NetScaler 11.1 System Configuration

Last Modified: Jan 15, 2021 @ 6:23 am


VPX Hardware

NetScaler VPX Release 11.1 supports new VPX models on ESXi. These new models include: VPX 25, VPX 5G, VPX 25G, etc. See the NetScaler VPX datasheet for more info.

NetScaler VPX Release 11.1 also supports changing the NIC type to VMXNET3 or SR-IOV. The imported appliance comes with E1000 NICs so you’ll have to remove all of the existing virtual NICs and add new VMXNET3 NICs.

Power On VPX and configure NSIP

  1. After swapping out the NICs to VMXNET3, power on the NetScaler VPX appliance.
  2. Configure the management IP from the VM’s console.
  3. Then point your browser to the management IP using either http or https and login as nsroot with password nsroot. Change the default nsroot password as soon as you are logged in: the factory credential is public knowledge, and the NSIP is the appliance’s full administrative interface.

Auto-Provision IP Address

When importing VPX into a hypervisor, you can use VM advanced configuration parameters to set the NSIP. See CTX128250 How to Auto-Provision NetScaler VPX Appliance on a VMware ESX or ESXi Host, and CTX128236 How To Auto-Provision NetScaler VPX on XenServer.

Customer User Experience Improvement Program

  1. You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable, or click Skip.

  2. You can also enable or disable the Customer Experience Improvement Program by going to System > Settings.
  3. On the right is Change CUXIP Settings.
  4. Make your selection and click OK.
  5. See https://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#ceip for additional places where CEIP is enabled.
set system parameter -doppler ENABLED

Welcome Wizard

NetScaler has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.

  1. Click the Subnet IP Address box.
  2. You can either enter a SNIP for one of your production interfaces, or you can click Do it later, and add SNIPs later after you configure Port Channels and VLANs. Note: If you have a dedicated management network, to prevent it from being used for outgoing traffic, don’t put a SNIP on it.

    add ns ip 10.2.2.60 255.255.255.0 -type SNIP
  3. Click the Host Name, DNS IP Address, and Time Zone box.
  4. Enter a hostname. Your NetScaler Gateway Universal licenses are allocated to this hostname. In a High Availability pair each node can have a different hostname. You typically create a DNS record that resolves the hostname to the NSIP (management IP).
  5. Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
  6. Change the time zone to GMT-05:00-CDT-America/Chicago or similar.
  7. Click Done.

    set ns hostname ns02
    
    add dns nameServer 10.2.2.11
    
    set ns param -timezone "GMT-05:00-CDT-America/Chicago"
  8. Click Yes to save and reboot.
  9. Click the Licenses box.
  10. On the far right side of the screen, you’ll see the Host ID. You’ll need this to allocate your licenses at citrix.com. See below for detailed instructions on how to allocate the license to this Host ID.
  11. On the left, select Upload license files, and click Browse.
  12. Browse to the license file, open it, and click Reboot when prompted.
  13. After the reboot and logging in, a box will pop up showing you the installed license.
  14. Also look in the top left corner to make sure it doesn’t say NetScaler VPX (1). The number in the parentheses should match the MPX or VPX model number.

    License files are stored in /nsconfig/license.

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

  1. Go to the Configuration tab.
  2. In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
  3. Another option is to SSH to the appliance and run shell.
  4. Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

  1. Login to http://mycitrix.com.
  2. On the left, click All Licensing Tools.
  3. On the right, in the top right horizontal menu, click Activate and Allocate Licenses.
  4. If you are activating an eval license, click Don’t see your product near the top, and enter the eval license key.

  5. Otherwise, check the box next to a Citrix NetScaler VPX or MPX license, and click Continue.
  6. If this is a NetScaler MPX license, there is no need to enter a Host ID for this license, so just click Continue.
  7. If this is a NetScaler VPX license, enter the VPX MAC address into the Host ID field. It’s not obvious, but you can enter text in this drop-down field.
  8. If you have more than one VPX license, change the Quantity field to 1, and then click Continue.

    For a VPX appliance, you can get the Host ID by looking at the System Information page. Click the System node to see this page.
  9. Click Confirm.
  10. Click OK when asked to download the license file.
  11. Click Download.
  12. Click Save and put it somewhere where you can get to it later.
  13. If you are running NetScaler 11.1 build 51 or newer, then 500 or more NetScaler Gateway Universal Licenses are already included in your NetScaler platform license. NetScaler Standard comes with 500 Gateway Universal, NetScaler Enterprise comes with 1,000 Gateway Universal, and NetScaler Platinum comes with unlimited Gateway Universal.
  14. If you need more Gateway Universal licenses on your NetScaler, you can allocate them now. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
  15. Enter your appliance hostname as the Host ID for all licenses. If you have two appliances in a HA pair, allocate these licenses to the first appliance hostname, then reallocate them to the second appliance hostname.
  16. Click Confirm.
  17. Click OK when prompted to download your license file.
  18. Click Download.
  19. Click Save.
  20. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname. The top right horizontal menu bar has a Reallocate option.

Install Licenses on Appliance

If you haven’t already installed licenses on your appliance, then do the following:

  1. In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
  2. On the top right, click Manage Licenses.
  3. Click Add New License.
  4. If you have a license file, select Upload license files from a local computer and then click Browse. Select the license file and click Open.

    License files are stored in /nsconfig/license.
  5. Click Reboot when prompted. Login after the reboot.
  6. After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
  7. Maximum NetScaler Gateway Users Allowed will vary depending on your NetScaler Edition.
  8. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.

Upgrade Firmware

Citrix CTX220371 Must Read Articles Before and After Upgrading NetScaler

Citrix CTX127455 How to Upgrade Software of the NetScaler Appliances in a High Availability Setup

  1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts (bell) link on the top right after logging in.
  2. Make sure you Save the config before beginning the upgrade.
  3. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
  4. When upgrading from 10.5 or older, make sure the NetScaler Gateway Theme is set to Default or Green Bubbles. After the upgrade, you’ll have to create a new Portal Theme and bind it to the Gateway vServers.
  5. Start with the Secondary appliance.
  6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
  7. In the NetScaler GUI, with the top left node (System) selected, on the right, click System Upgrade.
  8. Click Choose File and browse to the build…tgz file. If you haven’t downloaded firmware yet then you can click the Download Firmware link.
  9. Click Upgrade.
  10. The firmware will upload.
  11. You should eventually see a System Upgrade window with text in it. Click Yes when prompted to reboot.
  12. Once the Secondary is done, login and failover the pair.
  13. Then upgrade the firmware on the former Primary.

 

To install firmware by using the command-line interface

  1. To upload the software to the NetScaler Gateway, use an SCP/SFTP client (e.g. WinSCP) to connect to the appliance.
  2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/11.1.47).
  3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.1.47) directory on the appliance.
  4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
  5. At a command prompt, type shell.
  6. At a command prompt, type cd /var/nsinstall/<version> to change to the nsinstall directory.
  7. To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart NetScaler.
  11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The Synchronization exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

  1. Prepare the secondary appliance:
    1. Configure a NSIP.
    2. Don’t configure a SNIP. In Step 2, Subnet IP Address, you can click Do It Later to skip the wizard. You’ll get the SNIP later when you pair it.
    3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.

    4. License the secondary appliance.
    5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
  2. On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.


    set ha node -hastatus STAYSECONDARY
  3. On the primary appliance, on the left, expand System, expand Network and click Interfaces.
  4. On the right, look for any interface that is currently DOWN.
  5. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface, and click Disable. Repeat for the remaining disconnected interfaces.

    show interface
    disable interface 1/1
  6. On the left, expand System and click High Availability.
  7. On the right, double-click node 0 to edit it.
  8. Change the High Availability Status to STAY PRIMARY, and click OK.
  9. On the right, click Add.
  10. Enter the other NetScaler’s IP address.
  11. Enter the other NetScaler’s login credentials, and click Create.

    add ha node 1 192.168.123.14
    Note: this CLI command must be run separately on each appliance.
  12. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.
  13. Eventually it will say SUCCESS.
  14. To enable Fail-safe mode, edit Node ID 0 (the local appliance).

    1. Change High Availability State back to ENABLED.
    2. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down, and click OK.

      set ha node -failSafe ON
  15. If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
  16. On the secondary appliance, go to System > High Availability, edit the local node, and change it from STAY SECONDARY to ENABLED.
  17. Go to System > Network > Routes, and make sure you don’t have two 0.0.0.0 routes. Joining an appliance to an HA pair causes the default route on the primary appliance to sync to the secondary appliance. But, it doesn’t delete the default gateway that was formerly configured on the secondary appliance.
  18. From the NetScaler CLI (SSH), run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
  19. You can also disable HA heartbeats on specific interfaces.
    1. Note: Make sure HA heartbeats are enabled on at least one interface/channel.
    2. Note: this is an interface configuration, so this configuration change is not propagated to the other node.
  20. You can force failover of the primary appliance by going to System > High Availability, opening the Actions menu, and clicking Force Failover.

    force ha failover
    If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Port Channels on Physical NetScaler MPX

If you are configuring a NetScaler MPX (physical appliance), and if you plugged in multiple cables, and if more than one of those cables is configured on the switch for the same VLAN(s), then you must bond the interfaces together by configuring a Port Channel. On the switch, create a Port Channel, preferably with LACP enabled. The Port Channel can be an Access Port (one VLAN), or a Trunk Port (multiple VLANs). On the NetScaler, configure LACP on the network interfaces, or create a Channel manually. Both are detailed below.

Also see Webinar: Troubleshooting Common Network Related Issues with NetScaler.

LACP Port Channel

To configure Port Channels on a NetScaler, you can either enable LACP, or you can configure a Channel manually. If your switch is configured for LACP, do the following on NetScaler to enable LACP on the member interfaces.

  1. Go to System > Network > Interfaces.
  2. On the right, edit one of the Port Channel member interfaces.
  3. Scroll down.
  4. Check the box next to Enable LACP.
  5. In the LACP Key field, enter a number. The number you enter here becomes the channel number. For example, if you enter 1, NetScaler creates a Channel named LA/1. All member interfaces of the same Port Channel must have the same LACP Key. Click OK when done.
  6. Continue enabling LACP on member interfaces and specifying the key (channel number). If you are connected to two port channels, one set of member interfaces should have LACP Key 1, while the other set of member interfaces should have LACP Key 2.
  7. Note: in an HA pair, you must perform this interface configuration on both nodes. The LACP commands are not propagated across the HA pair.
  8. If you go to System > Network > Channels.
  9. You’ll see the LACP Channels on the right. These were created automatically.
  10. If you edit a Channel, there’s a LACP Details tab that shows you the member interfaces.

Manual Channel

If your switch is not configured for LACP, then you can instead create a Channel manually.

  1. Go to System > Network > Channels.
  2. On the right, click Add.
  3. At the top, choose an unused Channel ID (e.g. LA/2).
  4. On the bottom, click Add.
  5. Click the plus icon next to each member interface to move it to the right. Then click Create.

Redundant Interface Set

You can also configure the NetScaler for switch-independent teaming. Create a Channel manually, but select a Channel ID that starts with LR instead of LA. This is called Link Redundancy or Redundant Interface Set.

Channel Minimum Throughput

Channels can be configured so that a High Availability failover occurs when the Channel throughput drops below a configured value. For example, if you have four members in a Channel, you might want a High Availability failover to occur when two of the member interfaces fail.

  1. Go to System > Network > Channels, and edit a Channel.
  2. Near the top, enter a minimum threshold value in the Throughput field. If the total bonded throughput drops below this level, a High Availability failover will occur.

Trunk Port and High Availability

If you are trunking multiple VLANs across the channel, and if every VLAN is tagged (no native VLAN), then a special configuration is needed to allow High Availability heartbeats across the channel.

  1. Go to System > Network > VLAN.
  2. Add VLAN objects, and bind to the channel (e.g. LA/1).
  3. To bind multiple VLANs to a single interface/channel, the VLANs must be tagged.
  4. Configure one of the VLANs as untagged. Only untag one of them. Which one you untag doesn’t matter, except that the same VLAN should be untagged on the other HA node. If your switch doesn’t allow untagged packets, don’t worry, we’ll fix that soon.
  5. If your switch doesn’t allow untagged packets, go to System > Network > Channels, and edit the channel.
  6. Scroll down. On the Settings tab, set Tag all VLANs to ON. This causes NetScaler to tag all packets, including the VLAN you formerly marked as untagged. This special configuration is necessary to also tag High Availability heartbeat packets.
  7. Note: in an HA pair, you must perform this Tagall configuration on both nodes. The Tagall command is not propagated across the HA pair.

Common physical interface configuration

Here is a common NetScaler networking configuration for a physical NetScaler MPX that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal, then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server: in other words, traffic comes into a DMZ VLAN, but goes out an internal VLAN. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

  • 0/1 connected to a dedicated management network. NSIP is on this network.
    • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, LA/1, etc.) and don’t connect any cables to 0/1.
    • To prevent NetScaler from using this dedicated management interface for outbound data traffic, don’t put a SNIP on this management network, and configure the default gateway (route 0.0.0.0) to use a router on a different data network (typically the DMZ VLAN). However, if there’s no SNIP on this VLAN, and if the default gateway is on a different network, then there will be asymmetric routing for management traffic, since inbound management traffic goes in 0/1, but reply traffic goes out LA/1 or LA/2. To work around this problem, enable Mac Based Forwarding, or configure Policy Based Routing. Both of these options are detailed in the next section.
    • It’s easiest if the switch port for this dedicated management interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
  • 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
  • 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). The default gateway (route 0.0.0.0) points to a router on a DMZ VLAN so replies can be sent to Internet clients.
    • If only one DMZ VLAN, configure the switch ports/channel as an Access Port.
    • If multiple DMZ VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.

Dedicated Management Subnet

Dedicated Management Subnet implies that your NetScaler is connected to multiple VLANs. If you have a subnet that is for NSIP only, and don’t want to use the NSIP subnet for data traffic, then you’ll want to move the default route to a different subnet, which breaks reply traffic from the NSIP. To work around this problem, create a PBR for the NSIP to handle replies from the NSIP, and to handle traffic sourced by the NSIP.

  1. Go to System > Network > PBRs.
  2. On the right, click Add.
  3. Give the PBR a name (e.g. NSIP)
  4. Set the Next Hop Type drop-down to New.
  5. In the Next Hop field, enter the router IP address that is on the same network as the NSIP.
  6. In the Configure IP section, set the first Operation drop-down to =.
  7. In the Source IP Low field, enter the NSIP. This causes the PBR to match all traffic with NSIP as the Source IP address.
  8. You don’t need anything else.
  9. Scroll down, and click Create.
  10. To handle DNS traffic sourced by the NSIP, create another PBR by right-clicking the existing one, and clicking Add.
  11. Change the name to NSIP-DNS or similar.
  12. Change the Action drop-down to DENY. This prevents the PBR from overriding normal DNS behavior.
  13. Change the Priority to a lower number than the original PBR. Scroll down.
  14. In the Configure Protocol section, click the Protocol drop-down, and select UDP (17).
  15. In the Destination section, change the Operation to =.
  16. In the Destination port Low field, enter 53.
  17. Scroll down, and click Create.
  18. Make sure the DENY PBR is higher in the list (lower priority number) than the ALLOW PBR.
  19. Then open the Action menu, and click Apply.

    add ns pbr NSIP-DNS DENY -srcIP = 10.2.2.126 -destPort = 53 -nextHop 10.2.2.1 -protocol UDP -priority 5
    add ns pbr NSIP ALLOW -srcIP = 10.2.2.126 -nextHop 10.2.2.1
    apply ns pbrs

If you want a floating management IP that is always on the Primary appliance, here’s a method of granting management access without adding a SNIP to the management subnet:

  1. Create a Load Balancing Service on HTTP 80 on IP address 127.0.0.1. You might already have one called AlwaysUp that is used with SSL Redirects. Note: NetScaler doesn’t allow creating a Load Balancing service on IP address 127.0.0.1 and port 443 (SSL).
    1. The IP address you enter is 127.0.0.1. When you view the Load Balancing Service, it shows the local NSIP. After a HA failover, the IP Address will change to the other NSIP.
  2. Create a Load Balancing Virtual Server using a VIP on the management subnet. Protocol = SSL. Port number = 443. Bind a server certificate to this SSL Virtual Server; an SSL Virtual Server stays DOWN until a certificate-key pair is bound to it.

    1. Bind the AlwaysUp:80 or loopback:80 service to the Load Balancing Virtual Server. In summary: the front end is 443 SSL, while the LB Service is 80 HTTP.
  3. Add the new VIP to the PBRs so the replies go out the correct interface.
  4. You should then be able to point your browser to https://Step2VIP to manage the appliance.
  5. You can perform the same loopback trick for 22 SSH. Create a Load Balancing Service on TCP 22 on IP address 127.0.0.1.
  6. Create a Load Balancing Virtual Server using the management VIP specified earlier. Protocol = TCP. Port number = 22.

    1. Bind the loopback:TCP:22 service to the Load Balancing Virtual Server.
  7. You should then be able to point your SSH Client to <Step2VIP> to manage the appliance.
  8. CLI Commands for the floating management VIP:
    add service AlwaysUp 127.0.0.1 HTTP 80
    add service mgmt-SSH 127.0.0.1 TCP 22
    add lb vserver mgmt-SSL SSL 10.2.2.128 443
    add lb vserver mgmt-SSH TCP 10.2.2.128 22
    bind lb vserver mgmt-SSL AlwaysUp
    bind lb vserver mgmt-SSH mgmt-SSH
    set ns pbr NSIP-DNS DENY -srcIP = 10.2.2.126-10.2.2.128 -destPort = 53 -nextHop 10.2.2.1 -protocol UDP -priority 5
    set ns pbr NSIP ALLOW -srcIP = 10.2.2.126-10.2.2.128 -nextHop 10.2.2.1
    apply ns pbrs

Multiple Subnets / Multiple VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.

If this is a physical MPX appliance, see the previous Port Channel section first.

If you only connected NetScaler to one subnet (one VLAN) then skip ahead to DNS servers.

Configuration Overview

The general configuration process for multiple subnets is this:

  1. Create a SNIP for each subnet/VLAN.
  2. Create a VLAN object for each subnet/VLAN.
    1. Bind the VLAN object to the SNIP for the subnet.
    2. Bind the VLAN object to the Port Channel or single interface that is configured for the VLAN/subnet.

SNIPs for each VLAN

You will need one SNIP for each connected subnet/VLAN. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. The SNIP and its subnet mask, bound to the VLAN, tell NetScaler which subnet is reachable through which interface.

NSIP Subnet

The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any network that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as an access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

Configure Subnets/VLANs

To configure NetScaler with multiple connected subnets:

  1. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
  2. On the right, click Add.

    1. Enter the Subnet IP Address for this network/subnet. This SNIP will be the source IP address the NetScaler will use when communicating with any other service/server on this network. The Subnet IP is also known as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
    2. Enter the netmask for this network.
    3. Ensure the IP Type is set to Subnet IP. Scroll down.

      add ns ip 172.16.1.11 255.255.255.0 -type SNIP
    4. Under Application Access Controls, decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP, only the primary appliance will respond. However, enabling management access on a SNIP exposes the GUI and SSH on that data VLAN, which is a security risk, especially if this is a SNIP for a DMZ network.
    5. Click Create when done.
  3. Continue adding SNIPs for each connected network (VLAN).

    set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
  4. On the left, expand System, expand Network, and click VLANs.
  5. On the right, click Add.
  6. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged, then any ID (except 1) will work.
  7. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
  8. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
  9. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1, and instead put in this VLAN ID.
  10. Switch to the IP Bindings tab.
  11. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.

    add vlan 50
    bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
    
  12. On the left, expand System, expand Network, and click Routes.
  13. On the right, click Add.

    1. Internal networks are usually only accessible through an internal router. Add static routes to the internal networks, and set the Gateway (next hop) to an internal router.
    2. Make sure NULL Route is set to No.
    3. Set the Gateway (Next Hop) to an internal router.
    4. Then click Create.

      add route 10.2.0.0 255.255.0.0 10.2.2.1
  14. The default route should be changed to use a router on the DMZ network (towards the Internet). Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. You usually only need to do this for dedicated management networks.
    1. Note: PBR is recommended over MBF, because PBR can handle traffic sourced by NSIP (e.g Syslog traffic), while MBF cannot.
    2. Mac Based Forwarding sends replies out the same interface they came in on. However, MBF ignores the routing table, and doesn’t handle traffic sourced by the NSIP (e.g. LDAP traffic). To enable MBF:
      1. On the left, expand System, and click Settings.
      2. On the right, in the left column, click Configure modes.
      3. Check the box next to MAC Based Forwarding (MBF), and click OK. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).
  15. Go back to System > Network > Routes. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route, PBR, or MBF to the IP address of the machine you are running the browser on.

    rm route 0.0.0.0 0.0.0.0 10.2.2.1
  16. Then click Add.
  17. Set the Network to 0.0.0.0, and the Netmask to 0.0.0.0.
  18. Make sure NULL Route is set to No.
  19. Enter the IP address of the DMZ (or data) router, and click Create.

    add route 0.0.0.0 0.0.0.0 172.16.1.1
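
To see why the NSIP needs a PBR once the default route moves to the DMZ router, and why the DNS DENY rule must sit above the ALLOW rule, here is a small Python model of the lookup order described in the PBR and routing steps above: PBRs in priority order, with DENY falling through to the routing table, then longest-prefix match, then the default route. It is an added example, not code from this article or from Citrix. It uses the page’s addresses (NSIP 10.2.2.126, DNS server 10.2.2.11, routers 10.2.2.1 and 172.16.1.1, SNIP 172.16.1.11) and assumes an admin workstation at 192.168.50.10 and an internal server at 10.2.50.20; MAC Based Forwarding is not modeled.

```python
"""Model of the NetScaler forwarding decision described on this page.

Added example, not code from the original article or from Citrix. Addresses
come from the page; the admin workstation (192.168.50.10), the internal server
(10.2.50.20) and the CONNECTED marker are this example's own assumptions.
"""
import ipaddress

# Constructed from the page: NSIP subnet, internal SNIP subnet, routes, PBRs.
CONNECTED = [ipaddress.ip_network("10.2.2.0/24"), ipaddress.ip_network("172.16.1.0/24")]
ROUTES = {                      # add route <network> <netmask> <gateway>
    "10.2.0.0/16": "10.2.2.1",  # internal networks via the internal router
    "0.0.0.0/0": "172.16.1.1",  # default route via the DMZ router
}
# add ns pbr <name> <action> -srcIP = <ip> [-destPort = 53 -protocol UDP] -nextHop <gw> -priority <n>
PBRS = [
    dict(name="NSIP-DNS", action="DENY", src="10.2.2.126", dport=53, proto="UDP", next_hop="10.2.2.1", priority=5),
    dict(name="NSIP", action="ALLOW", src="10.2.2.126", dport=None, proto=None, next_hop="10.2.2.1", priority=10),
]


def route_lookup(dst, routes=ROUTES, connected=CONNECTED):
    """Longest-prefix match; a directly connected destination needs no gateway."""
    dst = ipaddress.ip_address(dst)
    if any(dst in net for net in connected):
        return "CONNECTED"
    best = None
    for net, gw in routes.items():
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def pbr_lookup(src, dst, proto, dport, pbrs=PBRS):
    """First matching PBR in priority order: ALLOW yields its next hop, DENY yields None."""
    for p in sorted(pbrs, key=lambda p: p["priority"]):
        if p["src"] != src:
            continue
        if p["proto"] and p["proto"] != proto:
            continue
        if p["dport"] and p["dport"] != dport:
            continue
        return None if p["action"] == "DENY" else p["next_hop"]
    return None  # no PBR applies; fall through to the routing table


def next_hop(src, dst, proto="TCP", dport=None, pbrs=PBRS, routes=ROUTES):
    """PBR wins when it matches and ALLOWs; otherwise the routing table decides."""
    hop = pbr_lookup(src, dst, proto, dport, pbrs)
    return hop if hop is not None else route_lookup(dst, routes)


def reprioritized(pbrs, overrides):
    """Copy of pbrs with the priority of the named rules replaced (to show ordering mistakes)."""
    return [dict(p, priority=overrides.get(p["name"], p["priority"])) for p in pbrs]


if __name__ == "__main__":
    cases = [
        ("reply from NSIP to admin, with PBR", "10.2.2.126", "192.168.50.10", "TCP", None, PBRS),
        ("reply from NSIP to admin, no PBR", "10.2.2.126", "192.168.50.10", "TCP", None, []),
        ("DNS query from NSIP", "10.2.2.126", "10.2.2.11", "UDP", 53, PBRS),
        ("DNS query, DENY below ALLOW", "10.2.2.126", "10.2.2.11", "UDP", 53, reprioritized(PBRS, {"NSIP-DNS": 20})),
        ("SNIP to internal server", "172.16.1.11", "10.2.50.20", "TCP", None, PBRS),
    ]
    for label, src, dst, proto, dport, pbrs in cases:
        print(f"{label:36s} -> {next_hop(src, dst, proto, dport, pbrs)}")
```

Without the ALLOW PBR, the reply from the NSIP to the admin workstation follows the default route to the DMZ router (172.16.1.1): inbound on the management interface, outbound on the DMZ channel, which is the asymmetric routing the page warns about. With the DENY rule ordered first, a DNS query from the NSIP to the on-link DNS server is delivered directly; give the DENY rule a higher priority number than the ALLOW rule and the same query is pushed through 10.2.2.1 instead.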

DNS Servers

  1. To configure DNS servers, expand Traffic Management, expand DNS, and click Name Servers.
  2. On the right, click Add.
  3. Enter the IP address of a DNS server, and click Create.
  4. Note: The NetScaler must be able to ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP.

    add dns nameServer 10.2.2.11
  5. NetScaler 11.1 build 51 and newer includes DNS Security Options, which are useful if you use this NetScaler to provide DNS services to clients (e.g. DNS Proxy/Load Balancing, GSLB, etc.).

NTP Servers

  1. On the left, expand System, and click NTP Servers.
  2. On the right, click Add.
  3. Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.

    add ntp server pool.ntp.org
  4. Open the Action menu and click NTP Synchronization.
  5. Select ENABLED and click OK.

    enable ntp sync
  6. You can click the System node to view the System Time.
  7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date --help to see the syntax.
  8. ntpdate -u pool.ntp.org will cause an immediate NTP time update.

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

  1. On the left, expand System, expand Auditing, and click Syslog.
  2. On the right, switch to the Servers tab and click Add.
  3. Enter a name for the Syslog server.
  4. If 11.1-49 or newer, you can change Server Type to Server Domain Name and enter a FQDN.
  5. Enter the IP Address or FQDN of the SYSLOG server, and 514 as the port. Syslog on UDP 514 is cleartext and unauthenticated, so send it across the management network only.
  6. Configure the Log Levels you’d like to send to it.
  7. Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
  8. Select your desired Time Zone and then click Create.

    add audit syslogAction MySyslogServer 10.2.2.12 -logLevel ALL -timeZone LOCAL_TIME
    Or, on 11.1-49 and newer, by FQDN instead of IP address (use one form or the other, not both):
    add audit syslogAction MySyslogServer -serverDomainName syslog.corp.local -logLevel ALL -timeZone LOCAL_TIME
  9. On the right, switch to the Policies tab, and then click Add.
  10. Give the policy a descriptive name, select the Syslog server, and then click Create.

    add audit syslogPolicy MySyslogServer ns_true MySyslogServer
  11. While still on the Policies tab, open the Actions menu, and click Classic Policy Global Bindings or Advanced Policy Global Bindings, depending on which one you chose when creating the Syslog policy.
  12. Click the arrow next to Click to select.
  13. Select the Syslog policy you want to bind and click Select.
  14. If you don’t select anything in Global Bind Type, then it defaults to SYSTEM_GLOBAL.
  15. Click Bind.
  16. Click Done.

    bind audit syslogGlobal -policyName MySyslogServer -priority 100
    bind system global MySyslogServer -priority 100
    Only one of the two bind commands is needed; which one applies depends on the policy type (Classic or Advanced) you chose above.

SNMP – MIB, Traps, and Alarms

  1. On the left, expand System, and click SNMP.
  2. On the right, click Change SNMP MIB.
  3. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
  4. In an HA pair, this configuration needs to be repeated on the other node; the SNMP MIB settings are node-specific.

    set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
  5. Expand System, expand SNMP, and click Community.
  6. On the right, click Add.
  7. Specify a community string and the Permission and click Create. The community string is the only credential SNMP v1/v2c has, so don’t use public (the well-known default) in production: use a unique string with GET permission only, or configure SNMPv3 users under System > SNMP > Users, which add authentication and encryption.

    add snmp community public GET
  8. On the left, under SNMP, click Traps.
  9. On the right, click Add.
  10. Specify a trap destination and Community Name and click Create.

    add snmp trap generic 10.2.2.12 -communityName public
    add snmp trap specific 10.2.2.12 -communityName public
  11. On the left, under SNMP, click Managers.
  12. On the right, click Add. Note: if you do not add at least one manager, the NetScaler answers SNMP queries from any host that knows the community string, so restrict it to your monitoring hosts.
  13. Change the selection to Management Network.
  14. Specify the IP of the Management Host and click Create.

    add snmp manager 10.2.2.12
  15. The Alarms node allows you to enable SNMP Alarms and configure thresholds.
  16. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

    set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
  17. You can also configure the MEMORY alarm.

    set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

  • ifTotXoffSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
  • ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
  • ifErrRxNoBuffs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
  • ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you may optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

  1. On the left, expand System and click Diagnostics.
  2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
  3. Check the box next to Enable Call Home.
  4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
  5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

  1. If you want to force strong passwords for local accounts, go to System > Settings, on the right, click Change Global System Settings
  2. Scroll down to the Command Line Interface (CLI) section.
  3. You can change Strong Password to Enable, and also specify a Min Password Length. Click OK.
  4. Expand System, expand User Administration and click Users.
  5. On the right, select nsroot, and click Change Password.
  6. Specify a new password and click OK. nsroot/nsroot is the documented default on every appliance, so change it before the NSIP is reachable from anything other than your workstation. The command below uses a placeholder password; pick your own.

    set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Whitepaper Secure Deployment Guide for NetScaler MPX, VPX, and SDX Appliances


  1. On the left, expand System and click Settings.
  2. On the right side of the right pane, click Change TCP parameters.

    1. Check the box for Window scaling (near the top).
    2. Scroll down and check the box for Selective Acknowledgement. Click OK.

      set ns tcpParam -WS ENABLED -SACK ENABLED
  3. On the right, click Change HTTP parameters.

    1. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

      set ns param -cookieversion 1
    2. Check the box next to Drop invalid HTTP requests.
    3. Scroll down and click OK.

      set ns httpParam -dropInvalReqs ON
  4. From Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards:  💡
    1. Expand System, and click Profiles.
    2. On the right, on the TCP Profiles tab, edit the nstcp_default_profile.
    3. Enable Window Scaling with a factor of 8.
    4. Set Minimum RTO (in millisec) = 600.
    5. Set TCP Buffer Size (bytes) = 600000
    6. Set TCP Send Buffer Size (bytes) = 600000
    7. Change TCP Flavor = BIC.
    8. Enable Use Nagle’s algorithm.
    9. Click OK when done.
  5. You can run the following command to see statistics on the dropped packets:
    nsconmsg -g http_err_noreuse_ -d stats
  6. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Put these lines before any existing Ciphers or MACs lines, because sshd uses the first value it finds for each keyword and silently ignores later duplicates. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160
  7. Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.
    add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
    
    add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP -logAction ShellShock_Log
    
    bind responder global ShellShock_policy 10 END -type REQ_DEFAULT
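The following Python script is an added example, not code from this page, from CTX209398, or from Citrix. It models the one thing that goes wrong most often with the SSHD hardening step above: OpenSSH uses the first value it finds for each keyword, so hardened Ciphers/MACs lines appended below existing ones change nothing. The config fragments are constructed, and the list of algorithms treated as weak (CBC modes, arcfour, MD5 and 96-bit MACs) is this example's choice, not a list taken from the CTX article.

```python
from typing import Dict, List

# Constructed sshd_config fragments (not copied from any appliance).
# A list that still offers CBC ciphers and MD5/96-bit MACs, which a CBC/MAC scan flags:
DEFAULT_STYLE = """\
Port 22
# cipher list a CBC/MAC vulnerability scanner will complain about
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-md5-96
"""
# The lines recommended in CTX209398, as quoted on this page:
HARDENED = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
"""
# Hardened lines appended *after* existing Ciphers/MACs lines: sshd ignores them.
APPENDED_AFTER_EXISTING = DEFAULT_STYLE + HARDENED


def effective_settings(config_text: str) -> Dict[str, List[str]]:
    """Return the Ciphers and MACs lists sshd would actually use.

    OpenSSH keywords are case-insensitive and, for each keyword, the first value
    found in the file wins, so a later duplicate line is silently ignored.
    """
    settings: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword in ("ciphers", "macs") and keyword not in settings:
            settings[keyword] = [v.strip() for v in value.split(",") if v.strip()]
    return settings


def audit_sshd_config(config_text: str) -> List[str]:
    """List what a CBC/MAC scan would flag in the *effective* configuration."""
    settings = effective_settings(config_text)
    findings: List[str] = []
    if "ciphers" not in settings:
        findings.append("no Ciphers line: OpenSSH defaults apply")
    if "macs" not in settings:
        findings.append("no MACs line: OpenSSH defaults apply")
    for cipher in settings.get("ciphers", []):
        if cipher.endswith("-cbc") or cipher.startswith("arcfour"):
            findings.append(f"weak cipher: {cipher}")
    for mac in settings.get("macs", []):
        if "md5" in mac or mac.endswith("-96"):
            findings.append(f"weak MAC: {mac}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE), ("hardened", HARDENED),
                      ("appended after existing", APPENDED_AFTER_EXISTING)):
        print(f"{name}: {audit_sshd_config(cfg) or 'clean'}")
```

Run it on a copy of /nsconfig/sshd_config pulled from the appliance: if the "appended after existing" case is what you see, move the hardened lines above the originals (or delete the originals) before sending the HUP.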
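To see what the Shellshock responder policy above actually catches, here is an added Python model (not part of this page, CTX200277, or any Citrix code) that transcribes the policy's four regular expressions and runs them over constructed sample requests. It shows a false positive (a legitimately uploaded shell script) and an evasion (a payload placed beyond the first 1000 bytes of the body, which HTTP.REQ.BODY(1000) never sees). It assumes, as a simplification, that HTTP.REQ.FULL_HEADER is the request line plus headers and that neither it nor HTTP.REQ.URL.QUERY is URL-decoded before matching.

```python
import re

# The responder policy's PCRE patterns, transcribed to Python's re module.
# Header and body check: "()" then optional whitespace then "{".
HEADER_OR_BODY_RE = re.compile(r"\(\)\s*\{")
# Query check: the whitespace may also arrive as one or more '+' characters.
QUERY_RE = re.compile(r"\(\)(\s*|\++)\{")
# Body check for the URL-encoded form "%28%29%7B", again allowing '+' padding.
ENCODED_BODY_RE = re.compile(r"%28%29[+]*%7B")
# HTTP.REQ.BODY(1000) hands the policy only the first 1000 bytes of the body.
BODY_WINDOW = 1000


def shellshock_verdict(full_header: str, query: str, body: str) -> str:
    """Return the action the policy would take: 'DROP' or 'ALLOW'.

    The four expressions are OR'ed in the same order as in the policy.
    """
    body_window = body[:BODY_WINDOW]
    if HEADER_OR_BODY_RE.search(full_header):
        return "DROP"
    if HEADER_OR_BODY_RE.search(body_window):
        return "DROP"
    if QUERY_RE.search(query):
        return "DROP"
    if ENCODED_BODY_RE.search(body_window):
        return "DROP"
    return "ALLOW"


# Constructed sample requests (not captured traffic). full_header = request line + headers.
SAMPLES = {
    # The classic payload in a header.
    "ua_header": dict(
        full_header="GET /cgi-bin/status HTTP/1.1\r\nHost: www.corp.com\r\n"
                    "User-Agent: () { :; }; /bin/bash -c 'id'\r\n\r\n",
        query="", body=""),
    # Same payload with spaces sent as '+' in the query string.
    "plus_query": dict(
        full_header="GET /cgi-bin/status?cmd=()+{+:;};+id HTTP/1.1\r\nHost: www.corp.com\r\n\r\n",
        query="cmd=()+{+:;};+id", body=""),
    # URL-encoded payload in a form body.
    "encoded_body": dict(
        full_header="POST /cgi-bin/form HTTP/1.1\r\nHost: www.corp.com\r\n\r\n",
        query="", body="cmd=%28%29++%7B+%3A%3B+%7D%3B+id"),
    # Benign upload whose body contains a shell function header: a false positive.
    "shell_script_upload": dict(
        full_header="POST /upload HTTP/1.1\r\nHost: www.corp.com\r\n\r\n",
        query="", body="#!/bin/sh\nbackup() {\n  tar czf /tmp/b.tgz /etc\n}\n"),
    # Payload pushed past the 1000-byte inspection window: evades BODY(1000).
    "deep_body": dict(
        full_header="POST /cgi-bin/form HTTP/1.1\r\nHost: www.corp.com\r\n\r\n",
        query="", body="pad=" + "A" * 1100 + "&cmd=() { :; }; id"),
    # Ordinary request.
    "benign": dict(
        full_header="GET /index.html HTTP/1.1\r\nHost: www.corp.com\r\n\r\n",
        query="", body=""),
}


def verdicts() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: shellshock_verdict(**req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22s} {verdict}")
```

The two last cases are the ones worth remembering: the policy is a signature on a byte pattern, so it will drop legitimate requests that carry "() {" (scripts, some code review tools) and it cannot see anything past the body window. Treat it as a stop-gap while the back-end bash is patched, not as the fix.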

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

  • Maximum logon attempts on NetScaler Gateway Virtual Server
  • Rate Limiting for IP.SRC and HTTP.REQ.URL.
  • nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
  • Syslog logging
  • External website monitoring
  • Obfuscate the Server header in the HTTP response
  • Disable management access on SNIPs
  • Change nsroot strong password, use LDAP authentication, audit local accounts
  • Don’t enable Enhanced Authentication Feedback
  • SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated).
  • 2-factor authentication
  • Command Center and Insight Center
  • Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended. With a load balancing VIP, each authentication attempt goes to exactly one LDAP server. If you instead bind multiple LDAP servers directly, NetScaler tries each of them in turn, so a single wrong password is counted against the Active Directory lockout threshold once per server and the user is locked out sooner than expected.

  1. Expand System, expand Authentication, and then click LDAP.
  2. On the right, switch to the Servers tab. Then click Add.
  3. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
  4. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
  5. Change the Security Type to SSL.
  6. Enter 636 as the Port. Scroll down.
  7. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
  8. Enter the credentials of the LDAP bind account in userPrincipalName format. Use a dedicated, read-only service account: it only needs to search the directory, and its password is stored on the appliance.
  9. Check the box next to BindDN Password and enter the password. Click Test Connection. Scroll down.
  10. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  11. On the right, check the box next to Allow Password Change.
  12. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: (Active Directory’s LDAP_MATCHING_RULE_IN_CHAIN) to the query so it searches through nested groups. Without it, users must be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

    An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

    Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  13. Scroll down and click More to expand it.
  14. For Nested Group Extraction, if desired, change the selection to Enabled.
  15. Set the Group Name Identifier to samAccountName.
  16. Set Group Search Attribute to –<< New >>– and enter memberOf.
  17. Set Group Search Sub-Attribute to –<< New >>– and enter CN.
  18. Example of LDAP Nested Group Search Filter Syntax

  19. Scroll down and click Create.

    add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  20. Switch to the Policies tab and click Add.
  21. Enter the name LDAPS-Corp-Mgmt or similar.
  22. Select the previously created LDAPS-Corp-Mgmt server.
  23. On the bottom, in the Expressions area, type in ns_true.
  24. Click Create.

    add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt
  25. Click Global Bindings in the right pane.
  26. Click where it says Click to select.
  27. Select the newly created LDAP policy, and click Select.
  28. Click Bind.
  29. Click Done.

    bind system global Corp-Mgmt
  30. Under System, expand User Administration and click Groups.
  31. On the right, click Add.
  32. In the Group Name field, enter the name of the Active Directory group containing the NetScaler administrators. It is case-sensitive and must match the value NetScaler extracts using the Group Attribute and Sub Attribute Name configured earlier (the group’s CN).
  33. In the Command Policies section, click Insert.
  34. Select the superuser policy, and click Insert. superuser grants unrestricted command access; for groups that only need to view or operate the appliance, bind one of the built-in read-only, operator, network, or sysadmin policies (or a custom command policy) instead.
  35. Click Create.

    add system group "NetScaler Admins" -timeout 900
    bind system group "NetScaler Admins" -policyName superuser 100
  36. Log out, then log back in with an Active Directory account that is a member of the group, to confirm LDAP authentication works before you rely on it.
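The Search Filter steps above are where most management-authentication setups go wrong, so here is an added Python example (not from this page or from Citrix) that builds the filter string in both the direct and the nested form, RFC 4515-escapes the group DN, and evaluates the result against a small in-memory directory to show which users each form admits. The directory, user names and group names are constructed. It assumes NetScaler inserts the Search Filter text verbatim into its LDAP query, which is why a group DN containing parentheses, asterisks or backslashes has to be escaped by the administrator; that behaviour is not confirmed on this page.

```python
import re

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID, used on this page for nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Assumption: NetScaler passes the Search Filter text through unchanged.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """Build the text to paste into the NetScaler Search Filter field."""
    attribute = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"{attribute}={escape_filter_value(group_dn)}"


# Constructed directory (not real data): object DN -> DNs of groups it is a direct member of.
ADMINS = "CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local"
TIER2 = "CN=Prod Ops (Tier 2),OU=Citrix,DC=corp,DC=local"
DIRECTORY = {
    "CN=alice,CN=Users,DC=corp,DC=local": [TIER2],   # admin only through nesting
    "CN=bob,CN=Users,DC=corp,DC=local": [ADMINS],    # direct member
    "CN=carol,CN=Users,DC=corp,DC=local": [],
    TIER2: [ADMINS],                                 # Tier 2 is nested inside the admins group
    ADMINS: [],
}


def effective_groups(dn: str, nested: bool) -> set:
    """Direct memberOf values, or the transitive closure when the in-chain rule is used."""
    direct = DIRECTORY.get(dn, [])
    if not nested:
        return set(direct)
    seen, stack = set(), list(direct)
    while stack:  # iterative walk with a visited set, so group cycles cannot loop forever
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, []))
    return seen


def user_passes_filter(search_filter: str, user_dn: str) -> bool:
    """Evaluate a memberOf Search Filter (as typed into NetScaler) against the model directory."""
    m = re.fullmatch(r"memberOf(?::([0-9.]+):)?=(.*)", search_filter)
    if not m:
        raise ValueError("only memberOf filters are modelled here")
    nested = m.group(1) == IN_CHAIN
    group_dn = unescape_filter_value(m.group(2))
    return group_dn in effective_groups(user_dn, nested)


if __name__ == "__main__":
    for nested in (False, True):
        flt = member_of_filter(ADMINS, nested)
        print(flt)
        for user in ("alice", "bob", "carol"):
            dn = f"CN={user},CN=Users,DC=corp,DC=local"
            print(f"  {user}: {user_passes_filter(flt, dn)}")
```

alice is the case the nested rule exists for: she is an administrator only through "Prod Ops (Tier 2)", so the plain memberOf filter rejects her and the in-chain filter accepts her. Note also that the group name entered under System > User Administration > Groups has to be the CN (NetScaler Administrators), not the escaped DN.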

CLI Prompt

  1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
  2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.

Backup and Restore

  1. Go to System > Backup and Restore.

  2. On the right, click the Backup button.
  3. Give the backup file a name.
  4. For Level, select Full and click Backup. A full backup includes /nsconfig/ssl, so the downloaded file contains your SSL private keys; store and transfer it as carefully as the keys themselves.
  5. Once the backup is complete, you can download the file.

For a PowerShell script, see John Billekens Create offline backups of the NetScaler config

To restore:

  1. If you want to restore the system and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
  2. Change the selection to Add.
  3. Browse Local to the previously downloaded backup file.
  4. Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
  5. Now you can select the backup and click Restore.

Next Steps

Return to NetScaler Procedures list

EUC Weekly Digest – May 7, 2016

Last Modified: Sep 2, 2018 @ 7:52 am

Here are some EUC items I found interesting last week.


EUC Weekly Digest – April 30, 2016

Last Modified: Sep 2, 2018 @ 7:53 am

Here are some EUC items I found interesting last week.


EUC Weekly Digest – April 23, 2016

Last Modified: Sep 2, 2018 @ 7:53 am

Here are some EUC items that interested me last week.


EUC Weekly Digest – April 9, 2016

Last Modified: Sep 2, 2018 @ 7:53 am

Here are some EUC items that interested me last week.


EUC Weekly Digest – April 16, 2016

Last Modified: Jun 30, 2019 @ 1:22 pm

Here are some EUC items that interested me last week.


Session Policies for StoreFront – NetScaler Gateway 11.1

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

This page details creation of session profiles and session policies for NetScaler Gateway 11.1 where ICA Only is checked. The two policies are told apart by the client’s User-Agent header, which the client controls, so treat the expressions as profile selection only; authentication and authorization are enforced by the virtual server either way.

Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway with StoreFront

Session Profiles/Policies CLI Commands

The CLI commands are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" "Receiver for Web"

Session Profiles

Or use the GUI to create the policies/profiles:

  1. On the left, expand NetScaler Gateway, expand Policies and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.
  3. Name the first one ReceiverSelfService or similar. This is for Receiver Self-Service (not in a web browser).
  4. Switch to the Client Experience tab.
  5. On the Client Experience tab, check the Override Global box next to Clientless Access and set it to Allow. Scroll down.
  6. Check the Override Global box next to Plug-in Type and set it to Java.
  7. Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.
  8. If you need two-factor authentication, the session policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to PRIMARY.
  9. On the Security tab, check the Override Global box next to Default Authorization Action and set it to Allow.
  10. On the Published Applications tab, check the Override Global box next to ICA Proxy and set it to ON.
  11. Check the Override Global box next to Web Interface Address and enter the load balanced URL to the StoreFront servers. You can use an IP address. Don’t add any path to the end of the URL.
  12. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. StoreFront needs to accept this domain name (Configure Trusted Domains).
  13. If you have multiple domains, then leave Single Sign-on Domain field blank, and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
  14. For Account Services Address, enter the Base URL for StoreFront. NetScaler needs to be able to resolve this DNS name.
  15. Click Create.
  16. Click the ellipsis next to the existing session profile and click Add. This copies the settings from the existing profile into the new one.
  17. Change the name of the second Session Profile to ReceiverForWeb or similar.
  18. On the Client Experience tab, Clientless Access should be set to Allow. Scroll down.
  19. Plug-in Type should still be set to Java.
  20. Single Sign-on to Web Applications should be enabled.
  21. If you need two-factor authentication, the session policy for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
  22. On the Security tab, the Default Authorization Action should still be Allow.
  23. On the Published Applications page, for the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
  24. Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
  25. Account Services Address is not needed in this profile but there’s no harm in leaving it.
  26. Click Create.

Session Policies

  1. On the right, switch to the Session Policies tab, and click Add.
  2. Name the Policy ReceiverSelfService or similar.
  3. Change the Request Profile to ReceiverSelfService.
  4. In the Expression box, either type in the following, or use the Expression Editor link to build the following expression:
    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  5. Then click Create.
  6. Add another policy, and name it ReceiverForWeb or similar.
  7. Change the Action to ReceiverForWeb.
  8. In the Expression box, either type in the following, or use the Expression Editor. It’s the same as the previous expression, except it’s NOTCONTAINS instead of CONTAINS.
    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  9. Click Create.

Next Step

VMware Horizon 7 – Cloud Pod Architecture

Last Modified: Oct 24, 2020 @ 6:29 am

Navigation

This post applies to all VMware Horizon 7 versions including 7.13 (ESB) and 7.10.3 (ESB).

Change Log

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • For applications, only one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. Each site can contain multiple pods.
  • Global Load Balancing – Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture.
  • RBAC – View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Cloud Pod Limits in Horizon 7.11 and newer:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 12,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Cloud Pod Limits in Horizon 7.8 and newer:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 10,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Cloud Pod Limits in Horizon 7.6:

  • Max users = 200,000
  • Max Pods = 25
  • Max Sessions per Pod = 10,000
  • Max Sites = 10
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 175

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • The user’s Blast/PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod; in fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.

For more information on multi-datacenter design for Horizon 7, see VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture, which is an 88-page document that includes the following:

  • Identity Manager
  • App Volumes
  • Horizon 7 Cloud Pod Architecture
  • User Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

As of Horizon 7.8, Cloud Pod can be configured in Horizon Console (https://myConnectionServer/newadmin).

  1. In Horizon Console, expand Settings and click Cloud Pod Architecture. Or in View Administrator, on the left, expand View Configuration, and click Cloud Pod Architecture.

  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.

  4. A status page is displayed.

  5. If prompted, click OK to reload the client.

    • Then on the left, expand View Configuration, and click Cloud Pod Architecture.
  6. On the right, feel free to rename the federation by clicking the Edit button.

    1. Enter a new name.

  7. On the left, expand Settings (or View Configuration), and click Sites.

  8. On the right, in the top half, highlight the first site, and then click the Edit button to rename the Default First Site to be more descriptive.

    1. Enter a Site name.

  9. Click the Site to highlight it to reveal the Pods on the bottom half of the window.
  10. Highlight the pod and click Edit to make the name more descriptive.

    1. Enter a Pod name.

  11. See VMware 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator or Horizon Console in the second pod.
  2. On the left, expand Settings (or View Configuration), and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.

  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials, and click OK.

  6. The Join status is displayed.
  7. If prompted, click OK to reload the client.
  8. On the left, expand Settings (or View Configuration), and click Sites.

  9. If this pod is in a different site, then in the top half of the window click Add to create a new site.

  10. Give the site a name, and click OK.

  11. Highlight the first site.
  12. On the bottom, highlight the new pod, and click Edit.

  13. Rename the pod and put it in the 2nd site. Click OK.

  14. In Horizon 7.7 and newer, the top of Horizon Administrator shows you which Pod you are administering. You might have to refresh the page to see the correct Pod name after it was renamed.

Global Entitlements

Pools and Entitlements are two different things. You can create a pool without entitling anybody to the pool.

Local Entitlements and Global Entitlements are two different things. Global Entitlements are created separately, and then you assign pools from multiple pods to the Global Entitlement.

Do not create both Global Entitlements and Local Entitlements for the same pool otherwise users might see two icons. Create the local pool, but don’t entitle it. Instead, create a Global Entitlement and add the local pool to it.

  1. In Horizon Console (or View Administrator), on the left, expand Inventory (or Catalog), and click Global Entitlements.

  2. On the right, click Add.

  3. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.

  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
  5. Horizon 7.2 and newer lets you configure tag restrictions (Connection Server restrictions) from this wizard.
  6. Horizon 7.3 and newer lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer.
  7. Horizon 7.5 and newer let you put the published icon on the endpoint’s desktop too. See Create Shortcuts for a Desktop Pool at VMware Docs.

    1. Configure Category Folder.

  8. Scroll down to the Policies section and configure the following:
    1. The Use home site checkbox tells the global entitlement to respect user home sites.
    2. Change the Default display protocol to VMware Blast.

    3. In newer versions of Horizon, you can allow users to reset/restart their machines.
    4. Check the box next to HTML Access.
    5. Horizon 7.2 adds a Pre-launch checkbox. If you need the Pre-launch feature, then enable the Pre-launch checkbox on at least one application, and entitle the application to the users that need the Pre-launch feature.
    6. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that computer AD group. The published icon can then only be accessed from the client computers in the AD group.

      Notes:

      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
    7. Horizon 7.7 and newer have a selection for Multi-Session Mode. Pre-launch must be disabled to enable this setting.
    8. Make other selections.
  9. Click Next when done.
  10. In the Users and Groups page, add users that can see the icon associated with the Global Entitlement. Click Next.

  11. In the Ready to Complete page, click Finish.

  12. Double-click the new global entitlement or click the link for the name of the Global Entitlement.

  13. Switch to the Local Pools tab.
  14. On the Local Pools tab, click Add.

  15. Select the local pools you want to add and click Add. Remember, only add one app per Global Entitlement. Also, you can only add pools from the local pod. To add pools from a different pod, you must point your Horizon Administrator or Horizon Console to the other pod and edit the Global Entitlement from there.

  16. Go to another pod and view the Global Entitlements.
  17. On the right, double-click the Global Entitlement or click the hyperlink for the name of the Global Entitlement.

  18. On the Local Pools tab, click Add to add pools from this pod.

  19. Horizon Console 7.11 and newer can configure backup global entitlements. A backup global entitlement delivers remote desktops or published applications when the primary global entitlement fails to start a session because of problems such as insufficient pool capacity or unavailable pods.
    1. Create a Backup Global Entitlement containing the backup pools. You don’t have to assign anybody to the Backup Global Entitlement.
    2. Edit the production Global Entitlement.
    3. Under Backup Global Entitlement, click Browse.
    4. Change the selection to Backup Global Entitlement, select the Backup Global Entitlement and click Submit.
  20. Horizon Console 7.11 and newer at Inventory > Desktops can show if a Local Pool is a member of a Global Entitlement.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added, which allows you to search for sessions across federated pods. The Search Sessions node is available in Horizon Console 7.9.

  2. The Dashboard in Horizon Administrator shows the health of remote pods. The Dashboard has not yet been added to Horizon Console.

Home Sites

The Home Sites feature causes Global Entitlements to prefer pools in the user’s Home Site before looking for pools in remote sites.

Horizon 7 lets you configure Home Sites for users from within Horizon Administrator. Horizon 7.8 lets you configure Home Sites for users from within Horizon Console.

  1. Configure your Cloud Pod Architecture with multiple Sites and at least one Pod per Site.
  2. In Horizon Console or Horizon Administrator, on the left, click Users and Groups.

  3. On the right, switch to the Home Site tab (or Home Site Assignment tab).
  4. Click Add.

  5. Find a user or group for this home site, and click Next.

  6. Select the site to assign the users to and click Finish.

  7. Home Sites can be assigned to both users and groups. User assignments override group assignments.

  8. Edit your Global Entitlement and ensure that Use Home Site is checked. You can optionally require that each user has a Home Site.
  9. Each Global Entitlement can have its own Home Site configuration that overrides the global Home Site configuration.
    • In Horizon Console, click the hyperlink for the Global Entitlement’s name, switch to the tab named Home Site Override, and then click Add.

    • In Horizon Administrator, double-click a Global Entitlement, switch to the Home Site Override tab, and click Add.
  10. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement.
    • In Horizon Console, in the Users and Groups node, switch to the Home Site Resolution tab. Find a user, and it will show you the Home Site Resolution.
    • In Horizon Administrator, on the Users and Groups page, on the Home Site tab, if you switch to the Resolution sub-tab, you can find a user name, click Look Up and see which Home Site is assigned to the user for each entitlement.

Related Pages

VMware Horizon 7 – RDS Farms/Pools

Last Modified: Nov 11, 2020 @ 1:18 pm


This post applies to all VMware Horizon 7 versions including 7.13 (ESB) and 7.10.3 (ESB).

Change Log

Overview

This post details VMware Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before following this procedure, build a master RDS Session Host.

Before you can publish applications or RDS desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts, then these are different RDS Farms.

Horizon 7.7 and newer support up to 200 RDS farms, each with up to 500 RDS hosts.

  • Horizon 7.6 and older support up to 200 RDS farms, each with up to 200 RDS hosts.

Once the RDS Farms are created, you publish icons from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

VMware Tech Paper Best Practices For Published Applications And Desktops in VMware Horizon 7:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones and Composer Linked Clones

Horizon 7.1 and newer offers two methods of creating RDS Farm linked clones:

  • Instant Clones
  • Composer Linked Clones

Instant Clones are the preferred method. Here is the process: Instant Clones for RDSH in VMware Horizon 7.1 YouTube video

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
  5. The linked clones can finally be created by forking the parent VM to new linked clone VMs. Notes:
    1. Once the Parent VMs are created, creating/recreating linked clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1 YouTube video.

The other RDS Linked Clone option is Horizon Composer. Here are some notes:

  • When Composer creates Linked Clones, Composer uses SysPrep with Customization Specifications. SysPrep is slow.
  • SysPrep is also used whenever the RDS farm is updated with a new master image snapshot.
  • No View Storage Accelerator.
  • No Rebalance.
  • No Refresh. The machines are persistent until you Recompose the farm.
    • The delta disks continue to grow until you Recompose the farm.
    • You can enable Space Reclamation to shrink the delta disks as files are deleted.

Customization Specification – Composer Linked Clones only

If you are using Instant Clones (7.1 and newer), then skip to creating the RDS farm. Customization Specifications are only needed for Composer Linked Clones.

  1. In vCenter, from the Home page, click Customization Specification Manager.
  2. Click the icon to create a new Customization Specification.
  3. In the Specify Properties page, give the spec a name and click Next.
  4. In the Set Registration Information page, enter your normal settings and click Next.
  5. In the Set Computer Name page, select Use the virtual machine name and click Next.
  6. In the Enter Windows License page, select Per seat and click Next.
  7. In the Set Administrator Password page, enter the local administrator password and click Next.
  8. In the Time Zone page, select the time zone and click Next.
  9. In the Run Once page, click Next.
  10. In the Configure Network page, leave it set to Use standard network settings. Horizon requires the VMs to be configured for DHCP. Click Next.
  11. In the Set Workgroup or Domain page, enter credentials that can join the machines to the domain, and click Next.
  12. In the Set Operating System Options page, leave the box checked, and click Next.
  13. In the Ready to complete page, click Finish.

Create an Automatic RDS Farm

If you upgrade vCenter to 6.7, then you must upgrade your ESXi hosts to 6.7 at the same time. Afterwards, take a new snapshot of the master image and perform a push operation. See Upgrade Instant-Clone Desktop Pools at VMware Docs.

Master Image Preparation

  1. Make sure your RDS master Agent has the VMware Horizon Instant Clone Agent feature, or the VMware Horizon View Composer Agent feature installed. You can install one or the other, but not both. Instant Clone Agent is the preferred option.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the linked clones to have.
  6. Take a snapshot of the master image.

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to create a new RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, on the left, expand Inventory, and click Farms.
  2. On the right, click Add.
  3. In the Type page, select Automated Farm, and click Next.
  4. In the vCenter Server page, select Instant Clone, select the vCenter Server, and then click Next.
  5. In the Storage Optimization page, click Next.
  6. In the Identification and Settings page:
    1. Enter a name for the Farm. A VM folder with the same name will be created in vCenter.
    2. Note: There’s no place to set the Display Name here. You do that later when creating a Desktop Pool.
    3. Scroll down to the Farm Settings section.
    4. In the Identification and Settings page, in Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.
    5. Horizon 7.2 and newer support Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    6. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    7. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Global Settings.
    8. To access the Pools/Farm from a web browser using HTML Blast, check the Enabled box next to Allow HTML Access.
    9. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon to the system tray of the remote desktop and lets you invite users to collaborate. See Session Collaboration for details.
    10. Max sessions per RDS Host will block connections if this number is exceeded.
  7. Click Next.
  8. In the Provisioning Settings page:
    1. Enter a Naming Pattern. Make sure the name includes {n:fixed=3} or something like that.
    2. In Farm Sizing, enter the number of machines to create.
  9. Click Next.
  10. In the vCenter Settings page, click Browse next to each option and make a selection. These are self-explanatory. Then click Next.
  11. Horizon Administrator 7.8 and newer let you configure Load Balancing Settings for the RDS Farm. You cannot yet configure these settings in Horizon Console. After the RDS Farm is created, you can use Horizon Administrator to edit these settings.
  12. In the Guest Customization page:
    1. Select an OU to place the new virtual machines in. This should be an OU that is configured with group policies for the RDSH machines.
    2. Consider the Allow reuse of pre-existing computer accounts check box.
  13. Click Next.
  14. In the Ready to Complete page, click Submit.

To view the status of RDS Farm creation:

  1. Click the farm name.
  2. The bottom of the Summary tab shows you the State of the Publishing progress.

  3. You can watch the progress in vSphere Client. It goes through a couple of longer tasks, including cloning the snapshot and creating a digest file.
  4. Eventually the tab named RDS Hosts will show the new virtual machines.
  5. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Horizon Administrator

  1. In Horizon Administrator, on the left, expand Resources, and click Farms.
  2. On the right, click Add.
  3. In the Type page, select Automated Farm, and click Next.
  4. In the vCenter Server page, select Instant clones or View Composer linked clones depending on which agent you have installed on your RDS master Agent machine.
  5. Select the vCenter Server, and click Next.
  6. In the Identification and Settings page, enter a name for the Farm. A VM folder with the same name will be created in vCenter.
  7. In the Farm Settings section, set Default Display protocol to VMware Blast.
  8. In Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.
  9. Horizon 7.2 and newer support Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
  10. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  11. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  12. To access the Pools/Farm from a web browser using HTML Blast, check the Enabled box next to Allow HTML Access.
  13. Horizon 7.4 adds a new Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  14. Click Next.
  15. Horizon 7.8 and later have a Load Balancing Settings page that lets you configure the load evaluator rules without having to modify any script. In general, use stable, non-fluctuating rules like session count and Memory usage. Note that CPU usage tends to wildly fluctuate and can prematurely disable connections to an RDS Host. Click Next when done configuring rules.
  16. In the Provisioning Settings page, enter a naming pattern. Make sure the name includes {n:fixed=3} or something like that.
  17. Enter the number of machines to create, and click Next.
  18. In the Storage Optimization page, click Next.
  19. In the vCenter Settings page, click Browse next to each option, and make a selection.
  20. When selecting a datastore, Instant Clones sets the Storage Overcommit to Unbounded automatically. For Composer Linked Clones, set it to Unbounded. Click OK, and then click Next.

  21. If Composer, in the Advanced Storage Options page, decide if you want space reclamation or not. Space reclamation does reduce disk space but increases IOPS while the operation is occurring. If space reclamation is enabled, also configure a Blackout window so the increased IOPS does not affect production usage. Scroll down.
  22. If you scroll down, you’ll see an option for Transparent Page Sharing. By default it is disabled. You can enable it by setting it to Global. This should reduce some memory consumption. Click Next.
  23. For both Instant Clones and Composer, in the Guest Customization page, select an OU.
  24. Consider the Allow reuse of pre-existing computer accounts check box.
  25. For Composer Linked Clones, select a customization specification, and click Next.
  26. In the Ready to Complete page, click Finish.
  27. If you double-click the farm, on the RDS Hosts tab, you can see the progress of the farm creation operation.
  28. Horizon 7.7 and newer show you the status of RDS Drain Mode, which can be enabled on the RDS Host by running change logon /drain.
  29. If Composer, since RDS Farms use SysPrep, it will take some time before they become available.
  30. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm – Instant Clones and Composer Linked Clones

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to add RDS hosts to an existing RDS Automatic Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. On the left, expand Inventory, and click Farms.
  2. On the right, select an existing Automated Farm, and click Edit.
  3. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  4. If the parent VM is already running on the destination host/datastore, then it should only take a minute to add the new VM.
  5. The RDS Hosts tab of the RDS farm shows the new RDS host(s).

Horizon Administrator

  1. On the left, expand Resources, and click Farms.
  2. On the right, highlight an existing Automated Farm, and click Edit.
  3. Switch to the Provisioning Settings tab, and change the Max number of machines. Then click OK.
  4. For Instant Clones, if the parent VM is already running on the destination host/datastore, then it should only take a minute to add the new VM.
  5. Composer Linked Clones use SysPrep, which takes a while to add the virtual machines. The new VMs reboot several times during the provisioning and customization process.
  6. The farm now has new RDS host(s).

Update an Automatic Farm – Instant Clones and Composer Linked Clones

Master Image Preparation

  1. Power on the master session host.
  2. Login and make changes.
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine, and take snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to push an updated master image snapshot to an existing RDS Automatic Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, go to Inventory > Farms.
  2. Click the farm name’s link.
  3. On the Summary tab, click Maintain, and then click Schedule.
  4. One option is to schedule Recurring reboots, which revert the RDS Hosts to a clean state.
  5. To push out an updated Master Image, change the Schedule to Immediate.
  6. Select Start Now, or select Start at a future date/time. Click Next.
  7. In the Image page, uncheck the box next to Use current parent VM image, select the new snapshot, and click Next.
  8. In the Scheduling page, decide if the reboot should wait for users to logoff, decide when to apply this new image, and then click Next.
  9. In the Ready to Complete page, click Finish.
  10. The RDS Farm’s Summary tab (scroll down) shows you that it’s publishing the new image.

  11. On the RDS Hosts tab, you can check on the status of the maintenance task.
  12. It will take a few minutes to create a new parent VM. Once the parent VM is created, the Instant Clones are quickly deleted and recreated.

Horizon Administrator

  1. In View Administrator, go to Resources > Farms.
  2. Double-click a farm name.
  3. For Composer Linked Clones, before beginning the Maintenance/Recompose operation, edit the Farm, and on the Provisioning Settings tab, consider specifying a minimum number of ready machines during Instant Clone (or View Composer) maintenance operations. If you leave this set to 0, then all machines will be in maintenance mode, and nobody can connect until Maintenance/Recompose is complete. Instant Clones are recreated quickly enough that this setting might not be needed.
  4. If Instant Clones, on the Summary tab, click Maintenance, and then click Schedule.
  5. If Composer Linked Clones, on the Summary tab, click Recompose.
  6. Instant Clones let you either schedule recurring reboots, or change the Schedule to Immediate to update the machines now (or one time in the future). Click Next.
  7. In the Image page, uncheck the box next to Use current parent VM image, select the new snapshot, and click Next.

  8. In the Scheduling page, decide if the reboot should wait for users to logoff, decide when to apply this new image, and then click Next.

  9. In the Ready to Complete page, click Finish.

  10. On the RDS Hosts tab, you can check on the status of the maintenance/recompose task.
  11. Horizon 7.7 and newer show you the status of RDS Drain Mode, which can be enabled on the RDS Host by running change logon /drain.
  12. If Instant Clones, it will take a few minutes to create a new parent VM. Once the parent VM is created, the Instant Clones are quickly deleted and recreated.
  13. If Composer Linked Clones, Composer uses SysPrep, which means this will take a while.
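Steps 11 above and 28 in the farm creation section mention that Horizon 7.7 and newer display RDS Drain Mode, which is set on the host itself with change logon /drain. The following PowerShell is an added example (not part of the original post and not VMware's tooling) that drains every host in a farm before a maintenance window, then reports each host's logon state and remaining user sessions so you know when it is safe to proceed. It assumes WinRM access with local admin rights on the RDS hosts, that the hosts print the English output of change logon /query, and that the host names in the usage lines are placeholders.

```powershell
# Added example: drain-mode helper for an RDS farm (assumptions: WinRM enabled,
# admin rights on each host, English output from 'change logon /query').

function Get-RdsLogonState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # 'change logon /query' prints a single status sentence; classify it.
    # The phrases below are assumed from the English output of the command.
    $text = Invoke-Command -ComputerName $ComputerName -ScriptBlock { change logon /query } | Out-String
    switch -Regex ($text) {
        'reconnections to existing sessions are enabled' { return 'Drain' }
        'currently disabled'                            { return 'Disabled' }
        'currently enabled'                             { return 'Enabled' }
        default                                         { return "Unknown: $($text.Trim())" }
    }
}

function Get-RdsUserSessionCount {
    param([Parameter(Mandatory)][string]$ComputerName)
    $lines = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # quser exits non-zero with "No User exists for *" when nobody is logged on
        $out = cmd /c 'quser 2>nul'
        if ($LASTEXITCODE -ne 0) { @() } else { $out }
    }
    # The first line is the column header; every other non-empty line is one user session.
    $nonEmpty = @($lines | Where-Object { $_ -and $_.Trim() })
    return [Math]::Max(0, $nonEmpty.Count - 1)
}

function Set-RdsDrainMode {
    # -Enable puts hosts into drain mode (change logon /drain); without it, logons are re-enabled.
    param([Parameter(Mandatory)][string[]]$ComputerName, [switch]$Enable)
    $action = if ($Enable) { '/drain' } else { '/enable' }
    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ScriptBlock { param($a) change logon $a } -ArgumentList $action | Out-Null
    }
}

function Get-RdsFarmDrainReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $state    = Get-RdsLogonState -ComputerName $c
        $sessions = Get-RdsUserSessionCount -ComputerName $c
        [pscustomobject]@{
            Host                = $c
            LogonState          = $state
            UserSessions        = $sessions
            # Safe to recompose/push when no new logons are accepted and nobody is left on the host.
            ReadyForMaintenance = ($state -ne 'Enabled') -and ($sessions -eq 0)
        }
    }
}

# Usage (host names are placeholders for the RDS Hosts listed on the farm's RDS Hosts tab):
$farmHosts = 'RDSH-001', 'RDSH-002'
Set-RdsDrainMode -ComputerName $farmHosts -Enable
Get-RdsFarmDrainReport -ComputerName $farmHosts | Format-Table -AutoSize
# After the maintenance task completes: Set-RdsDrainMode -ComputerName $farmHosts
```

Draining instead of disabling logons keeps reconnections to existing sessions working, so users who disconnected are not locked out while the host empties; the report's ReadyForMaintenance column only turns true once the host accepts no new logons and has no user sessions left, which is the point at which a push or recompose will not interrupt anyone.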

Instant Clones Maintenance

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to perform Instant Clone Maintenance. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. If you click an Instant Clones RDS Farm name…
  2. And switch to the RDS Hosts tab, you can select a machine and then click Recover. This causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  3. On the Summary tab of the RDS Farm, you can click Maintain > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  4. Specify how often you want the reboot to occur, and then click Next.
  5. In the Image page, you don’t have to change the snapshot. Click Next.
  6. Decide what to do about logged on users, and click Next.
  7. In the Ready to Complete page, click Finish.
  8. If you click the Maintain menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  9. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  10. In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Horizon Administrator

  1. If you double-click an RDS Farm that contains Instant Clones, and switch to the RDS Hosts tab, you can right-click a machine, and click Recover. This causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  2. On the Summary tab of the RDS Farm, you can click Maintenance > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  3. Specify how often you want the reboot to occur, and then click Next.
  4. In the Image page, you don’t have to change the snapshot. Click Next.
  5. Decide what to do about logged on users, and click Next.
  6. In the Ready to Complete page, click Finish.
  7. If you click the Maintenance menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  8. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  9. In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to publish a manual RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. Make sure neither the View Composer Agent nor the Instant Clone Agent is installed on your RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.
  2. In Horizon Console, go to Settings > Registered Machines and make sure your manually-built RDS Host is registered and listed on the RDS Hosts tab.
  3. On the left, expand Inventory, and click Farms.
  4. On the right, click Add.
  5. In the Type page, select Manual Farm, and click Next.
  6. In the Identification and Settings page, enter a name for the Farm.
  7. Scroll down to the Farm Settings section.

    1. There is a pre-launch option. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    2. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    3. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
    4. Check the Enabled box next to Allow HTML Access.
    5. There is an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  8. Click Next.
  9. Horizon Administrator 7.8 and newer let you configure Load Balancing Settings for the RDS Farm. You cannot yet configure these settings in Horizon Console. After the RDS Farm is created, you can use Horizon Administrator to edit these settings.
  10. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  11. In the Ready to Complete page, click Submit.
  12. If you click the farm name…
  13. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Horizon Administrator

To create a manual RDS Farm (no linked clones), do the following:

  1. Make sure neither the View Composer Agent nor the Instant Clone Agent is installed on your RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.
  2. In View Administrator, expand View Configuration and click Registered Machines. Make sure your manually-built RDS Host is registered and listed on the RDS Hosts tab.

  3. In View Administrator, on the left, expand Resources and click Farms.
  4. On the right, click Add.
  5. In the Type page, select Manual Farm and click Next.
  6. In the Identification and Settings page, enter a name for the Farm.
  7. In the Farm Settings section, set the Default display protocol to VMware Blast.
  8. Horizon 7.2 adds pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
  9. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  10. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  11. Check the Enabled box next to Allow HTML Access.
  12. Horizon 7.4 adds a new Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  13. Click Next.
  14. Horizon 7.8 and later have a Load Balancing Settings page that lets you configure the load evaluator rules without having to modify any script. In general, use stable, non-fluctuating rules like session count and Memory usage. Note that CPU usage tends to wildly fluctuate and can prematurely disable connections to an RDS Host. Click Next when done configuring rules.
  15. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  16. In the Ready to Complete page, click Finish.
  17. If you double-click the farm name…
  18. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Publish Desktop

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to publish a desktop from an RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click Add.
  3. In the Type page, select RDS desktop Pool, and click Next.
  4. In the Desktop Pool ID page, enter an ID and name. They can be different. The ID cannot contain spaces. Click Next.
  5. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    2. You can type in a new category folder name, or select an existing one. Also select Shortcut Locations.
    3. Horizon 7.3 and newer have a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group.
    4. Notes on Client Restrictions:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Submit.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Inventory > Farms, click your farm name, there will be a RDS Pools tab, where you can see which Desktop Pool is associated with this farm. An RDS Farm can only belong to one Desktop Pool.
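The Client Restrictions notes in step 5 above say the published desktop is entitled to an AD group of client computer accounts, and that before Horizon 7.8 those computers must sit in the default Computers container. The PowerShell below is an added example (not from the original post, and not a VMware tool) that creates that group, adds the computer objects, and audits the membership for the two things that silently block a client: a member that is not a computer object, and, on Horizon older than 7.8, a computer outside CN=Computers. It assumes the ActiveDirectory RSAT module is installed and that the group name, OU path and computer names in the usage lines are placeholders.

```powershell
# Added example: build and audit the computer group behind a Client Restrictions
# entitlement (assumptions: ActiveDirectory module available; names are placeholders).
Import-Module ActiveDirectory

function New-ClientRestrictionGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OuPath,        # DN of the OU that will hold the group
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
                             -Path $OuPath -Description 'Horizon Client Restrictions' -PassThru
    }
    # Members are computer objects, not users: the entitlement is per managed device.
    $computers = foreach ($c in $ComputerName) { Get-ADComputer -Identity $c }
    Add-ADGroupMember -Identity $group -Members $computers
    return $group
}

function Test-ClientRestrictionGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$LegacyHorizon   # set for Horizon older than 7.8
    )
    $domainDn           = (Get-ADDomain).DistinguishedName
    $computersContainer = "CN=Computers,$domainDn"
    foreach ($m in Get-ADGroupMember -Identity $Name) {
        $issue = $null
        if ($m.objectClass -ne 'computer') {
            $issue = 'not a computer object; only client computer accounts count'
        } elseif ($LegacyHorizon -and $m.DistinguishedName -notlike "*,$computersContainer") {
            $issue = 'outside CN=Computers; blocked on Horizon older than 7.8'
        }
        [pscustomobject]@{ Member = $m.Name; ObjectClass = $m.objectClass; Issue = $issue }
    }
}

# Usage (all names are placeholders for your environment):
New-ClientRestrictionGroup -Name 'HZN-RDSDesktop-Clients' `
    -OuPath 'OU=Horizon,DC=example,DC=local' `
    -ComputerName 'KIOSK-01', 'KIOSK-02' | Out-Null
Test-ClientRestrictionGroup -Name 'HZN-RDSDesktop-Clients' -LegacyHorizon | Format-Table -AutoSize
```

Run the audit whenever the group changes; a single user or group object added by mistake widens nothing but also grants nothing, while a computer that the help desk moved out of the Computers container on a pre-7.8 Horizon stops being able to open the pool with no obvious error on the Horizon side.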

Horizon Administrator

To publish a desktop from an RDS farm, do the following:

  1. In View Administrator, on the left, expand Catalog, and click Desktop Pools.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool Identification page, enter an ID and name. They can be different. Click Next.
  5. In the Desktop Pool Settings page:
    1. Horizon 7.3 and newer let you select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    2. Horizon 7.5 and newer let you put the shortcut on the endpoint’s desktop.
    3. Horizon 7.3 and newer have a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group. Notes:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
    4. Horizon 7.7 and newer have an option to Allow user to initiate separate sessions from different client devices.
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Finish.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Resources > Farms, double-click your farm, there will be a RDS Pools tab, where you can see which Desktop Pool is associated with this farm.

Publish Applications

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to publish applications from an RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, on the left, expand Inventory, and click Applications.
  2. On the right, click Add, and then click Add from Installed Applications.
  3. In the Select Applications page, select a RDS Farm.
  4. The purpose of this wizard is to publish and entitle applications from an RDS Farm. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually.
  5. Select one or more applications. Notice that File Explorer is not one of the options. You can manually add that application later.
  6. There are additional options at the bottom of the Select Applications page. Notice the Entitle users box is checked by default.

    1. There’s a Pre-launch option for published applications. You can optionally enable it on at least one application, and then entitle the pre-launch application to the users that need the Pre-launch feature.
    2. You can assign tags for Connection Server restrictions, which lets you control visibility of icons for internal users vs external users.
    3. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop. This feature requires Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    4. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes on Client Restriction:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
  7. Click Next when done.
  8. The Edit Applications page lets you rename the published icons. Click Submit when done.
  9. Click Add to select a group that can see these icons. This is the normal entitlement process.

    1. There is an option for Unauthenticated users, which is detailed at Providing Unauthenticated Access for Published Applications at VMware Docs.
    2. Before you can configure Unauthenticated Access on published applications, you must add a Domain Account that will be used for anonymous access at Users and Groups > Unauthenticated Access. This account is the effective identity of every anonymous session, so grant it no rights beyond what the published application needs.
    3. Then go to Settings > Servers and Edit a Connection Server.
    4. On the Authentication tab…
    5. …enable Unauthenticated Access, and select the Default unauthenticated access user account.
    6. Horizon 7.6 and newer have a Login Deceleration Level option, which requires Horizon Client 4.9. See Configure Login Deceleration for Unauthenticated Access to Published Applications at VMware Docs.
    7. Back in your entitlement, you select Unauthenticated Users, and entitle it to the Domain User that is your anonymous account.
  10. You can run the Add Application Pool wizard again to publish more applications with different entitlements.
  11. If you click the name of one of the application pools…
  12. …on the Entitlements tab, you can change the entitlements.

In Horizon Console 7.11 and newer, if you click a Farm name, you can view Sessions connected to that Farm and the published application each user is running. Monitor > Sessions does not show published application information, but RDS Farm > Sessions does.

  1. In Horizon Console, on the left, expand Inventory and click Farms.
  2. On the right, click the link for one of the farms.
  3. Switch to the tab named Sessions.
  4. As you scroll down the table you’ll see sessions with Type = Application.
  5. If you scroll to the right, you’ll see the Application Name in the far-right column.

Icon for Published Application

  1. In Horizon 7.9 and newer, you can select an Application Pool, then open the Application Icon menu and click Associate Application Icon.

  2. In older Horizon, use PowerShell to change the icons. See the YouTube video Customizing Horizon RDSH Application Icons.

Show application pools associated with RDS Farm:

  1. If you go to Inventory > Farms, click your farm name…
  2. …and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. You can click the link for a pool to be taken to the pool’s property pages.

Instead of publishing an existing application from the Start Menu, you can add an application manually:

  1. Go to Inventory > Applications, click Add, and select Add Manually.
  2. File Explorer is an application that has to be added manually.

  3. When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast (Source = RDS Desktop being presented when opening an app at VMware Communities)

Horizon Administrator

  1. In View Administrator, on the left, expand Catalog, and click Application Pools.
  2. On the right, click Add.
  3. The purpose of this wizard is to publish applications from an RDS Farm, and entitle them. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times, and select different applications. Once the applications are published, you can change their entitlements individually.
  4. At the top of the window, select an RDS farm.
  5. Select one or more applications.
  6. There are additional options at the bottom of the window.

    1. Horizon 7.2 and newer have a Pre-launch option for published applications. Enable it on at least one application, and entitle the application to the users that need the Pre-launch feature.
    2. Horizon 7.7 and newer have an option for Multi-session Mode, which lets users launch multiple sessions from different clients.
    3. Horizon 7.2 and newer have the ability to assign tags (Connection Server restrictions) to application pools.
    4. Horizon 7.3 and newer let you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    5. Horizon 7.5 and newer lets you put the shortcut on the endpoint’s desktop.
    6. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
  7. Click Next when done.
  8. Or you can add an application manually by changing the radio button to Add application pool manually. Notice that Explorer is not one of the listed applications, so Explorer will need to be added manually.

    • When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast (Source = RDS Desktop being presented when opening an app at VMware Communities)
  9. Notice the Entitle users box is checked by default. All of the applications in this list will receive the same entitlements. Click Finish.
  10. Then click Add to select a group that can see these icons.
  11. Horizon 7.1 and newer support Unauthenticated users, which is detailed at Providing Unauthenticated Access for Published Applications at VMware Docs. Click OK when done.




  12. You can run the wizard again to publish more applications with different entitlements.
  13. If you double-click one of the application pools, on the Entitlements tab, you can change the entitlements.
  14. In Horizon 7.1 and newer, icons for the published apps can be changed using PowerShell. See the YouTube video Customizing Horizon RDSH Application Icons.
  15. If you go to Resources > Farms, double-click your farm, and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. Notice you can’t really do anything from here.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool at VMware Docs.

Do the following to configure Anti-Affinity in Horizon Console or Horizon Administrator:

  1. On the left, go to Inventory > Applications or go to Catalog > Application Pools.
  2. On the right, edit an existing application pool.

  3. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of process name matches that can run on a single RDS Host.

Related Pages

VMware Horizon 7.13.3 – Master RDS Host

Last Modified: Mar 22, 2023 @ 6:00 am


Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).


Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Windows Server 2019 is supported for Horizon Agents 7.7 and newer.
  • Windows Server 2016 is supported for Horizon View Agents 7.0.3 and newer.
  • For 2012 R2 or newer, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure that no ISO file is configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.
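The same change scripted with PowerCLI, as an added example that is not part of the original post. It assumes VMware PowerCLI is installed and a `Connect-VIServer` session already exists; the VM name `RDSH-Master` is a placeholder. Like the GUI steps, it refuses to proceed unless the VM is powered off, and it reads the setting back to confirm it took.

```powershell
# Added example: disable device hot-plug (and with it the "Eject Ethernet Controller" option)
# on a Horizon master image via PowerCLI. Assumes Connect-VIServer has already been run.
$vmName = 'RDSH-Master'   # assumed VM name; change to your master session host

$vm = Get-VM -Name $vmName -ErrorAction Stop

# The procedure above requires the VM to be powered off before editing the setting.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName is $($vm.PowerState). Power it off before changing devices.hotplug."
}

$existing = Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug'
if ($existing) {
    if ($existing.Value -eq 'false') {
        Write-Host "devices.hotplug is already false on $vmName"
    } else {
        # Setting exists with another value (e.g. true): overwrite it.
        $existing | Set-AdvancedSetting -Value 'false' -Confirm:$false | Out-Null
    }
} else {
    # Same as Edit Configuration > Add Row > devices.hotplug = false
    New-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
}

# Verify by reading the setting back from vCenter rather than trusting the cmdlet output.
$check = Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug'
if (-not $check -or $check.Value -ne 'false') {
    throw "devices.hotplug was not set to false on $vmName"
}
Write-Host "devices.hotplug = $($check.Value) on $vmName; the VM can now be powered on."
```

Wrap the body in a `foreach` over `Get-VM -Name 'RDSH-*'` if you maintain several master images; the power-state check keeps it from silently skipping a running VM.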

VMware Tools

See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.
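The Registry Editor step above as a script, added here as an example and not taken from the original post. It reads `ProviderOrder`, removes `vmhgfs` if present, writes the value back, and also warns if the Shared Folders driver service key exists (which means the feature was installed despite the advice above). Run it elevated on the master image.

```powershell
# Added example: remove vmhgfs (VMware Shared Folders) from the network provider order.
# Run elevated on the master session host after installing VMware Tools.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$name = 'ProviderOrder'

$current = (Get-ItemProperty -Path $key -Name $name).$name
Write-Host "Current ProviderOrder: $current"

# ProviderOrder is a comma-separated REG_SZ, e.g. "RDPNP,LanmanWorkstation,webclient".
$providers = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

if ($providers -contains 'vmhgfs') {
    $cleaned = ($providers | Where-Object { $_ -ne 'vmhgfs' }) -join ','
    Set-ItemProperty -Path $key -Name $name -Value $cleaned -Type String
    Write-Host "Removed vmhgfs. New ProviderOrder: $cleaned"
} else {
    Write-Host 'vmhgfs is not in ProviderOrder; nothing to do.'
}

# The provider entry comes from the Shared Folders feature. If its driver service key is
# present, the feature is installed and should be removed via Modify in VMware Tools setup,
# otherwise a Tools repair/upgrade may re-add the provider.
$hgfsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\vmhgfs'
if (Test-Path $hgfsKey) {
    Write-Warning 'vmhgfs service key exists: VMware Shared Folders appears to be installed.'
}

# Show the final value for the build log.
(Get-ItemProperty -Path $key -Name $name).$name
```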

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK. Note that this removes the hardened Internet zone settings for Internet Explorer on the session host, so control browsing from the host through group policy (IE zones, proxy) instead of relying on IE ESC.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016, click Advanced Options.
  4. If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  5. If Windows Server 2016, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  6. Windows Update will automatically start checking for updates.
  7. Install any updates it recommends.
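Because Sysprep resets Windows Update on every clone, the checkbox above is worth scripting. This added example (not from the original post) uses the Windows Update Agent COM API, which exists on 2008 R2 through 2019, to register Microsoft Update (the "updates for other Microsoft products" option) and then runs the same scan that "Check for updates" does, listing what is pending. Run it elevated; for a whole farm, the group policy route mentioned above is still the better control.

```powershell
# Added example: opt the host into Microsoft Update and list pending updates via the WUA COM API.
# Equivalent to ticking "Give me updates for other Microsoft products" and clicking Check for Updates.

# Well-known service ID of Microsoft Update.
$muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$registered = $serviceManager.Services | Where-Object { $_.ServiceID -eq $muServiceId }

if (-not $registered) {
    # Flags 7 = AllowPendingRegistration | AllowOnlineRegistration | RegisterServiceWithAU
    $serviceManager.AddService2($muServiceId, 7, '') | Out-Null
    Write-Host 'Registered Microsoft Update with Automatic Updates.'
} else {
    Write-Host 'Microsoft Update is already registered.'
}

# Scan for applicable updates that are not installed and not hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3          # ssOthers: search the service named below
$searcher.ServiceID      = $muServiceId
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

Write-Host ("{0} update(s) pending:" -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    Write-Host (" - {0}" -f $u.Title)
}
```

If the host is pointed at WSUS by policy, drop the two `$searcher` property assignments so the scan uses the configured server instead of going to Microsoft Update directly.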

Windows Server 2008 R2 Hotfixes

  • On May 17, 2016, Microsoft released a Convenience Rollup for Windows 2008 R2 and Windows 7. This Rollup includes almost all fixes released after SP1 through April 2016. See the article for the list of excluded hotfixes.

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012 and newer

If this session host is Windows Server 2008 R2, then skip to the next section.

Horizon Agent 7.10 and newer can install the RDSH Role automatically.

To install the RDSH role manually (required in Horizon Agent 7.9 and older):

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. On the Installation Type page, leave it set to Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page.
  4. Check the box next to Remote Desktop Services and click Next.
  5. If Windows Server 2012 R2, expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc. This feature is already installed in Windows Server 2016.
  6. To verify Remote Desktop Services licensing later, on the Features page, expand Remote Server Administration Tools > Role Administration Tools > Remote Desktop Services Tools, and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  7. In the Select role services page, check the box next to Remote Desktop Session Host, and click Next.
  8. Then click Install. Restart is required.
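The Server Manager steps above as a single script, added as an example and not part of the original post. It installs the Session Host role service and the Licensing Diagnoser, adds Desktop Experience only on 2012 R2 (it is built in from 2016 onward), skips anything already installed, and leaves the reboot to you so you can snapshot the master first. Run elevated on 2012 R2 or newer.

```powershell
# Added example: install the RDSH role service and RD Licensing Diagnoser without the GUI.
# Windows Server 2012 R2 / 2016 / 2019; run elevated on the master session host.
Import-Module ServerManager

$features = @(
    'RDS-RD-Server',                    # Remote Desktop Session Host role service
    'RSAT-RDS-Licensing-Diagnosis-UI'   # Remote Desktop Licensing Diagnoser tool
)

# Desktop Experience is a separate feature on 2012 R2 (NT 6.x) only.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') {
    $features += 'Desktop-Experience'
}

$toInstall = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if (-not $toInstall) {
    Write-Host 'All requested features are already installed.'
} else {
    Write-Host ("Installing: {0}" -f ($toInstall.Name -join ', '))
    $result = Install-WindowsFeature -Name $toInstall.Name -IncludeManagementTools -ErrorAction Stop
    $result | Format-Table Success, RestartNeeded, ExitCode -AutoSize
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart required before installing Horizon Agent (Restart-Computer when ready).'
    }
}

# Confirm the role service is present before moving on.
Get-WindowsFeature -Name RDS-RD-Server | Format-Table Name, InstallState -AutoSize
```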

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2, then the instructions are slightly different.

  1. In Server Manager, right-click Roles, and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services, and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host, and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication, and click Next.
  8. In the Specify Licensing Mode page, select Per User, and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine), and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Login to the server. Then click Close.

Remote Desktop Users

In Computer Management (compmgmt.msc), at Local Users and Groups > Groups, edit Remote Desktop Users and add a group like Domain Users. Users can’t login to RDSH unless they are members of this local group. Instead of configuring this group manually on each parent image, you can also use Group Policy to configure it.
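Both local-group changes above (Horizon Admins into Administrators, Domain Users into Remote Desktop Users) in one idempotent script, added here as an example rather than taken from the original post. It needs the `Microsoft.PowerShell.LocalAccounts` module (Windows Server 2016 and newer, or WMF 5.1); the domain and group names are placeholders. Membership is compared by SID so a renamed group is still recognised, and the final listing makes any stray member visible before the image is cloned.

```powershell
# Added example: add domain groups to local Administrators and Remote Desktop Users.
# Requires Microsoft.PowerShell.LocalAccounts (Server 2016+ / WMF 5.1); run elevated.
$domain        = 'CORP'                      # assumed NetBIOS domain name
$horizonAdmins = "$domain\Horizon Admins"    # assumed Horizon administrators group
$rdsUsers      = "$domain\Domain Users"      # assumed group allowed to log on to RDSH

function Add-LocalGroupMemberIfMissing {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member
    )
    # Resolve the member to a SID so the comparison survives renames and case differences.
    $wantedSid = (New-Object System.Security.Principal.NTAccount($Member)).Translate(
                     [System.Security.Principal.SecurityIdentifier])
    $present = Get-LocalGroupMember -Group $Group | Where-Object { $_.SID -eq $wantedSid }
    if ($present) {
        Write-Host "$Member is already in $Group"
    } else {
        Add-LocalGroupMember -Group $Group -Member $Member
        Write-Host "Added $Member to $Group"
    }
}

Add-LocalGroupMemberIfMissing -Group 'Administrators'       -Member $horizonAdmins
Add-LocalGroupMemberIfMissing -Group 'Remote Desktop Users' -Member $rdsUsers

# Review both groups: anything unexpected here is inherited by every clone of this image.
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    Write-Host "`n$g members:"
    Get-LocalGroupMember -Group $g |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
}
```

On 2012 R2, where the module is absent, `net localgroup "Remote Desktop Users" "CORP\Domain Users" /add` does the same job without the membership check.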

Remote Desktop Licensing Configuration

Windows Server 2012 and newer no longer have the Remote Desktop Session Host Configuration console, so Remote Desktop Licensing is configured using group policy (local group policy or domain group policy). The same policy settings also work for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.
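The two local-policy settings above written as their registry equivalents, then verified through the same WMI class the Licensing Diagnoser reads. This is an added example, not from the original post; the license server name is a placeholder. It suits a lab or a master image you are building by hand; for domain-joined hosts, set the same two policies in a domain GPO so they cannot drift.

```powershell
# Added example: configure RD Licensing via the policy registry keys and verify with WMI.
# Run elevated on the session host.
$licenseServers = @('rdlic01.corp.example')   # assumed RD Licensing server(s), FQDN or NetBIOS
$policyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy: "Use the specified Remote Desktop license servers" (REG_MULTI_SZ)
New-Item -Path "$policyKey\LicenseServers" -Force | Out-Null
Set-ItemProperty -Path "$policyKey\LicenseServers" -Name 'SpecifiedLicenseServers' `
    -Value $licenseServers -Type MultiString

# Policy: "Set the Remote Desktop licensing mode": 2 = Per Device, 4 = Per User
Set-ItemProperty -Path $policyKey -Name 'LicensingMode' -Value 4 -Type DWord

# Verify: the TerminalServices WMI namespace requires PacketPrivacy authentication.
$tss = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TerminalServiceSetting `
        -Authentication PacketPrivacy

$modes = @{
    0 = 'Personal Desktop'; 1 = 'Remote Desktop for Administration'
    2 = 'Per Device';       4 = 'Per User';       5 = 'Not configured'
}
Write-Host ("LicensingType : {0} ({1})" -f $tss.LicensingType, $modes[[int]$tss.LicensingType])

$lsList = $tss.GetSpecifiedLicenseServerList().SpecifiedLSList
Write-Host ("License servers: {0}" -f ($lsList -join ', '))

if ($tss.LicensingType -ne 4 -or -not $lsList) {
    Write-Warning 'Licensing not fully configured; re-check the policy keys or run the RD Licensing Diagnoser.'
}
```

A "Not configured" result after writing the keys usually means the policy has not been re-read yet; `gpupdate /force` or a reboot clears it. The Diagnoser output, as the text says, is fine even with zero licenses installed on the license server.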

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.
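The permissions change above as a script, added as an example and not from the original post. It targets BUILTIN\Users by well-known SID (so it works on non-English builds), removes only the explicit Create Folders (AppendData) and Create Files (WriteData) entries, leaves the Read & execute entry alone, and supports `-WhatIf` so you can preview the removal. Run it elevated.

```powershell
# Added example: remove the BUILTIN\Users "Create folders" and "Create files" ACEs from C:\
# so users can only write inside their profile. Run elevated; use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess)]
param([string]$Path = 'C:\')

$acl   = Get-Acl -Path $Path
$users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')  # BUILTIN\Users

# Default root ACEs for Users: ReadAndExecute (keep), CreateDirectories/AppendData on this
# folder and subfolders ("Create folders"), CreateFiles/WriteData on subfolders only
# ("Create files"). Select exactly the last two, explicit Allow entries only.
$rights  = [System.Security.AccessControl.FileSystemRights]
$targets = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $users -and
    ($_.FileSystemRights -eq $rights::CreateDirectories -or $_.FileSystemRights -eq $rights::CreateFiles)
}

if (-not $targets) {
    Write-Host "No Users create-files/create-folders ACEs on $Path; already hardened."
    return
}

foreach ($ace in $targets) {
    $desc = "{0} {1} (Inheritance: {2}, Propagation: {3})" -f `
            $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags
    if ($PSCmdlet.ShouldProcess($Path, "Remove ACE $desc")) {
        # RemoveAccessRuleSpecific matches the rule exactly, so the RX entry is untouched.
        [void]$acl.RemoveAccessRuleSpecific($ace)
        Write-Host "Removed: $desc"
    }
}

if ($PSCmdlet.ShouldProcess($Path, 'Write modified DACL')) {
    # Only the DACL was modified, so only the DACL is written back (owner/SACL untouched).
    Set-Acl -Path $Path -AclObject $acl

    # Show what Users can still do at the root after the change.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

Applications that insist on writing under their own `C:\Program Files` folder will start failing after this; grant those folders specific rights rather than restoring the root ACEs.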

Installs

Install/Upgrade VMware Horizon Agent

Horizon Agent on RDS Hosts (published applications and RDS desktops) lacks a few features that are available on virtual desktops. (source = 2150305 Feature Support Matrix for Horizon Agent)

  • Only Windows 2016 supports Generic USB Redirection. USB Flash Drives and hard drives are supported on 2012 R2.
  • Serial port redirection is available in Horizon Agent 7.6 and newer
  • No Persona. Instead use VMware Dynamic Environment Manager (Horizon Enterprise only), or Microsoft’s roaming profiles, or Microsoft FSLogix Profile Container.
  • Instant-Clones for RDSH was added in Horizon Agent 7.1.
  • Real-time Audio Video is supported on Windows 2016 RDS Hosts. VMware 2148202 Real-Time Audio-Video limitations for remote desktops and apps on Windows Server 2016.

To install View Agent on Remote Desktop Services, do the following:

  1. Windows Server 2019 is supported with Horizon 7.7 and newer.
  2. vSphere 7.0 is supported with Horizon 7.12 and newer.
  3. VMware vSphere 6.7 U1 and VMware vSAN 6.7 Update 1 are supported with Horizon 7.7 and newer.
  4. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
  5. Download Horizon 7.13.3 Agent.
  6. Run the downloaded VMware-Horizon-Agent-x86_64-7.13.3.exe.
  7. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  8. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  9. In the License Agreement page, select I accept the terms, and click Next.

    • In Horizon Agent 7.10 and newer, if RDSH is not installed, then the Horizon Agent installer can install it for you.


    • In older versions, if you see a message about Desktop OS Configuration, then you need to cancel the installer, and install the Remote Desktop Session Host role.
  10. In the Network protocol configuration page, select IPv4, and click Next.
  11. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
    1. USB Redirection is an option.
    2. In Horizon Agent 7.1 and newer, VMware Horizon Instant Clone Agent is an option. You can enable either Instant Clone Agent, or Composer Agent, but not both. Or you can leave both deselected so you can add the machine to a Manual RDS Farm. You can’t add this RDS Host to a Manual RDS Farm unless both options are deselected.
    3. Horizon 7.2 and newer have VMware Virtualization Pack for Skype for Business as an option. See Configure Skype for Business at VMware Docs for details.
    4. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    5. In Horizon 7.6 and newer, Serial Port Redirection is an option for RDS. This requires Horizon Client 4.9.
    6. Horizon 7.3 through Horizon 7.9 have HTML5 Multimedia Redirection. In Horizon 7.10 and newer, HTML5 Browser Redirection seems to be installed automatically (not an optional component). To enable and configure these features, see HTML5 Redirection in Horizon Group Policy.
    7. Horizon 7.6 and newer have an option for Geolocation Redirection. The feature requires a plugin for Internet Explorer 11 and Horizon Client 4.9. No other browsers are supported. See Configuring Geolocation Redirection at VMware Docs.
    8. Horizon 7.5 and newer have an option for Horizon Performance Tracker, which adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    9. Horizon 7.7 and newer have a Hybrid Logon option.
    10. Horizon 7.7 and newer have a VMware Integrated Printing or VMware Advanced Printing option, which replaces the older ThinPrint technology. VMware Advanced Printing requires Horizon Client 4.10 or newer.
    11. If you enable VMware Integrated Printing, then you must disable Virtual Printing, which is higher in the list.

  12. Click Next when done making selections.
  13. Click OK to acknowledge the USB redirection message.
  14. If you see the Register with Horizon 7 Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected both View Composer Agent and Instant Clone Agent features.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes to restart the server.
  18. Horizon Agent 7.13 and newer let you Modify the features that were selected during installation. In older versions, you must uninstall Horizon Agent and reinstall it.
    • If you click Modify from Apps & features (or Programs and Features), it will tell you to open an elevated command prompt and run the command shown in the window.
    • You can’t change from Manual to Instant Clone or back again using this method.
  19. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  20. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  21. There’s also a new IE add-on.
  22. URL Content Redirection is configured using group policy.
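A post-install check that ties the three verification points above together (the `Features_HorizonAgent` registry key, the `UrlRedirection` folder, and the agent services), added here as an example and not part of the original post. The values under `Features_HorizonAgent` are simply enumerated; their exact layout is not documented on this page. Service display names are those shown in services.msc; WMI is used for start mode so the script also works on PowerShell 4.

```powershell
# Added example: verify a Horizon Agent install on an RDS host.
$featuresKey = 'HKLM:\SOFTWARE\VMware, Inc.\Installer\Features_HorizonAgent'
$urlRedirDir = 'C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection'

function Get-HorizonAgentFeatures {
    # Returns one object per value under Features_HorizonAgent, minus the provider's PS* properties.
    if (-not (Test-Path $featuresKey)) { return @() }
    (Get-ItemProperty -Path $featuresKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Feature = $_.Name; Value = $_.Value } }
}

$features = Get-HorizonAgentFeatures
if ($features) {
    Write-Host 'Features recorded by the installer:'
    $features | Format-Table -AutoSize
} else {
    Write-Warning "Feature key not found: $featuresKey (is Horizon Agent installed?)"
}

# URL Content Redirection is only installed when the installer ran with /v URL_FILTERING_ENABLED=1.
if (Test-Path $urlRedirDir) {
    Write-Host "URL Content Redirection present: $urlRedirDir"
} else {
    Write-Host 'URL Content Redirection NOT installed (installer run without URL_FILTERING_ENABLED=1).'
}

# Agent services by display name. The Script Host only matters if you use the load
# balancing script described later, which sets it to Automatic.
foreach ($display in 'VMware Horizon View Agent', 'VMware Horizon View Script Host') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$display'"
    if ($svc) {
        Write-Host ("{0,-34} state={1,-8} startmode={2}" -f $display, $svc.State, $svc.StartMode)
    } else {
        Write-Warning "Service not found: $display"
    }
}
```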

Install/Upgrade Dynamic Environment Manager (DEM) Agent

Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM).

If you are licensed for Dynamic Environment Manager (Horizon Enterprise Edition), install the Dynamic Environment Manager (DEM) Enterprise Agent.

  • DEM Enterprise has the same features that have always been included in Horizon Enterprise, or more. DEM Standard is a reduced-feature version for Horizon 8 Standard Edition.
  • Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2212-10.8-GA\VMware Dynamic Environment Manager Enterprise 2212 10.8 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

UEM 9.6 and newer are supported on Windows Server 2019.

To install the DEM Enterprise Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Based on your entitlement, download either DEM 2212 (10.8) Enterprise Edition, or DEM 2212 (10.8) Standard Edition.

  3. Run the extracted VMware Dynamic Environment Manager Enterprise 2212 10.8 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the Management Console. The Management Console is typically installed on an administrator workstation, not on a master image.

  8. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
  9. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  10. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  11. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value: (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm.

In Horizon 7.8 and newer, you can edit Load Balancing rules directly in Horizon Administrator. You cannot yet configure these settings in Horizon Console. For existing RDS Farms, edit the RDS Farm to see the new settings. Or when creating a new RDS Farm a new page asks you for these settings.

In Horizon 7.7 and older, you can change the load balancing algorithm to be performance-based by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at VMware Docs.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services, and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe “PathToScript”. For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a RDS Farm in Horizon Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm, and click the RDS Host.
  10. Make sure the Server load is reported.
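Steps 1 through 7 above as a script to run elevated on every RDS Host in the farm, added as an example and not taken from the original post. It uses VMware's sample `cpuutilisation.vbs` path from step 6; the registry value name is derived from the script file name, which is the page's recommendation. It fails early if the script is missing, since a host without the script would report no load and fall out of the farm's balancing.

```powershell
# Added example: register a load balancing script with the Horizon Agent on one RDS Host.
$scriptPath = 'C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs'
$regKey     = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad'
$valueName  = [System.IO.Path]::GetFileNameWithoutExtension($scriptPath)   # "cpuutilisation"

# Step 1: the script must exist on this host.
if (-not (Test-Path $scriptPath)) {
    throw "Load script not found: $scriptPath. Copy it to every RDS Host in the farm first."
}

# Steps 2-3: Script Host service set to Automatic and started.
$scriptHost = Get-Service -DisplayName 'VMware Horizon View Script Host' -ErrorAction Stop
Set-Service -Name $scriptHost.Name -StartupType Automatic
if ($scriptHost.Status -ne 'Running') { Start-Service -Name $scriptHost.Name }

# Steps 4-6: String value under RdshLoad containing the cscript command line.
New-Item -Path $regKey -Force | Out-Null
$command = 'cscript.exe "{0}"' -f $scriptPath
Set-ItemProperty -Path $regKey -Name $valueName -Value $command -Type String

# Step 7: restart the agent so it picks up the new script event.
$agent = Get-Service -DisplayName 'VMware Horizon View Agent' -ErrorAction Stop
Restart-Service -Name $agent.Name -Force

# Show the resulting configuration for the build log.
Get-ItemProperty -Path $regKey | Select-Object -Property * -ExcludeProperty PS* | Format-List
Get-Service -Name $scriptHost.Name, $agent.Name | Format-Table DisplayName, Status -AutoSize
```

After the host joins a farm, confirm in Horizon Administrator's dashboard that Server load is reported, as in steps 8 to 10; if it stays blank on one host, the script path or the Script Host service on that host is the usual cause.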

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Symantec

Symantec links:

Trend Micro

Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE until the system has launched successfully. This avoids deadlock situations during login.

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters]
"DisableCtProcCheck"=dword:00000001

Trend Micro Links:

Sophos

CTX238012 Logon process to VDAs is extremely slow when Citrix UPM is enabled. Set the following registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application
    • DisableAsyncScans (DWORD) = 1

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Install Applications

Install applications that will be executed on these machines.

VMware Tech Paper Best Practices for Delivering Microsoft Office 365 In VMware Horizon 7 with Published Applications describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to VMware DEM Personalization.
  • App Masking is an alternative to VMware App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically use FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of FSLogix Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

VMware App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshot.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.
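The registry route described above, as an added PowerShell example (not Microsoft's code and not from the original page). It applies Profile Container settings directly on the FSLogix Agent machine, using the value names documented for FSLogix Profile Container (Enabled, VHDLocations, SizeInMBs, DeleteLocalProfileWhenVHDShouldApply, FlipFlopProfileDirectoryName); the share \\fileserver\Profiles$ is a placeholder, and the script assumes an elevated session on the Horizon Agent machine:

```powershell
# Added example (not from the page or Microsoft): applies FSLogix Profile
# Container settings by registry on an FSLogix Agent machine, as an
# alternative to the FSLogix Group Policy templates.
# Assumption: \\fileserver\Profiles$ is a placeholder share name.
$profileShare = '\\fileserver\Profiles$'   # placeholder, replace with your share
$regPath      = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Prerequisite from install step 6: Windows Search must be Automatic and Running,
# otherwise Outlook search inside the roamed container does not work.
$search = Get-Service -Name WSearch
if ($search.StartType -ne 'Automatic') { Set-Service -Name WSearch -StartupType Automatic }
if ($search.Status -ne 'Running') { Start-Service -Name WSearch }

# Confirm the share is reachable before enabling the agent: if VHDLocations
# cannot be reached at logon, users get a temporary profile instead of their own.
if (-not (Test-Path -LiteralPath $profileShare)) {
    throw "Profile share not reachable: $profileShare"
}

if (-not (Test-Path -LiteralPath $regPath)) { New-Item -Path $regPath -Force | Out-Null }

# Value names are those documented for FSLogix Profile Container.
$settings = @{
    Enabled                              = @{ Type = 'DWord';       Value = 1 }
    VHDLocations                         = @{ Type = 'MultiString'; Value = @($profileShare) }
    SizeInMBs                            = @{ Type = 'DWord';       Value = 30000 }  # the 30 GB default noted above
    DeleteLocalProfileWhenVHDShouldApply = @{ Type = 'DWord';       Value = 1 }      # remove a stale local copy first
    FlipFlopProfileDirectoryName         = @{ Type = 'DWord';       Value = 1 }      # username_SID folder naming
}
foreach ($name in $settings.Keys) {
    $s = $settings[$name]
    New-ItemProperty -Path $regPath -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Read back the effective configuration for review.
Get-ItemProperty -Path $regPath | Select-Object Enabled, VHDLocations, SizeInMBs
```

Lower SizeInMBs if the 30 GB per-user default is more than the profile share can absorb across the farm; the disk is thin-provisioned, but the value is the ceiling each user can grow to.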

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  7. The History tab lets you rollback the optimizations.

Seal and Snapshot

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.
  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  9. Shutdown the master session host.
  10. Edit the Settings of the master virtual machine, and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  11. Take a snapshot of the master session host. View Composer and Instant Clone require a snapshot.
  12. You can now use Horizon View Administrator to create RDS Farms.
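A pre-seal readiness check for steps 3, 5 and 10 above, as an added PowerShell example (not from the original page). It runs inside the master session host and only sees what the guest sees, so the CD-ROM check catches an ISO that is currently mounted, not the virtual machine's CD-ROM setting itself; run it elevated before shutting the master down:

```powershell
# Added example (not from the page): in-guest readiness check for the master
# session host before it is shut down and snapshotted. Covers step 3 (KMS
# licensing and rearm count), step 5 (DHCP on every connected adapter) and
# step 10 (no ISO still mounted inside the guest).
function Test-SealReadiness {
    $result = [ordered]@{}

    # Step 3: parse slmgr.vbs /dlv for licensing state and remaining rearms.
    $dlv = cscript.exe //NoLogo "$env:SystemRoot\System32\slmgr.vbs" /dlv | Out-String
    $result.Licensed  = [bool]($dlv -match 'License Status:\s*Licensed')
    $result.KmsClient = [bool]($dlv -match 'Key Management Service client information')
    $rearm = [regex]::Match($dlv, 'Remaining Windows rearm count:\s*(\d+)')
    $result.RearmsLeft = if ($rearm.Success) { [int]$rearm.Groups[1].Value } else { -1 }

    # Step 5: connected IPv4 adapters should be DHCP; reservations live on the DHCP server.
    $staticNics = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object {
            $_.ConnectionState -eq 'Connected' -and
            $_.Dhcp -ne 'Enabled' -and
            $_.InterfaceAlias -notlike 'Loopback*'
        }
    $result.StaticAdapters = @($staticNics | ForEach-Object InterfaceAlias)

    # Step 10: an ISO still mounted in the guest appears as a CD-ROM volume with a size.
    $result.MountedIsos = @(Get-Volume |
        Where-Object { $_.DriveType -eq 'CD-ROM' -and $_.Size -gt 0 } |
        ForEach-Object DriveLetter)

    $result.Ready = $result.Licensed -and $result.KmsClient -and $result.RearmsLeft -ge 1 -and
                    $result.StaticAdapters.Count -eq 0 -and $result.MountedIsos.Count -eq 0
    [pscustomobject]$result
}

Test-SealReadiness
```

If Ready is false, fix the reported item rather than snapshotting anyway: a master with zero rearms left, or a static address baked in, produces the same problem on every clone built from that snapshot.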

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

Related Pages