by Ray Davis, CTA & Jacksonville CUGC Leader
In this quick post, I will go over how to successfully migrate native group policy objects (GPOs) and inject them into Citrix Workspace Environment Management (WEM). Many organizations rely heavily on GPO in their current Citrix VDA space, and some wonder how to put all of it in WEM, or whether that is even a good idea. I say it depends on the use case.
Moving the Group Policy Preference (GPP) pieces into WEM will, hands down, dramatically reduce login times. On the computer side of GPO, I am not 100% sure the juice is worth the squeeze: computer GPO applies at machine startup, and it is speedy. A good use case, though, is where the Citrix admin does not have rights to manage GPO. WEM then lets them control these settings from the Citrix administrative side by applying all of the GPO through the product.
I was working with a client to migrate all the GPOs they currently applied the native way over to WEM. When I say migrate, I am referring to backing up the GPOs, importing/migrating them into Citrix WEM, and applying them to a subset of VDAs for testing. This ensures the current production setup is not impacted if something does not apply correctly.
If you need more information, I encourage you to read James Kindon’s “Migrating GPO settings to WEM” blog. Migrating GPO settings to WEM | James Kindon (jkindon.com). In this blog, he goes over more examples for different use cases.
(See also WEM Advanced Guidance – 2023, recently updated by James Kindon.)
Let’s get started migrating GPOs to Citrix WEM:
- The first thing is to back up a GPO and store it in a location you can import into WEM.
- The example below shows me backing up my AV exclusions.

- The GPO backup must be in ZIP format for WEM to process it.

- In these examples, I am using the WEM service. But the process is the same for those who have Citrix WEM on-premises.
- Go to DaaS and use either the Web WEM console or Legacy WEM console.
- WEB
- Select your desired configuration set.

- Click on “Group Policy Settings”

- Click Import

- Browse to the location where you stored the GPO backup.


- Import the Zip file

- Below is the import of the Microsoft GPO into WEM.

- If you are using the Legacy WEM console, here are some screenshots of the same process.

- I already have this GPO, so I will select Overwrite in this case. This example shows how to do it via the legacy console. Then click Start Import.

- To see the settings, edit the imported file.
- Legacy Console

- The import takes the GPO and brings in all of the registry settings the GPO is made up of.

- To see the settings, edit the imported file.
- WEB Console

- Assigning the action.
- WEB Console

- In this example, I chose everyone, which applies to users and computers. In most production cases, you can do groups or conditions.
- **NOTE**
“You can assign the GPO to different AD groups, just like you assign other actions. If you assign GPOs to an individual user directly, the settings do not take effect. A group can contain users and machines. Machine-level settings take effect if the related machine belongs to the group. User-level settings take effect if the current user belongs to the group.”

- For reference, this is how the same assignment made in the Web console appears in the Legacy console.
- The Priority is how it is applied.
- “Type an integer to specify a priority. The greater the value, the higher the priority. Settings with higher priority are processed later.”

- Assigning the action.
- Legacy Console
- In this example, I chose everyone, which applies to users and computers. In most production cases, you can do groups or conditions.
- **NOTE**
“You can assign the GPO to different AD groups, just like you assign other actions. If you assign GPOs to an individual user directly, the settings do not take effect. A group can contain users and machines. Machine-level settings take effect if the related machine belongs to the group. User-level settings take effect if the current user belongs to the group.”

- For reference, this is how the same assignment made in the Legacy console appears in the Web console.

- Let’s reboot a VDA and see the results.
- I had logged in before, as I already have this applied, but I updated it with the new WEM AV exclusions Citrix released in May 2023. The registry will update the list to reflect what I am missing.

- Last cache sync

- Rebooting now.

- GPOs were successfully updated.

- Before, the antimalware process was around 47%-50% of CPU.

- Event Logs
- I can see the GPO processing, but I am unsure yet how to show from the logs which GPO applied. This could be me not knowing where it logs it. So, the only thing I can see is that the computer GPO components are processed. (More on this below.)

- After researching this, I had Sharp Gou reach out and explain to me where these logs are located.
View log files | Workspace Environment Management 2303 (citrix.com)
- “Citrix WEM Agent Host Service Debug.log. The log that lets you troubleshoot issues with the Citrix WEM Agent Host Service. By default, this log file is located in %PROGRAMFILES(X86)%\Citrix\Workspace Environment Management Agent. To enable logging, be sure to enable Debug Mode for the relevant configuration set on the Administration Console > Advanced Settings > Configuration > Service Options tab.” You will now see the GPO processing in that log file. Thank you, Sharp Gou. In this log, you will see the GPO applied and processed.
- We can also verify the applied GPO settings in the Windows Defender section of Windows.

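As an added example, not code from the original post, the following PowerShell pulls the three pieces of evidence discussed above into one check you can run on the VDA after a reboot or agent restart: GPO-related lines from the Agent Host Service debug log named above, the Defender exclusion values that a policy writes to the registry, and what Defender itself reports as effective, plus a short CPU sample of the antimalware process for the before/after comparison. The `'GPO|Group Policy'` search pattern is an assumption about what the log lines contain; adjust it to match your log. The Defender policy registry path and `Get-MpPreference` are standard Windows locations, not anything WEM-specific.

```powershell
# Added example (not from the original post): verify that a WEM-delivered GPO landed.
# Run on the VDA in an elevated session. Debug Mode must already be enabled for the
# configuration set, or the agent debug log will not exist.

$logDir  = Join-Path ${env:ProgramFiles(x86)} 'Citrix\Workspace Environment Management Agent'
$logFile = Join-Path $logDir 'Citrix WEM Agent Host Service Debug.log'

function Get-WemGpoLogLines {
    # Last N log lines that mention GPO processing. The pattern is an assumption.
    param([string]$Path = $logFile, [string]$Pattern = 'GPO|Group Policy', [int]$Last = 20)
    if (-not (Test-Path $Path)) {
        Write-Warning "Log not found: $Path (is Debug Mode enabled for this configuration set?)"
        return
    }
    Select-String -Path $Path -Pattern $Pattern |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

function Get-DefenderExclusionPolicy {
    # Exclusions pushed by policy (GPO or WEM's GPO import) are value names under the
    # Windows Defender policy key; each value name is one exclusion.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
    foreach ($kind in 'Paths', 'Processes', 'Extensions') {
        $key = Join-Path $base $kind
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata
                ForEach-Object { [pscustomobject]@{ Kind = $kind; Exclusion = $_.Name } }
        }
    }
}

function Get-DefenderEffectiveExclusions {
    # What Defender reports as effective, whichever channel delivered it.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath      | Where-Object { $_ })
        Processes  = @($pref.ExclusionProcess   | Where-Object { $_ })
        Extensions = @($pref.ExclusionExtension | Where-Object { $_ })
    }
}

function Measure-AntimalwareCpu {
    # Average CPU % of MsMpEng over a few samples, normalised to all cores,
    # to compare against the ~47-50% seen in the post before exclusions applied.
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    $cores = [Environment]::ProcessorCount
    $readings = for ($i = 0; $i -lt $Samples; $i++) {
        $p1 = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $p1) { return $null }
        $t1 = $p1.TotalProcessorTime
        Start-Sleep -Seconds $IntervalSeconds
        $p2 = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $p2) { return $null }
        ($p2.TotalProcessorTime - $t1).TotalSeconds / ($IntervalSeconds * $cores) * 100
    }
    [math]::Round(($readings | Measure-Object -Average).Average, 1)
}

'--- WEM agent log, GPO-related lines ---'
Get-WemGpoLogLines
'--- Defender exclusions set by policy (registry) ---'
Get-DefenderExclusionPolicy | Format-Table -AutoSize
'--- Defender effective exclusions ---'
Get-DefenderEffectiveExclusions | Format-List
'--- MsMpEng average CPU % ---'
Measure-AntimalwareCpu
```

If the registry check shows the exclusions but `Get-MpPreference` does not, Defender has not picked up the policy yet; if neither shows them, look at the agent log output first, since that tells you whether WEM processed the GPO at all.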
- What happens if I need to remove it? What happens then?
- Go back to the same area and unassign it.

- For reference, this is how the same change made in the Web console appears in the Legacy console:

- Reboot the VDA again. According to Citrix, if you restart the WEM Agent Host, it will take effect immediately. (Machine Level GPO)

- User level

- Before:

- After: it’s empty now:

- I will reboot anyway, to show you how vital AV exclusions are.
- CPU % with Antimalware process.

- Processing is slower as well.

- Add the GPO back in WEM
- The WEM agent processed exceptionally quickly in my testing.
- Other questions I get at times: what is the purpose of Migrating vs. Importing?
- The Migrate button in the legacy console (below) converts user GPPs into a readable XML file that WEM can use in user actions, whereas Import takes the whole GPO and imports it as-is. From what I found, where you have GPP policies, the Migrate option does the trick. Where you have standard GPO (ADMX) settings, Import will bring over the settings that make up the ADMX.

- Example: I have a GPP applying some mapped drive with Item-level targeting on myself.
- Loopback is set to Replace, since I am applying a user policy to the Citrix VDA.

- I added this to give you a quick summary of how GPP/loopback can potentially slow logins down. This is not a bad login time, just a tiny example.

- Adding a couple of drives added 1.4-1.6 seconds. Sure, that is not bad, but it is 1.4-1.6 seconds more than I had before, which is another reason why WEM is the go-to here, IMHO.

- I will back up the GPO as I did above.

- I will unlink the Mapped Drive GPO before importing it for testing.
- Now, I will migrate the GPP to an XML format for WEM to understand.

- I kept getting the error, and I did not understand why. After messing around for a bit, I discovered that when I created a custom folder for the GUID and zipped that, WEM was not too fond of it.
- So, when I backed up the GPO, I kept only the GUID folder name instead.

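The backup step is the same whether you are feeding the ZIP to Import (the AV exclusions GPO at the start of the post) or to Migrate (the mapped-drive GPP here), and the pitfall just described is about the archive layout. The PowerShell below is an added example, not code from the original post: it backs up one GPO with the GroupPolicy module and zips the GUID-named backup folder itself, so the archive root is `{GUID}\...` with no custom wrapper folder, which is the layout the post found WEM accepted. The GPO name and the staging/output paths are assumptions for illustration.

```powershell
# Added example (not from the original post): back up a GPO and zip it with the
# GUID folder at the archive root. Requires RSAT / the GroupPolicy module.
#Requires -Modules GroupPolicy

param(
    [string]$GpoName    = 'WEM-AV-Exclusions',    # assumed GPO display name
    [string]$BackupRoot = 'C:\GPOBackups',        # assumed staging folder
    [string]$ZipFolder  = 'C:\GPOBackups\ForWEM'  # assumed output folder for the ZIP
)

New-Item -ItemType Directory -Path $BackupRoot, $ZipFolder -Force | Out-Null

# Backup-GPO writes a folder named {<backup GUID>} under -Path and returns an
# object whose Id is that backup GUID (not the GPO's own GUID).
$backup     = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment "For WEM $(Get-Date -Format s)"
$guidFolder = Join-Path $BackupRoot ('{' + $backup.Id.ToString() + '}')

if (-not (Test-Path $guidFolder)) {
    throw "Expected backup folder not found: $guidFolder"
}

# A GPO backup folder always carries these two files; stop early if it looks incomplete.
foreach ($required in 'bkupInfo.xml', 'gpreport.xml') {
    if (-not (Test-Path (Join-Path $guidFolder $required))) {
        throw "Backup looks incomplete, missing $required"
    }
}

# Zip the GUID folder itself, not a parent folder you named, so the archive root is {GUID}\.
$zipPath = Join-Path $ZipFolder ("$GpoName-$(Get-Date -Format yyyyMMdd-HHmm).zip")
Compress-Archive -Path $guidFolder -DestinationPath $zipPath -Force

# List the archive's top-level entries so you can confirm the layout before uploading.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $roots = $zip.Entries |
        ForEach-Object { ($_.FullName -split '[\\/]')[0] } |
        Sort-Object -Unique
} finally {
    $zip.Dispose()
}

"Created $zipPath"
"Archive root entries: $($roots -join ', ')"
```

The last two lines should show a single root entry in the `{GUID}` form; if you see a folder name you chose, the ZIP was built around a wrapper folder and is the shape the post reports WEM rejecting.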
- Now click on Restore.

- You will see the file you named when you converted it from the GPO backup. You will also see the Network Drive icon light up, ready to be selected.

- Now, you will see the network drive in the actions for the user side.

- Assign it to the user of your choice. Everyone in my example.

- I needed to go into “Advanced Settings > Main Configuration” and check “Process Virtual Drives.”

- I am going to reboot the VDA now. Remember the sequence: the GPO was unlinked, the GPO was backed up, the backup was converted to the WEM XML format, the XML was restored into Actions, and lastly, the action was assigned to a user (Everyone in this case).

- Verify that WEM is doing it.

- Another way is to put in a description of the actions.

- You can let WEM update on its own or refresh the cache.
- As you can see below, the drives that I had in the native GPMC are now applied via WEM.

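To make the cache refresh and the drive verification above repeatable from the VDA, here is an added example (not code from the original post or from Citrix) run in the user's session. It invokes the WEM agent's cache utility and then lists the session's SMB mappings, flagging the letters you expect from the migrated GPP. The agent folder and the `AgentCacheUtility.exe -refreshcache` invocation are what I understand the WEM agent ships with; confirm both against your installed version. The expected drive letters are assumptions.

```powershell
# Added example (not from the original post): refresh the WEM agent cache and check that
# the drives that used to come from the GPP are now mapped in this session.

param([string[]]$ExpectedDrives = @('H', 'S'))   # assumed letters from the migrated GPP

$agentDir  = Join-Path ${env:ProgramFiles(x86)} 'Citrix\Workspace Environment Management Agent'
$cacheUtil = Join-Path $agentDir 'AgentCacheUtility.exe'   # path/switch: verify for your version

function Update-WemAgentCache {
    # Returns $true when the utility exits 0. Falls back gracefully if it is not present.
    if (-not (Test-Path $cacheUtil)) {
        Write-Warning "Not found: $cacheUtil"
        return $false
    }
    $proc = Start-Process -FilePath $cacheUtil -ArgumentList '-refreshcache' `
                          -Wait -PassThru -NoNewWindow
    return ($proc.ExitCode -eq 0)
}

function Get-SessionDriveMappings {
    # Get-SmbMapping reports the SMB-level mapping for the current user session.
    Get-SmbMapping | ForEach-Object {
        [pscustomobject]@{
            Drive  = $_.LocalPath.TrimEnd(':')
            Remote = $_.RemotePath
            Status = $_.Status
        }
    }
}

function Test-ExpectedDrives {
    # One row per expected letter: mapped or not, and where it points.
    param([string[]]$Letters)
    $mapped = @(Get-SessionDriveMappings)
    foreach ($letter in $Letters) {
        $hit = $mapped | Where-Object { $_.Drive -eq $letter } | Select-Object -First 1
        [pscustomobject]@{
            Drive  = $letter
            Mapped = [bool]$hit
            Remote = if ($hit) { $hit.Remote } else { '' }
            Status = if ($hit) { $hit.Status } else { 'missing' }
        }
    }
}

"Cache refresh OK: $(Update-WemAgentCache)"
Test-ExpectedDrives -Letters $ExpectedDrives | Format-Table -AutoSize
```

Because the GPP was unlinked before the test, a drive that shows up here can only have come from the WEM action; a `missing` row means either the assignment has not reached this user or the Process Virtual Drives setting is still unchecked.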
I hope you found this helpful in your journey if you are considering this technology. Citrix WEM is an excellent product and keeps improving as time goes on. Thank you, Citrix, for the great tool 😊
Another option, before WEM could do this, was to use a tool made by Arjan Mensch. It allowed you to convert the GPPs via PowerShell. I still use this today, and it’s another excellent tool to save as an ace in your back pocket. Powershell Module for Citrix WEM – Part 1 – Application actions | msfreaks (wordpress.com)
References
Group Policy Settings | Workspace Environment Management 2308 (citrix.com)
Workspace Environment Management service (citrix.com)
Agent system Settings around GPO
Agent | Workspace Environment Management 2308 (citrix.com)