Citrix Workspace Environment Manager can be used as a replacement for Active Directory (AD) Group Policy Preferences (GPP). It does not deal with machine policies, however. Because of this AD Group Policy Objects (GPO) are still required to apply policies to machines. However, WEM’s goal isn’t to manipulate machine policies but to improve user logon times by replacing the user policy of an AD GPO. A GPO has two different engines to apply settings. A Registry Policy engine and the engine that drives “Client Side Extensions” (CSE). The biggest time consumer of a GPO is processing the logic of a CSE or the action of the CSE. I’ll look at each engine and what they mean for WEM.
The first is the ‘Registry’ policy engine. This engine is confusingly called the “Registry Extension” as opposed to the CSE “Group Policy Registry”. The “Registry Extension” is engine applies registry settings set in via ‘Administrative Templates’.
These settings are ‘dumb’ in that there is no logic processing required. When set to Enabled or Disabled whatever key needs to be set with that value is applied immediately. Processing of this engine occurs very, very fast so migrating these policy settings would have minimal or no improvement to logon times (unless you have a ton of GPO’s apply and network latency becomes your primary blocker).
If you use ControlUp to Analyze GPO Extension Load Times it will display the Registry Extension and the Group Policy Registry CSE:
Client Side Extensions
However, CSE’s allow you to put complex logic and actions within that require processing to determine if a setting should be applied or how a settings should be applied. One of the most powerful of these is the Registry CSE. This CSE allows you to apply registry settings with Boolean logic and can be filtered on a huge number of variables.
All of this logic is stored in a XML document that is pulled when the group policy object is processed. This file is located in “C:\ProgramData\Microsoft\Group Policy\History\GUID OF GPO\SID OF USER\Preferences\Registry”.
Parsing and executing the Boolean logic takes time. This is where we would be hopeful that WEM can make this faster. The processing of all this, in our existing environment consumes the majority of our logon time:
Migrating Group Policy Preferences to WEM
Looking at some of our Registry Preferences we’ll look at what is required to migrate it into WEM.
Basic settings “eg, ‘Always applied’”.
These settings have no filters and are applied to all users. To migrate them to WEM I’ve exported these values and set them into a registry file:
Windows Registry Editor Version 5.00
Switching to WEM I select ‘Actions’ then ‘Registry Entries’ and then I imported the registry file.
An interesting side note, it appears the import excluded the REG_BINARY. However you can create the REG_BINARY via the GUI:
To set the Registry Entries I created a filter condition called “Always True”
And then created a rule “Always True”
We have a user group that encompasses all of our Citrix users upon which I added in ‘Configure Users’. Then, during the assignment of the registry keys I selected the ‘Always True’ filter:
And now these registry keys have been migrated to WEM. It would be nice to ‘Group’ these keys like you can do for a collection in Group Policy Preferences. Without the ability to do so the name of the action becomes really important as it’s the only way you can filter:
Next I’ll look at replacing Group Policy Preferences that contain some boolean logic.