Some WEM-related security settings (such as hiding the Run menu or blocking access to system drives) are not being applied, and the Agent log throws errors such as these:

Exception -> VuemEnvironmentalSettingsController.ExecuteEntityPolicySettings() : Attempted to perform an unauthorized operation.

Exception -> VuemEnvironmentalSettingsController.ExecuteEntityPolicySettings() : Denied access to the registry.

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Solution 1. Your local or network password policies may be blocking the VuemLocalUser account

By default, the account is created with an 8-character password that contains a mix of alphanumeric characters in upper and lower cases. If this does not meet your password policy, the VuemLocalUser account will not be able to modify the registry.

To resolve this, uninstall the Norskale Agent Host, then reinstall it with the VuemLocalUserPassword argument and specify the password you wish the account to use. Instructions for this (including full syntax) are in the Citrix WEM Installation Guide.

 

Solution 2. The VuemLocalUser account is explicitly denied the right to log on locally

Some domain policies strip this right from certain users for security reasons. To resolve this, grant the VuemLocalUser account explicit rights to log on locally, as detailed in this Technet article: http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

Please note, you will need to make sure that whatever policy stripped this right from the account in the first place is not still in effect.

 

Solution 3. The Process Environmental Settings option is not enabled

In order to minimise our impact on the host computer, the Citrix WEM Agent service does not modify ACLs to grant vuemLocalUser access to use registry settings unless the Process Environmental Settings option is enabled under Policies and Profiles.

 

Solution 4. Your anti-virus is blocking access to the registry

To resolve this, completely exclude the Citrix WEM installation directory (typically %programfiles(x86)%\Norskale) from on-access scanning (this should be done by default in any case).

---

Problem Cause

To apply security settings such as these, Workspace Environment Management uses a local account called VuemLocalUser. If this user is not allowed to log on locally, WEM will not be allowed to apply security settings. There are several reasons why this right may not be allowed:

Reason 1. Your local or network password policies may be blocking the VuemLocaUser account

Reason 2. The VuemLocalUser account is explicitly denied the right to log on locally

Reason 3. The Process Environmental Settings option is not enabled

Reason 4. Your anti-virus is blocking access to the registry