Omnissa Horizon True SSO with UAG SAML

Last Modified: Jul 27, 2024 @ 10:24 am

Navigation

Change Log

Overview

To configure SAML on Unified Access Gateway (UAG) you must have the following versions:

  • UAG 3.8 or newer
  • Connection Servers 7.11 or newer
  • For Windows 10 version 2004, deploy Horizon 2103 (8.2) or newer.

True SSO is optional.

  • SAML does not provide the user’s password to Horizon, which means that Horizon cannot perform single sign-on to the Horizon Agent machine and thus the Horizon Agent machine will prompt the user to login again. This usually means the user has to login twice.
  • To eliminate the second logon on the Horizon Agent machine, implement True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Horizon Enrollment Servers ask Microsoft Certificate Authority servers to generate the SSO certificates for each user. This is an identity operation and thus the Horizon Enrollment Servers should be treated like Domain Controllers.

When you use Horizon Client to connect to a UAG that is SAML-enabled:

  1. It opens the default browser and prompts the user to sign into your SAML Identity Provider. If the user is already signed in then the user won’t see any sign-in prompt.
  2. After sign-in, the browser will then prompt the user to open Horizon Client.
  3. If the user locks the desktop then the user will need to know the local Active Directory password to unlock it.

Certificate Authority

Horizon Enrollment Servers can use a Microsoft Certificate Authority that already exists. Or you can install Microsoft Certificate Authority on the Horizon Enrollment Servers. If you have two Enrollment Servers, then install Microsoft Certificate Authority on both of the servers.

  1. Install Microsoft Certificate Authority from Server Manager > Manage > Add Roles and Features.
  2. Select Active Directory Certificate Services.
  3. The only Role Service needed for True SSO is Certification Authority.

The Microsoft Certificate Authority must be an Enterprise CA.

  1. After role installation, click the flag icon and then click the link to Configure Active Directory Certificate Services.
  2. In the Setup Type page, select Enterprise CA.
  3. In the CA Type page, if you already have a Root CA, then you can select Subordinate CA. Otherwise, you need at least one Root CA in your environment.

After Microsoft CA is installed, run the following commands:

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
sc stop certsvc
sc start certsvc

If you just built a new Certificate Authority server then True SSO won’t work until you run gpupdate /force on all of your Domain Controllers and Horizon Agent machines. Or wait several hours for group policy to update.

Certificate Template

  1. On the Certificate Authority machine, from Start Menu, run Certification Authority.
  2. Right-click the Certificate Templates node and click Manage.
  3. Right-click the Smartcard Logon template and click Duplicate Template.
  4. On the Compatibility tab, change the drop-down for Certification Authority to Windows Server 2008 R2.
  5. Change the drop-down for Certificate recipient to Windows 7 / Server 2008 R2.
  6. On the General tab, name it True SSO or similar.
  7. Change the Validity Period to 1 day or similar.
  8. On the Request Handling tab, change the drop-down for Purpose to Signature and smartcard logon.
  9. Check the box next to For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  10. On the Cryptography tab, change the drop-down for Provider Category to Key Storage Provider.
  11. On the Server tab, check the top box for Do not store certificates and requests in the CA database.
  12. Uncheck the bottom box for Do not include revocation information in issued certificates.
  13. On the Issuance Requirements tab, check the box next to This number of authorized signatures and enter 1 as the value.
  14. Change the drop-down for Policy type required in signature to Application policy.
  15. Change the drop-down for Application policy to Certificate Request Agent.
  16. At the bottom, change the selection to Valid existing certificate.
  17. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  18. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  19. Back in the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and click Properties.
  20. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  21. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  22. Close the Certificate Templates Console.
  23. Back in the Certification Authority Console, with Certificate Templates highlighted on the left, if your environment has multiple CAs but this CA is dedicated to True SSO, then delete all templates from the right. Note: Domain Controllers must have certificates installed so make sure you have at least one other CA that is issuing Domain Controller certificates.
  24. Right-click Certificate Templates and click New > Certificate Template to Issue.
  25. Select Enrollment Agent (Computer) and click OK.
  26. Issue another certificate template but this time select the True SSO template.
  27. Your CA should now show the two templates.
  28. If you have a second CA, and if it is dedicated to True SSO, then delete all templates from that CA. Then configure it to issue the same two templates.

Enrollment Server

Horizon Enrollment Server must be installed on dedicated machine(s) that don’t have any other Horizon components installed.

  1. Login to the new Horizon Enrollment Server that has at least 4 GB of RAM.
  2. Run certlm.msc.
  3. Expand Personal, then right-click Certificates, expand All Tasks, and click Request New Certificate.

    1. In the Before You Begin page, click Next.
    2. In the Select Certificate Enrollment Policy page, click Next.
    3. In the Request Certificates page, check the box next to Enrollment Agent (Computer) and then click Enroll.
    4. In the Certificate Installation Results page, click Finish.
    5. Notice the expiration date on the Enrollment Agent certificate. Make sure you renew it before it expires.
  4. Go to the downloaded Horizon software and run VMware-Horizon-Connection-Server-x86_x64.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, change the selection to Horizon Enrollment Server and click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If Microsoft CA is installed on the Enrollment Server, then run regedit.
    1. Go to HKLM\Software\VMware, Inc.\VMware VDM.
    2. Create a new Key named Enrollment Service.
    3. Under Enrollment Service, create a new String (REG_SZ) value named PreferLocalCa and set it to 1.
    4. Also add string values for UseKerberosAuthenticationToCa = false and UseNTLMAuthenticationToCa = true
  12. If you have two Enrollment Servers, then repeat this entire section on the other server. This includes requesting the Enrollment Agent certificate, installing the Enrollment Server software, and setting the PreferLocalCa registry value.

Trust

  1. Log in to a Connection Server and run certlm.msc.
  2. On the left, expand VMware Horizon View Certificates and then click Certificates.
  3. On the right, find the certificate with the Friendly Name vdm.ec, right-click it, expand All Tasks, and then click Export. All Connection Servers have the same certificate so you only need to export from one of the Connection Servers.
  4. In the Export Private Key page, select No, do not export the private key, and then click Next.
  5. In the Export File Format page, leave it set to DER, and then click Next.
  6. Save the certificate to a file that you can access from your Enrollment Server(s).
  7. Log in to an Enrollment Server and run certlm.msc.
  8. On the left, right-click VMware Horizon View Enrollment Server Trusted Roots, expand All Tasks, and click Import.
  9. In the Welcome to the Certificate Import Wizard page, click Next.
  10. In the File to Import page, browse to the certificate that you exported from the Connection Server and then click Next.
  11. In the Certificate Store page, VMware Horizon View Enrollment Server Trusted Roots should already be selected so just click Next.
  12. In the Completing the Certificate Import Wizard page, click Finish.
  13. Repeat the certificate import process on the other Horizon Enrollment Server.

SAML to UAG

  1. Login to your SAML Identity Provider (IdP) and create an application for Unified Access Gateway.
  2. For Okta, see Omnissa Tech Zone.
  3. Azure AD has a gallery application to make configuration easier. Or use the following values:
    • Identifier = https://*.HORIZON_UAG_FQDN.com/portal
    • Reply URL (Assertion Consume Service URL = https://<HORIZON_UAG_FQDN>/portal/samlsso
  4. When done, it should look something like this:
  5. Download the Federation Metadata XML from your Identity Provider. The Metadata Url doesn’t seem to work.
  6. Login to your UAG admin page (https://<HORIZON_UAG_FQDN>:9443/admin).
  7. Select Configure Manually.
  8. Scroll down to the section named Identity Bridging Settings and click Upload Identity Provider Metadata.
  9. In Unified Access Gateway 2312 and newer, click Upload IDP Metadata.
  10. Click Select in the IDP Metadata row.
  11. Browse to the metadata .xml file and then click Save.
  12. At the top of the page, next to Edge Service Settings click SHOW.
  13. Next to Horizon Settings click the gear icon.
  14. At the bottom of the page, click More.
  15. At the top of the page, change the drop-down for Auth Methods to SAML.
  16. Change the drop-down for Identity Provider to the SAML Identifier in the Metadata that you just imported.
  17. At the bottom of the page click Save.
  18. Login to Horizon Console.
  19. In the left menu, go to Settings > Servers.
  20. On the right, click the tab named Connection Servers.
  21. Highlight a Connection Server that UAG talks to and click Edit.
  22. Switch to the tab named Authentication.
  23. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.
  24. Click the button named Manage SAML Authenticators.
  25. Click Add.
  26. Change the selection for Type to Static. Dynamic seems to only be valid for Omnissa Access.
  27. Go to your Metadata .xml file and edit it with a text editor. Then copy its contents to your clipboard.
  28. Back in Horizon Console, in the SAML Metadata field, paste in the contents.
  29. Give your SAML 2.0 Authenticator a name and click OK.
  30. Click OK to close the Manage SAML Authenticators window.
  31. Edit other Connection Servers that UAG talks to and go to the Authentication tab.
  32. Set SAML 2.0 Authenticator to Allowed and then click the Manage SAML Authenticators button.
  33. The previously created SAML Authenticator should already be there so just click Edit.
  34. At the bottom, check the box next to Enabled for Connection Server and then click OK. Repeat on any other Connection Server that UAG talks to.
  35. In Horizon Console, if you go to Monitor > Dashboard and then click VIEW in the System Health section.
  36. On the left go to Other Components. On the right go to the tab named SAML 2.0. You should see your SAML Authenticator.

Enable True SSO

Login to one of the Connection Servers and open a Command Prompt as administrator. The commands in this section have case sensitive parameter names. These commands are vdmutil, not vdmadmin.

Run the following command to add each Enrollment Server. Notes:

  • For the --authPassword fields, you enter "*" (with quotes) to be prompted to enter the password instead of specifying it at the command line.
  • --authAs fields do not include the domain name since domain is a different field.
vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn,enroll-server2-fqdn

Run the following command to see the available certificate authorities and certificate templates for a particular domain.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

Run the following command to enable the Enrollment Servers for a particular domain. This syntax configures the Enrollment Servers as active/passive (failover). Note: certificateServer is the CA name from the previous command and not the server’s FQDN.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --secondaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1,ca2-common-name --mode enabled

Run the following command to see the SAML Authenticators configured in Horizon Console.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator

Run the following command to enable True SSO for a particular SAML Authenticator. Enter either ENALBED or ALWAYS.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-name --truessoMode {ENABLED|ALWAYS}

For more info, see Command-line Reference for Configuring True SSO at Omnissa Docs.

If you prefer to load balance your Enrollment Servers instead of active/passive, do the following:

  1. On a Connection Server, run adsiedit.msc.
  2. Change the Connection Point to dc=vdi,dc=vmware,dc=int.
  3. Change the Computer to localhost and then click OK.
  4. On the left, expand Properties, and then click Global.
  5. On the right, double-click Common.
  6. Find pae-NameValuePair in the list and Edit it.
  7. Enter cs-view-certsso-enable-es-loadbalance=true and then click Add.
  8. Click OK a couple times to close everything.

You can view the status of True SSO in Horizon Console.

  1. In Horizon Console, go to Monitor > Dashboard and on the right, in the System Health section, click VIEW.
  2. With Components selected on the left, on the right is a tab named TrueSSO.

Omnissa Horizon 2406: Cloud Pod Architecture

Last Modified: Jul 29, 2024 @ 9:03 am

Navigation

This article applies to all Horizon versions 2006 (8.0) and newer.

Change Log

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • For applications, only one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. Each site can contain multiple pods.
  • Global Load Balancing – Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture

  • RBAC – Horizon Console includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Cloud Pod Architecture Topology Limits Horizon 8 at Omnissa Docs:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 12,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod. In fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.
  • Note: Horizon Cloud Universal Broker doesn’t have this problem.

For more information on multi-datacenter design for Horizon, see Workspace ONE and Horizon Reference Architecture, which includes the following:

  • Omnissa Access
  • App Volumes
  • Horizon Cloud Pod Architecture
  • Dynamic Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g., vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

  1. In Horizon Console, expand Settings and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. On the right, feel free to rename the federation by clicking the Edit button. This is the Federation, not the Pod.

    • Enter a new name.
  6. On the left, expand Settings, and click Sites.
  7. On the right, in the top half, highlight the first site, and then click the Edit button to rename the Default First Site to be more descriptive. Sites can contain multiple pods. Site is typically a geo location or data center.

    • Enter a Site name.
    • Site URL is a feature in 2406 and newer. It lets you specify a datacenter-specific FQDN that Blast is redirected to when Cloud Pod Architecture chooses a Horizon Agent machine in that site. This avoids sending the Blast connection across the datacenter interconnect. UAG 2406 and newer supports the feature.
  8. Click the Site to highlight it to reveal the Pods on the bottom half of the window.
  9. Highlight the pod on the bottom and click Edit to make the name more descriptive.

    • Enter a Pod name.
  10. See Omnissa 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to Horizon Console in the second pod.
  2. On the left, expand Settings, and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. On the left, expand Settings, and click Sites.
  8. If this pod is in a different site, then in the top half of the window click Add to create a new site.
  9. Give the site a name and click OK.

    • Site URL is a feature in 2406 and newer. It lets you specify a datacenter-specific FQDN that Blast is redirected to when Cloud Pod Architecture chooses a Horizon Agent machine in that site. This avoids sending the Blast connection across the datacenter interconnect. UAG 2406 and newer supports the feature.
  10. Highlight the first site.
  11. On the bottom, highlight the new pod, and click Edit.
  12. Rename the pod and put it in the 2nd site. Click OK.
  13. The top of Horizon Console shows you which Pod you are administering. You might have to refresh the page to see the correct Pod name after it was renamed.

Global Entitlements

Global Entitlements contain one or more Local Pools from one or more pods. Connections to the Global Entitlement can be load balanced across the member pods and pools.

Do not create both Global Entitlements and Local Entitlements for the same pool otherwise users might see two icons. Create the local pool, but don’t entitle it (i.e. don’t assign users). Instead, create a Global Entitlement and add the local pool to it.

  1. Before creating a Global Entitlement go to Inventory > Desktops or Inventory > Applications, click a pool name, scroll down to the Pool Settings section and record the settings. Your Global Entitlement must have the same settings.
  2. In Horizon Console, on the left, expand Inventory, and click Global Entitlements.
  3. On the right, click Add.
  4. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.
  5. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one Global Entitlement per application so include the application name.
    • Horizon 2006 and newer can specify a Display Name that is different than the name of the entitlement.
    • Horizon 2103 and newer can set a Federation Access Group to restrict administrator access to this Global Entitlement. You can create Federation Access Groups in the Horizon Console at Settings > Administrators, and on the right is a tab named Federation Access Groups. You can edit the Global Entitlement later to specify a Federation Access Group.
  6. Scroll down.
  7. Scroll down for more settings:
    1. You can configure tag restrictions (Connection Server restrictions) from this wizard.
    2. You can select a Category Folder where the published icon will be placed on the client’s Start Menu or Desktop. This feature requires Horizon Client 4.6 and newer.
    3. Configure Category Folder. You can type in a new folder or select an existing one. Specify whether the shortcut should appear on the Start Menu, Desktop, or both.
  8. Scroll down to the Policies section and configure the following. Note: these settings must match the Local Pool or you won’t be able to add the Local Pool to the Global Entitlement. Some of these settings can’t be changed without deleting the Global Entitlement and recreating it.
    1. For Desktop Entitlements, the User Assignment field (Floating or Dedicated) must match the Local Pools.
    2. Scope determines from which which site/pod the Local Pool is selected. Users connect to a specific Connection Server. Scope specifies if the Local Pool can be selected from any any pod in any site, from any pod in the same site as the Connection Server that the user connected to, or from the same pod as the Connection Server that the user connected to. For Dedicated Assignment pools, the user always connects to the assigned desktop no matter which Connection Server the user initially connected to.
    3. The Use home site checkbox tells the global entitlement to respect user home sites. When you assign a user to a home site, when the user launches the global entitlement, it tries to find a Local Pod in the same site as the user’s home site. This helps keep the user’s session close to the user’s data (e.g. home directory, roaming profile).
    4. Change the Default display protocol to VMware Blast. These settings must match the Local Pools.
    5. Horizon 2306 (8.10) and newer have a Session Distribution Policy to distribute sessions across the local resources in the Global Entitlement. Horizon 2309 (8.11) supports either Session Count or Load Index.
    6. For Desktop entitlements, you can allow users to Restart their machines or use Session Collaboration, or initiate separate sessions from different client devices. These settings must match the Local Pools.
    7. For Application entitlements, there’s a Pre-launch checkbox. If you need the Pre-launch feature, then enable the Pre-launch checkbox on at least one application, and entitle the application to the users that need the Pre-launch feature. These settings must match the Local Pools.
    8. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that computer AD group. The published icon can then only be accessed from the client computers in the AD group.

      Notes:

    9. For Application Entitlements, there’s a selection for Multi-Session Mode. Pre-launch must be disabled to enable this setting.
    10. Make other selections.
  9. Click Next when done.
  10. In the Users and Groups page, add users that can see the icon associated with the Global Entitlement. Click Next.
  11. In the Ready to Complete page, click Finish.
  12. Global Entitlements won’t work until you add some Local Pools to it. Make sure your Horizon Console is connected to the Pod that has the Local Pool.
  13. On the left, expand Inventory and click Global Entitlements.
  14. On the right, click the link for the name of the Global Entitlement. Global Entitlements are synced to every pod.
  15. Switch to the Local Pools tab and click Add.
  16. Select the local pools you want to add and click Add. Remember, only add one app per Global Entitlement. Also, you can only add pools from the local pod. To add pools from a different pod, you must point your Horizon Console browser to the other pod and edit the Global Entitlement from there.
  17. If the GUI won’t let you add the local pool then try it from the command line to see the actual problem. lmvutil parameter names are case sensitive. Some settings can only be changed by deleting the Global Entitlement and recreating it.
  18. Point your Horizon Console to another pod and view the Global Entitlements.
  19. On the right, click the hyperlink for the name of the Global Entitlement and follow the same procedure to add Local Pools. Horizon will automatically load balance user connections across all local pools based on the Scope policy (All Sites, Within Site, or Within Pod) in the Global Entitlement and Home Sites.
  20. A backup global entitlement delivers remote desktops or published applications when the primary global entitlement fails to start a session because of problems such as insufficient pool capacity or unavailable pods.
    1. Create a new Global Entitlement containing the backup pools.
      • The new Global Entitlement for backup should have the same settings as the production Global Entitlement.
      • You don’t have to assign anybody to the new Global Entitlement that will be the backup.
    2. Add Local Pools to the new Global Entitlement that will be the backup for when prod is down.
    3. Edit the production Global Entitlement.
    4. Scroll down to Backup Global Entitlement and click Browse.
    5. Change the selection to Backup Global Entitlement, select the Global Entitlement that will backup this one. Click Submit.
  21. Horizon Console, at Inventory > Desktops can show if a Local Pool is a member of a Global Entitlement. Scroll to the right to see the Global Entitlement column. This column doesn’t seem to be visible for Applications.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added, which allows you to search for sessions across federated pods. Brokering Pod is the pod containing the Connection Sever that the user initially connected to to get the list of icons as opposed to the pod that contains the Local Pool that the session is actually launched from.
  2. The Monitor > Dashboard in Horizon Console shows the health of remote pods.

Home Sites

The Home Sites feature causes Global Entitlements to prefer local pools in the user’s Home Site before looking for pools in remote sites.

  1. Configure your Cloud Pod Architecture with multiple Sites and at least one Pod per Site.
  2. In Horizon Console, on the left, click Users and Groups.
  3. On the right, switch to the Home Site Assignment tab and click Add.
  4. Find a user or group for this home site, and click Next.
  5. Select the site to assign the users to and click Finish. This list of sites comes from your Cloud Pod Sites configuration.
  6. Home Sites can be assigned to both users and groups. User assignments override group assignments.
  7. Edit your Global Entitlement and ensure that Use Home Site is checked. You can optionally require that each user has a Home Site.
  8. Each Global Entitlement can have its own Home Site configuration that overrides the global Home Site configuration.
    • In Horizon Console, click the hyperlink for the Global Entitlement’s name, switch to the tab named Home Site Override, and then click Add.

  9. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement.
    • In Horizon Console, in the Users and Groups node, switch to the Home Site Resolution tab. Find a user, and it will show you the Home Site Resolution for a specific Global Entitlement.

Related Pages

Omnissa Horizon 2406: RDS Farms/Pools

Last Modified: Jul 30, 2024 @ 4:28 am

Navigation

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2023 Oct 28 – Published AppsSingle Application Launch Limit in Horizon 2309
  • 2021 Jan 10 – Disable Published Application in Horizon 2012 (8.1) and newer.
  • 2021 Jan 9 – updated screenshots for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (8.0)

Overview

This post details Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before following this procedure, build a master RDS Session Host.

Before you can publish applications or RDS desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts, then these are different RDS Farms.

Once the RDS Farms are created, you publish icons from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

Omnissa Tech Paper Best Practices For Published Applications And Desktops in Horizon:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones

For a description of Instant Clones, see Instant Clones for RDSH in VMware Horizon 7.1 YouTube video.

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
    • Horizon 2306 (8.10) and newer now default to no longer creating parent virtual machines.
  5. The linked clones can finally be created by forking the parent VM to new linked clone VMs. Notes:
    1. Once the Parent VMs are created, creating/recreating linked clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1 YouTube video.

Create an Automatic RDS Farm

Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.

Master Image Preparation

  1. Make sure your RDS gold Agent has the VMware Horizon Instant Clone Agent feature installed.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the linked clones to have.
  6. Take a snapshot of the master image.
  7. In Horizon Console, on the left, expand Inventory, and click Farms.
  8. On the right, click Add.
  9. In the Type page, select Automated Farm, and click Next.
  10. In the vCenter Server page, select Instant Clone, select the vCenter Server, and then click Next. Notice that Composer is no longer an option.
  11. In the Storage Optimization page, click Next.
  12. In the Identification and Settings page:
    1. Enter a name for the Farm. A VM folder with the same name will be created in vCenter.
    2. Note: There’s no place to set the Display Name here. You do that later when creating a Desktop Pool.
    3. Scroll down to the Farm Settings section.
    4. Horizon supports Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    5. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    6. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Global Settings.
    7. There’s a Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
    8. Max sessions per RDS Host will block connections if this number is exceeded. You can leave it set to Unlimited.
  13. Click Next.
  14. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  15. In the Provisioning Settings page:
    1. Enter a Naming Pattern. Make sure the name includes {n:fixed=3} or something like that. Computer names must be 15 characters or less.
    2. In Farm Sizing, enter the number of machines to create.
  16. Click Next.
  17. In the vCenter Settings page, click Browse next to each option and make a selection. These are self-explanatory. Make sure VM Folder Location doesn’t have any spaces in it. Scroll down to see all options. Then click Next.
  18. In the Guest Customization page:
    1. Select an OU to place the new virtual machines. This should be an OU that is configured with group polices for the RDSH machines.
    2. Consider the Allow reuse of pre-existing computer accounts check box.
  19. Click Next.
  20. In the Ready to Complete page, click Submit.

To view the status of RDS Farm creation:

  1. Click the farm name.
  2. The bottom of the Summary tab shows you the State of the Publishing progress.

  3. You can watch the progress in vSphere Client. It goes through a couple longer tasks, including cloning the snapshot, and creating a digest file.
  4. Eventually the tab named RDS Hosts will show the new virtual machines.
  5. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm

To add RDS hosts to an existing RDS Automatic Farm.

  1. On the left, expand Inventory, and click Farms.
  2. Click the link for an automated farm.
  3. On the right, click Edit.
  4. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  5. It should not take long to add the new VM.
  6. The RDS Hosts tab of the RDS farm shows the new RDS host(s).

Update an Automatic Farm

Master Image Preparation

  1. Power on the master session host.
  2. Login and make changes.
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine, and take snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.
  8. In Horizon Console, go to Inventory > Farms.
  9. Click the farm name’s link.
  10. On the Summary tab, click Maintain, and then click Schedule.
  11. One option is to schedule Recurring reboots, which revert the RDS Hosts to a clean state.
  12. To push out an updated Master Image, change the Schedule to Immediate.
  13. Select Start Now, or select Start at a future date/time. Click Next.
  14. In the Image page, uncheck the box next to Use current golden image, select the new snapshot, and click Next.
  15. In the Scheduling page, decide if the reboot should wait for users to logoff or force them off and then click Next.
  16. In the Ready to Complete page, click Finish.
  17. The RDS Farm’s Summary tab (scroll down) shows you that it’s publishing the new image.

  18. After the image is published, on the RDS Hosts tab, you can check on the status of the maintenance task.

Instant Clones Maintenance

To perform Instant Clone Maintenance:

  1. If you click an Instant Clones RDS Farm name…
  2. And switch to the RDS Hosts tab, you can select a machine, and then click Recover, this causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  3. On the Summary tab of the RDS Farm, you can click Maintain > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  4. Specify how often you want the reboot to occur, and then click Next.
  5. In the Image page, you don’t have to change the snapshot. Click Next.
  6. Decide what to do about logged on users, and click Next.
  7. In the Ready to Complete page, click Finish.
  8. If you click the Maintain menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  9. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  10. ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

If you are building your RDSH Machines manually (e.g. cloned manually in vCenter; no Instant Clones), then add the manually created machines to a Manual Farm.

  • All RDS machines added to a single Manual Farm should be identical because Horizon will load balance across the servers in the farm.

To create a manual RDS Farm:

  1. Make sure the Instant Clone Agent is not installed on your manual RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.

    • Verify registration at Settings > Registered Machines.
  2. On the left, expand Inventory, and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Manual Farm, and click Next.
  5. In the Identification and Settings page, enter a name for the Farm. Scroll down.
  6. Scroll down to the Farm Settings section.
    1. There is a pre-launch option. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    2. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    3. For Log off disconnect sessions, specify a disconnect timer. This is in addition to the idle timer configured in Configuration > Global Settings.
    4. There is an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  7. Click Next.
  8. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  9. In the Select RDS Hosts, select one or more identical Remote Desktop Session Hosts that are registered with Horizon Console. Click Next.
  10. In the Ready to Complete page, click Submit.
  11. If you click the farm name…
  12. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Publish Desktop

To publish a desktop from a load balanced RDS Farm (Automatic Farm or Manual Farm):

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool ID page, enter an ID and name. They can be different. The ID cannot contain spaces. Click Next.
  5. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu.
    2. You can type in a new category folder name or select an existing one. Also select Shortcut Locations.
    3. There is a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group.
    4. Notes on Client Restrictions:
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next. The farm can be either Instant Clone or Manual.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Submit.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Inventory > Farms, click your farm name, there will be a RDS Pools tab, where you can see which Desktop Pool is associated with this farm. An RDS Farm can only belong to one Desktop Pool.

Publish Applications

To publish apps from an RDS Farm (automatic farm or manual farm):

  1. In Horizon Console, on the left, expand Inventory, and click Applications.
  2. On the right, click Add, and then click Add from Installed Applications.
  3. In the Select Applications page, select a RDS Farm.
  4. The purpose of this wizard is to publish applications from an RDS Farm and then assign them to users (aka entitlement). The entitlements (aka user assignments) will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually.
  5. Select one or more applications. Notice that File Explorer is not one of the options. You can manually add that application later. Scroll down.
  6. There are additional options at the bottom of the Select Applications page. Notice the Entitle users box is checked by default.

    1. There’s a Pre-launch option for published applications. You can optionally enable it on at least one application, and then entitle the pre-launch application to the users that need the Pre-launch feature.
    2. Horizon 2309 and newer let you restrict applications to a Single Application Launch Limit.
    3. You can assign tags for Connection Server restrictions, which lets you control visibility of icons for internal users vs external users.
    4. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.
    5. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes on Client Restriction:
  7. Click Next when done.
  8. The Edit Applications page lets you rename (Display name) the published icons. Click Submit when done.
  9. Click Add to select a group that can see all of the applications that you selected. This is the normal entitlement process.

    1. There is an option for Unauthenticated users, which is detailed at Entitle Unauthenticated Access Users to Published Applications at Omnissa Docs.
    2. Before you can configure Uauthenticated Access on published applications, you must add a Domain Account that will be used for anonymous access at Users and Groups > Unauthenticated Access.
    3. Then go to Settings > Servers and Edit a Connection Server.
    4. On the Authentication tab…
    5. …enable Unauthenticated Access, and select the Default unauthenticated access user account.
    6. Back in your entitlement, you select Unauthenticated Users, and entitle it to the Domain User that is your anonymous account.
  10. You can run the Add Application Pool wizard again to publish more applications with different entitlements (aka user assignments).
  11. If you click the name one of the application pools…
  12. …on the Entitlements tab, you can change the entitlements

Manual Application Publishing

Instead of publishing an existing application from the Start Menu, you can add an application manually:

  1. Go to Inventory > Applications, click Add, and select Add Manually.
  2. File Explorer is an application that has to be added manually. Select an RDS Farm and then enter the path to the application.

  3. When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast.
  4. There are more settings at the bottom of the page.

Icon for Published Application

  1. You can select an Application Pool, then open the Application Icon menu and click Associate Application Icon.

Published App Monitoring

If you click a Farm name, you can view Sessions connected to that Farm and the published application each user is running. Monitor > Sessions does not show published application information, but RDS Farm > Sessions does.

  1. In Horizon Console, on the left, expand Inventory and click Farms.
  2. On the the right, click the link for one of the farms.
  3. Switch to the tab named Sessions.
  4. As you scroll down the table you’ll see sessions with Type = Application.
  5. If you scroll to the right, you’ll see the Application Name in the far-right column.

Show application pools associated with RDS Farm

  1. If you go to Inventory > Farms, click your farm name…
  2. …and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. You can click the link for a pool to be taken to the pool’s property pages.

Disable Application

Horizon 2012 (8.1) and newer let you disable an application pool. Go to Inventory > Applications, select one or more applications, click the More menu, and click Disable Application Pool.

When the application is disabled, the application icon is removed from Horizon Client at next refresh. If the user tries to launch the icon before it has been removed, then the message is “This application is currently not available”.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session, then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop, then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool in Horizon Console at Omnissa Docs.

Do the following to configure Anti-Affinity in Horizon Console:

  1. On the left, go to Inventory > Applications.
  2. On the right, edit an existing application pool.
  3. Scroll down. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of process name matches that can run on a single RDS Host.

Related Pages

Omnissa Horizon 2406: Master RDS Host

Last Modified: Jul 28, 2024 @ 4:20 am

Navigation

Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

Change Log

Hardware

  • The session host pools will use the same hardware specs (e.g., vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Set the vCPUs to 8. Two is the minimum.
  • Typical memory for an 8-vCPU session host is 24 – 48 GB (e.g., 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure ISO file is not configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Adapter. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Configuration Params.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

See Omnissa Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

The latest versions of VMware Tools resolve security vulnerabilities.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. Click Advanced Options.
  3. Check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Local Administrators Group

Add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.

Installs

Install/Upgrade Horizon Agent

To install Horizon Agent on Remote Desktop Session Host (RDSH), do the following:

  1. Latency – In Horizon 2106 (8.3) and newer, maximum latency between Horizon Agent machine and Connection Server is 120ms. Older versions of Horizon have lower maximum latencies.
  2. Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 are supported.
    • Windows Server 2022 is supported in Horizon 2111 (8.4) and newer.
  3. VMware Tools – install VMware Tools before you install Horizon Agent.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See Omnissa Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
  4. Horizon 2312.1 (8.12.1) is the latest version.
  5. Horizon 2312.1 (8.12.1) is an Extended Service Branch, which is supported for three years from its January 2024 release date.
  6. Horizon 2212 (8.8) is an Extended Service Branch, which is supported for three years from its January 2023 release date.
  7. Download Horizon Agent 2406 (8.13), or Horizon Agent 2312 (8.12.1) ESB.

  8. Run the downloaded VMware-Horizon-Agent-x86_64-2406-8.13.0.exe.
  9. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1.
  10. If you want the UNC Path Redirection feature in 8.7 and newer, then you must run the Agent installer with the following switches: /v ENABLE_UNC_REDIRECTION=1. You can combine the two switches.
  11. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  12. In Desktop OS Configuration page, select RDS Mode and click Next.

    1. Click OK to install the role.
    2. Restart the machine.
    3. After restart, login, and re-run the Agent installer.
  13. In the Network protocol configuration page, select IPv4, and click Next.
  14. In the Custom Setup page, several features are disabled by default. Horizon Smart Policies in Dynamic Environment Manager (DEM) can control some of these features but only if the features are installed.
    1. USB Redirection is an option.
    2. If this RDS Host will be a master image for an Instant Clone farm, then install the VMware Horizon Instant Clone Agent. For manual farms, don’t select this feature.
    3. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    4. Serial Port Redirection is an option.
    5. There’s an option for Horizon Performance Tracker, which adds a program to the Agent machine that can show the user performance of the remote session. You can publish the Tracker.

    6. In Horizon 2206 and newer, Storage Drive Redirection provides faster performance than Client Drive Redirection.
  15. Click Next when done making selections.
  16. Click OK to acknowledge the USB redirection message.
  17. If you see the Register with Horizon Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected the Instant Clone Agent feature. Registration is necessary for Manual RDS Farms (no Instant Clones).
  18. In the Ready to Install the Program page, Horizon Agent 2306 and newer have an option to Automatically restart system on successful completion. Click Install.
  19. In the Installer Completed page, click Finish.
  20. Click Yes to restart the server.
  21. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  22. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  23. There’s also an IE add-on.
  24. URL Content Redirection is configured using group policy.
  25. To verify installation of the UNC Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UncRedirection.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 (8.0) and newer are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, they you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2406-10.13-GA\VMware Dynamic Environment Manager Enterprise 2406 10.13 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  2. DEM 2406 (10.13) is the latest release.
    1. Horizon 2312 (8.12) ESB release comes with DEM 2312 (10.12).
    2. Horizon 2212 (8.8) ESB release comes with DEM 2212 (10.8).
  3. Based on your entitlement, download either DEM 2406 (10.13) Enterprise Edition, or DEM 2406 (10.13) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  4. Run the extracted VMware Dynamic Environment Manager Enterprise 2406 10.13 x64.msi.
  5. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.
  6. In the Destination Folder page, click Next.
  7. In Choose Setup Type page, click Custom.
  8. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  9. In DEM 2111 and older, in the Choose License File page, if installing on a Horizon Agent, then no license file is needed. DEM 2203 and newer no longer ask for licenses since DEM Console installs the license in the DEM Configuration Share. Click Next.
  10. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  12. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

See Omnissa 93158 Information about changes in logon timing data format in Horizon form Horizon 8 2111 and Later.

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Remote Desktop Users

In Computer Management (compmgmt.msc), at Local Users and Groups > Groups, edit Remote Desktop Users and add a group like Domain Users. Users can’t login to RDSH unless they are members of this local group. Instead of configuring this group manually on each parent image, you can also use Group Policy to configure it.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 and newer is using group policy (local group policy or domain group policy).

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Remote Desktop Services, and click RD Licensing Diagnoser. If you don’t see this option, then install it as a Windows Feature under RSAT.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

Antivirus

Omnissa Tech Zone Antivirus Considerations in a Horizon Environment contains exclusions for Horizon, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

For Instant Clones, Defender ATP on-boarding script should run as ClonePrep post-sync script. See Tristan Tyson On-boarding VMware Horizon View Instant-Clone VDI Pools into Microsoft Defender Advanced Threat Protection.

Install Applications

Install applications that will be executed on these machines.

Omnissa Tech Zone Best Practices for Delivering Microsoft Office 365 In Horizon describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to DEM Personalization.
  • App Masking is an alternative to Omnissa App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically do FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of DEM Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

Omnissa App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshooted.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Eligibility Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix#download-fslogix and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

Windows OS Optimization Tool

  1. See Windows Operating System Optimization Tool Guide at Omnissa Tech Zone for details on this tool.
  2. Download the Windows OS Optimization Tool.
  3. Run VMwareOSOptimizationTool-x86_64.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. Near the top of the window click the Common Options button and make your selections on each of the pages. Click OK when done.

  7. The top right box named Analysis Summary shows the number of optimizations not yet applied.
  8. Review the optimizations and make changes as desired. Then on the bottom right, click Optimize.
  9. The History tab lets you rollback the optimizations.
  10. The Finalize tab contains tasks that should be run every time you seal your parent image.
  11. The Update tab lets you re-enable Windows Update so you can update the parent image.

Seal and Snapshot

  1. Make sure the parent session host is configured for DHCP.
  2. Session hosts commonly have DHCP reservations.

  3. The VMware OS Optimization Tool has a Finalize tab that contains tasks that should be run every time you seal your parent image.
  4. Go to the properties of the C: drive, and on the Tools tab, click Optimize to defrag the drive.
  5. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  6. Run antivirus sealing tasks. For example:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool
    2. Symantec: run the ClientSideClonePrepTool
  7. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  8. Shutdown the parent session host.
  9. Edit the Settings of the parent virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  10. If Instant Clones, take a snapshot of the master session host.

  11. Use can now use Horizon Console to create RDS Farms.

Full Clone Post-Cloning Tasks

If you use vCenter to clone the machine instead of using Horizon Instant Clones, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – for manual farms, uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary based for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. Horizon Console – In Horizon Console, add the new machine to a Remote Desktop Services farm.

Related Pages

Omnissa Horizon 2406: Virtual Desktop Pools

Last Modified: Jul 30, 2024 @ 5:18 am

This article details Horizon pool configuration for Virtual Desktops. RDS Farms and pools are detailed in a separate article at https://www.carlstalhood.com/vmware-horizon-8-rds-farms-pools/.

Navigation

This post applies to all Horizon versions 2006 (8.0) and newer.

Change Log

Non-Persistent – Instant Clones

All editions of Horizon 2006 and newer include Instant Clones so there is no need to use Composer. Composer is deprecated in Horizon 2006. Composer was removed from Horizon 2012 (8.1) and newer.

Notes on Instant Clones:

  • The master VM snapshot is copied to every LUN containing instant clones. Composer does the same.
  • If you deploy 12+ VMs per host of the same pool, then “Parent” machines are created on each ESXi host for each datastore. These “parent” machines are powered on and consume CPU/Memory/Disk resources. If you have six hosts and three datastores containing instant clones, then Horizon creates 18 parent virtual machines. Composer does not need parent virtual machines.
    • For lower density, Horizon 2006 and newer support Smart Provisioning, which eliminates the need for “Parent” machines. See the Smart Provisioning YouTube video for an overview.
    • Horizon 2306 (8.10) and newer now default to no longer creating parent virtual machines.
  • Horizon 2306 (8.10) and newer support Persistent Disks with dedicated Instant Clones. See Omnissa 93091 Guidelines for Persistent Disk Migration from Horizon 7 Environments to Horizon 8.
    • An alternative is Microsoft FSLogix, or App Volumes Writable Volumes
  • See Instant-Clone Desktop Pools at Omnissa Docs.

Infrastructure Prep

  • Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.
  • Each desktop pool points to one vSphere cluster.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
    • Instant Clones in Horizon 8.1 and newer support all port bindings, including ephemeral. Older versions of Horizon, including Horizon 7.x, require static port binding.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
  • KMS Licensing is required, preferably using Active Directory-based activationMAK licensing (Omnissa Docs) is not supported until Horizon 2212 and newer.
  • The virtual desktop pools will use the same hardware specs (e.g., vCPUs, memory size, network label, GPU) specified on the master virtual desktop. Adjust accordingly.
  • The master image should be in the same vSphere cluster where the instant clone virtual desktops will be created.
  • ESXi must be version 6 update 1 or newer
  • Master VM must be version hardware version 11 or newer
  • In Horizon Console, add Instant Clone Domain Accounts
  • In Horizon Console, enable View Storage Accelerator on your vCenter connection.
  • If you upgrade vCenter from version 6.5 or older to version 6.7 or later, then you must upgrade your ESXi hosts to version 6.7 or later at the same time. Afterwards, take a new snapshot of the master image and perform a push operation.
  • Windows 11 – Omnissa says don’t add vTPM to the gold image. Instead add the vTPM when creating the Instant Clone pool or Full Clone pool. There are various methods of installing Windows 11 without a vTPM. See Omnissa KB article 85960 Horizon and Horizon Cloud readiness for Microsoft Windows 11.
  • vTPM requires a Key Provider. vSphere 7 has a Native Key Provider that does not need any additional servers or licenses.
    1. In vSphere Client, in Inventory, click the vCenter object. On the right, on the Configure tab, scroll down to Key Providers and add a Native Key Provider.
    2. After it’s added, select it and then click Back-up to activate it.

Disk space

  • One or more LUNs (datastores) for storage of the virtual desktops.
  • By default, Replicas are copied to each LUN that contains virtual desktops.
    • It’s possible to place the Replica and the instant clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops.
    • Note: NFS VAAI requires the Replica to be copied to each virtual desktop LUN.
  • .vswp files – Plan for disk space for memory swap and graphics memory overhead. If the master virtual desktop has 4 GB of RAM configured and if none of its memory is reserved then each linked clone will have a 4 GB .vswp file.
    • To reduce the size of the .vswp files, edit each virtual desktop and reserve its memory. Whatever memory is reserved will be subtracted from the .vswp file size.
  • Instant Clone Delta disks – Delta disks start small whenever the virtual desktop boots and grow until the user logs off of the virtual desktop and it reboots.

Non-Persistent, Floating, Automatic, Instant Clone Desktop Pool

Master Image Preparation

Do the following on the master image that the virtual desktops will link to:

  1. Video Memory – shut down the master, Edit Settings (hardware) in vSphere client, expand Video card, and set video memory. More video memory means more client monitors. The maximum number of displays and maximum resolution of client monitors depends on the ESXi version, the Horizon version, and the Windows version with newest versions providing the greatest number of client monitors.
  2. DHCP – Make sure the master VM is configured for DHCP.
  3. Join domain – Join the master VM to the domain.
  4. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  5. KMS Licensing or Active Directory-Based Activation (recommended) is required.
  6. Snapshot – Shut down the master image and take a new snapshot.

Floating Pool

Use Horizon Console to create an Instant Clone pool:

  1. Login to Horizon Console.
  2. On the left, under Inventory, click Desktops.
  3. On the right, if you select an existing pool, you can click Duplicate to copy the settings to a new pool.
  4. On the right, click Add.
  5. In the Type page, select Automated desktop pool.
  6. In the vCenter Server page, select Instant Clone, select a vCenter server, and click Next. Notice that Composer is no longer an option.
  7. In the User Assignment page, select Floating, and click Next.
  8. In the Storage Optimization page, if you want to use storage tiering, check the box for Select separate datastores for replica and OS disk. Click Next.
  9. In the Desktop Pool Identification page, do the following:
    1. Give the pool a unique ID, which is not shown to the users. Horizon creates a vCenter VM folder with the same name as the Pool ID.
    2. Enter a Display name, which is shown to the users.
    3.  If you intend to use Omnissa Access, then leave Access group set to /. Otherwise, if you intend to delegate administration of this pool, then select an Access group that the delegated administrators have been assigned to.
  10. Click Next.
  11. In the Provisioning Settings page, do the following:
    • In Virtual Machine Naming, enter a Naming Pattern. You can use {n:fixed=3} to specify the location for incremented numerals in the machine names. Make sure the naming pattern does not conflict with any existing machines. Remember, the maximum computer name length is 15 characters.
      • Horizon 2103 (8.2) and newer let you Specify Names Manually instead of using a naming pattern.
    • In Desktop Pool Sizing, enter the maximum number of desktops to create. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. If your desktop pool size exceeds a single VLAN, then you can create multiple pools and combine them into a Cloud Pod Global Entitlement.
    • Select Provision all machines up-front to create all of the machines now.
    • Or select Provision machines on demand, which tells Horizon to create the machines (up to the maximum) as users connect.
    • If you’re not creating all machines up-front, then specify the Number of spare (powered on) machines. As users connect, Horizon creates more machines to try to keep this number of spare machines running and waiting for a new connection.
  12. If Windows 11, consider checking the box to Add vTPM Device to VMs.
  13. Click Next.
  14. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option and make your selection.

    • If the Golden Image VM (aka Parent VM or Master VM) is not showing up in the list, then check the box next to Show all parent VMs and click the … next to the VM to see the issue.
    • Instant Clones monitors/resolution – the number of monitors configured on the Master Image (snapshot) is displayed. If not correct, delete the snapshot, edit the master VM’s Hardware Settings, expand video card, make your desired changes, and take another snapshot.
    • Scroll down for more settings.
    • VM Folder Location – Horizon will create a folder under the location (e.g., datacenter) you choose. Make sure the folder names don’t have any spaces in them.
    • Datastores – select one or more datastores on which the virtual desktops will be placed.
    • If you selected to put Replica on a different datastore, then you’ll have another Browse button for Replica disk datastores.
    • When selecting Networks, you can use the Network from the parent image, or uncheck the box and select a different network.
  15. In Horizon 2206 and newer, in the VM Compute Profile Settings section, you can change the CPU, RAM, and Cores per socket assigned to each new virtual desktop.
  16. Click Next when done.
  17. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.

      1. Change the selection to Select a category folder from the folder list.
      2. You can type in a new category, or select an existing one.
      3. Then click Submit.
    2. In the Desktop Pool Settings page, Horizon Enterprise Edition lets you select a Session Type, which means you can optionally publish applications from virtual desktops.
    3. Change the selection for Logoff after disconnect to After, and specify a disconnect timer.

      • You can also use Group Policy to configure this. The GPO overrides the pool setting. Install the Horizon GPO Templates if you haven’t already. Edit a GPO that applies to the Horizon Agents. Find the Disconnect Session Time Limit (VDI) setting at VMware View Agent Configuration > Agent Configuration.
      • Horizon also has an Idle Time Until Disconnect (VDI) for virtual desktops. Note: RDSH idle timer is configured using Microsoft RDSH GPO settings, not Horizon GPO settings.
    4. You can allow users to restart their machines.
    5. If you choose Dedicated assignment instead of Floating assignment, there’s an option for Refresh OS disk after logoff. Leaving it set to Always is strongly recommended. The other options cause the delta disk to grow, and will cause data loss surprise for the users when you later push a new image. Instant Clones floating assignment pools always refresh on logoff.
    6. Reclaim VM disk space is also an option for Dedicated assignment pools. Floating assignment pools always refresh on logoff so there’s no need to reclaim disk space.
  18. Click Next.
  19. In the Remote Display Settings page:
    1. In 3D Renderer, there’s an option for NVIDIA GRID VGPU if you have GPUs installed.
    2. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.  See Session Collaboration for details.
  20. Click Next.
  21. In the Guest Customization page,
    1. Next to AD container, click Browse, and select the OU where virtual desktop computer objects will be placed. You can type (paste) into the AD container field.
    2. Consider checking the box next to Allow reuse of pre-existing computer accounts.
  22. Click Next.
  23. In the Ready to Complete page, you may entitle users now, or leave it unchecked and do it later. Click Submit.

If you opted to add entitlements now:

  1. In the Add Entitlements window, click Add.
  2. Find a group that will have permission to log into these desktops, and click OK.
  3. Then click OK.

To check the status of the virtual desktops:

  1. Go to Inventory > Desktops.
  2. You might have to click the refresh icon on the top right to see the new pool.
  3. Click the link for the pool name.
  4. On the Summary page, if you scroll down, the vCenter Server section has a State field where you can see the status of the pool creation process.  It takes several minutes to publish the master image snapshot. After the snapshot is copied to the Replica, vSphere creates a digest file for View Storage Accelerator, which takes a few more minutes.
  5. Horizon Console has a Pending Image progress bar that doesn’t update automatically. To refresh it, scroll up and click the refresh icon.

  6. You can watch the progress in vSphere Client’s Recent Tasks list. In high-density pools, Instant Clones are forked from the cp-parent machine. In low-density pools, Instant Clones are cloned from the cp-replica.


  7. Eventually the pool’s tabs named Machines and Machines (InstantClone Details) will show the new machines.
  8. iccleanup.cmd can show you (list) the structure of the Instant Clones. For higher-density pools, there is a cp-parent at the bottom of the hierarchy. For Smart Provisioning of lower-density pools, there is no cp-parent.

If you wish to automate the creation of the pool, Aresh Sarkari at Automating Desktop Pool creation using PowerCLI – VMware Horizon 7.x explains New-HVPool -spec 'C:\temp\DesktopPool\LinkedClone.json' and the contents of the JSON file.

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. In Horizon Console, go to Inventory > Desktops.
  2. Click the link for a pool name.
  3. Switch to the Entitlements tab to see the existing entitlements.
  4. Click Add entitlements.
  5. In the Add Entitlements window, click Add.
  6. Find a group that will have permission to log into these desktops, and click OK.
  7. Then click OK.

Add Machine to Pool

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click the link for an existing Desktop Pool.
  3. At the top, click Edit.
  4. Switch to the Provisioning Settings tab, scroll down, and change the Max number of machines. Then click OK.
  5. With Instant Clones, this won’t take very long. In high-density pools, the new machine is forked from the cp-parent. In low-density pools, the new machine is cloned from the cp-replica.

  6. If you open the pool, the tabs named Machines and Machines (InstantClone Details) show the new machines.

Update a Pool

Master Image Preparation

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  5. Delete one or more of the snapshots.
  6. In Horizon Console, go to Inventory > Desktops.
  7. Click the link for a pool name.
  8. On the Summary tab, click Maintain, and then click Schedule.
  9. In the Image page, select the new snapshot. Notice the snapshot’s monitor/resolution settings. Click Next.
  10. In the Scheduling page, decide when to apply this new image. If you select Force users to log off, notice you can customize the logoff message in Global Settings. Click Next.
  11. In the Ready to Complete page, click Finish.
  12. The pool’s Summary tab, near the bottom, indicates that the image is being pushed.

  13. You can click the tab named Machines (InstantClone Details) to check on the status of the push task. Notice the Pending Image.
  14. The snapshot is copied to each datastore.
  15. The snapshot is attached to a Replica, powered on, then powered off. Digest is then computed.
  16. Then the Replica is attached to a parent, and the parent is powered on. This all takes a bit of time. But the existing Instant Clones remain accessible until the Replica preparation is complete.
  17. Once Replicas are prepared, each machine is rebooted once.
  18. Eventually the Pending Image field will be cleared and the desktops are available again.

Host Maintenance – Instant Clones

Horizon 2012 (8.1) and newer have an option to Disable ParentVMs so vSphere Update Manager can put the hosts into maintenance mode. This uses the parentless Smart Provisioning technology. Find the option at Settings > Servers, select a vCenter server, click the More menu, and select Disable ParentVMs.

ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Instant-Clone Maintenance Utilities at Omnissa Docs:

  • IcCleanup.cmd – use this utility to unprotect and delete some or all of the internal VMs created by instant clones. This is the easiest method of cleaning up Instant Clone internal machines.
  • IcUnprotect.cmd – use this utility to unprotect folders and VMs, delete VMs, and detect VMs whose master image or snapshot is deleted.
  • IcMaint.cmd – This command deletes the master images, which are the parent VMs in vCenter Server, from the ESXi host, so that the host can be put into maintenance mode. This utility generally isn’t needed. Also see Omnissa 2144808 Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones.

Persistent Full Clones – Automated

Horizon can clone your Template machine to a specified number of Full Clones. Once Full Clones are created, you’ll need a Software Deployment tool, like Microsoft SCCM, to manage the Full Clones.

Customization Specification

Horizon uses a Customization Specification to specialize each machine cloned from the template:

  1. In vSphere Client, open the Menu and click Policies and Profiles.
  2. Make sure you have a Customization Specification with the settings detailed in the next few steps. You can create a new Customization Specification.
  3. In the Computer name page, set it to Use the virtual machine name.
  4. In the Windows license page, you can optionally set it to Include server license information but change it to Per seat.
  5. In the Network page, make sure the networks are set to DHCP. Once the machines are created you can manually set them to Static or configure DHCP reservations.
  6. In the Workgroup or domain page, enter credentials to join the new Full Clones to the domain.

Gold Image Template

  1. On the gold image machine, in sysdm.cpl > Advanced > User Profiles > Settings, make sure there are no local profiles other than your administrator profile and the Default Profile. Delete all others. Sysprep frequently fails if there is more than one profile on the template.
  2. If you have SCCM Client installed on your Gold Image, then see Prepare the client computer for imaging.
  3. Shut down the Gold Image.
  4. Right-click the gold image, expand Template, and then click Convert to Template.
  5. Before creating a pool, test deploying a new machine from the template to make sure SysPrep is successful.
    1. Right-click the Template and click New VM from This Template.
    2. In the Select clone options page, check the boxes next to Customize the operating system and Power on virtual machine after creation.
    3. In the Customize guest OS page, select the Customization Specification you created earlier.
    4. If cloning fails, then see Broadcom 2001932 Locations of sysprep log files. Store apps (aka UWP apps) are a frequent cause of SysPrep failures. You can convert your Template back to a Virtual Machine, power it on, fix the problem, power it off, and then convert it to a Template again.

Automated Full Clone Pool

  1. In Horizon Console, in the left menu, expand Inventory and then click Desktops.
  2. On the right, click Add.
  3. In the Type page, select Automated Desktop Pool and click Next.
  4. In the vCenter Server page, select Full Virtual Machines. Select your vCenter Server and then click Next.
  5. In the User Assignment page, you usually want Dedicated assignment.
  6. Automatic Assignment is an optional feature that avoids you having to manually assign users to each full clone desktop. But manual assignments give you more control over capacity planning. Click Next.
  7. In the Storage Optimization page, click Next.
  8. In the Desktop Pool Identification page, give the pool an ID (no spaces) and a Display Name that is shown to users. Horizon creates a vCenter virtual machine folder with the same name as the ID. Click Next.
  9. In the Provisioning Settings page, specify a Naming Pattern. You can hover your mouse over the information icon to see the syntax. Then scroll down.
  10. After scrolling down, specify the number of machines to create. If you specify All Machines Up-Front, then Horizon will create the Maximum Machines. If you specify Spare (Powered On) Machines, then Horizon will try to preserve this specified number of unassigned machines. Click Next.
  11. In the vCenter Settings page, click Browse next to Template and select the template you created earlier.
  12. Click Browse next to the other fields and specify where you want the new machines to be created. Make sure VM Folder Location doesn’t have any spaces in it. Click Next.
  13. In the Desktop Pool Settings page, these settings are the same as Instant Clones, but Remote Machine Power Policy might be different. Scroll down.
  14. After scrolling down, notice the option for Show Assigned Machine Name instead of the pool name. Hover your mouse over the information icons. Click Next when done.
  15. In the Remote Display Settings page, specify video settings and then click Next. Horizon 2106 (8.3) and newer let you choose 5K and 8K monitors for Blast only.
  16. In the Advanced Storage Options page, note that View Storage Accelerator is just a read cache (no write caching). If your storage can handle the reads then enabling this feature probably isn’t necessary. Click Next.
  17. In the Guest Customization page, select the Customization Specification that you created earlier. Consider checking the box next to Allow Reuse of Existing Computer Accounts.
  18. Horizon 2212 (8.8) and newer let you specify the OU for the new machines. Otherwise, they are created in the Computers container unless you pre-create the computer accounts in your desired OU. Click Next.

  19. In the Ready to Complete page, you can optionally Entitle users After Adding Pool. Click Submit. Note: users must both be entitled to the pool and assigned to an individual machine.

Machine Administration

  1. Cloning progress – Use vSphere Client Recent Tasks to watch the progress of the cloning. It will take time for the cloning to complete plus time for SysPrep to complete.
  2. If you click the Pool name link and then switch to the Machines tab, you should eventually see the new machines.
  3. Assign User to Machine – You can select a machine, click the drop-down for More Commands, and then Assign User.
  4. Machine alias – By default, the pool’s Display name is displayed to each user. You can instead change it to the individual Machine Name, or to an administrator-specified machine alias.
    1. Go to the pool’s Summary tab and click Edit.
    2. Switch to the tab named Desktop Pool Settings.
    3. Scroll down and find the checkboxes for Show Assigned Machine Name and Show Machine Alias Name. If you select Alias Name, then an additional command appears on the Machines page.
    4. After editing the pool and enabling Show Machine Alias Name, On the Machines tab, select a machine, and then click the drop-down for Update Machine Aliases. The Alias is shown to the user instead of the pool’s Display Name or the actual machine name.
  5. Add Machines – To create more Full Clone machines from the same template:
    1. Click the name (link) of the pool.
    2. On the Summary tab, click Edit.
    3. On the Provisioning Settings tab, scroll down and enter a larger Maximum Machines.

  6. Update Template – If you plan to create more Full Clone machines in the next few months, then you should update your Template by converting it to a virtual machine, update the virtual machine, and then convert it back to a Template. Note that the updated Template only applies to new Full Clones and has no effect on existing Full Clones. To update existing Full Clones, use a Software Deployment tool like Microsoft SCCM.

Related Pages

Omnissa Horizon 2406: Master Virtual Desktop

Last Modified: Jul 28, 2024 @ 4:22 am

Navigation

Use this post to build a virtual desktop that will be used as the parent image (aka source image, aka master image, aka gold image) for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

Virtual Hardware

Omnissa Tech Zone Manually Creating Optimized Windows Images for Horizon VMs

  1. The virtual desktop pools will use the same hardware specs (e.g., vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. For New Hard disk, consider setting Thin provision.
  3. Make sure the virtual desktop is using a SCSI controller.
  4. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  5. When building the master virtual desktop, you will probably boot from an ISO.
  6. Before using Horizon Console to create a pool based off of this master image, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure that ISO file is not configured.
  7. There’s no need for the Floppy drive so remove it.
  8. If you have any Serial ports, remove them.

Windows

Omnissa TechZone Manually Creating Optimized Windows Images for Horizon VMs

Preparation

  • Windows 11 Versions – Windows 11 is supported with Horizon 2111 (8.4) and newer.
    • Windows 11 22H2 is supported with Horizon Agent 2209 (8.7) and DEM Agent 2209 (10.7) and newer.
    • Omnissa says don’t add vTPM to the gold image. Instead add the vTPM when creating the Instant Clone pool or Full Clone pool. There are various methods of installing Windows 11 without a vTPM. See Omnissa KB article 85960 VMware Horizon and Horizon Cloud readiness for Microsoft Windows 11.
    • vTPM requires a Key Provider. vSphere 7 and newer have a Native Key Provider that does not need any additional servers or licenses.
      1. In vSphere Client, in Inventory, click the vCenter object. On the right, on the Configure tab, scroll down to Key Providers and add a Native Key Provider.
      2. After it’s added, select it and then click Back-up to activate it.

  • Windows 10 Versions
  • VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon Agent.
  • For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon Agent is installed.

Power Options

  1. Run Power Options. Right-click the Start Menu to access Power Options.
  2. Click Additional power settings.
  3. Select Ultimate Performance, or click the arrow to show more plans, and select High performance.
  4. Next to the power plan, click Change plan settings.
  5. Change the selection for Turn off the display to Never and click Save changes.
  6. You can also configure these setting using group policy.

System Settings

  1. Domain Join. Use sysdm.cpl to join the machine to the domain. Also see Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require reboot are not applied on instant clones.
  2. In System control panel applet (sysdm.cpl), on the Remote tab, enable Remote Desktop.
  3. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with Instant Clones.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. Omnissa App Volumes, Microsoft MSI-X App Attach, Liquidware FlexApp) or App Streaming (e.g. ThinApp, Microsoft App-V). Note: logins are fastest if apps are installed in the master image. All app layering/streaming technologies introduce a logon delay. You can use Microsoft FSLogix App Masking to hide applications and Start Menu shortcuts that users should not see.

Antivirus

Omnissa Tech Zone Antivirus Considerations in a Horizon Environment contains exclusions for Horizon, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g., exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

For Instant Clones, Defender ATP on-boarding script should run as ClonePrep post-sync script. See Tristan Tyson On-boarding VMware Horizon View Instant-Clone VDI Pools into Microsoft Defender Advanced Threat Protection.

Horizon Agent

Horizon Agent Installation/Upgrade

Install Horizon Agent on the master virtual desktop. Upgrades are performed in-place.

  1. Latency – In Horizon 2111 (8.4) and newer, maximum latency between the Horizon Agent machine and Connection Server is 120ms. Older versions of Horizon have lower maximum latencies.
  2. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. The latest versions of VMware Tools resolve security vulnerabilities.
    2. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    3. See Omnissa Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
  3. Horizon 2406 (8.13) is the latest version.
  4. Horizon 2312.1 (8.12.1) is an Extended Service Branch, which is supported for three years from its January 2024 release date.
  5. Horizon 2212 (8.8) is an Extended Service Branch, which is supported for three years from its January 2023 release date. The Agent was not updated for version 8.8.1.
  6. Download Horizon Agent 2406 (8.13) ESB, or Horizon Agent 2312.1 (8.12) ESB.

  7. Run the downloaded VMware-Horizon-Agent-x86_64-2406-8.13.0.exe.
  8. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  9. If you want the UNC Path Redirection feature in 8.7 and newer, then you must run the Agent installer with the following switches: /v ENABLE_UNC_REDIRECTION=1. You can combine the two switches.
  10. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  11. In the Network protocol configuration page, select IPv4, and click Next.
  12. In the Custom Setup page, there are several features not enabled by default. Horizon Smart Policies in Dynamic Environment Manager (DEM) can control some of these features but only if the features are installed.
    1. If you want USB Redirection, then enable that feature.
    2. Horizon Agent 2006 (8.0) and newer does not include Persona.
    3. If you want Scanner Redirection, then enable that feature. Note: Scanner Redirection will impact host density.
    4. Horizon Performance Tracker adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    5. Horizon 2006 (8.0) and newer no longer include ThinPrint (aka Virtual Printing). VMware Integrated Printing is the replacement for ThinPrint and requires Horizon Client 4.10 or newer.
    6. In Horizon 2206 and newer, Storage Drive Redirection provides faster performance than Client Drive Redirection.
  13. Click Next when done making selections.
  14. If you see the Remote Desktop Protocol Configuration screen, then select Enable and click Next.
  15. In the Ready to Install the Program page, Horizon Agent 2306 and newer have an option to Automatically restart system on successful completion. Click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes when asked to restart.
  18. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  19. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  20. There’s also an IE add-on.
  21. URL Content Redirection is configured using group policy.
  22. To verify installation of the UNC Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UncRedirection.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 (8.0) and newer are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2406-10.13-GA\VMware Dynamic Environment Manager Enterprise 2406 10.13 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

  1. Windows 10 Compatibility – See VMware 57386 VMware Dynamic Environment Manager and Windows 10 Versions Support Matrix
  2. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  3. DEM 2406 (10.13) is the latest release.
    1. Horizon 2312 (8.12) ESB release comes with DEM 2312 (10.12).
    2. Horizon 2212 (8.8) ESB release comes with DEM 2212 (10.8).
  4. Based on your entitlement, download either DEM 2406 (10.13) Enterprise Edition, or DEM 2406 (10.13) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  5. Run the extracted VMware Dynamic Environment Manager Enterprise 2406 10.13 x64.msi.
  6. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.
  7. In the Destination Folder page, click Next.
  8. In Choose Setup Type page, click Custom.
  9. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  10. In DEM 2111 and older, in the Choose License File page, if installing on a Horizon Agent, then no license file is needed. DEM 2203 and newer no longer ask for licenses since DEM Console installs the DEM license in the DEM Configuration Share. Click Next.
  11. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  12. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  13. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value:
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1
  14. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

See Omnissa 93158 Information about changes in logon timing data format in Horizon form Horizon 8 2111 and Later.

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware Unity\enabled to 0.

For more information, see Configure Favorite Applications Displayed by Unity Touch at Omnissa Docs.

ClonePrep – Rearm

By default, when Horizon creates Instant Clones, one of the tasks that ClonePrep performs is to rearm licensing. You can prevent rearm by setting the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
    • SkipLicenseActivation  (DWORD) = 0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g., clipboard redirection, client printers, etc.) based on how the user connects, see Managing VMware Horizon View Secret Weapon with Puppet Enterprise. The article describes using Puppet to change PCoIP settings. You can also configure VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to DEM Personalization.
  • App Masking is an alternative to App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically do FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of FSLogix Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

Omnissa App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshooted.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Eligibility Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

Windows OS Optimization Tool

  1. See Windows OS Optimization Tool for Horizon Guide at Omnissa Tech Zone for details on this tool.
  2. Download the Windows OS Optimization Tool. Versions 1.2 and newer support Windows 11 22H2.
  3. Run VMwareOSOptimizationTool-x86_64.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. Near the top of the window click the Common Options button and make your selections on each of the pages. Click OK when done.

  7. The top right box named Analysis Summary shows the number of optimizations not yet applied.
  8. Review the optimizations and make changes as desired. Then on the bottom right, click Optimize.
  9. The History tab lets you rollback the optimizations.
  10. The Finalize tab contains tasks that should be run every time you seal your parent image.
  11. The Update tab lets you re-enable Windows Update so you can update the parent image.

Additional Optimizations

Additional Windows 10 Optimizations

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks. For example:
  4. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.

  5. Shutdown the master virtual desktop.
  6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  7. Take a snapshot of the master virtual desktop. Instant Clones requires a snapshot.

Related Pages

Omnissa Horizon 8 Console Configuration

Last Modified: Jul 27, 2024 @ 8:26 am

Navigation

This post applies to all Omnissa Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

  • 2023 July 8 – Global SettingsHorizon Agent Restrictions in Horizon 2306 (8.10) and newer
  • 2021 Sep 30 – Horizon Console – added step to disable CORS for Horizon 2106 and newer to fix HTML Access
  • 2021 Jan 8 – updated entire article for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka Horizon 8)

Preparation

Horizon Service Account

  1. Create an account in Active Directory that Omnissa Horizon will use to login to vCenter. This account can also be used by Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for Horizon

This role has all permissions needed for both full clones and instant clones. See Privileges Required for the vCenter Server User With Instant Clones at Omnissa Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, click the hamburger menu icon and then click Administration.
  2. In the Roles node, click NEW to add a Role.
  3. Give the new role a name.
  4. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  5. On the left, click Datastore. On the right, enable Allocate space, and Browse datastore.
  6. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  7. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable Manage custom attributes, and Set custom attribute.
  8. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  9. On the left, click Network. On the right, enable Assign network.
  10. For Virtual SAN, enable Profile-driven storage and everything under it.
  11. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered on virtual machine.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and select everything under Edit Inventory.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations,  Power off, Power on, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Create.

Assign role to service account:

  1. Create an account in Active Directory that Horizon will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.

Active Directory Delegation for Instant Clones

Horizon Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at Omnissa Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create select objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All PropertiesWrite All Properties, and Reset Password. Then Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If you are viewing Advanced Features in Active Directory Users & Computers, if you view the properties of the OU, on the Security tab, click Advanced, find your service account, you should see permissions similar to the following.

Events SQL Database

Horizon 2103 (8.2) and newer support PostgreSQL. See Prepare a PostgreSQL Database for Event Reporting at Omnissa Docs.

Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at Omnissa Docs.

A new empty SQL database is needed for storage of Horizon Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it OmnissaHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login and click Properties.
  7. On the User Mapping page, check the Map box next to the OmnissaHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon Administrator Console. Don’t use Internet Explorer.

The URL entered in the browser must either be https://127.0.0.1/admin, or the Secure Tunnel URL (Horizon Console > Settings > Servers > Connection Servers tab > Edit). By default, the Secure Tunnel URL is the FQDN of the Connection Server.

If you don’t use one of these URLs then you’ll see a Login Failed message.

If you want to use a different URL than the Secure Tunnel URL (e.g., short name instead of FQDN, or load balanced name instead of server name), then go to C:\Program Files\VMware\VMware View\Server\sslgateway\conf, edit or create locked.properties file, and enter the following:

allowUnexpectedHost=true
checkOrigin=false
enableCORS=false

More details at Omnissa 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon and 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. allowUnexpectedHost defaults to false in Horizon 2306 and Horizon 2212.1 and newer. Another option is to add portalHost entries as detailed at Allow HTML Access Through a Gateway at Omnissa Docs.

Licensing

Horizon Licenses are available either as product keys or as cloud subscription licenses. For cloud subscription licenses, Horizon 2406 and newer can activate the license without needing an Edge Gateway. For older versions of Horizon, download the Edge Gateway from the Horizon Cloud next-gen control plane and connect it to a Connection Server. See Deploying a Horizon Edge Gateway for Horizon 8 Environments at Omnissa Tech Zone.

In the Horizon Console:

  1. Open Horizon Console.
  2. Login using a Horizon administrator account.
  3. On the left, expand Settings and click Product Licensing and Usage.
  4. You’ll be asked to activate SaaS or Term/Perpetual license. Term and Perpetual are license keys.
  5. If SaaS subscription, then login to Horizon Cloud and complete the wizard.
  6. If Term or Perpetual, then enter your license key.
  7. If Term or Perpetual, then licensing information is displayed:
    • License expiration is shown.
    • Instant Clones are available in all editions.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Teams Optimization requires Horizon Advanced Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool is available in all editions.
    • App Volumes requires Horizon Enterprise Edition.
    • Smart Policies (Dynamic Environment Manager) requires Horizon Enterprise Edition.
    • Rest APIs require Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console, expand Settings, and click Administrators.
  2. On the right, near the top, click Add User or Group.
  3. In the Select administrators or groups page, click Add.
  4. Enter the name of a group that you want to grant Horizon Administrator permissions to, and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.
  6. Continue adding groups, or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators or Help Desk Administrators, which grants access to the Help Desk tool). Then click Next.
  8. Select an Access Group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Federation Access Groups are available in Horizon 2103 (8.2) and newer and let you restrict admin permissions to specific Global Entitlements (Cloud Pod Architecture).
    • In Horizon 2206 and newer, Help Desk role can be assigned to Access Groups.

Help Desk Website

Horizon has a web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console, simply enter a user name in the search box at the top of the page.

The Desktops and Applications tabs let you see what the user is entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. The Product Licensing page indicates if Help Desk is licensed or not.
  • Horizon has a built-in Help Desk Administrators role that enables members to use the Help Desk tool.

    • Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.
  • 15 minutes of History – There’s only 15 minutes of collected metric data.

See Using Horizon Help Desk Tool in Horizon Console at Omnissa Docs.

vCenter Connection

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clones
  • Update virtual machines using Instant Clones

See the Product Interoperability Matrix for supported vCenter versions.

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Client, go to the vCenter Server > Configure > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

To add the vCenter connection:

  1. In Horizon Console expand Settings, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
    4. Horizon 2106 (8.3) and newer have a Deployment Type drop-down. If on-premises, leave it set to General.
  4. Click Next.
  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.

  6. In Horizon 2012 and newer, View Composer is no longer an option.
    1. In Horizon 2006, in the View Composer page, select Do not use View Composer. There’s no need to use Composer since all editions of Horizon 2006 and newer include Instant Clones. Click Next.
  7. In the Storage page, do the following:
    1. Reclaim VM disk space requires IOPS during its operation. It’s only useful for the rare persistent Instant Clones use case and thus is generally unchecked.
    2. Check the box to Enable View Storage Accelerator and increase the host cache size up to 32768. Notes:
      • View Storage Accelerator is required for Instant Clones replica disks.
      • The cache size value is removed from RAM and that RAM is no longer accessible to virtual machines.
      • Higher host cache sizes should speed up Instant Clone Smart Provisioning (without parent image).
  8. Click Next.
  9. In the Ready to Complete page, click Submit.

Instant Clone Domain Accounts

If you plan to use Instant-Clone to create non-persistent virtual desktops, then add an administrator account that can join machines to the domain.

  1. In Horizon Console 2012 and newer, on the left expand Settings, and click Domains.

    1. In Horizon Console 2006, on the left, expand Settings and click Instant Clone Domain Accounts.
  2. On the right, the Connection Server tab shows the domains that the Connection Servers see.
  3. On the tab named Instant Clone Engine Domain Accounts, click Add.
  4. Select the domain.
  5. Enter credentials of a service account that can join machines to the domain. Click OK.

Restrict Remote Access

The Users and Groups node has a Remote Access tab. If you add groups or users to this tab, then only these groups and users can login through Unified Access Gateway (UAG).

Users not in the list can’t login through Unified Access Gateway (UAG).

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

  • If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
  • If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

To disable the tunnels:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server to highlight it, and click Edit.
  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the PCoIP Secure Gateway.
  5. For Blast Secure Gateway, change it to Use Blast Secure Gateway for only HTML Access connections to machine. Click OK.

Event Database and Syslog

To add the Events Database:

  1. In Horizon Console, on the left, expand Settings and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. In the Edit Event Database dialog box, do the following:
    1. Enter the name of the SQL server.
    2. Select Microsoft SQL Server as the Database type. Note: Horizon 2103 (8.2) and newer have an option for PostgreSQL.
    3. Enter the name of the database.
    4. Enter the SQL account credentials (no Windows authentication).
    5. Optionally, enter HE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple Horizon installations.
  4. Click OK.
  5. Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at Omnissa Docs.
  6. On the right, in the Event Settings section, you can click Edit to change the age of events shown in Horizon Console or Horizon Administrator.
  7. To add a Syslog server, look on the right side of the page.
  8. There are configuration options for logging to a file (Events to File System).
  9. You can go to Monitor > Events to view the events in the database.

Event Queries

Omnissa utility – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range,  event severity, event source, session type (Application or Desktop), Usernames and Event Types.  The application allows for extremely granular export of data.   The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select Count, Time from(select top 50 DOB.<prefix>_data_historical.IntValue as 'Count', DOB.<prefix>_historical.Time as 'Time' from DOB.<prefix>_historical.DOB.<prefix>_data_historical where DOB.<prefix>_historical.EventID = DOB.<prefix>_data_historical.EventID and DOB.<prefix>_data_historical.Name = 'UserCount' and DOB.<prefix>_historical.EventType='BROKER_DAILY_MAX_DESKTOP order by DOB.<prefix>_historical.Time DESC) A Order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. In Horizon Console, on the left, expand Settings and click Global Settings.
  2. On the right, under Global Settings, in the General Settings tab, click Edit.
  3. Set the Horizon Console session timeout. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to logon to Horizon Connection Server again.

    • Horizon 2206 and newer let you configure messages shown to users before the forcible timeout occurs.
  5. Under Client-dependent settings you can set an idle timeout. This is a disconnect, not logoff.

    • In a pool’s Desktop Pool Settings, you can configure Log Off After Disconnect.
  6. Other methods of configuring an idle timeout for desktop sessions:
  7. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of Horizon Console.
  8. The Send domain list option is unchecked by default, which means users must enter a domain name instead of picking one from a list. Check this box (and uncheck Hide domain list) to restore functionality from Horizon 7.7 and earlier. See VMware Blog Post Changes in Logon for VMware Horizon.
  9. Make other changes as desired. Click OK when done.
  10. Horizon 2306 (8.10) and newer let you restrict which versions of Horizon Agent that users can connect to. Find it at Settings > Global Settings > Horizon Agent Restrictions.

Log On as Current User is also disabled by default. To enable this client feature:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Highlight a Connection Server and click Edit.
  4. Switch to the Authentication tab.
  5. Scroll down. Check the box next to Accept logon as current user. Click OK.

Client Version Restrictions

Horizon can restrict connections to a minimum version of Horizon Client.

  1. In Horizon Console, on the left, expand Settings, and click Global Settings.
  2. On the right, switch to the tab named Client Restriction Settings.
  3. Click Edit.
  4. For each client type, enter a minimum version number. Additional options are available if you scroll down.
  5. Block Additional Clients blocks all clients other than the ones you selected. One use case is to block HTML Access.
  6. You can customize the message that users see if their client is too old. This feature requires Horizon Client 2006 (aka 8.0) or newer.
  7. Click OK when done.
  8. The client version is enforced when you try to launch an icon.

Global Policies

By default, Multimedia Redirection is disabled. You can enable it in Global Policies.

  1. In Horizon Console, go to Settings > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection (MMR) to Allow, and click OK. Notice that Multimedia redirection is not encrypted.

Backups

Connection Server LDAP Backup can be configured in Horizon Console.

  1. in Horizon Console, on the left, expand Settings and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  4. To change automatic backup settings, Edit the Horizon Connection Server, and switch to the Backup tab.
  5. You can schedule automatic backups. See Omnissa 1008046 Performing an end-to-end backup and restore for Horizon.

Related Pages

Omnissa Horizon Connection Server 2406 (8.13)

Last Modified: Jul 27, 2024 @ 7:49 am

Navigation

This post applies to all Omnissa Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new install, skip to Install Horizon Connection Server.

Notes regarding upgrades:

  • For supported upgrade paths (which version can be upgraded to which other version), see Omnissa Interoperability Matrix.
  • Horizon 7 license key does not work in Horizon 2006 (8.0) and newer. You’ll need to upgrade your license key to Horizon 8.
  • Horizon 8.x no longer supports Horizon Clients 5.x and older.
  • According to Omnissa 78445 Update sequence for Horizon 7.X and its compatible VMware products, App Volumes Managers are upgraded before upgrading Connection Servers.
  • Upgrade all Connection Servers during the same maintenance window.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • Horizon 2006 (8.0) and newer do not support Security Servers. The replacement is Unified Access Gateway.
    • Composer was removed from Horizon 2012 (8.1) and newer. All editions of Horizon 2006 (8.0) and newer support Instant Clones. See Modernizing VDI for a New Horizon at Omnissa Tech Zone for migration instructions.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
    • Once the first Connection Server is upgraded, Horizon 2006 (8.0) and newer lets you upgrade the remaining Connection Servers concurrently.
    • After upgrading all Connection Servers to Horizon 2012 (8.1) or newer, see Omnissa 80781 Knowledge DML scripts for data population of new columns in view Events Database to backfill the Events Database with column data to improve Events query performance.
  • Upgrade the Horizon Group Policy template (.admx) files in sysvol.
  • Upgrade the Horizon Agents.
  • DEM Console should not be upgraded until all DEM Agents are upgraded.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded any time before the rest of the infrastructure is upgraded.

Install/Upgrade Horizon Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between Standard and Replica.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 4,000 user connections.

Horizon 2406 (8.13) is the latest release.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at Omnissa Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022.
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8.
  4. Horizon 2312 and newer no longer support Windows Server 2012 R2.
  5. Horizon 2006 (8.0) and newer no longer need Flash.
  6. Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.
  7. Download Horizon 2406 (8.13) Horizon Connection Server.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.13.0.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  10. In the Destination Folder page, click Next.
  11. In the Installation Options page, select Horizon Standard Server, and click Next.
  12. In the Data Recovery page, enter a password, and click Next.
  13. In the Firewall Configuration page, click Next.
  14. In the Initial Horizon Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  15. In the User Experience Improvement Program page, uncheck the box, and click Next.
  16. In the Operational Data Collection page, click Next.
  17. In the Ready to Install the Program page, click Install.
  18. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Horizon Connection Server Replica

Additional Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have at least 10 GB of RAM and 4 vCPU.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has at least 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at Omnissa Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022.
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8.
  4. Horizon 2312 and newer no longer support Windows Server 2012 R2.
  5. Horizon 2006 (8.0) and newer no longer need Flash.
  6. Download Horizon 2406 (8.13) Horizon Connection Server.
  7. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.13.0.exe.
  8. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Replica Server, and click Next.
  11. In the Source Server page, enter the name of another Horizon Connection Server in the pod. Then click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, click Finish.
  15. Load balance your multiple Horizon Connection Servers.
  16. Horizon Console > Settings > Servers > Connection Servers tab shows multiple servers in the pod.

Horizon Connection Server Certificate

Horizon Console Certificate Management

Horizon 2212 and newer have a Certificate Management section in the Horizon Console under Settings. Horizon 2312 and newer can manage cluster certificates in addition to machine certificates.

    1. The Administrators role in Horizon does not include the Certificate Management permission. Go to Settings > Administrators. On the right, switch to the tab named Role Privileges. Click Add.
    2. Name the role CertificateManagement or similar. Select the Manage Certificates privilege, which might be on page 2. Click OK.
    3. Switch to the tab named Administrators and Groups. Select your Horizon Admins group and click Add Permissions.
    4. Select your new CertificateManagement role and click Finish.
    5. If you log out, log back in, and then go to Settings > Certificate Management, the buttons should no longer be grayed out. You can either import an existing cert, or click Generate CSR to create a new cert. If you click Generate CSR, then there’s no way to use this interface to combine the signed certificate with the key, so it’s probably better to use some other method of creating a certificate and export it as a .pfx file.
    6. Click Import to upload a PFX file to the Connection Server that you are currently connected to. For Machine Identity, you’ll have to repeat this process on each Connection Server.
    7. In certlm.msc on the Connection Server, notice that it sets the vdm friendly name on the imported cert, but it doesn’t remove the vdm friendly name from the old cert. You’ll need to manually remove the vdm friendly name from the old cert.
    8. Then open services.msc and restart the VMware Horizon View Security Gateway Component.
    9. Repeat this process on the other Connection Servers.

Install Cert Manually

Alternatively, install a certificate without using Horizon Console:

  1. Run certlm.msc. Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several minutes before you can connect to Horizon Administrator Console.
  12. Horizon Console > Monitor > Dashboard > System Health > View > Components > Connection Servers should show the TLS Certificate as Valid.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the Omnissa.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 2406 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  6. Go back to the downloads folder and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. There’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-2406-8.13.0-9986028157.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start, so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, and Fingerprints, is disabled by default. To enable: (source = Configure Biometric Authentication at Omnissa Docs)

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using Citrix NetScaler.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-2402-ltsr-and-licensing/#rdlicensing.

Antivirus

Omnissa Tech Zone Antivirus Considerations in a VMware Horizon Environment: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Run the following command to enable the timing profiler on each Connection Server instance to view logon segments in the Help Desk tool. See Omnissa Docs for more info.

vdmadmin -I -timingProfiler -enable

Related Pages

Horizon Group Policy and Profiles

Last Modified: Jul 29, 2024 @ 3:27 am

Navigation

This post applies to all Horizon versions 7.0, and newer, including Horizon 2406 (8.13).

💡 = Recently Updated

Change Log

Roaming Profiles Options

There are several options for persisting user profile settings when the user logs off:

  • Dynamic Environment Manager (DEM) – DEM is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • In Horizon 2006 (8.0) and newer, DEM Personalization features are available in all editions of Horizon.
    • In Horizon 7, only Horizon Enterprise Edition is entitled to Dynamic Environment Manager.
    • Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM). VMware renamed User Environment Manager 9.9 and newer to DEM to avoid confusion with Workspace ONE Unified Endpoint Management (also UEM), which is actually AirWatch mobility management. User Environment Manager is sometimes called “little UEM”, while AirWatch is sometimes called “big UEM”.
    • DEM persists settings for specific applications instead of persisting the entire profile. Saved application settings are stored in separate .zip files (aka profile archives) for each application so you can restore one .zip file without affecting the other .zip files. Many of these DEM profile archive .zip files can be restored to multiple operating system versions, whereas other monolithic profile solutions are tied to a specific operating system version.
    • DEM restores profile archives on top of other profile solutions. One option is mandatory profiles so that anything not saved by DEM is discarded on logoff.
    • Omnissa KB article 2118056 Migrate Persona Management to Dynamic Environment Manager.
  • Persona saves the entire user profile, meaning it is a “set and forget” roaming profile solution that is similar to Microsoft’s native roaming profiles or Citrix Profile Management.
    • Persona is not included in Horizon 2006 (8.0) and newer. If you are using Persona in Horizon 7, then before upgrading, see Omnissa Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persona is included in all editions of Horizon 7.
    • However, Persona doesn’t work on newer versions of Windows 10, Persona doesn’t work on RDSH Horizon Agents, and Persona doesn’t work on Instant Clones.
    • In practice, DEM is the only viable profile option from Omnissa, but DEM requires Horizon 7 Enterprise Edition, or upgrade to Horizon 2006 (8.0)
  • App Volumes Writable Volumes – App Volumes Writable Volumes can store the user’s profile and roam the writable volume to different Horizon Agent machines.
    • App Volumes requires Horizon Enterprise Edition.
    • App Volumes is a separate infrastructure (e.g. separate servers, separate agents) that must be built, learned, maintained, and supported.
    • Writable Volumes are stored as .vmdk files on vSphere datastores. For backup/restore, you can replicate the .vmdk files to multiple datastores, including multiple data centers.
    • When Writable Volumes are combined with DEM, then Outlook search indexes can be stored on the Writable Volumes.
    • Writable Volumes can only be mounted on one Horizon Agent machine at a time.
  • Persistent Disks – Horizon Composer can generate persistent disks for each dedicated desktop machine. User profile is redirected to the persistent disk so the user profile will be available after the machine is refreshed.
    • In Horizon 2006 (8.0) and newer, Composer and Persistent Disks are deprecated. Composer has been removed from Horizon 2012 (8.1) and newer. Before upgrading, see Omnissa Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persistent Disk only stores the user’s profile. It does not store user-installed applications. If you need to persist user-installed applications, then implement App Volumes Writable Volumes instead.
    • Persistent Disks were brought to Instant Clones in Horizon 2306 (8.10) and newer. See Using Persistent Disks for Dedicated Instant Clones at Omnissa Docs.
    • Persistent Disks are only an option for Dedicated Assignment pools, meaning that the Persistent Disks do not float between machines. Administrators can manually detach a Persistent Disk from one machine and attach it to a different machine.
    • Persistent Disks are stored as .vmdk files on vSphere datastores. How do you back them up and restore them, especially if they are not currently mounted on a running virtual machine?
  • Microsoft FSLogix – FSLogix Profile Containers can store the entire user profile in a .vhdx file that is stored on a file share.
    • FSLogix is free for almost all virtual desktop and RDSH customers. If you’re not licensed for DEM, then FSLogix is a viable alternative.
    • FSLogix is known for roaming the Outlook Search Index and other special Office 365 files.
    • FSLogix Profile Container is very similar to Persistent Disks and Microsoft User Experience Virtualization in that the entire profile is stored in the .vhdx file. Watch out for disk space consumption on the file share. And concurrent access to the .vhdx can be challenging.
    • FSLogix Profile Container configuration is “set and forget” since it doesn’t need separate configuration for each application.
  • Microsoft Roaming Profiles – a last-case alternative is native Microsoft roaming profiles. However, there are many limitations.
    • Microsoft’s Roaming Profiles cause longer login times since the entire profile is downloaded before the user can interact with the desktop or application. This is not a problem in other roaming profile solutions.
    • Microsoft’s Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms (or multiple desktop pools) then each RDS farm should have separate roaming profile shares.

Roaming Profiles File Shares

File Shares Design

This section provides a summary of the required shares. See Create and Share the Folders for Detailed steps for creating the profile shares.

There are typically several types of file share paths:

  • Roaming Profiles – stores DEM profile archives, FSLogix .vhdx Profile Containers, etc.
    • Roaming profiles (or DEM profile archives) are stored in a separate sub-folder for each user that only the one user has access to.
    • FSLogix, Persona and Microsoft Roaming Profiles are monolithic profiles that are tied to a specific operating system version. If you are supporting multiple operating systems, or if users are connecting to multiple, concurrent pools/farms, then create a separate Roaming Profile share path for each operating system version. For example, you might have separate Roaming Profile shares for Windows 10 and Windows Server 2019.
      • Theoretically, DEM Personalization Archives can be used across multiple operating system versions.
  • Folder Redirection – stores profile folders that you want to persist, but you don’t want to store with the roaming profile. These folders are typically Documents, Downloads, Desktop, and Favorites. Folder Redirection speeds up restoration of roaming profiles. AppData should not be redirected to this file share path.
    • Each user has a separate sub-folder that only the one user has access to.
    • Folder Redirection can be accessed from multiple operating system versions so there’s no need to create multiple Folder Redirection share paths.
  • Home Directories – users store Documents and other personal data in Home Directories.
    • Folder Redirection can be stored in Home Directories instead of in a separate Folder Redirection file share path.
    • Home Directories might be located on multiple file servers. If these file servers are in branch offices instead of data centers, then Folder Redirection should be stored on file servers in the data center that contains Horizon Agents.
  • DEM Configuration Share – Dynamic Environment Manager (DEM) stores its configuration in a file share.

These file shares for a particular user can only be located in one data center. Neither Omnissa nor Microsoft support multi-master replication (aka merge replication) of user profiles, home directories, and folder redirection. If you use DFS Namespaces, then the DFS Namespace path must point to only one target.

  • Horizon users should connect to Horizon Agents in the same data center as the file servers that contain the user’s profile, folder redirection, and home directory. If you have active Horizon Agents in multiple data centers, then you can configure Horizon Cloud Pod Home Sites so that specific users connect to specific data centers. If users connect to a Horizon Agent that is not in the same data center as the user’s file servers, then the files are retrieved across the Data Center Interconnect, which might take longer than desired.
  • The DEM Configuration Share is primarily read-only so multi-master replication is less of a concern.

Here are NTFS permissions for each of the profile file share types:

DEM Profile Archives share:

  • \\server\DEMProfiles
    • DEM Admins = Full Control
    • DEM Support = Modify
    • DEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Dynamic Environment Manager (DEM) Configuration share:

  • \\server\DEMConfig – stores DEM configuration
    • DEM Admins = Full Control
    • DEM Users = Read
    • DEM Support = Read
    • Domain Computers = Read – for DEM computer ADMX

Non-DEM Monolithic Roaming Profiles share: (example includes multiple shares for multiple operating systems)

  • \\server\Profiles\Win10
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\Profiles\Win19
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Folder Redirection share:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

According to Omnissa 2113665 Imports and exports in VMware Dynamic Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it  DEMConfig, or DEMProfiles or similar. See File Shares Design for design info on the share paths that should be created.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. Click OK.
  8. Click Caching.
  9. Select No files or programs. Click OK twice, and then click Close.
  10. According to Omnissa 2113665 Imports and exports in Dynamic Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares design except for the DEMConfig folder.

Lieven D’hoore has VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the Properties of the new shared folder.
  2. On the Security tab, click Advanced.

    1. Click Disable Inheritance.
    2. Click Convert inherited permissions.
    3. Click OK to close Advanced Security Settings.
  3. On the Security tab, click Edit.

    1. For the Everyone or the Authenticated Users entry or the Users entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
    2. Add CREATOR OWNER, and give it Full Control. This grants users Full Control of the folders they create.
    3. Click OK to close the Permissions window.
  4. Click Advanced again.
  5. Highlight the Everyone permission entry or the Authenticated Users permission entry or the Users permission entry and click Edit.
  6. At the top of the window, change the Applies to selection to This folder only. This prevents the Everyone permission from flowing down to newly created profile folders.
  7. Remove all other permission entries that grant access to Users, Domain Users, Everyone, or Authenticated Users. There should only be one of these types of permission entries.
  8. Click OK twice to close the Security and Properties windows.

Access Based Enumeration

With access based enumeration enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it.
  3. Right-click the new share, and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration and click OK.

GPO Templates

Windows Group Policy Templates

Unfortunately, there are some differences between the GPO templates for Windows Server, and the GPO templates for  Windows 10. You’ll need to download the full set of templates.

Follow the procedure at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates (.admx) for Windows 10.

Horizon Group Policy Templates

Some of the policy settings in this topic require group policy templates from the Horizon GPO Bundle, which can be downloaded from the Omnissa Horizon Download Page.

For Horizon 2406 (8.13), download Horizon GPO Bundle 8.13 (VMware-Horizon-Extras-Bundle-2406-8.13.0)

For Horizon 2312.1 (8.12.1) ESB, download Horizon GPO Bundle 8.12.1 (VMware-Horizon-Extras-Bundle-2312-8.12.1).

Install the Group Policy files:

  1. Go to the downloaded VMware-Horizon-View-Extras-Bundle.zip file and extract the files.
  2. Copy the .admx files and en-US folder to the clipboard.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.

  4. Horizon 7.13 has an .admx file in the ThinPrint\ADMX folder. Horizon 2006 (8.0) and newer no longer include ThinPrint, so this .admx is not available in Horizon 2006 (8.0) and newer.
    1. Copy the .admx file, and en-US folder, to the clipboard.
    2. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.
  5. When you edit group policy objects, you can now edit Horizon settings.

Dynamic Environment Manager GPO Templates

Download and copy the DEM GPO ADMX templates to PolicyDefinitions. DEM can also work without Active Directory (Group Policy); see Omnissa 2148324 Configuring advanced DEM settings in NoAD mode for details.

In Horizon 2006 (8.0) and newer, DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different ADMX templates.

In Horizon 7, DEM is only available for Horizon Enterprise Edition customers. Horizon 7 Enterprise Edition customers can download DEM Enterprise Edition.

  1. Based on your entitlement, download either DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  2. Go to the extracted Dynamic Environment Manager files, and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the files and folder. Overwrite any older files.

  4. If you are upgrading from UEM 9.8 or older to DEM 9.9 or newer, then look in PolicyDefinitions for VMware UEM.admx files and delete them.
  5. You will find VMware DEM GPO settings in the User Half of a GPO.

VMware DEM FlexEngine Advanced Settings are available in a different GPO template.

  1. Go to https://kb.omnissa.com/s/article/2145286.
  2. Click the link to download the ADMX file.
  3. Extract the files. Then copy the file and folder.
  4. Go to your PolicyDefinitions folder and paste them.

Microsoft Edge GPO Templates

Horizon Browser Redirection requires installation of an Edge extension. Install the Edge GPO Templates so you can force install the Edge extension.

  1. Download the Edge ADMX templates from Microsoft Edge for business. Select your version of Edge and then click GET POLICY FILES.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \windows\admx folder, copy the msedge*.admx files and the en-US folder.
  4. Go to PolicyDefinitions in your SYSVOL (e.g., \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files and en-US folder.

Google Chrome GPO Templates

Horizon Browser Redirection requires installation of a Chrome extension. Install the Chrome GPO Templates so you can force install the Chrome extension.

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools, then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon Agent Computer Settings GPO). One of the GPOs is called Horizon Agent All Users (including admins), and the other is called Horizon Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU, or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab, and click Add.
  10. Find your Horizon Admins group, and click OK.
  11. Change the Permissions to Edit settings, and click OK.
  12. Then on the Delegation tab, click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each Horizon Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.) Each profile configuration needs a different GPO. Note: if you are licensed for Dynamic Environment Manager, then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs, and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU, and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar, and click OK. Each operating system version should point to a different file share, so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU, and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO, and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Configure the GPO Computer Settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups, and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users, and click OK twice.

VMware Integrated Printing

Horizon 7.7 and newer have a new Universal Print Driver named VMware Integrated Printing or VMware Advanced Printing, which replaces ThinPrint. Integrated Printing is an optional feature of the Horizon Agent installer and requires Horizon Client 4.10 for Windows, Horizon Client 5.1 for Linux and Horizon Client 5.1 for Mac.

You can use Group Policy to configure Integrated Printing. (e.g. select whether Native Print Drivers are preferred over the Universal Print Driver). The GPO settings only apply if the VMware Integrated Printing feature is installed on the Horizon Agent.

  1. Make sure the Horizon 2012 (8.1) or newer GPO Templates are installed. Some Integrated Printing GPO settings are available in Horizon 7.7 and newer.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | VMware Integrated Printing (or VMware Advanced Printing). This node only appears in ADMX templates from Horizon 7.7 and newer.
    • In Horizon 2012 (8.1) and newer, the GPO settings were moved under the VMware View Agent Configuration folder.
    • In Horizon 2012 (8.1) and newer, the Integrated Printing settings are also available in the user half at User Configuration > Policies > Administrative Templates > VMware View Agent Configuration > VMware Integrated Printing. User settings override computer settings.
  4. Horizon 2106 (8.3) and newer have a setting name Default settings for UPD printers that lets you set duplex, color, and compression defaults.

  5. In Horizon 2012 (8.1) and newer, Do not change default printer prevents the client default printer from overriding the remote default printer.
  6. Edit the setting Printer Driver Selection.
  7. Enable the setting, and then consider setting it to Always use UPD to avoid needing to install any printer drivers on the Horizon Agent machines. This is particularly beneficial for multi-user RDSH machines.
  8. In Horizon 2012 (8.1) and newer, Printer Name Schema lets you change the names of the redirected printers.

  9. Horizon 2303 and newer have Enable server printer redirection, which causes the Horizon Agent to connect directly to the print servers instead of routing the print job through the Horizon Client. Print drivers are probably needed on the Agent machine.
  10. Horizon 7.8 and newer supports filtering of redirected client printers.

VMware Integrated Printing also supports Location Based Printing.

  1. In the Horizon 7.7 or newer Extras Bundle (GPO templates), find the file named LBP.xml.
  2. Edit the file. This is an XML document that can contain multiple <Policy> nodes. The file is commented.
  3. When done editing the LBP.xml file, copy it to C:\ProgramData\VMware on each Horizon Agent machine. It’s probably easiest to use Group Policy Preferences (or computer startup script) to download this file when the Horizon Agent machines boots.

Dynamic Environment Manager (DEM) Group Policy

Most of the Dynamic Environment Manager GPO settings are user settings, not computer settings. DEM 2006 (aka 10.0) and newer support ADMX files for computers.

Note: UEM 9.1 can also work without Active Directory (Group Policy); see Omnissa 2148324 Configuring advanced UEM settings in NoAD mode for details.

From Omnissa Tech Zone Quick-Start Tutorial for VMware Dynamic Environment Manager and Chris Halstead VMware User Environment Manager (UEM) – Part 1 – Overview / Installation.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Dynamic Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.

    1. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
    2. Double-click Always wait for the network at computer startup and logon.
    3. Enable the setting, and click OK.
    4. Close the group policy editor.
  3. If you use DEM 9.10 or newer to roam File Type Associations, then enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
  4. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents, and Loopback processing should already be enabled on those machines.
  5. Go to User Configuration | Policies | Administrative Templates | VMware DEM | FlexEngine.
  6. If you are running Dynamic Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.

    1. Enable the setting, and click OK.
  7. Double-click Flex config files.

    1. Enable the setting.
    2. Enter \\server\demconfig\general. The general folder will be created by the Dynamic Environment Manager management console. Click OK.
  8. Double-click FlexEngine Logging.

    1. Enable the setting.
    2. Enter \\server\demprofiles\%username%\logs. Dynamic Environment Manager will create these folders. Click OK.
  9. UEM 9.0 and newer has a setting named Paths unavailable at logon. By default, users are blocked from logging in if the DEM file share is not reachable.

  10. Double-click the setting Profile archive backups.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\backups.
    3. Enter the number of desired backups, check the box for daily backups, and click OK.
  11. In DEM 2111 and newer, you can store Profile Archives in OneDrive for Business by configuring the setting OneDrive for Business integration.
  12. To store Profile archives in a file share, double-click Profile archives.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\archives.
    3. Check the box next to Retain file modification dates. Source = Anyway to save ‘Date Modified’? at VMware Communities.
    4. Click OK.
  13. In DEM 2111 and newer, simply enable the setting Run FlexEngine at logon and logoff.
  14. For DEM prior to version 2111, configure the group policy extension and logoff script:
    1. Double-click the setting RunFlexEngine as Group Policy Extension.
    2. Enable the setting, and click OK.
    3. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
    4. Double-click Logoff.
    5. Click Add.
    6. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
    7. In the Script Parameters field, enter -s.
    8. Click OK.
  15. If you are using the Privilege Elevation feature, consider enabling Privilege elevation logging to the Windows event log.

  16. Same for Application blocking logging to the Windows event log.
  17. You can download and install a separate ADMX file containing DEM Advanced Settings.
    1. You can use group policy to Disable DEM agent features on certain OUs. For example, you might not want Personalization on some pools.
    2. DEM 2111 and newer can enable DEM ADMX Settings to override GPOs by enabling the setting Override existing user policy settings.
  18. If DEM 2006 or newer, you can optionally enable DEM Computer ADMX settings.
    1. In the DEM Config share, make sure Domain Computers has Read permission to the folders.
    2. Edit a GPO that applies computer settings to the Horizon Agent machines (e.g. Horizon Agent Computer Settings).
    3. Go to Computer Configuration | Preferences | Windows Settings | Registry.
    4. Add a New Registry Item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\​Computer Configuration
      2. Value name = Enabled
      3. Value type = REG_DWORD
      4. Value data = 1. Click OK.
    5. Create another registry item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\​Computer Configuration
      2. Value name = ConfigFilePath
      3. Value type = REG_SZ
      4. Value data = the path to your DEM Config share, including the general folder. Click OK.
      5. For more registry values, see Omnissa Docs FlexEngine Configuration for Computer Environment Settings.

Now that DEM is enabled, you can configure Dynamic Environment Manager by using a separate console application. See the instructions at https://www.carlstalhood.com/vmware-user-environment-manager/.

DEM Changelog

From YouTube video User Environment Manager 9.6 What’s New Overview:

  1. On the left, click the node named Management Console under VMware DEM
  2. On the right, UEM 9.6 adds two new settings for Changelog.
  3. Log changes to disk stores the log in the DEM share at \\server\DEMConfig\Changelog\general. Note that administrators usually have permission to modify this location so they could modify this changelog.
  4. Log changes to the Windows event log stores the log in the Application Log in Event Viewer of the local console machine and not in any central server.
  5. You can also enable the Changelog in the DEM Management Console by clicking the ribbon button named Configure.
  6. Switch to the tab named Configuration Changelog to enable the two settings.
  7. Each configuration item in DEM Management Console shows a tab named Changelog after changes are recorded.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts, Instant Clones, or newer versions of Windows 10. It also does not apply to Horizon 2006 (8.0) and newer.

If you are using Dynamic Environment Manager then skip this section.

  1. Verify that ICMP is enabled between the Horizon Agent and the domain controller, and as well as the Horizon Agent and the Persona Management Repository.
  2. Install the Horizon GPO ADMX files if you haven’t already.
  3. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  4. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  5. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Persona Management | Roaming & Synchronization.
  6. On the right, double-click Manage user persona.
  7. Enable the setting. It defaults to 10 minutes. Click OK.
  8. Double-click Persona repository location, and enable the setting.
  9. Enter the path to the file share created for Persona. Append %username%.
  10. Check the box next to Override Active Directory user profile path. Click OK.
  11. Double-click Roam local settings folders, and enable it. Click OK.
  12. Double-click Files and folders excluded from roaming, and enable it. Then click Show.
  13. Enter the values shown below, and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  14. Double-click Files and folders excluded from roaming (exceptions), and enable it. Then click Show.
  15. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  16. Configure %AppData%\Thinstall as a folder to background download. If you are using Thinapps, this will speed up the launch time of Thinapps.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using Dynamic Environment Manager or FSLogix, then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles

  10. VMware recommends enabling RunOnce as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

Horizon Agent Settings

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration. Click Agent Configuration.
  4. Horizon 2306 and newer have a setting called Allow FIDO2 authenticator access. Combine it with FIDO2 allow list, which defaults to only allowing Chrome, Edge, and Firefox.

  5. RDSH idle timer is configured using Microsoft RDSH GPO settings and are not Horizon-specific. The Horizon 2106 and newer GPO templates have the RDS timers in the VMware View Agent Configuration node or you can configure the RDS timers in the normal Microsoft Remote Desktop Session Host node. Both sets of GPO settings set the same registry values.
  6. Horizon 7.10 and newer has an Idle Time Until Disconnect (VDI) for virtual desktops. This setting does not apply to RDSH.
  7. In Horizon 7.10 or newer, you can use Group Policy to configure a Disconnect Session Time Limit for virtual desktops. This GPO setting overrides the pool setting Logoff after Disconnect.
  8. If Horizon 7.8 or newer, on the right, double-click DPI Synchronization Per Connection.
  9. This setting is disabled by default. You can optionally enable it so DPI is reconfigured on reconnect instead of only on initial logon.
  10. Horizon 2106 and newer have a Screen-capture blocking setting. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half.

    • Screen-capture blocking requires Horizon Agent 2106 and Horizon Client 2106 (8.3). To prevent older Horizon Clients from connecting, in Horizon Console, go to Settings > Global Settings. On the right is a tab named Client Restriction Settings. Click Edit. Check the boxes for the various client operating systems and enter 8.3.0 (2106) as the required minimum version.

  11. Horizon 2303 and newer have a setting called Screen-capture For Media Offloaded Solution. This setting adds a Print Screen button to the Horizon Client toolbar. When pressed, the screenshot is saved to the Pictures folder on the remote desktop. The advantage of this feature is that it captures Teams redirection, Multimedia Redirection, multiple monitors, and Watermark.



  12. Horizon 2111 and newer have a setting for Key Logger Blocking. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half. Use Client Restriction Settings to prevent Horizon Clients older than 2111 from connecting.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | PCoIP Session Variables. Click Overridable Administrator Defaults.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and select Enabled in both directions. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting named Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold.


  8. Horizon 7.0.2 and newer have the ability to filter specific clipboard formats.
  9. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, Omnissa recommends setting this to 100 – 150 Or you can start with 300 Kbps and reduce as needed.

Real-Time Audio-Video

Omnissa validated Horizon 7.9’s Real-Time Audio-Video feature with Microsoft Teams. Here are sizing recommendations:

  • Minimum setting of 4vCPU 4GB RAM as a published desktop configuration
  • RTAV video resolution configured with 640 x 480p

Real-Time Audio-Video (RTAV) is one of the options that can be selected when installing Horizon Agent. To ensure that Audio is captured by RTAV instead of by USB redirection, exclude audio from USB redirection is described in the next section.

To configure RTAV video resolution, do the following:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration, expand View RTAV Configuration and click View RTAV Webcam Settings.
  4. On the right, double-click Resolution – Default image resolution height in pixels
  5. Enable the setting and set it to 480 pixels. Click OK.
  6. On the right, double-click Resolution – Default image resolution width in pixels.
  7. Enable the setting and enter 640. Click OK.
  8. There are two more GPO settings for Max height and width. If these are not configured then there is no maximum.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon Client when the Horizon Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon Client USB GPO settings. Merge means that if Horizon Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Policies | Administrative Templates | VMware View Agent Configuration, and click View USB Configuration.
  4. On the right, double-click Exclude Device Family.
  5. Change the selection to Enabled.
  6. Enter o:audio-in;o:video.
  7. If you want to block USB storage devices, add o:storage to the list. Click OK.

Blast Settings

The full Horizon Client 4.0 and newer can use UDP when connecting to Horizon 7 Agents using Blast.

  • Omnissa Tech Zone VMware Blast Extreme Optimization Guide
  • VMware Blog Post Deep Dive into VMware Horizon Blast Extreme Adaptive Transport – Blast Extreme Adaptive Transport is enabled by default in VMware Horizon View 7.1 and Horizon Client 4.4. If the clients are connecting from outside the demilitarized zone (DMZ), you would also need to have VMware Unified Access Gateway (not Security Server) to take full advantage of the new transport. The adaptive transport will automatically sense the network for UDP availability and will fallback to legacy Blast TCP if UDP is not available.

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

If you want file transfer in HTML5 Blast, then you must configure clipboard from server-to-client (or both directions).

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. In Horizon 2012 (8.1) and newer, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration and click Clipboard Redirection.
    1. In versions earlier than Horizon 2012 (8.1), expand Policies | Administrative Templates, and click VMware Blast.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and then make your choice. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting to Configure drag and drop direction. In Horizon 2012 (8.1) and newer it’s under the separate VMware View Agent Configuration | Drag and Drop node instead of VMware Blast.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. In Horizon 2012 (8.1) and newer it’s under the separate VMware View Agent Configuration | Drag and Drop node instead of VMware Blast.


  8. In the VMware Blast node, Horizon 2212 and newer have a setting called Blast Optimizer that adjusts multiple settings for better user experience or better performance.

  9. Horizon 2312 and newer support Build to Lossless.
  10. Horizon 2303 and newer have a setting called Cursor Warping that moves the client mouse when sudden cursor movements are detected in the remote Agent.

  11. Horizon 7.6 and newer have settings to add DSCP markings to the Blast protocol. See VMware Blast Policy Settings at Omnissa Docs.
  12. On the right, double-click UDP Protocol.
  13. You can optionally enable UDP protocol. Click OK.
  14. Horizon 7.4 introduced the H.264 High Color Accuracy setting.

  15. Horizon 7.0.2 and newer have a setting for H.264 Quality Levels.

  16. If you enabled UDP protocol, then on your master image, reboot the machine so it reads the GPO settings. Look in the file C:\ProgramData\VMware\VMware Blast\Blast-Service.log to make sure UDP is enabled. If not, reboot the machine again. After it’s enabled, snapshot the master machine and push it to your Pools.

Watermark

Horizon 2006 (8.0) and newer has a Watermark feature. It works for both apps and desktops.

For limitations of this feature, see Configuring a Digital Watermark at Omnissa Docs.

  1. Make sure the Horizon 2006 or newer GPO Templates are installed.
  2. Edit the Horizon Agent All Users Settings GPO. This is a User GPO setting so make sure GPO Loopback Processing is enabled in the Computer Settings GPO.
  3. Go to User Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Watermark.
  4. Edit the setting Watermark Configuration.
  5. See the Help text for explanation of the setting.

Teams Optimization

Horizon Agent 2006 (or newer) and Horizon Client 2006 (or newer) can offload Microsoft Teams media (audio/video) to the client device. Horizon 7.13 with Horizon Client 5.5 can offload Microsoft Teams media (audio/video) to the client device.

Newer versions of Horizon support more Teams features:

  • Horizon 2312 (8.12) and newer support blur backgrounds, select effects, or select an available background image.
  • Horizon 2306 (8.10) and newer support simulcast, which allows multiple streams at multiple resolutions.
  • Horizon 2303 (8.9) and newer support individual application sharing in VDI and RDSH desktop sessions.
  • Horizon 2203 (8.5) and newer support Give and take control of screen sharing.
  • Horizon 2106 (8.3) and newer can offload to Linux and Mac clients in addition to Windows clients.
  • E911 and Location-Based Routing require Mac client (2111 and later) and Windows client (5.5.4 and later; 2111 and later) only. Not supported for Linux client.

In Horizon 2212 and newer, Teams Optimization is enabled by default. In older Horizon, it is disabled by default. For requirements and limitations, see Configuring Media Optimization for Microsoft Teams at Omnissa Docs.

  1. Make sure the Horizon 7.13 or Horizon 2006 or newer GPO Templates are installed.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer  Configuration | Policies | Administrative Templates | VMware View Agent Configuration | VMware HTML5 Features | VMware WebRTC Redirection Features.
  4. Edit the setting Enable Media Optimization for Microsoft Teams.
  5. Set it to Enabled.

Browser Content Redirection

Browser Content Redirection redirects the contents of the browser to be rendered by the client machine instead of the Horizon Agent machine. Browser Content Redirection in Horizon 2106 and newer supports both Chrome and Edge. HTML5 Multimedia Redirection is the older feature. See Omnissa Docs.

  1. Edit a GPO that applies to the Horizon Agents.
  2. Expand Computer Configuration, expand Administrative Templates, expand VMware View Agent Configuration, and click VMware HTML5 Features.
  3. On the right, enable the setting Enable VMware HTML5 Features. This setting is only available in Horizon 7.10 and newer.

  4. In Horizon 7.10 and newer:
    1. On the left, under VMware HTML5 Features, click VMware Browser Redirection.
    2. On the right, enable the setting Enable VMware Browser Redirection.
    3. Also enable the setting Enable Browser Redirection feature for Microsoft Edge (Chromium) Browser. This setting requires Horizon 2106 (8.3) or newer.
    4. On the right, configure the setting Enable URL list for VMware Browser Redirection.
    5. Enable the setting and click Show.
    6. Add a list of URLs that you want the client to render. Use wildcards in the path.
  5. The older feature is HTML5 Multimedia Redirection, which you can optionally enable. See Configuring HTML5 Multimedia Redirection at Omnissa Docs.

  6. Install the Edge GPO Templates if you haven’t already.
  7. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Microsoft Edge, and click Extensions.
  8. On the right, double-click the setting Control which extensions are installed silently.

    1. Enable the setting and click Show.
    2. For Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Edge.
  9. Install the Chrome GPO Templates if you haven’t already.
  10. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Google, expand Google Chrome, and click Extensions.
  11. On the right, double-click the setting Configure the list of force-installed apps and extensions.

    1. Enable the setting and click Show.
    2. For Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Chrome.
  12. When you navigate to a URL on the configured URL List, if the redirection feature is working, then the Chrome extension will show REDR.

  13. And you’ll see HTML5VideoPlayer.exe on the client side.

UNC Path Redirection

Horizon 2209 and newer can redirect network links inside Outlook from agent-to-client or from client-to-agent.

  1. Install the Horizon 2209 or newer GPO ADMX files if you haven’t already.
  2. In the computer half of a GPO, find the settings under Computer Configuration | Policies | Administrative Templates and click VMware Horizon UNC Path Redirection.
  3. First enable the feature by setting Enable UNC Path Redirection.
  4. Then configure UNC Path Redirection Filter Rule. For agent-to-client, add paths in the Client Rules box. The other boxes are for client-to-agent. Regular Expressions are supported as detailed at Omnissa Docs.
  5. When installing Horizon Agent 2209 or higher, add /v ENABLE_UNC_REDIRECTION=1 to the command line.
  6. When installing Horizon Client 2209 or higher, add /v ENABLE_UNC_REDIRECTION=1 to the command line.

URL Content Redirection

URL Content Redirection allows web browser URLs to be redirected from Agent-to-Client or from Client-to-Agent. This feature requires:

  • URL Redirection component installed from command line on Horizon Agent.
  • URL Redirection component installed from command line on Horizon Client.
  • If Horizon Client is installed on a Horizon Agent machine, you can install URL Redirection for one or the other, but not both.
  • Internet Explorer 9 or later only
  • GPO Settings

URL Redirection GPO settings apply to both Horizon Agents and Horizon Clients depending on the source of the redirection. For Agent-to-Client redirection, edit a GPO that applies to the Horizon Agents. For Client-to-Agent redirection, edit a GPO that applies to the Horizon Clients.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Expand Computer Configuration | Policies | Administrative Templates and click VMware Horizon URL Redirection.
  3. On the right, double-click IE policy: Automatically activate newly installed plugins, and enable it. If you don’t configure this, then users are required to activate the IE add-on manually.
  4. On the right, double-click Url Redirection Enabled and enable the setting. The setting description says it’s enabled by default, but actually it’s not.
  5. On the right, double-click Url Redirection Protocol ‘http’.
  6. For Agent-to-Client, configure clientRules and agentRules. clientRules are redirected from Agent-to-Client. However, agentRules override clientRules. This lets you redirect every URL to client but keep some URLs on the agent. Separate multiple rules with a semicolon.
  7. For Client-to-Agent, configure agentRules. Anything that matches will be redirected to the remoteItem (name of published icon) accessible through brokerHostname.
  8. In the User half of a GPO that applies to Horizon Agents with Loopback Processing enabled, Horizon 7.4 added a new policy setting to automatically install the URL Content Redirection extension in Chrome. This setting should be applied to both the Horizon Agents, and the Horizon Clients.

Collaboration Settings

Horizon 7.4 and newer have a Collaboration feature, which has some group policy settings.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates, expand VMware View Agent Configuration, and click Collaboration.

  4. On the right, you can configure settings like the Maximum number of invited collaborators. The limit is 10.

User Lockdown Settings

Edit the Horizon Agent Non-Admin Users GPO, and configure the settings detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, configure Redirected Profile Folders as detailed at https://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by Persona, RDS profiles, or DEM.

Related Pages