VMware Horizon 7 – RDS Farms/Pools

Last Modified: Nov 11, 2020 @ 1:18 pm

This post applies to all VMware Horizon 7 versions including 7.13 (ESB) and 7.10.3 (ESB).

Overview

This post details VMware Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before following this procedure, build a master RDS Session Host.

Before you can publish applications or RDS desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts, then these are different RDS Farms.

Horizon 7.7 and newer support up to 200 RDS farms, and each farm with up to 500 RDS hosts.

  • Horizon 7.6 and older support up to 200 RDS farms, and each farm with up to 200 RDS hosts.

Once the RDS Farms are created, you publish icons from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

The VMware Tech Paper Best Practices For Published Applications And Desktops in VMware Horizon 7 covers:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones and Composer Linked Clones

Horizon 7.1 and newer offer two methods of creating RDS Farm linked clones:

  • Instant Clones
  • Composer Linked Clones

Instant Clones are the preferred method. See the Instant Clones for RDSH in VMware Horizon 7.1 YouTube video. Here is the process:

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
  5. The linked clones can finally be created by forking the parent VM to new linked clone VMs. Notes:
    1. Once the Parent VMs are created, creating/recreating linked clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. See the Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1 YouTube video.

The other RDS Linked Clone option is Horizon Composer. Here are some notes:

  • When Composer creates Linked Clones, Composer uses SysPrep with Customization Specifications. SysPrep is slow.
  • SysPrep is also used whenever the RDS farm is updated with a new master image snapshot.
  • No View Storage Accelerator.
  • No Rebalance.
  • No Refresh. The machines are persistent until you Recompose the farm.
    • The delta disks continue to grow until you Recompose the farm.
    • You can enable Space Reclamation to shrink the delta disks as files are deleted.

Customization Specification – Composer Linked Clones only

If you are using Instant Clones (7.1 and newer), then skip to creating the RDS farm. Customization Specifications are only needed for Composer Linked Clones.

  1. In vCenter, from the Home page, click Customization Specification Manager.
  2. Click the icon to create a new Customization Specification.
  3. In the Specify Properties page, give the spec a name and click Next.
  4. In the Set Registration Information page, enter your normal settings and click Next.
  5. In the Set Computer Name page, select Use the virtual machine name and click Next.
  6. In the Enter Windows License page, select Per seat and click Next.
  7. In the Set Administrator Password page, enter the local administrator password and click Next.
  8. In the Time Zone page, select the time zone and click Next.
  9. In the Run Once page, click Next.
  10. In the Configure Network page, leave it set to Use standard network settings. Horizon requires the VMs to be configured for DHCP. Click Next.
  11. In the Set Workgroup or Domain page, enter credentials that can join the machines to the domain, and click Next.
  12. In the Set Operating System Options page, leave the box checked, and click Next.
  13. In the Ready to complete page, click Finish.

Create an Automatic RDS Farm

If you upgrade vCenter to 6.7, then you must upgrade your ESXi hosts to 6.7 at the same time. Afterwards, take a new snapshot of the master image and perform a push operation. See Upgrade Instant-Clone Desktop Pools at VMware Docs.

Master Image Preparation

  1. Make sure your RDS master Agent has the VMware Horizon Instant Clone Agent feature, or the VMware Horizon View Composer Agent feature installed. You can install one or the other, but not both. Instant Clone Agent is the preferred option.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the linked clones to have.
  6. Take a snapshot of the master image.

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to create a new RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, on the left, expand Inventory, and click Farms.
  2. On the right, click Add.
  3. In the Type page, select Automated Farm, and click Next.
  4. In the vCenter Server page, select Instant Clone, select the vCenter Server, and then click Next.
  5. In the Storage Optimization page, click Next.
  6. In the Identification and Settings page:
    1. Enter a name for the Farm. A VM folder with the same name will be created in vCenter.
    2. Note: There’s no place to set the Display Name here. You do that later when creating a Desktop Pool.
    3. Scroll down to the Farm Settings section.
    4. In the Identification and Settings page, in Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.
    5. Horizon 7.2 and newer support Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    6. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    7. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Global Settings.
    8. To access the Pools/Farm from a web browser using HTML Blast, check the Enabled box next to Allow HTML Access.
    9. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
    10. Max sessions per RDS Host will block connections if this number is exceeded.
  7. Click Next.
  8. In the Provisioning Settings page:
    1. Enter a Naming Pattern. Make sure the name includes {n:fixed=3} or something like that.
    2. In Farm Sizing, enter the number of machines to create.
  9. Click Next.
  10. In the vCenter Settings page, click Browse next to each option and make a selection. These are self-explanatory. Then click Next.
  11. Horizon Administrator 7.8 and newer let you configure Load Balancing Settings for the RDS Farm. You cannot yet configure these settings in Horizon Console. After the RDS Farm is created, you can use Horizon Administrator to edit these settings.
  12. In the Guest Customization page:
    1. Select an OU to place the new virtual machines. This should be an OU that is configured with group policies for the RDSH machines.
    2. Consider the Allow reuse of pre-existing computer accounts check box.
  13. Click Next.
  14. In the Ready to Complete page, click Submit.
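The naming pattern and farm size entered in the Provisioning Settings page can be checked against the per-farm host limits from the Overview before you submit the wizard. The following Python is an added example, not part of the original post and not VMware code; the function names, the sample patterns, and the expansion rules (counter starts at 1, {n:fixed=N} zero-pads to N digits, names limited to the 15-character Windows computer name length) are assumptions.

```python
import re

# Per-farm host limits as stated in the Overview of this page.
MAX_HOSTS_PER_FARM = {"7.7+": 500, "7.6-": 200}
# Windows computer (NetBIOS) names are limited to 15 characters.
NAME_MAX = 15

# Matches {n} or {n:fixed=<digits>}.
TOKEN_RE = re.compile(r"\{n(?::fixed=(\d+))?\}")


def expand_pattern(pattern, count, start=1):
    """Expand a naming pattern into `count` machine names.

    Assumed semantics: {n} becomes the counter, {n:fixed=W} becomes the
    counter zero-padded to W digits, and a pattern without a token gets
    the counter appended to the end.
    """
    matches = list(TOKEN_RE.finditer(pattern))
    if len(matches) > 1:
        raise ValueError("pattern may contain only one {n} token")
    counters = range(start, start + count)
    if not matches:
        return [f"{pattern}{i}" for i in counters]
    m = matches[0]
    width = int(m.group(1)) if m.group(1) else 0
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [head + str(i).zfill(width) + tail for i in counters]


def check_farm_naming(pattern, farm_size, horizon="7.7+"):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []

    # 1. Farm size against the limit for this Horizon version.
    limit = MAX_HOSTS_PER_FARM[horizon]
    if farm_size > limit:
        problems.append(f"farm size {farm_size} exceeds {limit} hosts per farm")

    # 2. The counter width must be able to hold every machine number.
    m = TOKEN_RE.search(pattern)
    if m is None or m.group(1) is None:
        problems.append("no {n:fixed=N} token: name length varies with the counter")
    else:
        width = int(m.group(1))
        capacity = 10 ** width - 1
        if farm_size > capacity:
            problems.append(f"fixed={width} holds at most {capacity} machines")

    # 3. Every generated name must fit in a Windows computer name.
    names = expand_pattern(pattern, farm_size)
    too_long = [n for n in names if len(n) > NAME_MAX]
    if too_long:
        problems.append(
            f"{len(too_long)} name(s) exceed {NAME_MAX} characters, e.g. {too_long[0]}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample plans: (pattern, farm size, Horizon version key).
    plans = [
        ("RDSH-{n:fixed=3}", 500, "7.7+"),
        ("RDSH-{n:fixed=3}", 500, "7.6-"),
        ("RDSH-{n:fixed=2}", 200, "7.7+"),
        ("FINANCE-RDSH-{n:fixed=3}", 10, "7.7+"),
    ]
    for pattern, size, version in plans:
        issues = check_farm_naming(pattern, size, version)
        print(pattern, size, version, "->", issues or "OK")
```
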

To view the status of RDS Farm creation:

  1. Click the farm name.
  2. The bottom of the Summary tab shows you the State of the Publishing progress.

  3. You can watch the progress in vSphere Client. It goes through a couple of longer tasks, including cloning the snapshot, and creating a digest file.
  4. Eventually the tab named RDS Hosts will show the new virtual machines.
  5. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Horizon Administrator

  1. In Horizon Administrator, on the left, expand Resources, and click Farms.
  2. On the right, click Add.
  3. In the Type page, select Automated Farm, and click Next.
  4. In the vCenter Server page, select Instant clones or View Composer linked clones depending on which agent you have installed on your RDS master Agent machine.
  5. Select the vCenter Server, and click Next.
  6. In the Identification and Settings page, enter a name for the Farm. A VM folder with the same name will be created in vCenter.
  7. In the Farm Settings section, set Default Display protocol to VMware Blast.
  8. In Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.
  9. Horizon 7.2 and newer support Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
  10. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  11. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  12. To access the Pools/Farm from a web browser using HTML Blast, check the Enabled box next to Allow HTML Access.
  13. Horizon 7.4 adds a new Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  14. Click Next.
  15. Horizon 7.8 and later have a Load Balancing Settings page that lets you configure the load evaluator rules without having to modify any script. In general, use stable, non-fluctuating rules like session count and Memory usage. Note that CPU usage tends to wildly fluctuate and can prematurely disable connections to an RDS Host. Click Next when done configuring rules.
  16. In the Provisioning Settings page, enter a naming pattern. Make sure the name includes {n:fixed=3} or something like that.
  17. Enter the number of machines to create, and click Next.
  18. In the Storage Optimization page, click Next.
  19. In the vCenter Settings page, click Browse next to each option, and make a selection.
  20. When selecting a datastore, Instant Clones sets the Storage Overcommit to Unbounded automatically. For Composer Linked Clones, set it to Unbounded. Click OK, and then click Next.

  21. If Composer, in the Advanced Storage Options page, decide if you want space reclamation or not. Space reclamation does reduce disk space but increases IOPS while the operation is occurring. If space reclamation is enabled, also configure a Blackout window so the increased IOPS does not affect production usage. Scroll down.
  22. If you scroll down, you’ll see an option for Transparent Page Sharing. By default it is disabled. You can enable it by setting it to Global. This should reduce some memory consumption. Click Next.
  23. For both Instant Clones and Composer, in the Guest Customization page, select an OU.
  24. Consider the Allow reuse of pre-existing computer accounts check box.
  25. For Composer Linked Clones, select a customization specification, and click Next.
  26. In the Ready to Complete page, click Finish.
  27. If you double-click the farm, on the RDS Hosts tab, you can see the progress of the farm creation operation.
  28. Horizon 7.7 and newer show you the status of RDS Drain Mode, which can be enabled on the RDS Host by running change logon /drain.
  29. If Composer, since RDS Farms use SysPrep, it will take some time before they become available.
  30. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm – Instant Clones and Composer Linked Clones

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to add RDS hosts to an existing RDS Automatic Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. On the left, expand Inventory, and click Farms.
  2. On the right, select an existing Automated Farm, and click Edit.
  3. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  4. If the parent VM is already running on the destination host/datastore, then it should only take a minute to add the new VM.
  5. The RDS Hosts tab of the RDS farm shows the new RDS host(s).

Horizon Administrator

  1. On the left, expand Resources, and click Farms.
  2. On the right, highlight an existing Automated Farm, and click Edit.
  3. Switch to the Provisioning Settings tab, and change the Max number of machines. Then click OK.
  4. For Instant Clones, if the parent VM is already running on the destination host/datastore, then it should only take a minute to add the new VM.
  5. Composer Linked Clones use SysPrep, which takes a while to add the virtual machines. The new VMs reboot several times during the provisioning and customization process.
  6. The farm now has new RDS host(s).

Update an Automatic Farm – Instant Clones and Composer Linked Clones

Master Image Preparation

  1. Power on the master session host.
  2. Log in and make changes.
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine, and take a snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to update an existing RDS Automatic Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, go to Inventory > Farms.
  2. Click the farm name’s link.
  3. On the Summary tab, click Maintain, and then click Schedule.
  4. One option is to schedule Recurring reboots, which revert the RDS Hosts to a clean state.
  5. To push out an updated Master Image, change the Schedule to Immediate.
  6. Select Start Now, or select Start at a future date/time. Click Next.
  7. In the Image page, uncheck the box next to Use current parent VM image, select the new snapshot, and click Next.
  8. In the Scheduling page, decide if the reboot should wait for users to log off, decide when to apply this new image, and then click Next.
  9. In the Ready to Complete page, click Finish.
  10. The RDS Farm’s Summary tab (scroll down) shows you that it’s publishing the new image.

  11. On the RDS Hosts tab, you can check on the status of the maintenance task.
  12. It will take a few minutes to create a new parent VM. Once the parent VM is created, the Instant Clones are quickly deleted and recreated.

Horizon Administrator

  1. In View Administrator, go to Resources > Farms.
  2. Double-click a farm name.
  3. For Composer Linked Clones, before beginning the Maintenance/Recompose operation, edit the Farm, and on the Provisioning Settings tab, consider specifying a minimum number of ready machines during Instant Clone (or View Composer) maintenance operations. If you leave this set to 0, then all machines will be in maintenance mode, and nobody can connect until Maintenance/Recompose is complete. Instant Clones are recreated quickly enough that this setting might not be needed.
  4. If Instant Clones, on the Summary tab, click Maintenance, and then click Schedule.
  5. If Composer Linked Clones, on the Summary tab, click Recompose.
  6. Instant Clones lets you either schedule recurring reboots, or you can change the Schedule to Immediate to update the machines now (or one time in the future). Click Next.
  7. In the Image page, uncheck the box next to Use current parent VM image, select the new snapshot, and click Next.

  8. In the Scheduling page, decide if the reboot should wait for users to log off, decide when to apply this new image, and then click Next.

  9. In the Ready to Complete page, click Finish.

  10. On the RDS Hosts tab, you can check on the status of the maintenance/recompose task.
  11. Horizon 7.7 and newer show you the status of RDS Drain Mode, which can be enabled on the RDS Host by running change logon /drain.
  12. If Instant Clones, it will take a few minutes to create a new parent VM. Once the parent VM is created, the Instant Clones are quickly deleted and recreated.
  13. If Composer Linked Clones, Composer uses SysPrep, which means this will take a while.

Instant Clones Maintenance

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to perform Instant Clone Maintenance. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. If you click an Instant Clones RDS Farm name…
  2. And switch to the RDS Hosts tab, you can select a machine, and then click Recover. This causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  3. On the Summary tab of the RDS Farm, you can click Maintain > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  4. Specify how often you want the reboot to occur, and then click Next.
  5. In the Image page, you don’t have to change the snapshot. Click Next.
  6. Decide what to do about logged on users, and click Next.
  7. In the Ready to Complete page, click Finish.
  8. If you click the Maintain menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  9. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  10. In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Horizon Administrator

  1. If you double-click an RDS Farm that contains Instant Clones, and switch to the RDS Hosts tab, you can right-click a machine, and click Recover. This causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  2. On the Summary tab of the RDS Farm, you can click Maintenance > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  3. Specify how often you want the reboot to occur, and then click Next.
  4. In the Image page, you don’t have to change the snapshot. Click Next.
  5. Decide what to do about logged on users, and click Next.
  6. In the Ready to Complete page, click Finish.
  7. If you click the Maintenance menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  8. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  9. In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to publish a manual RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. Make sure neither the View Composer Agent nor the Instant Clone Agent is installed on your RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.
  2. In Horizon Console, go to Settings > Registered Machines and make sure your manually-built RDS Host is registered and listed on the RDS Hosts tab.
  3. On the left, expand Inventory, and click Farms.
  4. On the right, click Add.
  5. In the Type page, select Manual Farm, and click Next.
  6. In the Identification and Settings page, enter a name for the Farm.
  7. Scroll down to the Farm Settings section.

    1. There is a pre-launch option. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    2. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    3. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
    4. Check the Enabled box next to Allow HTML Access.
    5. There is an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  8. Click Next.
  9. Horizon Administrator 7.8 and newer let you configure Load Balancing Settings for the RDS Farm. You cannot yet configure these settings in Horizon Console. After the RDS Farm is created, you can use Horizon Administrator to edit these settings.
  10. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  11. In the Ready to Complete page, click Submit.
  12. If you click the farm name…
  13. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Horizon Administrator

To create a manual RDS Farm (no linked clones), do the following:

  1. Make sure neither the View Composer Agent nor the Instant Clone Agent is installed on your RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.
  2. In View Administrator, expand View Configuration and click Registered Machines. Make sure your manually-built RDS Host is registered and listed on the RDS Hosts tab.

  3. In View Administrator, on the left, expand Resources and click Farms.
  4. On the right, click Add.
  5. In the Type page, select Manual Farm and click Next.
  6. In the Identification and Settings page, enter a name for the Farm.
  7. In the Farm Settings section, set the Default display protocol to VMware Blast.
  8. Horizon 7.2 adds pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
  9. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  10. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  11. Check the Enabled box next to Allow HTML Access.
  12. Horizon 7.4 adds a new Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  13. Click Next.
  14. Horizon 7.8 and later have a Load Balancing Settings page that lets you configure the load evaluator rules without having to modify any script. In general, use stable, non-fluctuating rules like session count and Memory usage. Note that CPU usage tends to wildly fluctuate and can prematurely disable connections to an RDS Host. Click Next when done configuring rules.
  15. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  16. In the Ready to Complete page, click Finish.
  17. If you double-click the farm name…
  18. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Publish Desktop

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to publish a desktop from an RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click Add.
  3. In the Type page, select RDS desktop Pool, and click Next.
  4. In the Desktop Pool ID page, enter an ID and name. They can be different. The ID cannot contain spaces. Click Next.
  5. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    2. You can type in a new category folder name, or select an existing one. Also select Shortcut Locations.
    3. Horizon 7.3 and newer have a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group.
    4. Notes on Client Restrictions:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Submit.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Inventory > Farms and click your farm name, there will be an RDS Pools tab, where you can see which Desktop Pool is associated with this farm. An RDS Farm can only belong to one Desktop Pool.

Horizon Administrator

To publish a desktop from an RDS farm, do the following:

  1. In View Administrator, on the left, expand Catalog, and click Desktop Pools.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool Identification page, enter an ID and name. They can be different. Click Next.
  5. In the Desktop Pool Settings page:
    1. Horizon 7.3 and newer let you select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    2. Horizon 7.5 and newer let you put the shortcut on the endpoint’s desktop.
    3. Horizon 7.3 and newer have a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group. Notes:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
    4. Horizon 7.7 and newer have an option to Allow user to initiate separate sessions from different client devices.
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Finish.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Resources > Farms and double-click your farm, there will be an RDS Pools tab, where you can see which Desktop Pool is associated with this farm.

Publish Applications

Horizon Console

This section uses Horizon Console (https://<View_Connection_Server>/newadmin) to publish applications from an RDS Farm. If you prefer Horizon Administrator, or if your Horizon isn’t 7.5 or newer, then skip to the next section.

  1. In Horizon Console, on the left, expand Inventory, and click Applications.
  2. On the right, click Add, and then click Add from Installed Applications.
  3. In the Select Applications page, select a RDS Farm.
  4. The purpose of this wizard is to publish and entitle applications from an RDS Farm. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually.
  5. Select one or more applications. Notice that File Explorer is not one of the options. You can manually add that application later.
  6. There are additional options at the bottom of the Select Applications page. Notice the Entitle users box is checked by default.

    1. There’s a Pre-launch option for published applications. You can optionally enable it on at least one application, and then entitle the pre-launch application to the users that need the Pre-launch feature.
    2. You can assign tags for Connection Server restrictions, which lets you control visibility of icons for internal users vs external users.
    3. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop. This feature requires Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    4. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes on Client Restriction:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
  7. Click Next when done.
  8. The Edit Applications page lets you rename the published icons. Click Submit when done.
  9. Click Add to select a group that can see these icons. This is the normal entitlement process.

    1. There is an option for Unauthenticated users, which is detailed at Providing Unauthenticated Access for Published Applications at VMware Docs.
    2. Before you can configure Unauthenticated Access on published applications, you must add a Domain Account that will be used for anonymous access at Users and Groups > Unauthenticated Access.
    3. Then go to Settings > Servers and Edit a Connection Server.
    4. On the Authentication tab…
    5. …enable Unauthenticated Access, and select the Default unauthenticated access user account.
    6. Horizon 7.6 and newer have a Login Deceleration Level option, which requires Horizon Client 4.9. See Configure Login Deceleration for Unauthenticated Access to Published Applications at VMware Docs.
    7. Back in your entitlement, you select Unauthenticated Users, and entitle it to the Domain User that is your anonymous account.
  10. You can run the Add Application Pool wizard again to publish more applications with different entitlements.
  11. If you click the name of one of the application pools…
  12. …on the Entitlements tab, you can change the entitlements.

In Horizon Console 7.11 and newer, if you click a Farm name, you can view Sessions connected to that Farm and the published application each user is running. Monitor > Sessions does not show published application information, but RDS Farm > Sessions does.

  1. In Horizon Console, on the left, expand Inventory and click Farms.
  2. On the right, click the link for one of the farms.
  3. Switch to the tab named Sessions.
  4. As you scroll down the table you’ll see sessions with Type = Application.
  5. If you scroll to the right, you’ll see the Application Name in the far-right column.

Icon for Published Application

  1. In Horizon 7.9 and newer, you can select an Application Pool, then open the Application Icon menu and click Associate Application Icon.

  2. In older Horizon, use PowerShell to change the icons. See the YouTube video Customizing Horizon RDSH Application Icons.

Show application pools associated with RDS Farm:

  1. If you go to Inventory > Farms, click your farm name…
  2. …and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. You can click the link for a pool to be taken to the pool’s property pages.

Instead of publishing an existing application from the Start Menu, you can add an application manually:

  1. Go to Inventory > Applications, click Add, and select Add Manually.
  2. File Explorer is an application that has to be added manually.

  3. When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast (Source = RDS Desktop being presented when opening an app at VMware Communities)

Horizon Administrator

  1. In View Administrator, on the left, expand Catalog, and click Application Pools.
  2. On the right, click Add.
  3. The purpose of this wizard is to publish applications from an RDS Farm, and entitle them. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times, and select different applications. Once the applications are published, you can change their entitlements individually.
  4. At the top of the window, select an RDS farm.
  5. Select one or more applications.
  6. There are additional options at the bottom of the window.

    1. Horizon 7.2 and newer have a Pre-launch option for published applications. Enable it on at least one application, and entitle the application to the users that need the Pre-launch feature.
    2. Horizon 7.7 and newer have an option for Multi-session Mode, which lets users launch multiple sessions from different clients.
    3. Horizon 7.2 and newer have the ability to assign tags (Connection Server restrictions) to RDS Desktop Pools.
    4. Horizon 7.3 and newer let you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    5. Horizon 7.5 and newer let you put the shortcut on the endpoint’s desktop.
    6. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes:
      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
  7. Click Next when done.
  8. Or you can add an application manually by changing the radio button to Add application pool manually. Notice that Explorer is not one of the listed applications, so Explorer will need to be added manually.

    • When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast (Source = RDS Desktop being presented when opening an app at VMware Communities)
  9. Notice the Entitle users box is checked by default. All of the applications in this list will receive the same entitlements. Click Finish.
  10. Then click Add to select a group that can see these icons.
  11. Horizon 7.1 and newer supports Unauthenticated users, which is detailed at Providing Unauthenticated Access for Published Applications at VMware Docs. Click OK when done.




  12. You can run the wizard again to publish more applications with different entitlements.
  13. If you double-click one of the application pools, on the Entitlements tab, you can change the entitlements.
  14. In Horizon 7.1 and newer, icons for the published apps can be changed using PowerShell. See the YouTube video Customizing Horizon RDSH Application Icons.
  15. If you go to Resources > Farms, double-click your farm, and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. Notice you can’t really do anything from here.
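The Client Restrictions notes above depend on what is in the entitled AD group and where the client computer accounts live. The following PowerShell audit is an added example (not from the original post or from VMware): it lists the group's direct members and flags the ones the notes say will not work. The group name and version defaults are placeholders, and the ActiveDirectory RSAT module is assumed.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Hypothetical group name: use the computer group entitled to the restricted pool.
    [string]$GroupName = 'Horizon-Restricted-Clients',
    # Version of your Connection Servers; decides whether the container rule applies.
    [version]$HorizonVersion = '7.7'
)

# Default Computers container of the current domain (CN=Computers,DC=...).
$computersContainer = (Get-ADDomain).ComputersContainer

$findings = foreach ($member in Get-ADGroupMember -Identity $GroupName) {
    # Parent container = DN minus its first RDN; escaped commas inside the RDN are skipped.
    $parent = $member.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''

    $status = if ($member.objectClass -ne 'computer') {
        # The entitlement is meant for client computer accounts only.
        'Not a computer account'
    } elseif ($HorizonVersion -lt [version]'7.8' -and $parent -ne $computersContainer) {
        # Before 7.8 the computer must sit in the default Computers container.
        'Outside the default Computers container (needs Horizon 7.8 or newer)'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Name   = $member.Name
        Class  = $member.objectClass
        Parent = $parent
        Status = $status
    }
}

if (@($findings).Count -eq 0) {
    Write-Warning "Group '$GroupName' has no members: with Client Restrictions enabled, no client can open the pool."
    exit 1
}

$findings | Sort-Object Status, Name | Format-Table -AutoSize

# Non-zero exit code when anything needs attention, so the audit can run as a scheduled check.
if (@($findings | Where-Object Status -ne 'OK').Count -gt 0) { exit 1 }
```

Casting to [version] makes 7.13 compare as newer than 7.8, which a plain string or decimal comparison would get wrong.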

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool at VMware Docs.

Do the following to configure Anti-Affinity in Horizon Console or Horizon Administrator:

  1. On the left, go to Inventory > Applications or go to Catalog > Application Pools.
  2. On the right, edit an existing application pool.

  3. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of process name matches that can run on a single RDS Host.

VMware Horizon 7.13.3 – Master RDS Host

Last Modified: Mar 22, 2023 @ 6:00 am

Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Windows Server 2019 is supported for Horizon Agents 7.7 and newer.
  • Windows Server 2016 is supported for Horizon View Agents 7.0.3 and newer.
  • For 2012 R2 or newer, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure that no ISO file is configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016, click Advanced Options.
  4. If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  5. If Windows Server 2016, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  6. Windows Update will automatically start checking for updates.
  7. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

  • On May 17, 2016, Microsoft released a Convenience Rollup for Windows 2008 R2 and Windows 7. This Rollup includes almost all fixes released after SP1 through April 2016. See the article for the list of excluded hotfixes.

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012 and newer

If this session host is Windows Server 2008 R2, then skip to the next section.

Horizon Agent 7.10 and newer can install the RDSH Role automatically.

To install the RDSH role manually (required in Horizon Agent 7.9 and older):

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. On the Installation Type page, leave it set to Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page.
  4. Check the box next to Remote Desktop Services and click Next.
  5. If Windows Server 2012 R2, expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc. This feature is already installed in Windows Server 2016.
  6. To verify Remote Desktop Services licensing, in the Features page, expand Remote Server Administration Tools > Role Administration Tools > Remote Desktop Services Tools, and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  7. In the Select role services page, check the box next to Remote Desktop Session Host, and click Next.
  8. Then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2, then the instructions are slightly different.

  1. In Server Manager, right-click Roles, and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services, and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host, and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication, and click Next.
  8. In the Specify Licensing Mode page, select Per User, and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine), and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Log in to the server. Then click Close.

Remote Desktop Users

In Computer Management (compmgmt.msc), at Local Users and Groups > Groups, edit Remote Desktop Users and add a group like Domain Users. Users can’t log in to RDSH unless they are members of this local group. Instead of configuring this group manually on each parent image, you can also use Group Policy to configure it.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 and newer is using group policy (local group policy or domain group policy). This also works for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.
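Two of the master image settings described above can be verified from an elevated PowerShell prompt before the image is cloned: the vmhgfs entry in ProviderOrder (VMware Tools section) and the Users create permissions on C:\. This audit is an added example, not part of the original post; the -FixProviderOrder switch is a name chosen for this example, and the ACL check is read-only, so remediation stays with the steps above.

```powershell
param(
    # Example-only switch: rewrite ProviderOrder without vmhgfs instead of just reporting it.
    [switch]$FixProviderOrder
)

$report = @()

# --- VMware Tools: vmhgfs must not be listed as a network provider ---
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order     = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
# ProviderOrder is a comma-separated string; keep the remaining providers in their original order.
$providers = @($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($providers -contains 'vmhgfs') {
    $cleaned = @($providers | Where-Object { $_ -ne 'vmhgfs' }) -join ','
    if ($FixProviderOrder) {
        Set-ItemProperty -Path $orderKey -Name ProviderOrder -Value $cleaned
        $report += [pscustomobject]@{ Check = 'ProviderOrder'; Result = 'FIXED'; Detail = "now '$cleaned'" }
    } else {
        $report += [pscustomobject]@{ Check = 'ProviderOrder'; Result = 'FAIL'; Detail = "vmhgfs listed in '$order'" }
    }
} else {
    $report += [pscustomobject]@{ Check = 'ProviderOrder'; Result = 'PASS'; Detail = $order }
}

# --- C:\ permissions: BUILTIN\Users should no longer be able to create files or folders ---
$usersSid   = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users, independent of OS language
$createMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

# Ask for SIDs instead of names so the comparison does not depend on name translation.
$rules = (Get-Acl -Path 'C:\').GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$createRules = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $createMask) -ne 0
})

if ($createRules.Count -gt 0) {
    foreach ($rule in $createRules) {
        $report += [pscustomobject]@{
            Check  = 'C:\ ACL'
            Result = 'FAIL'
            Detail = "Users: $($rule.FileSystemRights) (inheritance: $($rule.InheritanceFlags), propagation: $($rule.PropagationFlags))"
        }
    }
} else {
    $report += [pscustomobject]@{ Check = 'C:\ ACL'; Result = 'PASS'; Detail = 'No create rights for Users' }
}

$report | Format-Table -AutoSize -Wrap

# Non-zero exit code lets an image build pipeline stop on a failed check.
if ($report.Result -contains 'FAIL') { exit 1 }
```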

Installs

Install/Upgrade VMware Horizon Agent

View Agent for RDS Hosted Apps Desktops is missing a few features. (source = 2150305 Feature Support Matrix for Horizon Agent)

  • Only Windows 2016 supports Generic USB Redirection. USB Flash Drives and hard drives are supported on 2012 R2.
  • Serial port redirection is available in Horizon Agent 7.6 and newer
  • No Persona. Instead use VMware Dynamic Environment Manager (Horizon Enterprise only), or Microsoft’s roaming profiles, or Microsoft FSLogix Profile Container.
  • Instant-Clones for RDSH was added in Horizon Agent 7.1.
  • Real-time Audio Video is supported on Windows 2016 RDS Hosts. VMware 2148202 Real-Time Audio-Video limitations for remote desktops and apps on Windows Server 2016.

To install View Agent on Remote Desktop Services, do the following:

  1. Windows Server 2019 is supported with Horizon 7.7 and newer.
  2. vSphere 7.0 is supported with Horizon 7.12 and newer.
  3. VMware vSphere 6.7 U1 and VMware vSAN 6.7 Update 1 are supported with Horizon 7.7 and newer.
  4. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
  5. Download Horizon 7.13.3 Agent.
  6. Run the downloaded VMware-Horizon-Agent-x86_64-7.13.3.exe.
  7. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  8. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  9. In the License Agreement page, select I accept the terms, and click Next.

    • In Horizon Agent 7.10 and newer, if RDSH is not installed, then the Horizon Agent installer can install it for you.


    • In older versions, if you see a message about Desktop OS Configuration, then you need to cancel the installer, and install the Remote Desktop Session Host role.
  10. In the Network protocol configuration page, select IPv4, and click Next.
  11. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
    1. USB Redirection is an option.
    2. In Horizon Agent 7.1 and newer, VMware Horizon Instant Clone Agent is an option. You can enable either Instant Clone Agent, or Composer Agent, but not both. Or you can leave both deselected so you can add the machine to a Manual RDS Farm. You can’t add this RDS Host to a Manual RDS Farm unless both options are deselected.
    3. Horizon 7.2 and newer have VMware Virtualization Pack for Skype for Business as an option. See Configure Skype for Business at VMware Docs for details.
    4. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    5. In Horizon 7.6 and newer, Serial Port Redirection is an option for RDS. This requires Horizon Client 4.9.
    6. Horizon 7.3 through Horizon 7.9 have HTML5 Multimedia Redirection. In Horizon 7.10 and newer, HTML5 Browser Redirection seems to be installed automatically (not an optional component). To enable and configure these features, see HTML5 Redirection in Horizon Group Policy.
    7. Horizon 7.6 and newer have an option for Geolocation Redirection. The feature requires a plugin for Internet Explorer 11 and Horizon Client 4.9. No other browsers are supported. See Configuring Geolocation Redirection at VMware Docs.
    8. Horizon 7.5 and newer have an option for Horizon Performance Tracker, which adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    9. Horizon 7.7 and newer have a Hybrid Logon option.
    10. Horizon 7.7 and newer have a VMware Integrated Printing or VMware Advanced Printing option, which replaces the older ThinPrint technology. VMware Advanced Printing requires Horizon Client 4.10 or newer.
    11. If you enable VMware Integrated Printing, then you must disable Virtual Printing, which is higher in the list.

  12. Click Next when done making selections.
  13. Click OK to acknowledge the USB redirection message.
  14. If you see the Register with Horizon 7 Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected both View Composer Agent and Instant Clone Agent features.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes to restart the server.
  18. Horizon Agent 7.13 and newer let you Modify the features that were selected during installation. In older versions, you must uninstall Horizon Agent and reinstall it.
    • If you click Modify from Apps & features (or Programs and Features), it will tell you to open an elevated command prompt and run the command shown in the window.
    • You can’t change from Manual to Instant Clone or back again using this method.
  19. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  20. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  21. There’s also a new IE add-on.
  22. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM).

If you are licensed for Dynamic Environment Manager (Horizon Enterprise Edition), install the Dynamic Environment Manager (DEM) Enterprise Agent.

  • DEM Enterprise has the same or more features than have always been included in Horizon Enterprise. DEM Standard is a reduced-feature version for Horizon 8 Standard Edition.
  • Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2212-10.8-GA\VMware Dynamic Environment Manager Enterprise 2106 10.3 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

UEM 9.6 and newer are supported on Windows Server 2019.

To install the DEM Enterprise Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Based on your entitlement, download either DEM 2212 (10.8) Enterprise Edition, or DEM 2212 (10.8) Standard Edition.

  3. Run the extracted VMware Dynamic Environment Manager Enterprise 2212 10.8 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the Management Console. The Management Console is typically installed on an administrator workstation, not on a master image.

  8. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
  9. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  10. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  11. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value: (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm.

In Horizon 7.8 and newer, you can edit Load Balancing rules directly in Horizon Administrator. You cannot yet configure these settings in Horizon Console. For existing RDS Farms, edit the RDS Farm to see the new settings. Or when creating a new RDS Farm a new page asks you for these settings.

In Horizon 7.7 and older, you can change the load balancing algorithm to be performance-based by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at VMware Docs.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services, and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe "PathToScript". For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a RDS Farm in Horizon Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm, and click the RDS Host.
  10. Make sure the Server load is reported.
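Steps 1 through 7 above can be scripted so that every RDS Host in the farm gets the same configuration. The following PowerShell is an added example, not from the original post or from VMware; it assumes the service display names are exactly as written in the steps and uses the cpuutilisation.vbs sample script named above as the default. Run it elevated on each RDS Host.

```powershell
param(
    # File name of the load balancing script inside the Agent scripts folder.
    [string]$ScriptName = 'cpuutilisation.vbs'
)

$ErrorActionPreference = 'Stop'

# Step 1: the script must exist in the Agent scripts folder on this host.
$scriptDir  = 'C:\Program Files\VMware\VMware View\Agent\scripts'
$scriptPath = Join-Path -Path $scriptDir -ChildPath $ScriptName
if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Load balancing script not found: $scriptPath"
}

# Steps 2-3: set the Script Host service to start automatically, then start it.
# The display name is taken from the steps above.
$scriptHost = Get-Service -DisplayName 'VMware Horizon View Script Host'
Set-Service -Name $scriptHost.Name -StartupType Automatic
if ($scriptHost.Status -ne 'Running') {
    Start-Service -Name $scriptHost.Name
}

# Steps 4-6: create a String Value named after the script under RdshLoad.
$key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad'
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}
# The script path contains spaces, so it is wrapped in double quotes.
$command = 'cscript.exe "{0}"' -f $scriptPath
New-ItemProperty -Path $key -Name $ScriptName -PropertyType String -Value $command -Force | Out-Null

# Step 7: restart the Agent service so it picks up the new value.
Restart-Service -DisplayName 'VMware Horizon View Agent' -Force

# Show what is registered now. More than one value here means more than one script is configured.
Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
Get-Service -Name $scriptHost.Name | Select-Object -Property DisplayName, Status, StartType
```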

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Trend Micro

Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE until the system has launched successfully. This avoids deadlock situations during login.

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters]
"DisableCtProcCheck"=dword:00000001

Sophos

CTX238012 Logon process to VDAs is extremely slow when Citrix UPM is enabled. Set the following registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application
    • DisableAsyncScans (DWORD) = 1

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon.

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Install Applications

Install applications that will be executed on these machines.

VMware Tech Paper Best Practices for Delivering Microsoft Office 365 In VMware Horizon 7 with Published Applications describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to VMware DEM Personalization.
  • App Masking is an alternative to VMware App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically use FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of FSLogix Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

VMware App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshot.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  7. The History tab lets you roll back the optimizations.

Seal and Snapshot

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  9. Shut down the master session host.
  10. Edit the Settings of the master virtual machine, and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  11. Take a snapshot of the master session host. View Composer and Instant Clone require a snapshot.

  12. You can now use Horizon View Administrator to create RDS Farms.
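
Several of the sealing checks above can be read from inside Windows in one pass: licensing and rearm count (step 3), leftover local profiles (step 4), DHCP (step 5), and the Windows Search requirement from the FSLogix installation. The following PowerShell is an added example, not part of the original post; the function names are hypothetical, it only reads state, and it assumes an elevated PowerShell 5.1 session on the master session host.

```powershell
# Added example: read-only pre-seal checks for the master session host.
# Function names are hypothetical; the WMI classes and cmdlets ship with Windows.

function New-CheckResult {
    param([string] $Check, [bool] $Passed, [string] $Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-KmsAndRearm {
    # Seal step 3: the same data that "slmgr.vbs /dlv" displays.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows application ID
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID = '$windowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
    $rearms = (Get-CimInstance -ClassName SoftwareLicensingService).RemainingWindowsReArmCount

    $isKms      = $product -and $product.Description -match 'VOLUME_KMSCLIENT'
    $isLicensed = $product -and $product.LicenseStatus -eq 1   # 1 = Licensed
    New-CheckResult -Check 'KMS licensed, rearm remaining' `
        -Passed ([bool] ($isKms -and $isLicensed -and $rearms -ge 1)) `
        -Detail "Description='$($product.Description)'; LicenseStatus=$($product.LicenseStatus); RearmsLeft=$rearms"
}

function Test-LocalProfiles {
    # Seal step 4: user profiles still on disk. Special = TRUE marks system profiles.
    $current  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $leftover = @(Get-CimInstance -ClassName Win32_UserProfile -Filter 'Special = FALSE' |
        Where-Object { $_.SID -ne $current })
    New-CheckResult -Check 'No leftover local profiles' `
        -Passed ($leftover.Count -eq 0) `
        -Detail ('Leftover: ' + ($leftover.LocalPath -join ', '))
}

function Test-Dhcp {
    # Seal step 5: every IP-enabled adapter should get its address from DHCP.
    $adapters = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $static   = @($adapters | Where-Object { -not $_.DHCPEnabled })
    New-CheckResult -Check 'Adapters configured for DHCP' `
        -Passed ($adapters.Count -gt 0 -and $static.Count -eq 0) `
        -Detail ('Static adapters: ' + ($static.Description -join ', '))
}

function Test-WindowsSearch {
    # FSLogix installation step 6; only meaningful when FSLogix is on the image.
    $svc = Get-Service -Name WSearch -ErrorAction SilentlyContinue
    $ok  = $svc -and $svc.StartType -eq 'Automatic' -and $svc.Status -eq 'Running'
    $detail = if ($svc) { "StartType=$($svc.StartType); Status=$($svc.Status)" }
              else { 'Service WSearch not found' }
    New-CheckResult -Check 'Windows Search Automatic and Running' -Passed ([bool] $ok) -Detail $detail
}

$results = @(Test-KmsAndRearm; Test-LocalProfiles; Test-Dhcp; Test-WindowsSearch)
$results | Format-Table -AutoSize -Wrap

if ($results.Passed -contains $false) {
    Write-Warning 'Master image is not ready to seal; fix the failed checks before taking the snapshot.'
}
```

The CD-ROM/ISO check in step 10 is a vSphere-side setting and is not covered by this script.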

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

VMware Horizon 7 – Virtual Desktop Pools

Last Modified: Mar 8, 2022 @ 8:04 am

This article details Horizon pool configuration for Virtual Desktops. RDS Farms and pools are detailed in a separate article at https://www.carlstalhood.com/vmware-horizon-7-rds-farmspools/.

This post applies to all VMware Horizon 7 versions including 7.13 (ESB) and 7.10.3 (ESB).

Non-Persistent – Instant Clone vs Composer

In general, use Instant Clone, if possible. Here are some advantages of Instant Clone over Composer:

  • No Composer server needed.
  • Faster provisioning and recompose, and lower IOPS during these operations.
  • If multiple datastores, rebalance is automatic.
    • With Composer, rebalance is a manual operation.
  • Composer features like Disposable Disks and disk space reclamation are not needed with Instant Clones.

Requirements for Instant Clones:

  • Horizon Enterprise licenses
    • All editions of Horizon 7.13 include Instant Clone licensing. Since Composer was removed from Horizon 8, start migrating to Instant Clones.
  • ESXi 6 Update 1 or newer
  • Virtual Machine hardware version 11 or newer
  • View Storage Accelerator must be enabled

Notes on Instant Clones:

  • Horizon 7.9 and newer support delaying desktop refresh (not recommended), just like you can with Composer.
  • Horizon 7.3 and newer support dedicated desktop pools.
  • Horizon 7.1 and newer support Linked Clones for RDS Pools.
  • The master VM snapshot is copied to every LUN containing instant clones. Composer does the same.
  • Instant Clone pools create “Parent” machines on each ESXi host for each datastore. These “parent” machines are powered on and consume CPU/Memory/Disk resources. If you have six hosts and three datastores containing instant clones, then Horizon creates 18 parent virtual machines.
    • For lower density pools, Horizon 7.13 supports Smart Provisioning, which eliminates the need for “Parent” machines when there are fewer than 12 single-pool VMs per host. See the Smart Provisioning YouTube video for an overview.
    • Prior to Horizon 7.13, Instant Clone pools always create Parent machines no matter the size of the Instant Clone pool.
    • Composer does not need parent virtual machines.
  • Persistent disks are not supported with Instant Clones
    • An alternative is VMware App Volumes Writable Volumes
  • Persona is not supported with Instant Clones.
  • See Instant-Clone Desktop Pools at VMware Docs.
  • Also see VMware Technical White Paper VMware Horizon 7 Instant-Clone Desktops and RDSH Servers

Infrastructure Prep

  • Each desktop pool points to one vSphere cluster.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
    • Instant clones require static port binding with the elastic port allocation. Do not change the port binding to ephemeral.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
  • KMS Licensing is required – MAK licensing is not supported
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label, GPU) specified on the master virtual desktop. Adjust accordingly.
  • The master image should be in the same vSphere cluster where the linked clone virtual desktops will be created.
  • If Instant Clone:
    • ESXi must be version 6 update 1 or newer
    • Master VM must be hardware version 11 or newer
    • In Horizon Administrator, add Instant Clone Domain Accounts
    • In Horizon Administrator, enable View Storage Accelerator on your vCenter connection.
    • If you upgrade vCenter to 6.7, then you must upgrade your ESXi hosts to 6.7 at the same time. Afterwards, take a new snapshot of the master image and perform a push operation. See Upgrade Instant-Clone Desktop Pools at VMware Docs.

Disk space

  • One or more LUNs (datastores) for storage of the virtual desktops.
  • By default, Replicas are copied to each LUN that contains virtual desktops.
    • It’s possible to place the Replica and the linked clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops.
    • Note: NFS VAAI requires the Replica to be copied to each virtual desktop LUN.
  • .vswp files – Plan for disk space for memory swap and graphics memory overhead. If the master virtual desktop has 4 GB of RAM configured and if none of its memory is reserved then each linked clone will have a 4 GB .vswp file.
    • To reduce the size of the .vswp files, edit each virtual desktop and reserve its memory. Whatever memory is reserved will be subtracted from the .vswp file size.
  • Linked clone Delta disks – Delta disks start small whenever the virtual desktop boots and grow until the virtual desktop is refreshed. To keep delta disks small, refresh the virtual desktops immediately after the user logs off. Otherwise, the delta disk could potentially grow to the same size as the C: drive.
  • If Composer:
    • Persistent disks can be used to store the user’s profile (but not user-installed applications). To enable Persistent disks, the pool must be Dedicated Assignment. You can place the persistent disks on a LUN that is separate from the linked clones LUN. How do you back up the persistent disks? A better option is to use VMware User Environment Manager instead of Persistent disks.
    • Disposable disks. In Dedicated Assignment pools, you have the option of creating Disposable Disks. These disks are always stored with the virtual desktop (you can’t choose a dedicated disposable disk LUN). If you’re planning to frequently refresh the desktops, there’s no point in using Disposable disks.

Floating (Non-Persistent) Automatic Linked Clone Desktop Pool

Master Image Preparation

Do the following on the master image that the virtual desktops will link to:

  1. Video Memory – if Instant Clones, shut down the master, Edit Settings (hardware) in vSphere client, expand Video card, and set video memory. More video memory means more client monitors. The maximum number and maximum resolution of client monitors depends on the ESXi version, the Horizon version, and the Windows version with newest versions providing the greatest number of client monitors. For example, Horizon 7.9 supports six monitors in Windows 10 version 1803 and later.
  2. DHCP – Make sure the master VM is configured for DHCP.
  3. Join domain – Join the master VM to the domain.
  4. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  5. KMS Licensing is required.
  6. Provisioning Agent – When installing Horizon Agent, select the imaging component you intend to use. You can install Instant Clone, or Composer, but not both.
    • All editions of Horizon 7.13 include Instant Clone licensing. Since Composer was removed from Horizon 8, start migrating to Instant Clones.
  7. If Instant Clone, Persona must be disabled.
  8. Snapshot – Shut down the master image and take a new snapshot.

Floating Pool – Horizon Console

In Horizon 7.5 and newer, you can use the new Horizon Console (https://ConnectionServerFQDN/newadmin) to create an Instant Clone pool.

In Horizon 7.8 and newer, you can use the new Horizon Console (https://ConnectionServerFQDN/newadmin) to create a Composer pool, including Persistent Disks.

If you prefer to use Horizon Administrator, then skip ahead to Floating Pool – Horizon Administrator.

  1. Login to Horizon Console (https://ConnectionServerFQDN/newadmin)
  2. On the left, under Inventory, click Desktops.
  3. In Horizon Console 7.10 and newer, on the right, if you select an existing pool, you can click Duplicate to copy the settings to a new pool.
  4. On the right, click Add.
  5. In the Type page, select Automated desktop pool.
  6. In the vCenter Server page, select Instant Clone, select a vCenter server, and click Next.
  7. In the User Assignment page, select Floating, and click Next.
  8. In the Storage Optimization page, if you want to use storage tiering, check the box for Select separate datastores for replica and OS disk. Click Next.
  9. In the Desktop Pool Identification page, do the following:
    1. Give the pool a unique ID, which is not shown to the users. Horizon creates a vCenter VM folder with the same name as the Pool ID.
    2. Enter a Display name, which is shown to the users.
    3. If you intend to use Identity Manager, then leave Access group set to /. Otherwise, if you intend to delegate administration of this pool, then select an Access group that the delegated administrators have been assigned to.
  10. Click Next.
  11. In the Provisioning Settings page, do the following:
    1. In Virtual Machine Naming, enter a Naming Pattern. You can use {n:fixed=3} to specify the location for incremented numerals in the machine names. Make sure the naming pattern does not conflict with any existing machines.
    2. In Desktop Pool Sizing, enter the maximum number of desktops to create. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here.
    3. Select Provision all machines up-front to create all of the machines now.
    4. Or select Provision machines on demand, which tells Horizon to create the machines (up to the maximum) as users connect.
    5. If you’re not creating all machines up-front, then specify the Number of spare (powered on) machines. As users connect, Horizon creates more machines to try to keep this number of spare machines running and waiting for a new connection.
  12. Click Next.
  13. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option, and make your selection.
  14. If the Parent VM (aka Master VM) is not showing up in the list, then check the box next to Show all parent VMs and click the … next to the VM to see the issue.
  15. Instant Clones monitors/resolution – If Instant Clones, the number of monitors configured on the Master Image (snapshot) is displayed. If not correct, delete the snapshot, edit the master VM’s Hardware Settings, expand video card, make your desired changes, and take another snapshot.
  16. Scroll down for more settings.
  17. Datastores – select one or more datastores on which the virtual desktops will be placed.
    • If you selected to put Replica on a different datastore, then you’ll have another Browse button for Replica disk datastores.
  18. When selecting Networks, you can use the Network from the parent image, or uncheck the box and select a different network.
  19. Click Next when done.
  20. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop. This applies to Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.

      1. Change the selection to Select a category folder from the folder list.
      2. You can type in a new category, or select an existing one.
      3. Newer versions of Horizon have an option to put the icon on desktop or Start Menu.
      4. Then click Submit.
    2. In the Desktop Pool Settings page, Horizon 7.9 and newer let you select a Session Type, which means you can optionally publish applications from virtual desktops.
    3. Change the selection for Automatically logoff after disconnect to After, and specify a disconnect timer.

      • Note: In Horizon 7.10 or newer, you can also use Group Policy to configure this. The GPO overrides the pool setting. Install the Horizon 7.10 GPO Templates if you haven’t already. Edit a GPO that applies to the Horizon Agents. Find the Disconnect Session Time Limit (VDI) setting at VMware View Agent Configuration > Agent Configuration.
      • Horizon 7.10 also has an Idle Time Until Disconnect (VDI) for virtual desktops. RDSH idle timer is configured using Microsoft RDSH GPO settings, not Horizon GPO settings.
    4. You can allow users to restart their machines.
    5. If you choose Dedicated assignment instead of Floating assignment, there’s an option for Refresh OS disk after logoff. Leaving it set to Always is strongly recommended. The other options cause the delta disk to grow, and users will be surprised by data loss when you later push a new image. Instant Clones floating assignment pools always refresh on logoff.
    6. Reclaim VM disk space is also an option for Dedicated assignment pools. Floating assignment pools always refresh on logoff so there’s no need to reclaim disk space.
  21. Click Next.
  22. In the Remote Display Settings page:
    1. In 3D Renderer, there’s an option for NVIDIA GRID VGPU if you have GPUs installed.
    2. Check the box next to HTML Access.
    3. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  23. Click Next.
  24. In the Guest Customization page, do the following:
    1. Next to AD container, click Browse, and select the OU where virtual desktop computer objects will be placed. You can type (paste) into the AD container field.
    2. Consider checking the box next to Allow reuse of pre-existing computer accounts.
  25. Click Next.
  26. In the Ready to Complete page, you may entitle users now, or leave it unchecked and do it later. Click Submit.

If you opted to add entitlements now:

  1. In the Add Entitlements window, click Add.
  2. Find a group that will have permission to log into these desktops, and click OK.
  3. Then click OK.

To check the status of the virtual desktops:

  1. Go to Inventory > Desktops.
  2. You might have to click the refresh icon on the top right to see the new pool.
  3. Click the link for the pool name.
  4. On the Summary page, if you scroll down, the vCenter Server section has a State field where you can see the status of the pool creation process. It takes several minutes to publish the master image snapshot. After the snapshot is copied to the Replica, vSphere creates a digest file for View Storage Accelerator, which takes a few more minutes.
  5. Horizon Console 7.11 and newer has a Pending Image progress bar that doesn’t update automatically. To refresh it, scroll up and click the refresh icon.

  6. You can watch the progress in vSphere Client’s Recent Tasks list.


  7. Eventually the pool’s tabs named Machines and Machines (InstantClone Details) will show the new machines.

If you wish to automate the creation of the pool, Aresh Sarkari at Automating Desktop Pool creation using PowerCLI – VMware Horizon 7.x explains New-HVPool -spec 'C:\temp\DesktopPool\LinkedClone.json' and the contents of the JSON file.

Floating Pool – Horizon Administrator

  1. In View Administrator, on the left, expand Catalog, and click Desktop Pools.
  2. On the right, you can clone an existing pool. This action copies many of the settings from the existing pool into the new pool.
  3. Or just click Add.
  4. In the Type page, select Automated Desktop Pool, and click Next.
  5. In the User Assignment page, select Floating, and click Next.
  6. In the vCenter Server page, select either Instant clones, or View Composer linked clones.
    • All editions of Horizon 7.13 include Instant Clone licensing. Since Composer was removed from Horizon 8, start migrating to Instant Clones.
  7. Select the vCenter server, and click Next.

  8. Pool name – In the Desktop Pool Identification page, enter a name for the pool. Horizon creates a vCenter VM folder with the same name as the Pool ID.
  9. Display name is the name of the icon displayed in Horizon Client.
  10. Access Group – Assign the pool to an Access group to restrict delegated administration. Note: If you intend to integrate with VMware Identity Manager (aka Workspace ONE), then make sure you select the root (/) Access group. Other Access Groups won’t work. Click Next.
  11. In the Pool Settings page, do the following:
    1. Horizon 7.3 lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Create Shortcuts for a Desktop Pool at VMware Docs.
    2. Horizon 7.5 adds an option to put the shortcut on the endpoint’s Desktop.
    3. Change the selection for Automatically logoff after disconnect to After, and specify a disconnect timer.
    4. If View Composer, change the selection for Delete or refresh desktop on logoff to Refresh Immediately. Instant Clones always refresh after logoff.
    5. Horizon 7.1 and newer allows users to restart machines gracefully, instead of a reset.
    6. Scroll down.
    7. In the Remote Display Protocol section, select a Default display protocol. New in Horizon 7 is VMware Blast.
    8. In Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.
    9. Composer and Instant Clone have different options for 3D Renderer. Horizon 7.1 adds an option for NVIDIA GRID VGPU when creating Instant Clones.

      • Monitors/Resolution – If Composer, increase the number of monitors and resolution. This causes more video memory to be allocated to the VMs. If Instant Clone, these settings are configured on the Master VM’s settings in vSphere Client.
    10. Check the box next to HTML Access.
    11. Horizon 7.4 adds the Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
    12. Click Next.
  12. In the Provisioning Settings page, enter a naming pattern. You can use {n:fixed=3} to specify the location for the incremented numerals. Make sure the naming pattern does not conflict with any existing machines. Note: Instant Clones does not support manual machine names.
  13. Enter the maximum number of desktops to create. You can create all of them now or wait to create them as users connect. When a user connects to one of these desktops, Horizon immediately creates another desktop (up to the maximum) and powers it on.
    1. In Horizon 6.2 and newer, the maximum number of desktops per pool is 2,000. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here.
  14. Enter the number of spare (idle, unassigned, unused) desktops you want powered on. Horizon maintains this number up to the maximum number of desktops.
  15. Click Next.

  16. If Horizon Composer, in the Disposable File Redirection page, select Do not redirect disposable files, and click Next. Since we’re refreshing the desktops on logoff, there’s no need for a separate disposable disk.
  17. In the Storage Optimization page, if you want to use storage tiering, check the box for Select separate datastores for replica and OS disk. Click Next.
  18. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option, and make your selection.
  19. Horizon 7.1 adds the ability to select multiple Networks for the Instant Clones.
  20. If the Parent VM is not showing up in the list then check the box next to Show all parent VMs and click the next to the VM to see the issue.
  21. Instant Clones monitors/resolution – If Instant Clones, the number of monitors configured on the Master Image (snapshot) is displayed. If not correct, delete the snapshot, edit the master VM’s Hardware Settings, expand video card, make your desired changes, and take another snapshot.
  22. Datastores – select one or more datastores on which the virtual desktops will be placed.
  23. If Composer – select your Storage Overcommit preference. Since you are refreshing desktops on every logoff, they should stay small, so Unbounded is probably acceptable. VMware recommends no more than 140 virtual desktops per VAAI-enabled LUN. If the LUN is not VAAI enabled, 64 is the maximum. If Instant Clone, Unbounded is the only option. Click OK when done.

  24. For Select Replica Disk Datastores, select one datastore for the replica, and then click OK.
  25. Then click Next.
  26. If Instant Clone, View Storage Accelerator and Transparent Page Sharing are enabled by default and can’t be disabled. Storage reclamation doesn’t make sense for Instant Clone.
  27. If Composer, in the Advanced Storage Options page, be aware of the following:
    • View Storage Accelerator creates digest files, which consumes disk space. Creation of the digest files requires IOPS. Make sure to set the blackout times so that this digest creation does not happen during peak hours.
    • Reclaim VM disk space is not useful for non-persistent desktops.
  28. If you scroll down, there’s a new Transparent Page Sharing Scope. The default is no sharing. Use one of the other options to enable sharing. Click Next.
  29. In the Guest Customization page, next to AD container, click Browse, and select the OU where virtual desktop computer objects will be placed. Horizon 7.3 lets you type (paste) into the AD container field.
  30. Consider checking the box next to Allow reuse of pre-existing computer accounts. Click Next.

  31. In the Ready to Complete page, you may entitle users now or later. Click Finish.
  32. To check the status of the virtual desktops, go to Catalog > Desktop Pools.
  33. Double-click the pool name.
  34. If you scroll down, the vCenter Server section has a State field.
  35. vSphere Client shows recent tasks.
  36. On the Inventory tab, click Machines (View Composer or InstantClone Details). There’s a refresh button.
  37. You can also view the status of the desktops by looking at the Dashboard.
  38. Your VMs should eventually have a status of Available.
  39. If you encounter issues with View Composer, see VMware 2087379 VMware Horizon View Composer help center
  40. If Instant Clone, the Master VM and the snapshot used by the Instant Clones must not be deleted.
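
Both pool-creation procedures above ask for a naming pattern such as {n:fixed=3} and warn that it must not conflict with existing machines. The following PowerShell is an added example, not part of the original post: it expands a pattern into the names the pool would use and flags collisions and names over the 15-character Windows computer name limit. The function names and the sample machine names are hypothetical, and the handling of a pattern with no token is an assumption.

```powershell
# Added example (not from the original post); function names are hypothetical.

function Expand-NamingPattern {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        [Parameter(Mandatory)] [ValidateRange(1, 2000)] [int] $MaxMachines   # 2,000 = per-pool maximum
    )
    # {n} inserts the number as-is; {n:fixed=3} zero-pads it to three digits.
    $token = [regex] '\{n(?::fixed=(\d+))?\}'
    if (-not $token.IsMatch($Pattern)) {
        # Assumption: with no token in the pattern, the number is appended to the prefix.
        $Pattern += '{n}'
    }
    $match = $token.Match($Pattern)
    $width = if ($match.Groups[1].Success) { [int] $match.Groups[1].Value } else { 1 }

    foreach ($i in 1..$MaxMachines) {
        # Replace only the first token with the (optionally zero-padded) number.
        $token.Replace($Pattern, $i.ToString("D$width"), 1)
    }
}

function Test-NamingPattern {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        [Parameter(Mandatory)] [int] $MaxMachines,
        [string[]] $ExistingNames = @()
    )
    $names = @(Expand-NamingPattern -Pattern $Pattern -MaxMachines $MaxMachines)
    [pscustomobject]@{
        Pattern   = $Pattern
        First     = $names[0]
        Last      = $names[-1]
        # Windows computer (NetBIOS) names are limited to 15 characters.
        TooLong   = @($names | Where-Object { $_.Length -gt 15 })
        # -contains compares strings case-insensitively, as computer names are.
        Conflicts = @($names | Where-Object { $ExistingNames -contains $_ })
    }
}

# Constructed sample data. In practice, export the names from Active Directory and vCenter.
$existing = 'W10-FLOAT-001', 'W10-FLOAT-002', 'RDSH-01'

# Fits in 15 characters, but the first two names collide with existing machines.
Test-NamingPattern -Pattern 'W10-FLOAT-{n:fixed=3}' -MaxMachines 5 -ExistingNames $existing

# No collisions, but every generated name is 17 characters long.
Test-NamingPattern -Pattern 'HORIZON-FLOAT-{n:fixed=3}' -MaxMachines 5 -ExistingNames $existing
```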

Entitle Virtual Desktops

Horizon Console

This section uses the new Horizon Console to entitle a Desktop Pool. If you prefer to use Horizon Administrator, then skip to the next section.

To make a pool accessible by a user, it must be entitled.

  1. In Horizon Console (https://ConnectionServerFQDN/newadmin), go to Inventory > Desktops.
  2. Click the link for a pool name.
  3. On the Summary tab, click the Entitlements drop-down, and then click Add entitlement. Or you can go to the pool’s Entitlements tab and add from there.
  4. In the Add Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops, and click OK.
  6. Then click OK.

Horizon Administrator

To make a pool accessible by a user, it must be entitled.

  1. Go to Catalog > Desktop Pools.
  2. Double-click the pool name.
  3. On the Summary tab, click Entitlements, and then Add entitlement.
  4. In the Add Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops, and click OK.
  6. Then click OK.
  7. For a Persistent pool, go to the Inventory tab to see the desktops. Select a desktop and under More Commands click Assign User.
  8. Find the user and click OK. Repeat to assign users to additional desktops.

Add Machine to Pool

Horizon Console

This section uses Horizon Console to add a machine to an Instant Clone Pool. If you prefer to use Horizon Administrator, then skip to the next section.

  1. In Horizon Console (https://ConnectionServerFQDN/newadmin), on the left, expand Inventory, and click Desktops.
  2. On the right, highlight an existing Desktop Pool, and click Edit.
  3. Switch to the Provisioning Settings tab, scroll down, and change the Max number of machines. Then click OK.
  4. With Instant Clones, this won’t take very long.
  5. If you open the pool, the tabs named Machines and Machines (InstantClone Details) show the new machines.

Horizon Administrator

  1. On the left, expand Catalog, and click Desktop Pools.
  2. On the right, highlight an existing Automated Desktop Pool, and click Edit.
  3. Switch to the Provisioning Settings tab, and change the Max number of machines. Then click OK.
  4. With Instant Clones, this won’t take very long.
  5. With Composer, it might take a few minutes for the machine to boot a couple times while running QuickPrep.
  6. The pool now has new machines.

Update a Pool

Master Image Preparation

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  5. Delete one or more of the snapshots.

Horizon Console

This section uses Horizon Console. If you prefer Horizon Administrator, then skip to the next section.

  1. In Horizon Console, go to Inventory > Desktops.
  2. Click the link for a pool name.
  3. For Instant Clones, on the Summary tab, click Maintain, and then click Schedule.
  4. In the Image page, select the new snapshot. Notice the snapshot’s monitor/resolution settings. Click Next.
  5. In the Scheduling page, decide when to apply this new image. If you select Force users to log off, notice you can customize the logoff message in Global Settings. Click Next.
  6. In the Ready to Complete page, click Finish.
  7. The pool’s Summary tab, near the bottom, indicates that the image is being pushed.

  8. You can click the tab named Machines (InstantClone Details) to check on the status of the push task. Notice the Pending Image.
  9. The snapshot is copied to each datastore.
  10. The snapshot is attached to a Replica, powered on, then powered off. Digest is then computed.
  11. Then the Replica is attached to a parent, and the parent is powered on. This all takes a bit of time. But the existing Instant Clones remain accessible until the Replica preparation is complete.
  12. Once Replicas are prepared, each machine is rebooted once.
  13. Eventually the Pending Image field will be cleared and the desktops are available again.

Horizon Administrator

  1. In View Administrator, go to Inventory > Pools.
  2. Double-click a pool name.
  3. For Instant Clones, on the Summary tab, click Push Image, and then click Schedule.
  4. Or if Composer, click View Composer, and then click Recompose.
  5. In the Image page, select the new snapshot. Notice the snapshot’s monitor/resolution settings. Click Next.
  6. In the Scheduling page, decide when to apply this new image, and then click Next.
  7. In the Ready to Complete page, click Finish.
  8. On the Inventory tab, you can click Machines (InstantClone Details) or Desktops (View Composer Details) to check on the status of the push/recompose task. Notice the Pending Image.
  9. For both provisioning methods, the snapshot is copied to each datastore.
  10. For Instant Clone, the snapshot is attached to a Replica, powered on, then powered off. Digest is then computed. Then the Replica is attached to a parent, and the parent is powered on. This takes a bit of time. But the Instant Clones remain accessible until the Replica preparation is complete.
  11. Once Replicas are prepared, for Instant Clones, each machine is rebooted once. While with Composer, each virtual machine is rebooted three times, which can be painful. Composer consumes considerable IOPS and time during Recompose operation. To speed up Recompose, switch to Instant Clones.
  12. Eventually the Pending Image field will be cleared and the desktops are available again.

Host Maintenance – Instant Clones

In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Instant-Clone Maintenance Utilities at VMware Docs:

  • IcUnprotect.cmd – use this utility to unprotect folders and VMs, delete VMs, and detect VMs whose master image or snapshot is deleted.
  • IcMaint.cmd – This command deletes the master images, which are the parent VMs in vCenter Server, from the ESXi host, so that the host can be put into maintenance mode. In Horizon 7.0.3, this utility is the only method to prepare an Instant Clone ESXi host for maintenance mode. Also see VMware 2144808 Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones.
  • IcCleanup.cmd – use this utility to unprotect and delete some or all of the internal VMs created by instant clones. This command is available in Horizon 7.10 and newer.

VMware Horizon 7.13.3 – Master Virtual Desktop

Last Modified: Mar 22, 2023 @ 6:00 am

Use this post to build a virtual desktop that will be used as the parent image or source image for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

Virtual Hardware

Lieven D’hoore has a desktop VM build checklist at VMware Horizon View – Windows 10 Golden Image Creation

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. For New Hard disk, consider setting Thin provision.
  3. Make sure the virtual desktop is using a SCSI controller.
  4. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  5. When building the master virtual desktop, you will probably boot from an ISO.
  6. Before using View Administrator to create a pool, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure no ISO file is configured.
  7. There’s no need for the Floppy drive so remove it.
  8. If you have any Serial ports, remove them.
  9. In Device Manager, after installing VMware Tools, make sure the video driver is VMware SVGA 3D.
  10. If not, you can use the driver at C:\Program Files\Common Files\VMware\Drivers\video_wddm.

Windows

VMware TechZone Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop

Preparation

Windows 7 VMXNET 3 Networking Hotfix

For Windows 7 machines:

  1. Ensure the vSphere network port group allows a sufficient number of connected virtual machines.
  2. Make sure Windows 7 Service Pack 1 is installed.
  3. The recommended hotfix for fixing VMXNET 3 is the 3125574 Convenience Rollup.

    1. Run windows6.1-kb3125574-v4-x64.msi.
  4. Or, the minimum hotfix is 2550978 http://support.microsoft.com/kb/2550978.

    1. Run Windows6-1-KB2550978.msu.
  5. Click Yes when asked to install the hotfix.
  6. Click Restart Now.
  7. After installing either hotfix, follow http://support.microsoft.com/kb/315539 to delete ghost NICs.

From Microsoft KB article http://support.microsoft.com/kb/235257: For desktop VMs using VMXnet3 NICs, you can significantly improve the peak video playback performance of your View desktop by simply setting the following registry setting to the value recommended by Microsoft:

  • HKLM\System\CurrentControlSet\Services\Afd\Parameters\FastSendDatagramThreshold to 1500

Windows 7 Black Screen Hotfix

For Windows 7 machines, request and install Microsoft hotfix 2578159: The logon process stops responding in Windows. More info at VMware 2073945 Reconnecting to the VDI desktop with PCoIP displays a black screen.

Windows 7 SHA2 Hotfix

For Windows 7 machines, install Microsoft Security Advisory 3033929, Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2.

Windows 7 Hotfix for AppVolumes

For Windows 7 machines, install the Microsoft hotfix for mountmgr.sys. More info at VMware 2126775 Logging in to a virtual machine fails or is slow at the Welcome Screen when using VMware AppVolumes.

Power Options

  1. Run Power Options. In Windows 8 and newer, right-click the Start Menu to access Power Options.
  2. Click the arrow to show more plans, and select High performance.
  3. Next to High performance, click Change plan settings.
  4. Change the selection for Turn off the display to Never, and click Save changes.

System Settings

  1. Domain Join. For linked clones, join the machine to the domain. For Instant Clones, see VMware 2150495 Computer-based Global Policy Objects (GPOs) that require reboot are not applied on instant clones.
  2. In System control panel applet (right-click the Start Menu > System), click Remote settings.
  3. Enable Remote Desktop.
  4. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with View Composer.

Windows Profiles v3/v4 Hotfix

Roaming user profiles are tied to the operating system version so profiles on Windows 8.1-based, Windows 10-based, or Windows Server 2012 R2-based computers are incompatible with roaming user profiles in earlier versions of Windows.

Profiles are compatible only between the following client and server operating system pairs:

  • v6 = Windows 10 1607 and newer, Windows Server 2016, Windows Server 2019
  • v5 = Windows 10 1511 and older
  • v4 = Windows 8.1 and Windows Server 2012 R2
  • v3 = Windows 8 and Windows Server 2012
  • v2 = Windows 7 and Windows Server 2008 R2

If Windows 8, install hotfix http://support.microsoft.com/kb/2887239.

If Windows 8.1, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783

After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer. Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8. Then, Windows 8.1-based computers that have update rollup 2887595 installed and the UseProfilePathExtensionVersion registry entry configured use version 4 of the profile.

Windows 8 creates a new copy of the user profile and appends the suffix “.v3” in the profile folder name to differentiate it from the original version 2 profile for Windows 7. After that, Windows 8-based computers that have this hotfix installed and the UseProfilePathExtensionVersion registry entry configured use the version 3 profile for users.
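
The regedit steps above can also be scripted when sealing the image. The following PowerShell is an added example, not part of the original post; the function name Set-ProfilePathExtensionVersion is hypothetical, and the update check only warns because a superseded update may not be listed by Get-HotFix.

```powershell
# Added example: scripted equivalent of the regedit steps for
# UseProfilePathExtensionVersion. Run from an elevated PowerShell prompt on the
# master image, after installing the update and before the restart.
function Set-ProfilePathExtensionVersion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters'
    $valueName = 'UseProfilePathExtensionVersion'

    # Per the post: Windows 8 (6.2) gets the .v3 suffix with hotfix 2887239,
    # Windows 8.1 (6.3) gets the .v4 suffix with update rollup 2887595.
    $byOs = @{
        '6.2' = @{ Suffix = '.v3'; Update = 'KB2887239' }
        '6.3' = @{ Suffix = '.v4'; Update = 'KB2887595' }
    }

    # Win32_OperatingSystem reports the installed version as major.minor.build.
    $version = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $osKey   = '{0}.{1}' -f $version.Major, $version.Minor
    if (-not $byOs.ContainsKey($osKey)) {
        Write-Warning "OS version $version is not Windows 8 or 8.1; the value is not needed here."
        return
    }
    $expected = $byOs[$osKey]

    # Warn only; do not block on the result of Get-HotFix.
    if (-not (Get-HotFix -Id $expected.Update -ErrorAction SilentlyContinue)) {
        Write-Warning "$($expected.Update) is not listed by Get-HotFix; confirm the update is installed."
    }

    # Idempotent: only write when the value is missing or not 1.
    $before  = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $changed = $false
    if ($before -ne 1 -and $PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        $changed = $true
    }

    # Read the value back rather than trusting the write.
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    [pscustomobject]@{
        OSVersion       = $version.ToString()
        ProfileSuffix   = $expected.Suffix
        ValueBefore     = $before
        ValueAfter      = $after
        Changed         = $changed
        RestartRequired = $changed   # the post requires a restart after setting the value
    }
}

# Preview the change; remove -WhatIf to apply it.
Set-ProfilePathExtensionVersion -WhatIf
```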

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Unidesk) or App Streaming (e.g. ThinApp, Microsoft App-V).

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7 contains exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Symantec

Symantec links:

Trend Micro

Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE until the system has launched successfully. This avoids deadlock situations during login.

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters]
"DisableCtProcCheck"=dword:00000001

Trend Micro Links:

Sophos

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon.

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Horizon Agent

Horizon Agent Installation/Upgrade

Install Horizon Agent on the master virtual desktop. Upgrades are performed in-place.

  1. See VMware 2149393 Supported versions of Windows 10 on Horizon Agent.
    1. Windows 10 version 1903 is supported by Horizon Agent 7.8 and newer.
    2. Windows 10 version 1809 is supported by Horizon Agents 7.5.1 and newer.
  2. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
      "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set appinfo disabled true
  3. Check the video driver to make sure it is VMware SVGA 3D.
  4. Download Horizon 7.13.3 Agent.
  5. Run the downloaded VMware-Horizon-Agent-x86_64-7.13.3.exe.
  6. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  7. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Network protocol configuration page, select IPv4, and click Next.
  10. In the Custom Setup page, there are several features not enabled by default. Feel free to enable them.
    1. If you want USB Redirection, then enable that feature.
    2. Horizon 7.2 and newer have VMware Virtualization Pack for Skype for Business. See Configure Skype for Business at VMware Docs for details.
    3. You can install Instant Clone Agent, or View Composer Agent, but not both.

    4. According to Instant-Clone Desktop Pools at VMware Docs, Persona is not supported with Instant Clones.

    5. If you want Scanner Redirection, then enable that feature. Note: Scanner Redirection will impact host density.
    6. Horizon 7.3 through Horizon 7.9 have HTML5 Multimedia Redirection. In Horizon 7.10 and newer, HTML5 Browser Redirection seems to be installed automatically. To enable and configure these features, see HTML5 Redirection in Horizon Group Policy.
    7. Horizon 7.6 and newer have an option for Geolocation Redirection. The feature requires a plugin for Internet Explorer 11 and Horizon Client 4.9. No other browsers are supported. See Configuring Geolocation Redirection at VMware Docs.
    8. Horizon 7.5 and newer have Horizon Performance Tracker, which adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    9. Horizon 7.7 and newer have a VMware Integrated Printing or VMware Advanced Printing option, which replaces the older ThinPrint technology. VMware Integrated Printing requires Horizon Client 4.10 or newer.
    10. If you enable VMware Integrated Printing, then you must disable Virtual Printing, which is higher in the list.

  11. Click Next when done making selections.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes when asked to restart.
  15. Horizon Agent 7.13 and newer let you Modify the features that were selected during installation. In older versions, you must uninstall Horizon Agent and reinstall it.
    • If you click Modify from Apps & features (or Programs and Features), it will tell you to open an elevated command prompt and run the command shown in the window.
    • You can’t change from Manual to Instant Clone or back again using this method.
  16. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  17. For Horizon Persona (not with Instant Clones), enable the Microsoft Software Shadow Copy Provider service. See Windows 10 with Persona management not syncing at VMware Communities.
  18. If Windows 10 version 1709 with View Composer, you might have to delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Security. See VMware 51518 Production Support for VMware Horizon 7.4, 7.3.2, and 7.2 with Win 10 1709 Semi-Annual Channel (SAC) Guest OS
  19. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  20. There’s also a new IE add-on.
  21. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM).

If you are licensed for Dynamic Environment Manager (Horizon Enterprise Edition), install the Dynamic Environment Manager (DEM) Enterprise Agent.

  • DEM Enterprise has the same or more features than have always been included in Horizon Enterprise. DEM Standard is a reduced-feature version for Horizon 8 Standard Edition.
  • Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2212-10.8-GA\VMware Dynamic Environment Manager Enterprise 2106 10.3 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

  1. Windows 10 Compatibility – See VMware 57386 VMware Dynamic Environment Manager and Windows 10 Versions Support Matrix
  2. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  3. Based on your entitlement, download either DEM 2212 (10.8) Enterprise Edition, or DEM 2212 (10.8) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  4. Run the extracted VMware Dynamic Environment Manager Enterprise 2212 10.8 x64.msi.
  5. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  6. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the Management Console. The Management Console is typically installed on an administrator workstation, not on a master image.

  9. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
  10. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  12. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value. (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware Unity\enabled to 0.

For more information, see Configure Favorite Applications Displayed by Unity Touch at VMware Docs.

Composer – Rearm

By default, when View Composer creates linked clones and runs QuickPrep, one of the tasks is to rearm licensing. You can prevent rearm by setting the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
    • SkipLicenseActivation (DWORD) = 0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through. Full script is included in the article.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to VMware DEM Personalization.
  • App Masking is an alternative to VMware App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically use FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of FSLogix Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

VMware App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshot.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  7. The History tab lets you rollback the optimizations.
  8. The Finalize tab contains tasks that should be run every time you seal your master image.

Additional Optimizations

Additional Windows 10 Optimizations

Additional Windows 7 Optimizations

Microsoft has compiled a list of links to various optimization guides.

It’s a common practice to optimize a Windows 7 virtual machine (VM) template (or image) specifically for VDI use. Usually such customizations include the following.

  • Minimize the footprint, e.g. disable some features and services that are not required when the OS is used in “stateless” or “non-persistent” fashion. This is especially true for disk-intensive workloads since disk I/O is a common bottleneck for VDI deployment. (Especially if there are multiple VMs with the same I/O patterns that are timely aligned).
  • Lock down user interface (e.g. optimize for specific task workers).

With that said, certain practices are quite debatable and vary between actual real-world deployments. Exact choices whether to disable this or that particular component depend on customer requirements and VDI usage patterns. E.g. in a personalized virtual desktop scenario there are far fewer things to disable since the machine is not completely “stateless”. Some customers rely heavily on particular UI functions and others can relatively easily trade them off for the sake of performance or standardization (thus enhancing supportability and potentially security). This is one of the primary reasons why Microsoft doesn’t publish any “VDI Tuning” guide officially.

Though there are a number of such papers and even tools published either by the community or third parties. This Wiki page is aimed to serve as a consolidated and comprehensive list of such resources.

Daniel Ruiz XenDesktop Windows 7 Optimization and GPO’s Settings

Microsoft Whitepaper Performance Optimization Guidelines for Windows 7 Desktop Virtualization

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks:
  4. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  5. Shut down the master virtual desktop.
  6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  7. Take a snapshot of the master virtual desktop. View Composer requires a snapshot.

VMware Horizon 7.13.3 Security Server

Last Modified: Mar 22, 2023 @ 5:48 am

This post applies to all VMware Horizon 7 versions, including 7.13.3.

Preparation

The newer Horizon Console does not support Security Servers. The older Flash-based Horizon Administrator won’t work for much longer, so take it as a clue that you should deploy Unified Access Gateways (UAG) to replace your Security Servers. Horizon 8 also does not support Security Servers.

Security Servers are intended to be deployed in the DMZ.

Horizon Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Unified Access Gateway. Note: Some of the newer Blast Extreme functionality only works in Unified Access Gateway. See Configure the Blast Secure Gateway at VMware Docs.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If your load balancer (e.g. NetScaler ADC, F5) is able to provide persistence across multiple port numbers, then you only need one public IP. For example, in NetScaler, this is called Persistency Groups.

If your load balancer doesn’t support persistence across multiple port numbers, then create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Firewall Rules for View Connection Server at VMware Docs.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at VMware Docs.
  • TCP 8009 (AJP13) to the paired internal Horizon Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon Agents.
  • TCP and UDP 22443 (HTML Blast) to all internal Horizon Agents.
  • TCP 9427 (MMR) to all internal Horizon Agents.
  • TCP 4002 for Enhanced Message Security – see Change the JMS Message Security Mode to Enhanced at VMware Docs.
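
A reachability check for the TCP ports in the "Security Servers to internal" list above, meant to be run on the Security Server before pairing. This is an added example, not code from the original post or from VMware; the host names are constructed placeholders and Test-TcpPort is a hypothetical helper name.

```powershell
# Added example. Run on the Security Server (DMZ side) to confirm that the
# back-end firewall allows the TCP ports listed above.
# Host names are constructed placeholders; replace them with your own.
$ConnectionServer = 'horizon-cs01.corp.example'     # paired Connection Server
$HorizonAgents    = @('rdsh01.corp.example', 'vdi01.corp.example')
$EnhancedJms      = $true   # $false if JMS message security mode is not Enhanced

# TCP ports taken from the list above. UDP 4172/22443, ISAKMP/NAT-T and ESP
# cannot be verified with a TCP connect; check those in the firewall logs.
$ToConnectionServer = @(
    @{ Port = 8009; Purpose = 'AJP13' },
    @{ Port = 4001; Purpose = 'JMS' }
)
if ($EnhancedJms) {
    $ToConnectionServer += @{ Port = 4002; Purpose = 'JMS (Enhanced message security)' }
}
$ToAgents = @(
    @{ Port = 4172;  Purpose = 'PCoIP' },
    @{ Port = 32111; Purpose = 'USB Redirection' },
    @{ Port = 22443; Purpose = 'HTML Blast' },
    @{ Port = 9427;  Purpose = 'MMR' }
)

function Test-TcpPort {
    # Hypothetical helper: TCP connect with a short timeout, returns $true or $false.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# One result row per (target, port) pair.
$results = @(
    foreach ($rule in $ToConnectionServer) {
        [pscustomobject]@{
            Target  = $ConnectionServer
            Port    = $rule.Port
            Purpose = $rule.Purpose
            Open    = Test-TcpPort -ComputerName $ConnectionServer -Port $rule.Port
        }
    }
    foreach ($agent in $HorizonAgents) {
        foreach ($rule in $ToAgents) {
            [pscustomobject]@{
                Target  = $agent
                Port    = $rule.Port
                Purpose = $rule.Purpose
                Open    = Test-TcpPort -ComputerName $agent -Port $rule.Port
            }
        }
    }
)

$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) port(s) unreachable: blocked by a firewall, or nothing is listening on the target yet."
}
```

Run the same script from a machine that should not reach these ports, such as another DMZ host, to confirm the back-end rules are scoped to the Security Servers only.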

Pairing Password

The newer Horizon Console does not support Security Servers. The older Flash-based Horizon Administrator won’t work for much longer, so take it as a clue that you should deploy Unified Access Gateways to replace your Security Servers.

  1. As an alternative to the Flash-based console, VMware Code has a Script to manage Horizon 7.x Security Servers via the View-API without needing the FLEX based Administrator Console.
  2. In Horizon Administrator, on the left, expand View Configuration, and click Servers.
  3. On the right, switch to the Connection Servers tab.
  4. Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
  5. Enter a temporary password, and click OK.

Install – Security Server

  1. Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported for the Horizon Security Server 7.8 and newer.
  3. Login to the Horizon Security Server.
  4. Download Horizon 7.13.3 Horizon Connection Server.
  5. If you are upgrading an existing Security Server, then you must prepare it for upgrade:

    1. In Horizon Administrator (Flash/Flex console), on the left, expand View Configuration, and click Servers.
    2. On the right, switch to the tab named Security Servers.
    3. Highlight the Security Server, then click the menu named More Commands and click Prepare for Upgrade or Reinstallation.
    4. Click OK to remove the IPSec rules.
  6. On the Security Server, run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon 7 Security Server, and click Next.
  11. In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  12. In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier, and click Next.
  13. In the Horizon 7 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN, while the middle URL is an IP address. These can be changed later. Click Next.
  14. In the Firewall Configuration page, click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.

SSL

Security Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the public FQDN of the Security Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon 7 Security Server service.
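
The certificate requirements from the steps above, checked from PowerShell instead of clicking through certlm.msc. This is an added example, not code from the original post or from VMware; the FQDN is a constructed placeholder and the two helper function names are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the Security Server.
$PublicFqdn = 'horizon.example.com'   # constructed placeholder: the public FQDN of this Security Server

function Test-DnsNameMatch {
    # Hypothetical helper: exact match, or a wildcard covering exactly one left-most label.
    param([string]$Fqdn, [string]$Pattern)
    if ($Pattern.StartsWith('*.')) {
        $firstDot = $Fqdn.IndexOf('.')
        return ($firstDot -gt 0) -and ($Fqdn.Substring($firstDot) -ieq $Pattern.Substring(1))
    }
    return $Fqdn -ieq $Pattern
}

function Get-KeyExportable {
    # Hypothetical helper: reads the exportable flag for CSP-based keys.
    # CNG keys do not expose CspKeyContainerInfo, so the result is then 'unknown'.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $key = $Cert.PrivateKey
        if ($key -and $key.CspKeyContainerInfo) {
            return $key.CspKeyContainerInfo.Exportable
        }
    }
    catch { }
    return 'unknown (confirm with the export wizard in certlm.msc)'
}

# Only one certificate may carry the Friendly name vdm. A leftover self-signed
# certificate that still has it shows up here as a second match.
$vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' })

if ($vdm.Count -ne 1) {
    Write-Warning "Expected exactly one certificate with Friendly name 'vdm' in LocalMachine\My, found $($vdm.Count)."
    $vdm | Select-Object Thumbprint, Subject, Issuer, NotAfter
    return
}

$cert  = $vdm[0]
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN DNS names, or the CN
$now   = Get-Date

[pscustomobject]@{
    Subject           = $cert.Subject
    Thumbprint        = $cert.Thumbprint
    CaSigned          = $cert.Subject -ne $cert.Issuer   # $false means self-signed
    HasPrivateKey     = $cert.HasPrivateKey
    KeyExportable     = Get-KeyExportable -Cert $cert
    MatchesPublicFqdn = [bool]($names | Where-Object { Test-DnsNameMatch -Fqdn $PublicFqdn -Pattern $_ })
    WithinValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
    NotAfter          = $cert.NotAfter
} | Format-List
```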

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Right-click the Connection Server that is paired with the Security Server, and click Edit. Note: you can’t configure this directly on the Horizon Security Server, and instead must configure it on the paired Horizon Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to machine. Also, make sure HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Click OK.


VMware Horizon 7.13.3 Configuration

Last Modified: Mar 22, 2023 @ 5:46 am


This post applies to all VMware Horizon 7 versions including 7.13.3.

💡 = Recently Updated


Preparation

Horizon Service Account

  1. Create an account in Active Directory that Horizon View will use to login to vCenter. This account can also be used by Composer and Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones. See Privileges Required for the vCenter Server User and View Composer and Instant Clone Privileges Required for the vCenter Server User at VMware Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, go to Administration.
  2. In the Roles node, click the plus icon to add a Role.
  3. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  4. On the left, click Datastore. On the right, enable Allocate space, Browse datastore, and Low level file operations.
  5. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  6. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable Manage custom attributes, Set custom attribute, and System tag.
  7. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  8. On the left, click Network. On the right, enable All Network Privileges.
  9. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  10. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered off virtual machine.
  11. On the left, click Storage views. On the right, enable View.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and click Edit Inventory to enable all Inventory permissions.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations, Power Off, Power On, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Next.
  14. Name it Horizon or similar. Then click Finish.

Assign role to service account:

  1. Create an account in Active Directory that Horizon View will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.
  8. From VMware Docs Configure a vCenter Server User for Horizon 7 and View Composer: If you install Horizon Composer on the same machine as Windows vCenter Server, you must make the Horizon service account a local system administrator on the Windows vCenter Server machine.
    • If you install Horizon Composer on a different machine than Windows vCenter Server, you do not have to make the Horizon service account a local administrator on the Windows vCenter Server machine. However, the Horizon service account must be a local administrator on the Horizon Composer standalone machine.
  9. On the Horizon Composer server, right-click the Start button, and click Computer Management.
  10. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the Horizon service account, and click OK.

Active Directory Delegation for Instant Clones and Composer

Horizon Composer and Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at VMware Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create selected objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All Properties, Write All Properties, and Reset Password. Then click Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. To review the result, enable Advanced Features in Active Directory Users & Computers, open the properties of the OU, and on the Security tab click Advanced. Your service account is listed there with the delegated permissions.
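
The delegation can also be read back from the OU's ACL with PowerShell, which makes it easy to confirm the account holds only what the wizard granted. This is an added example, not code from the original post or from VMware; the OU, the account name and the Test-Delegated helper are constructed placeholders, and it assumes the delegation was scoped to Computer objects in the Active Directory Object Type page.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$OuDn    = 'OU=Horizon Agents,DC=corp,DC=example'   # constructed placeholder
$Account = 'CORP\svc-horizon'                       # constructed placeholder

# Well-known Active Directory schema GUIDs.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right

# All Allow ACEs on the OU (explicit and inherited) that name the service account.
$aces = @((Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
})

function Test-Delegated {
    # Hypothetical helper: is $Right granted with this ObjectType (what the right
    # targets) and InheritedObjectType (which child objects the ACE applies to)?
    param(
        $Aces,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType    = [guid]::Empty,
        [guid]$InheritedType = [guid]::Empty
    )
    [bool]($Aces | Where-Object {
        ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
        $_.ObjectType -eq $ObjectType -and
        $_.InheritedObjectType -eq $InheritedType
    })
}

# ACEs that go beyond the delegation: WriteDacl or WriteOwner (both are also
# part of GenericAll / Full control) let the account change permissions itself.
$mask  = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$broad = @($aces | Where-Object { [int]($_.ActiveDirectoryRights -band $mask) -ne 0 })

[pscustomobject]@{
    Account            = $Account
    CreateComputer     = Test-Delegated -Aces $aces -Right CreateChild   -ObjectType $ComputerClass
    DeleteComputer     = Test-Delegated -Aces $aces -Right DeleteChild   -ObjectType $ComputerClass
    ReadAllProperties  = Test-Delegated -Aces $aces -Right ReadProperty  -InheritedType $ComputerClass
    WriteAllProperties = Test-Delegated -Aces $aces -Right WriteProperty -InheritedType $ComputerClass
    ResetPassword      = Test-Delegated -Aces $aces -Right ExtendedRight -ObjectType $ResetPassword -InheritedType $ComputerClass
    OverBroadAceCount  = $broad.Count
} | Format-List

if ($broad.Count -gt 0) {
    Write-Warning 'The service account holds WriteDacl/WriteOwner or Full control on this OU:'
    $broad | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}
```

A non-zero OverBroadAceCount usually means the account was given Full control on the OU or inherits it from a parent, which is more than Instant Clones or Composer need.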

Events SQL Database

A new empty SQL database is needed for storage of View Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it VMwareHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model, and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login, and click Properties.
  7. On the User Mapping page, check the Map box next to the VMwareHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon 7 Administrator Console.

Horizon 7.5 and newer have two administrator consoles:

  • Horizon Console (HTML5)
  • Horizon Administrator (Flex) – Flash-based

In Horizon versions 7.5 through 7.10, Horizon Console was not yet feature complete so most administrators continue to use the Flash-based Horizon Administrator. In these versions, you can access Horizon Console by navigating to https://viewConnectionServer/newadmin (add /newadmin to the end of your Connection Server FQDN). Or click the Horizon Console link at the top right of the Horizon Administrator console.

In Horizon 7.10 and newer, Horizon Console is feature complete and is now the primary administrator interface. The Flash-based Horizon Administrator is now deprecated.

In Horizon 7.11 and later:

  • When you connect to Horizon Administrator (/admin at the end of the Connection Server URL), you are prompted to choose between Horizon Console and Horizon Administrator. In prior versions of Horizon, going to /admin always opens the Flash-based administrator console.
  • If you navigate to /newadmin, it will redirect you to /admin where you can choose between the two consoles.
  • You can go directly to the Flash-based administrator console by navigating to /flexadmin.

Horizon Console 7.11 and newer’s Dashboard can show you the CPU/Memory of the Connection Servers:

  1. On the top left, expand Monitor and click Dashboard.
  2. On the right, in the top-left block named System Health, click VIEW.
  3. With Components selected on the left, the first tab on the right is Connection Servers. It shows you a list of Connection Servers in the pod and each server’s CPU and Memory Consumption.

Licensing

As of Horizon 7.9, Horizon Licensing can be configured in either the new HTML5-based Horizon Console or the classic Flash-based Horizon Administrator.

  1. Open Horizon Console or Horizon Administrator.
  2. Login using a Horizon administrator account.

  3. In Horizon Console on the left, expand Settings and click Product Licensing and Usage.

    1. Or in Horizon Administrator, on the left, under View Configuration, click Product Licensing and Usage.
  4. In the right pane, on the top left, click Edit License.

  5. In the Edit License window, enter your license serial number, and click OK.
  6. Licensing information is displayed:
    • License expiration is shown.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Skype Optimization requires Horizon Advanced Edition.
    • In Horizon 7.13, Instant Clones are available in all editions of Horizon. Prior to 7.13, Instant Clones requires Horizon Enterprise Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool requires Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console 7.8 or newer, on the left, expand Settings, and click Administrators.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Administrators.
  2. On the right, near the top, click Add User or Group.

  3. In the Select administrators or groups page, click Add.

  4. Enter the name of a group that you want to grant Horizon Administrator permissions to, and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.

  6. Continue adding groups, or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators). Newer versions of Horizon include a built-in Help Desk Administrators role, which grants access to the Help Desk tool. Then click Next.

  8. Select an access group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Note: If you intend to integrate Horizon with VMware Identity Manager (aka VMware Access), then only pools in the Root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk Website

Horizon 7.2 and newer have a new web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console (Horizon 7.5 and newer), simply enter a user name in the search box.
  • VMware also has an alternative Horizon Helpdesk Utility Fling
  • For Horizon 7.2 through 7.4, go to https://HorizonFQDN/helpdesk (e.g. https://view.corp.com/helpdesk).

The Desktops and Applications tabs let you see what the user is entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. In Horizon 7.3 and newer, the Product Licensing page indicates if Help Desk is licensed or not.

  • In Horizon 7.2, only Full Horizon Administrators can login to the Help Desk web page.
  • Horizon 7.3 and newer have built-in Help Desk Administrators roles that can log into the Help Desk tool.

    • Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.

  • 15 minutes of History – There’s only 15 minutes of collected metric data. Use vRealize Operations for Horizon for longer historical monitoring.
  • See Rob Beekmans Helpdesk functionality added to VMware Horizon 7.2.
  • According to Pascal van de Bor Horizon 7.2: With a little helpdesk from my friends, checkOrigin needs to be disabled to prevent the “Authentication failed, invalid domain, username or password. Please try again” error.

See Troubleshooting Users in Horizon Help Desk Tool at VMware Docs.

vCenter Connection, and optional Horizon Composer

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clones or Horizon Composer
  • Update virtual machines using Instant Clones or Horizon Composer

See the Product Interoperability Matrix for supported vCenter versions.

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

  1. In Horizon Console 7.8 or newer, on the left, expand Settings, and click Servers.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.

  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
  4. Click Next.

  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.


  6. In the View Composer page, if you are using Horizon Composer, then do the following:
    1. Select Standalone View Composer Server.
    2. Enter the FQDN of the Composer Server, and the credentials of an account to access the Horizon Composer server. The service account must be a local administrator on the Horizon Composer Server.
  7. Click Next.

  8. If you see an invalid certificate, click View Certificate. Then click Accept.


  9. If you are using Horizon Composer, then in the View Composer Domains page, do the following:
    1. Click Add.

    2. Enter the Full domain name of where the virtual desktop computer objects will be created.
    3. Enter the Active Directory service account credentials that has permission to create computer objects, and click Submit.

  10. Then click Next.
  11. In the Storage page, do the following:
    1. Reclaim VM disk space requires IOPS during its operation. This feature is not needed for Instant Clones.
    2. Check the box to Enable Horizon Storage Accelerator, and increase the host cache size to 2048. Notes:
      • Horizon Storage Accelerator is required for Instant Clones.
      • Horizon Storage Accelerator causes digest files to be created, thus increasing disk space requirements and increasing how long it takes to Recompose a pool.
  12. Click Next.

  13. In the Ready to Complete page, click Submit.

Instant Clone Domain Accounts

If you plan to use Instant-Clone to create non-persistent virtual desktops, then add an administrator account that can join machines to the domain.

  1. In Horizon Console 7.9 or newer, on the left, expand Settings and click Instant Clone Domain Accounts.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Instant Clone Domain Accounts.
  2. On the right, click Add.

  3. Select the domain.
  4. Enter credentials of a service account that can join machines to the domain. Click OK.

Disable Check Origin

If you connect to Horizon Connection Server using any DNS name (e.g. load balancing DNS name) that doesn’t match the server’s DNS name, then it might not work unless you disable Origin Check as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.

Restrict Remote Access

The Users and Groups node has a new Remote Access tab. You can configure this in either the Horizon Console or in Horizon Administrator.

If you add groups or users to this tab, only these groups and users can login through Unified Access Gateway (UAG) or Security Server.

Users not in the list can’t login through Unified Access Gateway (UAG) or Security Server.

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

  • If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
  • If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

To disable the tunnels in either Horizon Console or Horizon Administrator:

  1. In Horizon Console, on the left, expand Settings, and click Servers.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.

  3. Click the Connection Server to highlight it, and click Edit.

  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the two Gateways. Click OK.
  5. Note: if you are using HTML5 Blast internally, then disabling the Blast Secure Gateway will cause HTML5 Blast connections to go directly to the Horizon Agent, and the Agent certificate is probably not trusted. Newer versions of Horizon have an option to use Blast Secure Gateway only for HTML Access.

Event Database and Syslog

  1. In Horizon Console 7.9 or newer, on the left, expand Settings and click Event Configuration.

    • Or in Horizon Administrator, expand View Configuration, and click Event Configuration.
  2. On the right, under Event Database, click Edit.

  3. In the Edit Event Database dialog box, do the following:
    1. Enter the name of the SQL server.
    2. Select Microsoft SQL Server as the Database type.
    3. Enter the name of the database.
    4. Enter the SQL account credentials (no Windows authentication).
    5. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  4. Click OK.

  5. On the right, in the Event Settings section, you can click Edit to change the age of events shown in Horizon Console or Horizon Administrator.

  6. To add a Syslog server, look on the right side of the page.

  7. There are configuration options for logging to a file (Events to File System).

  8. You can go to Monitor > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Replace VDIevent_data with the corresponding table name in your Event database, which begins with your own table prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range, event severity, event source, session type (Application or Desktop), Usernames and Event Types. The application allows for extremely granular export of data. The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period of time from the event_historical table, run this query:

-- <prefix> is a placeholder for your event table prefix.
-- EventType is as given in the text quoted here; check it against the EventType values stored in your table.
select Count, Time from (
    select top 50
        dbo.<prefix>_data_historical.IntValue as 'Count',
        dbo.<prefix>_historical.Time as 'Time'
    from dbo.<prefix>_historical, dbo.<prefix>_data_historical
    where dbo.<prefix>_historical.EventID = dbo.<prefix>_data_historical.EventID
      and dbo.<prefix>_data_historical.Name = 'UserCount'
      and dbo.<prefix>_historical.EventType = 'BROKER_DAILY_MAX_DESKTOP'
    order by dbo.<prefix>_historical.Time DESC
) A
order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. In Horizon Console 7.9 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, under View Configuration, click Global Settings.

  2. On the right, under Global Settings, in the General Settings tab (or General section), click Edit.

  3. Set the Connection Server Session Timeout (7.13 only) or View Administrator session timeout, which applies to both administrators and help desk. 4320 minutes (72 hours) is the maximum.


  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user, and requires the user to logon to Horizon Connection Server again.

  5. Under Client-dependent settings you can set an idle timeout. This is a disconnect, not logoff.

  6. To configure an idle timeout for desktop sessions:
  7. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of Horizon Administrator.

  8. In Horizon 7.8 and newer, the Send domain list option in Horizon Console and Horizon Administrator is unchecked by default, which means users must enter a domain name instead of picking one from a list. Check this box to restore functionality from Horizon 7.7 and earlier. See VMware Blog Post Changes in Logon for VMware Horizon. Note: This setting is configurable in Horizon Console 7.10 and newer.

  9. Make other changes as desired. Click OK when done.

Horizon 7.8 and newer disable “Log On as Current User” by default. To enable this client feature:

  1. In Horizon Console 7.10 or newer, on the left, expand Settings, and click Servers.

    • Or in Horizon Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.

  3. Highlight a Connection Server and click Edit.

  4. Switch to the Authentication tab.

  5. Scroll down. Check the box next to Accept logon as current user. Click OK.

Horizon 7.11 and newer can restrict connections to a minimum version of Horizon Client. 💡

  1. In Horizon Console 7.11 or newer, on the left, expand Settings, and click Global Settings.
  2. On the right, switch to the tab named Client Restriction Settings.
  3. Click Edit.
  4. For each client type, enter a minimum version number. Click OK when done.
  5. The client version is enforced when you try to launch an icon.

Global Policies

By default, Multimedia Redirection is disabled. You can enable it in Global Policies.

  1. In Horizon Console 7.8 or newer, go to Settings > Global Policies. Or in Horizon Administrator, go to Policies > Global Policies.

  2. On the right, click Edit Policies.

  3. Set Multimedia redirection to Allow, and click OK. Notice that Multimedia redirection is not encrypted.

Backups

Connection Server LDAP Backup and Composer Database Backups can be configured in Horizon Administrator, or in Horizon Console.

  1. In Horizon Console 7.8 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, expand View Configuration, and click Servers.

  2. On the right, switch to the Connection Servers tab.

  3. Select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.

  4. To change automatic backup settings, Edit the Horizon Connection Server, and switch to the Backup tab.

  5. You can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. See VMware 1008046 Performing an end-to-end backup and restore for VMware View Manager.

Tips

VMware Blog Post Top 10 Tips for a Successful Horizon VDI

VMware Horizon 7.13.3 Connection Server

Last Modified: Mar 22, 2023 @ 5:43 am

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

💡 = Recently Updated

Upgrade

If you are performing a new install, skip to Install Horizon 7 Standard Connection Server.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
      • If upgrading from version 7.7 or older to version 7.8 or newer, then be aware of authentication changes.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install Horizon 7 Standard Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

Horizon 7.13.3 is the last release of Horizon 7 and will be supported until May 2023. VMware recommends upgrading all Horizon 7 implementations to Horizon 8.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  5. The older Horizon Administrator (/flexadmin) is a Flash-based console. After December 2020, Chrome will no longer support Flash.
    • Horizon Console (/newadmin) is HTML5 and does not need Flash.
  6. Download Horizon 7.13.3 View Connection Server.
  7. If Horizon Toolbox is installed, uninstall it.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  10. If you are upgrading from version 7.7 or older to version 7.8 or newer, then acknowledge the authentication changes warning by clicking OK.
  11. In the License Agreement page, select I accept the terms, and click Next.
  12. In the Destination Folder page, click Next.
  13. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  14. In the Data Recovery page, enter a password, and click Next.
  15. In the Firewall Configuration page, click Next.
  16. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  17. In the User Experience Improvement Program page, uncheck the box, and click Next.
  18. In the Ready to Install the Program page, click Install.
  19. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.
  20. If you upgraded to Horizon 7.8 or newer and want to re-enable Logon as current user:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, go to View Configuration > Servers.

    2. On the right, switch to the tab named Connection Servers.
    3. Highlight the server you just upgraded and click Edit.

    4. Switch to the tab named Authentication.

    5. Scroll down, check the box next to Accept logon as current user and then click OK.

  21. If you upgraded to Horizon 7.8 or newer and want to re-enable sending the domain list to Horizon Client:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, go to View Configuration > Global Settings.
    2. On the right, in the General section, click the Edit button.

    3. Near the bottom, check the box next to Send domain list. You might want to uncheck Hide domain list in client user interface. Then click OK.

Install Horizon 7 Replica Connection Server

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Download Horizon 7.13.3 View Connection Server.
  5. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  10. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.
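The checks in the steps above can be run as a script before restarting the service. This is an added example, not part of the original post; the function name, the -ExpectedFqdn value and the 30-day expiry threshold are assumptions.

```powershell
# Added example: audit the Local Machine\Personal store against the rules above.
# Returns a list of findings; an empty result means every check passed.
function Test-HorizonVdmCertificate {
    param(
        # FQDN that clients use to reach this Connection Server (supplied by the caller).
        [Parameter(Mandatory = $true)][string]$ExpectedFqdn,
        # Report certificates that expire within this many days (assumed threshold).
        [int]$WarnDays = 30
    )

    $findings = @()
    $vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'vdm' })

    # Only one certificate can have vdm as the Friendly name.
    if ($vdm.Count -ne 1) {
        $findings += "Expected exactly one certificate with Friendly name 'vdm'; found $($vdm.Count)."
        return $findings
    }
    $cert = $vdm[0]

    # The installer's self-signed certificate has Issuer equal to Subject.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += "The vdm certificate is self-signed ($($cert.Subject))."
    }

    # The common name or a SAN must match the FQDN; a wildcard covers one label only.
    $matched = $false
    foreach ($name in @($cert.DnsNameList | ForEach-Object { $_.Unicode })) {
        $pattern = '^' + [regex]::Escape($name).Replace('\*', '[^.]+') + '$'
        if ($ExpectedFqdn -match $pattern) { $matched = $true }
    }
    if (-not $matched) {
        $findings += "No subject or SAN name on the vdm certificate matches $ExpectedFqdn."
    }

    # The private key must be present and marked exportable.
    if (-not $cert.HasPrivateKey) {
        $findings += 'The vdm certificate has no private key in this store.'
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $exportable = $null
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $allow = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
            $exportable = (([int]$rsa.Key.ExportPolicy) -band $allow) -ne 0
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
        if ($null -eq $exportable) {
            $findings += 'Could not read the export policy (non-RSA key); confirm it in the export wizard.'
        } elseif (-not $exportable) {
            $findings += 'The private key is not marked exportable.'
        }
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        $findings += "The vdm certificate expires on $($cert.NotAfter.ToString('yyyy-MM-dd'))."
    }
    return $findings
}

# Constructed FQDN; replace with the name your users connect to.
Test-HorizonVdmCertificate -ExpectedFqdn 'horizon.corp.example'
```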

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 5.2 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties with a text editor (as Administrator).
  6. Go back to the downloads folder, and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-5.2.0-14570289.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.
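Because the Connection Server now serves an executable to every user who clicks the link, it is worth confirming on each server that every locally hosted link resolves to a file and that the file still carries a valid Authenticode signature. This is an added example, not part of the original post; the function name is an assumption, and the two default paths are the ones used in the steps above.

```powershell
# Added example: list every link.* entry in the portal properties file and,
# for links served from the Connection Server itself, verify the target file.
function Test-HorizonPortalClientLink {
    param(
        [string]$PropertiesPath = 'C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties',
        [string]$WebAppsRoot    = 'C:\Program Files\VMware\VMware View\Server\broker\webapps'
    )

    foreach ($line in Get-Content -LiteralPath $PropertiesPath) {
        # Only key=value lines whose key starts with "link." are of interest.
        if ($line -match '^\s*(link\.[^=\s]+)\s*=\s*(\S.*?)\s*$') {
            $key    = $Matches[1]
            # Java .properties files may escape ':' as '\:' inside URLs.
            $target = $Matches[2] -replace '\\:', ':'

            $row = [ordered]@{
                Key = $key; Target = $target; Hosted = $false
                Exists = $null; Signature = $null; Signer = $null; SHA256 = $null
            }

            # A target without a URL scheme is a path relative to the webapps folder.
            if ($target -notmatch '^[a-z][a-z0-9+.-]*://') {
                $row.Hosted = $true
                $file = Join-Path $WebAppsRoot ($target.TrimStart('/') -replace '/', '\')
                $row.Exists = Test-Path -LiteralPath $file -PathType Leaf
                if ($row.Exists) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $file
                    $row.Signature = $sig.Status      # 'Valid' is the expected status
                    if ($sig.SignerCertificate) {
                        $row.Signer = $sig.SignerCertificate.Subject
                    }
                    # Record the hash so it can be compared across Connection Servers.
                    $row.SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                }
            }
            [pscustomobject]$row
        }
    }
}

# Run on each Connection Server; hosted rows should show Exists = True and Signature = Valid.
Test-HorizonPortalClientLink | Format-Table Key, Hosted, Exists, Signature, SHA256 -AutoSize
```

Comparing the SHA256 column between Connection Servers shows whether every server is handing out the same installer.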

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Horizon Console Timeout

The HTML5 Horizon Console (https://MyConnectionServer/newadmin) has a default timeout of 10 minutes. Changing the Horizon Administrator timeout will not affect the Horizon Console timeout. You can use adsiedit.msc to increase the Horizon Console timeout.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-APISessionTimeout, and click Edit.
  7. Enter a value in minutes. Click OK.

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = vDelboy – How to Enable Touch ID in VMware Horizon 6.2 and Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.
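The four LDAP edits above (Horizon Console timeout, saved mobile passwords, biometric authentication, pool deletion) all live on the same CN=Common object, so one read-only query can report their current state. This is an added example, not part of the original post; the function names and port 389 are assumptions, the distinguished name is built from the ADSI Edit path in the steps, and the sample values at the end are constructed.

```powershell
# Added example: read-only report of the CN=Common settings edited above.

# Read the four attributes from the Horizon LDAP instance on a Connection Server.
function Get-HorizonCommonAttributes {
    param([string]$Server = 'localhost:389')   # port 389 is an assumption
    $dn    = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
    $entry = [ADSI]"LDAP://$Server/$dn"
    $attrs = @{}
    foreach ($name in 'pae-APISessionTimeout', 'pae-ClientCredentialCacheTimeout',
                      'pae-ClientConfig', 'pae-NameValuePair') {
        $attrs[$name] = @($entry.psbase.Properties[$name] | ForEach-Object { [string]$_ })
    }
    return $attrs
}

# pae-ClientConfig and pae-NameValuePair are multi-valued lists of "name=value" lines.
function ConvertTo-NameValueMap {
    param([string[]]$Lines)
    $map = @{}
    foreach ($l in $Lines) {
        $k, $v = $l -split '=', 2
        if ($null -ne $v) { $map[$k.Trim()] = $v.Trim() }
    }
    return $map
}

# Turn raw attribute values into one row per setting, using the meanings given above.
function Get-HorizonSettingReport {
    param([Parameter(Mandatory = $true)][hashtable]$Attributes)

    $client = ConvertTo-NameValueMap $Attributes['pae-ClientConfig']
    $pairs  = ConvertTo-NameValueMap $Attributes['pae-NameValuePair']
    $api    = $Attributes['pae-APISessionTimeout'] | Select-Object -First 1
    $cache  = $Attributes['pae-ClientCredentialCacheTimeout'] | Select-Object -First 1

    if ($null -eq $api) { $apiText = 'not set' }
    else                { $apiText = "Horizon Console session times out after $api minutes" }

    if     ($null -eq $cache) { $cacheText = 'not set' }
    elseif ($cache -eq '0')   { $cacheText = 'mobile clients cannot save credentials' }
    elseif ($cache -eq '-1')  { $cacheText = 'saved credentials never time out' }
    else                      { $cacheText = "saved credentials time out after $cache minutes" }

    $bio = $client['BioMetricsTimeout']
    if     ($null -eq $bio) { $bioText = 'not set (biometric authentication is disabled by default)' }
    elseif ($bio -eq '-1')  { $bioText = 'biometric authentication enabled' }
    else                    { $bioText = "BioMetricsTimeout set to $bio" }

    $del = $pairs['cs-disableNonEmptyPoolDelete']
    if ($del -eq '1') { $delText = 'deleting a pool that still contains machines is blocked' }
    else              { $delText = 'not set' }

    [pscustomobject]@{ Setting = 'pae-APISessionTimeout';            Value = $api;   Meaning = $apiText }
    [pscustomobject]@{ Setting = 'pae-ClientCredentialCacheTimeout'; Value = $cache; Meaning = $cacheText }
    [pscustomobject]@{ Setting = 'BioMetricsTimeout';                Value = $bio;   Meaning = $bioText }
    [pscustomobject]@{ Setting = 'cs-disableNonEmptyPoolDelete';     Value = $del;   Meaning = $delText }
}

# Constructed sample values so the report runs without a Connection Server.
$sample = @{
    'pae-APISessionTimeout'            = @('10')
    'pae-ClientCredentialCacheTimeout' = @('-1')
    'pae-ClientConfig'                 = @('BioMetricsTimeout=-1')
    'pae-NameValuePair'                = @('cs-disableNonEmptyPoolDelete=1')
}
Get-HorizonSettingReport -Attributes $sample | Format-Table -AutoSize

# On a Connection Server, report the live values instead:
# Get-HorizonSettingReport -Attributes (Get-HorizonCommonAttributes) | Format-Table -AutoSize
```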

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

VMware Horizon 7.13.3 Composer

Last Modified: Mar 22, 2023 @ 5:46 am

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

Planning

If you’re doing Instant Clones, then you don’t need Horizon Composer. Composer is only needed for the older method of creating Linked Clones. However, Instant Clones requires Horizon Enterprise Edition, so maybe Composer is your only option.

  • Instant Clones in Standard Edition – In Horizon 7.13, all editions of Horizon, including Standard Edition, include licensing for Instant Clones. Horizon 8 removes Composer, so start migrating to Instant Clones today.

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 or 4,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
    • Horizon 7.2 and newer supports 4,000 VMs per vCenter Server.
    • Horizon 7.1 and older supports 2,000 VMs per vCenter Server.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licenses include vCenter licenses, so there’s no excuse to not use separate vCenter servers.

Horizon View Composer server planning:

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed on the Solution/Database Interoperability tab at VMware Product Interoperability Matrices.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareHorizonComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model, and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins, and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, in the upper half, check the Map box for VMwareHorizonComposer.
  13. On the bottom, check the box for the db_owner role, and click OK.

SQL Native Client

  1. Download SQL Native Client (sqlncli.msi).
  2. On the Horizon View Composer server, run sqlncli.msi.
  3. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  4. In the License Agreement page, select I accept, and click Next.
  5. In the Feature Selection page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the Horizon View Composer server, run ODBC Data Sources (64-bit) from the Start Menu.
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client, and click Finish.
  4. Enter the name HorizonComposer for the DSN, and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication, and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database, and select the VMwareHorizonComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install/Upgrade Composer

  1. Upgrade can be performed in-place.
  2. Windows Server 2019 is supported with Horizon Composer 7.8 and newer.
  3. Don’t install on Horizon Connection Server: Horizon Composer cannot be installed on the Horizon Connection Server. Composer and Connection Server must be separate machines.
  4. Extra Memory for vCenter: If you install Horizon Composer on a Windows vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed.
    1. vCenter Service Account: If you install Horizon Composer on a Windows vCenter server, log in as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed.
  5. Internet access for CRL checking: If the Horizon Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start.
  6. Certificate: If you install a certificate now, Composer installer will prompt you to select it during installation. Or, you can replace the certificate later.
  7. Download: Horizon 7.13.3 (ESB) Composer.
  8. Install: Run the downloaded VMware-viewcomposer-7.13.3.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Composer page, click Next.
  10. In the License Agreement page, select I accept the terms, and click Next.
  11. In the Destination Folder page, click Next.
  12. In the Database Information page, enter the name of the ODBC DSN.
  13. Enter the SQL account credentials (no Windows accounts), and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  14. The VMware Horizon 7 Composer Port Settings page appears. If you already installed a valid certificate on the Composer server, select Use an existing SSL certificate, and select the certificate. Click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes when asked to restart the computer.
  18. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center.

After Upgrade, Accept Untrusted Certificate

If you upgraded Composer, then go to Horizon Console or Horizon Administrator and verify the certificate. Ideally, Composer should be using a Trusted Certificate. Or you might have to Accept an untrusted certificate.

In Horizon Console 7.10 or newer: (scroll down for Horizon Administrator instructions)

  1. On the left, expand Monitor and click Dashboard.
  2. On the right, in the top left box labelled System Health, click View.
  3. With Components selected on the left, on the right, switch to the tab named View Composer Servers.
  4. Click the link for Untrusted Certificate.
  5. Scroll down and Accept the certificate.

Or in Horizon Administrator:

  1. On the top left, click Dashboard.
  2. On the right, expand View Composer Servers and click the red Composer server.
  3. Next to Untrusted certificate, click Verify.
  4. Click the button labelled View Certificate.
  5. At the bottom, click the button labelled Accept.

Administrator Permissions

If Horizon View Composer is installed on a standalone server (not on vCenter), Horizon Connection Server will need a service account with administrator permissions on the Horizon View Composer server. Add your Horizon View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Open the MMC Certificates snap-in (certlm.msc).
  2. Make sure your Composer certificate private key is exportable. Try exporting the certificate, and make sure Yes, export the private key is a selectable option.

  3. Stop the VMware Horizon 7 Composer service.
  4. In the certificates console, double-click your Composer certificate. On the Details tab, note the Thumbprint.
  5. Run Command Prompt as Administrator.
  6. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  7. Run sviconfig -operation=replacecertificate -delete=false.
  8. Select the certificate that matches the thumbprint you noted earlier.
  9. Then restart the VMware Horizon 7 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig -operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server.

Citrix SCOM Management Pack – NetScaler (1.17.93)

Last Modified: Nov 6, 2020 @ 7:12 am

💡 = Recently Updated

Requirements

  • NetScaler Platinum Edition
  • NetScaler 9.3 or newer
  • System Center Operations Manager 2012 or newer

Citrix Blog Post SCOM NetScaler Management Pack Resource Consumption & Performance Overview:

  • For 14,000 NetScaler objects, an extra 3 GB of RAM is needed on the SCOM monitoring agent. CPU is minimal.
  • For more than 14,000 NetScaler objects, the Agent started dropping data due to workflows.
  • Performance overview at Citrix Docs

NetScaler Pack

Full documentation at http://docs.citrix.com/en-us/scom-management-packs/netscaler/1-17.html.

Install Citrix NetScaler Pack

  1. On the System Center Operations Manager server, go to the downloaded Citrix SCOM Management Pack for NetScaler, and run Citrix_SCOM_Management_Pack_for_NetScaler.1.17.93exe.
  2. In the Welcome to the setup wizard for Citrix SCOM Management Pack for NetScaler page, click Next.
  3. In the View Relevant Product Configuration page, click Next.
  4. If you see a page indicating that an older version is already installed, click Next.
  5. In the License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Choose Destination Location page, click Next.
  7. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack, and click Install.
  8. In the Completed the setup page, click Next.
  9. In the All post-install actions were successfully completed page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed for the XAXD Pack.

NetScaler Monitoring Account

On the NetScaler appliances, run the following commands to add a local account, and bind it to a restrictive cmdPolicy. Replace the password with a secure password. If you leave the password off the command, then NetScaler will prompt you.

add system cmdPolicy polNetScalerMonitoring ALLOW (^show\s+system\s+\S+)|(^show\s+system\s+\S+\s+.*)|(^show\s+configstatus)|(^show\s+configstatus\s+.*)|(^shell\s+nsconmsg\s+-K\s+\S+\s+.*)

add system user usrNetScalerMonitoring MyPassword

bind system user usrNetScalerMonitoring read-only 1

bind system user usrNetScalerMonitoring polNetScalerMonitoring 1

show system user usrNetScalerMonitoring

SCOM Device Discovery

  1. System Center Operations Manager uses SNMP to communicate with NetScaler. If Windows Firewall is enabled on the SCOM server, enable some Inbound and Outbound rules.
  2. Inbound Rule: Operations Manager Ping Response.
  3. Inbound Rule: Operations Manager SNMP Response.
  4. Inbound Rule: Operations Manager SNMP Trap Listener.
  5. Outbound Rule: Operations Manager Ping Request.
  6. Outbound Rule: Operations Manager SNMP Request.
  7. Make sure the NetScaler is configured with an SNMP community string with ALL permission at System > SNMP > Community.
  8. If you have SNMP Managers configured, then make sure SCOM is in the list.
  9. In SCOM Console, go to the Administration workspace, right-click, and click Discovery Wizard.
  10. Select Network devices, and click Next.
  11. In the General Properties page, give the discovery rule a name. Select a SCOM server, and resource pool to run the discovery rule. Then click Next.
  12. In the Discovery Method page, select Explicit discovery, and click Next.
  13. In the Default Accounts page, if you are using SNMPv2 (instead of SNMPv3) to connect to NetScaler, then you can add the community string now. Click Create Account.
  14. In the Introduction page, click Next.
  15. In the General Properties page, give the community string a display name, and click Next.
  16. In the Credentials page, enter the community string, and click Create.
  17. Then click Next.
  18. In the Devices page, click Add.
  19. Enter the hostname of the device.
  20. Select the SNMP version.
  21. If SNMPv2, select the community string. If SNMPv3, you can add the user account now.
  22. Click OK when done.
  23. Add more devices. Then click Next.
  24. In the Schedule Discovery page, select how often you want this rule to run, and click Next.
  25. In the Summary page, click Create.
  26. Click Yes to distribute the accounts.
  27. In the Completion page, click Close. The rule will run now.
  28. You can also go to Administration > Network Management > Discovery Rules, and run the rule manually.
  29. And Network Devices Pending Management will show you discovery issues.
  30. The NetScaler appliance needs to be discovered and listed in the Network Devices node.
  31. You can use an SNMP Tester tool on the SCOM server to verify SNMP communication with NetScaler. 💡
  32. Also see CTX219765 Monitoring NetScaler with SCOM Management Packs – Understanding Discovery. 💡

Install Citrix NetScaler Agent

The Citrix SCOM Agent for NetScaler must be installed on the same SCOM server that is running the device discovery rule.

  1. If upgrading, uninstall the older Agent for NetScaler.
  2. On the SCOM servers that are running the SNMP Discovery Rule, go to \\scom01\CitrixMPShare\NetScaler MP, and run MPNSAgent.exe.
  3. In the Welcome to the setup wizard for Citrix SCOM Management Pack Agent for NetScaler page, click Next.
  4. If you see a page indicating that an older version is already installed, click Next.
  5. In the License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Destination Data Folder page, click Install.
  8. In the Completed the setup wizard page, click Finish.

NetScaler Monitoring RunAs Account

  1. In SCOM console, go to Administration workspace, right-click, and click Create Run As Account.
  2. In the Introduction page, click Next.
  3. In the General Properties page, change the account type to Basic Authentication.
  4. Give the account a display name and click Next.
  5. In the Credentials page, enter the credentials of the local monitoring account on the NetScalers, and click Next.
  6. In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
  7. In the Completion page, click Close.
  8. In the Administration workspace, go to Run As > Profiles.
  9. Double-click Citrix NetScaler Appliance Action Account.
  10. In the Introduction page, click Next.
  11. In the General Properties page, click Next.
  12. In the Run As Accounts page, click Add.
  13. Select the previously created NetScaler monitoring account.
  14. Change the selection to A selected class, group, or object. Then click Select > Object.
  15. Search for the NetScaler appliances these credentials apply to, click Add, and then click OK.
  16. Then click OK.
  17. Click Save.
  18. In the Completion page, if the Run As account is configured for Secure Distribution then click the link to specify Agents to receive the credentials.

Use Management Pack

In the Monitoring workspace, under Citrix NetScaler, your appliance should eventually show up. These views should give you an inventory of the NetScaler configuration, current health status, etc.

Citrix SCOM Management Packs – XenApp/XenDesktop (2017_10_27)

Last Modified: Nov 7, 2020 @ 6:34 am

Requirements

  • XenApp/XenDesktop Platinum Edition with current Subscription Advantage
  • XenApp/XenDesktop version 6.0 or newer
  • Citrix Licensing Server 11.13.1 or newer
  • System Center Operations Manager 2012 or newer

Citrix provided an overview of the SCOM Management Packs during a breakout session at Synergy 2016.

Licensing Pack

See Citrix Docs for Full Documentation of the Licensing Pack.

  1. Download the Citrix SCOM Management Pack Bundle and extract it.
  2. Extract the Citrix_SCOM_Management_Pack_for_LicenseServer.zip file.
  3. In SCOM Console, go to Administration, right-click Management Packs, and click Import Management Packs.
  4. Click Add, and click add from disk.
  5. Browse to the extracted License Server Management Pack, and select all three files. Click Open.
  6. Click Install.
  7. Click Close when done.
  8. Go to Administration > Device Management > Agent Managed.
  9. Double-click your license server.
  10. On the Security tab, check the box next to Allow this agent to act as a proxy, and click OK.
  11. If you go to Monitoring > Citrix License Server > License Server State, you’ll eventually see your license server.

XenApp/XenDesktop Pack

See Citrix Docs for Full Documentation of the XenApp/XenDesktop Pack.

To upgrade:

  • Install the updated SCOM Pack on the SCOM Server.
  • Run the Install MPXAXD Agent task, and override the UpgradeAgent parameter to true.
  • In-place upgrade the Machine Agent.
  • Import updated SLA Dashboard Management Pack.

Install/Upgrade Citrix XenAppXenDesktop Pack

To install or upgrade:

  1. To upgrade, simply run the installer again as detailed in the next step.
  2. Download the Citrix SCOM Management Pack Bundle.
  3. On the System Center Operations Manager server, run Citrix_SCOM_Management_Pack_for_XenAppXenDesktop.exe.
  4. In the Welcome to the setup wizard for Citrix SCOM Management Pack for XenApp and XenDesktop page, click Next.
  5. In the View Relevant Product Configuration page, click Next.
  6. If upgrading, the installer will detect the older version. Click Next to begin the upgrade. For new installs, skip to the next step.
  7. In the License Agreement page, check the box next to I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack. Feel free to uncheck Enable the product to send anonymous usage statistics to Citrix. Click Install.
  10. In the Completed the setup for Citrix SCOM Management Pack for XenApp and XenDesktop page, click Next.
  11. In the All post-install actions were successfully executed page, click Finish.

Citrix XAXD Pack Action Account

  1. Create a new account. This account must be an administrator on all monitored Citrix machines: Controllers, VDAs, etc.
  2. In Citrix Studio, add the action account with Read-only permissions.



  3. In SCOM console, go to Administration workspace, right-click, and click Create Run As Account.
  4. In the Introduction page, click Next.
  5. In the General Properties page, change the account type to Windows.
  6. Give the account a display name and click Next.
  7. In the Credentials page, enter the previously created action account credentials and click Next.
  8. In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
  9. In the Completion page, click Close.
  10. In the Administration workspace, go to Run As > Profiles.
  11. Double-click Citrix XenApp/XenDesktop Monitoring Account.
  12. In the Introduction page, click Next.
  13. In the General Properties page, click Next.
  14. In the Run As Accounts page, click Add.
  15. Select the previously created action account, and click OK.
  16. Click Save.
  17. In the Completion page, if the Run As account is configured for Secure Distribution, then click the link to specify Agents to receive the credentials.

MP Agent Installation Account

Several of the Management Packs require an additional agent to be installed on top of the SCOM agent. Create an Active Directory account that will be used by the agent installer to connect to the file share on the System Center Operations Manager server. This configuration is used by several of Citrix’s Management Packs.

  1. In Active Directory, create a new regular account for Management Pack Agent installation.
  2. On the System Center Operations Manager server, open Computer Management.
  3. Edit the CitrixMPShareUsers local group.
  4. Add the MP Agent Installation Account. Also add the Citrix Admins group. Click OK.
  5. In SCOM Console, go to the Administration workspace, right-click, and click Create Run As Account.
  6. In the Introduction page, click Next.
  7. In the General Properties page, change the account type to Windows.
  8. Give the account a display name and click Next.
  9. In the Credentials page, enter the previously created Agent Installation account credentials, and click Next.
  10. In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
  11. In the Completion page, click Close.
  12. In the Administration workspace, go to Run As > Profiles.
  13. Double-click Citrix Management Pack Network Share Account.
  14. In the Introduction page, click Next.
  15. In the General Properties page, click Next.
  16. In the Run As Accounts page, click Add.
  17. Select the previously created Management Pack Agent installation account, and click OK.
  18. Click Save.

SCOM Proxy Agent

All Microsoft SCOM Agents running Citrix Agents must be marked as a Proxy Agent.

  1. In the SCOM Console, go to the Administration workspace, expand Device Management, and click Agent Managed.
  2. Double-click your SCOM Agent.
  3. On the Security tab, check the box next to Allow this agent to act as a proxy, and click OK.
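The same proxy setting can be applied and reviewed from the Operations Manager Shell. This is an added example, not part of the original post. It assumes the OperationsManager module on a management server, and the host names are constructed placeholders. Besides enabling proxy on the listed Citrix machines, it lists every other agent that has proxy enabled so the setting stays limited to machines that need it.

```powershell
# Added example (not from the original post).
# Run on a SCOM management server with rights to edit agent settings.
Import-Module OperationsManager

# Constructed placeholders (assumption): machines that run a Citrix MP agent.
$citrixAgentHosts = @(
    'ddc01.corp.local',
    'sf01.corp.local',
    'pvs01.corp.local'
)

foreach ($name in $citrixAgentHosts) {
    # Look up the agent-managed computer by its DNS host name.
    $agent = Get-SCOMAgent -DNSHostName $name -ErrorAction SilentlyContinue
    if (-not $agent) {
        Write-Warning "$name is not an agent-managed computer in this management group."
        continue
    }

    if ($agent.ProxyingEnabled.Value) {
        Write-Output "$name : proxy already enabled"
    }
    else {
        # Same effect as checking 'Allow this agent to act as a proxy' on the Security tab.
        Enable-SCOMAgentProxy -Agent $agent
        Write-Output "$name : proxy enabled"
    }
}

# Review: agents with proxy enabled that are NOT in the Citrix list above.
# Each of these can submit data on behalf of other objects, so confirm that
# another management pack actually requires it.
Get-SCOMAgent |
    Where-Object { $_.ProxyingEnabled.Value -and ($citrixAgentHosts -notcontains $_.DisplayName) } |
    Select-Object DisplayName, @{ Name = 'ProxyEnabled'; Expression = { $_.ProxyingEnabled.Value } } |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```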

Director URL

  1. On the SCOM server, run XenApp and XenDesktop MP Configuration.
  2. In Management Pack 3.12 and newer, the first time you launch the tool, you’ll be taken to the Configuration encryption tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text when running a SCOM Task to install or upgrade the agent.

  3. For environments with more than 100 Delivery Groups, 600 Server OS machines, and 1,500 applications, see Configuring SCOM Administrator at Citrix Docs to configure the SCOM Connector by specifying a SCOM Administrator on the SCOM Administrator tab.
  4. On the Director URL tab, click Add.
  5. Enter the XenDesktop Site name (farm name).
  6. Enter the Director URL for the farm, and click OK twice.

Push Citrix XAXD Agent

To push the XAXD Agent:

  1. In the SCOM Console, go to Monitoring workspace, expand Citrix Library, and click XenApp/XenDesktop Delivery Controller Computers.
  2. Select a Delivery Controller.
  3. On the bottom right, in the XAXD Delivery Controller Computer Role Tasks pane, click Check Installation Prerequisites.
  4. Click Run.
  5. Review the report, and then click Close.
  6. Now click the Install Citrix MPXAXD Agent task.
  7. If desired, you can override the Task Parameters. See the documentation for details.
  8. In 3.12 and newer, you must override the Encryption Password parameter, and specify the password you entered in the Configuration Tool.
  9. If upgrading, set UpgradeAgent to true. Then click Run.
  10. When done, review the task output, and then click Close.
  11. If you see an Error about the service logon account…

    1. Then go to the Delivery Controller, open Services, and reconfigure Citrix MPXAXD Agent service to run as a local administrator that has read-only permissions in Citrix Studio.
  12. The agent will eventually report as Healthy.
  13. You can verify configuration by running the Check Requirements and Configuration task. You might have to also run the Update Configuration task.

  14. If you scroll down, you’ll see the agent version.
  15. Citrix CTX224736 Citrix SCOM Management Pack for XenApp and XenDesktop 7.x – Disabling monitoring of VDA Services in large environments: In large environments, with 500+ Server OS machines, disable monitoring of VDA services on Server OS machines.
  16. Citrix CTX225735 Citrix SCOM MP Agents – Support Information Logging: The information in the SCOM MP Agent log files might be insufficient to troubleshoot certain issues. You can set additional product logging by modifying the log level registry key.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Comtrade\<SCOM MP Agent>
      • LogLevel (REG_SZ) = ERROR, WARN, INFO, or DEBUG
    • The log files are located at %ProgramData%\Citrix\SCOM MP Agent\logs
    • Logging configuration for some agents is located in the mp_config.ini file.
  17. Citrix CTX230082 Citrix SCOM Management Pack for XenApp and XenDesktop – Monitoring failure on connections live for more than 24 hours. If any Session A in the monitored environment lasts longer than 24 hours, any new sessions that start after the 24-hour retention period but before Session A ends will not be monitored properly.
    • HKEY_LOCAL_MACHINE\SOFTWARE\ComTrade\XenDesktop MP Agent
      • ConnectionEventsMaxAgeInHours (DWORD) = number of hours you expect the longest connections in the monitored environment to last

Install Citrix Machine Proxy Agent

To monitor the performance of the VDAs, install the Citrix Machine Agent on any Windows Server 2012 or newer machine (Windows Server 2008 R2 is not supported). This Agent will use PSRemoting to connect to a Delivery Controller to enumerate the VDAs in the farm. The Agent will then use WinRM to pull performance data and session data from the VDAs.

  1. Enable PSRemoting on the Delivery Controllers.
  2. On the VDAs, run winrm quickconfig.
  3. The Machine Agent uses an account to connect to Delivery Controller and VDAs. You can use the same Action Account created earlier for the Management Pack. This account must be a read-only administrator in XenDesktop and it must have administrator permissions to all Controllers and VDAs.

  4. To verify WinRM, run Command Prompt as the action account.

  5. Run winrm identify -r:http://myvda.corp.local:5985 -auth:Kerberos. It should connect.
  6. Go to any Windows Server 2012 or newer machine that you want to run the VDA Machine Agent on. The Machine Agent uses WinRM to connect to the VDAs. One option is to install it on one of the Delivery Controllers.
  7. Connect to \\scom01\CitrixMPShare.
  8. Copy XenDesktop Machine MP to the local machine.
  9. Run Support.exe /checkprereq to verify prerequisites.

  10. Then run MPXAXDMachineAgent.exe.
  11. In the Welcome to the setup wizard for Citrix SCOM Management Pack Machine Agent for XenApp and XenDesktop page, click Next.
  12. The installer will detect the previously installed version. Click Next.
  13. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  14. In the Destination Folder page, click Next.
  15. In the Destination Data Folder page, click Next.
  16. In the Agent Service Account page, enter the service account (action account) credentials, and click Next.
  17. In the Delivery Controllers page, enter the hostnames of the Delivery Controllers you want this agent to monitor, and click Install.
  18. In the Completed the setup wizard for Citrix SCOM Management Pack Machine Agent for XenApp and XenDesktop page, click Finish.
  19. In SCOM console, go to Monitoring > Citrix Library > XenApp/XenDesktop Machine Monitoring.
  20. Select a Proxy computer.
  21. On the bottom right, run the Update Configuration task.
  22. Then run the Check Requirements task.
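The WinRM check in steps 1 to 5 above can be repeated for every Delivery Controller and VDA before installing the Machine Agent. This is an added example, not part of the original post. The host names are constructed placeholders and `Test-AgentWinRM` is a hypothetical helper name. It separates "listener not answering" from "Kerberos authentication failed", and on Controllers it also opens a PSRemoting session, which only succeeds if the account has administrator rights there.

```powershell
# Added example (not from the original post).
# Run in a PowerShell session started as the action account, on the machine
# that will host the Machine Agent. Use host names, not IP addresses:
# Kerberos needs a name it can map to a service principal.

# Constructed placeholders (assumption).
$controllers = @('ddc01.corp.local')
$vdas        = @('myvda.corp.local')

function Test-AgentWinRM {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [switch] $CheckRemoting   # also open a PSRemoting session (Delivery Controllers)
    )

    $row = [pscustomobject]@{
        Computer = $ComputerName
        Listener = $false   # WinRM HTTP listener answers on 5985
        Kerberos = $false   # authenticated Identify as the current account
        Remoting = $null    # PSRemoting session opened (only when requested)
        Detail   = ''
    }

    try {
        # Unauthenticated WS-Man Identify: proves the listener is reachable.
        Test-WSMan -ComputerName $ComputerName -Port 5985 -ErrorAction Stop | Out-Null
        $row.Listener = $true

        # Same check as: winrm identify -r:http://<host>:5985 -auth:Kerberos
        $id = Test-WSMan -ComputerName $ComputerName -Port 5985 `
                         -Authentication Kerberos -ErrorAction Stop
        $row.Kerberos = $true
        $row.Detail   = $id.ProductVersion

        if ($CheckRemoting) {
            # The default remoting endpoint is restricted to administrators,
            # so success here also confirms the account's rights on the host.
            $null = Invoke-Command -ComputerName $ComputerName `
                                   -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
            $row.Remoting = $true
        }
    }
    catch {
        if ($CheckRemoting -and $row.Kerberos) { $row.Remoting = $false }
        $row.Detail = $_.Exception.Message
    }

    $row
}

$results  = @()
$results += $controllers | ForEach-Object { Test-AgentWinRM -ComputerName $_ -CheckRemoting }
$results += $vdas        | ForEach-Object { Test-AgentWinRM -ComputerName $_ }

# Any row with Listener, Kerberos or Remoting = False needs fixing before the install.
$results | Format-Table -AutoSize -Wrap
```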

If the Machine Agent Proxy Computer is monitoring a large environment, then see the following. Environments with more than 100 Delivery Groups, 600 Server OS machines, and 1,500 applications are considered large.

New Reports

3.14 adds a new Application – Usage report as described in Citrix Blog Post What’s New with the Citrix SCOM Management Packs – Nov 2017.

3.9 adds two new Reports as described in Citrix Blog Post Monitor Site Infrastructure & Delivery Group Availability with Citrix SCOM Management Pack for XenApp and XenDesktop:

  • Site – Infrastructure Availability report – availability of a Site infrastructure over time. Availability is determined by health (availability) of most important Citrix services on the Delivery controller computers, and availability of configured hosting connections.
  • Delivery Group – Availability – availability of desktops provided with the selected Delivery Group

3.8 adds two new Reports as described in Citrix Blog Post Analyzing Application/Desktop Usage with Citrix SCOM Management Pack for XenApp and XenDesktop.

  • Application – User Activity report – see for a selected application which users have been using it and when. For each specific usage you also get usage duration, IP address of the client computer, and machine name on which the application was running.

  • Delivery Group – Desktop User Activity report – shows which users have been using desktop and when for each selected Delivery Group. It is almost identical to the “Application – User Activity” report, except that the delivery group is selected instead of application and you get desktop usages in the specific delivery group instead of application usages.

Customize Management Pack

Citrix Blog Post Increasing the Application Discovery Limit in Citrix SCOM Management Pack: That limit is around 1,500 applications. Now, you can discover more than 1,500 applications using the following method. We have tested the discovery of up to 4,500 applications in our lab environment.

The existing management pack has five discoveries for applications. Each discovery can discover approximately 300 applications. We have created a custom management pack that includes an additional 10 discoveries to be able to discover a total of 4,500 applications. See the Blog Post for the download link.

SLA Dashboards

The XAXD Pack has an extra Management Pack that adds SLA Targets and dashboards.

  1. In SCOM Console, go to Administration workspace, right-click Management Packs and click Import Management Packs.
  2. Click Add and then click Add from disk.
  3. Connecting to the online catalog is not required.
  4. Browse to C:\Program Files\Citrix\XenDesktop MP (or C:\Program Files\Comtrade\XenDesktop MP) and select the Citrix.XenApp.And.XenDesktop.SLADashboards Management Pack. Click Open.
  5. Click Install.
  6. Click Close when done.
  7. Go to the Monitoring workspace, expand Citrix XenApp and XenDesktop, expand Dashboards, and click Delivery Group SLA Dashboard.
  8. On the right, click the gear icon, and click Configure.
  9. In the General Properties page, click Next.
  10. In the Scope page, click Add.
  11. Select the Desktop OS Delivery Group Health and Server OS Delivery group Health SLAs and click Add. Then click OK.
  12. Click Finish.
  13. On the left, click the Site SLA Dashboard.
  14. On the right, look for the lower gear icon and click Configure. You might have to click the Site SLAs pane first.
  15. In the General Properties page, click Next.
  16. In the Scope page, click Add.
  17. Select Site Health and click Add. Then click OK.
  18. Click Finish.
  19. If you go to Authoring > Service Level Tracking, you can create more SLAs. See the documentation for details.
  20. The XAXD pack also adds a bunch of reports.

StoreFront Pack

Full documentation at http://docs.citrix.com/en-us/scom-management-packs/storefront/1-12.html.

Install Citrix StoreFront Pack

  1. Download the Citrix SCOM Management Pack Bundle.
  2. On the System Center Operations Manager server, run Citrix_SCOM_Management_Pack_for_StoreFront.exe.
  3. In the Welcome to the setup wizard for Citrix SCOM Management Pack for StoreFront page, click Next.
  4. In the View Relevant Product Configuration page, click Next.
  5. The installer could detect an older version. Click Next.
  6. In the License Agreement page, check the box next to I accept the terms and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack, and click Install.
  9. In the Completed the setup for the Citrix SCOM Management Pack for StoreFront page, click Next.
  10. In the All post-install actions were successfully executed page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed earlier for the XAXD Pack.

SCOM Proxy Agent

All Microsoft SCOM Agents running Citrix Agents must be marked as a Proxy Agent.

  1. In the SCOM Console, go to the Administration workspace, expand Device Management and click Agent Managed.
  2. Double-click your SCOM Agent.
  3. On the Security tab, check the box next to Allow this agent to act as a proxy, and click OK.

Probe Account

The StoreFront Management Pack logs into StoreFront using an account. StoreFront must be configured with Explicit Authentication.

  1. On the SCOM server, run StoreFront MP Configuration.
  2. In Management Pack 1.11 and newer, the first time you launch the tool, you’ll be taken to the Encryption Password tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text when running a SCOM Task to install or upgrade the agent.

  3. On the StoreFront availability tab, click Add.
  4. Enter credentials that can log into StoreFront. Make sure the userPrincipalName suffix or domain name matches one of the allowed domains configured on StoreFront (Source = CTX222920 Error: “StoreFront Store Service Probe Failed” While Using Citrix SCOM Management Pack for StoreFront). Click OK twice.
  5. Click OK.

Push Citrix StoreFront Agent

  1. If the StoreFront Server is Windows 2008 R2, install Microsoft hotfix 2847346 Svchost.exe running NSI service leaks memory and non-paged pool memory leak Tag NSpc. Also see Citrix CTX225624 Citrix SCOM MP for Storefront causes high memory utilization on Windows Server 2008 R2.
  2. In the SCOM Console, go to Monitoring workspace, expand Citrix Library, and click StoreFront Computers.
  3. Select a StoreFront server.
  4. On the bottom right, in the StoreFront Server Computer Role Tasks pane, click Check Installation Prerequisites.
  5. Click Run.
  6. Review the report, and then click Close.
  7. Now click the Install Citrix MPSF Agent task.
  8. If desired, you can override the Task Parameters. See the documentation for details.
  9. In 1.11 and newer, you must override the Encryption Password parameter, and specify the password you entered in the Configuration Tool.
  10. If upgrading, override UpgradeAgent, and set it to true.
  11. Then click Run.
  12. When done, review the report, and then click Close.
  13. The agent will eventually report as Healthy.
  14. You can verify configuration and version by running the Check Requirements and Configuration task. You might have to also run the Update Configuration task.

Provisioning Services Pack

Full Documentation is at http://docs.citrix.com/en-us/scom-management-packs/provisioning-services/1-19.html.

Install Citrix Provisioning Services Pack

  1. Download the Citrix SCOM Management Pack Bundle.
  2. On the System Center Operations Manager server, run Citrix_SCOM_Management_Pack_for_ProvisioningServices.exe.
  3. In the Welcome to the InstallShield wizard for Citrix SCOM Management Pack for Provisioning Services page, click Next.
  4. In the View Relevant Product Configuration page, click Next.
  5. If an older version is detected, click Next to upgrade it.
  6. In the License Agreement page, check the box next to I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack, and click Install.
  9. In the Completed the setup for Citrix SCOM Management Pack for Provisioning Services page, click Next.
  10. In the All post-install actions were successfully executed page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed earlier for the XAXD Pack.

SCOM Proxy Agent

All Microsoft SCOM Agents running Citrix Agents must be marked as a Proxy Agent.

  1. In the SCOM Console, go to the Administration workspace, expand Device Management, and click Agent Managed.
  2. Double-click your SCOM Agent.
  3. On the Security tab, check the box next to Allow this agent to act as a proxy and click OK.
  4. If you have many Provisioning Services servers, you can run Provisioning Services MP Configuration from the Start Menu, and enable Proxy using this tool.
  5. In Management Pack 1.17 and newer, the first time you launch the tool, you’ll be taken to the Configuration encryption tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text when running a SCOM Task to install or upgrade the agent.

  6. Then you can configure the Proxy tab.

Farm Account

The Provisioning Services Management Pack needs to log into the Provisioning Services farm.

  1. Create a service account and make it a full Provisioning Services farm administrator.
  2. On the SCOM server, run Provisioning Services MP Configuration.
  3. In Management Pack 1.17 and newer, the first time you launch the tool, you’ll be taken to the Configuration encryption tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text when running a SCOM Task to install or upgrade the agent.

  4. On the Provisioning Services tab, click Add.
  5. Enter a farm name. You’ll need this farm name later.
  6. Enter credentials for a full farm administrator, and click OK.
  7. Click OK.

Push Citrix Provisioning Services Agent

  1. In the SCOM Console, go to Monitoring workspace, expand Citrix Library, and click Provisioning Services Computers.
  2. Select a Provisioning Services server.
  3. On the bottom right, in the Tasks pane, click Check Installation Prerequisites.
  4. Click Run.
  5. Review the report, and click Close.
  6. Now click the Install Citrix MPPVS Agent task.
  7. If desired, you can override the Task Parameters. For example, UpgradeAgent can be overridden to true. See the documentation for details.
  8. In 1.18 and newer, you must override the Encryption Password parameter, and specify the password you entered in the Configuration Tool.
  9. Then click Run.
  10. When done, review the report, and click Close.
  11. Run the Set Farm Name on Citrix MPPVS Agent task.
  12. Override the Task Parameter.
  13. Specify the farm name. This should match the farm account created earlier. Then click Override.
  14. Click Run.
  15. Review the task output, and click Close.
  16. The agent will eventually report as Healthy.
  17. You can verify configuration by running the Check Requirements and Configuration task. You might have to also run the Update Configuration task.

  18. From John Haggerty in the comments: If you see: “Connection to PVS Soap Server Failed”, and if C:\ProgramData\Citrix\Provisioning Services MP Agent\mppvs_agt.log says “Security Support Provider Interface (SSPI) authentication failed”, then configure Kerberos Authentication for Citrix MPPVS Agent service. To enable Kerberos authentication, perform the following steps:
    1. Set “Log On” account for “Citrix MPPVS Agent” service to the account you are using for MPPVS.
    2. In command prompt, go to “%Program Files%\Citrix\Provisioning Services MP Agent” and execute PVSMonitorSvc.exe /setconnection runninguser
    3. Restart “Citrix MPPVS Agent” service and after a minute run check requirements tool to check if agent is ok now.
    4. NOTE: Issue will be resolved in next discovery cycle (by default 5 minutes).

Related Pages