    How to Migrate GPOs from Microsoft to Citrix WEM

    cugcblogs

    by Ray Davis, CTA & Jacksonville CUGC Leader

    In this quick post, I will go over how to migrate native group policy objects (GPOs) and import them into Citrix Workspace Environment Manager (WEM). Many organizations rely heavily on GPOs in their current Citrix VDA estate. Some wonder whether to put them all in WEM, and whether that is a good idea at all. I say it depends on the use case.

    WEM will, hands down, dramatically improve the login experience and reduce login times simply by moving the Group Policy Preferences (GPP) pieces into WEM. On the computer side of a GPO, I am not 100% sure the juice is worth the squeeze: computer GPOs apply at machine startup, and that is speedy. But a good use case is where the Citrix admin does not have rights to manage the GPOs. WEM lets them control these settings from the Citrix administration side by applying all the GPOs from this product.

    I was working with a client to migrate all the GPOs they currently applied the native way into WEM. When I use the word migrate, I am referring to backing up the GPOs, importing/migrating them into Citrix WEM, and applying them to a subset of VDAs for testing. This ensures that the current production setup is not impacted if something does not apply correctly.

    If you need more information, I encourage you to read James Kindon's “Migrating GPO settings to WEM” blog: Migrating GPO settings to WEM | James Kindon (jkindon.com). In that post, he goes over more examples for different use cases.

    (See also WEM Advanced Guidance - 2023, recently updated by James Kindon.)

    Let's get started migrating GPOs to Citrix WEM:

    1. The first thing is to back up a GPO and store it in a location you can import into WEM.
    2. The example below shows me backing up my AV exclusions.
    3. The GPO backup must be in ZIP format for WEM to process it.
    4. In these examples, I am using the WEM service, but the process is the same for those who have Citrix WEM on-premises.
    5. Go to DaaS and use either the Web WEM console or the Legacy WEM console.
       a. Web console
    6. Select your desired configuration set.
    7. Click on “Group Policy Settings”.
    8. Click Import.
    9. Browse to the location where you stored the GPO backup.
    10. Import the ZIP file.
    11. Below shows the import of the GPO from Microsoft Group Policy into WEM.
    12. If you are using the Legacy WEM console, here are some screenshots of the same process.
    13. I already have this GPO, so in this case I select it and overwrite. This example shows how to do it via the Legacy console. Then click Start Import.
    14. To see the settings, edit the imported file.
       a. Legacy console
    15. The import takes the GPO and brings in all the registry settings that make it up.
    16. To see the settings, edit the imported file.
       a. Web console
    17. Assigning the action.
       a. Web console
    18. In this example, I chose Everyone, which applies to users and computers. In most production cases, you would use groups or conditions.
    19. **NOTE**

       “You can assign the GPO to different AD groups, just like you assign other actions. If you assign GPOs to an individual user directly, the settings do not take effect. A group can contain users and machines. Machine-level settings take effect if the related machine belongs to the group. User-level settings take effect if the current user belongs to the group.”

    20. For comparison, if you do this via the Web console, here is how it shows in the Legacy console.
    21. The Priority controls how it is applied.
       a. https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions/group-policy-settings.html#contextualize-group-policy-settings
       b. “Type an integer to specify a priority. The greater the value, the higher the priority. Settings with higher priority are processed later.”
    22. Assigning the action.
       a. Legacy console
    23. In this example, I chose Everyone, which applies to users and computers. In most production cases, you would use groups or conditions. The same NOTE as in step 19 applies here.
    24. For comparison, if you do this via the Legacy console, here is how it shows in the Web console.
    25. Let's reboot a VDA and see the results.
    26. I had logged in before, as I already have this applied, but I updated it with the new WEM AV exclusions released in May 2023. The registry will update the list to reflect what I am missing.
    27. Last cache sync.
    28. Rebooting now.
    29. GPOs were successfully updated.
    30. Before, the antimalware process was around 47%-50% of CPU.
    31. Event logs.
    32. I can see the GPO processing proceed, but I am unsure yet how to show from the logs which GPO applied. This could be me not knowing where it logs it yet; perhaps it does, and I am missing it. So, the only thing I can see is that the computer GPO components are processed. (More on this in step 34.)
    33. After researching this, Sharp Gou reached out and explained to me where these logs are located.

       View log files | Workspace Environment Management 2303 (citrix.com)

    34. Citrix WEM Agent Host Service Debug.log: the log that lets you troubleshoot issues with the Citrix WEM Agent Host Service. By default, this log file is located in %PROGRAMFILES(X86)%\Citrix\Workspace Environment Management Agent. To enable logging, enable Debug Mode for the relevant configuration set on the Administration Console > Advanced Settings > Configuration > Service Options tab. You will then see the GPO processing in that log file, including which GPOs were applied and processed. Thank you, Sharp Gou.
    35. We can verify in the Windows Defender section of Windows as well that the GPO settings landed.
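    One way to do that verification from the VDA itself, as an added example that is not part of the original post: compare the Defender exclusions the WEM-delivered GPO wrote into the Policies hive against what the Defender engine reports as effective. It assumes the imported GPO carries Defender exclusions (as in the AV exclusion example above) and is run elevated on a test VDA after a reboot or cache refresh.

```powershell
# Added example (not from the original post). Compares policy-delivered
# Defender exclusions with the engine's effective configuration on a VDA.
# Assumes the imported GPO sets Defender path/process exclusions.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-PolicyExclusion {
    param([ValidateSet('Paths', 'Processes', 'Extensions')][string]$Kind)
    $key = Join-Path $policyRoot $Kind
    if (-not (Test-Path $key)) { return @() }
    # Policy-delivered exclusions are stored as value NAMES (data is DWORD 0).
    @((Get-Item $key).GetValueNames())
}

# What Group Policy (here delivered by the WEM agent) wrote to the registry.
$policyPaths = @(Get-PolicyExclusion -Kind 'Paths')
$policyProcs = @(Get-PolicyExclusion -Kind 'Processes')

# What the Defender engine is actually enforcing right now.
$mp = Get-MpPreference
$effectivePaths = @($mp.ExclusionPath)
$effectiveProcs = @($mp.ExclusionProcess)

"Policy path exclusions: {0}, effective: {1}" -f $policyPaths.Count, $effectivePaths.Count
"Policy process exclusions: {0}, effective: {1}" -f $policyProcs.Count, $effectiveProcs.Count

# Anything delivered by policy but not yet effective points at a delivery
# problem: agent cache not refreshed, or the GPO assigned to a group the
# machine (not just the user) is not a member of.
$missingPaths = @($policyPaths | Where-Object { $_ -notin $effectivePaths })
$missingProcs = @($policyProcs | Where-Object { $_ -notin $effectiveProcs })

if ($missingPaths.Count -gt 0 -or $missingProcs.Count -gt 0) {
    Write-Warning ("Not yet effective:`n" + (($missingPaths + $missingProcs) -join "`n"))
} elseif ($policyPaths.Count -eq 0 -and $policyProcs.Count -eq 0) {
    Write-Warning "No policy exclusions found under $policyRoot; the GPO has not applied."
} else {
    'All policy-delivered exclusions are effective.'
}
```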
    36. What happens if I need to remove it?
    37. Go back to the same area and unassign it.
    38. For comparison, if you do this via the Web console, here is how it shows in the Legacy console:
    39. Reboot the VDA again. According to Citrix, if you restart the WEM Agent Host service, it takes effect immediately (machine-level GPO).
    40. User level.
    41. Before:
    42. After: it's empty now:
       [screenshot: Registry Editor]
    43. I will reboot anyway, to show you how vital AV exclusions are.
    44. CPU % with the Antimalware process.
    45. Processing is slower as well.
    46. Add the GPO back in WEM.
    47. The WEM agent processed it exceptionally quickly in my testing.
    48. Another question I get at times: what is the purpose of Migrating vs. Importing?

       a. The Migrate button in the Legacy console (below) converts user GPPs into a readable XML file that WEM can use in user actions, whereas Import takes the whole GPO and imports it as is. From what I found, where you have GPP policies, the Migrate option does the trick. Where you have standard GPO (ADMX) settings, Import brings over the registry settings that make up the ADMX policy.

       [screenshot: config screen]

       b. Example: I have a GPP applying some mapped drives with item-level targeting on myself.
       c. Loopback is set to Replace, since I am applying a user policy to the Citrix VDA.

       [screenshot: drive maps]

       d. I added more to give you a quick summary of how GPP/loopback can potentially slow logins down. This is not a lousy login, but it's just a tiny example.

       [screenshot: drive maps; Devices and drives]

       e. By adding a couple of drives, it added 1.4-1.6 seconds. Sure, that is not bad. But that is 1.4-1.6 seconds I did not have before, another reason why WEM is the go-to here, IMHO.

       [screenshot: WEM code]

    49. I will back up the GPO as I did above.
    50. I will unlink the Mapped Drive GPO before importing it for testing.
    51. Now, I will migrate the GPP to an XML format that WEM can understand.
       [screenshot: configuration screen]
    52. I kept getting an error, and I did not understand why. After messing around for a bit, I discovered that it did not like it when I created a custom folder for the GUID and zipped that.
    53. So, when I backed up the GPO, I kept only the GUID folder name instead.
       [screenshot: file directory]
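    The backup-and-zip steps (step 1 to 3 and steps 49 to 53) scripted end to end, as an added example that is not part of the original post and not Citrix's or the author's code: it backs up the GPO with the GroupPolicy RSAT module and zips it so the backup's GUID folder sits at the root of the archive, then checks that no hand-made wrapper folder got in the way. The GPO name, the C:\GPOBackups staging folder and the presence of the GroupPolicy module are assumptions.

```powershell
# Added example (not from the original post). Backs up one GPO and zips it
# with the {GUID} backup folder at the zip root, which is the layout that
# worked for the author; a custom wrapper folder around it caused the error.
# Assumptions: GroupPolicy RSAT module installed, GPO name and path are yours.
Import-Module GroupPolicy

$gpoName    = 'AV Exclusions'     # assumed GPO display name
$backupRoot = 'C:\GPOBackups'     # assumed staging folder
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Backup-GPO creates a folder named {<backup GUID>} under $backupRoot and
# returns a GpoBackup object whose Id is that GUID.
$backup     = Backup-GPO -Name $gpoName -Path $backupRoot -Comment "For WEM import $(Get-Date -Format s)"
$guidFolder = Join-Path $backupRoot ('{' + $backup.Id + '}')

# Zip the GUID folder itself (no trailing \*), so the folder becomes the
# top-level entry of the archive rather than its contents being flattened.
$zipPath = Join-Path $backupRoot (($gpoName -replace '[^\w\-]', '_') + '.zip')
Compress-Archive -Path $guidFolder -DestinationPath $zipPath -Force

# Sanity check: the only top-level entry must be the {GUID} folder.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $topLevel = @($zip.Entries |
        ForEach-Object { ($_.FullName -split '[\\/]')[0] } |
        Sort-Object -Unique)
} finally {
    $zip.Dispose()
}

if ($topLevel.Count -eq 1 -and $topLevel[0] -match '^\{[0-9A-Fa-f\-]{36}\}$') {
    "OK: $zipPath has the GUID folder $($topLevel[0]) at its root; ready for WEM."
} else {
    Write-Warning "Unexpected top-level entries in $zipPath : $($topLevel -join ', ')"
}
```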
    54. Now click on Restore.
       [screenshot: config set]
    55. You will see the file you named when you converted it from the GPO backup. You will also see the Network Drive icon light up, ready to be selected.

    Now, you will see the network drive in the Actions for the user side.

       [screenshot: user side network]
    56. Assign it to the user of your choice. Everyone in my example.
       [screenshot: file directory]
    57. I needed to go into Advanced Settings > Main Configuration and check “Process Virtual Drives.”
       [screenshot: config set]
    58. I am going to reboot the VDA now. Remember the sequence: the GPO was unlinked, the GPO was backed up and converted to the WEM XML format, the XML was restored into Actions, and lastly it was assigned to a user (Everyone in this case).
       [screenshot: file directory]
    59. To verify WEM is doing it.
       [screenshot: WEM verify]
    60. Another way is to put a description on the actions.
    61. You can let WEM update on its own or refresh the cache.
    62. As you can see below, the drives I had in the native GPMC are now applying via WEM.
       [screenshot: file directory]

    I hope you found this helpful in your journey if you are considering this technology. Citrix WEM is an excellent product and keeps improving as time goes on. Thank you, Citrix, for the great tool 😊

    Another option, from before WEM could do this, is a tool made by Arjan Mensch. It lets you convert GPPs via PowerShell. I still use it today, and it's another excellent tool to keep as an ace in your back pocket. Powershell Module for Citrix WEM – Part 1 – Application actions | msfreaks (wordpress.com)

    References

    Group Policy Settings | Workspace Environment Management 2308 (citrix.com)

    Workspace Environment Management service (citrix.com)

     

    Agent system Settings around GPO

    Agent | Workspace Environment Management 2308 (citrix.com)


    Comments

    Nice article, question though. Does WEM GPO have the same potential performance hit with multiple policies, similar to how traditional GPOs do? Or is breaking out GPOs for dedicated purposes a better scenario?


    I try to apply a monolithic approach myself. So, bigger policies are set, but there are fewer GPOs, but it really all depends.
    So, like all security GPOs, apps GPOs, Windows tuning GPOs, and so on.
    But to answer your question, I would say yes. Often, I see WEM apply all the GPOs, but the timing is off, and it will miss some, but it's doing async mode, and it will apply them, but a couple might be missing. Then the next time it gets them 100%.

    Often at times, I use this to get around that.
    Agent | Workspace Environment Management 2402 (citrix.com)

    • SyncForegroundPolicy. Lets you configure the SyncForegroundPolicy registry value during agent installation. This policy setting determines whether Group Policy processing is synchronous. Accepted values: 0, 1. If the value is not set or you set the value to 0, Citrix WEM Agent User Logon Service does not delay logons, and user Group Policy settings are processed in the background. If you set the value to 1, Citrix WEM Agent User Logon Service delays logons until the processing of user Group Policy settings completes. By default, the value does not change during installation.

      IMPORTANT:

      If Group Policy settings are processed in the background, Windows Shell (Windows Explorer) might start before all policy settings are processed. Therefore, some settings might not take effect the first time a user logs on. If you want all policy settings to be processed the first time a user logs on, set the value to 1.

    https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html#system-settings


    Great stuff and a detailed deep dive on this migration process for GPOs. Very helpful for customers migrating their GPOs to WEM. I would give it a try for sure, as we also own and manage several GPOs locally. It would be good to manage all the GPOs from one single console. Thanks again @rdavis1983



