WEM agent launch group exclusion does not work and the excluded group still applies all the settings.

book

Article ID: CTX695944

calendar_today

Updated On:

Description

As we see in below screenshot a specific group has been excluded :-

image.png

However WEM GPO are still getting applied although the exclusion policy seems to be working as per the debug logs.

Cause

https://docs.citrix.com/en-us/workspace-environment-management/service/reference/filter-conditions.html

Resolution

Based on our review of the product code with the Engineering team, here is a clarification of how WEM handles exclusions and Group Policy Objects (GPOs):

WEM Exclusion Logic

The "Exclusion Group" setting specifically targets the WEM UI Agent (the user-session executable), not the background service.

  • User-Level Actions: If a user is excluded, the WEM UI Agent will not launch. Consequently, user-specific actions like printer mapping, application delivery, and desktop shortcuts will not be processed.

  • Machine-Level Optimizations: These are managed by the WEM Agent Host Service. Since this service runs independently of the user session, machine-wide optimizations (such as CPU, Memory, and I/O management) will remain active even for excluded users.

WEM GPO Processing

We have confirmed that WEM GPOs are processed by the Agent Host Service rather than the UI Agent. Because of this architectural design, the standard UI Agent exclusion does not prevent WEM GPOs from being applied.

Solution

To successfully prevent GPOs from applying to specific users, we need to use the Active Directory Group Match filter condition within the WEM Console. This allows us to create a logic-based filter for the user-level GPOs:

Reference: WEM Filter Conditions - AD Group Match

image.png

Issue/Introduction

With a new WEM 2507 deployment where the "WEM Agent Launch" exclusion policy is not functioning as intended.
 
Observed Behavior:
  • Exclusion Failure: A specific user group was added to the WEM Agent Launch exclusion list to prevent any WEM settings from being applied. However, settings continue to process for these excluded users.
  • Testing: We attempted to exclude multiple other groups and individual users, but the behavior remains inconsistent; WEM settings are still being enforced.
  • UI vs. Processing: While the WEM Agent UI does not load (the icon is missing from the system tray), a check via VUEMRSAV confirms that policies and settings are still being successfully applied to the session.
  • Expected Result: Based on product documentation, any user or group part of the Agent Launch exclusion should be completely bypassed by the WEM processing engine.
Powered by Wolken Software