Author: Carl Stalhood

Omnissa Horizon 2406: Virtual Desktop Pools

Last Modified: Jul 30, 2024 @ 5:18 am

177 Comments

This article details Horizon pool configuration for Virtual Desktops. RDS Farms and pools are detailed in a separate article at https://www.carlstalhood.com/vmware-horizon-8-rds-farms-pools/.

Navigation

This post applies to all Horizon versions 2006 (8.0) and newer.

Change Log

Non-Persistent – Instant Clones

All editions of Horizon 2006 and newer include Instant Clones so there is no need to use Composer. Composer is deprecated in Horizon 2006. Composer was removed from Horizon 2012 (8.1) and newer.

Notes on Instant Clones:

  • The master VM snapshot is copied to every LUN containing instant clones. Composer does the same.
  • If you deploy 12+ VMs per host of the same pool, then “Parent” machines are created on each ESXi host for each datastore. These “parent” machines are powered on and consume CPU/Memory/Disk resources. If you have six hosts and three datastores containing instant clones, then Horizon creates 18 parent virtual machines. Composer does not need parent virtual machines.
    • For lower density, Horizon 2006 and newer support Smart Provisioning, which eliminates the need for “Parent” machines. See the Smart Provisioning YouTube video for an overview.
    • Horizon 2306 (8.10) and newer now default to no longer creating parent virtual machines.
  • Horizon 2306 (8.10) and newer support Persistent Disks with dedicated Instant Clones. See Omnissa 93091 Guidelines for Persistent Disk Migration from Horizon 7 Environments to Horizon 8.
    • An alternative is Microsoft FSLogix, or App Volumes Writable Volumes
  • See Instant-Clone Desktop Pools at Omnissa Docs.

Infrastructure Prep

  • Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.
  • Each desktop pool points to one vSphere cluster.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
    • Instant Clones in Horizon 8.1 and newer support all port bindings, including ephemeral. Older versions of Horizon, including Horizon 7.x, require static port binding.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
  • KMS Licensing is required, preferably using Active Directory-based activationMAK licensing (Omnissa Docs) is not supported until Horizon 2212 and newer.
  • The virtual desktop pools will use the same hardware specs (e.g., vCPUs, memory size, network label, GPU) specified on the master virtual desktop. Adjust accordingly.
  • The master image should be in the same vSphere cluster where the instant clone virtual desktops will be created.
  • ESXi must be version 6 update 1 or newer
  • Master VM must be version hardware version 11 or newer
  • In Horizon Console, add Instant Clone Domain Accounts
  • In Horizon Console, enable View Storage Accelerator on your vCenter connection.
  • If you upgrade vCenter from version 6.5 or older to version 6.7 or later, then you must upgrade your ESXi hosts to version 6.7 or later at the same time. Afterwards, take a new snapshot of the master image and perform a push operation.
  • Windows 11 – Omnissa says don’t add vTPM to the gold image. Instead add the vTPM when creating the Instant Clone pool or Full Clone pool. There are various methods of installing Windows 11 without a vTPM. See Omnissa KB article 85960 Horizon and Horizon Cloud readiness for Microsoft Windows 11.
  • vTPM requires a Key Provider. vSphere 7 has a Native Key Provider that does not need any additional servers or licenses.
    1. In vSphere Client, in Inventory, click the vCenter object. On the right, on the Configure tab, scroll down to Key Providers and add a Native Key Provider.
    2. After it’s added, select it and then click Back-up to activate it.

Disk space

  • One or more LUNs (datastores) for storage of the virtual desktops.
  • By default, Replicas are copied to each LUN that contains virtual desktops.
    • It’s possible to place the Replica and the instant clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops.
    • Note: NFS VAAI requires the Replica to be copied to each virtual desktop LUN.
  • .vswp files – Plan for disk space for memory swap and graphics memory overhead. If the master virtual desktop has 4 GB of RAM configured and if none of its memory is reserved then each linked clone will have a 4 GB .vswp file.
    • To reduce the size of the .vswp files, edit each virtual desktop and reserve its memory. Whatever memory is reserved will be subtracted from the .vswp file size.
  • Instant Clone Delta disks – Delta disks start small whenever the virtual desktop boots and grow until the user logs off of the virtual desktop and it reboots.

Non-Persistent, Floating, Automatic, Instant Clone Desktop Pool

Master Image Preparation

Do the following on the master image that the virtual desktops will link to:

  1. Video Memory – shut down the master, Edit Settings (hardware) in vSphere client, expand Video card, and set video memory. More video memory means more client monitors. The maximum number of displays and maximum resolution of client monitors depends on the ESXi version, the Horizon version, and the Windows version with newest versions providing the greatest number of client monitors.
  2. DHCP – Make sure the master VM is configured for DHCP.
  3. Join domain – Join the master VM to the domain.
  4. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  5. KMS Licensing or Active Directory-Based Activation (recommended) is required.
  6. Snapshot – Shut down the master image and take a new snapshot.

Floating Pool

Use Horizon Console to create an Instant Clone pool:

  1. Login to Horizon Console.
  2. On the left, under Inventory, click Desktops.
  3. On the right, if you select an existing pool, you can click Duplicate to copy the settings to a new pool.
  4. On the right, click Add.
  5. In the Type page, select Automated desktop pool.
  6. In the vCenter Server page, select Instant Clone, select a vCenter server, and click Next. Notice that Composer is no longer an option.
  7. In the User Assignment page, select Floating, and click Next.
  8. In the Storage Optimization page, if you want to use storage tiering, check the box for Select separate datastores for replica and OS disk. Click Next.
  9. In the Desktop Pool Identification page, do the following:
    1. Give the pool a unique ID, which is not shown to the users. Horizon creates a vCenter VM folder with the same name as the Pool ID.
    2. Enter a Display name, which is shown to the users.
    3.  If you intend to use Omnissa Access, then leave Access group set to /. Otherwise, if you intend to delegate administration of this pool, then select an Access group that the delegated administrators have been assigned to.
  10. Click Next.
  11. In the Provisioning Settings page, do the following:
    • In Virtual Machine Naming, enter a Naming Pattern. You can use {n:fixed=3} to specify the location for incremented numerals in the machine names. Make sure the naming pattern does not conflict with any existing machines. Remember, the maximum computer name length is 15 characters.
      • Horizon 2103 (8.2) and newer let you Specify Names Manually instead of using a naming pattern.
    • In Desktop Pool Sizing, enter the maximum number of desktops to create. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. If your desktop pool size exceeds a single VLAN, then you can create multiple pools and combine them into a Cloud Pod Global Entitlement.
    • Select Provision all machines up-front to create all of the machines now.
    • Or select Provision machines on demand, which tells Horizon to create the machines (up to the maximum) as users connect.
    • If you’re not creating all machines up-front, then specify the Number of spare (powered on) machines. As users connect, Horizon creates more machines to try to keep this number of spare machines running and waiting for a new connection.
  12. If Windows 11, consider checking the box to Add vTPM Device to VMs.
  13. Click Next.
  14. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option and make your selection.

    • If the Golden Image VM (aka Parent VM or Master VM) is not showing up in the list, then check the box next to Show all parent VMs and click the … next to the VM to see the issue.
    • Instant Clones monitors/resolution – the number of monitors configured on the Master Image (snapshot) is displayed. If not correct, delete the snapshot, edit the master VM’s Hardware Settings, expand video card, make your desired changes, and take another snapshot.
    • Scroll down for more settings.
    • VM Folder Location – Horizon will create a folder under the location (e.g., datacenter) you choose. Make sure the folder names don’t have any spaces in them.
    • Datastores – select one or more datastores on which the virtual desktops will be placed.
    • If you selected to put Replica on a different datastore, then you’ll have another Browse button for Replica disk datastores.
    • When selecting Networks, you can use the Network from the parent image, or uncheck the box and select a different network.
  15. In Horizon 2206 and newer, in the VM Compute Profile Settings section, you can change the CPU, RAM, and Cores per socket assigned to each new virtual desktop.
  16. Click Next when done.
  17. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.

      1. Change the selection to Select a category folder from the folder list.
      2. You can type in a new category, or select an existing one.
      3. Then click Submit.
    2. In the Desktop Pool Settings page, Horizon Enterprise Edition lets you select a Session Type, which means you can optionally publish applications from virtual desktops.
    3. Change the selection for Logoff after disconnect to After, and specify a disconnect timer.

      • You can also use Group Policy to configure this. The GPO overrides the pool setting. Install the Horizon GPO Templates if you haven’t already. Edit a GPO that applies to the Horizon Agents. Find the Disconnect Session Time Limit (VDI) setting at VMware View Agent Configuration > Agent Configuration.
      • Horizon also has an Idle Time Until Disconnect (VDI) for virtual desktops. Note: RDSH idle timer is configured using Microsoft RDSH GPO settings, not Horizon GPO settings.
    4. You can allow users to restart their machines.
    5. If you choose Dedicated assignment instead of Floating assignment, there’s an option for Refresh OS disk after logoff. Leaving it set to Always is strongly recommended. The other options cause the delta disk to grow, and will cause data loss surprise for the users when you later push a new image. Instant Clones floating assignment pools always refresh on logoff.
    6. Reclaim VM disk space is also an option for Dedicated assignment pools. Floating assignment pools always refresh on logoff so there’s no need to reclaim disk space.
  18. Click Next.
  19. In the Remote Display Settings page:
    1. In 3D Renderer, there’s an option for NVIDIA GRID VGPU if you have GPUs installed.
    2. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.  See Session Collaboration for details.
  20. Click Next.
  21. In the Guest Customization page,
    1. Next to AD container, click Browse, and select the OU where virtual desktop computer objects will be placed. You can type (paste) into the AD container field.
    2. Consider checking the box next to Allow reuse of pre-existing computer accounts.
  22. Click Next.
  23. In the Ready to Complete page, you may entitle users now, or leave it unchecked and do it later. Click Submit.

If you opted to add entitlements now:

  1. In the Add Entitlements window, click Add.
  2. Find a group that will have permission to log into these desktops, and click OK.
  3. Then click OK.

To check the status of the virtual desktops:

  1. Go to Inventory > Desktops.
  2. You might have to click the refresh icon on the top right to see the new pool.
  3. Click the link for the pool name.
  4. On the Summary page, if you scroll down, the vCenter Server section has a State field where you can see the status of the pool creation process.  It takes several minutes to publish the master image snapshot. After the snapshot is copied to the Replica, vSphere creates a digest file for View Storage Accelerator, which takes a few more minutes.
  5. Horizon Console has a Pending Image progress bar that doesn’t update automatically. To refresh it, scroll up and click the refresh icon.

  6. You can watch the progress in vSphere Client’s Recent Tasks list. In high-density pools, Instant Clones are forked from the cp-parent machine. In low-density pools, Instant Clones are cloned from the cp-replica.


  7. Eventually the pool’s tabs named Machines and Machines (InstantClone Details) will show the new machines.
  8. iccleanup.cmd can show you (list) the structure of the Instant Clones. For higher-density pools, there is a cp-parent at the bottom of the hierarchy. For Smart Provisioning of lower-density pools, there is no cp-parent.

If you wish to automate the creation of the pool, Aresh Sarkari at Automating Desktop Pool creation using PowerCLI – VMware Horizon 7.x explains New-HVPool -spec 'C:\temp\DesktopPool\LinkedClone.json' and the contents of the JSON file.

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. In Horizon Console, go to Inventory > Desktops.
  2. Click the link for a pool name.
  3. Switch to the Entitlements tab to see the existing entitlements.
  4. Click Add entitlements.
  5. In the Add Entitlements window, click Add.
  6. Find a group that will have permission to log into these desktops, and click OK.
  7. Then click OK.

Add Machine to Pool

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click the link for an existing Desktop Pool.
  3. At the top, click Edit.
  4. Switch to the Provisioning Settings tab, scroll down, and change the Max number of machines. Then click OK.
  5. With Instant Clones, this won’t take very long. In high-density pools, the new machine is forked from the cp-parent. In low-density pools, the new machine is cloned from the cp-replica.

  6. If you open the pool, the tabs named Machines and Machines (InstantClone Details) show the new machines.

Update a Pool

Master Image Preparation

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  5. Delete one or more of the snapshots.
  6. In Horizon Console, go to Inventory > Desktops.
  7. Click the link for a pool name.
  8. On the Summary tab, click Maintain, and then click Schedule.
  9. In the Image page, select the new snapshot. Notice the snapshot’s monitor/resolution settings. Click Next.
  10. In the Scheduling page, decide when to apply this new image. If you select Force users to log off, notice you can customize the logoff message in Global Settings. Click Next.
  11. In the Ready to Complete page, click Finish.
  12. The pool’s Summary tab, near the bottom, indicates that the image is being pushed.

  13. You can click the tab named Machines (InstantClone Details) to check on the status of the push task. Notice the Pending Image.
  14. The snapshot is copied to each datastore.
  15. The snapshot is attached to a Replica, powered on, then powered off. Digest is then computed.
  16. Then the Replica is attached to a parent, and the parent is powered on. This all takes a bit of time. But the existing Instant Clones remain accessible until the Replica preparation is complete.
  17. Once Replicas are prepared, each machine is rebooted once.
  18. Eventually the Pending Image field will be cleared and the desktops are available again.

Host Maintenance – Instant Clones

Horizon 2012 (8.1) and newer have an option to Disable ParentVMs so vSphere Update Manager can put the hosts into maintenance mode. This uses the parentless Smart Provisioning technology. Find the option at Settings > Servers, select a vCenter server, click the More menu, and select Disable ParentVMs.

ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Instant-Clone Maintenance Utilities at Omnissa Docs:

  • IcCleanup.cmd – use this utility to unprotect and delete some or all of the internal VMs created by instant clones. This is the easiest method of cleaning up Instant Clone internal machines.
  • IcUnprotect.cmd – use this utility to unprotect folders and VMs, delete VMs, and detect VMs whose master image or snapshot is deleted.
  • IcMaint.cmd – This command deletes the master images, which are the parent VMs in vCenter Server, from the ESXi host, so that the host can be put into maintenance mode. This utility generally isn’t needed. Also see Omnissa 2144808 Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones.

Persistent Full Clones – Automated

Horizon can clone your Template machine to a specified number of Full Clones. Once Full Clones are created, you’ll need a Software Deployment tool, like Microsoft SCCM, to manage the Full Clones.

Customization Specification

Horizon uses a Customization Specification to specialize each machine cloned from the template:

  1. In vSphere Client, open the Menu and click Policies and Profiles.
  2. Make sure you have a Customization Specification with the settings detailed in the next few steps. You can create a new Customization Specification.
  3. In the Computer name page, set it to Use the virtual machine name.
  4. In the Windows license page, you can optionally set it to Include server license information but change it to Per seat.
  5. In the Network page, make sure the networks are set to DHCP. Once the machines are created you can manually set them to Static or configure DHCP reservations.
  6. In the Workgroup or domain page, enter credentials to join the new Full Clones to the domain.

Gold Image Template

  1. On the gold image machine, in sysdm.cpl > Advanced > User Profiles > Settings, make sure there are no local profiles other than your administrator profile and the Default Profile. Delete all others. Sysprep frequently fails if there is more than one profile on the template.
  2. If you have SCCM Client installed on your Gold Image, then see Prepare the client computer for imaging.
  3. Shut down the Gold Image.
  4. Right-click the gold image, expand Template, and then click Convert to Template.
  5. Before creating a pool, test deploying a new machine from the template to make sure SysPrep is successful.
    1. Right-click the Template and click New VM from This Template.
    2. In the Select clone options page, check the boxes next to Customize the operating system and Power on virtual machine after creation.
    3. In the Customize guest OS page, select the Customization Specification you created earlier.
    4. If cloning fails, then see Broadcom 2001932 Locations of sysprep log files. Store apps (aka UWP apps) are a frequent cause of SysPrep failures. You can convert your Template back to a Virtual Machine, power it on, fix the problem, power it off, and then convert it to a Template again.

Automated Full Clone Pool

  1. In Horizon Console, in the left menu, expand Inventory and then click Desktops.
  2. On the right, click Add.
  3. In the Type page, select Automated Desktop Pool and click Next.
  4. In the vCenter Server page, select Full Virtual Machines. Select your vCenter Server and then click Next.
  5. In the User Assignment page, you usually want Dedicated assignment.
  6. Automatic Assignment is an optional feature that avoids you having to manually assign users to each full clone desktop. But manual assignments give you more control over capacity planning. Click Next.
  7. In the Storage Optimization page, click Next.
  8. In the Desktop Pool Identification page, give the pool an ID (no spaces) and a Display Name that is shown to users. Horizon creates a vCenter virtual machine folder with the same name as the ID. Click Next.
  9. In the Provisioning Settings page, specify a Naming Pattern. You can hover your mouse over the information icon to see the syntax. Then scroll down.
  10. After scrolling down, specify the number of machines to create. If you specify All Machines Up-Front, then Horizon will create the Maximum Machines. If you specify Spare (Powered On) Machines, then Horizon will try to preserve this specified number of unassigned machines. Click Next.
  11. In the vCenter Settings page, click Browse next to Template and select the template you created earlier.
  12. Click Browse next to the other fields and specify where you want the new machines to be created. Make sure VM Folder Location doesn’t have any spaces in it. Click Next.
  13. In the Desktop Pool Settings page, these settings are the same as Instant Clones, but Remote Machine Power Policy might be different. Scroll down.
  14. After scrolling down, notice the option for Show Assigned Machine Name instead of the pool name. Hover your mouse over the information icons. Click Next when done.
  15. In the Remote Display Settings page, specify video settings and then click Next. Horizon 2106 (8.3) and newer let you choose 5K and 8K monitors for Blast only.
  16. In the Advanced Storage Options page, note that View Storage Accelerator is just a read cache (no write caching). If your storage can handle the reads then enabling this feature probably isn’t necessary. Click Next.
  17. In the Guest Customization page, select the Customization Specification that you created earlier. Consider checking the box next to Allow Reuse of Existing Computer Accounts.
  18. Horizon 2212 (8.8) and newer let you specify the OU for the new machines. Otherwise, they are created in the Computers container unless you pre-create the computer accounts in your desired OU. Click Next.

  19. In the Ready to Complete page, you can optionally Entitle users After Adding Pool. Click Submit. Note: users must both be entitled to the pool and assigned to an individual machine.

Machine Administration

  1. Cloning progress – Use vSphere Client Recent Tasks to watch the progress of the cloning. It will take time for the cloning to complete plus time for SysPrep to complete.
  2. If you click the Pool name link and then switch to the Machines tab, you should eventually see the new machines.
  3. Assign User to Machine – You can select a machine, click the drop-down for More Commands, and then Assign User.
  4. Machine alias – By default, the pool’s Display name is displayed to each user. You can instead change it to the individual Machine Name, or to an administrator-specified machine alias.
    1. Go to the pool’s Summary tab and click Edit.
    2. Switch to the tab named Desktop Pool Settings.
    3. Scroll down and find the checkboxes for Show Assigned Machine Name and Show Machine Alias Name. If you select Alias Name, then an additional command appears on the Machines page.
    4. After editing the pool and enabling Show Machine Alias Name, On the Machines tab, select a machine, and then click the drop-down for Update Machine Aliases. The Alias is shown to the user instead of the pool’s Display Name or the actual machine name.
  5. Add Machines – To create more Full Clone machines from the same template:
    1. Click the name (link) of the pool.
    2. On the Summary tab, click Edit.
    3. On the Provisioning Settings tab, scroll down and enter a larger Maximum Machines.

  6. Update Template – If you plan to create more Full Clone machines in the next few months, then you should update your Template by converting it to a virtual machine, update the virtual machine, and then convert it back to a Template. Note that the updated Template only applies to new Full Clones and has no effect on existing Full Clones. To update existing Full Clones, use a Software Deployment tool like Microsoft SCCM.

Related Pages

Omnissa Horizon 2412: Master Virtual Desktop

Last Modified: Jan 31, 2025 @ 10:46 am

205 Comments

Navigation

Use this post to build a virtual desktop that will be used as the parent image (aka source image, aka master image, aka gold image) for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

Virtual Hardware

Omnissa Tech Zone Manually Creating Optimized Windows Images for Horizon VMs

  1. The virtual desktop pools will use the same hardware specs (e.g., vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. For New Hard disk, consider setting Thin provision.
  3. Make sure the virtual desktop is using a SCSI controller.
  4. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  5. When building the master virtual desktop, you will probably boot from an ISO.
  6. Before using Horizon Console to create a pool based off of this master image, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure that ISO file is not configured.
  7. There’s no need for the Floppy drive so remove it.
  8. If you have any Serial ports, remove them.

Windows

Omnissa TechZone Manually Creating Optimized Windows Images for Horizon VMs

Preparation

  • Windows 11 Versions – Windows 11 is supported with Horizon 2111 (8.4) and newer.
    • Windows 11 22H2 is supported with Horizon Agent 2209 (8.7) and DEM Agent 2209 (10.7) and newer.
    • Omnissa says don’t add vTPM to the gold image. Instead add the vTPM when creating the Instant Clone pool or Full Clone pool. There are various methods of installing Windows 11 without a vTPM. See Omnissa KB article 85960 Omnissa Horizon and Horizon Cloud readiness for Microsoft Windows 11.
    • vTPM requires a Key Provider. vSphere 7 and newer have a Native Key Provider that does not need any additional servers or licenses.
      1. In vSphere Client, in Inventory, click the vCenter object. On the right, on the Configure tab, scroll down to Key Providers and add a Native Key Provider.
      2. After it’s added, select it and then click Back-up to activate it.

  • Windows 10 Versions
  • VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon Agent.
  • For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon Agent is installed.

Power Options

  1. Run Power Options. Right-click the Start Menu to access Power Options.
  2. Click Additional power settings.
  3. Select Ultimate Performance, or click the arrow to show more plans, and select High performance.
  4. Next to the power plan, click Change plan settings.
  5. Change the selection for Turn off the display to Never and click Save changes.
  6. You can also configure these settings using group policy.

System Settings

  1. Domain Join. Use sysdm.cpl to join the machine to the domain. Also see Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require reboot are not applied on instant clones.
  2. In System control panel applet (sysdm.cpl), on the Remote tab, enable Remote Desktop.
  3. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with Instant Clones.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. Omnissa App Volumes, Microsoft MSI-X App Attach, Liquidware FlexApp) or App Streaming (e.g. ThinApp, Microsoft App-V). Note: logins are fastest if apps are installed in the master image. All app layering/streaming technologies introduce a logon delay. You can use Microsoft FSLogix App Masking to hide applications and Start Menu shortcuts that users should not see.

Antivirus

Omnissa Tech Zone Antivirus Considerations in a Horizon Environment contains exclusions for Horizon, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g., exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

For Instant Clones, Defender ATP on-boarding script should run as ClonePrep post-sync script. See Tristan Tyson On-boarding VMware Horizon View Instant-Clone VDI Pools into Microsoft Defender Advanced Threat Protection.

Horizon Agent

Horizon Agent Installation/Upgrade

Install Horizon Agent on the master virtual desktop. Upgrades are performed in-place.

  1. Latency – In Horizon 2111 (8.4) and newer, maximum latency between the Horizon Agent machine and Connection Server is 120ms. Older versions of Horizon have lower maximum latencies.
  2. Group Policy – Don’t upgrade Horizon Agent to version 2412 until the Horizon group policy settings are reconfigured under the Omnissa nodes instead of under the VMware nodes.
  3. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. The latest versions of VMware Tools resolve security vulnerabilities.
    2. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    3. See Omnissa Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
  4. Horizon 2412 (8.14) is the latest version.
  5. Horizon 2312.1 (8.12.1) is an Extended Service Branch, which is supported for three years from its January 2024 release date.
  6. Horizon 2212 (8.8) is an Extended Service Branch, which is supported for three years from its January 2023 release date. The Agent was not updated for version 8.8.1.
  7. Download Horizon Agent 2412 (8.14), or Horizon Agent 2312.1 (8.12) ESB.
  8. Run the downloaded Omnissa-Horizon-Agent-x86_64-2412-8.14.0.exe.
  9. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  10. If you want the UNC Path Redirection feature in 8.7 and newer, then you must run the Agent installer with the following switches: /v ENABLE_UNC_REDIRECTION=1. You can combine the two switches.
  11. In the Welcome to the Installation Wizard for Omnissa Horizon Agent page, click Next.
  12. In the Network protocol configuration page, select IPv4, and click Next.
  13. In the Custom Setup page, there are several features not enabled by default. Horizon Smart Policies in Dynamic Environment Manager (DEM) can control some of these features but only if the features are installed.
    1. If you want USB Redirection, then enable that feature.
    2. Horizon Agent 2006 (8.0) and newer does not include Persona.
    3. If you want Scanner Redirection, then enable that feature. Note: Scanner Redirection will impact host density.
    4. Horizon Performance Tracker adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    5. In Horizon 2206 and newer, Storage Drive Redirection provides faster performance than Client Drive Redirection.
  14. Click Next when done making selections.
  15. If you see the Remote Desktop Protocol Configuration screen, then select Enable and click Next.
  16. In the Ready to Install the Program page, Horizon Agent 2306 and newer have an option to Automatically restart system on successful completion. Click Install.
  17. In the Installer Completed page, click Finish.
  18. Click Yes when asked to restart.
  19. If you want to know what features were selected during installation, look in HKLM\Software\Omnissa\Horizon\Installer\Features_HorizonAgent (or HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent). Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  20. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\Omnissa\Horizon\Agent\bin\UrlRedirection (or C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection).
  21. URL Content Redirection is configured using group policy.
  22. To verify installation of the UNC Content Redirection feature, check for the presence of C:\Program Files\Omnissa\Horizon\Agent\bin\UncRedirection (or C:\Program Files\VMware\VMware View\Agent\bin\UncRedirection).

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 (8.0) and newer are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above. 
    msiexec /i "\\fs01\bin\Omnissa\DEM\Omnissa-DEM-Enterprise-2412-10.14\Omnissa Dynamic Environment Manager Enterprise 2412 10.14 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

  1. Windows 10 Compatibility – See Omnissa 57386 Omnissa Dynamic Environment Manager and Windows 10 Versions Support Matrix
  2. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  3. DEM 2412 (10.14) is the latest release.
  4. Based on your entitlement, download either DEM 2412 (10.14) Enterprise Edition, or DEM 2412 (10.14) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  5. Run the extracted Omnissa Dynamic Environment Manager Enterprise 2412 10.14 x64.msi.
  6. In the Welcome to the Omnissa Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.
  7. In the Destination Folder page, click Next.
  8. In Choose Setup Type page, click Custom.
  9. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  10. In the Ready to install Omnissa Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the Omnissa Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  12. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value:
    • HKLM\Software\Omnissa\Omnissa VDM\Agent\USB
      • UemFlags (DWORD) = 1
  13. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

See Omnissa 93158 Information about changes in logon timing data format in Horizon form Horizon 8 2111 and Later.

By default, in services.msc, the Omnissa Horizon Logon Monitor service (or VMware Horizon View Logon Monitor service) is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

ClonePrep – Rearm

By default, when Horizon creates Instant Clones, one of the tasks that ClonePrep performs is to rearm licensing. You can prevent rearm by setting the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\omn-instantclone-ga (or vmware-viewcomposer-ga)
    • SkipLicenseActivation  (DWORD) = 0x1

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to DEM Personalization.
  • App Masking is an alternative to App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically do FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of FSLogix Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

Omnissa App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshooted.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Eligibility Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

Windows OS Optimization Tool

  1. See Windows OS Optimization Tool for Horizon Guide at Omnissa Tech Zone for details on this tool.
  2. Download the Windows OS Optimization Tool. Versions 1.2 and newer support Windows 11 22H2.
  3. Run VMwareOSOptimizationTool-x86_64.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. Near the top of the window click the Common Options button and make your selections on each of the pages. Click OK when done.

  7. The top right box named Analysis Summary shows the number of optimizations not yet applied.
  8. Review the optimizations and make changes as desired. Then on the bottom right, click Optimize.
  9. The History tab lets you rollback the optimizations.
  10. The Finalize tab contains tasks that should be run every time you seal your parent image.
  11. The Update tab lets you re-enable Windows Update so you can update the parent image.

Additional Optimizations

Additional Windows 10 Optimizations

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks. For example:
  4. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.

  5. Shutdown the master virtual desktop.
  6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  7. Take a snapshot of the master virtual desktop. Instant Clones requires a snapshot.

Related Pages

Omnissa Horizon 8 Console Configuration

Last Modified: Jan 29, 2025 @ 2:00 pm

70 Comments

Navigation

This post applies to all Omnissa Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

  • 2023 July 8 – Global SettingsHorizon Agent Restrictions in Horizon 2306 (8.10) and newer
  • 2021 Sep 30 – Horizon Console – added step to disable CORS for Horizon 2106 and newer to fix HTML Access
  • 2021 Jan 8 – updated entire article for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka Horizon 8)

Preparation

Horizon Service Account

  1. Create an account in Active Directory that Omnissa Horizon will use to login to vCenter. This account can also be used by Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for Horizon

This role has all permissions needed for both full clones and instant clones. See Privileges Required for the vCenter Server User With Instant Clones at Omnissa Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, click the hamburger menu icon and then click Administration.
  2. In the Roles node, click NEW to add a Role.
  3. Give the new role a name.
  4. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  5. On the left, click Datastore. On the right, enable Allocate space, and Browse datastore.
  6. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  7. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable Manage custom attributes, and Set custom attribute.
  8. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  9. On the left, click Network. On the right, enable Assign network.
  10. For Virtual SAN, enable Profile-driven storage and everything under it.
  11. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered on virtual machine.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and select everything under Edit Inventory.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations,  Power off, Power on, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Create.

Assign role to service account:

  1. Create an account in Active Directory that Horizon will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.

Active Directory Delegation for Instant Clones

Horizon Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at Omnissa Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create select objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All PropertiesWrite All Properties, and Reset Password. Then Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If you are viewing Advanced Features in Active Directory Users & Computers, if you view the properties of the OU, on the Security tab, click Advanced, find your service account, you should see permissions similar to the following.

Events SQL Database

Horizon 2103 (8.2) and newer support PostgreSQL. See Prepare a PostgreSQL Database for Event Reporting at Omnissa Docs.

Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at Omnissa Docs.

A new empty SQL database is needed for storage of Horizon Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it OmnissaHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login and click Properties.
  7. On the User Mapping page, check the Map box next to the OmnissaHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon Administrator Console. Don’t use Internet Explorer.

The URL entered in the browser must either be https://127.0.0.1/admin, or the Secure Tunnel URL (Horizon Console > Settings > Servers > Connection Servers tab > Edit). By default, the Secure Tunnel URL is the FQDN of the Connection Server.

If you don’t use one of these URLs then you’ll see 421 Unknown or a Login Failed message.


If you want to use a different URL than the Secure Tunnel URL (e.g., short name instead of FQDN, or load balanced name instead of server name), then go to C:\Program Files\Omnissa\Horizon\Server\sslgateway\conf or C:\Program Files\VMware\VMware View\Server\sslgateway\conf, edit or create locked.properties file, and enter the following:

allowUnexpectedHost=true
checkOrigin=false
enableCORS=false

More details at Omnissa 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon and 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. allowUnexpectedHost defaults to false in Horizon 2306 and Horizon 2212.1 and newer. Another option is to add portalHost entries as detailed at Allow Omnissa Horizon Web Client Through a Gateway at Omnissa Docs.

Then restart Omnissa Horizon Secure Gateway service.

Licensing

Horizon Licenses are available either as product keys or as cloud subscription licenses. For cloud subscription licenses, Horizon 2406 and newer can activate the license without needing an Edge Gateway but the Edge Gateway is still recommended to avoid renewing the activation every 90 days. Download the Edge Gateway from the Horizon Cloud next-gen control plane and connect it to a Connection Server. See Deploying a Horizon Edge Gateway for Horizon 8 Environments at Omnissa Tech Zone.

VMware Horizon 8 license keys must be replaced by Omnissa Horizon 8 license keys within 60 days of upgrading to Horizon 2412 or newer.

In the Horizon Administrator Console:

  1. Open Horizon Administrator Console and login.
  2. On the left, expand Settings and click Product Licensing and Usage.
  3. You’ll be asked to activate SaaS subscription license or Term/Perpetual license. Term and Perpetual are license keys.
  4. If SaaS subscription, then login to Horizon Cloud and complete the wizard.
  5. If Term or Perpetual, then enter your license key.
  6. If Term or Perpetual, then licensing information is displayed:
    • License expiration is shown.
    • Instant Clones are available in all editions.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Teams Optimization requires Horizon Advanced Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool is available in all editions.
    • App Volumes requires Horizon Enterprise Edition.
    • Smart Policies (Dynamic Environment Manager) requires Horizon Enterprise Edition.
    • Rest APIs require Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console, expand Settings, and click Administrators.
  2. On the right, near the top, on the Administrators and Groups tab, click Add.
  3. In the Select administrators or groups page, click Add.
  4. Enter the name of a group that you want to grant Horizon Administrator permissions to and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.
  6. Continue adding groups or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators or Help Desk Administrators, which grants access to the Help Desk tool). Then click Next.
  8. Select an Access Group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Federation Access Groups are available in Horizon 2103 (8.2) and newer and let you restrict admin permissions to specific Global Entitlements (Cloud Pod Architecture).
    • In Horizon 2206 and newer, Help Desk role can be assigned to Access Groups.

Help Desk Website

Horizon has a web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console, simply enter a username in the User Search box at the top of the page.

The Desktops and Applications tabs let you see what the user is entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. The Product Licensing page indicates if Help Desk is licensed or not.
  • Horizon has a built-in Help Desk Administrators role that enables members to use the Help Desk tool.

    • Add Help Desk users to the Administrators and Groups tab and assign them one of the Help Desk roles.
  • 15 minutes of History – There’s only 15 minutes of collected metric data.

See Using Horizon Help Desk Tool in Horizon Console at Omnissa Docs.

vCenter Connection

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clones
  • Update virtual machines using Instant Clones

See the Product Interoperability Matrix for supported vCenter versions.

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Client, go to the vCenter Server > Configure > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

To add the vCenter connection:

  1. In Horizon Console expand Settings, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
    4. Horizon 2106 (8.3) and newer have a Deployment Type drop-down. If on-premises, leave it set to General.
  4. Click Next.
  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.

  6. In Horizon 2012 and newer, View Composer is no longer an option.
    1. In Horizon 2006, in the View Composer page, select Do not use View Composer. There’s no need to use Composer since all editions of Horizon 2006 and newer include Instant Clones. Click Next.
  7. In the Storage page, do the following:
    1. Reclaim VM disk space requires IOPS during its operation. It’s only useful for the rare persistent Instant Clones use case and thus is generally unchecked.
    2. Check the box to Enable View Storage Accelerator and increase the host cache size up to 32768. Notes:
      • View Storage Accelerator is required for Instant Clones replica disks.
      • The cache size value is removed from RAM and that RAM is no longer accessible to virtual machines.
      • Higher host cache sizes should speed up Instant Clone Smart Provisioning (without parent image).
  8. Click Next.
  9. In the Ready to Complete page, click Submit.

Instant Clone Domain Accounts

If you plan to use Instant-Clone to create non-persistent virtual desktops, then add an administrator account that can join machines to the domain.

  1. In Horizon Console 2012 and newer, on the left expand Settings, and click Domains.
  2. On the right, the Connection Server tab shows the domains that the Connection Servers see.
  3. On the tab named Domain Accounts, click Add.
  4. Select the domain.
  5. Enter credentials of a service account that can join machines to the domain. Click OK.

Restrict Remote Access

The Users and Groups node has a Remote Access tab. If you add groups or users to this tab, then only these groups and users can login through Unified Access Gateway (UAG).

Users not in the list can’t login through Unified Access Gateway (UAG).

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

  • If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
  • If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

To disable the tunnels:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server to highlight it and click Edit.
  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the PCoIP Secure Gateway.
  5. For Blast Secure Gateway, change it to Use Blast Secure Gateway for only HTML Access connections to machine. Click OK.

Event Database and Syslog

To add the Events Database:

  1. In Horizon Console, on the left, expand Settings and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. In the Edit Event Database dialog box, do the following:
    1. Enter the name of the SQL server.
    2. Select Microsoft SQL Server as the Database type. Note: Horizon 2103 (8.2) and newer have an option for PostgreSQL.
    3. Enter the name of the database.
    4. Enter the SQL account credentials (no Windows authentication).
    5. Optionally, enter HE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple Horizon installations.
  4. Click OK.
  5. Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at Omnissa Docs.
  6. On the right, in left column, in the Event Settings section, you can click Edit to change the age of events shown in Horizon Console or Horizon Administrator.
  7. To add a Syslog server, look on the right side of the page.
  8. You can go to Monitor > Events to view the events in the database.

Global Settings

  1. In Horizon Administrator Console, on the left, expand Settings and click Global Settings.
  2. On the right, under Global Settings, in the General Settings tab, click Edit.
  3. Under Horizon Console Settings, set the Horizon Console Idle Session Timeout. 4320 minutes (72 hours) is the maximum. 
  4. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of Horizon Console.
  5. Under SSO Settings, you can set an idle timeout. This is a disconnect, not logoff.

    • In a pool’s Desktop Pool Settings, you can configure Log Off After Disconnect.
  6. Other methods of configuring an idle timeout for desktop sessions:
  7. Under Client Settings, Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to logon to Horizon Connection Server again.
  8. The Send domain list option is unchecked by default, which means users must enter a domain name instead of picking one from a list. Check this box (and uncheck Hide domain list) to restore functionality from Horizon 7.7 and earlier. See VMware Blog Post Changes in Logon for VMware Horizon.
  9. Make other changes as desired. Click OK when done.
  10. Horizon 2306 (8.10) and newer let you restrict which versions of Horizon Agent that users can connect to. Find it at Settings > Global Settings > Horizon Agent Restrictions.

Log On as Current User is also disabled by default. To enable this client feature:

  1. In Horizon Console, on the left, expand Settings, and click Servers. On the right, switch to the Connection Servers tab. Highlight a Connection Server and click Edit.
  2. Switch to the Authentication tab.
  3. Scroll down. Check the box next to Accept logon as current user. Click OK.

Client Version Restrictions

Horizon can restrict connections to a minimum version of Horizon Client.

  1. In Horizon Console, on the left, expand Settings, and click Global Settings.
  2. On the right, switch to the tab named Client Restriction Settings.
  3. Click Edit.
  4. For each client type, enter a minimum version number. Additional options are available if you scroll down.
  5. Block Additional Clients blocks all clients other than the ones you selected. One use case is to block HTML Access.
  6. You can customize the message that users see if their client is too old. This feature requires Horizon Client 2006 (aka 8.0) or newer.
  7. Click OK when done.
  8. The client version is enforced when you try to launch an icon.

Global Policies

By default, Multimedia Redirection is disabled. You can enable it in Global Policies.

  1. In Horizon Console, go to Settings > Global Policies. On the right, click Edit Policies.
  2. Set Multimedia redirection (MMR) to Allow and click OK. Notice that Multimedia redirection is not encrypted.

Backups

Connection Server LDAP Backup can be configured in Horizon Console.

  1. in Horizon Console, on the left, expand Settings and click Servers. On the right, switch to the Connection Servers tab. Select a Horizon Connection Server and click Backup Now. Backups can be found in C:\programdata\Omnissa\Horizon\backups or C:\ProgramData\VMware\VDM\backups.
  2. To change automatic backup settings, Edit the Horizon Connection Server, and switch to the Backup tab. You can schedule automatic backups.

Related Pages

Omnissa Horizon Connection Server 2412 (8.14)

Last Modified: Jan 29, 2025 @ 10:56 am

333 Comments

Navigation

This post applies to all Omnissa Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new install, skip to Install Horizon Connection Server.

Notes regarding upgrades:

  • For supported upgrade paths (which version can be upgraded to which other version), see Omnissa Interoperability Matrix.
  • Horizon 2412 (8.14) and newer require newer Omnissa license keys.
  • Horizon 7 license key does not work in Horizon 2006 (8.0) and newer. You’ll need to upgrade your license key to Horizon 8.
  • Horizon 8.x no longer supports Horizon Clients 5.x and older.
  • According to Omnissa 78445 Update sequence for Horizon 7, Horizon 8, and compatible Omnissa products, App Volumes Managers are upgraded before upgrading Connection Servers.
  • Upgrade all Connection Servers during the same maintenance window.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • Horizon 2006 (8.0) and newer do not support Security Servers. The replacement is Unified Access Gateway.
    • Composer was removed from Horizon 2012 (8.1) and newer. All editions of Horizon 2006 (8.0) and newer support Instant Clones. See Modernizing VDI for a New Horizon at Omnissa Tech Zone for migration instructions.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
    • Once the first Connection Server is upgraded, Horizon 2006 (8.0) and newer lets you upgrade the remaining Connection Servers concurrently.
    • After upgrading all Connection Servers to Horizon 2012 (8.1) or newer, see Omnissa 80781 Knowledge DML scripts for data population of new columns in view Events Database to backfill the Events Database with column data to improve Events query performance.
  • Upgrade the Horizon Group Policy template (.admx) files in sysvol.
  • Upgrade the Horizon Agents.
  • DEM Console should not be upgraded until all DEM Agents are upgraded.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded any time before the rest of the infrastructure is upgraded.

Install/Upgrade Horizon Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between Standard and Replica.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 4,000 user connections.

Horizon 2412 (8.14) is the latest release.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at Omnissa Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022. Windows Server 2025 is not yet supported
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for Omnissa Horizon 8.
  4. Horizon 2312 and newer no longer support Windows Server 2012 R2.
  5. Horizon 2006 (8.0) and newer no longer need Flash.
  6. Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.
  7. Download Horizon 2412 (8.14) Horizon Connection Server.
  8. Run the downloaded Omnissa-Horizon-Connection-Server-x86_64-2412-8.14.0.exe.
  9. In the Welcome to the Installation Wizard for Omnissa Horizon Connection Server page, click Next.
  10. In the Destination Folder page, click Next.
  11. In the Installation Options page, select Horizon Standard Server, and click Next.
  12. In the Data Recovery page, enter a password, and click Next.
  13. In the Firewall Configuration page, click Next.
  14. In the Initial Horizon Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  15. In the User Experience Improvement Program page, uncheck the box, and click Next.
  16. In the Operational Data Collection page, click Next.
  17. In the Ready to Install the Program page, click Install.
  18. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Horizon Connection Server Replica

Additional Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have at least 10 GB of RAM and 4 vCPU.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has at least 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at Omnissa Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022. Windows Server 2025 is not yet supported
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for Horizon 8.
  4. Horizon 2312 and newer no longer support Windows Server 2012 R2.
  5. Horizon 2006 (8.0) and newer no longer need Flash.
  6. Download Horizon 2412 (8.14) Horizon Connection Server.
  7. Run the downloaded Omnissa-Horizon-Connection-Server-x86_64-2412-8.14.0.exe.
  8. In the Welcome to the Installation Wizard for Omnissa Horizon Connection Server page, click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Replica Server, and click Next.
  11. In the Source Server page, enter the name of another Horizon Connection Server in the pod. Then click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, click Finish.
  15. Load balance your multiple Horizon Connection Servers.
  16. Horizon Console > Settings > Servers > Connection Servers tab shows multiple servers in the pod.

Horizon Connection Server Certificate

Horizon Console Certificate Management

Horizon 2212 and newer have a Certificate Management section in the Horizon Console under Settings. Horizon 2312 and newer can manage cluster certificates in addition to machine certificates.

  • The Administrators role in Horizon does not include the Certificate Management permission.

    1. Go to Settings > Administrators. On the right, switch to the tab named Role Privileges. Click Add.
    2. Name the role CertificateManagement or similar. Select the Manage Certificates privilege, which might be on page 2. Click OK.
    3. Switch to the tab named Administrators and Groups. Select your Horizon Admins group and click Add Permissions.
    4. Select your new CertificateManagement role and click Finish.
    5. If you log out, log back in, and then go to Settings > Certificate Management, the buttons should no longer be grayed out. You can either import an existing cert, or click Generate CSR to create a new cert. If you click Generate CSR, then there’s no way to use this interface to combine the signed certificate with the key, so it’s probably better to use some other method of creating a certificate and export it as a .pfx file.
    6. Click Import to upload a PFX file to the Connection Server that you are currently connected to. For Machine Identity, you’ll have to repeat this process on each Connection Server.
    7. In certlm.msc on the Connection Server, notice that it sets the vdm friendly name on the imported cert, but it doesn’t remove the vdm friendly name from the old cert. You’ll need to manually remove the vdm friendly name from the old cert.
    8. Then open services.msc and restart the Omnissa Horizon Secure Gateway service or VMware Horizon View Security Gateway Component service.
    9. Repeat this process on the other Connection Servers.

Install Cert Manually

Alternatively, install a certificate without using Horizon Console:

  1. Run certlm.msc. Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then open services.msc and restart the Omnissa Horizon Secure Gateway service or VMware Horizon View Security Gateway Component service. It will take several minutes before you can connect to Horizon Administrator Console.
  12. Horizon Console > Monitor > Dashboard > System Health > View > Components > Connection Servers should show the Machine Identity Certificate as Valid.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install Omnissa Horizon Client link redirects to the Omnissa.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. These instructions changed in Connection Server 2406.
  2. On the Horizon Connection Server, go to C:\Program Files\Omnissa\Horizon\Server\broker\webapps\portal or C:\Program Files\VMware\VMware View\Server\broker\webapps\portal.
  3. Create a new folder called downloads.
  4. Copy the downloaded Horizon Client 2412 for Windows to the new C:\Program Files\Omnissa\Horizon\Server\broker\webapps\portal\downloads folder.
  5. Run Notepad as administrator.
  6. Open the file C:\ProgramData\Omnissa\Horizon\portal\portal-links-web-client.properties or   C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  7. Go back to the downloads folder and copy the Horizon Client filename.
  8. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. There’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client. 
    link.win64=/portal/downloads/Omnissa-Horizon-Client-2412-8.14.0-12437220870.exe
  9. Then Save the file.
  10. Restart the Omnissa Horizon Servlet Host service or the VMware Horizon View Web Component service or restart the entire Connection Server.
  11. It will take a few seconds for the ws_TomcatService process to start, so be patient. If you get a 503 error, then the service is not done starting.
  12. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  13. Repeat these steps on each Connection Server.

Portal Branding

Paolo Valsecchi at VMware Horizon 8: customize the login page details how to brand the Horizon portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, and Fingerprints, is disabled by default. To enable: (source = Configure Biometric Authentication at Omnissa Docs)

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using Citrix NetScaler.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-2402-ltsr-and-licensing/#rdlicensing.

Antivirus

Omnissa Tech Zone Antivirus Considerations in a Horizon Environment: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Run the following command to enable the timing profiler on each Connection Server instance to view logon segments in the Help Desk tool. See Omnissa Docs for more info.

vdmadmin -I -timingProfiler -enable

Related Pages

EUC Weekly Digest – August 1, 2020

Last Modified: Nov 7, 2020 @ 6:34 am

Leave a comment

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

Citrix Workspace app

Citrix ADC

Citrix ADM

Citrix Gateway

Citrix Cloud

VMware

Microsoft

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – July 25, 2020

Last Modified: Nov 7, 2020 @ 6:34 am

Leave a comment

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

  • Citrix LTSR Assistant updated July 23 – Added support for Citrix Virtual Apps and Desktops 7 1912 LTSR Cumulative Update 1.

Citrix VDA

Citrix StoreFront

Citrix Workspace app

Citrix Gateway

VMware

Microsoft

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – July 18, 2020

Last Modified: Nov 24, 2020 @ 9:16 am

Leave a comment

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

  • Supported Databases for Citrix – SQL 2019 is Supported with CU6 or higher for Citrix Virtual Apps and Desktops 7.15 LTSR, but not PVS 7.15? – Citrix Knowledgebase article

Citrix App Layering

Citrix Workspace app

Citrix ADC

Citrix Gateway

Citrix Endpoint Management

VMware

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – July 11, 2020

Last Modified: Nov 7, 2020 @ 6:34 am

Leave a comment

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

Citrix VDA

Citrix App Layering

Citrix ADC

Citrix ADM

VMware

Other

  • NVIDIA vGPU software 11.0 – unlicense grace period, support for Windows 10 2004 as a guest OS, support for CVAD 2006, support for Citrix Hypervisor 8.2

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – July 4, 2020

Last Modified: Nov 7, 2020 @ 6:34 am

10 Comments

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

Citrix VDA

Citrix Provisioning

Citrix StoreFront

Citrix Workspace app

Citrix ADC

Citrix Gateway

  • New nFactor EPA section describing how to do SmartAccess using nFactor EPA – carlstalhood.com

Citrix Endpoint Management

VMware

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – June 27, 2020

Last Modified: Nov 24, 2020 @ 9:16 am

Leave a comment

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

Citrix WEM and Profile Management

Citrix Workspace app

Citrix ADC

Citrix Gateway

Microsoft

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.