considerations and benefits of the OS Layer.


The OS Layer


How to Create an OS Layer?

1. Create the gold image.
2. Run the create OS layer wizard.
3. The OS layer gets created.

Key Notes:
• Create the gold image.
• The gold image is a VM.
• Configure the OS and the configuration settings for virtual hardware such as disks, CPUs, network cards, the virtualization tools,
the layering tools and optionally a set of applications.
• Run the create OS layer wizard.
• During the OS layer wizard, the details for the OS layer are gathered and the gold image or VM is imported into the ELM server.



• The OS layer gets created.
• The OS layer is a boot image virtual disk (VHD) stored in the repository on the ELM server.
• This OS layer is used to create the other layers.
• The ELM server repository is a 300GB expandable data disk used to store all OS layer, platform layer and app layer
VHDs.

Additional Resources:

• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html


Create an OS Layer
The Process of Preparing the Operating System

[Diagram: 1. Admin, Windows ISO; 2. Admin, Tools and Updates; 3. Gold Image Tools Optimization and Licensing; 4. Image Preparation Utility]

Key Notes:
Steps to create an OS layer:
• Step 1
• Install the Windows operating system from an ISO file.
• Step 2
• Verify Citrix VM Tools (or related hypervisor tools) are installed.

• Run all the latest Windows updates.
• Step 3
• Run the Citrix App Layering Gold Image Tools.
• Run a Ngen update (to optimize framework).
• SetKMSVersion.exe (for windows licensing).
• Run the Optimize64.exe Citrix Optimization Script Builder (to optimize system and network configurations).
• Step 4

• Run the Citrix App Layering Image Preparation Utility.
• While creating the OS layer the machine should not be domain joined (Verify within the system properties of the
OS).
• The Citrix App Layering Gold Image Tools contains optimization scripts, and an App Layering Image Preparation
Utility for the operating system of the machine used to create the OS layer.

al
Steps to create an OS layer: (DETAILED)

1. First prep the machine.
• Verify any system level operating system requirements, such as the machine name and that it is in a workgroup.
• Then verify that the Citrix VM Tools are installed (if using XenServer).
• Remember: Before creating an OS layer:
• Install Windows from ISO
• Install hypervisor tools
• Fully update Windows
• Run the citrix_app_layering_os_machine_tools_4.5.0.exe file.
• Then run the SetKMSVersion.hta file and confirm that the OS version is found, and then Save Script.
• From the command prompt window, run the following commands.
1. cd..
2. cd Microsoft.Net\Framework\v4.0.30319
3. ngen update
4. cd..\..
5. cd Framework64\v4.0.30319
6. ngen update
• Run the Optimize.hta file and clear the Option A for “Check to force GPO updates” and Save the file. This will
create a new optimizations.cmd batch file.
• Then it is recommended to take a Hypervisor snapshot of the Windows layer with all the configurations just made.
For example, within XenCenter, right-click the virtual machine and then select Take a Snapshot with an appropriate
name and description added.

2. Next, you will run the Citrix App Layering Image Preparation Utility. It is a file with a name like setup_x64.exe. You can
complete the brief install usually with default settings (unless you wish to add a custom answer file).

3. Then, shut down the machine.

4. Launch Internet Explorer and connect to the App Layering management console.

5. Then you select the layer menu on the top left and then select the OS Layers tab.

6. From the Actions menu on the right pane, select Create OS Layer.

7. On the Layer Details page in the Create OS Layer Wizard, type the following information:
• Layer Name: <Windows version>
• Layer Description: <OS Layer>
• Version: # (i.e. 1)
• Version Description: i.e. “Windows 10 with Citrix VM Tools”
• Max Layer Size (GB): # (i.e. 30)

8. On the Connector page, click New and select the appropriate Hypervisor; i.e. Citrix Hypervisor, from the drop-down
list.

9. Click New and you will be redirected to a new tab to enter the Hypervisor details. Add the appropriate hypervisor
information, such as the Hypervisor IP address, username and password. You can then select CHECK CREDENTIALS
to validate the username and password.

10. On the Virtual Machine Clone Settings, select the appropriate information from drop-down:
• Example:
• Virtual Machine Template: NYC-DTP-TMP
• Storage Repository: Local Storage
• Layer Disk Cache Size in GB: <Leave Blank>
• Use HTTPS for File Transfers: Clear the check box

11. Click TEST to check that all is accurate.

12. Click SAVE, and then click CLOSE.

13. On the Connector page in Create OS Layer Wizard, select the appropriate Hypervisor, for example: “NYC-Citrix
Hypervisor”.

14. On the OS Disk Details page, click Select Virtual Machine. This will redirect to a new tab to select the virtual machine
to use for importing OS. At the prompt “Specify the virtual machine to use for OS import by typing in the name or selecting it
from the list of suggested matches”, click on the space below the Virtual Machine and it will give a drop-down menu.
Select the appropriate virtual machine.

15. Click OK.


16. This returns you to the Create OS Layer Wizard page. Verify that the OS Machine Name and the OS Disk Size (MB)
are populated with the correct details.

17. On the Icon Assignment page, select the appropriate icon (i.e. Windows 10) and click the Down Arrow to continue.

18. On the Confirm and Complete page, click on Create Layer.

19. You can then monitor the event progress on the task section at the bottom of the window; click the Up Arrow to
pull the event viewer.

20. Click the information icon next to the running task, or double-click anywhere in the task line for more details.
Monitor the task progress and wait for it to complete. The process can take 10 to 20 minutes.

21. Validate the status changes to Done, after the OS disk is imported.

22. Verify the new OS layer (i.e. Windows 10) icon is now labeled as Deployable.

Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html


Lab Exercise Prep

Please Take a Moment and Provision Your Lab

For Module 2

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Create an OS Layer: Enterprise Layer Manager (ELM) Preparation

[Diagram: 1. Create OS Layer Action (Admin, ELM Console); 2. Create OS Layer Wizard (hypervisor configuration) (Admin, Hypervisor); 3. Select Machine to Use (Admin, Virtual Machine); 4. Create Layer (Admin, Layer)]

Key Notes:
• Step 1:
• Log into the App Layering console.
• From the Layers menu, select the OS Layers tab.
• Select Create OS Layer from the Actions menu.
• Step 2:
• Complete the Create OS Layer Wizard with all required information:
• Example:
• Layer Name: Windows 10
• Layer Description: OS Layer
• Version: 1
• Version Description: Windows 10 with Citrix VM Tools
• Max Layer Size (GB): 50

• Choose a Connector Type, and enter the Hypervisor configuration and authentication information.
• Select the required information from the Virtual Machine Clone Settings.
• Example:
• Virtual Machine Template: NYC-DTP-TMP
• Storage Repository: Local Storage
• Layer Disk Cache Size in GB: <Leave Blank>
• Step 3:
• Select the machine you want to use on the OS Disk Details page.
• Step 4:
• From the Icon Assignment page, go to Confirm and Complete page, and Create Layer.
• The OS Layer is then captured as a .VHD file “Layer” and saved to the ELM Repository by the ELM server.

Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html


How many OS Layers?
How many OS layers do we need to build?

[Diagram: Layer Preparation, Layer Management, ELM Repository. Labels: Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019; Enterprise Layer Manager (ELM); ELM Repository holding Win 10, Win 2012 R2, Win 2016, Win 2019; Targeted Hypervisor; Citrix Layering Management]

Key Notes:
• Ideally, you can create one, generic OS layer and reuse it in all of the layered images you publish. This keeps layer maintenance to a
minimum, because App and Platform layers only work with the OS layer used to create them.
• This means if you want to have two published images, one for Windows Server 2016 and another for Windows 10, then you will
need two OS layers, one for each.
• You have no limit as to how many OS layers you CAN build, except for the ELM Repository storage limits.
• How many OS layers SHOULD you build? Typically, there is one OS layer per OS needed in the target environment.



Additional Resources:
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html



OS Layer Considerations

• Update the OS by adding a version to the layer, not by creating a separate layer.
• Ensure a minimum of 2GB of RAM in the packaging machine, 4GB is better.
• Ensure Windows update is already done.
• Disable Windows update again when patching is complete.
• If you use any Microsoft products that are updated by Windows Update, but don’t have a separate section like Office does, include those in the OS layer as well.
• For example, Windows Defender.
• It is recommended to reboot one or more times more than the software installer asks for.

Key Notes:
• Updating the OS should be done by adding a version to the layer, not by creating a separate layer. If you don’t version update, but
instead create a new layer, all Platform and App layers created on top of the original OS layer have to be recreated.
• Packaging machines are used to build the Platform and App layers. Ensure there is at least 2GB of RAM in the packaging machine,
4GB is preferred.
• Remember to disable the Windows update again when patching is complete.
• If the OS in the OS layer says it is not activated, then it must be reactivated. Activation scripts are in the c:\windows\setup\scripts\kmsdir folder.
• Clean OS install virtual machine (supports Windows OS Only).
• Hypervisor tools of your main hypervisor should be installed into the OS layer.
• For example, if your main hypervisor is vSphere, you must put the vSphere tools in the OS layer.
• If you then plan to deploy to Citrix Hypervisor, then those tools are put into the Platform layer.
• .NET and other Operating System components are best delivered using the OS layer.

Additional Considerations:
• Fresh install of Windows Operating System only.
• The machine should not be joined to a domain.
• Use DHCP for IP configuration.
• Don’t use 3rd party Optimization scripts.
• Use MBR not GPT partition.
• Verify targeted Hypervisor console port
• Install ELM tools.
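
Several of the considerations above can be verified on the candidate VM before the Create OS Layer wizard is run. The following PowerShell function is an added example, not part of the Citrix course material or tooling; the function name is hypothetical, it assumes Windows PowerShell 5 or later with the built-in NetAdapter, NetTCPIP and Storage modules, and it treats a disabled wuauserv service as the indicator that Windows Update is turned off.

```powershell
# Added example (not Citrix code): read-only readiness check for a VM that is
# about to be imported as an OS layer. Run in an elevated session on that VM.
function Test-OsLayerReadiness {
    [CmdletBinding()]
    param()

    $checks = @()
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # "The machine should not be joined to a domain."
    $checks += [pscustomobject]@{
        Check  = 'Not domain-joined'
        Passed = -not $cs.PartOfDomain
        Detail = if ($cs.PartOfDomain) { "Domain: $($cs.Domain)" }
                 else { "Workgroup: $($cs.Workgroup)" }
    }

    # "Use DHCP for IP configuration." Look at every adapter that is up and
    # collect the ones whose IPv4 interface is not DHCP-enabled.
    $static = Get-NetAdapter |
        Where-Object Status -eq 'Up' |
        ForEach-Object {
            Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue
        } |
        Where-Object Dhcp -ne 'Enabled'
    $checks += [pscustomobject]@{
        Check  = 'DHCP on all active adapters'
        Passed = -not $static
        Detail = if ($static) { "Static IPv4 on: $($static.InterfaceAlias -join ', ')" }
                 else { 'All active adapters use DHCP' }
    }

    # "Use MBR not GPT partition." Inspect the disk that holds the system drive.
    $letter = $env:SystemDrive.Substring(0, 1)
    $part   = Get-Partition -DriveLetter $letter
    $disk   = Get-Disk -Number $part.DiskNumber
    $checks += [pscustomobject]@{
        Check  = 'System disk uses MBR'
        Passed = $disk.PartitionStyle -eq 'MBR'
        Detail = "Disk $($disk.Number) partition style: $($disk.PartitionStyle)"
    }

    # "Disable Windows update again when patching is complete."
    # Assumption: a disabled wuauserv start type is used as the indicator.
    $wu = Get-Service -Name wuauserv
    $checks += [pscustomobject]@{
        Check  = 'Windows Update service disabled'
        Passed = $wu.StartType -eq 'Disabled'
        Detail = "wuauserv start type: $($wu.StartType), status: $($wu.Status)"
    }

    $checks
}

# Show the result as a table; any row with Passed = False needs attention
# before the image is imported.
Test-OsLayerReadiness | Format-Table -AutoSize -Wrap
```

The same domain-membership check applies to the Platform layer packaging VM, which must still be in a workgroup when it is first logged on to.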

Additional Resources:
• App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html


OS Layer Benefits

• Patch Windows once for all virtual desktops, session hosts and cloud platforms.
• Undo bad patches in minutes to minimize downtime.
• Images are slim “just Windows” with apps delivered separately as virtual disk layers.
• One Windows OS layer for all platforms, no matter how many user customizations or platform variations.

[Diagram: OS Layer, showing Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019]

Key Notes:
• The task of patching Windows needs to be performed once.
• Maintain a single OS layer for each major OS version.
• For an OS update, you add a version to the layer. You can then select a specific version of the layer for each image template, as
needed. The existing app and platform layers continue to run on each OS update.



Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html



Lesson Objective Review

What is the ELM Repository?

The ELM server repository is a 300GB expandable data disk used to store all layers, including the OS layer, Platform layer, and App layer VHD files.


Lab Exercise
Module 2



Lab Exercise

• 2-1: Prepare a Windows Server 2019 OS Image
• 2-2: Create an OS Layer


Key Takeaways

• App Layering supports only Windows platforms when creating OS layers.
• The OS layer is used to create other layers.
• The App Layering Image Preparation Utility must be run as a final prep, before the Create OS Layer wizard.
• When updating an OS layer, add a version to the layer instead of creating a separate layer.


Citrix App Layering and WEM Administration

Create a Platform Layer

Module 3


Learning Objectives

• Describe the steps involved in Platform layer creation.
• Identify the software component categories that should be placed on the App Layering Platform layers.
• Identify the considerations when creating an App Layering Platform layer.


The Platform Layer


How to Create a Platform Layer?

1. Run the Platform Layer Wizard.
2. Enter the details of the Platform types.
3. Confirm to create the Platform layer.

Key Notes:
• Platform Layers have a special sub-tab in the layering section.
• Here you will have a Platform layer for each Hypervisor/provisioning service/broker service combination you have in your
environment.
• Citrix App Layering support is limited to virtual machines at this time; there is no current support for physical machines.
• The Platform layer is captured as .VHD file and then saved to the ELM Repository by the ELM Server as an available layer to be used.



Additional Resources:
• Create Platform Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html



Lab Exercise Prep

Please Take a Moment and Provision Your Lab

For Module 3

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Create a Platform Layer: The Process of Preparing the Platform Layer

[Diagram: 1. Create Platform Layer Action (Admin, App Layer Console); 2. Create Platform Layer Wizard (Layers Details) (Admin, Hypervisor); 3. Install Virtual Delivery Agent (Admin, Virtual Machine); 4. Finalize Layer to make “Deployable” (Admin, Layer)]

Key Notes:
• Step 1:
• Log on to App Layering Console from NYC-FSR-001. To access the ELM Console, open Internet Explorer and browse to:
http://192.168.10.77
• From the Layers menu, select the Platform Layers tab. Select the Create Platform Layer option.

• Step 2:



• Complete the Create Platform Layer Wizard, to include the Layers Details:
• Example Layers Detail:
• Layer Name: Citrix Virtual Desktops MCS-B.
• Layer Description: For Citrix Virtual Desktops MCS.
• Version: 1
• Version Description: To join domain and install VDA.
• Max Layer Size (GB): 5

• Validate the required Windows 10-1 version is selected.
• Select the required hypervisor on the Connector page. (Microsoft Hyper-V – NYC-Hyper-V).
• Select the “This Platform Layer will be used for publishing Layered Images” option.
• Microsoft Hyper-V.
• Citrix MCS.
• Citrix Virtual Desktops.
• Enter the package Name (Default).
• On the Icon Assignment page, select Windows 10.
• Confirm the settings and Create Layer.
• Click the information icon next to the running task for more details. Monitor the task progress and wait for it to complete. This step may take approximately 10-20 minutes.
• Wait for the status to change to Action Required.
• Switch to the hypervisor and you will see a new Virtual Machine created with a name that looks like, i.e., Citrix Virtual Desktops MCS-B-YYYY-MM-DD_Time. Select the new VM.
• Log on to the new Virtual Machine from the hypervisor and, once in Windows, check the System settings. Make sure the machine is not joined to a domain, but is instead part of a workgroup.
• Step 3:
• Install the Virtual Delivery Agent for Windows, so that it can communicate and register with the Delivery Controller
and reboot (Citrix recommends installing VDA on the platform layer).
• Join the machine to the Domain.



• Double-click the “Shutdown For Finalize” icon on the desktop.

• Step 4:
• Log on again to the App Layering management console, and go to the Platform Layers tab.
• Validate that the status of the Platform Layer now shows as “Deployable”.

Additional Resources:
• Create Platform layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html


Are Platform Layers Optional?

How many Platform layers do we need to build?

[Diagram: Layer Preparation, Layer Management, ELM Repository. Labels: Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019; Enterprise Layer Manager (ELM); ELM Repository holding Win 10, Win 2012 R2, Win 2016, Win 2019; Targeted Hypervisor; Citrix Layering Management]

Key Notes:
• Platform Layers are needed for two purposes.
• One is used when packaging App Layers on a new hypervisor.
• The other is used to publish a layered image because we have to ensure that the output from the ELM server can run on the
targeted environment parameters for provisioning and hypervisor.

• You have no limit as to how many Platform Layers you can build, except for the ELM Repository storage limits.



• How many Platform Layers should you build? Typically, the hypervisor tools for the primary hypervisor platform can be
included in the OS Layer. Create one Platform Layer per additional targeted VM environment considering the
provisioning type and Hypervisor destination.
• Create additional Platform Layers for deployments that include multiple provisioning systems and/or multiple
hypervisors.
• For Example,
• Company ABC has an on-premises deployment of Citrix Hypervisor and a new location in Microsoft Azure.
• In this scenario, the App Layering administrator has been instructed to deploy the same Windows 2016 image to both hypervisors.
• The App Layering administrator will create a single Windows Server 2016 OS Layer. The Citrix VM Tools were installed in the OS Layer, since that was the original hypervisor platform used.
• A Platform Layer can be created so that the existing OS and App Layers can be used with the new Microsoft Azure deployment.
• Any necessary Azure integration tools can be installed in this Platform Layer. The Platform Layer configuration will take precedence over the OS Layer, if there are any conflicts (this will be covered more in depth later in the course).

Additional Resources:
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952


Platform Layer Considerations

• Platform Layers are created for a particular provisioning system and Hypervisor pair.
• Create separate Platform Layers for heterogeneous environments.
• No cross-platform pollution.

Key Notes:
• App Layering is familiar with a wide variety of drivers and services associated with some of the most popular hypervisors,
provisioning services, and connection brokers.
• When an image is deployed with a Platform Layer, it will search for and disable drivers and services that have not been specified in
the create wizard.
• This ensures that no cross-platform pollution occurs.
• Common examples of what is installed in a Platform layer include:
• Hypervisor Tools.
• Citrix VDA.
• Citrix PVS Target Device Software.
• Domain join
• NVIDIA Drivers, if applicable
• Workspace App, for the Single Sign-on component
• Citrix Workspace Environment Management (WEM) agent
• Any software that impacts the logon stack, for example, Imprivata
• Citrix Provisioning on Hyper-V: Requires a Legacy Network Adapter to PXE boot.
• Microsoft System Center Configuration Manager (SCCM) software, if you are using it

Additional References:
• Create Platform Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html


Platform Layers: Two Types

Packaging Platform Layer
• The Packaging Platform Layer is used only to create an App Layer.
• Only required if the OS image originated in a different hypervisor.
• It has a very limited use case.
• Need to install Hypervisor tools, when the OS originated on a different hypervisor.

Publishing Platform Layer
• The Publishing Platform Layer is used in image template which in turn publishes layered image.
• Required when publishing to a Provisioning Service and using a connection broker.
• Need to install Provisioning Service and connection broker software and settings. If publishing to a different hypervisor than the one where the OS originated, include the hypervisor tools.

Key Notes:
• A Platform Layer includes the platform software and settings required for your layers and layered images to run flawlessly in your
environment.
• You can create Platform Layers for two purposes:
• For creating and packaging layers: When you’ve imported the OS from a different hypervisor than the one where you create your
layers, use this type of platform layer to create app layers.
• For publishing layered images: Use this type of Platform layer in your image template so that the published layered images run flawlessly in your environment.

• You don’t have to use a Packaging Platform Layer; instead, you can change the properties of a Publishing one to Packaging to make your updates, and then change the properties back to Publishing.

Additional Resources:
• Create Platform Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html



Lesson Objective Review

A Citrix administrator manages a Citrix App Layering environment, which includes an existing Windows Server 2016 OS Layer. Which two factors would require the creation of a Platform layer, if the administrator wants to continue using the existing OS Layer?

A new provisioning system or a new hypervisor platform is introduced to the environment.


Lab Exercise
Module 3



Lab Exercise

• 3-1: Prepare a Platform Layer for Windows Server 2019
• 3-2: Join the Domain and Install the Virtual Delivery Agent
• 3-3: Finalize the Platform Layer Creation


Key Takeaways

• Platform layers are created for specific provisioning systems and Hypervisor combinations.
• When creating platform layers, create separate ones for each heterogeneous environment.


Citrix App Layering and WEM Administration

Create an App Layer

Module 4


Learning Objectives

• Describe the steps involved in an App layer creation.
• Identify the software component categories that should be placed on the App layers.
• Identify the considerations when creating App layers.
• Describe the benefits of App layers.


The App Layers


How to Create an App Layer?

1. Create an App layer with the Create Layer Wizard.
2. Install the application(s) on the Packaging Machine.
3. Finalize the App layer.

Key Notes:
1. Create an App layer with the Create Layer Wizard.
• Select the OS layer version that should be assigned to the installation machine and, if needed, any prerequisite layers (such as for a Microsoft Office add-on) that must be available when the install machine boots up. Then assign an icon for the App layer and create it.
2. Install the application(s) on the Packaging Machine.
• The ELM server clones the OS layer to create a Packaging Machine.
• Once the packaging machine is powered on, login and install the application(s).



3. Finalize the Application layer.
• Once the application(s) is installed successfully, run the Shutdown for Finalize icon on the desktop.
• This automatically shuts down the packaging machine.
• Within a couple of minutes the Layer becomes Deployable, ready to publish.
• The App layer is saved as a VHD to the ELM server repository.
• The Packaging Machine is then deleted automatically.
• The App layer is captured as a .VHD file and then saved to the ELM Repository by the ELM Server as an available Layer to be used.

Additional Resources:
• Create or clone an app layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html



Create an App Layer: The Process

[Diagram: 1. Create App Layer Action (Admin, App Layer Console); 2. Create App Layer Wizard (Layers Details) (Admin, Hypervisor); 3. Install software/application (Admin, Packaging Virtual Machine); 4. Finalize Layer to make “Deployable” (Admin, Layer)]

Key Notes:
• Step 1:
• Log on to App Layering Console.
• From the Layers menu, select the App Layers tab. Select the Create App Layer option.

• Step 2:



• Complete the Create App Layer Wizard, to include Layers Details:
• EXAMPLE Layers Detail:
• Layer Name: WinScp
• Layer Description: WinScp
• Version: 1
• Version Description: WinScp

• Max Layer Size (GB): 10
• Validate the required Windows version is selected.
• Verify if any Prerequisites are needed.
• Select the required hypervisor on the Connector page.
• Verify the Packaging Disk Filename is set and entered.
• Select the needed Icon Assignment.
• Confirm the settings and Create Layer.

• Step 3:
• Log on to the newly created Packaging Virtual Machine (VM) to install the software to be included in the Layer.
• The Packaging Machine is a temporary VM that will be deleted once the new Platform Layer has been finalized.
• Install the required software/application on the Packaging VM.
• If a system restart is required, restart it manually. The packaging machine does not restart automatically. If the application you install affects boot-level components, restart the packaging machine as part of finalizing the Layer.

• Step 4:
• Run the Shutdown for Finalize icon on the desktop.
• From the App Layering Console, go to the App Layers tab and right-click the new application Layer and select Finalize.
• Validate that the status of the App Layer now shows as “Deployable”.
• Once the Platform Layer is finalized, the Virtual Machine created on hypervisor is destroyed and the Layer is saved in the ELM.

Additional Resources:
• Create or clone an App layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html



Lab Exercise Prep

Please Take a Moment and Provision Your Lab

For Module 4

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


How Many App Layers do we need to build?

[Diagram: Layer Preparation, Layer Management, ELM Repository. Labels: MS Office and Adobe Acrobat; Chrome and Firefox; Notepad++ and WireShark; Enterprise Layer Manager (ELM); ELM Repository holding Office and Acrobat, Browsers, Tools; Targeted Hypervisor; Citrix Layering Management]

Key Notes:
• An App Layer does not have to be a single application. A single App Layer can have multiple applications; just make sure you confirm the multiple applications are compatible both with each other and with the targeted Layer Image OS and Platform Layers.
• You have no limit as to how many App Layers you can build, or how many Apps you include in each Layer, provided the ELM Repository has enough storage. You could create a library of App Layers in the ELM Repository and then use this library to custom tune your Layered images when it is time to publish.
• This raises the question of how large an App Layer should be. When creating a new Layer, the default size is 10GB.


• It is Citrix Leading practice to decrease this size while creating an App Layer, however, if you are installing a large
application you can increase the size.
• To help limit the number of App Layers you are building, consider creating an Enterprise App Layer, that packages most
of the common apps to be delivered to users.

Additional Resources:
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952



App Layer Considerations

• Verify if any Prerequisite Application Layers are required.
• Install application from a share or an ISO, instead of downloading to the packaging machine, to keep the layer size to a minimum.
• Turn off the automatic updates.
• Observe the Layer status in the Management Console.

Key Notes:
• Only use prerequisite application Layers when necessary. Be sure they are available to select in the new Layer. Ensure they have been
deployed to desktops before deploying the new Layer.
• Prerequisite Layers can be required for several reasons:
• When installing the application on the current Layer requires the presence of another application. For example, when you install
an application that requires Java, and Java is located in a separate Layer.



• When the installation of the software adds settings to an existing application. For example, when you install an Office
add-in, you must install Microsoft Office first.

• If automatic updates are left on, the updates will be put into the Personalization Layer.

• You can also add a “run once script” to an app Layer, to support those applications that need extra parameters when running. For example, a Run Once Script can be run for apps that require license activation on first boot, such as Microsoft Office.

• There are three status types for a Layer:
• Not Deployable – The Layer is not ready for assignment.
• Editing – The Layer is in the process of being created or changed, typically seen when installing or updating on a packaging machine.
• Deployable – The Layer is ready for assignment.

• Citrix Leading Practices for App Layers:
• Install from an ISO or a share.
• Always install MS Office in an App Layer, and never in the OS Layer.
• Put your antivirus application in an App Layer using the instructions provided by Citrix.
• Note: Antivirus can be delivered in an App layer or the OS layer; neither approach is wrong.
• Turn off automatic updates.
• Observe the Layer status before publishing.
• Remember apps can cross-talk between Layers after publishing.
• 99.5% of all apps are compatible.

Additional Resources:
• Create or clone an app layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html
• Layer antivirus apps: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html



• App Layering Recipes: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/app-layering-recipes.html
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952



App Layer Benefits

• Fast and easy deployment of apps.
• Works with 99.5% of applications.
• Apps can cross-communicate.

[Diagram: App Layers, showing Personal Apps and Corporate Apps]

Key Notes:
• Layering can take less than 15 minutes in a production environment, which allows administrators to deploy any app quickly and
easily.
• Apps with system services and boot-time drivers (For example: antivirus, printers, scanners, etc.), homegrown apps and apps with
complex setup procedures can all be layered.
• Apps can cross-communicate
• Layered Apps are not isolated.



• They appear to Windows, and other apps, as if they are natively installed.
• As a result, customers who rely on add-ins and plug-ins for Microsoft Office and other core applications can virtualize
the plug-ins as separate Layers to make patching and updating fast and easy.
• Yet, they don’t have to worry that the plug-ins won’t work with their base application.



How to Update a Citrix Virtual Apps and Virtual Desktops Catalog Using Citrix App Layering?

• Use the ELM server Management Console, wizards and the packaging machine to update or add new Layers.
• Finalize the Layers.
• Create a template to publish the Layers, which output into a VM or a vDisk.
• For MCS use this new VM as a Master to update the catalog.
• For PVS use this new vDisk to update the Device Collection.

Key Notes:
• To publish Layered Images to Machine Creation Services, a Machine Creation Services Connector is created for the hypervisor being published to. The Connector configuration includes the service account credentials used to access the hypervisor, in addition to hosts, storage locations, templates, and so forth.
• The connector is then used to publish a Layered image as a virtual machine “Master Image” to the hypervisor.
• The MCS connector starts the Master Image after it’s published and runs any Layer scripts that have been defined in any Layers. After all the scripts are run, the Master Image has to be shut down and the hypervisor will take a snapshot of the virtual machine.


• Once this process is complete, the Master Image can be deployed using Machine Creation Services. The naming of the
virtual machine is similar to Citrix Provisioning. The virtual machine is named as the published image template name
followed by a date and time stamp.
• When a new version of the image is published, it is a new virtual machine.
• The new virtual machine is then used to update the existing catalog to roll out changes.

Additional Resources:

• Citrix App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html


Lesson Objective Review

What are the three status types for a Layer?

• Not Deployable
• Editing
• Deployable


Lab Exercise
Module 4



Lab Exercise

• 4-1: Create an App Layer with Notepad++
• 4-2: Create an App Layer with Adobe PDF Reader


Key Takeaways

• Creating an Application Layer is a multi-step process initiated by the Create App Layer Wizard.
• When installing an application on the packaging machine, it should be done from an ISO or a file share.
• App Layers can cross-communicate and appear to other apps as if they are natively installed.
• App Layering works with most applications.


Citrix App Layering and WEM Administration

Elastic App and User Layers

Module 5


Learning Objectives

• Describe Elastic App Layering and its Use Cases
• Identify Elastic Layer Considerations
• Describe User Layers
• Identify types of User Layers
• Describe User Layer Requirements, Limitations, and Considerations




Elastic App Layering

• Provide the ability for layers to be attached at log on to non-persistent VMs.
• Are a Hot-Add feature used to deliver apps based on user entitlements.
• Can be assigned to users and machines.
• Consist of an App Layering Service that runs on the Layered Image.
• Are assigned at the user logon by the App Layering Service.
• Are read from a .json file on the SMB share location.

Key Notes:
• Many organizations have learned to use Golden Images or standard templates to create multiple machines, but with user-specific requirements an organization may often support dozens of these standard images, each one tuned to a specific set of users.
• Elastic Layering provides a resource-efficient approach to desktop delivery by sharing across many users, providing the same look and feel as the more resource-intensive persistent desktops, but without requiring a dedicated machine for every user.
• The user’s needed application layers and a persistent layer containing user information are then attached whenever users log on to their sessions or desktops.
• Elastic Layers can be assigned to a single user or a group of users, or to a machine. In the machine case, the layer is available as the machine boots.
• Elastic layers assigned to users and elastic layers assigned to a machine can all be used together.
• Applications that work well as Elastic Layers are those that only a few users or groups require.
• Applications that do not work well as Elastic Layers are those that are used everywhere and often, such as anti-virus; applications that include drivers, such as printers; and ones that use .NET, like MS Office and Office plugins.
• Since multiple users can be logged into a session host, the first thing that the layering service will do is check to see if the requested layers are already present on the VM. If the layer is found, that user is simply “authorized” to see the registry and file system data.
• Once the user is logged in, they will see that application, just as other authorized users do. When a layer is not already available on a session host, it is added during the logon process the same way it would be during a desktop logon.
• When a user logs off from a session host, the applications associated with them are left on that host. The assumption is that there could be other logged-on users who are accessing that data.
• If for some reason a layer must be removed from a VM, the administrator will have to wait until all users are logged off, and the session host will have to be rebooted.
• Citrix App Layering Service:
  • Once the OS, Platform, and App layers are built within the Enterprise Layer Manager (ELM), these layers can be merged and used to build a complete VM or vDisk.
  • In this case, the complete VM or vDisk is called the Layered Image.
  • When the Layered Image is published, you can choose to enable Elastic Layering; if enabled, the App Layering Service runs on the Layered Image.
• Common Misunderstandings:
  • The ELM server is contacted during the Elastic layer assignment. This is not true; instead, the ELM server is used only to create the layers that make up the Layered Image.
  • The App Layering Agent is needed for Layering. This is not true; the App Layering Agent is software that you load on a PVS server.
  • When the Layered Image output is a vDisk, the vDisk is stored in the ELM server’s repository. The App Layering Agent on the PVS server is then used to connect to the ELM server, pull down the vDisk, and save it to the vDisk store.


• The How and What: Process:
  • Packaging Machine Apps & Software Installations > .VHD Capture > Enterprise Layer Manager > Layer Created and Stored on ELM Repository > Layer information written to the SMB or CIFS Network Share > ElasticLayerAssignments.json and Layers.json.

Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html


Elastic App Layer Use Case

• Elastic App Layering can be chosen by an administrator in the below scenarios:
  • Used when specific users need access to one or more applications that are not a part of the common application set for all users.
  • For Example:
    • Those applications not installed on the App Layers that are merged into the Layered Image.

Key Notes:
• How do users access Elastic layers assigned to them?
  • When users log into their session or desktop, icons for their Elastic layers will appear as shortcuts on the desktop.
• A user receives an Elastic layer in the following cases:
  • The user (an AD user in the management console) is assigned the layer.
  • An AD group that the user belongs to is assigned the layer.
  • A machine that the user logs into is a member of an AD Group that receives the Elastic layer.
  • A machine that the user logs into is associated with an AD Group that is assigned to the layer via the management console.

Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html


How Many Elastic Layers do we need?

[Diagram: Layer Preparation in the Enterprise Layer Manager (ELM), where apps are selected for UserGroup1 only and for UserGroup3 only (Target: UserGroup1, Target: UserGroup3), and Layer Management Outside of the ELM Repository on the SMB or CIFS Network Share. Components shown: Targeted Hypervisor, Citrix Layering Management.]

Key Notes:
• Elastic Layers are typically chosen for applications that only a few users or groups require. This helps to reduce a large number of Golden Images.
• For Example:
  • If there was a standard set of applications that everyone needed, but a select few apps that only a specific user group needed, a single Layered Image could be built with the standard set of apps deployed via regular app layers.
  • The select few apps would be packaged as an Elastic Layer and stored in the network share.
  • When standard users access their machines, only the standard set of apps is available, but when those select few users log in, the select few apps are also available.
  • In both cases, all applications appear locally installed.
• An App Layer does not have to be a single application. A single App layer can have multiple applications; just make sure you confirm the multiple applications are compatible both with each other and with the targeted Layered Image OS and Platform layers.
• You have no limit as to how many Elastic Layers you can build, or how many Apps you include in each, provided the SMB share has enough storage and the network has enough bandwidth for throughput.
• Typically, elastic layers are only created for apps in specific use cases, relying instead on non-elastic app layers for the majority of the application workloads.

Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html


Elastic Layer Considerations
Consider the following:

Elastic Layers:
• Set up a SMB or CIFS network share.
• Ensure you have a 10GB connection to the share.
• Configure the user entitlements using groups in AD.
• Elastic Layers require .NET.
• Limit Elastic App Layering to select use cases only.
• If the share moves, you have to re-publish.
• Ensure network stability to the share prior to using Elastic Layers.

Key Notes:
• In order to use Elastic Layering, there are extra steps to consider and set up outside of the standard ELM server setup:
  • You need a Network File Share, which must use either SMB or CIFS only.
  • You need a 10GB connection between the Layering Service and the file share. Remember that the Layering Service runs on all layered images that were published with Elastic Layering enabled.
  • You must have an authentication service, such as Active Directory, to store the user entitlement records.
  • Elastic Layers require .NET.
  • Limit the use of Elastic App Layering to situations where specific users need access to one or more apps that are not a part of the common app set for all users.
  • If the network file share location is moved, all Elastic layer-enabled images must be re-published.
  • Long-term outages in the network between the network file share and the layered images can cause elastic layers to become unavailable; ensure network stability before deploying Elastic layers.

Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html


Lesson Objective Review

• What two Elastic Layering files are located on the SMB or CIFS share?

• ElasticLayerAssignments.json and Layers.json


User Layers


What are User Layers?

• Persist each user’s profile settings, user’s data, and user-installed applications in a non-persistent VDI environment.
• Store all desktop settings and user customizations in a writable virtual disk (attached to the virtual machine at end-user logon).
• Improve end-user login time performance up to 40%.

Key Notes:
• Substantially improves end-user login time performance.
• User Layers persist each user’s profile settings, user’s data, and user-installed applications in a non-persistent VDI environment.
• All desktop settings, user customizations, and other changes are stored in a writable virtual disk that is attached to the virtual machine when the end-user logs in.
• With User Layers, IT administrators can provide a fully persistent environment to end users while utilizing floating pools, providing cost savings.
• Any changes that a user is allowed to make, including profile settings, things like Office plugins, and other user-installed applications, are all captured and maintained.

Additional Resources:
• Create user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Types of User Layers

• FULL: All user data, settings, and local installed applications are stored on their specific user layer.
• OFFICE 365: Only a user’s Outlook data and settings are stored on their user layer.
• SESSION OFFICE 365: Only a user’s Outlook data and settings are stored on their user layer.

Key Notes:
• When you enable user layers on an image template, systems provisioned using the resulting layered images provide every user with a user layer.
• When a user logs on to a desktop that is user layer-enabled, a new Search index database is created. The index incorporates search information from the user layer and any elastic layers.
• The Search feature is only available when the indexing is complete.
• You can enable the following types of user layers:
  • Full - All of a user’s data, settings, and locally installed apps are stored on their user layer.
  • Office 365 - (Desktop systems) Only the user’s Outlook data and settings are stored on their user layer.
  • Session Office 365 - (Session hosts) Only the user’s Outlook data and settings are stored on their user layer.
• Each setting produces different types of layered images: images that persist all user data and settings, and images that persist Office 365 data and settings.

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Requirements for all User Layers

• Adequate Storage Space
• Adequate Network Bandwidth

Key Notes:
• Before enabling any user layers, be sure to meet the requirements for storage and network bandwidth.
• Requirements for all user layers:
  • Adequate network bandwidth, as all writes go over the network (bandwidth and latency have a significant effect on the user layer).
  • Enough storage space allocated for users’ data, configuration settings, and their locally installed apps. (The appliance uses the main storage location for packaging layers, publishing layered images, and serving up Elastic layers.)

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Requirements for Full User Layers

Profile Management:
• With Profile Management (UPM) you must turn off the deletion of the user’s information on logoff.
• These settings can be turned off via a Group Policy Object (GPO) or through the HDX policy on the Delivery Controller.

Compatibility:
• Operating Systems:
  • Windows 7, 64-bit
  • Windows 10, 64-bit

Publishing Platforms:
• Citrix Virtual Desktops
• VMware Horizon View

Key Notes:
• There are specific requirements for implementing Full User layers:
  • When using Profile Management (UPM) with a Full user layer, you must turn off the deletion of the user’s information on logoff using GPO or HDX policies.
• There are compatibility requirements for Full user layers as well, to include:
  • Operating systems:
    • Windows 7, 64-bit
    • Windows 10, 64-bit
  • Publishing platforms:
    • Citrix Virtual Desktops
    • VMware Horizon View

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Requirements for Office 365 User Layers

• A profile manager, such as Citrix User Profile Manager is required.
• The Office layer must be in the image template and deployed in the layered image.
• Is supported as an App layer in a published image only, not as an Elastic Layer.
• Should be used with one desktop per user at a time (Single sign-on).

Key Notes:
• You must use a profile manager, such as the Citrix User Profile Manager. Otherwise, Outlook assumes that every user who logs in is a new user and creates OS files for them.
• The Office layer must be included in the image template and deployed in the layered image. However, you can use other Elastic layers with an Office 365 user layer.
• Microsoft Office is supported as an App layer in a published image only, not as an Elastic Layer.
• Any change to the default location of the search index files is not preserved in the Office 365 layer.
• This feature has been tested for one desktop per user at a time (Single sign-on).

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


User Layer Limitations
Applications not supported

• Enterprise applications: e.g. MS Office and Visual Studio.
• Applications with drivers that use the driver store: e.g. a printer driver.
• Applications that modify the network stack or hardware: e.g. a VPN client.
• Applications with boot level drivers: e.g. a virus scanner.

Key Notes:
• The following applications are not supported on the user layer, so users must not install these applications locally:
  • Enterprise applications, such as MS Office and Visual Studio, must be installed in App layers. User layers are based on the same technology as Elastic layers.
  • As with Elastic layers, never use user layers for enterprise applications!
  • Applications with drivers that use the driver store. Example: a printer driver.
  • Applications that modify the network stack or hardware. Example: a VPN client.
  • Applications that have boot level drivers. Example: a virus scanner.

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


User Layer
Considerations

• All Windows updates must be disabled on the User layer.
• Citrix Profile Management disables Store add-ins.
• GPO-installed printers are supported for users on non-persistent Windows 10 desktops.
• With VMware Horizon View, you must configure it to refresh at logoff with any non-persistent desktops.

Key Notes:
• User Layer Considerations:
  • Windows updates must be disabled on the user layer.
  • Citrix Profile Management disables Store add-ins (Outlook store add-ins).
    • The first time Outlook starts, the Store/Add-ins icon on the ribbon displays a window with a long list of add-ins.
    • During the initial login, if you install add-ins, they appear on the ribbon on subsequent logins. If you do not install the add-ins, the Store/Add-ins icon displays a blank white window.
  • GPO-installed printers:
    • For users on non-persistent desktops running Windows 10, you can install printers using a Group Policy (GPO).
    • With a policy in place, the printers are listed in users’ Devices and Printers, application printer settings, and device manager.
    • To set up GPO-installed printers:
      1. Enable user layers in the image template.
      2. Ensure that the desktop is joined to the domain (on the Platform layer).
      3. Create a group policy to deploy each network printer, and then assign it to the machine.
      4. When logged in as a domain user, verify that the printer is listed in Devices and Printers, Notepad, and device manager.
  • VMware Horizon View:
    • The View must be configured for non-persistent desktops, and the desktop must be set to Refresh at logoff. Delete or refresh the machine on logoff.
• User Layers can provide some of the same benefits as personal vDisk, which is now a deprecated product.

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


User Layer Location
Storage required for layers

• Image templates with user layers enabled consist of user data, settings and locally installed applications that must be saved to a secure location.
• User layers require you to add storage locations for the layers.
• You can assign groups of users to each storage location that you add.

[Figure: User Layer Storage Location]

Key Notes:
• When an image template has user layers enabled, the images you publish persist users’ data, settings, and locally installed apps.
• When user layers are enabled, you need to add storage locations for the layers.
• You should not allow user layers to be saved on the appliance’s main file share, as space can be depleted for:
  • Upgrading the software.
  • Serving up elastic layers to users.
  • Saving files that you are moving to a Hypervisor for which there is no supported connector.
• You can assign groups of users to each storage location that you add.
• Where a user layer is stored when the user belongs to more than one group:
  • If a user belongs to more than one group and those groups are assigned to different storage locations, the person’s user layer is stored in the highest priority storage location.
  • If you change the priority order of the storage locations that the user is assigned to after the person’s user layer was saved to the highest priority location, data saved up until that point remains in the original location.
  • To preserve the person’s user layer, you must copy their user layer to the new highest priority location.
• How to specify the user layer file share location on a specific image:
  • You can support a user who needs to access two separate images at the same time, where both images:
    • Need the persistence of user layers.
    • Were created using the same OS layer.
  • To configure user layer file share assignments:
    • Add the following Registry key in one or more of your published images before any user logs in:
      • [HKLM\Software\Unidesk\ULayer] “UserLayerSharePath”
    • You can add the preceding key to the Platform layer, to an App layer, or as a machine group policy.
    • If you add the UserLayerSharePath key to the image before a user logs in, the appliance ignores the user layer share assignments. Instead, all users on the machine use the specified share for user layer VHDs. The \Users subtree is appended to this key to locate the actual layers.

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 5

Key Notes:
If needed, please refer back to Module 0 for reference on how to access the Lab.
Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Where User Layers are Created on the Appliance

User layers are created and maintained on the appliance’s network file share.

[Diagram: folder tree MyServer > MyShare > Users > workspacelab_jwright > 123456_MyOSLayer > jwright.vhd]

Key Notes:
• User layers are created and maintained on the ELM appliance’s network file share, under the Users folder.
  • For example: \\MyServer\MyShare\Users
• Each user has their own directory within the Users directory, named as follows:
  • Users\DomainName_username\OS-Layer-ID-in-hex_OS-Layer-name\username.vhd
• For example:
  • User’s login name: jdoe
  • User’s Domain: testdomain1
  • OS layer: MyOSLayer (ID is in hexadecimal format: 123456)
  • User layer would be created in:
    • \\MyServer\MyShare\Users\testdomain1_jdoe\123456_MyOSLayer\jdoe.vhd

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Where Users can Access Their User Layer

• Users access their files from different locations based on the type of User layer being used.
  • Full user layer
  • Office 365 layer

[Diagram: Full User Layer: C: > User > username > Appdata > local. Office 365 Layer: C: > User > username > Appdata > local > Microsoft > Outlook.]

Key Notes:
• Users access their files from different locations based on the type of User layer being used.
• When Full user layers are created, users can access the files in the following directory:
  - C:\user\<username>\Appdata\local
• When Office 365 layers are created, the user layers directory is redirected to the Office 365 layer:
  - C:\user\<username>\Appdata\local\Microsoft\Outlook

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Considerations for Configuring Storage Locations

• Storage locations for user layers are added via the management console.
• More than one storage location can be specified for user layers.
• The first storage location added to the appliance becomes the default location for user layers.
• Security settings for user layers are edited via the management console.

Key Notes:
• Storage Considerations:
  • You can specify more than one storage location for your user layers if it is needed.
  • For each storage location created (including the default location), you need to create a \Users subfolder and secure that location.
  • The first storage location added to the appliance becomes the default location for user layers (any that are not already associated with another storage location).
  • When you add more storage locations, they are listed in priority order.
• To add a storage location for an image’s user layers:
  1. Log into the management console.
  2. Select System > Storage Locations. A list of file shares will be displayed, except for the appliance’s main file share.
  3. Select Add Storage Location and enter a Name and Network Path for the new location.
  4. On the user layer Assignments tab, expand the directory tree.
  5. Add the new storage location by clicking the check boxes for one or more groups.
  6. A list of file shares is displayed, except for the appliance’s main file share.
  7. On the Confirm and Complete tab, select Add Storage Location.

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Configure Security Settings on User Layer Folders

Setting Name | Value | Apply To
Creator Owner | Modify | Subfolders and Files only
Owner Rights | Modify | Subfolders and Files only
Users or group: | Create Folder/Append Data; Traverse Folder/Execute File; List Folder/Read Data; Read Attributes | Selected Folder Only
System | Full Control | Selected Folder, Subfolders and Files
Domain Admins, and selected Admin group | Full Control | Selected Folder, Subfolders and Files

Key Notes:
• After storage locations are added and configured, the next step is to set security on the user layer folders via the management console.
• These user layer folder security settings must be set by a domain administrator.
• To configure security on user layer folders:
  1. Log in to the management console.
  2. Click System > Storage Locations. The file shares displayed are the storage locations defined for user layers.
    • For example, say you’ve defined three Storage Locations so that you can manage storage for Group1 and Group2 separately from everyone else in the organization:
      • Default location - \\MyDefaultShare\UserLayerFolder\
      • Group1 - \\MyGroup1\Share\UserLayerFolder\
      • Group2 - \\MyGroup2\Share\UserLayerFolder\
    • Note: The appliance’s main file share, which is used for storing OS, App, and Platform Layers, is not listed as a user layer Storage Location.
  3. Create a \Users subdirectory under each file share:
    • \\MyDefaultShare\UserLayerFolder\Users\
    • \\MyGroup1Share\UserLayerFolder\Users\
    • \\MyGroup2Share\UserLayerFolder\Users\
  4. Apply the preceding list of security settings to each subdirectory under \Users.
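
The security settings table for user layer folders, expressed as NTFS access rules. This is an added example, not part of the course material: the function name, the mapping of the "Apply To" column to .NET inheritance and propagation flags, and the path and group names in the usage comment are assumptions.

```powershell
# Added example, not from the course material. Applies the user layer folder
# security settings table to one folder. Function name, flag mapping, and the
# path and group names in the usage comment are assumptions.
function Set-UserLayerFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $FolderPath,   # folder the table is applied to
        [Parameter(Mandatory)] [string[]] $UserGroups,   # "Users or group" row
        [Parameter(Mandatory)] [string[]] $AdminGroups   # "Domain Admins, and selected Admin group" row
    )

    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }

    # "Apply To" column as (InheritanceFlags, PropagationFlags) pairs.
    $both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none = [System.Security.AccessControl.InheritanceFlags]::None
    $scope = @{
        'Subfolders and Files only'             = @($both, [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        'Selected Folder Only'                  = @($none, [System.Security.AccessControl.PropagationFlags]::None)
        'Selected Folder, Subfolders and Files' = @($both, [System.Security.AccessControl.PropagationFlags]::None)
    }

    # Well-known SIDs avoid depending on localized account names.
    $creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
    $ownerRights  = [System.Security.Principal.SecurityIdentifier]'S-1-3-4'
    $system       = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'

    $rows = @(
        @{ Id = $creatorOwner; Rights = 'Modify';      ApplyTo = 'Subfolders and Files only' }
        @{ Id = $ownerRights;  Rights = 'Modify';      ApplyTo = 'Subfolders and Files only' }
        @{ Id = $system;       Rights = 'FullControl'; ApplyTo = 'Selected Folder, Subfolders and Files' }
    )
    foreach ($g in $UserGroups) {
        # Users may create and enter their own sub-folder but get no rights
        # on other users' folders, because this entry is not inherited.
        $rows += @{ Id      = [System.Security.Principal.NTAccount]$g
                    Rights  = 'CreateDirectories, Traverse, ListDirectory, ReadAttributes'
                    ApplyTo = 'Selected Folder Only' }
    }
    foreach ($g in $AdminGroups) {
        $rows += @{ Id      = [System.Security.Principal.NTAccount]$g
                    Rights  = 'FullControl'
                    ApplyTo = 'Selected Folder, Subfolders and Files' }
    }

    $acl = Get-Acl -LiteralPath $FolderPath
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting from the share root
    foreach ($old in @($acl.Access)) {               # drop existing explicit entries
        if (-not $old.IsInherited) { $acl.RemoveAccessRuleAll($old) }
    }
    foreach ($row in $rows) {
        $inherit, $propagate = $scope[$row.ApplyTo]
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $row.Id,
            [System.Security.AccessControl.FileSystemRights]$row.Rights,
            $inherit, $propagate,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($FolderPath, 'Replace ACL with user layer folder settings')) {
        Set-Acl -LiteralPath $FolderPath -AclObject $acl
    }
    # Return the intended entries so they can be reviewed (also under -WhatIf).
    $acl.Access | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Usage (constructed names):
# Set-UserLayerFolderAcl -FolderPath '\\MyDefaultShare\UserLayerFolder\Users' `
#     -UserGroups 'EXAMPLE\UserLayerUsers' `
#     -AdminGroups 'EXAMPLE\Domain Admins', 'EXAMPLE\LayerAdmins' -WhatIf
```

Running it with -WhatIf first prints the entries that would be written without changing the folder.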

Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Lesson Objective Review

• Which type(s) of user layer will store only Outlook data and settings?

• Session Office 365 and Office 365


Lab Exercise
Module 5



Lab Exercise

• 5-1: Verify the ELM Server Elastic Repository
• 5-2: Create an Elastic App Layer for Server OS
• 5-3: Configure the User Layer Repository


Key Takeaways
• Elastic layers are attached at logon, by the App Layering Service, to either users or machines.
• Elastic layers work best with apps that only a few users or groups require.
• Either an SMB or CIFS network share location is required when using Elastic layers.
• There are three types of user layers: Full, Office365, SessionOffice365.
• There are specific limitations and considerations to consider when utilizing User layers.
• User layers require at least one storage location.


Citrix App Layering and WEM Administration

Deploy a Layered Image Using Citrix Virtual Apps and Desktops

Module 6


Learning Objectives

• Describe template creation process and template considerations
• Discuss considerations while deploying various App Layering Layers
• Describe image requirements
• Identify approach when using Citrix Virtual Apps and Desktops with and without App Layering
• Discuss MCS and PVS considerations with App Layering


Using Templates in Citrix App Layering


How to Create a Template?

To publish an image, you must first create a template.
1. Create a layered image using the Create Template Wizard.
2. Select the OS layer, Application assignments, Platform layer, and the connector.
3. Confirm and complete the creation.
4. The Template creates either a virtual machine on the underlying Hypervisor or a Citrix Provisioning vDisk.

Key Notes:
• Templates are a compilation of various layers put together by the ELM server. For example, multiple App Layers, a Platform Layer, and an OS Layer are compiled to create a unique Template. This is all initiated via the Create Template Wizard in the Citrix Layer Management console.
• Connectors are the interfaces to environments where layers are created and images are published. The type of platform connector determines the information required to create a specific Connector Configuration.
• Once the above steps are done, confirm and complete the creation process.

Additional Resources:
• Create or clone an image template: https://docs.citrix.com/en-us/citrix-app-layering/4/publish/create-image-template.html


Create a Template
The Process Overview

[Diagram: (1) Admin, App Layer Console: Create Template Action. (2) Admin, Hypervisor: Create Template Wizard (Template Details). (3) Admin, Template marked “Publishable”: Publish Layered Image. (4) Admin, Hypervisor: Windows10 MCS-YYYY-MM-DD_TIME.]

Key Notes:
• Step 1:
• Log on to App Layering Console.
• From the Images menu, from the Actions menu select Create Template.
• Step 2:
• Complete the Create Template Wizard, to include:
• Example Template Detail:
• Name: Windows10 MCS.
• Description: Windows 10 with WinSCP.
• Choose the Windows version icon, e.g. Windows 10.
• Select any Application Assignments needed for this template.
• Select the required Hypervisor on the Connector page.
• Select the required Platform Layer.
• Verify the settings made on the Layered Image Disk page.
• Select Create Template.
• Step 3:
• Verify the new Windows template is labelled as “Publishable”.
• Right-click and select Publish Layered Image.
• Click Publish Layered Image.
• Step 4:
• Go to the Hypervisor used for this template and verify a new Virtual Machine was created, e.g. Windows10 MCS-YYYY-MM-DD_TIME.

Additional Resources:
• Create or clone an image template: https://docs.citrix.com/en-us/citrix-app-layering/4/publish/create-image-template.html


Template Considerations

• Update whenever there are changes.

• Do not delete the layered image when used for a Catalog.
• When you update the Master Image, take a snapshot.
• Select the right connector based on the platform layer.

Key Notes:
• Further considerations:
• Do not move this VM across different hypervisor platforms, as the connector and the platform layer change when it is moved from one hypervisor to another.


OS Layers: Review

• Create one OS Layer per Operating System.

• App Layers are tied to the OS Layer they were created on.
• Before a version or layer can be deleted, it must not be in use.
• .NET is best delivered using the OS Layer.

Key Notes:
• Further Considerations:
• To deploy Windows patches and updates, you can simply add a version to the layer. You can easily revert to the previous version of the layer, if necessary.
• You can select any version of the layer to use in an image template, and therefore in the published images.
• You can update the OS using Windows Update, Windows Server Update Services (WSUS), or offline standalone update packages. Do not use tools like SCCM.
• Platform and app layers are tied to the specific OS layer that you use to create them, though not to a specific version of the layer. When you add versions to the OS layer, the dependent app and platform layers continue to work.
• Windows updates must be applied to the OS layer before you update any other layers.

Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html


Platform Layers: Review

• A unique platform layer is needed for each hypervisor/provisioning service/broker service combination in an environment.
• Citrix Layering support is limited to virtual machines at this time (no physical machine support).
• Platform Layers are created for a particular provisioning system and Hypervisor pair.
• There are two types of Platform Layers: Packaging Platform Layer and Publishing Platform Layer.

Key Notes:
• When an image is deployed with a Platform Layer, it will search for and disable drivers and services that have not been specified in the create wizard, to ensure that no cross-platform pollution occurs.
• The two types of Platform layers:
• The Packaging Platform Layer - used only to update an App Layer.
• The Publishing Platform Layer - used every time, to publish.

Additional Resources:
• Create Platform layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html


App Layers: Review

• App Layers can be almost any changes that include files/folders/registry settings.
• Single or multiple applications can be included in the same App Layer.
• Do NOT reduce the Layer Size from the default value while creating an App Layer.
• Increase the default size while packaging a large application.
• Create an Enterprise App Layer that holds the most common components to be delivered to users.

Key Notes:
• When creating a new layer, never adjust the Layer Size down from the default of 10 GB. You can increase the setting if you are packaging a large application.
• All Layers are thin provisioned, so even if you are planning on a very small Layer, never adjust down.
• Create a Utility Layer or Enterprise Application Layer that holds the most common components to be delivered to users. For example, if Flash, Adobe Reader, and Java are going to be delivered to all users, then put them into the same layer.

Additional Resources:
• Create or clone an App layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html


Elastic Layers: Remember

• Elastic Layers can only use SMB/CIFS network shares. (NFS is not supported)
• Elastic Layers require .NET Framework 4.5.
• Changing the location of a network file share requires all Elastic layer-enabled images to be re-published.
• A sustained outage can cause elastically assigned layers to no longer be available.

Key Notes:
• An elastic layer is an app layer that you assign to individual users and groups for delivery on demand. Users receive the elastic layers assigned to them in addition to the apps included in the base image.
• Based on user entitlements, elastic layers are delivered to users’ desktops upon login. You can assign elastic layers to users on session hosts, and also on standalone desktops, as long as the images were published using App Layering.
• Elastic layers are a feature of App Layering. You cannot use elastic layers as published virtual apps in Citrix Virtual Apps and Desktops. And, you cannot assign a Citrix Virtual App as an elastic layer.

Additional Resources:
• Assign App layers as Elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html


User Layers: Remember
• Persist data, settings and installed applications between user sessions.
• Consist of three types: Full, Office 365 and Session Office 365.
• Consist of two formats: one that persists all user data and settings, and another that persists only Office 365 data and settings.
• Must utilize a dedicated storage location for these layers; multiple storage locations for User layers are supported.
• The default size is set to a maximum of 10GB (maximum size can be modified via registry settings).

Key Notes:
• User layers persist user profile settings, data, and user-installed applications in non-persistent VDI environments.
• The first time a user logs onto a system that is User layer-enabled, the User layer is created. After that, the user’s data and settings, and any applications they install locally, are saved in their User layer.
• You can enable the following types of User layers:
• Full - All of a user’s data, settings, and locally installed apps are stored on their User layer.
• Office 365 - (Desktop systems) Only the user’s Outlook data and settings are stored on their User layer.
• Session Office 365 - Only the Outlook data and settings are stored on their User layer.
• Requirements and pre-requisites will vary based on which type of layer you use: Full, or Office 365.
• Full User layers are supported on the following platforms:
• Operating systems: Windows 7, 64-bit and Windows 10, 64-bit.
• Publishing platforms: Citrix Virtual Desktops and VMware Horizon View.
• Applications that a user installs locally on their desktop become part of the User layer.
• Some applications are not supported on the User Layer: Enterprise applications, applications with drivers that use the driver store, applications that modify the network stack or hardware, and applications that have boot level drivers.
• Administrators need to disable Windows Updates on the User layer.
• When using multiple storage locations, if a specific user belongs to more than one group and those groups are assigned to different storage locations, the person’s User layer is stored in the highest priority storage location.
• Users will receive a notification message when they are unable to access their User layer for various reasons. These notifications are customizable if needed via the management console.

Additional Resources:
• Deploy User layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html


Lesson Review

What storage network share formats are supported when using Elastic layers?

SMB and CIFS


Using Layered Images in a Citrix Virtual Apps and Desktops Site


Setting the Stage

[Diagram: Company ABC. 200 Total Users: UserGroup1 (150 Users) and UserGroup2 (50 Users). App1, App2 and App3 on a Windows 10 Virtual Machine. Hypervisors: Citrix Hypervisor and Microsoft Hyper-V.]

Key Notes:
• Company ABC:
• Mixed Hypervisor environment of Citrix Hypervisor and Microsoft Hyper-V.
• The Citrix Virtual Apps and Desktops team has been instructed to evenly distribute the Session Host VMs across both Hypervisors.
• There are 200 users split across 2 core domain user groups, with 150 users in UserGroup1 and 50 users in UserGroup2.
• Citrix Virtual Apps and Desktops is used to deliver a Windows 10 Desktop to all users.
• There are 3 core apps that the users need; however, due to environmental constraints not everyone gets every app.
• The users in UserGroup1 are limited to machines with only Apps 1 and 2 installed. Users in UserGroup2 must log in to machines with all three apps installed.


Image Requirements

Company ABC
Summary of requirements:
• 150 Win10 VM Desktops with App1 and App2 installed.
• 75 VMs for Citrix Hypervisor.
• 75 VMs for Microsoft Hyper-V.
• 50 Win10 VM Desktops with App1 and App2 and App3 installed.
• 25 VMs for Citrix Hypervisor.
• 25 VMs for Microsoft Hyper-V.

Key Notes:
• In this scenario, there is a need to create multiple images due to different user requirements. There are also multiple hypervisors involved in the deployment. The combination of VMs needed to fulfill these requirements is summarized above.
• Each layered image also has a set of prerequisites that are needed, which include the following:
• Hypervisor:
• App Layering supports all hypervisors and cloud solutions. Each hypervisor solution has its own prerequisites.
• For example, Citrix Hypervisor requires an account with privileges to create and remove virtual disks, and to copy and delete layers on virtual disks using Citrix Hypervisor file APIs.
• Network File Share Protocol:
• Only SMB/CIFS file shares are used to store Elastic layers.
• Network Configuration:
• A 10 GB connection is recommended between the Layering service and the file share.
• Directory Service:
• Requires an authentication service, such as Microsoft Active Directory.
• Storage:
• The ELM server starts with an expandable 300 GB local storage repository. This storage is used to store all OS, Platform and App layers and versions.
• OS for Layered Images:
• To create layers, you first need a VM configured with the OS setup, drivers and KMS licensing, and not joined to the domain.
• This VM becomes the golden Image that is imported into the ELM server and saved as the OS Layer.
• All Platform, App and Elastic layers are then created from temporary packaging machines, built from the golden Image import.


Citrix Virtual Apps and Desktops Approach without App Layering

• Using the Scenario for this lesson, what is the Golden Image approach?

Company ABC: 4 Golden Images
• Golden Image #1: App1, App2 and App3 on a Windows 10 Virtual Machine, Citrix Hypervisor
• Golden Image #2: App1, App2 and App3 on a Windows 10 Virtual Machine, Microsoft Hyper-V
• Golden Image #3: App1 and App2 on a Windows 10 Virtual Machine, Citrix Hypervisor
• Golden Image #4: App1 and App2 on a Windows 10 Virtual Machine, Microsoft Hyper-V

Key Notes:
• The Citrix Virtual Apps and Desktops provisioning technologies - Machine Creation Services (MCS) and Citrix Provisioning - optimize the solution by being able to manage catalogs of hundreds of like virtual machines from a single golden image. The key here is the words “like virtual machines”.
• Our scenario in this lesson has several types of machines. How many to be exact? Four:
• Windows 10 with Citrix Hypervisor Tools running App1 and App2
• Windows 10 with Microsoft Hyper-V Tools running App1 and App2
• Windows 10 with Citrix Hypervisor Tools running App1 and App2 and App3
• Windows 10 with Microsoft Hyper-V Tools running App1 and App2 and App3


Lab Exercise Prep

• Please Take a Moment and Provision Your Lab For Module 6

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Citrix Virtual Apps and Desktops Approach with App Layering

Using the Scenario for this lesson, what is the Golden Image approach?

[Diagram: Company ABC. Golden Image #1 (App1, App2, App3 on a Windows 10 Virtual Machine, Citrix Hypervisor) and Golden Image #2 (App1, App2, App3 on a Windows 10 Virtual Machine, Microsoft Hyper-V), both produced by the ELM (Enterprise Layer Manager).]

To get here:
• Install Windows 10 once using an OS Layer
• Install Citrix Hypervisor Tools once using a Platform Layer
• Install Microsoft Hyper-V once using a Platform Layer
• Install each app once, for App1 and App2 using an App Layer, for App3 using an Elastic App Layer entitled to UserGroup2

Key Notes:
• To Deploy Citrix App Layering within an Existing Citrix Virtual Apps and Desktops Site:
1. Import a VM into ELM to create the OS Layer.
2. Use the OS Layer to create Platform and App layers.
3. Create a template to select which layers to use, then publish it to merge the selected layers and create a Layered Image output to a VM or vDisk.
4. This layered Image can be used as a Master Machine for MCS Catalogs or it can be used to populate the PVS vDisk Store.
5. Once the Catalog is created, create the delivery group to assign the desktop and/or the apps to the users.
• Additional Considerations to Deploying Layering within an existing Citrix Virtual Apps and Desktops Site:
• App Layering requires either Enterprise or Platinum edition.
• The Enterprise edition is limited to one Connector.
• The Platinum edition can have unlimited Connectors.
• In both cases, the CSS or Customer Success Service must be current.
• You can publish one or more Layered Images to Citrix Machine Creation Services in your Citrix Hypervisor environment. Publishing a template creates a Virtual Machine that can be used as a master image to create a Citrix Virtual Apps and Desktops catalog.
• Publishing a template to a PVS Store creates a vDisk within the store. You can then assign the vDisk to one or more target devices.
• Publishing a template to the NFS share creates a layered image on the NFS share. For example, you can populate a PVS Store using the images stored in the NFS share.

Additional Resources:
• Plan your deployment: Citrix PVS: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/citrix-pvs.html
• Plan your deployment: Citrix MCS in Citrix Hypervisor: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/citrix-mcs-in-Citrix Hypervisor.html
• Plan your deployment: Network File Share (other platforms): https://docs.citrix.com/en-us/citrix-app-layering/4/plan/network-file-share.html


Installing the Virtual Delivery Agent
Preparing the Eventual Layered Image for MCS

[Diagram labels: Layer Preparation (VDA, Packaging Machine (Temporary VM), Targeted Hypervisor); Layer Management (ELM Enterprise Layer Manager, Platform Layer: Create New or Update Existing, Citrix Layering Management); ELM Repository.]

Key Notes:
• When prepping the layer for Citrix Provisioning, you will need to install the Citrix Provisioning tools (PVS Tools) on the layer, in addition to the Virtual Delivery Agent.


Using App Layering with MCS
MCS hasn’t changed, just the method of provisioning and managing the Master Image

[Diagram labels: App Layering (ELM Enterprise Layer Manager, Repository); Hypervisor (Read Cache in RAM, hypervisor dependent; three Virtual Machines, each with a Write Cache; Storage Repository 1; Storage Repository 2); Master Image; Identity Disk; Differencing Disk.]

Key Notes:
• The Machine Creation Services or MCS process does not change, whether you use App Layering or not: there’s still a Master Image used to create a catalog with differencing disks and identity disks. The key difference is the ease with which the Master Image is provisioned and maintained.
• Using App Layering with Citrix Provisioning:
• The Provisioning Services or PVS process does not change, whether you use App Layering or not: there’s still a golden image in the form of a bootable virtual disk called a vDisk.
• This vDisk is used by PVS to provision target devices. When the Virtual Desktop Setup Wizard is used, the provisioning process also creates the Virtual App and Desktop catalog.
• The key difference is the ease with which the golden vDisk is provisioned and maintained.
• We no longer have to build a VM, get it just right and capture the image; we can prepare the vDisk as we would any other published image through Citrix App Layering.
• Just as the ELM server is capable of mapping Elastic Layers to a network share, in the use case for Citrix Provisioning, the ELM server creates a Connector for Citrix Provisioning to map the ELM server to the vDisk Store. This way, when the image is published, instead of a virtual machine the target environment can be a vDisk store, so the output is a vDisk.

Additional Resources:
• Publish layered images from template: https://docs.citrix.com/en-us/citrix-app-layering/4/publish/publish-layered-images.html
• Citrix Provisioning (Citrix Hypervisor, VMware, Hyper-V, Nutanix): https://docs.citrix.com/en-us/citrix-app-layering/4/connect/citrix-provisioning.html


MCS Considerations with App Layering

[Diagram: ELM (Enterprise Layer Manager) steps: Install the VDA, Join the Domain, Test Login as network user, Install SSO software if needed, Verify desired Workspace App version, Install WEM Agent if needed.]

Key Notes:
• MCS Considerations with App Layering:
• Prior to the Layering Stage:
• Review the Citrix online documentation via docs.citrix.com to verify the MCS parameters and detailed instructions that match the targeted hypervisor platform.
• During the Layering stage:
• Install the VDA.
• Join the Domain.
• Log on as a network user, reboot, and then log on as an administrator and delete the network user profile.
• Install any Single Sign On (SSO) software, if needed.
• Verify the desired version of the Receiver was installed with the VDA; if not, install the version needed.
• Install the Workspace Environment Management (WEM) agent, if planning to use this feature.
• Reboot.
• Finalize.

• PVS Considerations with App Layering:
• Prior to the Layering Stage:
• Review the Citrix online documentation via docs.citrix.com to verify the PVS parameters and detailed instructions that match the targeted hypervisor platform.
• During the Layering stage:
• Install PVS Tools.
• Install the VDA.
• Join the Domain.
• Log on as a network user, reboot, and then log on as an administrator and delete the network user profile.
• Install any Single Sign On (SSO) software, if needed.
• Verify the desired version of the Receiver was installed with the VDA; if not, install the version needed.
• Install the Workspace Environment Management (WEM) agent, if planning to use this feature.
• Reboot.
• Finalize.

Additional Resources:
• How to Create a Platform Layer in App Layering 4.x: https://support.citrix.com/article/CTX225997


Lesson Review

The ELM server maintains a default storage location as part of standard image requirements. What are the specifications for this storage location?

The ELM server starts with an expandable 300 GB local storage repository used to store all layers and versions.


Lab Exercise
Module 6



Lab Exercise

• 6-1: Create a Template

• 6-2: Create a Machine Catalog
• 6-3: Create a Delivery Group
• 6-4: Test the Resources Located on the Layered Image
• 6-5: Test the User Layer functioning


Key Takeaways

• App Layering Templates consist of multiple layers and a connector.
• The Create Template Wizard is used to customize and create each template (or layered image).
• Templates consist of an OS Layer, a Platform Layer, and one or more App Layers.
• When packaging the Platform layer, it is necessary to install provisioning tools for use with any non-MCS provisioning technology, such as Citrix Provisioning.


Citrix App Layering and WEM
Administration

Explore Layer Priority and Maintain an App Layering Environment

Module 7


Learning Objectives

• Define Layer Priority and how it works


• Describe the Layer update process and its considerations
• Describe ELM Server back-up and ELM Multi-location
• Recognize Layer back-up considerations
• Describe the ELM Server Update procedure
• Identify considerations while deploying Anti-Virus and Microsoft Office in a Layer
• Describe App Layering Labs


Layer Priority


Layer Priority
• Layer priority defines layer order when creating the Windows file system and registry.
• The Composite File System (CFS) runs on the Layered Image and views the layers, presenting a unified registry and data file system to Windows.

[Diagram: on C:, Windows sees C:\DIR\A.DAT, C:\DIR\B.DAT and C:\DIR\D.DAT. Beneath the Composite File System (CFS), the stacked layers hold, from top to bottom, C:\DIR\D.DAT; C:\DIR\B.DAT; and C:\DIR\A.DAT with C:\DIR\D.DAT.]

Key Notes:
• Layer Priority refers to how the Windows operating system on the published desktop only reads the combined C: drive of the underlying layers. In the example shown in the diagram, the underlying layers are the user layer, application layer and OS layer.
• As the desktop boots, it initially uses the Boot Image, which contains the Windows Boot File, the composited registry and the Windows Page File. When the layering filter driver is loaded milliseconds into the boot process, it virtualizes all of the independent virtual disk files which make up the layers for a desktop into the single C: drive Windows sees and uses on the desktop.
• These layers include the boot image, the OS layer, the user personalization layer, and any application layers which have been assigned to the desktop. Windows continues the boot process as it normally does using this virtualized C: drive.
• Even during boot, the layering priority principles are applied to locate the files needed by Windows.

• Layer priority manages the file system and registry in every layer before it is actually presented to the Windows OS in the user session.
• Priority in an image starts from the bottom up, with the OS Layer, then the App Layers (by date/time), then the Platform Layer, then the Elastic Layers, with the User Layer on top.
• Application layers are assembled in priority order based on the package creation date and time.
• Let’s assume that we have an OS Layer, an App Layer and a User Layer, and assume these layers only have one or two files in each of them.
• What the Composite File System does, below NTFS, is grab the layers, which are volumes, and present them to Windows at the top, merging the namespace as “C”. The user looks at the C: directory and sees the A, B and D files. The A.DAT is coming from the OS Layer, the B.DAT is coming from the App Layer and the D.DAT is coming from the User Layer.
• Why is D.DAT coming from the User Layer?
Because they are duplicate files, but the user's copy was changed: maybe an application changed it when the user ran the app, or maybe the user created their own D.DAT file. Under Layer priority, given the way the Layers are stacked, the User Layer wins over the OS layer.
• This priority mechanism begins at layer creation and is based on the order in which the layers are created. When Windows views these layers, it is from a top-down model where the highest priority wins.
• If a file (or registry entry) exists in two layers, but only one can be presented to an executing Windows environment, the layer with highest priority “wins”.
• Before you dive into priority, it is important to note that the Personalization layer is always “on top” or the highest priority and the OS layer or layered image is always “on bottom” or the lowest priority. Application layers are what receive specific priorities relative to each other and not to the OS or Personalization layer.

• Layer Priority can only be changed using an external utility or by deleting and adding layers.

Additional Resources:
• Layer priority: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html#layer-priority


How Layer Priority is Determined

[Diagram: through the Composite File System (CFS) Logic, Windows sees File 1, File 2, File 3, File 4 and File 5. Layers from top to bottom: Elastic App Layer (File 5), App Layer 2 (File 4), App Layer 1 (File 3), Windows OS Layer (File 1, File 2).]

Key Notes:
• A layer’s priority is determined by the layer type. Layers that are part of the layered image are applied in order: the OS Layer is the lowest priority and is applied first, App layers are medium priority, and the Platform Layer is always applied last, as the highest priority layer.
• When a published image boots, more layers can be applied during the boot process, if needed. The layers need to be enabled in the image template for your layered image to do this. The two layers below are examples of what can be applied at boot:
• Elastic layers (App layers assigned to users as Elastic layers)
• User Layers
• When merging layers onto an image, User layers are always the highest priority. Elastic layers are next, and the layers in the base image last.

Additional Resources:
• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html


How does Layer
Priority Work?

File 1 File 2 File 3 File 4 File 5 What Windows “Sees”


• Layer Priority addresses

N
conflict between two app

ot
layers. Composite file System Logic

fo
• Layer Priority overrides
App 2 Layer

rr
are set by changing the File 4 File 5

es
Layer priority.
App1 Layer

al
File 3 File 4

e
or
File 1 File 2 Windows OS Layer

di
stri
b ut
© 2020 Citrix Authorized Content

io
n
Key Notes:
• In the image above we see a total of 3 layers:
The OS layer, and 2 application layers.
• The conflict here is between App1 and App2 layers with regards to “File 4”, as the same file is present in both the layers. Now
there arises a conflict on which App Layer to be selected so as to present the “File 4” to Windows.
• In this scenario, “File 4” from App2 layer “wins” and is presented to Windows. Because by default, the layer at the highest priority
wins, hence in the above image, the App2 layer wins over App1 layer on File 4.

• In App Layering, this default outcome can be overridden by changing the layer priority, so that the file from what was the lower priority layer is presented to the Windows OS.
• Layer priority defines layer order when creating the Windows file system and registry. Layer priority is taken into consideration when:
• Compositing (merging) layers when publishing layered images from an image template.
• Searching layers for file and registry settings.
• Delivering Elastic layers and User layers to users’ desktops.
• Once any and all conflicts are resolved, the layers are compiled as a layered image, creating a single, unified composite file system.
• Each layer contains unique registry and file system virtualizations. Once compiled into a layered image, it results in a single registry and data file system on the image.
• Layer priority is used in two different places. When we create an image, layer priority is used both when creating the file system and when creating the registry. The best way to think of it is that the layers are merged in this order for both file system and registry:

Additional Resources:
• Layer Priority: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html#layer-priority



Scenario: How to Change Layer Priority

• File conflict between App1 and App2 layers.
• Solved by using Layer Priority Tool for changing the Layer Priority.

[Diagram: Composite File System Logic. From top to bottom: App 1 Layer (File 3, File 4), App 2 Layer (File 4, File 5), Windows OS Layer (File 1, File 2). What Windows “Sees”: File 1, File 2, File 3, File 4, File 5.]

Key Notes:
• Let's assume there is a problem and we need to expose “File 4” from App1 to the Windows environment.
• This is where layer priority overrides come into play. The IT admin can adjust the priorities so App1 is a higher priority than App2 (compared to the previous “Layer Priority” diagram). Thus “File 4” from App1 is presented to Windows.
• Why would you want to change the priority? You might want to change layer priority for many reasons. Normally it is because two different layers use a common file or registry key, and you find that by switching the order of the layers both applications will work when originally only one did.
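
The default resolution and the priority override described on these two slides, as an added Python example (not Citrix code): a simplified model that lists conflicting paths and shows which ones change owner before a priority change is applied. The numeric priority scale (higher number wins), the `Layer` class and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Merge tiers from the page: layers in the base image are applied first,
# Elastic layers next, User layers last (so User layers always win).
TIER_RANK = {"base": 0, "elastic": 1, "user": 2}


@dataclass(frozen=True)
class Layer:
    name: str
    priority: int   # assumed numeric scale: higher value = higher priority
    files: tuple    # paths (files or registry keys) the layer contains
    tier: str = "base"


def merge_order(layers):
    """Layers sorted lowest precedence first; later layers overwrite earlier ones."""
    return sorted(layers, key=lambda layer: (TIER_RANK[layer.tier], layer.priority))


def composite(layers):
    """Map each path to the layer that supplies it in the merged view."""
    view = {}
    for layer in merge_order(layers):
        for path in layer.files:
            view[path] = layer.name
    return view


def conflicts(layers):
    """Paths present in two or more layers, owners listed lowest precedence first."""
    owners = {}
    for layer in merge_order(layers):
        for path in layer.files:
            owners.setdefault(path, []).append(layer.name)
    return {path: names for path, names in owners.items() if len(names) > 1}


def with_priority(layers, name, new_priority):
    """Return a copy of the layer list with one layer's priority overridden."""
    return [
        Layer(layer.name,
              new_priority if layer.name == name else layer.priority,
              layer.files,
              layer.tier)
        for layer in layers
    ]


def changed_winners(before, after):
    """Paths whose supplying layer differs between two layer sets: {path: (old, new)}."""
    old, new = composite(before), composite(after)
    return {
        path: (old.get(path), new.get(path))
        for path in sorted(set(old) | set(new))
        if old.get(path) != new.get(path)
    }


def slide_layers():
    """Constructed sample matching the slide: File 4 is in both App layers."""
    return [
        Layer("Windows OS Layer", 0, ("File 1", "File 2")),
        Layer("App1 Layer", 10, ("File 3", "File 4")),
        Layer("App2 Layer", 20, ("File 4", "File 5")),
    ]


if __name__ == "__main__":
    base = slide_layers()
    print("conflicts:", conflicts(base))
    print("File 4 supplied by:", composite(base)["File 4"])
    swapped = with_priority(base, "App1 Layer", 30)
    print("changed by override:", changed_winners(base, swapped))
```

Reviewing the `changed_winners` output before a priority change shows every path that will flip to a different layer, not only the one file that prompted the change.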

• The Layer Priority Tool is used to modify the layer priority of specific App layers.
1. The utility is designed to be easy to use and install. It is a downloadable file containing a reg file to be run: HTARunAsReg reg.
2. Once the tool is installed, you enter the IP address or FQDN of the ELM server.
3. The utility works by sending SSH commands to the Enterprise Layer Manager to query and update the layering database.
4. Once the tool is set up, you select “Get OS Layers” to run a query to capture all the OS layers you have. It will then store the OS layers to use whenever you open the utility.
5. Then you select the appropriate OS layer that you want to change the priority on. The utility will load all the layers created with that OS layer, with the highest priority on top.
6. Then you just select “Set Start”.
7. Then select the row to move the selected layer above and click “Set End”.
8. Review the selected layer information and, if correct, click the “Process” button.
9. The status of the job will be shown in the status area at the top.
10. The process will update the layering database with priority changes.
Note: These steps above will not update the json files located on the elastic layer share.
Note: Sometimes a company may need the ability to change just the priority for a single layer. To change the priority for a single layer, click on the layer then click on “Change Priority Value”. This will set the start and end rows at the bottom both to the selected layer. It will also expose the input field (3) for the new value. Enter a value and press the “Change” button (4). The status of the update will be shown in the status box and the table will be updated and re-sorted.

Additional Resources:
• The priority change can only be done through a tool from Citrix App Layering 4: LayerPriority Utility: https://support.citrix.com/article/CTX225934
• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html

Lesson Review

What is the default application order of layers that are part of the layered image?

• OS Layer
• App Layers
• Platform Layer
• Elastic and User Layers (at logon)

Updating Layers


[Diagram: Updating Layers. Panels: Layer Preparation, Layer Management, ELM Repository, MCS Deployments, PVS Deployments. Components: Targeted Hypervisor, Packaging Machine (Temporary VM), Citrix Layering Management, Enterprise Layer Manager (ELM), Layered Image Updates, New Version = Copy Win10.vhdx, Citrix Studio, Delivery Controller, PVS Console, PVS Server, PVS Farm Store. Numbered callouts 1 to 6.]

Key Notes:
• The Update layer process:
1. An administrator would use the Layering Management Console to create a new version of the specific layer, which is kept and
maintained within the ELM repository.
2. The ELM server then uses its hypervisor connector to create a temporary Packaging VM, which boots with the virtual disk layer in
question so the required changes can be made.
3. When all the required changes have been made, you can finish prep by “Finalizing” the update.



4. From the Layering Management Console, assign the new version of the layer by creating a new template.
5. Publish the new template to a layered image, which could be a virtual machine for MCS or a vDisk for PVS.
6. In the case of either MCS or PVS, the final step is to update the machine catalog with the new master image or
golden vDisk.
• Main benefits of updating using versions are:
• Version Control of each resource or set of resources per layer.
• Simplified deployment of updates, with rollback options.

Additional Resources:
• Update layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/update-layer.html

Layer Update Considerations
• All layers can be updated as needed by adding a new version to it.
• The ELM server Management Console is used to create new versions.
• All layers have version control. Version control and the ability to update application layers is a key feature in Layering.
• The process for updating OS, Platform, or App layers is virtually the same.
• Creating a new OS Layer would require all Platform, Apps and Elastic App layers to be re-created that were built off that OS Layer.

Key Notes:
• Updating OS layers:
• Is a straight-forward operation, with built-in version control. When you create a new version of the OS layer, the latest version of
the layer is copied, and this copy is marked as read-write.
• A special virtual machine called a “Packaging Machine” is created on the infrastructure and the copy of the OS layer virtual disk is
attached. The machine is then booted with this new writable version of the OS and the admin can update the OS layer as needed.
• Once all of the changes are complete and any required reboots are finished, the OS version can be assigned to Image templates and updated images can be published to the image provisioning system. Layering will create updated images with the new OS versions which can then be published to the defined targets (such as the Citrix PVS Image Store directories).
• The specific steps involved in updating an OS Layer are:
1. Select the OS layer to update.
2. Select Add Version, which opens the Add Version Wizard.
3. Enter the version details and select an installation machine.
4. To run a script the first time a desktop starts and the user runs the new OS version, enter a version description and a path for the script. This is called a ‘Layer Script’.
5. Confirm and complete. When prompted, install the new OS service pack or upgrade on the installation machine.
6. After installing the service pack or upgrade, select the OS Layer and select ‘Finalize’.
7. Create a new template using the new version of the OS Layer and select the respective App Layers; then confirm and complete.
• The completion of the template creates a layered image which can be output to a VM on the hypervisor or a vDisk stored on the ELM server repository.
• To update the Catalog of a Citrix Virtual Apps and Desktops site, roll out the changes using either Studio (for MCS created catalogs) or the Citrix Provisioning Console (for PVS created catalogs).
• Updating App layers:
• When updating an application layer, a copy of the existing layer is made. The virtual disk of the most current version of the layer is copied and attached to a Packaging Machine.
• The Admin would then update or patch the layer as needed. Once the update is complete the layer can be pushed out to users or assigned to existing layered images.
• When applications are versioned in this way it also ensures that two different versions of the same application will not be assigned to a virtual machine simultaneously.
• Note on versioning layers: A new layer version can be created for a layer when IT needs to modify the existing app install/configuration or the application needs to be upgraded. You can create a new application layer for a major application version (such as moving from Office 2010 to Office 2013) but in most instances application layers are simply versioned during upgrades.
• The below steps can be followed in order to update an App Layer:
1. Update existing App Layer by creating a new version.
2. Install the new version of the application on the installation machine which gets created.
3. Once installed and validated, click on Finalize.
4. Assign this new version of the App Layer by creating a new template or layered image and publish it to users by
updating the Citrix Machine Catalog.

Additional Resources:
• Update layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/update-layer.html



Layer Deletion Considerations
You can delete an App Layer which includes all versions, or just a specific version.

[Diagram: ELM Repository with two layer stacks, each showing an OS Layer and a Platform Layer, one topped by App Layer (V1) and the other by App Layer (V2), labelled “Create a new version”. Other labels: Enterprise Layer Manager (ELM), Citrix Layering Management.]

Key Notes:
• The ELM Management Console gives the option to delete either the whole App Layer or just a single App Layer version.
• After selecting the respective App Layer on the management console, we can click on the Delete Version option, which opens the wizard to delete the layers.
• Note: While deleting layers, be aware of whether you are deleting the layer version alone or the entire underlying App Layer itself.
• App Layers, once deleted, cannot be recovered.
• If a version is referenced in an image template, the App Layer cannot be deleted.

Lesson Review

What object is used to install updates or new applications on an existing OS layer?

A packaging virtual machine is temporarily created and then deleted once the OS layer update has been finalized.

Maintaining and Updating the App Layering Environment


ELM Server Account Management
Coordination and Management

Enterprise Layer Manager (ELM): Three Administrative User Accounts
• Management Console: Username: administrator, Password: Unidesk1
• Appliance (superuser): Username: root, Password: v9Yx*6uj
• Appliance: Username: administrator, Password: Unidesk1

Key Notes:
• The ELM server coordinates communication in the App Layering environment, hosts the management console, manages all of the layers, and uses connectors to work with the hypervisor or hypervisors to create layers and to publish images.
• The appliance has three accounts that you can use to manage its features and settings.
• Management console “administrator” account - Lets you access the management console hosted on the appliance. There you can
create and manage layers, and publish layered images. The default password is Unidesk1.
• Appliance “administrator” account - Lets you access the appliance’s configuration utility where you can change the network settings, date, time, NTP server, and time zone. The default password is Unidesk1.
• Appliance “root” user account - The appliance’s default Linux superuser account. The password for this account is required if you ever need to reset your other administrative accounts. The root user has access to all commands and files on the appliance’s Linux OS. The default password is v9Yx*6uj.
• Both the Administrator for the management console and the Administrator for the appliance use the same default password: Unidesk1
• The Appliance default password (Unidesk1) can be changed from the CLI of the ELM appliance machine.
• The default Management Console password (Unidesk1) must be changed when the appliance is installed. Upon first log in, a tab is displayed where you must change the passwords for the administrator accounts that you use to manage the appliance.
• The root (superuser) account uses a case sensitive mixed character password.
• The root (superuser) account is needed to change any of these administrative passwords.
• The Management Console is the primary account an administrator will use. You can easily configure and use the App Layering service without ever accessing the other two accounts.

Additional Resources:
• Change administrator passwords: https://docs.citrix.com/en-us/citrix-app-layering/4/configure/change-administrator-passwords.html


ELM Backup

• App Layering contains a virtual appliance where the layer library is stored. This library contains folders where all layers are stored.
• Backing up this appliance protects a large part of the Layering infrastructure and greatly improves disaster recovery chances.
• The ELM appliance should be backed up via some type of virtual machine backup to storage, or else made as a clone.

[Diagram: Server repository (Unidesk) with folders Finalize Disks, Layered Images, Layers (App, OS, Platform) and Repository.]

Key Notes:
• The App Layering appliance is a CentOS based virtual appliance that hosts the App Layering console, all App Layering logic and the App Layering database.
• The appliance is also where the layer library is stored. The layer library is a virtual disk partitioned into several folders where the OS,
App, and Platform Layers are kept.
• Everything about layers is stored in the appliance. If the appliance is backed up you have a significant part of the App Layering
infrastructure available for recovery.



• If the Recovery Time Objective for this solution is very short you may have to consider using a SAN/NAS solution that
supports snapshotting at the storage level. This will not help if the storage is damaged but will certainly help if the
appliance VM files are damaged or a user error happens. For example, deleting many layers due to miscommunications.
• It is also possible to keep two ELM appliances in sync using the layer import/export functionality. This is currently a
manual process but layers can be exported to a share and imported to another appliance from that share.
• Connectors and image templates would have to be recreated manually if using this method to sync appliances.

Additional Resources:
• App Layering 4.x availability and recovery concepts guide: https://www.citrix.com/products/citrix-virtual-apps-and-desktops/resources/app-layering-4x-availability-recovery-guide.html


ELM Multi-Location

[Diagram: NYC Datacenter and SFO Datacenter. Each site shows a Hypervisor, a File Server with Elastic layers, and an ELM server (ELM Server1 in NYC, ELM Server2 in SFO) with OS Layer, Platform Layer, Application Layer and User Layer. Other labels: Image Template, VDA, “Export to ELM fileserver”, “Import to ELM2”, NYC SAN, NYC DFS-R.]

Key Notes:
• Layers can be shared across composite images (so long as the underlying OS is consistent). It is possible to export all your layers from
one ELM appliance to a Windows share, and then import them to another appliance. This process could be used to keep two
appliances in separate physical sites in sync.
• Elastic layers are attached to the OS layer they were created on. A new version of an OS layer is still the same OS layer, so it will still work with the existing application layers. The reason is that Windows uses dynamic creation of some GUIDs, short folder names, short file names, etc. Applications remember those, so we need to keep them consistent. Updating OS layers by creating a new version of the layer (as opposed to importing a new OS image) is therefore recommended.
• The disaster recovery approach for a cross-WAN location can be similar to local recovery. The quickest way to keep images in sync is to use some type of replication process for the images.
• If you are using Citrix Provisioning, you can use a tool like robocopy to copy the vDisks across to the secondary site. If you are using MCS or Horizon View on vSphere you will need a different process to replicate virtual machines, such as Veeam, Zerto, VMware vSphere Replication or Site Recovery Manager.
• For Elastic Layers, SAN replication or a scripted copy can both work.
• It is also possible to use two ELM appliances, one in each site, and then use the import/export functionality added in App Layering 4.3 to keep those ELMs in sync from a layer perspective. Then you can treat DR separately and build images there from a local ELM.
• If two ELM appliances are being used, then the sync will transfer over the WAN to the SMB share defined in Settings and Configuration. Then the layers can be synchronized to the SMB share used in the second site using something like Robocopy, again using the /MIR switch.
• In the Dual ELM model, connectors and permissions for elastic shares must be created on each side.

Additional Resources:
• Enterprise Architect TechTalk: Citrix App Layering FAQ: https://www.citrix.com/blogs/2017/08/07/enterprise-architect-techtalk-citrix-app-layering-faq/


Creating Backups for Layers

• For standard (OS, Platform, Apps) layers, regular backups are important as with other forms of single-image management.
• Elastic and User layers have different requirements for backups. User layers are write-intensive where Elastic layers are read-only.
• Elastic and User layers require a highly available share, such as a File Server cluster or multiple head NAS devices.
• Backing up User Layers is more challenging than Elastic Layers, as the User Layer .vhd file is open and locked for writes whenever a user is logged on. Additionally, User Layers are large and change constantly.
• To back up User Layers, it can be done at block-level using SAN/NAS level replication (or NetApp’s SnapMirror), or when they are not in use.
• Elastic Layer shares can be synchronized with a script tool, such as a robocopy script using the /mir directive.

Key Notes:
• By default, user layers are stored on the same share as normal elastic layers. Most organizations will likely use a different file share or
even file server for user layers, one that is optimized for writes.
• If the user layer share is different from the elastic layer share user assignment will be defined by AD user groups.
• All Elastic layers are stored on the ELM in the layer repository. It is possible to re-publish all the elastic layers to a new file share if the
share were to require recreating but it is not quick or easy.
• Elastic layers are just .vhd files stored on the share. They are opened as read only, so it is fairly easy to back them up using a file system backup utility or a script.
• If your design includes two separate shares for elastic layers and you keep them in sync then a backup is probably not necessary since you also have a copy in the ELM and a backup of the ELM.
• Robocopy is not a great solution for User Layers, because even if you can lock the file to copy it you would have to copy a very large file every time. That means you will be much better off using something like SAN replication or NetApp’s SnapMirror to replicate the user layers locally, as a backup at a block level rather than copying the entire vhd file using something like robocopy.
• If you don’t have one of these advanced technologies it might work to spread the copy load over a couple of weeks so that there is not as much to copy every night. This could be scripted using PowerShell to ensure you get a backup at least once every x number of days.
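
The staggered User Layer backup suggested in the last note, as an added example that is not part of the course material: the page proposes PowerShell, and this sketch shows the same scheduling logic in Python. The share layout (`*.vhd` files anywhere under one share path), the state dictionary, the write-open probe for in-use files and all function names are assumptions.

```python
import hashlib
import shutil
from pathlib import Path


def bucket_for(rel_path, cycle_days):
    """Stable night (0..cycle_days-1) for a layer file, derived from its path."""
    digest = hashlib.sha256(rel_path.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % cycle_days


def due_tonight(rel_paths, day, cycle_days, retry):
    """Files in tonight's bucket plus files that were in use on their last attempt."""
    tonight = day % cycle_days
    return sorted(
        rel for rel in rel_paths
        if bucket_for(rel, cycle_days) == tonight or rel in retry
    )


def can_open_for_write(path):
    """Assumed in-use probe: a VHD mounted by a logged-on user refuses a
    write open. Nothing is written; the file is only opened and closed."""
    try:
        with open(path, "r+b"):
            return True
    except OSError:
        return False


def run_night(share, dest, day, cycle_days, state, is_free=can_open_for_write):
    """Copy tonight's share of the *.vhd files.

    state is {"last_ok": {rel_path: day}, "retry": set()} and is updated in
    place; persisting it between runs is left to the caller.
    """
    share, dest = Path(share), Path(dest)
    rel_paths = [p.relative_to(share).as_posix() for p in share.rglob("*.vhd")]
    copied, skipped = [], []
    for rel in due_tonight(rel_paths, day, cycle_days, state["retry"]):
        src, target = share / rel, dest / rel
        if not is_free(src):
            state["retry"].add(rel)          # try again tomorrow night
            skipped.append(rel)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        partial = target.with_name(target.name + ".partial")
        shutil.copy2(src, partial)           # copy first, then swap in, so a
        partial.replace(target)              # failed copy keeps the old backup
        state["last_ok"][rel] = day
        state["retry"].discard(rel)
        copied.append(rel)
    return copied, skipped


def overdue(rel_paths, day, cycle_days, last_ok, first_day=0):
    """Files with no successful copy within the last cycle_days nights.
    Call after run_night; a non-empty result is worth an alert."""
    return sorted(
        rel for rel in rel_paths
        if day - last_ok.get(rel, first_day - 1) >= cycle_days
    )
```

A file that is locked on its scheduled night is retried every following night until it copies, and `overdue` reports any file that has gone a full cycle without a successful backup.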

Additional Resources:
• Enterprise Architect TechTalk: Citrix App Layering FAQ: https://www.citrix.com/blogs/2017/08/07/enterprise-architect-techtalk-citrix-app-layering-faq/


ELM Server Periodic Updates
Considerations for Updating The ELM Server

[Diagram: Periodic Updates. Labels: Layer Management, Citrix Layering Management, Enterprise Layer Manager (ELM), Update Package, Download, Citrix.com/Downloads, Saved Update Package, Network Share.]

Key Notes:
• The App Layering upgrade process is partially automated. The appliance periodically checks for upgrades, and downloads available
packages to your appliance.
• When an administrator performs the next logon to the App Layering console, a message indicates that an upgrade is ready to install.
• As an administrator you can choose to:
• Start Upgrade: Run the App Layering appliance software upgrade. (Administrators only.)
• Remind Me Later: Wait seven days before reopening the message. Applies to individual users’ desktops.
• Close: Dismisses the message, so you can manually start the upgrade later using System tab > Manage Appliance > Upgrade.
• Only an administrator can run the upgrade. Users who do not have administrator privileges cannot start the upgrade, but they can select Remind Me Later to postpone the next upgrade message for seven days.
• When an upgrade is available, every user receives a notification when they log into the App Layering console.
• An Administrator may receive various upgrade messages:
• If an update is not available: Nothing happens. Another check is made at the next scheduled interval.
• If an update is available, but there is no network file share configured: The user receives a message that there is an upgrade available and that the administrator needs to finish configuring a network file share before it can be downloaded and applied.
• If an update is available: A job is started to “Download Upgrade Media.” Then, if extraction is successful, the next time any user logs in they will be notified that an upgrade is available.
• If another update is found before a previously downloaded one is installed - The new upgrade is downloaded, and once successfully completed, becomes the “Upgrade Available.”
• If one upgrade is downloading when another is made available - The running download is aborted and a new download is started. All files related to the in-progress download are deleted.
• Before an administrator performs an upgrade of the appliance, they should verify that a network file share has been configured. This can be done via the App Layering console, navigating to System > Settings and Configuration, and finding the network file share setting.
• An administrator should back up the appliance first.
• Periodic upgrades are usually adequate as they occur regularly; however, an administrator can run the Upgrade “manually” by going to the System tab and selecting the Upgrade action as before. If an upgrade is available, the Upgrade Disk appears.

Additional Resources:
• Upgrade: https://docs.citrix.com/en-us/citrix-app-layering/4/upgrade.html

Considerations for Updating the ELM Server
The ELM Server may not be the only component to update

[Diagram: Update the App Layering Agents. Labels: Layer Management, Citrix Layering Management, Enterprise Layer Manager (ELM), Updated; PVS Farm with PVS-1 and PVS-2, each with an App Layering Agent.]

Key Notes:
• An administrator should upgrade the App Layering agent (if the app layering agent is being used).
• To upgrade the App Layering agent:
1. Make sure that you have copied the App Layering agent upgrade file to the server(s) where the agent is installed.
2. Double-click the agent upgrade file, and follow the instructions for upgrading the agent.

Additional Resources:
• Upgrade: https://docs.citrix.com/en-us/citrix-app-layering/4/upgrade.html


Lesson Objective Review

What is the primary difference between standard layers compared to User or Elastic layers when choosing a backup plan of action?

The OS, App, and Platform Layers are kept in a library folder structure on the ELM appliance storage, whereas Elastic and User layers require a File Server cluster or multiple head NAS device.


Lab Exercise Prep

• Please Take a Moment and Provision Your Lab For Module 7

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Common Citrix App Layering Considerations and Additional Resources


Layering Anti-Virus
Anti-Virus Considerations

• Anti-Virus is an app and can be installed into the App or OS Layer (App Layers are recommended).
• The decision to enable updates, or the consideration of where to save them does not change in a Citrix Virtual Apps and Desktops environment when you integrate with App Layering.
• All layers are read only.
• App Layering creates the VM or vDisk used to build the catalogs.

Key Notes:
• The decision to use Anti-Virus does not change when integrating Citrix Virtual Apps and Desktops with App layering.
• The decision to enable Anti-Virus updates or the consideration of where to save them does not change when integrating Citrix
Virtual Apps and Desktops with App layering.
• Remember:
• All OS, Platform, App and Elastic layers are read only.

• The Layered Image is Read Only
• We use these layers to merge into complete VMs or vDisks to build masters for MCS and PVS catalogs.
• When you deploy anti-virus software in an App Layering layer, you have two options for deploying the anti-virus updates:
• You can enable auto updates, and store the updates in the user's Personalization Layer. This is ideal if auto updates occur daily.
• Disable auto updates, and redeploy the layer for each update. This requires updating the layer whenever you install new updates.

Additional Resources:
• Layer antivirus apps: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html


Layering Microsoft Office
Microsoft Office and Office 365 Considerations

• Can be installed into an App or OS Layer (App Layers are recommended).
• Should be installed from an ISO or Network share.
• Is generally easy to install into a layer, with activation being a primary complexity.
• Starting with Office 2013 both KMS and MAK activation for Windows 7, as well as AD Activation are supported.
• Should be created with separate layers for each full set of Office apps you use. If separate Office layers are used, include the Base.separats
• Will require you to run the ngen process, as Office makes heavy use of .NET.
• Will need to be rearmed after installation completes and before Finalizing. \Rearm off

Key Notes:
• Microsoft Office is generally easy to install into a layer, and, if it will be used by itself, there are not many complexities other than
activation.
• This information covers all versions of Office between Office 2010 and Office 365.
• If you use Office Add-ons, these should be included in the office layer, but can sometimes be installed in different layers with Office
checked as a prerequisite layer during layer creation.
• It is recommended to create separate layers for each full set of Office apps you will distribute: For example:

• Office 2010 Standard (standalone)
• Office 2010 Standard, Visio 2010
• Office 2010 Standard, Project 2010
• Office 2010 Standard, Visio 2010, Project 2010
• For App Layering 4.x:
• If a company's licensing setup for Visio and Project allows all your users to access these two applications, then a single layer can be created with all of Office and added to your image.
• If your company needs a smaller set of users to have access to Visio and Project then you must create a second layer for Office, Visio and Project, and include that on a separate Layered image.
• Running Visio and Project as elastic layers will cause issues with broker sessions or a reconfigure when the applications are run because of the way Office Apps update the Windows store.
• Alternatively, you can use Visio and Project as published apps on XenApp.
• Licensing Considerations:
• All of the Office products share a licensing file and the method of activation. For KMS licensing, activation can be automated or activation can be performed on first use.
• When the first Office application is run for the first time on a desktop it creates a CMID for the application on that desktop that uniquely identifies the application instance for licensing. Therefore, when packaging Office for an image installation as we do with App Layering, the best option is to rearm the Office deployment before finalizing. This will reset any licensing information to allow an image deployment.
• If you are using MAK keys and not KMS, then activation must be run on each desktop after the layer has been deployed. You can activate on the desktop using the ospp.vbs script or using the Volume Activation Management Tool (VAMT 2.0/3.0).
• Microsoft has changed activation with Office 2013, allowing KMS and MAK activation for Windows 7, along with AD Activation. When using AD Activation it will tie the account to the machine it is activated on.
• In 4.x a layered image is created and then deployed using a provisioning system. For Citrix MCS and Horizon View Linked clones the Master Image/Parent VMs should have Office Applications activated before they are snapshotted for deployment. The included Citrix activation scripts will activate Office when the Master Image/Parent VM is first booted.
• Office Activation scripts have been included in conjunction with the Citrix optimizer for a long time. However they are often updated. When you upgrade App Layering versions it is recommended to also upgrade the scripts that come with our gold tools self extracting zip.
• Updating the scripts in the OS layer allows you to use them for all the Office layers you might want to use. For Office the utility provides the ability to activate Office during or after the build using KMS by just selecting the appropriate checkbox when creating the layer. MAK is also supported but not recommended.
• When using non-persistent desktops activation must be performed during setup or on every machine boot. Otherwise it will happen each time an Office application is run for the first time. This is primarily an issue with MAK activation, as KMS does not care how many times you reactivate a version of Office.

• Installation:
  • To create application layers for Office, Visio and Project:
  • To create the application layer for Office 2010, 2013, and 2016:
    1. You start the Create an Application layer wizard and enter all the required information, such as the name of the layer.
    2. Install desired Office Apps from ISO on the temp VM created.
    3. Enable any Windows Updates and patch Office, then disable Windows Updates.
    4. Run ngen 32 bit and 64 bit (ngen update).
    5. Reboot the machine.
    6. Run the Optimizer tool using the RunOptimizer.cmd, and activate "MS Office via KMS" or "Process Office 365".
    7. Rearm Office.
    8. Shut down for Finalize.
  • To create a layer using Office 365: Office 365 can be installed with a standalone downloader or using the Office Deployment Toolkit. For Citrix App Layering deployments, we require that the Office Deployment Toolkit is used.
    1. You start the Create an Application layer wizard and enter all the required information, such as the name of the layer.
    2. Download and install the Office Deployment Kit.
    3. Create a configuration.xml to meet your needs.
    4. Open an admin CMD prompt changed to the ODK folder and run
    5. From the same CMD window run Setup.exe /configure configuration. - This will install o365.
    6. Run ngen 32 bit and 64 bit (using ngen update see detail section below)
    7. Reboot
    8. Run the Optimizer tool using "Activate MS Office via KMS" or "Process Office 365".
    9. When using Windows 10, Windows 2012 R2 or Windows 2016, and also Office 2013, 2016 or 365, verify that the Optimizer tool displays the message "Microsoft Office preparation script ran successfully" after saving. If it does not, you must manually run: C:\windows\setup\scripts\Office2013Windows81_PREP.cmd.
    10. Finalize Layer
• General Considerations:
  • If you choose not to activate using a script and the version of the Office product you want to deploy is different from the version your installer installs by default, you can change the version using the ospp.vbs script (Office Software Protection Platform).
  • The Citrix Office Activation script (OfficeActivate.cmd) has all of these commands built in for all Office products using Office 2010, Office 2013 and Office 2016. Use the appropriate command for your situation.
  • If you are using these tools, just run the App Layering Optimization Builder utility and choose which Office applications are installed in the layer. The script will handle entering the product key and activating all the Office applications included in the layer.
  • For Office 365:
    1. To update Office 365, you can create a whole new Office Layer based on the current distribution or add a version to your existing Office layer and update that.
    2. When going from one version of Office to another (i.e. 2013 to 2016) it is highly recommended that a new Layer is created rather than upgrading an existing layer inside of a version.
  • There are a few things to think about on non-persistent desktops, including activation, registration and GPO settings. These are discussed in the sections below. Activation
  • Registration: If you plan on deploying more than one Office version to the same desktops and you receive the message "Please wait while Windows Configures Microsoft Office", you should consider setting these registry options in the default profile. The "NoReReg" option tells Windows not to re-register the Office programs and their associations. This is very important in a non-persistent environment because the users will see this warning every time they open an Office application after logon. But it also pertains to persistent desktops when using multiple versions of Office.

Additional Resources:
• How to Setup Office with App Layering (Recipe): https://support.citrix.com/article/CTX224566
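
The CMID and rearm notes above can be verified after a layered image is deployed. The following is an added example, not part of the course material or of the Citrix scripts: it parses one licensing report per desktop and flags desktops that share a CMID (a sign that Office was not rearmed before the layer was finalized) or that are not activated. The report text is constructed, and its line labels are assumptions modelled on ospp.vbs reports.

```python
"""Audit Office licensing reports collected from layered desktops (added example)."""
import re
from collections import defaultdict

# Constructed sample reports keyed by desktop name. This is not captured tool
# output; the line labels are assumptions modelled on ospp.vbs reports.
SAMPLE_REPORTS = {
    "VDI-001": (
        "LICENSE NAME: Office 16, Office16ProPlusVL_KMS_Client edition\n"
        "LICENSE STATUS:  ---LICENSED---\n"
        "Client Machine ID (CMID): 11111111-aaaa-4bbb-8ccc-000000000001\n"
    ),
    "VDI-002": (  # same CMID as VDI-001, different letter case
        "LICENSE NAME: Office 16, Office16ProPlusVL_KMS_Client edition\n"
        "LICENSE STATUS:  ---LICENSED---\n"
        "Client Machine ID (CMID): 11111111-AAAA-4BBB-8CCC-000000000001\n"
    ),
    "VDI-003": (
        "LICENSE NAME: Office 16, Office16ProPlusVL_KMS_Client edition\n"
        "LICENSE STATUS:  ---OOB_GRACE---\n"
        "Client Machine ID (CMID): 22222222-aaaa-4bbb-8ccc-000000000002\n"
    ),
    "VDI-004": (  # MAK install that was never activated on this desktop
        "LICENSE NAME: Office 16, Office16ProPlusVL_MAK edition\n"
        "LICENSE STATUS:  ---NOTIFICATIONS---\n"
    ),
}

# Assumed line formats; adjust to what your Office version prints.
PATTERNS = {
    "license_name": re.compile(r"^LICENSE NAME:[ \t]*(.+?)[ \t]*$", re.M),
    "status": re.compile(
        r"^LICENSE STATUS:[ \t]*-*[ \t]*([A-Z_]+)[ \t]*-*[ \t]*$", re.M),
    "cmid": re.compile(
        r"^Client Machine ID \(CMID\):[ \t]*([0-9A-Fa-f-]{36})[ \t]*$", re.M),
}


def parse_report(text):
    """Extract licence name, status, CMID and channel from one report."""
    text = text.replace("\r\n", "\n")  # reports captured on Windows use CRLF
    rec = {}
    for field, pattern in PATTERNS.items():
        match = pattern.search(text)
        rec[field] = match.group(1) if match else None
    if rec["cmid"]:
        rec["cmid"] = rec["cmid"].lower()  # GUID case is not significant
    name = (rec["license_name"] or "").upper()
    rec["channel"] = "KMS" if "KMS" in name else "MAK" if "MAK" in name else "UNKNOWN"
    return rec


def audit(reports):
    """Return sorted (desktop, code, detail) findings for a set of reports."""
    records = {host: parse_report(text) for host, text in reports.items()}
    hosts_by_cmid = defaultdict(list)
    for host, rec in records.items():
        if rec["cmid"]:
            hosts_by_cmid[rec["cmid"]].append(host)

    findings = []
    for host, rec in records.items():
        peers = hosts_by_cmid.get(rec["cmid"], [])
        if len(peers) > 1:
            others = ", ".join(sorted(h for h in peers if h != host))
            findings.append((host, "SHARED_CMID",
                             f"same CMID as {others}; rearm Office before finalizing the layer"))
        elif rec["channel"] == "KMS" and rec["cmid"] is None:
            findings.append((host, "NO_CMID", "KMS client reported no CMID"))
        if rec["status"] != "LICENSED":
            code = {"KMS": "KMS_NOT_ACTIVATED",
                    "MAK": "MAK_NOT_ACTIVATED"}.get(rec["channel"], "NOT_ACTIVATED")
            findings.append((host, code, f"license status is {rec['status']}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, code, detail in audit(SAMPLE_REPORTS):
        print(f"{host}: {code}: {detail}")
```
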

App Layering Recipes & Documentation

Certain applications require more detailed instructions in use with layering.

Sample List:
• Adobe Reader
• Appsense Agent
• Chrome
• Java
• MS Office, including Office 365
• Quickbooks
• vGPU in VMware View
• And more …

Key Notes:
• In most cases, you can layer applications without any issues. However, there are some applications that require more detailed
instructions, and many of these are provided in the form of recipes, which provide step-by-step guidance on the specific installation
and configuration settings for the application so that it can be successful in a layered environment.
• These recipes apply to all App Layering 4 releases.
• Some of the primary applications that fall into this recipe category (the CTX docs have specific installation instructions for each of these; see some examples under Additional Resources below):
  • Adobe Reader
  • Appsense
  • Bit9
  • Chrome
  • Dropbox
  • Firefox
  • Gimp
  • IBM SPSS 21 Licensing Server
  • Internet Explorer 10
  • Java
  • MS Office, including Office 365
  • Print Server
  • QuickBooks
  • SAS Enterprise
  • SCCM 2012 Client
  • Solidworks
  • Symantec Encryption Desktop Recipe
  • USB Drivers With VMware Horizon View 5.X
  • VMware Horizon View Agent
  • VMware View dragging windows between monitors
  • vGPU in VMware View

Additional Resources:
• App Layering Recipes: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/app-layering-recipes.html
• How to Setup Office with App Layering (Recipe): https://support.citrix.com/article/CTX224566
• Adobe Reader Recipe: https://support.citrix.com/article/CTX223969


App Layering Labs

What are they?

• App Layering Labs are new features that are in the early versions and are planned for future release.

Key Notes:
• App Layering Labs (also just known as “Labs”) are features of Citrix App Layering that are:
  • In the early versions and are planned for future releases.
  • These features are usually disabled by default with the release.
  • It is always recommended not to enable or use any of these features in a production deployment.
• So what is the value of these features here?
  • We can test the latest and greatest.
  • There’s a chance that through testing there’s a feature you want to play with, to prepare for the eventual full version release.
  • These labs are a good way to see what could be coming soon.
  • Each What’s new release has a section documenting the latest updates or additions to App Layering Labs.

Additional Resources:
• Enable Labs features: https://docs.citrix.com/en-us/citrix-app-layering/4/configure/enable-labs-features.html
• What’s new in App Layering 4 2005: https://docs.citrix.com/en-us/citrix-app-layering/4/whats-new/20-5.html


Lesson Review

Starting with Office 2013, what forms of license activation can be used?

KMS, MAK, and AD


Lab Exercise
Module 7



Lab Exercise

• 7-1: Update an Existing App Layer
• 7-2: Create a Conflicting Layers Template
• 7-3: Update the MCS Catalog
• 7-4: Test the New Virtual Machine
• 7-5: Delete an App Layer


Key Takeaways

• Layer Priority addresses conflicts between two app layers sharing a file.
• The process for updating all standard layers is very similar.
• Backing up the layer library store on the virtual appliance protects a large part of the layering infrastructure.
• MS Office and Office 365 have special considerations when used with app layering, specifically as related to license activation and installation.


Citrix App Layering and WEM Administration

Introduction to Workspace Environment Management (WEM)

Module 8


Learning Objectives

• Explain the purpose and benefits of a WEM solution.
• Describe the roles of each of the components required for a WEM on-premises deployment and how the WEM Administration console is used for managing the deployment.
• Describe the roles of each of the components required for a WEM Service deployment and how the WEM Service Manage console is used for managing the deployment.
• Describe the communications workflow between components in a WEM on-premises deployment.
• Describe the communications workflow between components in a WEM Service deployment.


WEM Features and Benefits


What is Workspace Environment Management (WEM)?

• A software solution that utilizes powerful Resource Management and User Environment Management technologies for Citrix Virtual Apps and Desktops deployments, resulting in optimized performance and app response times, while helping to maintain the best possible logon performance for Users.
• Available for on-premises Citrix Virtual Apps and Desktops deployments.
• Citrix WEM Service is available for Citrix Cloud deployments, when used with Citrix Virtual Apps and Desktops Service and Citrix Endpoint Management (CEM) deployments.

Key Notes:
• Citrix WEM is a software solution that utilizes powerful Resource Management and User Environment Management technologies for
Citrix Virtual Apps and Desktops deployments, resulting in optimized performance and app response times, while helping to maintain
the best possible logon performance for Users.
• Citrix WEM is available for on-premises Citrix Virtual Apps and Desktops deployments.
• Citrix WEM Service is available for Citrix Cloud deployments, when used with Citrix Virtual Apps and Desktops Service and Citrix
Endpoint Management (CEM) deployments.



WEM Features & Benefits

| Category | Features | Benefits |
|---|---|---|
| System Optimization | CPU optimization; Memory management; Disk I/O optimization | Aggregate more user sessions on Windows multi-session OS VDAs; Improve HDX session user experience with single-session OS and multi-session OS VDAs |
| Logon Optimization | User Assigned Actions; Citrix Profile Management | Reduce session logon durations |
| Security | AppLocker | Secure user access to apps & installs |
| Transformer | Provide web pages, apps & desktops in a controlled kiosk environment | Turns physical machines into kiosks accessed by multiple users |
| WEM Administration | WEM Administration Console (on-premise); WEM Service Manage (Citrix Cloud) | Centralize environment management |
| Monitoring and Reporting | Daily Reports, User & Device Reports; User Trends | Monitoring and reporting for users and WEM Agent machines |

Key Notes:
• System Optimization:
  • WEM System Optimization settings monitor user and application behavior in real time, and then use this information to proactively adjust system resources, such as RAM, CPU, and disk I/O, to provide the most optimized overall experience for users, as well as ensuring that each user does not consume more resources than needed.
  • WEM analyzes each individual application process being used within a user session and determines if the RAM currently allocated to that specific application is needed at that time. If not, it will “ask” Windows to re-allocate the RAM resource to other application processes that need it.
  • This will allow you to aggregate more user sessions on Windows multi-session OS VDAs, and improve the HDX session user experience for single-session OS and multi-session OS VDAs.
• Logon Optimization:
  • Helps to provide the best possible logon performance by using an Agent that applies changes to a user environment only when required; this helps to ensure users get access to their desktop as quickly as possible.
  • Features that contribute to reduced session launch durations are:
    • User Assigned Actions
    • Citrix Profile Management configured through WEM
• Security:
  • Microsoft Windows AppLocker security is normally configured locally or through Group Policy. WEM enhances AppLocker security by centralizing configuration and adding the ability to bulk manage machines.
• Transformer:
  • When the WEM Agent is installed and set to Transformer mode, it turns a physical machine into a kiosk accessed by multiple users.
  • Once the user logs on, WEM can be configured to provide web pages, apps & desktops; all in a controlled kiosk environment.
• WEM Administration:
  • An on-premises WEM deployment is managed centrally using the WEM Administration Console.
  • Similarly, a WEM Service deployment is managed centrally through the Citrix Cloud portal webpage, using the WEM Service’s Manage tab.
• Monitoring and Reporting:
  • Machines with a WEM Agent installed synchronize their user and logon statistics, Agent and device information, and boot statistics with the WEM deployment database.
  • The information can be displayed in the WEM Administration Console or the WEM Service Manage tab for monitoring purposes, or exported as reports.


Lesson Review

List the two benefits of WEM System Optimization.

Aggregate more user sessions on Windows multi-session OS VDAs.

Improve HDX session user experience with single-session OS and multi-session OS VDAs.


WEM On-Premises Components and Deployments


WEM On-Premises Components

Overview:
• The WEM system components are marked in the diagram with a green Citrix symbol.
• An on-premises WEM deployment is used to optimize and secure VDAs and kiosk machines in an on-premises Citrix Virtual Apps and Desktops Site.

[Diagram: WEM on-premises components. Labels: Management (WEM Administration Console); AD Integration (Active Directory); WEM Infrastructure Servers; WEM Database on SQL Server (SQL Transaction); WEM Agent on VDA and on Physical Transformer Kiosk (Synchronization); User/Endpoint with Citrix Workspace app (HDX Session).]

Key Notes:
• The WEM system components are marked in the diagram with a green Citrix symbol. In addition to the WEM components, a WEM deployment requires a Microsoft Active Directory domain and Microsoft SQL Server.
• An on-premises WEM deployment is used to optimize and secure VDAs and kiosk machines in an on-premises Citrix Virtual Apps and Desktops Site.

Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html

WEM On-Premises Components

WEM Agent:
• Applies the system optimization, logon optimization, security, and user experience settings.
• Settings are synchronized from the WEM Infrastructure Server.
• Web proxy is supported and configured by GPO.
• Agent installed on VDAs or physical kiosk machines (Transformer)

[Diagram: WEM on-premises components]

Key Notes:
• WEM Agent: The WEM Agent applies the system optimization, logon optimization, security, and user experience WEM settings to the WEM Agent machines and the users that access them.
  • The WEM Agent applies WEM settings retrieved from the WEM Infrastructure Server, or from local caches.
  • The WEM Agent maintains local caches to reduce logon times and as a fallback if the Agent cannot connect to the WEM Infrastructure Server.
  • Web proxies are supported for communications between Agent and WEM Infrastructure Server. WEM proxy configuration is set through a GPO ADMX template provided in the WEM install media.
  • The WEM Agent can be installed on a Windows Desktop OS or Windows Server OS virtual machine.
  • The WEM Agent can also be installed on a physical Windows machine; usually on a kiosk machine that many different end users have access to.

Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html
• Agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html


WEM On-Premises Components

WEM Database:
• The WEM settings are stored in the WEM database, on a Microsoft SQL Server instance.
• For high-availability (HA), WEM supports SQL Always On availability groups on Windows Server Failover Cluster (WSFC) nodes.

[Diagram: WEM on-premises components]

Key Notes:
• WEM Database: The WEM settings are stored in the WEM database, on a Microsoft SQL Server instance.
• For high-availability (HA), WEM supports SQL Always On availability groups on Windows Server Failover Cluster (WSFC) nodes.

Additional Resources:
• Create a Workspace Environment Management Database: https://docs.citrix.com/en-us/workspace-environment-management/2003/install-and-configure/infrastructure-services.html#create-a-workspace-environment-management-database
• SQL Server Always On: https://docs.citrix.com/en-us/workspace-environment-management/current-release/system-requirements.html#sql-server-always-on


WEM On-Premises Components

WEM Administration Console:
• Also known as the WEM Console.
• The WEM Console is a management interface where all system optimization, logon optimization, security, and user experience WEM settings are configured.

[Diagram: WEM on-premises components]

Key Notes:
• WEM Administration Console: Also known as the WEM Console. The WEM Console is a management interface where all system optimization, logon optimization, security, and user experience WEM settings are configured.
  • The WEM Console accesses the WEM database by first connecting to the WEM Infrastructure Server. Once connected, the WEM Console displays all configured WEM settings, and any changes made to WEM settings are written to the WEM database via the WEM Infrastructure Server.
  • WEM Agents automatically synchronize their WEM settings, but when needed, settings can be manually pushed to the Agent from the Console through the WEM Infrastructure Server.

Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html
• Administration console: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/admin-console.html


WEM On-Premises Components

Active Directory (AD) Integration (1/2):
All deployments must include an AD domain.
• The computer accounts for the WEM Agent Windows OS machines must be members of an AD domain.
• WEM Infrastructure Server validates accounts with AD and reads AD to push user WEM settings out to users.

[Diagram: WEM on-premises components]

Key Notes:
• Active Directory domain: All WEM deployments must include an Active Directory domain.
  • The computer accounts for the Windows OS machines on which the WEM Agent has been installed must be members of an Active Directory domain within the same AD structure.
  • The WEM Agents, WEM Infrastructure Servers, and the WEM Administration Console all need to communicate with Active Directory.
  • The WEM Infrastructure Server validates accounts with Active Directory and reads Active Directory user account information to push user WEM settings out to users.

Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html


WEM On-Premises Components

AD Integration (2/2):
• Components must have domain membership within the same AD structure.
• WEM components contact AD frequently.
• AD Global Catalog Servers (GCS) are key to optimized object lookups.
• Without GCSs, WEM components fall back to trawling through all domain controllers.

[Diagram: Active Directory Structure. Labels: AD Forest A and AD Forest B joined by a Two-way Forest Trust; AD Global Catalog Servers (GCS); WEM Deployment (WEM Infrastructure Servers, WEM Administration Console, WEM Agents).]

Key Notes:
• All machines on which WEM components are installed must have membership in a domain within the AD structure and must be able to traverse domains and forest trusts within the AD structure.
• All users that are part of the WEM deployment must also have their AD user account membership within the same AD structure.
• WEM components in a deployment contact AD frequently. To optimize AD lookups by WEM components, WEM is designed to contact AD Global Catalog Servers (GCS).
  • A GCS holds records and partial records of all domains within a single AD domain forest or multiple AD forests joined by two-way forest trusts. One-way forest trusts are not supported by WEM.
  • WEM AD search optimization is achieved by reading a GCS, or multiple GCSs in parallel.
  • If no GCS can be contacted, WEM components will fall back to trawling through each domain controller in turn. This should be avoided as it can cause lengthy search retrieval of AD objects, if the AD structure is complex.
  • It is important to have a GCS or GCSs close to a WEM deployment.


WEM On-Premises Components

WEM Infrastructure Server:
• Also known as the WEM Broker.
• Central component of any WEM deployment.
• Retrieves WEM settings from the WEM database for the WEM Agents and the WEM Console.
• Reads computer and user accounts from AD.
• Manages the status of WEM Agents.

[Diagram: WEM on-premises components]

Key Notes:
• WEM Infrastructure Server: The WEM Infrastructure Server is also known as the WEM Broker.
  • It is the central component of any WEM deployment.
  • It communicates with the WEM database on SQL Server to retrieve and write WEM settings and WEM data for the WEM Agents and the WEM Console.
  • Neither the Console nor the Agents communicate directly with the WEM database instance on SQL.
  • Only the WEM Infrastructure Server has direct access to the WEM database and performs SQL transactions on behalf of the Agents and the Console when required.
  • For resiliency, the Infrastructure Server maintains a local cache of the WEM database that is updated on a schedule.
  • The WEM Infrastructure Server reads computer and user accounts from Active Directory.
  • It manages the status of WEM Agents and writes the status to the WEM database.

Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html


WEM On-Premises Components

WEM Infrastructure Server High Availability (HA):
• Multiple WEM Infrastructure Servers can be accessed through a Citrix ADC for load balancing or for failover purposes.
• The WEM Console and WEM Agents would point to the Citrix ADC, rather than to the WEM Broker directly.

[Diagram: WEM on-premises components, with a Citrix ADC (load balancing) in front of the WEM Infrastructure Servers]

Key Notes:
• WEM Infrastructure Server – High Availability:
  • For high-availability (HA), multiple WEM Infrastructure Servers can be accessed through a Citrix ADC for load balancing or for failover purposes.
  • If a Citrix ADC is used for load balancing multiple WEM Infrastructure Servers, the WEM Console and WEM Agents would point to the Citrix ADC, rather than to the WEM Broker directly.

Additional Resources:
• Load balancing (WEM Infrastructure Servers) with Citrix ADC: https://docs.citrix.com/en-us/workspace-environment-management/current-release/reference/load-balancing-with-citrix-adc.html


WEM On-Premises Components

Users:
• WEM deployment creates a user experience that aligns with user productivity requirements and an organization’s security requirements.
• Launch apps and desktops hosted by VDAs that have the WEM Agent installed.
• Log on to a physical Windows kiosk machine that has the WEM Agent installed and set to Transformer mode.

[Diagram: WEM on-premises components]

Key Notes:
• Users: A major goal of a WEM deployment is the ability to create a user experience that aligns with both a user’s productivity requirements and an organization’s security requirements.
• There are two ways users access resources optimized by a WEM deployment:
  • Launching apps and desktops hosted by VDAs that have the WEM Agent installed.
  • Logging on to a physical Windows kiosk machine that has the WEM Agent installed and set to Transformer mode.

Additional Resources:
• Part 1: WEM System Optimization: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
• Part 2: WEM Logon Optimization: https://www.citrix.com/blogs/2018/11/19/part-2-wem-logon-optimization-engage-computers-prepare-for-warp-speed/


The WEM Administration Console (On-premises)

To manage an on-premises WEM deployment:
• Add WEM Agent Machines
• Add users
• Create and Assign Resources
• Manage Policies
• Delegate admin roles
• Migrate Agents to WEM Service

Key Notes:
• The WEM Administration Console is used to manage a WEM on-premises deployment. There are many WEM administrative tasks, and the main ones are listed here:
  • WEM settings are applied to machines with WEM Agents installed. The AD computer accounts for these machines, individually or by OU, are added to the WEM deployment using the console.
  • WEM settings can also be applied to users. The AD user accounts, or the AD Security Groups containing user accounts, are added to the WEM deployment using the console.
  • Creating and assigning resources to users and groups of users, such as printers and network drives, can be configured using the console.
  • Typical GPO user experience and Windows control settings are managed through policy settings in the console. Citrix Profile Management can also be configured.
  • WEM full administrators can assign users scope-based WEM administration roles, allowing these delegated administrators to perform specific tasks using the console.
  • Migrate WEM Agents to WEM Service
• The WEM Administration Console can be installed on a Windows client or server operating system.
  • Initial use requires selecting a WEM Infrastructure Server to connect to and the TCP communications port to use.
  • The default connection port is TCP 8288.
  • These settings can be saved for auto-connection when launching the console again.
• The Administration Console is currently the single point to manage a WEM infrastructure; there are no PowerShell or command-line capabilities at this time.
  • Note: PowerShell commands can be used to create and upgrade the WEM database and perform tasks on the Infrastructure service.
• Once the WEM Administration Console is connected to a WEM Broker, all changes are synchronized through the WEM Broker and saved to the WEM database instance.

Additional Resources:
• Administration Console: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/admin-console.html


Lesson Review

What are the roles of the WEM Infrastructure Server in a WEM on-premises deployment?

It is the central component of any WEM deployment.

It retrieves WEM settings from the WEM database for the WEM Agents and the WEM Console.

It reads computer and user account information from Active Directory.

It manages the status of WEM Agents.


WEM Service Components and Deployments


WEM Service - Components Overview

[Diagram: WEM Service components overview. Citrix Cloud-managed: WEM Service Manage console, WEM Service Infrastructure Services, WEM Database on Citrix Cloud Azure SQL Server. Customer-managed (on-premises): Active Directory, Citrix Cloud Connectors, VDA with WEM Agent, user/endpoint with Citrix Workspace app. Link labels: Management, AD Integration, Connection Details, SQL Transaction, HDX Session, Synchronization over HTTPS.]

Key Notes:
• Customer-managed components of a WEM Service deployment:
• WEM Agents: For clarity, the Transformer kiosk machine is not shown in the diagram. However, just like a WEM Agent installed
on a VDA, a Transformer kiosk machine still synchronizes its WEM settings with the WEM database, through the WEM
Infrastructure Services in Citrix Cloud.
• Microsoft Active Directory Server:
• Typically this is an on-premises, corporate Active Directory domain: VDAs with WEM Agents installed, Transformer kiosk
machines, and users will all be members of the corporate Active Directory domain.
• The WEM Infrastructure Service requires access to your Active Directory to push settings to users.
• The WEM Infrastructure Service communicates with your Active Directory using the Citrix Cloud Identity
service and services provided by the Citrix Cloud Connector.
• Cloud Connectors:
• In a WEM Service deployment, WEM Agents must retrieve connection details from the Cloud Connector
before communicating with the WEM Infrastructure Services.

• As mentioned earlier, a Citrix Cloud Connector is required to allow WEM Infrastructure Services to
communicate with WEM Agents and customer-managed Active Directory.
• You must install Citrix Cloud Connector on at least one machine in every resource location you are using.
• For continuous availability, install multiple Cloud Connectors in each of your resource locations.
• Citrix recommends at least two Cloud Connectors in each resource location to ensure high availability. If one
Cloud Connector is unavailable for any period of time, the other Cloud Connectors can maintain the
connection.
• Note: Strictly speaking, Citrix Cloud Connectors are co-managed by the customer and by Citrix. Customers are
responsible for installing and managing the Cloud Connector machines, while Citrix is responsible for providing
the automatic Cloud Connector software updates.
• Citrix Cloud-managed components of a WEM Service deployment:
• WEM Infrastructure Services:
• Communicates with the WEM database on SQL Server to retrieve and write WEM settings and WEM data for
the WEM Agents and the WEM Console.
• This means that neither the Console nor the Agents communicate directly with the WEM database instance on
SQL – it is the WEM Infrastructure Server that performs the SQL transactions on their behalf when requested.
• Citrix ensures that sufficient infrastructure services are provided on Citrix Cloud.
• WEM Service Manage console:
• Used by WEM administrators to manage a WEM Service deployment.
• Azure SQL Database:
• The WEM Service database is stored in a Microsoft Azure SQL Database service, deployed in an elastic pool.

Additional Resources:
• Workspace Environment Management Service: https://docs.citrix.com/en-us/workspace-environment-management/service.html


WEM Service
A Citrix Cloud Service

• WEM Service is used with a Citrix Virtual Apps and Desktops Services Site.
• Can be deployed as US-based and EU-based instances in Citrix Cloud.

• WEM Service provides the same resource and logon optimizations as an on-premises WEM
deployment.

Key Notes:
• A WEM Service deployment is used with a Citrix Virtual Apps and Desktops Services Site.
• Currently, a WEM Service can be deployed as US-based and EU-based instances in Citrix Cloud.
• A WEM Service deployment provides the same resource and logon optimizations as an on-premises WEM deployment.

Additional Resources:
• Workspace Environment Management Service: https://docs.citrix.com/en-us/workspace-environment-management/service.html



WEM Service
On-Premises WEM vs. WEM Service

• Differences between on-premises WEM and WEM Service:


• WEM Agents are installed on VDAs that are part of a CVAD Service deployment’s resource location.
• Citrix Cloud Connectors are required.

• Infrastructure Services, WEM database, and the WEM administration console are all managed by Citrix Cloud.
• WEM Agents communicate with WEM Infrastructure Services over an internet connection using HTTPS.

Key Notes:
• From a component point-of-view, the differences between on-premises WEM and WEM Service deployments are that:
• The VDAs that WEM Agents are installed on are part of a Citrix Virtual Apps and Desktops Service deployment’s resource
location.
• WEM Service deployments require Citrix Cloud Connectors – on-premises WEM deployments do not.
• Infrastructure Services, WEM database, and the WEM administration or Manage console are all managed by Citrix Cloud. All
components in an on-premises WEM deployment are managed by customers.

• WEM Agents need to communicate to WEM Infrastructure Services over an internet connection and do so
securely over HTTPS. In a WEM on-premises deployment, Agent to WEM Infrastructure Server communications
use Windows Communication Foundation (WCF) over TCP.
• Just as with on-premises WEM Agents, a web proxy is supported and set through a GPO ADMX template.

Additional Resources:
• Workspace Environment Management Service: https://docs.citrix.com/en-us/workspace-environment-management/service.html


WEM Service
Benefits Over On-Premises WEM

• The benefits of a WEM Service deployment over an on-premises WEM deployment:


• Citrix takes care of the maintenance, upgrading, availability, and security of the WEM Infrastructure Services,
WEM Manage console, and WEM database.

• This greatly reduces the administrative overhead.
• Customers only need to manage the WEM Agents and Citrix Cloud Connectors.

Key Notes:
• The benefits of a WEM Service deployment over an on-premises WEM deployment are that:
• Citrix takes care of the maintenance, upgrading, availability, and security of the WEM Infrastructure Services, WEM Manage
console, and WEM database.
• This greatly reduces the administrative overhead when compared with on-premises WEM deployments.
• Customers only need to manage the WEM Agents and Citrix Cloud Connectors.

Additional Resources:
• Workspace Environment Management Service: https://docs.citrix.com/en-us/workspace-environment-management/service.html


The WEM Service Manage Console (Citrix Cloud)

WEM Service Manage console is used to manage a WEM Service deployment:

• No delegated admins and no migration functionality
• Add WEM Agent Machines
• Add users
• Create and Assign Resources
• Manage Policies

Key Notes:
• The WEM Service Manage console is used to manage a WEM Service deployment.
• There are only cosmetic differences between the on-premises WEM Administration Console and the WEM Service Manage console
in Citrix Cloud.
• Functionality is almost identical between the two consoles. However, the main differences are that:
• There is no facility in the WEM Service Manage console to migrate WEM Agents from a WEM Service deployment to an
on-premises WEM deployment.
• There is no support for delegated administrators, meaning anyone logging into the Citrix Cloud portal has full
administrative access to the WEM Manage console.
• There are many WEM administrative tasks, and the main ones are listed here:
• WEM settings are applied to machines with WEM Agents installed. The AD computer accounts for these machines,
individually or by OU, are added to the WEM deployment using the console.
• WEM settings can also be applied to users. The AD user accounts, or the AD Security Groups containing user
accounts, are added to the WEM deployment using the console.
• Creating and assigning resources to users and groups of users, such as printers and network drives, can be
configured using the console.
• Typical GPO user experience and Windows control settings are managed through policy settings in the console.
Citrix Profile Management can also be configured.
• WEM full administrators can assign users scope-based WEM administration roles, allowing these delegated
administrators to perform specific tasks using the console.
• The WEM Service Manage console is hosted on a Citrix Cloud-based Windows VDA.
• WEM administrators access the Manage console by first logging into the Citrix Cloud portal and then connecting
seamlessly using Citrix Workspace app for HTML5.
• The Manage console is pre-connected to the WEM Infrastructure Services, so there’s no need to choose an
Infrastructure Server or communications port number.
• The Manage console is the single point to manage a WEM infrastructure; there are no PowerShell or command-line
capabilities at this time.

Additional Resources:
• Administration Console: https://docs.citrix.com/en-us/workspace-environment-management/service.html


Lesson Objective Review

Why are Citrix Cloud Connectors required for a WEM Service deployment?

The Cloud Connectors handle communications between the WEM Infrastructure Services and the corporate Active Directory.

The Cloud Connectors handle communications between the WEM Infrastructure Services and WEM Agents.

The Cloud Connectors provide connection details to WEM Agents so that they can connect to the WEM Infrastructure Services.


WEM Component Communication Workflows


WEM On-Premises Communications
WEM Database Access and the Infrastructure Server

• Communications between WEM components are based on a WCF client/server model.
• Only the WEM Infrastructure Server has direct access to the WEM database.
• The WEM Infrastructure Server is the central component of a WEM deployment.

[Diagram: on-premises WEM components. Labels: Management, AD Integration, Active Directory, WEM Administration Console, physical Transformer kiosk, user, VDA with WEM Agent, user/endpoint with Citrix Workspace app, HDX Session, Synchronization, WEM Infrastructure Servers, SQL Transaction (TCP port 1433), WEM Database on SQL Server.]

Key Notes:
• All communications among the WEM Agents, WEM Infrastructure Servers, and WEM Administration Console are based on
Windows Communication Foundation (WCF).
• Depending on the direction of communications, components act as either a WCF server or WCF client.
• Only the WEM Infrastructure Server communicates with the WEM database directly, and so it is considered to be the centralizing
component of a WEM deployment.
• When an Agent or a WEM Admin Console requests data from the WEM database or has data to write to the WEM database, it is the
WEM Infrastructure Server that performs the SQL transactions over TCP port 1433, on behalf of the Agents or Console.


WEM On-Premises Communications
Active Directory Integration

• WEM Agents, Infrastructure Servers, and the Administration Console all need to communicate directly with Active Directory.
• Purpose is to retrieve AD objects when setting or deploying WEM settings.
• Communications between WEM components and AD are over TCP port 389.

[Diagram: on-premises WEM components. Labels: Management, AD Integration (TCP Port 389), Active Directory, WEM Administration Console, physical Transformer kiosk, VDA with WEM Agent, user/endpoint with Citrix Workspace app, HDX Session, Synchronization, WEM Infrastructure Server, SQL Transaction, WEM Database on SQL Server.]

Key Notes:
• The WEM Agents, WEM Infrastructure Servers, and the WEM Administration Console all need to communicate directly with Active
Directory.
• As we saw earlier, AD object searches by WEM components are most efficient when queried against Global Catalog Servers.
• WEM components communicate to AD over TCP port 389.



WEM On-Premises Communications
WEM Agent

• Communicates with the WEM Infrastructure Server to synchronize with the WEM database.
• Periodically “syncs” with the Infrastructure service to acquire updates (AgentLocalCacheSyncService, TCP port 8288).
• The Agent retrieves machine/user WEM settings at session launch (AgentBrokerSvc, TCP port 8286).

[Diagram: on-premises WEM components. Labels: Management, AD Integration, Active Directory, WEM Administration Console, WEM Agent, AgentBrokerSvc (TCP Port 8286), AgentLocalCacheSyncService (TCP Port 8288), WEM Infrastructure Server, SQL Transaction (TCP port 1433), WEM Database on SQL Server.]

Key Notes:
• The WEM Agent communicates with the WEM Infrastructure Server, primarily to synchronize with the WEM database.
• Most communications between the WEM Agent and the WEM Infrastructure Server are initiated by the WEM Agent. There are two
purposes for this Agent-initiated communications:
• Firstly, to synchronize the WEM Agent local cache database with the WEM Infrastructure Server:
• This task uses a WCF service called AgentLocalCacheSyncService and communication is over TCP port 8288 by default.
• AgentLocalCacheSyncService is the term that can be followed in WEM Agent logs, when troubleshooting cache sync issues.

• The task is performed roughly every 15 minutes if the default setting is not changed in the WEM
Administration Console. Also, to avoid congestion when there are a high number of Agents, the cache sync
interval includes a random offset time. This means that an Agent can initiate a sync of its local cache anywhere
between a 15 – 45 minute interval.
• Secondly, to synchronize the Agent Service settings:
• This task uses a WCF service called AgentBrokerSvc and communication is over TCP port 8286.
• AgentBrokerSvc is the term that can be followed in WEM Agent logs, when troubleshooting Agent sync issues.
• The Agent Service sync task is performed each time a user launches a session to the VDA, if the Agent has
been configured to do so in the WEM Admin Console. Its purpose is to retrieve the machine-specific and
user-specific WEM settings from the WEM Infrastructure Server at session start. If the Agent has not been
configured to retrieve the machine/user settings from the Infrastructure Server at session start, the Agent will
rely on local caches for this information.
• The task is also initiated by the Agent to send monitoring, statistics, and status updates to the WEM Infrastructure
Server.
• The WEM Infrastructure Server communicates with the WEM database instance over TCP port 1433, by default.

Additional Resources:

• Configure the Agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• How to enable/collect logs on WEM Agent machine: https://support.citrix.com/article/CTX220635
• How to enable/collect logs on WEM Broker: https://support.citrix.com/article/CTX228742


WEM On-Premises Communications
WEM Administration Console

• Connects to the WEM Infrastructure Server over TCP port 8284.
• Adds computer accounts (with Agents installed) and user accounts. These are read from AD over TCP port 389.
• Sync requests can be pushed to Agents. Agents listen for requests on TCP port 49752.

[Diagram: on-premises WEM components. Labels: AD Integration (TCP Port 389), Management (TCP port 8284), Active Directory, WEM Administration Console, WEM Infrastructure Server, SQL Transaction (TCP port 1433), WEM Database on SQL Server, VDA with WEM Agent, Synchronization (listening) TCP port 49752.]

Key Notes:
• In order to perform any WEM deployment configuration tasks, the WEM Console must first be connected to the WEM Infrastructure
Server. By default this uses TCP port 8284.
• The Console retrieves the WEM configuration from the WEM database using the WEM Infrastructure Server. The Infrastructure
Server retrieves the WEM settings from the WEM database over TCP port 1433, on behalf of the Console.
• For any WEM Agent to receive or synchronize WEM settings, they must first be added to the WEM deployment using the WEM
Administration Console. For this, the console retrieves the computer account information from Active Directory, over port 389.

• There are WEM settings that apply specifically to users or groups of users. The user accounts must also be added to the
WEM deployment using the Console, and again this information is read from Active Directory.
• These AD Computer Accounts and AD User Accounts can be added to the Console as individual AD objects, as part of an
AD Security Group, or as an AD Organizational Unit (OU).
• It is possible for WEM admins to manually send instructions from the Console to WEM Agents, to request that they
synchronize themselves. These requests are sent to the Infrastructure Server and passed to the Agents. The Agents are
always listening on TCP port 49752 for these requests.
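
The default ports and directions on the on-premises communication slides amount to an allow-list, and the rule that only the Infrastructure Server touches the WEM database can be checked against firewall or flow logs. The following is an added example, not Citrix code: the record format (`src_ip,dst_ip,dst_port`), the role names, the inventory and the sample addresses are constructed assumptions, and the console port used is the 8284 default given on the communications slide.

```python
import csv
import io
from typing import NamedTuple

# Default on-premises flows as given in the manual: (source role, destination role, TCP port).
# TCP 389 to Active Directory is left out because every domain member uses it.
ALLOWED_FLOWS = {
    ("agent", "infra", 8286): "AgentBrokerSvc",
    ("agent", "infra", 8288): "AgentLocalCacheSyncService",
    ("console", "infra", 8284): "Administration Console connection",
    ("infra", "agent", 49752): "sync request pushed to a listening Agent",
    ("infra", "sql", 1433): "SQL transactions on behalf of Agents and Console",
}
WEM_PORTS = {port for (_, _, port) in ALLOWED_FLOWS}

# Constructed sample data: hypothetical addresses, not from any real deployment.
INVENTORY = {
    "10.0.0.10": "infra",
    "10.0.0.20": "sql",
    "10.0.2.5": "console",
    "10.0.1.21": "agent",
    "10.0.1.22": "agent",
}
SAMPLE_LOG = """\
# src_ip,dst_ip,dst_port (constructed sample)
10.0.1.21,10.0.0.10,8286
10.0.1.21,10.0.0.10,8288
10.0.2.5,10.0.0.10,8284
10.0.0.10,10.0.0.20,1433
10.0.0.10,10.0.1.21,49752
10.0.1.21,10.0.0.20,1433
10.0.9.99,10.0.1.21,49752
10.0.1.22,10.0.1.21,49752
10.0.1.21,10.0.0.10,443
garbage line
"""


class Finding(NamedTuple):
    line_no: int
    src: str
    dst: str
    port: int
    reason: str


def audit_flows(log_text, inventory):
    """Return (findings, skipped) for 'src_ip,dst_ip,dst_port' records.

    inventory maps an IP address to a role: agent, infra, console or sql.
    Only connections to a WEM port on an inventoried host are judged;
    everything else is out of scope for this check.
    """
    findings, skipped = [], 0
    for line_no, row in enumerate(csv.reader(io.StringIO(log_text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or comment
        try:
            src, dst, port = row[0].strip(), row[1].strip(), int(row[2])
        except (IndexError, ValueError):
            skipped += 1  # malformed record: count it, do not guess
            continue
        dst_role = inventory.get(dst)
        if dst_role is None or port not in WEM_PORTS:
            continue
        src_role = inventory.get(src, "unknown")
        if (src_role, dst_role, port) in ALLOWED_FLOWS:
            continue
        if src_role == "unknown":
            reason = f"host outside the WEM inventory reached {dst_role} on TCP {port}"
        elif dst_role == "sql":
            reason = (f"{src_role} reached the WEM database directly; "
                      "only the Infrastructure Server should")
        else:
            reason = f"{src_role} -> {dst_role} on TCP {port} is not a documented WEM flow"
        findings.append(Finding(line_no, src, dst, port, reason))
    return findings, skipped


if __name__ == "__main__":
    results, bad = audit_flows(SAMPLE_LOG, INVENTORY)
    for f in results:
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.port}: {f.reason}")
    print(f"{bad} malformed record(s) skipped")
```

If the deployment overrides the default ports through the console or the ADMX template, `ALLOWED_FLOWS` has to be updated to match before the findings mean anything.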

Additional Resources:
• Administration Console: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/admin-console.html


WEM Service Communications
WEM Agent Synchronization (1/2)

• WEM Agents in both an on-premises deployment and a WEM Service deployment need to
communicate with WEM Infrastructure Services.

• WEM Agents in a WEM Service deployment need to communicate over the internet and use Citrix
Cloud Connectors.

Key Notes:
• Just like in an on-premises WEM deployment, WEM Agents need to synchronize their data with the WEM database through the
WEM Infrastructure Services.
• But unlike an on-premises WEM deployment, in a WEM Service deployment the Agents and Infrastructure Services must
communicate over an internet connection.
• Citrix Cloud Connectors are an integral part of a WEM Service deployment’s communications.



WEM Service Communications
WEM Agent Synchronization (2/2)

• WEM Agent requires either AgentLocalCacheSyncService or AgentBrokerSvc from the WEM Service.
• Step 1: Agent requests the WEM Service URL and a one-time service key from Cloud Connector.

• Step 2: Agent communicates directly to WEM Service using URL and service key and completes
synchronization.

Key Notes:
• When a WEM Agent needs to synchronize its data, it must first know the public URL of the WEM Infrastructure Services in Citrix
Cloud.
• As with the on-premises WEM Agent, there are two services it can request from the WEM Infrastructure Services:
• The Agent Local Cache Sync Service (AgentLocalCacheSyncService): This service is requested by the Agent when it needs to
update its local cache database.
• The Agent Broker Service (AgentBrokerSvc): This service is requested by the Agent when a user launches a session, or the Agent
needs to synchronize status or statistics.
• Step 1 then, is for the Agent to contact the Citrix Cloud Connector’s “Citrix WEM Cloud Authentication Service” and
request the URL of the WEM Service Infrastructure Services on Citrix Cloud.
• The Cloud Connector generates the URL along with a unique, one-use service key, and sends this back to the WEM
Agent.
• In Step 2, the Agent connects directly to the WEM Service Infrastructure in Citrix Cloud, using the URL and service key
provided.
• The URL path includes the requested service: AgentLocalCacheSyncService or AgentBrokerSvc.
• The service key is validated by Citrix Cloud and synchronization can complete.
• Communications are over HTTPS and protected by TLS 1.2.
• Note: Agent synchronization occurs fairly frequently, and an Agent must retrieve the WEM Service URL and service key
from the Cloud Connector each time.


WEM Service Communications
Active Directory Integration

• Corporate AD infrastructure is typically on a private subnet and not accessible from the internet.
• Citrix Cloud Connectors facilitate access from Citrix Cloud services, to deployment components in
private, customer-managed networks.

• For AD integration, WEM Service Infrastructure Services connect to the “Citrix Cloud Services AD
Provider” on a Citrix Cloud Connector.

Key Notes:
• In an on-premises WEM deployment, the WEM Infrastructure Server can communicate directly with Active Directory because they
are on the same local network.
• In a WEM Service deployment, the corporate Active Directory infrastructure is typically on a private subnet and not accessible from
the internet.
• One of the major roles of Citrix Cloud Connectors is to facilitate access from Citrix Cloud services, such as WEM Service, to
deployment components in private, customer-managed networks.

• To access the on-premises, corporate Active Directory, WEM Service Infrastructure Services connect to the “Citrix Cloud
Services AD Provider” on a Citrix Cloud Connector.
• In this way, the WEM Service Infrastructure Services and the WEM Service Manage console are able to retrieve the
Active Directory computer and user account information.



WEM Service Communications
Manually pushing syncs from the Manage Console

• WEM Agents are typically on a private subnet, inaccessible from the public internet.
• Step 1: WEM administrator manually pushes synchronization requests to WEM Agents from the WEM Service
Manage console.
• Step 2: Infrastructure Services sends the Agent sync request to the “Citrix WEM Cloud Messaging Service” on
the Citrix Cloud Connector.
• Step 3: WEM Agent listening on TCP port 49752 for sync request. The Agent then processes the sync request.

Key Notes:
• In a WEM Service deployment, WEM Agents are typically on a private subnet, inaccessible from the public internet. Again it is the
Citrix Cloud Connector that facilitates access from Citrix Cloud services to deployment components in private, customer-managed
networks.
• In Step 1, a WEM administrator manually pushes synchronization requests to WEM Agents from the WEM Service Manage console.
The request is sent to the WEM Infrastructure Services.
• In Step 2, Infrastructure Services sends the Agent sync request to the “Citrix WEM Cloud Messaging Service” on the Citrix Cloud
Connector.
• In Step 3, the WEM Agent is listening on TCP port 49752 for such sync requests. The Agent then processes the sync
request.
• From this point, the Agent follows the same communications flow covered by the WEM Agent synchronization slides. As
you recall, this consisted of the Agent requesting the WEM Services URL and a one-time service key.


Lesson Review

Which component in a WEM Service deployment facilitates access between Citrix Cloud services, such as the WEM Service, and on-premises components on private subnets?

Citrix Cloud Connectors


Key Takeaways

• The Workspace Environment Management infrastructure consists of multiple WEM and Microsoft components.
• The Infrastructure Service is the primary communication component within WEM.
• The Workspace Environment Management infrastructure can be deployed on-premises or as a Citrix Cloud service.
• The Administration Console is the single point for managing a WEM infrastructure.


Citrix App Layering and WEM Administration

WEM On-Premises and WEM Service Deployment Installation

Module 9


Learning Objectives

• Identify the high-level steps to install and configure a WEM on-premises or WEM Service deployment.
• Identify the WEM ADMX template Group Policy settings that are relevant to WEM on-premises and WEM Service deployments.
• Describe the settings and account requirements when setting up WEM on-premises infrastructure components.
• Describe the purpose and requirements of the settings when installing the WEM Agent in a WEM on-premises or WEM Service deployment.
• Discuss the differences between WEM on-premises and WEM Service deployment components and capabilities.


WEM On-Premises Deployment Installation

Leading Practice Installation Prerequisites and Steps


Software prerequisites for WEM installed components
On-premises Deployments

There are three WEM on-premises deployment components to install:
• WEM Infrastructure Server
• WEM Administration Console
• WEM Agents

All require .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
• WEM installers will install this software, if not already present.
• Recommended to pre-install .NET version before WEM component install to avoid lengthy installation time and
reboots.

The WEM database is created as a follow-up task to the WEM Infrastructure Server install.
• Microsoft SQL Server 2008 R2 (or later) required.

217 © 2020 Citrix | Confidential

Key Notes:
There are three WEM on-premises deployment components to install as part of a WEM on-premises deployment:
• WEM Infrastructure Server
• WEM Administration Console
• WEM Agent

All require the .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.

Each WEM component installer will automatically install this required software before the installation of the WEM
components starts, but it is recommended to install WEM components on machines that already have .NET Framework
4.7.1 (or later) installed. Doing so will avoid lengthy .NET installation time and reboots.

Strictly speaking, the WEM database is a WEM component but not an installed component. The WEM database is created
as a follow-up task to the WEM Infrastructure Server install.
Microsoft SQL Server 2008 R2 or later is required.

Additional Resources:
• WEM System requirements: https://docs.citrix.com/en-us/workspace-environment-management/current-release/system-requirements.html


WEM On-Premises Deployment Steps

• Before rolling out the WEM Agent machines it is leading practice to set up the WEM environment first.
• Allows immediate synchronization of WEM settings and populating WEM Agent local caches.

Key Notes:
• Before rolling out the WEM Agent machines it is leading practice to set up the WEM environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches,
at first start up.


WEM On-Premises Deployment Steps

The high-level steps to deploy a WEM on-premises deployment are:

Step 1. Add the WEM ADMX GPO template to the AD domain controller and configure WEM environment settings.

Step 2. Install and configure the WEM Infrastructure Services.
Create the WEM database.
Run and complete the WEM Infrastructure Service Configuration utility.

Step 3. Install the WEM Administration Console.

Step 4. Perform initial WEM deployment configuration tasks.
Configure WEM settings to apply to WEM Agents and users.

Step 5. Install WEM Agent on master image, Layer, or machine (varies depending on provisioning methods).

Step 6. Test and verify WEM Agent registration and synchronization.

Key Notes:
• The high-level steps to deploy a WEM on-premises deployment are:
• Step 1. Add the WEM ADMX GPO template to the AD domain controller and configure WEM environment settings. This is an
optional step as the parameter values in the GPO can be configured as part of the WEM Agent install.
• Step 2. Install and configure the WEM Infrastructure Services. Create the WEM database. Run and complete the WEM
Infrastructure Service Configuration utility.
• Step 3. Install the WEM Administration Console.

• Step 4. From the WEM Administration Console, perform initial WEM deployment configuration tasks. Configure
WEM settings to apply to WEM Agents and users.
• Step 5. Install WEM Agent on master image, Layer, or machine (varies depending on provisioning methods:
Single dedicated machine, Citrix Provisioning, Machine Creation Services, App Layering).
• Step 6. Test and verify WEM Agent registration and synchronization.



Lesson Review

Why should WEM deployment infrastructure be installed and configured prior to installing WEM Agents on machines?

To allow WEM Agents to immediately synchronize themselves on first start up.


WEM On-Premises Deployment Installation

WEM ADMX Template Configuration


WEM On-Premises Deployment Installation
WEM ADMX Template Configuration

• Convenient to use a GPO to apply WEM Agent configuration to all WEM Agents in a WEM deployment.
• The Infrastructure server setting is only enabled and configured for on-premises WEM deployments. Value will be of the WEM Broker or WEM Broker load balancer.
• WEM Agent version 1912 and later supports both the Cached synchronization and the Cached data synchronization for updating its local cache with the WEM Broker.
• All port-related settings can be left unspecified if WEM deployment uses default port values.

Key Notes:
• The most convenient method of centrally applying WEM Agent configuration to all WEM Agents in a deployment; whether an on-
premises or WEM Service deployment is using the WEM ADMX template in a Group Policy Object (GPO).
• The Infrastructure server setting is only enabled and configured for on-premises WEM deployments.
• If WEM Infrastructure Server load balancing is used, the FQDN or IP address will be of the load balancer – usually a Citrix ADC.
• As mentioned earlier, currently the WEM Agent supports two methods of synchronizing its local WEM settings cache with the WEM Broker.
• Agent versions 1909 and earlier support only the method using the Cache synchronization port. Agent versions 1912 and later support both the Cache synchronization port and the Cached data synchronization port.
• If the WEM deployment uses default port settings, there is no need to specify values for any of the port-related settings.
• The VUEMAppCmd Extra Sync Delay setting applies to both on-premises and WEM Service deployments. The setting
will be covered in the next lesson.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html


Lesson Review

What value is used in the Infrastructure Service Group Policy setting if WEM Infrastructure Servers are to be load balanced?

The FQDN or IP address of the load balancer itself and not the address of a WEM Infrastructure Server.


WEM On-Premises Deployment Installation

Choosing a Security Principal to run the WEM Infrastructure Service


Installing the WEM Infrastructure Services
Choosing an Infrastructure Services Log On account

• Before installing the WEM Infrastructure Server, it is important to decide on the security principal that will be used to run the Norskale Infrastructure Service.
• There is no need to manually configure the service’s Log On properties as shown in the image.
• The final post-installation task uses a configuration UI utility that handles this for you.
• The following slides explain how to choose an appropriate security principal.

Key Notes:
• Before installing the WEM Infrastructure Server, it is important to decide on the security principal that will be used to run the
Norskale Infrastructure Service.
• There is no need to manually configure the service’s Log On properties as shown in the image.
• After installing the WEM Infrastructure Server, the final post-installation task uses a configuration UI utility that handles this for you.
• The goal of the following slides is to allow you to be aware of the considerations and to be able to choose an appropriate security
principal.



Installing the WEM Infrastructure Services
Choosing an Infrastructure Services Log On account – LocalSystem

• Installer always adds LocalSystem as the service’s Log On account. This can be changed after install to an AD User account or AD Group Managed Service Account (gMSA).
• Using LocalSystem means that the Norskale Infrastructure Service will present the computer’s credentials to remote servers and will use the vuemUser account for connection to the WEM database on SQL.

Advantages:
• Easy WEM Broker setup.
• No password expiration issues.

Disadvantages:
• Security vulnerability – LocalSystem has almost unlimited privileges on a Windows machine.
• Cannot use when load balancing WEM Brokers.

Key Notes:
• During installation, the installer always adds LocalSystem as the service’s Log On account. This can be changed to an AD user account or an AD Group Managed Service Account (gMSA) in accordance with your organization’s security policies.
• Using LocalSystem means that the Norskale Infrastructure Service will present the computer’s machine account credentials to
remote servers and will use the vuemUser account for connection to the WEM database on SQL.
• The vuemUser account is a SQL account created on the SQL Server during the WEM database creation task.



• Advantages: Easiest setup option for WEM Infrastructure Services. No password expiration issues to deal with.
• Disadvantages: Security vulnerability - LocalSystem has almost unlimited privileges on a Windows machine. When load
balancing WEM Brokers, LocalSystem cannot be used to run the Norskale Infrastructure Service.

Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html


Installing the WEM Infrastructure Services
Choosing an Infrastructure Services Log On account – AD User Account

• An AD user account principal can be used to restrict access just to the requirements of running the Norskale Infrastructure Service.
• The account must be a member of the local Administrators group on the WEM Infrastructure Services machine.

Advantages:
• A single AD User Account is used to allow WEM Infrastructure Servers to be load balanced.

Disadvantages:
• Typically, an AD User account password expires, and will have to be periodically updated in the service’s properties and Infrastructure Services Configuration utility.

Key Notes:
• Some organizations require the granular security of using an AD user account principal so they can restrict access just to the
requirements of running the Norskale Infrastructure Service.
• The account must be a member of the local Administrators group on the machine where the WEM Infrastructure Services has been
installed.
• The advantage of using a single AD User Account to run the service is that it allows for the load balancing of WEM Infrastructure
servers.



• The disadvantage of using an AD user account is that it is typically subject to the domain password policy, meaning that the password expires and will have to be periodically updated in the service properties and the Infrastructure Services Configuration utility.

Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
• Configure load balancing: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-load-balancing


Installing the WEM Infrastructure Services
Choosing an Infrastructure Services Log On account – gMSA

• The Norskale Infrastructure Service can also run using a group Managed Service Account (gMSA) solution.

Advantages:
• Automatic account password management by Windows.
• A single gMSA is used to run the Norskale Infrastructure Service across multiple WEM Infrastructure Servers and allows these servers to function in a load balanced configuration.

Disadvantages:
• Requires the skills to create and manage a gMSA solution.
• Machines within a failover cluster do not support gMSAs.

Key Notes:
• The Norskale Infrastructure Service can also run using a group Managed Service Account (gMSA).
• Advantages:
• When a gMSA is used as a service principal, Windows manages the password for the account instead of relying on
administrators to manage it.
• A single gMSA can be used to run the Norskale Infrastructure Service on multiple WEM Infrastructure Servers and allows these servers to function in a load balanced configuration.


• Disadvantages:
• Requires the skills to create and manage a gMSA solution.
• Machines within a failover cluster do not support gMSAs.

Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
• Configure load balancing: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-load-balancing
• Group Managed Service Accounts (gMSAs) Overview: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview


Lesson Review

You are deciding on a security principal to use to run the Norskale Infrastructure Service. Your organization wants to minimize the security risks on the WEM Broker and administrators do not want to have to deal with expired passwords. Which security principal will you use?

A Group Managed Security Account (gMSA).
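
The Log On account options compared in this lesson can be audited on deployed WEM Infrastructure Servers. The following PowerShell is an added example, not part of the course material and not Citrix code; the function, server and account names are hypothetical, and locating the service by the display name "Norskale Infrastructure Service" and treating a trailing `$` as a gMSA are assumptions.

```powershell
# Added example (not Citrix code): audit which security principal runs the
# Norskale Infrastructure Service and apply the rules from this lesson.

function Get-WemServiceLogon {
    # Live collection: reads the service's Log On account (StartName) over CIM.
    # Assumption: the service is located by the display name used in the course.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
            -Filter "DisplayName LIKE '%Norskale Infrastructure Service%'" |
            ForEach-Object {
                [pscustomobject]@{ Server = $computer; StartName = $_.StartName }
            }
    }
}

function Get-WemPrincipalType {
    # Maps a Log On account name to one of the three options in this lesson.
    param([Parameter(Mandatory)][string]$StartName)
    $name = $StartName.Trim()
    if ($name -match '^(\.\\)?LocalSystem$' -or $name -match '^NT AUTHORITY\\SYSTEM$') {
        return 'LocalSystem'
    }
    if ($name -match '^NT (AUTHORITY|SERVICE)\\') { return 'OtherBuiltIn' }
    # Assumption: a gMSA is recognised by its trailing '$' (DOMAIN\name$).
    if ($name -match '\$$') { return 'gMSA' }
    return 'ADUser'
}

function Test-WemServicePrincipal {
    # Returns one finding per server, plus a deployment-wide finding when
    # load-balanced servers do not share a single account.
    param(
        [Parameter(Mandatory)][object[]]$Service,   # objects with Server, StartName
        [switch]$LoadBalanced
    )
    $findings = @(foreach ($s in $Service) {
        $type = Get-WemPrincipalType -StartName $s.StartName
        $finding = switch ($type) {
            'LocalSystem' {
                if ($LoadBalanced) { 'FAIL: LocalSystem cannot be used when load balancing WEM Brokers' }
                else { 'WARN: LocalSystem has almost unlimited privileges on the machine' }
            }
            'ADUser' { 'INFO: password expiry must be handled in the service properties and the configuration utility' }
            'gMSA'   { 'OK: password is managed by Windows' }
            default  { 'WARN: built-in account not covered by this lesson' }
        }
        [pscustomobject]@{ Server = $s.Server; StartName = $s.StartName; Type = $type; Finding = $finding }
    })
    if ($LoadBalanced) {
        $accounts = @($Service | ForEach-Object { $_.StartName.ToLower() } | Sort-Object -Unique)
        if ($accounts.Count -gt 1) {
            $findings += [pscustomobject]@{
                Server    = '(all)'
                StartName = $accounts -join ', '
                Type      = 'Mixed'
                Finding   = 'FAIL: load-balanced servers are expected to run the service under one shared account'
            }
        }
    }
    $findings
}

# Constructed sample data so the check runs without a WEM deployment.
# Against real servers: $services = Get-WemServiceLogon -ComputerName 'WEM-01','WEM-02'
$services = @(
    [pscustomobject]@{ Server = 'WEM-01'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Server = 'WEM-02'; StartName = 'LAB\svc-wem' }
    [pscustomobject]@{ Server = 'WEM-03'; StartName = 'LAB\gmsa-wem$' }
)
Test-WemServicePrincipal -Service $services -LoadBalanced | Format-Table -AutoSize -Wrap
```

With the constructed data, WEM-01 is reported as a failure for a load-balanced deployment, WEM-03 passes, and an extra row flags that the three servers do not share one account.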



WEM On-Premises Deployment Installation

Creating the WEM Database


WEM Infrastructure Server post-installation tasks
Create WEM Database

• After installing the WEM Infrastructure Services from the installer UI, the next task is to create the WEM database.
• This lesson covers the creation of the WEM database using the Database Management Utility; focusing on the accounts used.
• A WEM database can also be created using the WEM SDK in PowerShell. Check the Additional Resources on the slide for further details.

Key Notes:
• After installing the WEM Infrastructure Services from the installer UI, the next task is to create the WEM database.
• This lesson covers the creation of the WEM database using the Database Management Utility; focusing on the accounts used.
• A WEM database can also be created using the WEM SDK in PowerShell. Check the Additional Resources on the slide for further
details.

Additional Resources:
• Citrix Workspace Environment Management 1912 SDK: https://developer-docs.citrix.com/projects/workspace-environment-management-sdk/en/latest/


WEM Infrastructure Server post-installation tasks
Create WEM Database (1/3)

• Host name of the SQL Server that will hold the WEM database.
• WEM database to be created on SQL Server.
• The Data File and Log File locations will populate automatically using the default SQL file locations.

Key Notes:
• The “Server and instance name” is the host name of the SQL Server that will hold the WEM database.
• The “Database name” is the WEM database to be created on SQL Server.
• The “Data file” and “Log file” are populated automatically using the default SQL file locations.
• There is no need to change this unless the location of these files has been changed on the SQL Server.

Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html


WEM Infrastructure Server post-installation tasks
Create WEM Database (2/3)

• The database will be created using the credentials of the user currently logged onto the machine running the wizard.
• Username and password of an account that has the SysAdmin role on the SQL Server.

Key Notes:
• The “Database Server Credentials” specify which account will be used to create the WEM database on the SQL Server.
• Creating the WEM database requires an account that has the SysAdmin role on the SQL Server.
• Checking the “Use integrated connection” means that the database will be created using the credentials of the user currently logged
onto the machine running the wizard.
• This user account must already have the SysAdmin role on the SQL Server.
• If the logged in user does not have the SysAdmin role, uncheck the box and provide the credentials of an account that has the SysAdmin role.
• Whichever user account is specified, it cannot be the same account used to run the Norskale Infrastructure Service.

Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html


WEM Infrastructure Server post-installation tasks
Create WEM Database (3/3)

• The AD Security Group that is given full admin permissions in the WEM Administration Console.
• Box unchecked when LocalSystem runs the WEM Infrastructure Service. Box is checked when providing AD User Account or gMSA to run the service.
• Set a vuemUser password if SQL Server Always On Availability Groups will be used or if the SQL password policy is more stringent.

Key Notes:
• The “Initial administrator group” is not required for creating the WEM database. Instead it is the AD Security Group that is given full admin permissions in the WEM Administration Console.
• The “Database Security” section deals specifically with the security principal that will run the Norskale Infrastructure Service.
• When the “Use Windows authentication…” box is unchecked, it means you’ve decided to run the Norskale Infrastructure Service as LocalSystem.
• Recall that if the service will run as LocalSystem, the WEM Infrastructure Service’s connection to the WEM database on SQL will use the vuemUser SQL account.
• When the box is unchecked, SQL Mixed-Mode Authentication will be used for the WEM database.
• When the box is checked, it means that you’ve decided to run the Norskale Infrastructure Service using an AD User Account or gMSA (group Managed Service Account).
• If an AD User Account or gMSA is used to run the service, WEM Infrastructure Service’s connection to the WEM database on SQL will use that same account.
• Recall that if an AD User Account is used, it cannot be the same account as the logged on user creating the WEM database.
• When the box is checked, Windows Authentication on SQL will be used for the WEM database.
• The “Set vuemUser SQL user account password” box needs to be checked if using SQL Server Always On Availability Groups – which is used for database high availability.
• A vuemUser password needs to be created because it must be known, and provided when adding the database to the availability group.
• A suitable vuemUser password will also need to be specified if the WEM auto-generated password does not meet a more stringent SQL password policy.

Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html


Lesson Review

You have installed a WEM Infrastructure Server and are now creating the WEM database. You will be using your own account to create the database on the SQL Server. What permissions do you need to have?

Your account must have the SysAdmin role on the SQL Server.


WEM On-Premises Deployment Installation

Running the WEM Infrastructure Service Configuration Utility


WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (1/6)

• The final post-installation task is to run and complete the WEM Infrastructure Service Configuration utility.
• Alternatively, use the WEM SDK in PowerShell. Check the Additional Resources on the slide for further details.
• Main purpose is to write the WEM Infrastructure Services setup values configured during install, to the WEM database and local registry.
• The Database Settings tab specifies the location and name of the WEM database.

Key Notes:
• After creating the WEM database, the final task for completing the installation of the WEM Infrastructure Server is to run the WEM
Infrastructure Service Configuration utility.
• Alternatively, use the WEM SDK in PowerShell. Check the Additional Resources on the slide for further details.
• There are several purposes for the UI utility:
• The main purpose of the utility is to write all of the WEM Infrastructure Services setup values that were configured during
installation, to the WEM database and local registry.



• The Database Settings tab specifies the location and name of the WEM database that was created during installation.
• The database failover information is only required if the WEM database uses SQL Server database mirroring.

Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service
• Citrix Workspace Environment Management 1912 SDK: https://developer-docs.citrix.com/projects/workspace-environment-management-sdk/en/latest/


WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (2/6)

• The Network Settings tab: TCP port numbers on which the WEM Infrastructure Services listen for requests from other WEM components.
• Must match the TCP ports configured on each of the other WEM components; otherwise communications between the Broker and the component will fail for that service.
• The image shows the default pre-set values.
• No reason to change the default WEM port values unless there are security or other environmental justifications.

Key Notes:
• The Network Settings tab specifies the TCP port numbers on which the WEM Infrastructure Services listen for requests from other WEM components.
• These must match the TCP ports configured on each of the other WEM components; otherwise communications between the Broker and the component will fail for that service.
• The Administration port used when launching the WEM Administration Console must match the Administration port specified on this Network Settings tab.
• The WEM Agent uses the Agent service port to retrieve WEM settings on session launch, synchronize its status, and send monitoring statistics.
• The WEM Agent, v1912 or higher, updates its local caches using the Cached data synchronization port. Agent versions prior to version 1909 can only use the Cache synchronization port.
• The image shows the default pre-set values for these ports during the installation of the WEM Broker, WEM Admin Console, and WEM Agents.
• There is no reason to change the default WEM port values unless there are security or other environmental justifications.

Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service


WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (3/6)

• The Advanced Settings tab is where you record the account information.
• Match the account values with those used when configuring the WEM Infrastructure Service and WEM database connection information.
• If the Norskale Infrastructure Service has been configured to run using a gMSA solution:
• Enter any password into the “Infrastructure service account password” box.
• The Norskale Infrastructure Service will be correctly configured and the password will be ignored.

Key Notes:
• The Advanced Settings tab is where you record the account information. Again, it is important to match these values with the values
used when configuring the WEM Infrastructure Service and WEM database connection information.
• The Infrastructure service account and password entered here are written to the Norskale Infrastructure Service Log On properties.
• The exception is if the Norskale Infrastructure Service has been configured to run using a group Managed Service Account (gMSA)
solution:
• If a gMSA has been configured to run the Norskale Infrastructure Service, enter the account and just enter any password into the “Infrastructure service account password” box.
• Recall that you won’t know the actual gMSA password as this is managed by Windows.
• After completing and saving the WEM Infrastructure Service Configuration, the gMSA account will be correctly
configured to run the Norskale Infrastructure Service and the password will be ignored.

Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service


WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (4/6)

• The Advanced Settings tab is also where you configure WEM database connection and WEM database caching settings.
• Local WEM database cache is updated as per frequency settings and can be used when SQL Server connection is unreliable.
• Enabling performance tuning should only be done if server performance optimization is required or if WEM component disconnection issues occur.
• Worker threads and asynchronous I/O thread values set to equal the number of WEM Agents in the deployment.

Key Notes:
• The Advanced Settings tab is also where you configure WEM database connection and WEM database caching settings.
• The WEM Broker maintains a local cache of the WEM database that it can use to retrieve WEM settings and statistics if the
connection between the Broker and the SQL Server is lost.
• The cache synchronization refresh frequency can be set, as well as the WEM database connection attempt timeout value.
• You can set to always use the local WEM database cache, for example if the connection to the SQL Server is sometimes unreliable –
the cache itself will continue to be updated as per the refresh frequency.



• Enabling performance tuning should only be done if server performance optimization is required or Agents and Console
intermittently disconnect. The rule of thumb is to set the worker threads and asynchronous I/O thread values to equal
the number of WEM Agents in the deployment.
• Since the default value for both settings is 200, enabling and changing the values can be done when the WEM Broker is
servicing a high number of WEM Agents.
• Setting too low a value for worker threads and asynchronous I/O threads can cause WEM Agents and WEM Console to intermittently disconnect.
• Setting too high a value can cause performance issues on the WEM Broker.
• Be sure to refer to the Additional Resources links for this slide before changing performance tuning values.

Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service


WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (5/6)

• On the Database Maintenance tab, scheduled data maintenance can be enabled to run, as per the values set.
• Default values are provided but can be changed to suit needs.
• If the Enable box is not checked, no database maintenance will occur.

Key Notes:
• On the Database Maintenance tab, scheduled data maintenance can be enabled to run, as per the values set.
• Default values are provided but can be changed to suit your needs.
• If the Enable box is not checked, no database maintenance will occur.
Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service

WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (6/6)

• On the Licensing tab, the Citrix License Server host name or IP address, and License Server port can be specified.
• When the Global License Server override box is checked, the values are used by WEM Administration Consoles at each launch.
• If the Global License Server override box is not checked, the admin will need to provide Citrix License Server details on first launch of the Admin Console.

Key Notes:
• On the Licensing tab, the Citrix License Server host name or IP address, and License Server port can be specified.
• When the Global License Server override box is checked, the values are used by WEM Administration Consoles at each launch.
• If the Global License Server override box is not checked, the admin will need to provide Citrix License Server details on first launch of
the Admin Console.

Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service


Lesson Review

You are running the WEM Infrastructure Services Configuration utility after installing the first WEM Broker of your new deployment. The network security team have assigned you TCP ports to use for communications between WEM components but none of them match the default WEM ports. You configure the assigned ports, but what will you need to do when setting up and configuring the other WEM components?

You must ensure that the ports configured during the rollout of the WEM Administration Console and WEM Agent machines match the assigned TCP port numbers.
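
The port-matching requirement from this lesson, together with the Agent version rule from the Network Settings notes, can be checked before rollout. This PowerShell is an added example, not part of the course material and not Citrix code; the function name, component names and every port number are constructed, and it assumes Agent versions are written as four-digit release numbers such as 1909 or 1912.

```powershell
# Added example (not Citrix code): compare the ports set on the Broker's
# Network Settings tab with the ports planned for each WEM component.

function Test-WemPortAlignment {
    param(
        [Parameter(Mandatory)][hashtable]$Broker,    # ports from the Network Settings tab
        [Parameter(Mandatory)][object[]]$Component   # planned Console / Agent settings
    )
    foreach ($c in $Component) {
        # Decide which Broker ports this component talks to.
        $required = @(switch ($c.Role) {
            'Console' { 'AdministrationPort' }
            'Agent' {
                'AgentServicePort'
                # 1912 and later update their caches over the Cached data
                # synchronization port; older Agents only have the Cache
                # synchronization port.
                if ([int]$c.Version -ge 1912) { 'CachedDataSyncPort' } else { 'CacheSyncPort' }
            }
        })
        foreach ($port in $required) {
            $expected = $Broker[$port]
            $actual   = $c.Ports[$port]
            $status = if ($null -eq $actual) {
                'NotSet'      # only acceptable when the Broker uses default ports
            } elseif ([int]$actual -eq [int]$expected) {
                'Match'
            } else {
                'Mismatch'    # communication with the Broker fails for this service
            }
            [pscustomobject]@{
                Component  = $c.Name
                Role       = $c.Role
                Version    = $c.Version
                Port       = $port
                Broker     = $expected
                Configured = $actual
                Status     = $status
            }
        }
    }
}

# Constructed values: ports assigned by the network team, as in the
# Lesson Review scenario above.
$broker = @{
    AdministrationPort = 50084
    AgentServicePort   = 50086
    CacheSyncPort      = 50085
    CachedDataSyncPort = 50088
}
$components = @(
    [pscustomobject]@{ Name = 'Console-01'; Role = 'Console'; Version = $null
                       Ports = @{ AdministrationPort = 50084 } }
    [pscustomobject]@{ Name = 'VDA-A'; Role = 'Agent'; Version = 2003
                       Ports = @{ AgentServicePort = 50086; CachedDataSyncPort = 50088 } }
    [pscustomobject]@{ Name = 'VDA-B'; Role = 'Agent'; Version = 1909
                       Ports = @{ AgentServicePort = 50086; CachedDataSyncPort = 50088 } }
    [pscustomobject]@{ Name = 'VDA-C'; Role = 'Agent'; Version = 1912
                       Ports = @{ AgentServicePort = 50186 } }
)
Test-WemPortAlignment -Broker $broker -Component $components | Format-Table -AutoSize
```

In the constructed data, VDA-B is flagged because a 1909 Agent needs the Cache synchronization port, which was never set for it, and VDA-C is flagged for a mismatched Agent service port and an unset Cached data synchronization port.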



WEM On-Premises Deployment Installation

WEM Agent Installation


WEM Agent Installation
WEM Agent Installer

• The WEM Agent installer for on-premises WEM deployments: Available from the Citrix website Downloads page.
• The WEM Agent installer for WEM Service deployments: Available from the Citrix Cloud portal’s Workspace Environment Management page.
• Both versions of the WEM Agent can be installed and configured using the WEM PowerShell SDK, which is added automatically during Agent installation.
• Both installers are universal but the versions may be different because the WEM Agent installer for WEM Service deployments is on a more frequent release cycle than the quarterly release cycle of the on-premises WEM Agent:
• Installing a WEM Service WEM Agent on a machine that is part of a WEM on-premises deployment is not recommended.
• Using an on-premises WEM Agent version in a WEM Service deployment is supported, as long as the WEM Agent version meets Citrix product lifecycle requirements. The scenario would occur after an on-premises WEM deployment is migrated to a WEM Service deployment.

Key Notes:
• The WEM Agent installer for on-premises deployments is available for download from the Citrix website Downloads page.
• The WEM Agent installer for WEM Service deployments is available for download from the Citrix Cloud portal’s Workspace
Environment Management page.
• Both versions of the WEM Agent can be installed and configured using the WEM PowerShell SDK, which is added automatically
during Agent installation.
• Both installers are universal in that they are the same installer but at any one time, the versions will be different.

• The WEM Agent installer for WEM Service deployments is on a more frequent release cycle than the quarterly release cycle of the on-premises WEM Agent.
• The WEM Service Agent is most likely to be a more recent version than the WEM components version of an on-premises WEM deployment.
• There may be new features or code changes in the newer WEM Service Agent that make it incompatible with an on-premises WEM deployment.
• Consequently, installing a WEM Service WEM Agent on a machine that is part of a WEM on-premises deployment is not recommended.
• Using an on-premises WEM Agent version as part of a WEM Service deployment is supported because backwards compatibility is supported, as long as the WEM Agent version meets Citrix product lifecycle requirements. The scenario would occur after an on-premises WEM deployment is migrated to a WEM Service deployment.

Additional Resources:
• Install and configure the Agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• Citrix Product Lifecycle matrix: https://www.citrix.com/support/product-lifecycle/product-matrix.html
• WEM Service management on Citrix Cloud: https://wem-production-ui.wem.cloud.com/


WEM Agent Installation
Deployment Type

• Choose to install the WEM Agent as part of an on-premises WEM deployment.
• It is not recommended to use the WEM Service WEM Agent installer as part of an on-premises WEM deployment.

Key Notes:
• Choose to install the WEM Agent as part of an on-premises WEM deployment.
• Recall that it is not recommended to use the WEM Service WEM Agent installer as part of an on-premises WEM deployment.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html


WEM Agent Installation
Infrastructure Service Configuration

• When using App Layering, the WEM Agent is installed on the Platform Layer. At that time, the machine is not usually subject to any AD GPOs.
• Configure the Infrastructure Service value and port values so that the Agent can communicate with the WEM Broker without need for the values provided by GPO.
• Both port values specified must match the same port values set during the WEM Infrastructure Server installation and configuration.

Key Notes:
• When using App Layering, the WEM Agent is installed on the Platform Layer. At that time, the machine is not usually subject to any
AD GPOs.
• So to ensure that the Platform Layer WEM Agent is able to communicate with the WEM Broker immediately after Agent installation,
configure the Infrastructure Service FQDN or IP address, rather than choosing “Skip configuration”, even if the WEM GPO has been
configured.
• For the same reason, ensure that the Agent service port and Cached Data synchronization ports are configured on this page.
• Recall that both port values specified must match the same port values set during the WEM Infrastructure Server installation and configuration.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html


WEM Agent Installation
Advanced Settings

• Two of four WEM Agent local caches can be moved to the cache data drive used by Citrix Provisioning and Citrix MCS.
• Recommended to specify the Alternative Cache Location to persist these two caches between restarts on non-persistent VDAs.
• VUEMAppCmd Extra Sync Delay: Delay the published app launch until all WEM settings have been applied.
• Only applies when the VUEMAppCmd executable is used to control the launch timing of published applications in a Delivery Group.

Key Notes:
• The WEM Agent uses four local caches. Two of them can be moved from the local drive to, most commonly, the cache data drive
used by Citrix Provisioning and Citrix Machine Creation Services (MCS).
• It is recommended to specify the Alternative Cache Location to persist these two caches between restarts on non-persistent VDAs.
• The VUEMAppCmd executable is used to control the launch timing of published applications in a Delivery Group. It is not mandatory to use VUEMAppCmd but it can resolve issues where some WEM settings intermittently fail to apply.
• The purpose of the Extra Sync Delay is to delay the published app launch until all WEM settings have been applied. 100 to 200 milliseconds is usually sufficient.
• The Extra Sync Delay value can be set by Group Policy through the WEM ADMX GPO template.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• Editing application settings using Citrix Studio: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions/applications.html#editing-application-settings-using-citrix-studio


Lesson Review
You are a WEM administrator and a technician is rolling out WEM Agent machines in a WEM on-premises deployment. He has downloaded both the WEM Agent from the Citrix Downloads page and the WEM Agent from the WEM Service download page on the Citrix portal. He asks you which one he should use. What do you advise them?

In an on-premises WEM deployment, only install the on-premises WEM Agent.

If it’s an on-premises WEM deployment that is about to be migrated to a WEM Service deployment, they may continue to use the on-premises WEM Agent and upgrade to the latest WEM Service Agent as part of the next maintenance cycle.


WEM Deployment Installation
WEM On-Premises vs WEM Service


WEM Installation: On-Premises vs. Citrix Cloud
Summary Review

On Prem
• All Active Directory infrastructure maintained on local premises.
• All Workspace Environment Management components (including Infrastructure Service) maintained on local premises.
• Microsoft SQL Server maintained on local premises.
• All physical and virtual machines with WEM Agent maintained on local premises.

Citrix Cloud
• All Active Directory infrastructure maintained on local premises.
• A Citrix Cloud Service subscription is required to use the WEM Service infrastructure.
• WEM Infrastructure Service and administration Manage console maintained in the Citrix Cloud.
• Single or multiple resource locations.
• Multiple (recommended) Cloud Connectors maintained on local premises.
• Microsoft SQL Server maintained in Citrix Cloud.
• All physical and virtual machines with WEM Agent maintained on local premises.

Key Notes:
• In both on-premises WEM and WEM Service, all Active Directory infrastructure is maintained on local premises and managed by the customer.
• In on-premises WEM deployments, all WEM components are installed locally, customer-managed, must comply with AD requirements, and are usually all on the same network to support the communication requirements.
• In a WEM Service deployment, all WEM infrastructure components are managed and maintained by Citrix Cloud.
• WEM Service supports multiple separate resource locations containing VDAs with WEM Agent installed. This frees WEM Agents to be on multiple networks, all communicating to the backend WEM Service infrastructure on Citrix Cloud.
• Citrix Cloud Connectors are only required for WEM Service deployments and multiple Connectors are recommended for each resource location.
• WEM on-prem requires locally-managed SQL Server while Citrix Cloud takes care of the WEM database on reliable Azure Elastic Pool instances.
• Finally, both on-prem WEM and WEM Service require customer-managed WEM Agents.

Additional Resources:
• Workspace Environment Management service: https://docs.citrix.com/en-us/workspace-environment-management/service.html


Lesson Review

Describe the benefits of using WEM Service rather than WEM on-premises.

All WEM infrastructure components are managed and maintained by Citrix Cloud, removing the admin burden.

Supports multiple resource locations in a single WEM Service deployment.


WEM Service Deployment Installation
Leading Practice Installation Prerequisites and Steps


Software prerequisites for WEM installed components
WEM Service Deployments

There are two WEM Service deployment components to install:
• Citrix Cloud Connectors
• WEM Agents

Cloud Connectors require .NET Framework 4.7.2 (or later).
• Citrix strongly recommends installing at least two Cloud Connectors in each resource location to ensure high availability.
• Refer to the Citrix Cloud Connector Technical Details page on Citrix Product Documentation.

WEM Agent requires .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
• WEM installer will install this software, if not already present.
• Recommended to pre-install .NET version before WEM component install to avoid lengthy installation time and reboots.

Key Notes:
There are two WEM Service deployment components to install:
• Citrix Cloud Connectors
• WEM Agents

Cloud Connectors require .NET Framework 4.7.2 (or later).


• Citrix strongly recommends installing at least two Cloud Connectors in each resource location to ensure high availability.



• The installation and configuration of Citrix Cloud Connectors is not covered in this course. Refer to the Citrix Cloud
Connector Technical Details page on Citrix Product Documentation for further information on system requirements.

WEM Agent requires the .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
• Each WEM component installer will automatically install this required software before the installation of the WEM components starts, but it is recommended to install WEM components on machines that already have .NET Framework 4.7.1 (or later) installed.
• Doing so will avoid lengthy .NET installation time and reboots.
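
The prerequisite check described above, as an added PowerShell example (not Citrix code and not part of the course material): it reads the .NET Framework Release value from the registry and looks for Sync Framework 2.1 in the uninstall keys before a Cloud Connector or WEM Agent install. The function names and role labels are hypothetical, and detecting Sync Framework by its display name is an assumption.

```powershell
# Added example (hypothetical names): pre-install check for the .NET Framework
# and Microsoft Sync Framework prerequisites listed in the Key Notes above.

# Minimum "Release" DWORD values published by Microsoft for .NET Framework 4.x.
$MinimumRelease = @{
    CloudConnector = @{ Version = '4.7.2'; Release = 461808 }
    WemAgent       = @{ Version = '4.7.1'; Release = 461308 }
}

function Get-DotNetRelease {
    # .NET Framework 4.5 and later record their build in this registry value.
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.Release }
    return 0   # key or value missing: no .NET Framework 4.5+ on this machine
}

function Test-SyncFramework21 {
    # Assumption: Sync Framework 2.1 is identified by its display name in the
    # standard uninstall keys (64-bit and 32-bit registry views).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Sync Framework 2.1*' }
    return [bool]$found
}

function Test-WemPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CloudConnector', 'WemAgent')]
        [string]$Role
    )

    $required = $MinimumRelease[$Role]
    $release  = Get-DotNetRelease
    $dotNetOk = $release -ge $required.Release

    # Only the WEM Agent needs Sync Framework 2.1; $null means "not applicable".
    $syncPresent = if ($Role -eq 'WemAgent') { Test-SyncFramework21 } else { $null }

    # The WEM installer adds missing software itself, so a failed check here
    # means a longer install and possible reboots, not a blocked install.
    $note = if ($dotNetOk) {
        '.NET prerequisite already met'
    } else {
        "Pre-install .NET Framework $($required.Version) or later before running the installer"
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Role                   = $Role
        RequiredDotNet         = "$($required.Version) or later"
        InstalledRelease       = $release
        DotNetSatisfied        = $dotNetOk
        SyncFramework21Present = $syncPresent
        Note                   = $note
    }
}

# Run on the master image, Platform Layer packaging machine, or connector host.
Test-WemPrerequisite -Role WemAgent
Test-WemPrerequisite -Role CloudConnector
```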

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/service/install-and-configure.html
• Citrix Cloud Connector Technical Details: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details.html
• CXD-250 - Moving to the Citrix Virtual Apps and Desktops Service on Citrix Cloud: https://training.citrix.com/learning/course?courseId=1746
• CXD-252 - Moving to the Citrix Virtual Apps and Desktops Service on Citrix Cloud with Microsoft Azure: https://training.citrix.com/learning/course?courseId=1854


WEM Service
Deployment Steps
• WEM Service is most commonly used with VDAs that are in a Citrix Virtual Apps and Desktops Service (CVAD Service), Citrix Cloud deployment.
• The VDAs are contained in a Citrix Cloud resource location and each resource location will contain at least two Citrix Cloud Connectors.
• The setup and configuration of CVAD Service, Resource Locations, and WEM Service are all managed through the Citrix Cloud portal.

Key Notes:
• WEM Service is most commonly used with VDAs that are in a Citrix Virtual Apps and Desktops Service (CVAD Service), Citrix Cloud
deployment.
• The VDAs on which the WEM Agents are installed are contained in a Citrix Cloud resource location and each resource location will
contain at least two Citrix Cloud Connectors.
• The setup and configuration of CVAD Service, Resource Locations, and WEM Service are all managed through the Citrix Cloud portal.



WEM Service
Deployment Steps

• Before rolling out the WEM Agent machines it is leading practice to set up the WEM Service environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches, at first start up.

Key Notes:
• Just as with a WEM on-premises deployment, before rolling out the WEM Agent machines it is leading practice to set up the WEM Service environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches, at first start up.


WEM Service Deployment Steps

The high-level steps to deploy a WEM Service deployment are:

Step 1: Add the WEM ADMX GPO template to the AD domain controller and configure WEM environment settings.
Step 2: Install and configure the Citrix Cloud Connectors (if not already existing)
Step 3: Create Resource Locations (if not already existing)
Step 4: Perform initial WEM deployment configuration tasks. Configure WEM settings to apply to WEM Agents and users.
Step 5: Install WEM Agent on master image, Layer, or machine (varies depending on provisioning methods).
Step 6: Test and verify WEM Agent registration and synchronization.

Key Notes:
• Before rolling out the WEM Agent machines it is leading practice to set up the WEM environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches, at first start up.
• The broad steps to deploy a WEM Service deployment are:
• Step 1. Add the WEM ADMX GPO template to the on-premises, customer-managed AD domain controller and configure WEM environment settings. This is an optional step as the parameter values in the GPO can be configured as part of the WEM Agent install.
• Step 2. Install and configure the Citrix Cloud Connectors (if not already existing)
• Step 3. Create Resource Locations (if not already existing)
• Step 4. From the WEM Service Manage console, perform initial WEM deployment configuration tasks. Configure WEM settings to apply to WEM Agents and users.
• Step 5. Install WEM Agent on master image, Layer, or machine (varies depending on provisioning methods: Single dedicated machine, Citrix Provisioning, Machine Creation Services, App Layering).
• Step 6. Test and verify WEM Agent registration and synchronization.


Lesson Review

You have decided to roll out WEM Service and incorporate it with your existing CVAD Service environment. Your VDAs are spread over three separate resource locations. The resource locations each have two Citrix Cloud Connectors. Are additional Cloud Connectors required to support WEM Service?

No, WEM Service incorporates seamlessly into an existing CVAD Service environment.


WEM Service Deployment Installation
WEM ADMX Template Configuration


WEM Service Deployment Installation
WEM ADMX Template Configuration

• Convenient method of centrally applying WEM Agent configuration to all WEM Agents in a deployment is using the WEM ADMX template in a Group Policy Object (GPO).
• For WEM Service deployments, only the Citrix Cloud Connectors setting, Agent proxy setting, and VUEMAppCmd extra sync delay setting are used.
• The Agent proxy configuration setting:
• WEM Agents in a WEM Service deployment must be able to communicate over the internet to the WEM Infrastructure Services in Citrix Cloud.
• To facilitate this requirement, a proxy server can be used where security policies block internet access for VDAs.

Key Notes:
• Just like with on-premises WEM deployments, the most convenient method of centrally applying WEM Agent configuration to all
WEM Agents in a deployment is using the WEM ADMX template in a Group Policy Object (GPO).
• For WEM Service deployments, only the Cloud Connector setting, Agent proxy setting, and VUEMAppCmd extra sync delay setting
are used.
• The Agent proxy configuration setting: In some Citrix Virtual Apps and Desktops deployments, whether on-premises or part of a Citrix Cloud resource location, VDAs are denied internet access for security reasons.
• However, WEM Agents in a WEM Service deployment must be able to communicate over the internet to the WEM Infrastructure Services in Citrix Cloud.
• To facilitate this requirement, a proxy server can be used and its address added to the GPO setting.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/service/install-and-configure.html


Lesson Review

A WEM administrator has created a proof-of-concept (POC) WEM Service deployment but none of the Agents are able to communicate with the Citrix Cloud backend WEM infrastructure. You ask the admin which WEM ADMX Group Policy settings he configured. You are told that the Infrastructure server setting was enabled and configured. Which settings do you tell him are relevant?

• Citrix Cloud Connectors
• Agent proxy configuration
• VUEMAppCmd extra sync delay


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 9

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

WEM Service Deployment Installation
WEM Agent Installation


WEM Agent Installation
Deployment Type

• Recall that the WEM Agent can be installed and configured using the WEM PowerShell SDK.
• When using the installer UI, choose to install the WEM Agent as part of a Cloud Service deployment.

Key Notes:
• Recall that the WEM Agent can be installed and configured using the WEM PowerShell SDK.
• When using the installer UI, choose to install the WEM Agent as part of a Cloud Service deployment.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• Citrix Workspace Environment Management 1912 SDK: https://developer-docs.citrix.com/projects/workspace-environment-management-sdk/en/latest/


WEM Agent Installation
Infrastructure Service Configuration

• When using App Layering, the WEM Agent is installed on the Platform Layer. At that time, the machine is not usually subject to any AD GPOs.
• Configure the Citrix Cloud Connectors so that the Agent can communicate with the WEM Broker without need for the values provided by GPO.
• The WEM Agent installer does not require port numbers to be configured as Agent communications to the WEM Infrastructure Services in Citrix Cloud use HTTPS over port 443.

Key Notes:
• When using App Layering, the WEM Agent is installed on the Platform Layer. At that time, the machine is not usually subject to any
AD GPOs.
• So to ensure that the Platform Layer WEM Agent is able to communicate with the Citrix Cloud WEM Infrastructure Services
immediately after Agent installation, configure the Infrastructure Service FQDN or IP address, rather than choosing “Skip
configuration”, even if the WEM GPO has been configured.
• The WEM Agent installer does not require port numbers to be configured as Agent communications to the WEM Infrastructure Services in Citrix Cloud use HTTPS over port 443.

Additional Resources:
• Install and configure the Agent: https://docs.citrix.com/en-us/workspace-environment-management/service/install-and-configure.html


Lesson Review

You are a WEM administrator and a technician is rolling out WEM Agent machines in a WEM Service deployment. He has downloaded both the WEM Agent from the Citrix Downloads page and the WEM Agent from the WEM Service download page on the Citrix portal. He asks you which one he should use. What do you advise them?

• In a WEM Service deployment, install the latest WEM Agent from the Citrix Cloud portal.
• If it’s an on-premises WEM deployment that is about to be migrated to a WEM Service deployment, they may continue to use the on-premises WEM Agent and upgrade to the latest WEM Service Agent as part of the next maintenance cycle.


Lab Exercise
Module 9



Lab Exercise

• Exercise 9-1: Install and Configure the WEM Server and WEM Database.
• Exercise 9-2: Install the WEM Administration Console.
• Exercise 9-3: Install the WEM Agent on the App Layers Platform Layer.


Key Takeaways
• The high-level steps to install and configure a WEM on-premises or WEM Service deployment are designed to pre-prepare the environment for the successful rollout of WEM Agents.
• The WEM ADMX template Group Policy supports both WEM on-premises and WEM Service deployments and includes specific settings for each.
• A WEM on-premises deployment requires the installation and configuration of WEM infrastructure components that require attention and planning.
• The WEM Agent for WEM on-premises deployments is supported for use in a WEM Service deployment.
• It is not supported to use a WEM Service WEM Agent version in a WEM on-premises deployment.
• The main difference between WEM on-premises and WEM Service deployments is that the WEM infrastructure components in WEM Service are all managed and maintained by Citrix Cloud.


Citrix App Layering and WEM Administration
WEM Administration Consoles and Initial Setup
Module 10


Learning Objectives

• Describe the purpose of the WEM on-premises and WEM Service administrative consoles and identify the different delegated administrator roles.
• Identify the differences between WEM user settings and WEM machine settings and describe the capabilities of the Configuration Set backup and restore process.
• Describe the process and capabilities of WEM Group Policy Object (GPO) import and migration features.


WEM Consoles
WEM On-premises and WEM Service


WEM Consoles
WEM Administration Console (on-premises)

• Initial use requires selecting a WEM Infrastructure Server to connect and the TCP communications port to use.
• Default connection port is TCP 8288.
• Connection settings can be saved for auto-connection.
• Single point to manage a WEM infrastructure - no PowerShell or command line capabilities at this time.
• Changes are synchronized through the WEM Broker and saved to the WEM database instance.
• Multiple Consoles can be created.

Multiple WEM Administration Consoles can be created.

Key Notes:
• Initial use requires selecting a WEM Infrastructure Server to connect and the TCP communications port to use.
• The default connection port is TCP 8288.
• These settings can be saved for auto-connection when launching the console again.
• The WEM Administration Console is currently the single point to manage a WEM infrastructure; there are no PowerShell or command line capabilities at this time.
• Note: PowerShell commands can be used to create and upgrade the WEM database, and perform tasks on the Infrastructure service.
• Once the WEM Administration Console is connected to a WEM Broker, all changes are synchronized through the WEM Broker and saved to the WEM database instance.
• Multiple WEM Administration Consoles can be created.


WEM Consoles
WEM Service Manage Console (Citrix Cloud)

• The WEM Service Manage console is hosted on a Citrix Cloud-based Windows VDA.
• WEM administrators access the Manage console by first logging into the Citrix Cloud portal and seamlessly connect using Citrix Workspace app for HTML5.
• Pre-connected to the WEM Infrastructure Services - no need to choose an Infrastructure Server or communications port number.
• Single point to manage a WEM infrastructure - no PowerShell or command line capabilities at this time.

WEM Service provides a single console to administer a WEM Service deployment.

Key Notes:
• The WEM Service Manage console is hosted on a Citrix Cloud-based Windows VDA.
• WEM administrators access the Manage console by first logging into the Citrix Cloud portal and seamlessly connect using Citrix
Workspace app for HTML5.
• The Manage console is pre-connected to the WEM Infrastructure Services, so there’s no need to choose an Infrastructure Server or
communications port number.
• The Manage console is the single point to manage a WEM infrastructure; there are no PowerShell or command line capabilities at this time.
• WEM Service provides a single Manage console to administer a WEM Service deployment.


WEM Consoles
Delegating Administration

• The WEM Administration Console (on-premises) provides Administrators with the ability to:
• Configure and manage Delegated Administrators.
• Maintain better control of the infrastructure.
• By default, all new users are created with read-only permissions.
• WEM Service does not support Delegated Administrators.
• All users accessing the WEM Manage console do so with full administrator rights.

Key Notes:
• The WEM Administration Console (on-premises) provides Administrators with the ability to:
• Configure and manage Delegated Administrators.
• Maintain better control of the infrastructure.
• By default, all new users are created with read-only permissions.
• WEM Service does not support Delegated Administrators.
• All users accessing the WEM Service Manage console do so with full administrator rights.

Additional Resources:
• Delegated Administrators (on-premises only): https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/administration.html#administrators


WEM Consoles
Delegated Administrator Permissions
• There are 11 Delegated Administrator permissions that can be used.
• An Administration Log is maintained that records all changes made to all Configuration Sets.
• Only WEM Full Access admins have access.
• The log can be exported.

Delegating Administration: Administrator Permissions
• Full Access
• Policies and Profile Managers
• Configured Users Managers
• Transformer Managers
• Advanced Settings Manager
• Filter Managers
• System Utilities Managers
• Action Managers
• Action Creators
• Assignment Managers
• Read Only

Key Notes:
• Administrators can be created by adding a user to the Configured Administrator List. Then, the Edit Administrator dialog is used to adjust each Administrator's specific delegated permissions.
• There are 11 Delegated Administrator permissions that can be used:
• Full Access - have full control over every aspect of the specified Configuration Set(s).
• Policies and Profiles Managers - can manage Policies and Profiles settings.
• Configured Users Managers - can add, edit and remove users or groups from the configured users list. Users or groups with assigned actions cannot be edited or deleted by Configured Users Managers.
• Transformer Managers - can manage Transformer settings. (Transformer settings relate to kiosk mode. When in kiosk mode, the Agent Host becomes a web/application launcher which will redirect the user to the configured remote desktop interface. The user environment can be completely locked down and the user only allowed to interact with the Agent.)
• Advanced Settings Managers - can manage advanced settings (enabling or disabling action processing, cleanup actions, etc.)
• Filter Managers - can create and manage conditions and rules. Rules that are in use on assigned applications cannot be edited or deleted by Filter Managers.
• System Utilities Managers - can manage the System Utilities settings (CPU, RAM and process management).
• Action Managers - can create and manage actions, as well as control their assignment.
• Action Creators - can create and manage actions.
• Assignment Managers - can only assign resources to users or groups.
• Read Only - can view the entire console, but cannot modify any settings.
• There is an Administration Log maintained that lists all changes made to your WEM settings in all Configuration Sets.
• The log is empty by default, and requires a manual refresh to display initial data.
• There are 3 main options that can be used to manage and review the log data.
1. Export Log - This button will export the log into XLS format.
2. Refresh Log - This can be used to refresh the log.
3. Clear Log - This flushes the log. This applies for all users, and cannot be undone.
• The log is only available to Global Full Access Administrators.


WEM Initial Setup
Configuration Sets

A WEM Configuration Set is a logical grouping of WEM Agent machines to which you want to apply the same or similar WEM settings.
• WEM settings are divided into those that apply to WEM Agent machines and those which apply to users logging onto those machines.
• A WEM Agent machine can be a member of only one Configuration Set.
• Users can be added to more than one Configuration Set.
• There is no difference between WEM on-premises and WEM Service Configuration Sets.

[Screenshots: WEM Administration Console (On-Premises); WEM Service Manage Console (Citrix Cloud)]

Key Notes:
• A WEM Configuration Set is a logical grouping of WEM Agent machines to which you want to apply the same or similar WEM
settings.
• WEM settings are divided into those that apply to WEM Agent machines and those which apply to users logging onto those WEM
Agent machines.
• A WEM Agent machine can be a member of only one Configuration Set.
• Users can be added to more than one Configuration Set.

• There is no difference between the concept or behaviour of WEM on-premises and WEM Service Configuration Sets.


Key Notes:
The Default Site Configuration Set and any newly created Config Set start off completely unconfigured.
The WEM administrator can configure WEM settings in many categories. Some must be set for WEM to be operational:
• User-specific settings
• Actions
• Machine-specific settings
• Environmental Settings (controlling the user’s experience and access to Windows OS features)
• Microsoft USV (Microsoft Roaming Profiles and Folder Redirection)
• Citrix Profile Management
• Security settings (AppLocker and process management)
• System optimization settings (CPU spikes protection, memory and I/O optimization)
• Settings that control the operation of user settings (toggles for Action items)
• Settings that control the operation and behaviour of WEM Agents
• Agent launch behaviour
• Cache usage modes
• Applying/reapplying settings behavior
• Active Directory Objects
• Users and Machines
• Transformer kiosk
• Monitoring and statistics


WEM Initial Setup
Restoring XML files to Initialize Configuration Sets

• To make initial configuration easier:
• Citrix provides a set of XML files that, when restored to a Configuration Set, enable and configure settings that will be common to most WEM environments.
• Administrators can enable and configure the WEM optimization, WEM security, and WEM user environment control settings.
• In the set of WEM install media, Citrix provides 3 sets of XML files:
• Default Recommended Settings
• Environment Lockdown Sample
• Sample Applications
• Start off configuring an empty Configuration Set by restoring the Default Recommended Settings.
• Configuration Sets can be backed up to recover from accidental changes.

Key Notes:
• To make initial configuration easier, Citrix provides a set of XML files that, when restored to a Configuration Set, enable and configure settings that will be common to most WEM environments.
• Administrators can then focus on enabling and configuring the WEM optimization, WEM security, and WEM user environment control settings they have planned to roll out.
• In the set of WEM install media, Citrix provides 3 sets of XML files:
• Default Recommended Settings
• Environment Lockdown Sample
• Sample Applications
• Leading practice is to start off configuring an empty Configuration Set by restoring the Default Recommended Settings.
• Once a Configuration Set has been configured and customized for an environment, it can be backed up.
• This is also leading practice as it allows Configuration Sets to be recovered from accidental or unintentional changes made in the Console.

Additional Resources:
• Configure configuration sets: https://docs.citrix.com/en-us/workspace-environment-management/current-release/quick-start-guide.html#step-5-configure-configuration-sets


WEM Initial Setup
Backup, Restore Configuration Set Settings

• The WEM consoles provide backup and restore facilities for individual Configuration Sets.
• Entire Configuration sets can be backed up and restored.
• Groups of settings can be selectively backed up and restored.

Typical Usage Scenarios (Supported For):
• Create initial settings for a new WEM deployment by loading recommended default settings provided by Citrix. (WEM On-Premises, WEM Service)
• Create a definitive backup of WEM settings to restore when required or when testing. (WEM On-Premises, WEM Service)
• Migrate WEM settings from one WEM deployment to another. (WEM On-Premises)
• Adding additional WEM Administration Consoles - backup the Configuration Set and restore to the new Consoles. (WEM On-Premises)
• Migrate WEM settings from WEM on-premises to WEM Service (consider a full WEM on-premises to WEM Service migration). (WEM On-Premises, WEM Service)

Key Notes:
• The WEM consoles provide backup and restore facilities for individual Configuration Sets.
• Entire Configuration sets can be backed up and restored.
• Groups of settings can be selectively backed up and restored.

There are several scenarios in which WEM’s backup and restore feature is useful:
• Create initial settings for a new WEM deployment by loading recommended default settings provided by Citrix. Supported for both WEM on-premises and WEM Service deployments.
• Create a definitive backup of WEM settings to restore when required or when testing. Supported for both WEM on-premises and WEM Service deployments.
• Migrate WEM settings from one WEM deployment to another. Only supported for WEM on-premises deployments.
• When adding additional WEM Administration Consoles, back up the Configuration Set and restore to the new Consoles. Only supported for WEM on-premises deployments.
• Migrate WEM settings from WEM on-premises to WEM Service. This is supported but always consider whether a full WEM on-premises to WEM Service migration is the better option.

Additional Resources:
• Configuration Set, backup/restore: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/ribbon.html


WEM Initial Setup
WEM Machine Settings (1/2)

• WEM machine-specific settings are global settings: they apply uniformly to all WEM Agent machines that are part of the same Configuration Set.

[Diagram labels: WEM Configuration Set; WEM Active Directory Objects; WEM Agents (AD Computers); Users (AD Users); WEM Machine Settings; WEM User Settings; Rules & Conditions; WEM Agent Session; User Logon; Machine Settings Apply Always; User Settings Apply Conditionally]

Key Notes:
• WEM machine-specific settings are global settings, in that they apply uniformly to all WEM Agent machines that are part of the same
Configuration Set.



Key Notes:
• When a user logs onto a WEM Agent machine that is a member of a given Configuration Set, the WEM machine-specific settings will
apply to all users that log onto those machines (only Administrators can be optionally excluded).
• For example:
• Hiding the Control Panel from users is a machine-specific setting:
• All users that log onto a WEM Agent Machine that is part of a Configuration Set that has the Control Panel hidden will have their
Control Panel hidden. (only Administrators can be optionally excluded).



Key Notes:
• WEM user-specific settings from a given Configuration Set apply to users only when they log onto a WEM Agent machine that is a
member of that same Configuration Set.
• WEM user-specific settings are not necessarily global: they can be made to apply to all users that log onto the WEM Agent machine, but the use of rules allows WEM user settings to apply only to those users that meet the rule conditions.



Key Notes:
• Multiple collections of WEM user settings can be created in a Configuration Set and each collection can apply to different sets of
users.
• When a user starts a session to a WEM Agent machine that is a member of a given WEM Configuration Set:
• All WEM machine settings will apply to the user (only Administrators can be optionally excluded).
• The WEM user settings that will apply are determined at user logon to a WEM Agent machine, and apply according to the conditions of each WEM user setting's rules.



WEM Initial Setup
Active Directory Objects

The WEM Active Directory Objects section in the WEM Console holds WEM Users and WEM Machines.

WEM Users are added so that Actions can be assigned to them. Users can be added to more than one Configuration Set.

WEM Machines hold the Active Directory computer accounts of WEM Agent machines in a Configuration Set.

Any one WEM Agent machine’s AD computer account can belong to only one Configuration Set.

[Diagram labels: WEM Users: Single AD User Account, AD Security Group. WEM Machines: Single AD Computer Account, AD Security Group, Organizational Unit (OU).]

Key Notes:
• The WEM Active Directory Objects section in the WEM Console holds WEM Users and WEM Machines.
• WEM Users are added so that Actions can be assigned to them. Recall that users can be added to more than one Configuration Set.
• WEM Machines hold the Active Directory computer accounts of WEM Agent machines in a Configuration Set. Any one WEM Agent
machine’s AD computer account can belong to only one Configuration Set.
• On the right, you can see that AD user accounts and AD computer accounts can be added in several ways:
• Users can be added individually or as part of an Active Directory Security Group.
• WEM Agent machines can be added as a single AD computer account, as an AD Security Group containing computers, or as an OU containing computers.

Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 10

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



Migrating and Importing GPOs into WEM
Two WEM features for Importing GPOs to WEM

• WEM’s Migrate feature and Group Policy Settings feature solve the most time-consuming task of rolling out a WEM deployment: migrating Group Policy Objects (GPOs) from the AD domain controller to the WEM console.
• Migrate – extracts Group Policy Preferences (GPPs) from a GPO and applies them to a WEM Configuration Set.
• Group Policy Settings – imports an entire Group Policy as a WEM Action, which can then be assigned to users or machines in a WEM Configuration Set.

Key Notes:
• WEM’s Migrate feature and Group Policy Settings feature solve the most time-consuming task of rolling out a WEM deployment:
• Migrating Group Policy Objects (GPOs) from the AD domain controller to the WEM console.
• There are two methods for importing AD GPOs. The method you choose depends on the type of GPO settings.
• Migrate – extracts Group Policy Preferences (GPPs) from a GPO and applies them to a WEM Configuration Set.
• Group Policy Settings – imports an entire Group Policy as a WEM Action, which can then be assigned to users or machines in a
WEM Configuration Set.



Migrating GPOs & GPPs into WEM
Migrate Feature

The GPO Migrate Utility is available for WEM on-premises and WEM Service deployments.

• GPP settings extracted from GPO can be converted into WEM settings automatically prior to import, giving administrators full granular control over which WEM setting types to import.
• Computer Configuration settings are converted to WEM machine settings ready for import.
• User Configuration settings are converted to WEM user settings, known as Actions. The imported WEM Actions are then ready to assign to users.
• GPP settings imported using the Migrate feature automatically configure UI checkboxes.

Key Notes:
• The GPO Migrate Utility is available for WEM on-premises and WEM Service deployments.
• GPP settings extracted from GPO can be converted into WEM settings automatically prior to import, giving administrators full
granular control over which WEM setting types to import.
• Computer Configuration settings are converted to WEM machine settings ready for import.
• User Configuration settings are converted to WEM user settings, known as Actions. The imported WEM Actions are then ready to assign to users.
• GPP settings imported using the Migrate feature automatically configure UI checkboxes. You then have control, as shown in the image, to enable the Process Environmental Settings checkbox to turn everything on.

Additional Resources:
• Migrate GPOs (on-premises): https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/ribbon.html
• Migrate GPOs (WEM Service): https://docs.citrix.com/en-us/workspace-environment-management/service/user-interface-description/ribbon.html


Migrating GPO settings to WEM
Migrate GPO: Steps

• Using the Microsoft Group Policy Management Console, backup your existing GPO objects into a zip file.
• For WEM Service, upload the zip file to the WEM Manage console using the HTML5 Upload function.
• Import the zip file into the WEM Administration Console (on-premises) or WEM Service Manage console (Citrix Cloud) using the GPO Migrate option.
• Choose whether to import everything (The Overwrite option) or to first convert the zip file into a WEM compatible format (Convert option).
• To give control over the import tasks, it’s recommended to always choose the Convert option.
• Import the Actions and/or other WEM settings.
• Assign the Actions to users.

Key Notes:
• Using the Microsoft Group Policy Management Console, back up your existing GPO or GPP objects into a zip file.
• For WEM Service, upload the zip file to the WEM Manage console using the HTML5 Upload function.
• Import the zip file into the WEM Administration Console (on-premises) or WEM Service Manage console (Citrix Cloud) using the GPO Migrate option.
• Choose whether to import everything (the Overwrite option) or to first convert the zip file into a WEM-compatible format (Convert option).
• To give control over the import tasks, it’s recommended to always choose the Convert option.
• Import the Actions and/or other WEM settings.
• Assign the Actions to users.
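
The backup and zip steps above, scripted with the GroupPolicy module as an added example (not Citrix's or the course's own code). It also inventories each backup so you can see which GPOs hold GPP items (the Migrate feature) or registry-based policy (the Group Policy Settings feature), and flags GPP files that still carry a stored cpassword before the archive leaves the domain. Assumptions: the paths are placeholders, the folder layout checked is the one GPMC backups normally use, and the zip layout your WEM console expects should be verified against the Citrix documentation.

```powershell
#Requires -Modules GroupPolicy
# Added example: the paths below are placeholders, not values from the course.
$BackupRoot = 'C:\GpoBackups\wem-import'       # hypothetical working folder
$ZipPath    = 'C:\GpoBackups\wem-import.zip'   # hypothetical archive to import or upload

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Step 1: back up every GPO in the domain (same result as a GPMC backup).
$backups = Backup-GPO -All -Path $BackupRoot

# Step 2: per GPO and per side, report what kind of settings the backup holds.
$inventory = foreach ($b in $backups) {
    $folder = $b.Id.ToString('B')              # backup folder is named {backup-id}
    $gpoDir = Join-Path (Join-Path $BackupRoot $folder) 'DomainSysvol\GPO'

    foreach ($side in 'Machine', 'User') {
        $sideDir = Join-Path $gpoDir $side
        $prefDir = Join-Path $sideDir 'Preferences'

        # GPP items are stored as XML files under <side>\Preferences\<type>\
        $gppFiles = @()
        if (Test-Path $prefDir) {
            $gppFiles = @(Get-ChildItem -Path $prefDir -Recurse -Filter '*.xml' -File)
        }

        # GPP items created with a stored password carry a non-empty cpassword attribute.
        $withSecret = @()
        if ($gppFiles.Count -gt 0) {
            $withSecret = @($gppFiles | Select-String -Pattern 'cpassword="[^"]+"' -List)
        }

        [pscustomobject]@{
            Gpo             = $b.DisplayName
            Side            = if ($side -eq 'Machine') { 'Computer Configuration' } else { 'User Configuration' }
            GppFiles        = $gppFiles.Count                              # candidates for Migrate
            RegistryPolicy  = Test-Path (Join-Path $sideDir 'registry.pol') # candidates for Group Policy Settings
            StoredPasswords = $withSecret.Count                            # clean these up before import
        }
    }
}
$inventory | Sort-Object Gpo, Side | Format-Table -AutoSize

# Step 3: zip the backup folder. Compress-Archive skips hidden files, so use the
# .NET API to be sure the archive matches the backup folder exactly.
Add-Type -AssemblyName System.IO.Compression.FileSystem
if (Test-Path $ZipPath) { Remove-Item -Path $ZipPath }
[System.IO.Compression.ZipFile]::CreateFromDirectory($BackupRoot, $ZipPath)
```

Treat the resulting zip as sensitive: it contains the full policy content of every GPO that was backed up.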



Migrating GPO settings to WEM
Group Policy Settings Feature (1/2)

The Group Policy Settings feature is available for WEM on-premises and WEM Service deployments.

The Group Policy Settings feature takes a different approach than the Migrate feature.

• The Migrate import method only takes a GPO’s GPP settings.
• The Group Policy Settings method imports entire GPOs.
• All of a GPO’s registry-based settings can be imported using this feature.
• Unlike the Migrate method, imported GPOs using the Group Policy Settings method do not populate WEM setting checkboxes in the WEM Console UI.
• The GPO is imported as an Action item. Actions are user-based WEM settings – in that they apply to the users that have been assigned the Action item.
• For example: Assigning a printer Action item or network drive Action item to a group of users.
• GPO settings though, can either be Computer Configuration or User Configuration settings.
• So how can a GPO’s Computer Configuration settings be assigned when they are user-based Actions?

n
Key Notes:
• The Group Policy Settings feature takes a different approach than the Migrate feature.
• The Migrate import method only takes a GPO’s GPP settings.
• The Group Policy Settings method imports entire GPOs.
• All of a GPO’s registry-based settings can be imported using this feature.
• Unlike the Migrate method, imported GPOs using the Group Policy Settings method do not populate WEM setting checkboxes in the WEM Console UI.
• The GPO is imported as an Action item. Actions are user-based WEM settings – in that they apply to the users that have been assigned the Action item.
• For example: Assigning a printer Action item or network drive Action item to a group of users.
• GPO settings though, can either be Computer Configuration or User Configuration settings.
• So how can a GPO’s Computer Configuration settings be assigned when they are user-based Actions?



Migrating GPO settings to WEM
Group Policy Settings Feature (2/2)

• Assigning the User Configuration part of an imported GPO to WEM users is intuitive because Actions are designed to be assigned to users or AD Security Group of users.

[Diagram labels: Action: Group Policy Setting; Imported GPO: User Configuration settings; Assigned to: Users or AD Security Group of users]

• Assigning the Computer Configuration part of an imported GPO is not as intuitive. It requires that the imported GPO is assigned to an AD Security Group containing computers.

[Diagram labels: Action: Group Policy Setting; Imported GPO: Computer Configuration settings; Assigned to: AD Security Group of computers]

Key Notes:
In the previous slide, we asked how we can assign an imported GPO’s Computer Configuration
• Assigning the User Configuration part of an imported GPO to WEM users is intuitive because Actions are designed to be assigned to
users or an AD Security group of users.
• Assigning the Computer Configuration part of an imported GPO is not as intuitive. It requires that the imported GPO is assigned to an
AD Security Group containing computers.
• The non-intuitive part is that the AD Security Group containing computers must first be added to the Users section in WEM’s Active Directory Objects.
• The imported GPO’s Computer Configuration settings cannot be assigned to users.
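
One way to prepare the AD Security Group of computers that the notes above call for, as an added example using the ActiveDirectory module (not Citrix's or the course's own code). It keeps the group in step with the OU that holds the WEM Agent machines and reports any member that is not a computer account, since the Computer Configuration settings cannot be assigned to users. The group name, OUs and domain are placeholders; adding the group to the Users section of WEM's Active Directory Objects is still done in the console.

```powershell
#Requires -Modules ActiveDirectory
# Added example: every name below is a placeholder, not a value from the course.
$GroupName = 'WEM-GPO-Computers'                    # hypothetical security group
$GroupOu   = 'OU=Groups,DC=example,DC=local'        # where the group is created
$AgentOu   = 'OU=VDAs,DC=example,DC=local'          # OU holding the WEM Agent machines

# Create the group once; later runs reuse it.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupOu `
        -Description 'Computers that receive imported GPO Computer Configuration settings via WEM' `
        -PassThru
}

# Desired members: every computer account under the agent OU.
$wanted  = @(Get-ADComputer -SearchBase $AgentOu -SearchScope Subtree -Filter *)
$current = @(Get-ADGroupMember -Identity $group)

# Members that are not computer accounts do not belong in this group.
$nonComputers = @($current | Where-Object { $_.objectClass -ne 'computer' })
if ($nonComputers.Count -gt 0) {
    Write-Warning ("Non-computer members found in {0}:" -f $GroupName)
    $nonComputers | Select-Object Name, objectClass, distinguishedName | Format-Table -AutoSize
}

# Add computers that are in the OU but not yet in the group.
$currentDns = @($current | ForEach-Object { $_.distinguishedName })
$toAdd = @($wanted | Where-Object { $currentDns -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# Report computers that are in the group but no longer under the agent OU.
$wantedDns = @($wanted | ForEach-Object { $_.DistinguishedName })
$stale = @($current | Where-Object {
    $_.objectClass -eq 'computer' -and $wantedDns -notcontains $_.distinguishedName
})

[pscustomobject]@{
    Group        = $GroupName
    Added        = $toAdd.Count
    StaleMembers = $stale.Count
    NonComputers = $nonComputers.Count
}
```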



Lab Exercises
Module 10



Lab Exercise

• Exercise 10-1: Confirm WEM Console Initial Settings
• Exercise 10-2: Import a Microsoft Group Policy Object (GPO) into a WEM Configuration Set


Key Takeaways
• Delegated administrators give WEM admin users different levels of permissions and control in the WEM Administration Console. Delegated administrators cannot be created in the WEM Service Manage console.
• WEM settings that control users and the WEM Agent machines onto which they log on are divided into WEM user-specific settings and WEM machine-specific settings.
• Configuration Sets are unconfigured initially but WEM admins can restore pre-configured initial WEM settings suitable for most environments. The backup and restore feature can be used to migrate settings between WEM on-premises deployments, or as a method of recovering from unintentional changes.
• The WEM Migrate and WEM Group Policy Settings features allow WEM admins to import AD Group Policy Objects, thereby solving the most time-consuming task of rolling out a WEM deployment.

Key Takeaways:
• Delegated administrators can be created to give WEM admin users different levels of permissions and control when working in the
WEM Administration Console. Delegated administrators cannot be created in the WEM Service Manage console.
• There are many WEM settings but those for controlling users and the WEM Agent machines onto which they log on are divided into WEM user-specific settings and WEM machine-specific settings.
• Configuration Sets are unconfigured initially but WEM admins can restore pre-configured initial WEM settings as a starting point for most environments. The backup and restore feature can also be used to migrate settings between WEM on-premises deployments, or as a method of recovering from unintentional changes.
• The WEM Migrate and WEM Group Policy Settings features allow WEM admins to import AD Group Policy Objects, thereby solving the most time-consuming task of rolling out a WEM deployment.


Citrix App Layering and WEM Administration

WEM Centralized Management Features: System and Log On Optimization

Module 11


Learning Objectives

• Describe how WEM System Optimization options are used to benefit the user experience during sessions.
• Describe the role of WEM Assigned Actions in reducing session logon times.
• Describe how WEM logon optimization settings are used to benefit the user experience during sessions.
• Recognise the benefits of applying Citrix Profile Management through a WEM deployment.


WEM System Optimization Management Features


WEM System Optimization
WEM On-Premises and WEM Service

• The WEM System Optimization feature is a group of settings designed to dramatically improve user experience during user sessions on single-user and multi-user Windows machines.
• Used correctly, these features could potentially increase user density on Citrix Virtual Apps and Desktops VDAs (on-premises and Citrix Cloud), saving money on infrastructure costs.
• There are 5 WEM System Optimization features:
• CPU Management
• Memory Management
• I/O Management
• Fast Logoff
• Citrix Optimizer

Key Notes:
• The WEM System Optimization feature is a group of settings designed to dramatically improve user experience during user sessions
on single-user and multi-user Windows machines.
• WEM System Optimization settings are identical and their benefits are identical whether your WEM deployment is on-premises or in
Citrix Cloud.
• Used correctly, these features could potentially increase user density on Citrix Virtual Apps and Desktops multi-user VDAs (on-premises and Citrix Cloud), saving money on infrastructure costs.
• Note: To ensure reliability and stability, WEM System Optimization features do not apply to critical Windows OS processes and critical Citrix processes.
• There are 5 WEM System Optimization features:
• CPU Management
• Memory Management
• I/O Management
• Fast Logoff
• Citrix Optimizer

Additional Resources:
• WEM System Optimization: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/


WEM System Optimization
CPU Management Settings – CPU Spike Protection

• CPU Spike Protection improves the user experience by improving application responsiveness.
• This is achieved not by lowering CPU usage in a session, but by reducing the CPU Priority of troublesome processes that excessively consume CPU time.
• When a troublesome process exceeds a given percentage CPU usage for a period of time, CPU Spikes Protection is triggered and lowers the CPU Priority of the troublesome process.
• The default CPU Spikes Protection configuration is suitable for most machines to optimize CPU usage.

Key Notes:
• CPU Spike Protection improves the user experience by improving application responsiveness.
• This is achieved not by lowering CPU usage in a session, but by reducing the CPU Priority of troublesome processes that excessively
consume CPU time.
• When a troublesome process exceeds a given percentage CPU usage, CPU Spikes Protection is triggered and lowers the CPU Priority
of the troublesome process.
• The default CPU Spike Protection configuration is suitable for most machines to optimize CPU usage. The default settings are enabled once you enable the CPU Spike Protection checkbox.
• These default settings are:
• Auto Prevent CPU Spikes
• Enable Intelligent CPU Optimization
• Enable Intelligent I/O Optimization

Next we will examine each of these default settings.

Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/


WEM System Optimization
CPU Management Settings – CPU Spike Protection

• Auto Prevent CPU Spikes:
• The percentage CPU usage that triggers the lowering of a troublesome process’s CPU Priority is not fixed.
• It differs depending on the total number of a machine’s logical CPU cores.
• This means that machines with differing numbers of CPU cores can be effectively optimized within the same Configuration Set.

Key Notes:
• Auto Prevent CPU Spikes:
• With Auto Prevent CPU Spikes enabled, the percentage CPU usage that triggers the lowering of a troublesome process’s CPU
Priority is not fixed.
• It differs depending on the total number of a machine’s logical CPU cores.
• This means that machines with differing numbers of CPU cores can be effectively optimized within the same Configuration Set.

Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/


WEM System Optimization
CPU Management Settings – Auto Prevent CPU Spikes

• Auto Prevent CPU Spikes example:
• Machine Catalog of Windows 2019 VDAs built on 4 CPU core VMs:
• When overall CPU usage exceeds 23%, the CPU priority of processes that consume more than 15% of the overall CPU resources reduces automatically.
• Machine Catalog of Windows 2019 VDAs built on 8 CPU core VMs:
• When overall CPU usage exceeds 11%, the CPU priority of processes that consume more than 8% of the CPU resources reduces automatically.

The machines from both Machine Catalogs can be part of the same Configuration Set because Auto Prevent CPU Spikes can adapt to different numbers of cores.

If Customize CPU Spike Protection was enabled instead, the CPU Usage Limit is fixed:
Each Machine Catalog could be part of different Configuration Sets – each with a different CPU Usage Limit (%) value.

Key Notes:
• Auto Prevent CPU Spikes:
• For example:
• You have a Machine Catalog of Windows 2019 VDAs built on 4 CPU core VMs.
• If the overall CPU usage exceeds 23%, the CPU priority of processes that consume more than 15% of the overall CPU
resources reduces automatically.
• You have another Machine Catalog of Windows 2019 VDAs built on 8 CPU core VMs.
• If the overall CPU usage exceeds 11%, the CPU priority of processes that consume more than 8% of the CPU resources reduces automatically.
• The machines from both Machine Catalogs can be part of the same Configuration Set because Auto Prevent CPU Spikes can adapt to different numbers of cores.
• If Customize CPU Spike Protection was enabled instead, the CPU Usage Limit is fixed (the image shows this set to 35%).
• If this was the case, you would consider placing each Machine Catalog in different Configuration Sets – each with a different CPU Usage Limit (%) value.
• In cases where customizing individual CPU Spikes Protection values produces better results, the Customize CPU Spike Protection would be selected over Auto Prevent CPU Spikes.
• But as stated earlier, the default CPU Spike Protection settings are very effective in most situations.
• For maximum CPU optimization effectiveness, always test and compare the results.

Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/


WEM System Optimization
CPU Management Settings – Enable Intelligent CPU Optimization

• Without Enabling Intelligent CPU Optimization, CPU Spike Protection changes a troublesome process’s CPU Priority to low, just for a few minutes.
• Enable Intelligent CPU Optimization keeps track of each time a process has triggered CPU Spike Protection until eventually, the process will always run with a CPU Priority of low.
• The CPU Spike Protection triggers are remembered for each process on each machine and for each user.
• So when a user launches a session to a machine that they have logged onto previously, CPU usage will already be optimized.

Key Notes:
• Without Enabling Intelligent CPU Optimization, CPU Spike Protection changes a troublesome process’s CPU Priority to low for a few
minutes.
• It will continue to do this every time the process triggers CPU Spike Protection without prejudice, and so without learning that the
process is in fact troublesome.
• By Enabling Intelligent CPU Optimization, WEM will keep track of each time a process has triggered CPU Spike Protection until eventually, the process will always run with a CPU Priority of low.
• The CPU Spike Protection triggers are remembered for each process on each machine and for each user.
• So when a user launches a session to a machine that they have logged onto previously, CPU usage for processes will already be optimized.

Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/


WEM System Optimization
CPU Management Settings – Enable Intelligent I/O Optimization

• Enable Intelligent I/O Optimization adopts the same principles as Intelligent CPU Optimization by lowering the I/O Priority of processes when required.
• Similarly, the triggering of I/O Optimization is remembered for each process, for each user, and on each machine.
• Neither Intelligent CPU Optimization nor Intelligent I/O Optimization is operational without first enabling CPU Spike Protection.

Key Notes:
• Intelligent I/O Optimization adopts the same principles as Intelligent CPU Optimization by lowering the I/O Priority of processes when required.
• Similarly, the triggering of I/O Optimization is remembered for each process, for each user, and on each machine.
• Neither Intelligent CPU Optimization nor Intelligent I/O Optimization is operational without first enabling CPU Spike Protection.

Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/


WEM System Optimization
CPU Priority, CPU Affinity, CPU Clamping

• Though default CPU Management settings are effective, there may be particular processes that need individual attention.
• All of the settings listed here require a solid understanding of the underlying principles:
• CPU Priority: Specify a process and set its CPU Priority to a fixed base level. The options are:
• Realtime (not recommended)
• High
• Above Normal
• Normal
• Below Normal
• Low
• CPU Affinity: Specify a process and set how many logical cores the process can use.
• Limiting a troublesome process to use just a single logical core can improve performance.
• CPU Clamping: Specify a process and set the maximum percentage of a processor’s resources that that process can use.
• It’s a brute force approach that is computationally expensive.

Key Notes:
• Though default CPU Management settings are effective, there maybe particular processes that need individual attention.
• All of the settings listed here require a solid understanding of the underlying principals.
• CPU Priority: Specify a process and set it’s CPU Priority to a fixed base level. The options are:
• Realtime (not recommended as this can make a process completely hog CPU time. Even mouse and keyboard activity will appear
slow)
• High

436 © 2021 Citrix Authorized Content


• Above Normal
• Normal
• Below Normal
• Low
• CPU Affinity: Specify a process and set how many logical cores the process can use.
• Limiting a troublesome process to use just a single logical core can improve performance.
• CPU Clamping: Specify a process and set the maximum percentage of a processor’s resources that that process can use.

N
• WEM admins have been known to add processes like iexplore.exe or Chome.exe (Internet Explorer & Chrome) to the

ot
CPU Clamping list.

fo
• It’s a brute force approach that is computationally expensive. CPU clamping is more for processes that are perform
their resource management tasks poorly.

rr
• IE and Chrome are more easily controlled using default CPU Spike Protection settings, perhaps adding CPU Affinity to

es
limit their impact further.

al
Additional Resources:

e
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-

or
description/system-optimization/cpu-management.html

di
• WEM System Optimization – The best kept secret at Citrix! : https://www.citrix.com/blogs/2018/07/03/the-best-kept-
secret-at-citrix/

s tri
b ut
io
n

437 © 2021 Citrix Authorized Content


WEM System Optimization
Memory Management – Working Set Optimization

• When Working Set Optimization is enabled, WEM analyzes running applications and determines:
    • How much RAM the application is using
    • The minimum amount of RAM that the application needs to run in a stable manner.
• The difference is considered to be excess RAM and is released when the application goes into an idle state.
• Greatly reduces the amount of RAM used in a session and contributes to increasing overall user density.

Key Notes:
• The next WEM System Optimization feature is that of Memory Management.
• When enabled, WEM analyzes running applications and determines:
    • How much RAM the application is using
    • The minimum amount of RAM that the application needs to run in a stable manner.
• The difference is considered to be excess RAM and can be released to the pagefile when the application goes into an idle state.
• Working Set Optimization greatly reduces the amount of RAM used in a session and contributes to increasing overall user density on multi-session VDAs.

Additional Resources:
• Memory Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/memory-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/

WEM System Optimization
Working Set Optimization - Example

1. A user opens Chrome browser, navigates to YouTube. Chrome will use as much RAM as it needs.
2. Over the sampling period [Idle Sample Time: 30 minutes default], WEM determines the amount of RAM Chrome has used and also determines the least amount of RAM required.
3. Then the user is finished with Chrome and it becomes idle.
4. Chrome’s CPU usage drops to the value set by the Idle State Limit value [1% default].
5. WEM forces Chrome to release the excess RAM to the pagefile.
6. When Chrome is used again, it will initially run in its optimized state but can still go on to consume additional RAM as needed.
7. When considering how this affects multiple processes over multiple user sessions, the result is that all of that RAM freed up is available for other processes and will increase user density by supporting a greater number of users on the same server.

Key Notes:
• A user opens Chrome browser, navigates to YouTube, and plays some videos. Chrome will use as much RAM as it needs.
• In the background, and over the sampling period [the Idle Sample Time setting], WEM determines the amount of RAM Chrome has used and also determines the least amount of RAM required, while still maintaining stability.
• Then the user is finished with Chrome and it becomes idle (this could be done by simply working with another app or minimizing Chrome to the Task Bar).
• When Chrome’s percentage CPU usage drops to the value set by the Idle State Limit value, WEM then forces the process to release the excess RAM to the pagefile.
• When Chrome is used again, it will initially run in its optimized state but can still go on to consume additional RAM as needed.
• When considering how this affects multiple processes over multiple user sessions, the result is that all of that RAM freed up is available for other processes and will increase user density by supporting a greater number of users on the same server.

Additional Resources:
• Memory Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/memory-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/

WEM System Optimization
I/O Management

• Optimizes the I/O priority of specific processes, so that processes which are contending for network and disk I/O access do not cause performance bottlenecks.
• Establishes the "base priority" for all of the threads in the process. The actual, or "current," priority of a thread may be higher, but is never lower than the base.
• In general, Windows gives access to threads of higher priority before threads of lower priority.

Key Notes:
• These settings allow you to optimize the I/O priority of specific processes, so that processes which are contending for network and disk I/O access do not cause performance bottlenecks.
• The process priority you set here establishes the "base priority" for all of the threads in the process. The actual, or "current," priority of a thread may be higher, but is never lower than the base.
• In general, Windows gives access to threads of higher priority before threads of lower priority.

Additional Resources:
• I/O Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/io-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/

WEM System Optimization
Fast Logoff

• A purely visual option that will end the HDX connection to an app's session, giving the impression that the session has immediately closed.
• The session itself continues to progress through the app session logoff phases on the VDA.
• Specified AD Security Groups can be excluded.

Key Notes:
• A purely visual option that will end the HDX connection to an app's session, giving the impression that the session has immediately closed.
• The session itself continues to progress through the app session logoff phases on the VDA.
• You can specify particular AD Security Groups that Fast Logoff won’t apply to.

Additional Resources:
• Fast Logoff: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/fast-logoff.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/

Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 11

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.

WEM System Optimization
Citrix Optimizer

• Citrix Optimizer optimizes Windows machines to improve performance and can increase user density.
• It applies a pre-created optimization template to machines in WEM’s Active Directory Objects list (one template per OS version).
• Optimizations are performed on several categories, which you can choose to apply or not apply.
• A Preview button displays the details of the optimization changes that the template will apply.
• A Configuration Set contains Server 2019 WEM Agent machines and Server 2016 WEM Agent machines.
• The relevant template will apply only to the matching machines.

Key Notes:
• Citrix Optimizer optimizes Windows machines to improve performance and can increase user density.
• Citrix Optimizer applies a pre-created Windows OS optimization template to machines in WEM’s Active Directory Objects list.
• It applies only one Windows version template to the matching Windows version WEM Agent machine.
• Optimizations are performed on several categories, called Groups, which you can choose to apply or not apply.
• A Preview button displays the details of the optimization changes that the template will apply.
• As an example, a Configuration Set contains Server 2019 WEM Agent machines and Server 2016 WEM Agent machines.
    • The relevant template will apply only to the matching machines.
    • The unused templates have been disabled.

Additional Resources:
• Citrix optimizer: https://docs.citrix.com/en-us/workspace-environment-management/service/user-interface-description/system-optimization/citrix-optimizer.html

Lesson Review

A WEM admin has added the machines from 2 Windows Server 2016 Machine Catalogs into the one Configuration Set. One Machine Catalog contains machines based on 4 CPU core VMs. The other Machine Catalog machines are based on 8 CPU core VMs. The default CPU Management settings have been enabled, including “Auto Prevent CPU Spikes”.

There is also another Machine Catalog of Windows 10 based on 4 core VMs. The admin is considering adding these machines into the same Configuration Set. Is this a good idea?

While the default CPU Optimization WEM settings will probably suit all Machine Catalogs, there are other WEM machine-based settings that will need to be configured for the multi-session Server 2016 VDAs - such as user lockdown settings.
The single-session Windows 10 machines most likely need to be configured with different user environment lockdown settings. So in most cases, this is not a good idea.

Lab Exercise
Module 11

Lab Exercise

• Exercise 11-1: Identify CPU Spikes
• Exercise 11-2: Configure CPU Management
• Exercise 11-3: Test CPU Management

WEM Logon Optimization
Management Features

WEM Logon Optimization
Overview

• The Windows logon process contains several phases which are processed synchronously:
• WEM logon optimization addresses the most time-consuming phases: User Profile and GPO/GPP processing.
• The WEM logon optimization settings when configured, are processed by the WEM Agent to give a far shorter logon duration.

Key Notes:
• The Windows logon process contains several phases which are processed synchronously:
    • Session Initialization
    • Authentication
    • User Profile
    • GPO/GPP
    • User Initialization
    • SHELL Initialization
• WEM logon optimization addresses the most time-consuming phases: User Profile and Group Policy Object (GPO) and Group Policy Preferences (GPP) processing.
• The WEM logon optimization settings when configured, are processed by the WEM Agent to give a far shorter logon duration.

Additional Resources:
• WEM Logon Optimization – Engage computers. Prepare for warp speed!: https://www.citrix.com/blogs/2018/11/19/part-2-wem-logon-optimization-engage-computers-prepare-for-warp-speed/

WEM Logon Optimization
Overview

• Unlike WEM’s System Optimization, there’s no checkbox that simply enables logon optimization – rather WEM groups these settings under different sections:
    • Actions: Settings that are assigned to users according to rules.*
    • Environmental Settings: Machine lockdown settings that apply to machines only – and so affect all users that log on to the machine.
    • Citrix Profile Management Settings: Centrally manage an environment’s profile settings using the WEM console’s intuitive user interface (UI).
    • Microsoft USV Settings: For configuring Microsoft Roaming Profiles and Folder Redirection.

*Imported Group Policies that have GPO Computer Configuration settings are Actions assigned to AD computer groups, rather than users.

Key Notes:
• Unlike WEM’s System Optimization, there’s no checkbox that simply enables logon optimization – rather WEM groups these settings under different sections:
    • Actions: Settings that are assigned to users according to rules. Though if you recall, imported Group Policies that have GPO Computer Configuration settings are Actions that are assigned to AD computer groups.
    • Environmental Settings: Machine lockdown settings that apply to machines only – and so affect all users that log on to the machine. Administrators though, can be excluded.
        • Since Environmental Settings are more concerned with locking down and securing sessions, they will be covered in the WEM Security Module of this course.
    • Citrix Profile Management Settings: Centrally manage an environment’s profile settings using the WEM console’s intuitive user interface (UI).
    • Microsoft USV Settings: For configuring Microsoft Roaming Profiles and Folder Redirection.

Additional Resources:
• WEM Logon Optimization – Engage computers. Prepare for warp speed!: https://www.citrix.com/blogs/2018/11/19/part-2-wem-logon-optimization-engage-computers-prepare-for-warp-speed/

Lesson Review

Which two Windows logon phases does WEM optimize processing for?

User Profile processing and Group Policy Object and Group Policy Preferences processing.

WEM Assigned Actions

WEM Assigned Actions
WEM Actions

• WEM Actions replace settings commonly found in Group Policy Object settings or provided through scripts.
• Actions are WEM user-based settings, so they apply for a user when they launch a session.
• There are many types of Actions, but the most common ones configured by WEM admins are:
    • Applications: These could be installed applications or Citrix Virtual Apps and Desktops published applications.
    • Printers: UNC path to network printers.
    • Network Drives: Shared folders on the network that are mapped to a drive letter.
    • Group Policy Settings: GPOs imported into WEM.

Key Notes:
• WEM Actions replace settings commonly found in Group Policy Object settings or provided through scripts.
• Actions are WEM user-based settings, so they apply for a user when they launch a session to a WEM Agent Machine.
• From the screenshot on the right you can see that there are many types of Actions that can be assigned to users, but the most common ones configured by WEM admins are:
    • Applications: These could be installed applications or Citrix Virtual Apps and Desktops published applications.
    • Printers: UNC path to network printers.
    • Network Drives: Shared folders on the network that are mapped to a drive letter.
    • Group Policy Settings: GPOs imported into WEM and then assigned to users or computers.

Additional Resources:
• WEM Actions: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions.html
• Each additional Action type has a dedicated page in the same documentation section as the above URL.

Additional Information:
Complete list of Action types, with descriptions:
• Group Policy Settings.
• The Applications section controls the creation of application shortcuts, as well as various settings pertaining to application presentation. This includes both applications within a desktop, as well as seamless published apps.
    • If Applications settings need to be applied to published apps, use Citrix Studio to edit the application settings and add an executable file path that points to VUEMAppCmd.exe (located in the agent installation directory).
    • VUEMAppCmd.exe ensures that Workspace Environment Management agent has finished processing an environment before Citrix Virtual Apps and Desktops published applications are started.
• Printer mapping can be managed with the Printers option. The primary use case for this is to map network printers within the corporate network.
• The Network Drives section can be used to map network drives to users or groups. In contrast, the Virtual Drives section is used to map Windows virtual drives or MS-DOS device names which map local file paths to drive letters.
• Registry Entries allows for the deployment of registry entries using WEM. Similarly, Environment Variables are managed using the section with that name.
• The Ports feature allows client COM and LPT port mapping.
    • If you use the Ports feature to manually control the mapping of each port, remember to enable the Client COM port redirection or the Client LPT port redirection policies in Citrix Studio. By default, COM port redirection and LPT port redirection are prohibited.
• Ini Files controls the creation of .ini file operations, which allow for the modification of .ini files.
• External Tasks can be used to control the execution of external tasks such as running .vbs or .cmd scripts.
• File System Operations controls the copying of folders and files into the user’s environment. This may be useful for certain applications that require a unique configuration file to be present on the Virtual Delivery Agent machine for the user’s session.
• User DSNs can be created using the section with the same name. A User DSN is a specific ODBC Data Source for a user on a given workstation.
• File associations can also be created in the user environment within the section of the same name.

WEM Assigned Actions
WEM Filters

• Filters contain Rules and Conditions.
• Rules, defined by these conditions determine who or how Actions apply (Rules are only used for Actions).
• Rules are made up of conditions:
    • A Condition is just a parameter that matches a specified value.
    • When creating a Rule, Conditions can be ANDed together (OR is not supported).
    • There are over 60 different conditions.
• If no rules have been created, the default Always true rule will be used.

Key Notes:
• Filters contain Rules and Conditions.
• Filter rules can only be applied to Actions. Other settings, such as Citrix Profile Management, WEM Transformer, System Optimization, and Environmental Settings, will automatically be applied to all Agents that are a part of the configuration set.
• Rules are made up of conditions:
    • A Condition is just a parameter that matches a specified value.
    • When creating a Rule, Conditions can be ANDed together (OR is not supported).
    • There are over 60 different conditions.
• Rules, defined by these conditions determine who or how Actions apply.
• If no rules have been created, the default “Always true” rule will be used when assigning an Action.

Additional Resources:
• WEM Filters: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/filters.html

WEM Assigned Actions
WEM Assignments

• Assignments are where Actions are assigned to users and apply according to a Rule.
• Since Actions only apply to users or groups of users, you need to first add WEM Active Directory Objects (Users).
• Once added, they automatically appear in the list of Users.
• A User or a group of Users is selected, an Action is selected, and a Rule is selected.
• This can get repetitive – so create Action Groups to make it easy.
• Action Groups are a collection of Actions that can be assigned in one step.
• The Modeling Wizard section displays the resultant actions for a given user only (it does not work for groups).

Key Notes:
• Assignments are where Actions are assigned to users and apply according to a Rule.
• Since Actions only apply to users or groups of users, you need to first add them in the WEM Active Directory Objects (Users) section in the WEM Console.
• Once added, they automatically appear in the list of Users.
• To create an Assignment: First select a User or a group of Users, select an Action, and select a Rule.
• When you have a lot of Actions and a lot of users, this can get repetitive – so create Action Groups to make it easy.
• Action Groups are created in the Actions section and are a collection of Actions that you can assign to users in one step.
• The Modeling Wizard section displays the resultant actions for a given user only (it does not work for groups).

Additional Resources:
• WEM Assignments: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/assignments.html

WEM Assigned Actions
WEM Assigned Actions Example

A WEM admin wants to have a shared folder that’s only used by the Human Resources (HR) department, mapped to a drive letter. The drive letter is only needed to be accessed when HR are saving work from published app sessions. It’s not needed for Desktop sessions.

• Add Active Directory Objects (Users): Domain Users
• Create Action (Network Drive): Path = \\NYC-FSR-001\HR Resources\, Drive Letter = R
• Create Conditions:
    • Condition 1 = Active Directory Attribute Match, Value = HR Security Group
    • Condition 2 = User SBC Resource, Value = Application
• Create Rule: Name = Network drive for HR, Value = Condition 1 AND Condition 2
• Create Assignment: Assign Network Drive (Action) to Domain Users (Active Directory Objects) using Network drive for HR (Rule)

Key Notes:
A WEM admin wants to have a shared folder that’s only used by the Human Resources (HR) department mapped to a drive letter. The drive letter is only needed to be accessed when HR are saving work from published app sessions. It’s not needed for Desktop sessions.
So what would be the process to set this up?
• First, add an Active Directory Group to WEM Active Directory Objects. It doesn’t need to be the HR Group but does need to include the HR Group. Adding a broader AD Group is ok because the Rule we create will narrow it down to HR. So we can add Domain Users for example.
• Next, create the Network Drive Action. Specify the path and a drive letter.
• Next create a couple of Conditions:
    • Condition 1: Use the “Active Directory Attribute Match” parameter with a value of HR Security Group.
    • Condition 2: Use the “User SBC Resource” parameter with a value of Application.
• Next create a Rule. Initially this is just an empty container that we give a name to, but we add the 2 Conditions. These are ANDed together, which means when a user launches a session, they must be a member of the HR Group AND they are launching an app session.
• Finally, we create the Assignment. In this task, you select the users (Domain Users Group), then select the Network Drive Action for them and select the “Network drive for HR” Rule we created.

Note: We could have simply added the HR Security Group to Active Directory Objects. That would mean we wouldn’t need to create Condition 1 – the condition that narrows down to the HR group. But adding the larger parent group to WEM Active Directory Objects may be less work in the end; especially if you will be assigning Actions to many different groups in a specific Configuration Set. Really, it’s what works best for you.

Additional Resources:
• WEM Filters: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/filters.html

WEM Assigned Actions
Advanced Settings for Assigned Actions

• Advanced Settings section, under Main Configuration: Settings which relate to Assigned Actions.
• No Assigned Actions will apply unless the corresponding Action Agent checkbox is enabled.
• Restoring the Default Recommended Settings enables all of the baseline settings, such as these Agent Actions checkboxes.
• WEM admins often customize their own WEM baseline settings, taken from the Default Recommended Settings and restore them to any newly created Configuration Set.

Key Notes:
• There is a group of settings in the Advanced Settings section, under Main Configuration, which are related specifically to Assigned Actions.
• None of the Assigned Actions you create will apply at all unless the corresponding Action Agent checkbox is enabled.
• So for instance, users won’t get their mapped network drive Assigned Action unless the corresponding “Process Network Drives” box is enabled.
• Restoring the “Default Recommended Settings” enables all of the baseline settings, such as these Agent Actions checkboxes.
• WEM admins often customize their own WEM baseline settings, taken from the “Default Recommended Settings” and restore them to any newly created Configuration Set.

Additional Resources:
• WEM Advanced Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/advanced-settings.html

Lesson Review

A Citrix Administrator needs to map a network drive into user sessions, but only if the user endpoint is part of the corporate network.
How can this be accomplished using WEM?

1. Create a Condition based on client IP.
2. Set IP range specific to the corporate network.
3. Add the Condition to a filter rule.
4. Create the Action to map the network drive.
5. Assign the Action to users with the filter rule attached.
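
The HR drive example and the Lesson Review above, as a small Python model of how a filter rule gates an assigned Action. This is an added example, not Citrix code: the class and function names, the sample users, the S: drive and the 10.20.0.0/16 range are constructed, and the Active Directory condition is simplified to a group-membership test.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Session:
    """What the agent knows about a launching session (simplified)."""
    user: str
    groups: frozenset   # AD groups the user is a member of
    resource: str       # "Application" or "Desktop"
    client_ip: str      # address of the user's endpoint


Condition = Callable[[Session], bool]


def ad_group_match(group: str) -> Condition:
    # Stands in for the "Active Directory Attribute Match" condition.
    return lambda s: group in s.groups


def sbc_resource(kind: str) -> Condition:
    # Stands in for the "User SBC Resource" condition.
    return lambda s: s.resource == kind


def client_ip_in(cidr: str) -> Condition:
    # Stands in for a client-IP condition with a corporate address range.
    network = ip_network(cidr)
    return lambda s: ip_address(s.client_ip) in network


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Tuple[Condition, ...] = ()

    def matches(self, session: Session) -> bool:
        # Conditions are ANDed; there is no OR. With no conditions,
        # all() returns True, which is the "Always true" behaviour.
        return all(cond(session) for cond in self.conditions)


ALWAYS_TRUE = Rule("Always true")


@dataclass(frozen=True)
class Assignment:
    action: str               # label of the Action being assigned
    ad_object: str            # AD group added to Active Directory Objects
    rule: Rule = ALWAYS_TRUE


def resultant_actions(session: Session, assignments: List[Assignment]) -> List[str]:
    """Actions a session receives: target group matches AND rule matches."""
    return [a.action for a in assignments
            if a.ad_object in session.groups and a.rule.matches(session)]


HR_DRIVE = "R: = \\\\NYC-FSR-001\\HR Resources\\"
CORP_DRIVE = "S: = corporate share (placeholder)"
CORP_RANGE = "10.20.0.0/16"   # constructed range, not from the course

HR_RULE = Rule("Network drive for HR",
               (ad_group_match("HR Security Group"), sbc_resource("Application")))
APP_ONLY = Rule("App sessions only", (sbc_resource("Application"),))
CORP_ONLY = Rule("Corporate endpoints only", (client_ip_in(CORP_RANGE),))

# Broad target narrowed by the rule (the slide's approach) ...
BROAD = [Assignment(HR_DRIVE, "Domain Users", HR_RULE)]
# ... versus the narrower target from the Note, which needs only Condition 2.
NARROW = [Assignment(HR_DRIVE, "HR Security Group", APP_ONLY)]
# Lesson Review: drive mapped only for endpoints inside the corporate range.
CORP = [Assignment(CORP_DRIVE, "Domain Users", CORP_ONLY)]

# Constructed sample sessions.
HR = frozenset({"Domain Users", "HR Security Group"})
FINANCE = frozenset({"Domain Users", "Finance"})
SESSIONS = {
    "hr_app": Session("alice", HR, "Application", "10.20.4.17"),
    "hr_desktop": Session("alice", HR, "Desktop", "10.20.4.17"),
    "finance_app": Session("bob", FINANCE, "Application", "10.20.9.3"),
    "hr_remote_app": Session("alice", HR, "Application", "203.0.113.50"),
}

if __name__ == "__main__":
    for label, session in SESSIONS.items():
        print(f"{label:14} broad={resultant_actions(session, BROAD)} "
              f"narrow={resultant_actions(session, NARROW)} "
              f"corp={resultant_actions(session, CORP)}")
```

A filtered mapping only decides whether the drive letter appears in the session; share and NTFS permissions on the file server still decide who can open the data, so the HR share's ACL should restrict access to the HR group regardless of the WEM rule.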

Citrix Profile Management in WEM

Citrix Profile Management in WEM
Overview

• Citrix Profile Management (CPM) is a roaming profile solution installed on VDAs.
• Runs as a Windows service using settings that reside in the HKLM registry.
• Without WEM, CPM settings are written to the registry from one of three choices:
    • AD Group Policy Object (GPO)
    • HDX Policy
    • Local .ini file
• If WEM is used to configure CPM, the WEM Agent writes CPM settings to the registry from CPM settings configured in the WEM Console.
• The benefit to logon optimization that WEM brings is that CPM settings don’t have to be read and processed from a HDX policy or AD GPO during the logon phase.
• WEM does not affect the operation of CPM, it only provides the settings in HKLM that CPM uses.

Key Notes:
• Citrix Profile Management (CPM) is a roaming profile solution that is typically installed as part of the VDA.
• CPM runs as a Windows service using settings that reside in the HKLM registry.
• Without WEM, CPM settings are written to the registry from one of three choices:
    • AD GPO
    • HDX Policy
    • Local .ini file
• If WEM is used to configure CPM, the WEM Agent writes CPM settings to the registry from CPM settings configured in the WEM Console.
    • So WEM settings become the fourth choice admins have for writing CPM settings to the registry.
• The benefit to logon optimization that WEM brings is that CPM settings don’t have to be read and processed from a HDX policy or AD GPO during the logon phase.
• WEM does not affect the operation of CPM, it only provides the settings in HKLM that CPM uses.

Additional Resources:
• Citrix Profile Management - Decide on a configuration: https://docs.citrix.com/en-us/profile-management/current-release/plan/configuration.html
• WEM - Citrix Profile Management Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/policies-and-profiles/citrix-upm-settings.html

Citrix Profile Management in WEM
CPM configuration

• WEM provides by far the easiest method of

N
centrally configuring Citrix Profile

ot
Management.

fo
• CPM settings are intuitively arranged and

rr
divided in sections.

es
• Keep your WEM deployment version up-to-

al
date: CPM settings in the WEM Console

e
always match the settings of the latest

or
CPM version.
• Microsoft User State Virtualization (USV)

di
and VMware Persona settings can also be

s tri
managed by WEM.

b ut
332 © 2020 Citrix | Confidential

io
n
Key Notes:
• The other benefit that WEM provides is that it is by far the easiest method of centrally configuring Citrix Profile Management.
• All the CPM settings are intuitively arranged and divided in sections.
• It’s good practice to keep your WEM deployment version up-to-date. One reason is so the CPM settings in the WEM Console always
match the settings of the latest CPM version.
• Microsoft User State Virtualization (USV) and VMware Persona settings can also be managed by WEM.

Additional Resources:
• Citrix Profile Management Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/policies-and-profiles/citrix-upm-settings.html


Citrix Profile Management in WEM
Citrix Profile Management Health Status

• The health status of Profile Management in the deployment can be viewed.
• Go to Administration > Agents > Statistics to view health status.

Health status values:
• Profile Management is in good shape.
• Suboptimal settings may affect the user experience.
• Profile Management is configured incorrectly and is not functioning properly.
• Profile Management is not found, not enabled, or WEM agent version is not high enough.

Key Resources:
• The Citrix Profile Management health status feature is available in the form of a Profile Management Health Status column on the
Statistics tab of the Agents section.
• Profile Management health status performs automated status checks on your agent hosts to determine whether Profile
Management is configured optimally.
• You can view the results of these checks to identify specific issues from the output file on each agent host (%systemroot%\temp\UpmConfigCheckOutput.xml).
• The feature performs status checks every day or each time the WEM Agent Host service starts.
• To perform the status checks manually, right-click the selected agent in the administration console, and then select Refresh Profile Management Configuration Check in the context menu.

Additional Resources:
• Administration – Agents: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/administration.html#agents


Lesson Review

What considerations change when deploying Citrix Profile Management using WEM?

None; all Citrix Profile Management considerations stay the same, and all profile settings available via HDX or GPO policy are also available in the equivalent version of WEM.


Lab Exercise
Module 11



Lab Exercise

• Exercise 11-4: Configure Assigned Actions for Users
• Exercise 11-5: Configure Citrix Profile Management from the WEM Console
• Exercise 11-6: Test Profile Management and Assigned Actions


Key Takeaways
• WEM CPU Management improves user experience by greatly reducing the impact of applications that use a high percentage of CPU time.
• WEM Memory Management improves user experience by greatly reducing the amount of RAM used by idle processes.
• Both CPU Management and Memory Management can increase user density on multi-session VDAs.
• WEM Assigned Actions replace GPO, GPP, and script settings so that they don’t contribute to logon duration.
• WEM Assigned Actions can be applied using rules and conditions, making it a very versatile feature.
• Deploying Citrix Profile Management (CPM) settings through the WEM Console provides the easiest and most intuitive method of CPM configuration.



Citrix App Layering and WEM Administration

WEM Centralized Management Features: Security & Lockdown

Module 12


Learning Objectives

• Describe the benefits of managing Microsoft Windows AppLocker security using WEM.
• Describe how to configure the WEM Process Management feature.
• Describe how WEM Environment Settings is used to lock down the Windows user interface features.
• Describe the purpose and benefits of creating a WEM Transformer kiosk machine.
• Describe the purpose and capabilities of WEM monitoring and reporting features.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 12

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercises.

WEM Security Management Features


Use WEM to Enforce Security on the Machine Running the VDA

• Citrix Workspace Environment Management provides settings that can apply security and restrictions to a session:
• Application Security
• Process Management
• Environmental Settings

Key Notes:
• WEM can lock down and secure an environment with settings such as disabling user access to the registry or command line, hiding specific elements in Windows Explorer, hiding or blocking access to drives, and the ability to exclude Administrators from security settings that are applied to user sessions.
• Some security settings are processed at logon and others are refreshed by the Agent while the session is active.

Additional Resources:
• WEM Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html
• WEM Environmental Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/policies-and-profiles/environmental-settings.html


WEM Security
Application Security

• WEM Application Security is based on the Windows AppLocker security feature.
• AppLocker controls the application executables, scripts, installer packages, and even DLLs that users are permitted to run on a machine.
• WEM Application Security adds useful centralized management features.

Key Notes:
• WEM Application Security is based on the Windows AppLocker security feature.
• Windows AppLocker allows administrators to control the application executables, scripts, installer packages, and even DLLs that
users are permitted to run on a machine.
• The AppLocker rules and operations in WEM are identical to those of Windows AppLocker, but WEM Application Security adds useful centralized management features.

Additional Resources:
• WEM Application Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html#application-security


WEM Security
Application Security

• Bulk operations:
• Apply Application Security Rules to all WEM Agent Machines in the Configuration Set.
• Bulk assign or unassign Rules.
• Select multiple Rules and edit settings.
• Import AppLocker Rules from exported GPO:
• Export the GPO as an XML file and import to the WEM Console.

Key Notes:
• Bulk operations:
• Apply Application Security Rules to all WEM Agent Machines in the Configuration Set.
• Bulk assign or unassign Rules.
• Select multiple Rules and edit settings for all selected.
• Import AppLocker Rules from exported GPO:
• Export the GPO as an XML file and import to the WEM Console.

• There’s a dedicated “Import AppLocker Rules” button for this.
• Useful when setting up the feature for the first time from an existing environment.
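
One way to sanity-check an exported AppLocker XML file before using Import AppLocker Rules, as an added example that is not part of the course material: it lists every rule with the enforcement mode of its rule collection and flags allow rules that cover user-writable paths. The sample policy is constructed, and the function name and the "risky path" heuristics are this example's own assumptions.

```powershell
# Constructed sample of an exported AppLocker policy; rule Ids are placeholders.
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Admins run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Legacy tool in Downloads" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Everyone, all scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

# Hypothetical helper (not a Citrix or Microsoft cmdlet).
function Get-AppLockerPolicyReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PolicyXml
    )

    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    # Assumption: locations a standard user can normally write to.
    $writable = '^(%OSDRIVE%\\Users\\|%REMOVABLE%|%HOT%)'

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($PolicyXml)

    foreach ($collection in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $type = $collection.GetAttribute('Type')
        $mode = $collection.GetAttribute('EnforcementMode')

        foreach ($rule in $collection.SelectNodes('*')) {
            $sid    = $rule.GetAttribute('UserOrGroupSid')
            $action = $rule.GetAttribute('Action')
            $paths  = @($rule.SelectNodes('Conditions/FilePathCondition') |
                        ForEach-Object { $_.GetAttribute('Path') })

            $findings = @()
            if ($mode -ne 'Enabled') {
                $findings += "collection mode is $mode, rule is not enforced"
            }
            if ($action -eq 'Allow') {
                foreach ($p in $paths) {
                    if ($p -eq '*' -and $sid -ne $adminSid) {
                        $findings += "allows every path for non-administrator SID $sid"
                    }
                    elseif ($p -match $writable) {
                        $findings += "allows user-writable location $p"
                    }
                }
            }

            [pscustomobject]@{
                Collection = $type
                Mode       = $mode
                RuleType   = $rule.LocalName   # FilePathRule, FilePublisherRule or FileHashRule
                Name       = $rule.GetAttribute('Name')
                Action     = $action
                Sid        = $sid
                Findings   = $findings -join '; '
            }
        }
    }
}

# Review the constructed sample. For a real export, pass the file content
# instead, for example: -PolicyXml (Get-Content -Raw -Path <exported file>)
Get-AppLockerPolicyReview -PolicyXml $samplePolicy |
    Format-Table Collection, Mode, Name, Findings -AutoSize -Wrap
```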

Additional Resources:
• WEM Application Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html#application-security

Additional Information:
• AppLocker configuration for any Windows machine can be viewed using the Local Security Policy on that machine.
• When you migrate an AD GPO to WEM, you disable, unlink, or delete the original AD GPO – to avoid conflicts.
• This does not need to be done for AppLocker settings in the Local Security Policy.
• This is because the Local Security Policy will always display the machine’s AppLocker settings that are retrieved from WEM.
• After configuring AppLocker through the WEM Console, each WEM Agent machine’s Local Security Policy AppLocker settings will match those configured in the WEM Console’s Application Security.


WEM Security
Application Security: Tips

• AppLocker DLL Rules may affect machine performance.
• For testing Rules without affecting users, set a Rule to Audit mode. Rule violations are written to the AppLocker event log.
• AppLocker runs using the Application Management Windows Service on each machine. Check the service if there are AppLocker issues.

Key Notes:
• There is a separate checkbox for enabling the processing of AppLocker DLL Rules.
• Enabling DLL Rules may affect machine performance. This is because AppLocker checks each DLL that an app loads before it’s
allowed to run.
• AppLocker Rules can be set to Audit. Rules set to audit are inactive. This means the rule runs without affecting the app, but the details about the rule violations are added to the AppLocker event log.
• AppLocker runs using the Application Management Windows Service on each machine. If there are problems with the operation of WEM Application Security, always check that the service is running. Restarting the service can resolve issues.
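
Reading the audit results described above, as an added example that is not part of the course material: it groups AppLocker audit and block events by file path, so an administrator can see which applications a rule set would stop before moving out of Audit mode. The sample records are constructed; the log names and event IDs are the standard AppLocker ones, and the function name and the reliance on English event messages are this example's assumptions.

```powershell
# Standard AppLocker event logs and event IDs.
$AppLockerLogs = 'Microsoft-Windows-AppLocker/EXE and DLL',
                 'Microsoft-Windows-AppLocker/MSI and Script'
$AuditIds   = 8003, 8006   # allowed to run, but would be blocked if enforced
$BlockedIds = 8004, 8007   # blocked by an enforced rule

# Hypothetical helper (not a Citrix or Microsoft cmdlet).
function Get-AppLockerViolationSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Record
    )
    begin {
        $rows = [System.Collections.Generic.List[object]]::new()
    }
    process {
        $kind = if ($Record.Id -in $AuditIds) { 'Audit' }
                elseif ($Record.Id -in $BlockedIds) { 'Blocked' }
                else { $null }
        if (-not $kind) { return }   # ignore "allowed" and informational events

        # Assumption: English message text, which starts with the file path.
        $path = if ($Record.Message -match '^(?<path>.+?) was (allowed to run|prevented from running)') {
                    $Matches['path']
                } else { '(unparsed)' }

        $rows.Add([pscustomobject]@{ Kind = $kind; Path = $path; Time = $Record.TimeCreated })
    }
    end {
        $rows | Group-Object Kind, Path | ForEach-Object {
            [pscustomobject]@{
                Kind  = $_.Group[0].Kind
                Path  = $_.Group[0].Path
                Count = $_.Count
                Last  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample records with the same Id/TimeCreated/Message shape as Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ Id = 8003; TimeCreated = [datetime]'2021-03-01T09:15:00'
        Message = '%OSDRIVE%\USERS\USER1\DOWNLOADS\SETUP.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.' }
    [pscustomobject]@{ Id = 8003; TimeCreated = [datetime]'2021-03-01T10:40:00'
        Message = '%OSDRIVE%\USERS\USER1\DOWNLOADS\SETUP.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.' }
    [pscustomobject]@{ Id = 8006; TimeCreated = [datetime]'2021-03-01T11:05:00'
        Message = '%OSDRIVE%\USERS\USER2\DESKTOP\CLEANUP.PS1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.' }
    [pscustomobject]@{ Id = 8002; TimeCreated = [datetime]'2021-03-01T11:06:00'
        Message = '%PROGRAMFILES%\VENDOR\APP.EXE was allowed to run.' }
)
$sample | Get-AppLockerViolationSummary | Format-Table -AutoSize

# On a WEM Agent machine, feed live events instead:
# Get-WinEvent -FilterHashtable @{ LogName = $AppLockerLogs; Id = $AuditIds + $BlockedIds } -ErrorAction SilentlyContinue |
#     Get-AppLockerViolationSummary
```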

Additional Resources:
• WEM Application Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html#application-security


WEM Security
Process Management

• Process Management provides the ability to whitelist or blacklist specific processes.
• If a process is added to the blacklist, then it can not be launched.
• Processes that are added to the whitelist can always be launched.
• There’s the option to exclude local admins and/or specific groups.

Key Notes:
• An alternative to WEM’s Application Security Rules is Process Management. This controls app executables only and operates on a
blacklist/whitelist basis.
• If a process is added to the blacklist, then it can not be launched.
• Processes that are added to the whitelist can always be launched.
• There’s the option to exclude local admins and/or specific groups.

Additional Resources:
• WEM Process Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html#process-management


WEM Security
Application Security Tips

• WEM’s Environmental Settings are found in the Policies and Profiles section of the WEM Console. Primarily, these settings are for locking down the Windows UI.
• WEM machine-based settings: Applies to all users (admins can be excluded).
• The Environmental Settings categories are:
• Start Menu
• Desktop
• Windows Explorer
• Control Panel
• Known Folders Management
• SBC/HVD Tuning

Key Notes:
• WEM’s Environmental Settings are found in the Policies and Profiles section of the WEM Console. Primarily, these settings are for
locking down the Windows UI.
• Since they are WEM machine-based settings, they will affect all users that logon to the WEM Agent machines that are part of the Configuration Set – but administrators can be excluded.
• Start Menu: These options modify the user’s Start Menu.
• Desktop: These settings control which desktop elements are disabled by the Agent, and allow you to disable aspects of the Windows 8.x Edge user interface.
• Windows Explorer: These settings control which Windows Explorer functionalities are disabled by the Agent.
• Control Panel: These settings are used to secure the user environment, and control how Control Panel applets are from users.
• Known Folders Management: These settings prevent the creation of the specified user profile known folders at profile creation.
• SBC/HVD Tuning: These options allow you to optimize performance in SBC/HVD environments.
• Although it appears simply as “SBC/HVD Tuning” in the WEM console, this option is referring to “server-based computing/hosted virtual desktops”, and includes settings that can improve performance on server-OS machines that can host multiple concurrent sessions.

Additional Resources:
• Environmental Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/policies-and-profiles/environmental-settings.html


Lesson Review

What is the difference between WEM application security settings and Windows AppLocker?

Both features use the same AppLocker settings; the difference is where they are configured and managed (WEM vs. Local Security Settings or GPO).


Lab Exercise
Module 12



Lab Exercise

• Exercise 12-1: Log on to Test the Default Environment
• Exercise 12-2: Configure Environment Lockdowns
• Exercise 12-3: Manage the VDA Processes
• Exercise 12-4: Log on to Test the Newly Configured Environment


WEM Transformer


WEM Transformer
Purpose and Benefits of WEM Transformer

WEM Transformer Kiosk Panel

• The purpose of the WEM Transformer is to provide users with a locked down, physical Windows Desktop OS machine that they access in a kiosk-only mode.
• In kiosk mode, users are provided access only to the resources they have been granted and typically users are not given access to the Windows desktop and Start Menu.
• Only Windows Desktop OS are supported by WEM Transformer.

Key Notes:
• The purpose of the WEM Transformer is to provide users with a locked down, physical Windows Desktop OS machine that they
access in a kiosk-only mode.
• In kiosk mode, users are provided access only to the resources they have been granted and typically users are not given access to the
Windows desktop and Start Menu.
• Only Windows Desktop operating systems are supported by WEM Transformer.

Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html


WEM Transformer
Purpose and Benefits of WEM Transformer

WEM Transformer Kiosk Panel

• The WEM administrator can provide the kiosk user access to:
• Locally installed applications.
• CVAD or CVAD Service published apps and desktops.
• A whitelist of websites they can access.
• A list of printers.
• Items on the kiosk panel that haven’t been locked down. For example: Shutdown, Restart, log off, system clock.
• Tools such as the Command Prompt.
• Users can only access these resources and items using the WEM Transformer kiosk panel.

Key Notes:
• The WEM administrator can provide the kiosk user access to:
• Locally installed applications.
• Citrix Virtual Apps and Desktops or Citrix Virtual Apps and Desktops Service published apps and desktops.
• All apps on the Applications tab, whether they are local or CVAD published, are Application Actions added in the WEM Console.
• A whitelist of websites they can access.
• A list of printers, which are Printer Actions added in the WEM Console.

• Items on the kiosk panel that haven’t been locked down. For example: Shutdown, Restart, log off, system clock.
• Users can only access these resources and items using the WEM Transformer kiosk panel. The underlying Windows
interface is not accessible.

Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html


WEM Transformer
Purpose and Benefits of WEM Transformer
WEM Transformer Kiosk Panel

• WEM Transformer can provide a user’s published apps and desktops from CVAD or CVAD Service.
• There are two methods:
1. Through the Transformer Applications tab. This requires:
• StoreFront-based Application Actions assigned to users.
• Users to log onto the physical WEM Transformer kiosk machine using their own company credentials.
• Citrix Workspace app for Windows to be installed and configured for pass-through authentication.

Key Notes:
• WEM Transformer can be configured to provide a user’s assigned Citrix Virtual Apps and Desktops or Citrix Virtual Apps and Desktops
Service published apps and desktops.
• There are two methods to choose from:
1. Users are provided access to CVAD or CVAD Service published resources through the Applications tab.
• This requires:
• StoreFront-based Application Actions assigned to users.

• Users to log onto the physical WEM Transformer kiosk machine using their own company credentials.
• Citrix Workspace app for Windows to be installed and configured for pass-through authentication.

Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html

Additional Information:
1. The user logs onto the physical WEM Transformer kiosk machine using their own company credentials:
• This case is used when access to CVAD or CVAD Service published app resources will be automatically provided through the Applications tab.
• Having users logon to the machine allows Citrix Workspace app for Windows to pass-through their authentication for automatic enumeration and display of their CVAD or CVAD Service published apps (Note: CVAD published resources are supported. CVAD Service published resources are supported but only using Citrix Workspace in Citrix Cloud – local StoreFront is not supported).


WEM Transformer
WEM Transformer Use Cases for CVAD
WEM Transformer Kiosk Panel

2. Through the Transformer Web Browser tab:
• Not required to provide credentials at Windows logon. WEM Transformer can perform an auto-Windows logon using a generic account.
• Users must enter their own credentials to the Citrix Gateway/ADC or StoreFront page (CVAD on-premises). Or to Citrix Cloud’s Citrix Gateway Service or Workspace page (CVAD Service).
• Citrix Workspace app for Windows is not mandatory. Apps and desktops can be launched using the browser-based Citrix Workspace app for HTML5.

Key Notes:
2. Users are provided access to Citrix Virtual Apps and Desktops or Citrix Virtual Apps and Desktops Service published resources through
the Web Browser tab.
• Users are not required to provide their own credentials at Windows logon. WEM Transformer can perform an auto-Windows logon using a generic account.
• To access their published resources, users must enter their own credentials to the Citrix Gateway/ADC or StoreFront page (CVAD on-premises). Or to Citrix Cloud’s Citrix Gateway Service or Workspace page (CVAD Service).
• Citrix Workspace app for Windows is not mandatory since apps and desktops can be launched using the browser-based Citrix Workspace app for HTML5.

Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html

Additional Information:
2. The user starts the physical WEM Transformer kiosk machine and is automatically logged on to Windows using a generic account.
• This case is typical when users need access only to locally installed apps and whitelisted web pages.
• If users need access to CVAD or CVAD Service published app resources, they must enter their own credentials to the Citrix Gateway/ADC or StoreFront. Or Citrix Cloud’s Workspace browser page (Note: both CVAD and CVAD Service published resources are supported).
For access to other resources configured for the user, such as printers, locally installed apps, whitelisted web sites, it doesn’t matter whether Transformer is configured for Windows auto-logon or user account logon.


WEM Transformer
General Settings

• The General Settings tab controls the appearance and basic settings for the Transformer.
• Enable Transformer, when enabled, puts all agents in the Configuration Set into kiosk mode.
• Web Interface URL: Only required if published resources will be provided through the Web Browser tab.

Key Notes
• The General Settings tab controls the appearance and basic settings for the Transformer.
• Enable Transformer turns on the Transformer kiosk mode for every WEM Agent machine in the Configuration Set’s Active Directory
Objects (Machines) list.
• If users are to be provided access to their CVAD or CVAD Service published apps and desktops through the kiosk’s Web Browser tab, the Web Interface URL needs to be populated with the Citrix Gateway/Gateway service, StoreFront, or Citrix Workspace URL.
• The Appearance of the kiosk panel can be customized with, for instance, a company label. Also, don’t forget to enable the Application Panel if that will be the method you’ve chosen to present CVAD published apps and desktops.
• If a user is having issues with their kiosk, an unlock password can be configured so that help desk staff can break out of the kiosk mode and troubleshoot.

Additional Resources:
• Transformer settings – General: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#general


WEM Transformer
General Settings

• Site Settings and Tool Settings allow for the addition of permitted web URLs and tools that can be accessed by end users.
• Site settings: A whitelist of web sites that can be accessed directly via the kiosk’s Sites button.
• Tool Settings: A list of tools such as the Command Prompt. Accessed via the kiosk’s Tool Settings tab.

Key Notes
• Site Settings and Tool Settings allow for the addition of permitted web URLs and tools that can be accessed by end users.
• Site settings are essentially a white list of web sites that can be accessed directly via the kiosk’s Sites button. Note that the
Transformer on its own will not prevent all access to URLs not on the list if the end user clicks hyperlinks within the permitted web
sites.
• Tool settings allow for the inclusion of executables on the Transformer endpoint that would otherwise be inaccessible in kiosk
mode. Any local executable path could be included, based on the needs of the user base.

Additional Resources:
• Transformer settings – General: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#general


WEM Transformer
Advanced Settings – Process Launcher

• The Process Launcher feature allows for the Transformer agent to serve as a process launcher rather than presenting a kiosk interface.
• This can be used to facilitate integration with non-web-based access for clients.

Key Notes:
• We said earlier that users can only access resources and other items using the WEM Transformer kiosk panel. However, there is an exception.
• When enabled, the Process Launcher feature automatically launches a specified process with its arguments when the session starts.
• The kiosk mode/web interface view will no longer appear.
• If the process is terminated, it is automatically relaunched.
• Note that in this mode, the rest of the endpoint is not locked down.
• This feature is useful to quickly onboard new employees who may not be familiar with the client access software used
at an organization. For example, it can be used to automatically launch a Microsoft Remote Desktop session using a
specified RDP file.
• “VMWare View Mode,” “Microsoft RDS Mode”, and “Citrix Mode” can be used in conjunction with the End of Session
settings (covered later in this lesson) to perform a certain action (log off, shut down, restart, or nothing) when all
instances of the specified connection type are closed by the user.

Additional Resources:
• Transformer settings – Advanced: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#advanced


WEM Transformer
Advanced & Administration Settings

Process Launcher Settings

• Advanced Settings and Administration Settings allow for more customization of the user-facing Transformer UI.
• Most settings are self-explanatory, and preferred settings will depend on user requirements.

Key Notes:
• The Advanced Settings and Administration Settings allow for more customization of the user-facing Transformer kiosk UI.
• Most settings are self-explanatory, and preferred settings will depend on user requirements.

Additional Resources:
• Transformer settings – Advanced: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#advanced


WEM Transformer
Logon/Logoff & Power Settings

• Recall that WEM admins can design their Transformer kiosk solution to:
• Have the Windows machine auto-logon for all users.
• Have each user logon to the Windows machine using their own credentials.
• Only Enable Autologon Mode if you plan to use the same generic account to auto-logon every user.
• The Desktop Mode Options and End Of Session Options sections control session start/end behaviour.

Key Notes:
• Recall that WEM admins can design their Transformer kiosk solution to:
• Have the Windows machine auto-logon for all users.
• Have each user logon to the Windows machine using their own credentials.
• Only Enable Autologon Mode if you’ve planned to use the same generic account to auto-logon every user.
• The Desktop Mode Options and End Of Session Options sections control the behavior for when a remote session launch starts and
ends a Transformer machine.

• Additionally, various power management options are available.

Additional Resources:
• Transformer settings – Advanced: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#advanced


Lesson Review

On which Citrix Virtual Apps and Desktops component should WEM Transformer settings be applied?

WEM Transformer is intended for user endpoints that should behave as a thin client, or automatically launch a particular process.


Lab Exercise
Module 12



Lab Exercise

• Exercise 12-5: Install WEM Agent on the machine to be used as a Transformer Kiosk.
• Exercise 12-6: Create Transformer Configuration Set and StoreFront Application Actions for Marketing Users.
• Exercise 12-7: Configure WEM Transformer
• Exercise 12-8: Test WEM Transformer


WEM Monitoring and Reporting


WEM Monitoring
User Statistics vs. Agent Statistics

The Citrix Workspace Environment Management can display User and Agent Statistics.

User Statistics
• Users Summary
• Displays a count of total users who have reserved a WEM license, for both the current Configuration set and all Configuration sets.
• Displays a count of new users in the last 24 hours, as well as within the last month.
• Users History
• Displays connection information for all the User’s Hosts associated with this Configuration set.
• Displays the last connection time, the name of the device from which they last connected, and the Agent version.

Agent Statistics
• Agents Summary
• Displays a count of total Agents who have reserved a WEM license, for both the current Configuration set and all Configuration sets.
• Displays a count of new Agents in the last 24 hours and in the last month.
• Agents History
• Displays connection information for all the Agents associated with this Configuration set.
• Displays the last connection time, the name of the device from which they last connected, and the Agent version.


WEM Monitoring Reporting
Trends and Reports

The Workspace Environment Management Monitoring option allows for user and machine reporting statistics to be captured and displayed.

Reports include:
• Daily Reports
• User Trends
• User & Device Reports

Key Notes:
• The Workspace Environment Management Monitoring reports include options for Daily, User and Device, as well a the ability to
control the reporting time period and work days.
• Daily Reports:
• Daily Login Report. A daily summary of login times across all users connected to this site. You can double-click a category for a
detailed view showing individual logon times for each user on each device.
• Daily Boot Report. A daily summary of boot times across all devices connected to this site. You can double-click a category for a

525 © 2021 Citrix Authorized Content


detailed view showing individual boot times for each device.
• User Trends
• Login Trends Report. This report displays overall login trends for each day over the selected period. You can double-
click each category of each day for a detailed view.
• Boot Trends Report. This report displays overall boot trends for each day over the selected period. You can double-
click each category of each day for a detailed view.
• Device Types. This report displays a daily count of the number of devices of each listed operating system connecting

N
to this site. You can double-click each device type for a detailed view.

ot
• User & Device Reports

fo
• User Report. This report allows you to view login trends for a single user over the selected period. You can double-
click each data point for a detailed view.

rr
• Device Report. This report allows you to view boot trends for a single device over the selected period. You can

es
double-click each data point for a detailed view.

al
• Configuration
• Report Options: These options allow you to control the reporting period and work days. You can also specify

e
minimum Boot Time and Login Time (in seconds) below which values are not reported.

or
di
Additional Resources:
• Monitoring: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-

s tri
description/monitoring.html#daily-reports

b ut
io
n

526 © 2021 Citrix Authorized Content


Lesson Review

In the WEM Console, where would you find a daily summary of boot times across all devices connected to your WEM on-premises or WEM Service deployment?

Is it possible to export the data to a file?

The Daily Boot Report in the Daily Reports section.

Yes, you can export the data to, for example, an Excel format.


Key Takeaways
• WEM takes the existing Windows AppLocker security feature and adds centralized management, bulk rule assignment/unassignment, bulk rule editing, and AppLocker rules importing.
• The WEM Process Management security feature takes a more simplified approach than AppLocker and uses the blacklist/whitelist method to control application security.
• WEM Environmental Settings are machine-based settings that control the user’s operation of Windows user interface features.
• WEM Transformer turns WEM Agent machines into kiosks, providing only the resources granted to the user and isolating them from the underlying Windows operating system.
• WEM’s Monitoring and Reporting features keep a running record of Agent, user, and device usage statistics which can be displayed, and exported if needed.


Citrix App Layering and WEM Administration

The WEM Agent

Module 13


Learning Objectives

• Recognize how WEM settings apply during WEM Agent machine start-up and during session launch.
• Identify the purpose of WEM Agent local caches and describe how they are refreshed.
• Describe how to integrate the WEM Agent into Citrix Provisioning, Machine Creation Services, Citrix App Layering and published app launch.


WEM Settings Processing and WEM Agent Caches


When do WEM Settings Apply?
[Slide diagram: WEM settings processing at Machine Boot and at User Logon]

Machine Boot
• Norskale Agent Host Service:
  • Environmental Settings (Machine lock-down settings)
  • Citrix Profile Management & Microsoft USV
  • System Optimization settings (CPU, RAM, I/O)
  • Optimization & Monitoring starts

User Logon
• Norskale Agent Host Service:
  • Environmental Settings (Administrators can be excluded)
  • Application Security (AppLocker):
    • Evaluated and applied on a user-by-user basis
    • Service creates AppLocker rules
• WEM User Agent:
  • Actions: Environmental variables, Applications, Registry Values, Network Drives, Virtual Drives, Printers, Ports, Filesystem Operations, Ini Files, DSN Files, External Tasks

Key Notes:
• When it comes to applying WEM settings to a WEM Agent machine, there are two components:
• The Norskale Agent Host Service and the WEM User Agent.
• The Norskale Agent Host Service handles the WEM machine-based settings that are processed at WEM Agent machine boot.
• These are the WEM Environmental Settings, Citrix Profile Management (CPM), WEM System Optimization, and statistics collection
for monitoring.

When do WEM Settings Apply?

Key Notes:
• At some point, a user will launch an app or desktop session.
• The Norskale Agent Host Service is still needed at user session logon because some WEM machine-based settings need to determine who is logging on before deciding whether or not to apply their settings.
• For example, some Environmental settings can be excluded for administrators. Also, how WEM Application Security settings (AppLocker) apply depends on who is logging on.

When do WEM Settings Apply?

Key Notes:
• The WEM User Agent runs when a user logs onto a WEM Agent machine. It is at this point that Actions assigned to the user will
apply.

When do WEM Settings Apply?

Key Notes:
• There are two WEM User Agents that WEM admins can configure for WEM Agent machine usage:
• The first is VUEMUIAgent.exe, which provides a user interface (UI) such as a WEM Agent splash screen and WEM icon that comes
with a context menu.
• The second is VUEMCmdAgent.exe, which is the non-UI version. Similar commands to the UI version can be run, but only from a
command prompt.
• Selecting to use either the UI or non-UI WEM User Agent version is done using a checkbox in the WEM Console.

Agent Retrieval of WEM Settings
Local Cache or from WEM Database

• WEM settings are mainly applied to the system registry or user’s registry hive (in the case of WEM assigned Actions).
• The WEM Agent retrieves WEM settings and applies them to the machine. The Agent retrieves WEM settings from:
  • The WEM database, through the WEM Infrastructure Services (on-premises or WEM Cloud).
  • WEM local caches (updated regularly).

[Slide diagram: the WEM Agent performs WEM Settings Retrieval either from the WEM Database on SQL Server, through the WEM Infrastructure Services (SQL Transaction), or from the WEM Agent Caches.]

Key Notes:
• Almost all of these WEM machine-based and WEM user-based settings are applied to the WEM Agent machine’s system registry or, in the case of WEM assigned Actions, to the user’s registry hive.
• The WEM Agent performs this task of retrieving WEM settings and applying them to the machine. The WEM Agent can retrieve WEM settings from:
  • The WEM database, through the WEM Infrastructure Services (on-premises or WEM Cloud).
  • WEM local caches on the WEM Agent machine. These are updated regularly.


WEM Agent Caches
Local Cache Benefits and Configuration

• Local cache retrieval is preferred because:
  • WEM Agent cache data helps to reduce session logon times.
  • It can greatly reduce internet traffic in WEM Service deployments.
  • They provide WEM settings when the WEM Broker is unavailable.
• Through the WEM Console you can configure how the WEM Agent retrieves settings:
  • Enable Offline Mode: Only retrieve settings from the cache when the WEM Infrastructure Services are unavailable.
  • Use Cache Even When Online.
  • Use Cache to Accelerate Action Processing. Can be enabled with or without Enable Offline Mode.

Key Notes:
• Configuring the Agent to retrieve WEM settings from local caches is preferred because:
  • WEM Agent cache data helps to reduce session logon times.
  • In WEM Service deployments, using the local cache for WEM Actions greatly reduces the Agent to WEM Infrastructure Services traffic over the internet.
  • They provide WEM settings when the WEM Broker is unavailable.
• Through the WEM Console you can configure how the WEM Agent retrieves settings:
  • Enable Offline Mode: Only retrieve settings from the cache when the WEM Infrastructure Services are unavailable.
  • Use Cache Even When Online. Always use local WEM caches to retrieve WEM settings.
  • Use Cache to Accelerate Action Processing. At each user logon, the user’s WEM Actions cache will always be used. Combined with Enable Offline Mode, this gives you the best of both worlds.

Additional Resources:
• Agent Options: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/advanced-settings.html#configuration


WEM Agent Caches
WEM Cache Identification
• There are four WEM local caches.

• Assigned Actions & Printers
  • Cache Description: User’s registry Hive (HKCU)
  • Purpose: Prevent previously applied settings from being re-applied.
  • Location on Agent machine: User’s Roaming Profile (Microsoft or Citrix Profile Management)
• Profile Management & Microsoft USV
  • Cache Description: Machine registry (HKLM)
  • Purpose: Allows the Agent Host service to read and apply UPM/USV settings early in the machine boot process.
  • Location on Agent machine: System registry (HKLM)
• LocalAgentCache
  • Cache Description: All WEM config settings database
  • Purpose: Holds all WEM user and machine settings.
  • Location on Agent machine: Database file on the local disk
• LocalAgentDatabase
  • Cache Description: Intelligent Optimization history database
  • Purpose: Tracks WEM Intelligent Optimization history for each user per machine.
  • Location on Agent machine: Database file on the local disk

Key Notes:
There are four WEM local caches.
• Assigned Actions and Printers:
  • The cache that stores WEM Actions, including printers that have been assigned, is kept in each user’s NTUSER.DAT profile. When a centralized roaming profile solution has been configured, such as Citrix Profile Management, this means that the record of a user’s assigned Actions and printers travels with them from machine to machine.
  • The cache is read by the WEM Agent at user logon and prevents previously applied settings from being re-applied. This helps to reduce logon durations.
• Profile Management & Microsoft USV:
  • This is the only WEM cache that resides in the HKLM system registry and is the only cache that needs to be “baked” into a golden image or App Layering layer.
  • Allows the Agent Host service to read and apply UPM/USV settings early in the machine boot process.
  • This is important because the network may not yet be available for the Agent to retrieve these settings from the WEM Infrastructure Services.
• The Local Agent Cache:
  • This is a database file that, by default, resides in the Program Files (x86) WEM folder.
  • The database holds all the WEM settings of the Configuration Set that the machine is a member of.
  • How this cache is used by the Agent depends on the mode configured (as we saw on the previous slide: Enable Offline Mode, Use Cache Even When Online, or Use Cache to Accelerate Action Processing).
• The Local Agent Database:
  • This database file also resides in the Program Files (x86) WEM folder.
  • It doesn’t have a particularly intuitive file name considering its purpose. And its purpose is to keep track of the number of times a process has triggered CPU Spikes Protection on a user-by-user, process-by-process basis. If a user logs off their session to this VDA, and then logs back on, all those CPU Spikes Protection triggers have been remembered, and so WEM CPU Intelligent Optimization for that user on that machine doesn’t have to be recalculated from scratch.

Additional Resources:
• WEM System Optimization: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/

Additional Information:
WEM Agent cache locations:
• Assigned Actions & Printers: HKEY_CURRENT_USER\SOFTWARE\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\Tasks Exec Cache\
• Profile Management: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings\
• Microsoft USV: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\Microsoft USV\
• Local Agent Cache: C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\Local Databases\
  • Note: On non-persistent, provisioned VDAs, it’s recommended to move the cache location to the machine’s cache data disk using the AgentCacheAlternateLocation registry key.
• Local Agent Database: C:\Program Files (x86)\Citrix\Workspace Environment Management Agent\Local Databases\
  • Note: On non-persistent, provisioned VDAs, it’s recommended to move the cache location to the machine’s cache data disk using the AgentCacheAlternateLocation registry key.


WEM Agent Caches
Updating WEM Agent Caches

• All WEM local caches are automatically updated:
  • By periodic schedule in the case of Action & Printers cache, Citrix Profile Management & Microsoft USV cache, and Local Agent Cache.
  • When WEM System Optimization settings have been enabled, the Local Database Cache is populated and updated as users work in their sessions.
• There are two situations where you would want to force the Agent to update its WEM Settings immediately:
  1. Applying WEM settings just configured.
  2. “Baking” in WEM settings to a golden image or App Layering layer.
     • Perform this task because each time a non-persistent, provisioned machine reboots, it will revert to its initial state.

Key Notes:
• All WEM local caches are automatically updated. The Action & Printers cache, the Citrix Profile Management & Microsoft USV cache, and the Local Agent Cache are updated by periodic schedule.
• The Local Database Cache is populated and updated as users work in their sessions when WEM System Optimization settings have been enabled.
• There are two situations where you would want to force the Agent to update its WEM Settings immediately:
  1. Applying WEM settings just configured, for example when you are testing a new Configuration Set.
  2. “Baking” in Citrix Profile Management & Microsoft USV settings to a golden image or App Layering layer.
     • Perform this task because each time a non-persistent, provisioned machine reboots, it will revert to its initial state.


WEM Agent Caches
Forcing WEM Agents to update settings (from the WEM Console)

• Initiate requests to the WEM Agent to refresh its own settings, from the WEM Consoles.
• Refresh Cache updates the Local Agent Cache.
• Refresh Agent Host Settings updates the advanced settings, optimization settings, transformer settings, and other non-user assigned settings.
• Refresh Workspace Agents applies the user-assigned WEM Actions.

Key Notes:
• From the WEM Administration Console or WEM Service’s Manage console, you can initiate requests to the WEM Agent to refresh its own settings.
• You’ll find these in the Administration section under Agents => Agent History. Right-clicking any WEM Agent machine brings up the menu shown.
• Refresh Cache updates the Local Agent Cache.
• Refresh Agent Host Settings updates the advanced settings, optimization settings, transformer settings, and other non-user assigned settings.
• Refresh Workspace Agents applies the user-assigned WEM Actions.
• Refer to the WEM Product Documentation to understand exactly what gets refreshed with each option.

Additional Resources:
• Refreshing Agent settings from the WEM Consoles: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/administration.html#agents


WEM Agent Caches
Forcing WEM Agents to update settings (from the WEM Agent)

• Refresh the Local Agent Cache using the AgentCacheUtility.exe program.
• Syntax: AgentCacheUtility.exe -RefreshCache. Adding -Debug to the command writes detailed results to the Windows Event logs.
• This is the command you’ll use to pre-populate or “bake” the WEM settings and cache on master images and App Layering layers that have the WEM Agent installed.

Key Notes:
• You can also refresh the Local Agent Cache using the AgentCacheUtility.exe program.
• The syntax is AgentCacheUtility.exe -RefreshCache. Adding -Debug to the command writes detailed results to the Windows Event logs.
• This is the command you’ll use to pre-populate the WEM settings and cache on master images and App Layering layers that have the WEM Agent installed.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html#install-and-configure-the-agent


Lesson Objective Review

Why do WEM admins only have to pre-populate Citrix Profile Management & Microsoft USV WEM settings into a master image or App Layering layer? What about the other WEM local caches?

WEM’s Actions and Printer settings are stored in the user’s CPM roaming profile, and won’t be lost on VDA restarts.

The Local Agent Cache and Local Database Cache can both be offloaded to a persistent attached drive using the AgentCacheAlternateLocation registry key.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 13

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


WEM Agent integration with Citrix Virtual Apps and Desktops


Pre-Populate WEM Settings on WEM Agents
On Non-Persistent Provisioned Machines – Citrix Provisioning

• Citrix Provisioning can use a persistent formatted write cache disk.
• This can persist the LocalAgentCache and LocalAgentDatabase files, using the AgentCacheAlternateLocation HKLM registry key pre-configured in your image.
• The Profile Management & Microsoft USV cache can’t be saved to the write cache disk; the solution is to “bake” those settings into the Citrix Provisioning master image before rollout.

Key Notes:
• Starting with Citrix Provisioning:
  • Citrix Provisioning can use a persistent disk in the form of a formatted write cache disk.
  • This can persist the LocalAgentCache and LocalAgentDatabase files, using the AgentCacheAlternateLocation HKLM registry key pre-configured in your master image.
  • There is no cache redirection registry key for the “Profile Management/Microsoft USV” cache and so it can’t be saved to the write cache disk.
  • The solution is to “bake” these fairly consistent Profile Management/Microsoft USV settings to the Citrix Provisioning master image before rollout.


Pre-Populate WEM Settings on WEM Agents
On Non-Persistent Provisioned Machines – Machine Creation Services

• MCS can use a formatted write cache disk.
• Use the AgentCacheAlternateLocation registry key to redirect the LocalAgentCache and LocalAgentDatabase files to the VDA’s formatted write cache disk.
• “Bake” the Profile Management & Microsoft USV cache into the MCS master image before rollout.

Key Notes:
• Next we have Machine Creation Services (MCS).
  • Just like Citrix Provisioning, MCS includes formatted write cache disk capabilities.
  • Just like in the PVS scenario, we use the AgentCacheAlternateLocation registry key to redirect the LocalAgentCache and LocalAgentDatabase files to the VDA’s formatted write cache disk.
  • Also just like PVS, customers should “bake” the “Profile Management/Microsoft USV” cache into the MCS master image before rollout.


Pre-Populate WEM Settings on WEM Agents
On Non-Persistent Provisioned Machines – App Layering

• Citrix App Layering is used to layer the different parts of your image.
• If using Citrix Provisioning, the WEM Agent needs to be installed on an App Layering platform layer (Netlogon dependencies).
• If using MCS, the WEM Agent can be installed on the OS layer, Platform layer, or App layer.
• The “baking” of the Profile Management & Microsoft USV cache is done in App Layering layers.
• Then pass the Finalized layered image to Citrix Provisioning or MCS.

Key Notes:
And finally App Layering…
• App layering isn’t a provisioning method of course, but it is used to layer the different parts of your image prior to passing over the results to a provisioning method.
• If using Citrix Provisioning for provisioning, the WEM Agent needs to be installed on an App Layering Platform Layer.
  • The reason for this would need some detailed explanation but in short it’s because both the PVS Target Device Software and the Norskale Agent Host Service make changes to Netlogon dependencies.
• If using MCS, the WEM Agent can be installed on the OS layer, Platform layer, or App layer.
• The “baking” of the WEM cache data is done in App Layering layers. So install WEM Agent and let it cache the WEM settings. Then pass the Finalized layered image to Citrix Provisioning or MCS.


Publish Apps using VUEMAppCMD.exe
Delay published app launches (1/2)

• Some published apps depend on WEM settings to finish applying before app launch completes.
• WEM provides the VUEMAppCMD.exe program to control the launch delay of published apps (100ms – 200ms is sufficient).
• Configuration is performed in the Application Properties, in the Delivery Group.
• VUEMAppCMD.exe resides on the WEM Agent.

Key Notes:
• In certain use cases, where a published app depends on WEM settings such as drive mappings or printer mappings to be applied before the app launch completes, you want to be sure that WEM has applied its settings.
• To facilitate this, WEM provides the VUEMAppCMD.exe program to control the launch delay of published apps.
• The delay is minuscule, around 100 to 200 milliseconds, but sufficient to achieve its purpose.
• Configuration is performed in Citrix Studio; in the Application’s Properties, in the Delivery Group.
• The VUEMAppCMD.exe program runs on the WEM Agent, where it was installed.

Additional Resources:
• Editing application settings using Citrix Studio: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions/applications.html#editing-application-settings-using-citrix-studio


Publish Apps using VUEMAppCMD.exe
Delay published app launches (2/2)

• Configuring the amount of app launch delay is usually done through the WEM GPO ADMX template.
• Can also specify the value when installing the Agent.

Key Notes:
• Configuring the amount of app launch delay is usually done through the WEM GPO ADMX template, but you can also specify the value when installing the Agent.

Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html#install-and-configure-the-agent


Lesson Objective Review

A WEM admin has just created and configured a WEM Configuration Set for an existing Machine Catalog of 100 MCS-based non-persistent VDAs. The WEM GPO has also been added to the OU containing the machines.

They tell the CVAD admin to update the master image by installing the WEM Agent.

What else should the CVAD admin do on the master image machine to get it ready for the WEM deployment?


Lesson Objective Review

• The CVAD admin should run gpupdate /force to have the WEM GPO apply, so that it points to the WEM Infrastructure Services (or to Citrix Cloud Connectors in a WEM Service deployment).
• Then run the AgentCacheUtility.exe program to populate the WEM settings and local WEM caches.
• Finally, update the Machine Catalog.
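The master-image steps in this answer, together with the cache locations listed earlier in the module, can be checked before the Machine Catalog update with a script like the one below. It is an added example, not Citrix tooling or part of the course material; the Agent install folder, the placement of the AgentCacheAlternateLocation value under the Norskale\Agent Host key, and the LocalAgentCache*/LocalAgentDatabase* file-name patterns are assumptions.

```powershell
# Added example (not Citrix code): pre-seal check of WEM Agent caches on a master image.
[CmdletBinding()]
param(
    # Assumption: AgentCacheUtility.exe sits in the Agent install folder, the parent
    # of the "Local Databases" folder named in the cache locations list.
    [string]$AgentDir = 'C:\Program Files (x86)\Citrix\Workspace Environment Management Agent',
    # Apply the WEM GPO and refresh the caches before checking.
    [switch]$Refresh
)

$agentHostKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host'

function Test-RegistryCache {
    param([string]$Name, [string]$Path)
    $populated = $false
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        # A key counts as populated when it holds at least one value or subkey.
        $populated = ($key.ValueCount + $key.SubKeyCount) -gt 0
    }
    [pscustomobject]@{ Cache = $Name; Required = $true; Ready = $populated; Location = $Path }
}

function Test-DatabaseCache {
    param([string]$Name, [string]$Folder)
    $file = Get-ChildItem -LiteralPath $Folder -Filter "$Name*" -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Cache    = $Name
        Required = $false   # can be redirected off the image, so informational only
        Ready    = [bool]($file -and $file.Length -gt 0)
        Location = if ($file) { $file.FullName } else { $Folder }
    }
}

if ($Refresh) {
    & gpupdate.exe /force | Out-Null
    $utility = Join-Path $AgentDir 'AgentCacheUtility.exe'
    if (-not (Test-Path -LiteralPath $utility)) {
        throw "AgentCacheUtility.exe not found in $AgentDir"
    }
    # -Debug makes the utility write detailed results to the Windows Event logs.
    & $utility '-RefreshCache' '-Debug'
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "AgentCacheUtility.exe exited with code $LASTEXITCODE"
    }
}

# Database caches: use the redirected folder when AgentCacheAlternateLocation is set.
# Assumption: the value lives directly under the Agent Host key.
$dbFolder = Join-Path $AgentDir 'Local Databases'
$alt = (Get-ItemProperty -LiteralPath $agentHostKey -Name AgentCacheAlternateLocation `
        -ErrorAction SilentlyContinue).AgentCacheAlternateLocation
if ($alt) { $dbFolder = $alt }

$results = @(
    Test-RegistryCache 'Profile Management' "$agentHostKey\UpmConfigurationSettings"
    Test-RegistryCache 'Microsoft USV'      "$agentHostKey\Microsoft USV"
    Test-DatabaseCache 'LocalAgentCache'    $dbFolder
    Test-DatabaseCache 'LocalAgentDatabase' $dbFolder
)
$results | Format-Table -AutoSize

# Only the HKLM caches have to be baked into the image; fail the check if either is empty.
$missing = @($results | Where-Object { $_.Required -and -not $_.Ready })
if ($missing.Count -gt 0) {
    Write-Error ("Not baked into this image: " + ($missing.Cache -join ', '))
    exit 1
}
```

An empty LocalAgentDatabase result is expected on a fresh master image, because that cache only fills as users work in their sessions.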


Lab Exercise
Module 13


• Exercise 13-1: Log on to Test the Default Environment
• Exercise 13-2: Configure Environment Lockdowns
• Exercise 13-3: Manage the VDA Processes


Key Takeaways

• There are two WEM Agent components:
  • The Norskale Agent Host Service, which processes WEM machine-based settings at machine start up and during session launch.
  • The WEM User Agent, which processes only WEM Actions for the user during session launch.
• There are four WEM caches:
  • The Actions and Printers cache, which resides in the user’s registry hive.
  • The Citrix Profile Management & Microsoft USV cache, which resides in the system registry.
  • The Local Agent Cache, which is stored in a database file.
  • The Local Database Cache, which is stored in a database file.
• Only the Citrix Profile Management & Microsoft USV cache cannot be offloaded from the WEM Agent machine, so it should be “baked” into master images when provisioning VDAs using Citrix Provisioning, Machine Creation Services, and Citrix App Layering.


Citrix App Layering and WEM Administration

Upgrading Workspace Environment Management (WEM) and Migration to WEM Service

Module 14


Learning Objectives

• Describe the component upgrade process for WEM on-premises and WEM Service deployments.
• Identify important tips that lead to the successful migration of a WEM on-premises deployment to WEM Service.


Upgrading Workspace Environment Management (WEM)


Upgrading WEM on-premises deployments
Citrix Product Lifecycle

[Figure: product lifecycle timeline with markers Version Release Date, New Version Release Date, End of Maintenance (EoM) and End of Life (EoL), an Upgrade Window label, and intervals of 3 months, 6 months and 12 months.]

End of Maintenance (EoM): 6 months after the version release date. From this point, the product is supported but usually receives no code-level fixes.
End of Life (EoL): The product version reaches end of life 18 months after version release. From this point, the version is no longer supported.

• A good leading practice is to upgrade to the latest WEM on-premises version during an organization’s Citrix system maintenance cycle:
  • Sometime in the (approx) 3 months between the release date of the new WEM version and the End of Maintenance date for the previous version.

Key Notes:
• The WEM on-premises product release cycle follows that of other Citrix products used in on-premises deployments.
• End of Maintenance (EoM): 6 months after the version release date, Citrix no longer performs code maintenance updates.
• End of Life (EoL): The product version reaches end of life 18 months after version release. At that point, technical support and product downloads for that version will no longer be available.
• In the 12 months between End of Maintenance and End of Life, Citrix continues to provide technical support, for example for configuration issues, but code-level fixes may not be available.
• In the first 6 months after version release, Citrix fully supports the product version, including code-level fixes made available to customers.
• New product versions for most on-premises Citrix products are released every 3 months.
• For WEM on-premises deployments, a good leading practice is to upgrade to the latest version, usually during an organization’s Citrix system maintenance cycle and somewhere between the release date of the new WEM version and the End of Maintenance date for the previous version.

Additional Resources:
• Citrix product lifecycle dates: https://www.citrix.com/support/product-lifecycle/product-matrix.html
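
The lifecycle rules above (End of Maintenance 6 months and End of Life 18 months after release), applied to a component inventory so that versions past either date stand out. This is an added example, not Citrix code; the host names, version labels and release dates are constructed placeholders, and the phase names are this example's own.

```python
import calendar
from datetime import date

# Lifecycle offsets as stated in the course text.
EOM_MONTHS = 6    # End of Maintenance: code-level fixes usually stop
EOL_MONTHS = 18   # End of Life: no technical support or downloads

# Phases ordered from most to least urgent for the report.
PHASES = ("end-of-life", "support-only", "full-support")


def add_months(d, months):
    """Shift a date by whole months, clamping to the month's last day."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def lifecycle_phase(release, today):
    """Return the lifecycle phase of a version released on `release`."""
    if today >= add_months(release, EOL_MONTHS):
        return "end-of-life"
    if today >= add_months(release, EOM_MONTHS):
        return "support-only"      # supported, but usually no code-level fixes
    return "full-support"


def upgrade_window(installed_release, new_release):
    """Window between the new version's release and the installed version's
    End of Maintenance; None when it has already closed."""
    closes = add_months(installed_release, EOM_MONTHS)
    return (new_release, closes) if new_release < closes else None


def audit(inventory, today):
    """Return (phase, host, component, version) rows, most urgent first."""
    rows = [(lifecycle_phase(item["released"], today), item["host"],
             item["component"], item["version"]) for item in inventory]
    return sorted(rows, key=lambda row: (PHASES.index(row[0]), row[1]))


# Constructed inventory: host names, version labels and release dates are
# placeholders, not real Citrix release data.
SAMPLE_INVENTORY = [
    {"host": "wem-infra-01", "component": "WEM Infrastructure Server",
     "version": "version-C", "released": date(2021, 3, 15)},
    {"host": "wem-console-01", "component": "WEM Administration Console",
     "version": "version-B", "released": date(2020, 8, 31)},
    {"host": "kiosk-07", "component": "WEM Agent",
     "version": "version-A", "released": date(2019, 9, 30)},
]

if __name__ == "__main__":
    today = date(2021, 6, 1)   # constructed audit date
    for phase, host, component, version in audit(SAMPLE_INVENTORY, today):
        print(f"{phase:13} {host:15} {component} ({version})")
    print(upgrade_window(date(2020, 8, 31), date(2020, 11, 30)))
```

Feed it real release dates from the Citrix product lifecycle matrix linked above before acting on the output.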



Upgrading WEM on-premises Deployments
Order of WEM component upgrade

WEM on-premises deployment components must be upgraded in the following order:
1. WEM Infrastructure Servers
2. WEM Database
3. WEM Administration Console
4. WEM Agents

Key Notes:
• WEM on-premises deployment components must be upgraded in the following order:
  • WEM Infrastructure Server
  • WEM Database
    • Don’t forget to upgrade the database. Citrix Support does get cases from customers who say that the upgrade failed, and the cause is that the WEM database wasn’t upgraded.
  • WEM Administration Console
  • WEM Agents
    • Don’t forget to upgrade the WEM Agents on Transformer kiosk machines.

Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html


Upgrading WEM on-premises Deployments
Upgrade process 1

• In-place upgrades are supported for all WEM components: Can upgrade from WEM version 4.7 to the latest WEM on-premises version.
• Component upgrades: Run the relevant component installer on the component machine (except for the WEM database).
• WEM Infrastructure Server & WEM Database
  • After upgrade, you must run and reconfigure using the WEM Infrastructure Service Configuration utility.
  • From the WEM Infrastructure Server, run the WEM Database Management Utility but select the “Upgrade Database” option.
• WEM Administration Console
  • All WEM settings are stored in the database and are preserved during upgrade.
• WEM Agents
  • Upgrade the WEM Agent on Citrix Provisioning or MCS master images, or App Layering layer.
  • Ensure all users are logged off the WEM Agent machine.
  • The WEM Agent version should be at the same version as the WEM Infrastructure Server.
  • One version lower is supported but it’s always best to keep the Agent current, to make the most of the newer WEM features.

Key Notes:
• In-place upgrades are supported for all WEM components. You can upgrade from WEM version 4.7 to the latest WEM on-premises version.
  • v4.7 is the lowest version from which you can upgrade to the latest WEM version.
• Apart from upgrading the WEM database, which uses the Database utility, all component upgrades consist of running the relevant component installer on the component machine.
• WEM Infrastructure Server
  • After upgrade, you must run and reconfigure using the WEM Infrastructure Service Configuration utility.
• WEM Database
  • From the WEM Infrastructure Server, run the WEM Database Management Utility but select the “Upgrade Database” option.
• WEM Administration Console
  • All Workspace Environment Management settings configured with the Administration Console are stored in the database and are preserved during upgrade.
• WEM Agents
  • Upgrade the WEM Agent to the latest version on Citrix Provisioning or MCS master images, or App Layering layer. Update the Machine Catalog with the new image as the final step.
  • If you’re not using a provisioning method, ensure all users are logged off the WEM Agent machine so that all files can be changed during the upgrade process.
  • The WEM Agent version should be at the same version or one version lower than the WEM Infrastructure Server.
  • One version lower is supported but it’s always best to keep the Agent current, to make the most of the newer WEM features.

Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html


Upgrading WEM on-premises Deployments
Citrix Workspace Environment Management SDK

• Installing the WEM Infrastructure Server also installs the Citrix Workspace Environment Management SDK.
• WEM SDK PowerShell modules allow you to:
  • Create a new WEM database or upgrade an existing one to a new version during deployment upgrade.
  • Retrieve WEM Infrastructure Service configuration and make configuration changes.
  • Export a Configuration Set and import it to another WEM deployment.
  • Export WEM Active Directory Objects and import them to another WEM deployment.
• Many WEM SDK module cmdlets are available for building PowerShell scripts.
• Instructions, guidance, and examples are provided on the Citrix Developer Docs website.

Key Notes:
• Installing the WEM Infrastructure Server also installs the WEM software development kit (SDK).
• WEM SDK PowerShell modules allow you to:
  • Create a new WEM database or upgrade an existing one to a new version during deployment upgrade.
  • Retrieve WEM Infrastructure Service configuration and make configuration changes.
  • Export a Configuration Set and import it to another WEM deployment.
  • Export WEM Active Directory Objects and import them to another WEM deployment.
• Many WEM SDK module cmdlets are available for building PowerShell scripts.
• Instructions, guidance, and examples are provided on the Citrix Developer Docs website.

Additional Resources:
• Citrix Workspace Environment Management 1912 SDK: https://developer-docs.citrix.com/projects/workspace-environment-management-sdk/en/latest/


Upgrading WEM Service Deployments

[Figure: WEM Service architecture. Customer-managed (On-Premises): Active Directory, Citrix Cloud Connectors, VDA with WEM Agent. Citrix Cloud-managed (Citrix Cloud): WEM Service Manage Console, WEM Service Infrastructure Services, WEM Database on Azure SQL Server.]

Key Notes:
• Upgrading WEM Service deployments is a far easier task than upgrading an on-premises deployment because Citrix Cloud manages all of the backend WEM Infrastructure Services.
• An organization’s WEM administrators only need to upgrade the WEM Agents, a task made a lot simpler when Citrix Provisioning, MCS, or App Layering is used in a Citrix Virtual Apps and Desktops Service deployment.
• The Agent installation instructions are the same between WEM on-premises and WEM Cloud except that the latest WEM Agent installer is downloaded from the Citrix Cloud portal.

Additional Resources:
• Upgrade the Agent: https://docs.citrix.com/en-us/workspace-environment-management/service/upgrade.html


Lesson Objective Review

What are the benefits of a WEM Service deployment over a WEM on-premises deployment when it comes to upgrading?

In a WEM on-premises deployment upgrade, the WEM Infrastructure Server, WEM database, WEM Console, and WEM Agents must all be upgraded.

In a WEM Service deployment, Citrix takes care of the WEM Service infrastructure upgrading, leaving only the responsibility of upgrading the WEM Agents to the organization’s administrator.


WEM on-premises Migration to WEM Service


WEM Service Migration
Migration process – Useful Tips

• Once you’ve decided to transition to Citrix Cloud, the process of migrating your WEM on-premises deployment to WEM Service is straightforward.
• The Migrate section in the WEM Service Product Documentation is clear and guides you through the process.

Key Notes:
• Once you’ve decided to transition to Citrix Cloud, the process of migrating your WEM on-premises deployment to WEM Service is
straightforward.
• The Migrate section in the WEM Service Product Documentation is clear and guides you through the process.

Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html



WEM Service Migration
Useful Tips – WEM Service Activation

Useful Tips:
• Check that the Workspace Environment Management Service tile is active.
• The WEM Infrastructure Services, WEM Database, and WEM Service Manage console are already available.

Key Notes:
• The Migrate Product Docs are great but experience also helps - so here are some very useful tips:
• In your Citrix Cloud account, check that the Workspace Environment Management Service tile is active. You’ll see the Manage
button if it is.
• This means that the WEM Infrastructure Services, WEM Database, and WEM Service Manage console are already available and
running in Citrix Cloud.
• Your WEM Service deployment now exists, but empty of WEM settings, users, and machines.

Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html


WEM Service Migration
Useful Tips – WEM GPO

• Configure your WEM GPO ahead of time by entering the FQDNs or IP addresses of your Citrix Cloud Connectors.
• The WEM Agents do not get confused by having both the on-premises Infrastructure server and Citrix Cloud Connectors settings configured and enabled at the same time.
• Later in the migration, the WEM Agent undergoes a switching process to make it part of the WEM Service deployment.
• The Citrix Cloud Connectors GPO setting will come into effect then.

Key Notes:
• Configure your WEM GPO ahead of time by entering the FQDNs or IP addresses of your Citrix Cloud Connectors.
• Don’t worry, the on-premises WEM Agents do not get confused by having both the on-premises “Infrastructure server” and “Citrix Cloud Connectors” settings configured and enabled at the same time.
• It’s not until later in the migration that the WEM Agent undergoes a switching process to make it part of the WEM Service deployment.
• The “Citrix Cloud Connectors” GPO setting will come into effect then.

Additional Resources:
• Migration to WEM Service: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html


WEM Service Migration
Useful Tips – Database Migration Wizard

• The migration tool runs as a UI called the Database Migration Wizard.
• When running the Wizard, also open the WEM Infrastructure Service Configuration utility.
  • You’ll see the correct SQL Server and WEM database information to enter into the Wizard.
• Check the Use integrated connection box if you have sufficient permissions. Otherwise enter the credentials of an account that does.
• Not recommended to enable the Export logs checkbox.

Key Notes:
• The migration tool runs as a UI called the Database Migration Wizard.
  • Its purpose is to extract all of the relevant WEM database settings to a new SQL file which is then compressed.
• When running the Wizard, also open the WEM Infrastructure Service Configuration utility.
  • You’ll see the correct SQL Server and WEM database information to enter into the Wizard.
• If the logged-on user has sufficient permissions to access the WEM database, check the “Use integrated connection” box. Otherwise enter the credentials of an account that does.
• The “Export logs” checkbox embeds additional logging information into the exported SQL file. Don’t enable it, as generating the entries will slow down the extraction.
• The Wizard’s export process always creates a separate log file locally that you can check if something goes wrong.

Additional Resources:
• Migration to WEM Service: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html


WEM Service Migration
Useful Tips – Switch to Service Agent (1/2)

• Open the WEM Administration Console.
• Go to the Advanced Settings > Agent Switch section of the on-premises WEM Administration Console.
• All Agents in the current Configuration Set are switched in bulk.
• Note: Explicitly specify the Cloud Connector addresses.
  • This is so the on-premises Agents can pick up the settings immediately on the next Agent sync, and not wait until the WEM GPO settings apply.

Key Notes:
• After uploading the extracted on-premises WEM database to Citrix Cloud, it can take a few hours before you receive the migration
completion notification in the Citrix Cloud portal.
• At that point, go back to the on-premises WEM Administration Console to perform the step of switching your on-premises WEM
Agent machines to WEM Service mode.
• This is in the Advanced Settings > Agent Switch section.
• All Agents in the current Configuration Set are switched in bulk. Complete the switching task for all Configuration Sets in your on-premises deployment.
• Notice that we explicitly specified the Cloud Connector addresses, even though we’ve already configured the same settings in the WEM GPO.
• This is so the on-premises Agents can pick up the settings immediately on the next Agent sync, and not wait until the WEM GPO settings apply.

Additional Resources:
• After migration: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html#after-migration


WEM Service Migration
Useful Tips – Switch to Service Agent (2/2)

• Agent switch settings are written to the on-premises WEM database.
• Agents connect to the on-premises WEM Broker to retrieve and apply their new settings.
• Three things will happen automatically:
  • The WEM Agent machines will now point to the Cloud Connectors.
  • The WEM Agent will delete its LocalAgentCache database and restart the Norskale Agent Host Service (Agent reset).
  • The Agent will synchronize its LocalAgentCache with the WEM service Broker.

Key Notes:
• Agent switch settings are written to the on-premises WEM database.
• At this stage, the WEM Agents are still part of the on-premises deployment. Agents connect to the on-premises WEM Broker to retrieve and apply their new settings.
• In the Agent “switching” process, three things will happen automatically:
  • The WEM Agent machines will now point to the Cloud Connectors.
  • The WEM Agent will delete its LocalAgentCache database and restart the Norskale Agent Host Service (Agent reset).
  • The Agent will synchronize its LocalAgentCache with the WEM Infrastructure Services in Citrix Cloud.
• Congratulations! The WEM Agent machines are now part of your new WEM Service deployment.

Additional Resources:
• After migration: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html#after-migration


WEM Service Migration
Useful Tips – Upgrading the Agent

• Since the pre-migration WEM deployment was on-premises, the WEM Agents were originally installed from the Citrix Download page.
• After migration, it is still supported to continue to use the on-premises WEM Agent version installed.
• Citrix recommends downloading and installing the WEM Agent version from the Citrix Cloud portal.
• This is because the migrated deployment is now a WEM Service deployment, and you need to keep the WEM Agent versions in line with the WEM Service release cycle.

Key Notes:
• Since the pre-migration WEM deployment was on-premises, the WEM Agents were originally installed from the Citrix Download page.
• After migration, Citrix still supports the use of the on-premises WEM Agent in the WEM Service deployment.
• Citrix does recommend, though, downloading the WEM Agent version from the Citrix Cloud portal and installing it as part of your regular software maintenance cycle.
• This is because the migrated deployment is now a WEM Service deployment, and you need to keep the WEM Agent versions in line with the WEM Service release cycle.
• Note: Recall that a WEM Agent downloaded from the Citrix Cloud portal is not supported for WEM on-premises deployments.


Lesson Objective Review

What is the advantage of specifying the Citrix Cloud Connector addresses in the Agent switching section of the WEM Console, even though the WEM GPO already has the same information configured?

A WEM Agent will usually pick up and apply the WEM settings more quickly than the machine account will read and apply the GPO.


Key Takeaways:
• WEM on-premises upgrades carry the administrative overhead of having to upgrade all WEM components.
• On-premises deployments can take advantage of the WEM SDK, a set of PowerShell cmdlets that allow scripted upgrades, backups, and restores.
• WEM Service deployments are much easier to upgrade as Citrix Cloud is responsible for the upgrade and management of all of the WEM Service backend infrastructure components.
• When it’s time to migrate WEM to the Citrix Cloud, use the migration tool to extract the on-premises WEM database and upload it to Citrix Cloud. There are several migration tips to ensure the migration process is smooth. These include:
  • Check first that WEM Service is active.
  • Add the Citrix Cloud Connectors to the WEM GPO.
  • You can continue to use the on-premises WEM Agent in WEM Service, and upgrade to the Service version of the Agent later.

