VMware Horizon 2006: Master Virtual Desktop

Navigation

Use this post to build a virtual desktop that will be used as the parent image (aka source image, aka master image, aka gold image) for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

• Change Log
• Virtual Hardware
• Windows
  • Preparation
  • Power Options
  • System Settings
• Install Applications
• Antivirus
• Horizon Agent
  • Horizon Agent Installation/Upgrade
  • Dynamic Environment Manager (DEM) Agent Installation/Upgrade
  • Logon Monitoring
  • Unity Touch
  • ClonePrep – Rearm
  • Dynamic PCoIP Policies
• VMware OS Optimization Tool
  • Additional Optimizations
• Snapshot

💡 = Recently Updated

Change Log

• 2020 Oct 18 – DEM Agent – updated for DEM 2009
• 2020 Aug 14 – updated entire article for Horizon 2006 (aka 8.0)

Virtual Hardware

Lieven D’hoore has a desktop VM build checklist at VMware Horizon View – Windows 10 Golden Image Creation

1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
   • When using Microsoft Teams with Real-Time Audio-Video (RTAV), VMware recommends that the virtual desktop have a minimum of 4vCPU and 4 GB RAM. See System Requirements for Real-Time Audio-Video at VMware Docs.
2. For New Hard disk, consider setting Thin provision.
   
3. Make sure the virtual desktop is using a SCSI controller.
   
4. The master virtual desktop should be configured with a VMXNET 3 network adapter.
   
5. When building the master virtual desktop, you will probably boot from an ISO.
6. Before using Horizon Administrator to create a pool based off of this master image, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure ISO file is not configured.
   
7. There’s no need for the Floppy drive so remove it.
8. If you have any Serial ports, remove them.

Windows

VMware TechZone Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop

Preparation

• Windows 10 Versions
  • VMware 2149393 Supported Windows 10 Guest Operating Systems for Horizon Agent and Remote Experience, for Horizon 8 2006 and Later
    • Horizon 2006 seems to require Windows 10 version 1909 or newer. 1903 and older are not supported with Horizon Agent 2006.
  • VMware 51663 Windows 10 Guest OS support FAQ for Horizon 7.x and 6.x.
  • Office 365 ProPlus is not supported on LTSC. See Changes to Office and Windows servicing and support.
  • Visual Studio 2017 and newer are not supported on LTSC. See Visual Studio 2019 Product Family System Requirements.
• Windows 7 is not supported in Horizon 2006. See VMware article 76934 Windows 7 & 8 Support Plan for VMware Horizon.
• VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon 7 Agent.
  • See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
• Teradici Audio Driver – http://www.teradici.com/web-help/teradici_virtual_audio_driver/1.2.2/release_notes/
• For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon Agent is installed.

Power Options

1. Run Power Options. Right-click the Start Menu to access Power Options.
   
2. Click Additional power settings.
   
3. Select Ultimate Performance, or click the arrow to show more plans, and select High performance.
   
4. Next to the power plan, click Change plan settings.
   
5. Change the selection for Turn off the display to Never, and click Save changes.
   
6. You can also configure these setting using group policy.
   

System Settings

1. Domain Join. Use sysdm.cpl to join the machine to the domain. Also see VMware 2150495 Computer-based Global Policy Objects (GPOs) that require reboot are not applied on instant clones.
   
2. In System control panel applet (sysdm.cpl), on the Remote tab, enable Remote Desktop.
   
3. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with Instant Clones.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Microsoft MSI-X App Attach, Liquidware FlexApp) or App Streaming (e.g. ThinApp, Microsoft App-V). Note: logins are fastest if apps are installed in the master image. All app layering/streaming technologies introduce a logon delay. You can use Microsoft FSLogix App Masking to hide applications and Start Menu shortcuts that users should not see.

Antivirus

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment contains exclusions for Horizon View, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Symantec

Symantec links:

• Symantec TECH91070 Citrix and terminal server best practices for Endpoint Protection.
• Symantec TECH197344 Virtualization best practices for Endpoint Protection 12.1.x and SEP 14.x
• Symantec TECH180229 Endpoint Protection – Non-persistent Virtualization Best Practices

Trend Micro

Trend Micro Links:

• Trend Micro Docs – Trend Micro Virtual Desktop Support
• Trend Micro Docs – VDI Pre-Scan Template Generation Tool
• Trend Micro 1056314 – Configuring the OfficeScan (OSCE) Virtual Desktop Infrastructure (VDI) client/agent
• Trend Micro 1055260 – Best practice for setting up Virtual Desktop Infrastructure (VDI) in OfficeScan
• Trend Micro 1056376 – Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan

Sophos

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It maybe desirable to disable the Sophos AutoUpdate shield icon

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

• Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
• Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

• Install Traps Agent for Windows:
  • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
  • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order to the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Horizon Agent

Horizon Agent Installation/Upgrade

Install Horizon Agent on the master virtual desktop. Upgrades are performed in-place.

1. See VMware 2149393 Supported Windows 10 Guest Operating Systems for Horizon Agent and Remote Experience, for Horizon 8 2006 and Later
2. VMware Tools – Only install Horizon Agent after you install VMware Tools.
   1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
   2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
   3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)

      C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set appinfo disabled true

3. Download Horizon Agent 2006.
   
4. Run the downloaded VMware-Horizon-Agent-x86_64-8.0.0.exe.
   
5. If you want the URL Content Redirection feature, then you must run the Agent installer with the the following switches: /v URL_FILTERING_ENABLED=1

6. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
   
7. In the License Agreement page, select I accept the terms, and click Next.
   
8. In the Network protocol configuration page, select IPv4, and click Next.
   
9. In the Custom Setup page, there are several features not enabled by default. Feel free to enable them.
   1. If you want USB Redirection, then enable that feature.
      
   2. If you run Skype, then enable VMware Virtualization Pack for Skype for Business. See Configure Skype for Business at VMware Docs for details.
      
   3. You can install Instant Clone Agent, or View Composer Agent, but not both. Since Horizon 2006 supports Instant Clones in all editions, there’s no need for Composer Agent.
      
   4. Horizon Agent 2006 does not include Persona.
   5. If you want Scanner Redirection, then enable that feature. Note: Scanner Redirection will impact host density.
      
   6. Horizon Performance Tracker adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.
      
      
   7. Horizon 2006 no longer includes ThinPrint (aka Virtual Printing). VMware Integrated Printing is the replacement for ThinPrint and requires Horizon Client 4.10 or newer.
      
   8. Horizon 2006 no longer includes vRealize Operations for Horizon.
10. Click Next when done making selections.
11. In the Ready to Install the Program page, click Install.
    
12. In the Installer Completed page, click Finish.
    
13. Click Yes when asked to restart.
    
14. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?
    
    • To add features to an existing Horizon Agent installation, use the command line as detailed by Terence Luk at Add features to an existing VMware Horizon View 7.x Agent install.
      
15. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
    
16. There’s also an IE add-on.
    
17. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 are entitled to Dynamic Environment Management (DEM).

• Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
• Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

Windows 10 Compatibility:

• DEM 2006 (aka 10.0) and newer support Windows 10 version 2004.

To install DEM Agent:

1. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
2. Based on your entitlement, download either DEM 2009 (aka 10.1) Enterprise Edition or DEM 2009 (aka 10.1) Standard Edition.
   
   
3. Run the extracted VMware Dynamic Environment Manager Enterprise 10.1 x64.msi.
   
4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
   
5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
   
6. In the Destination Folder page, click Next.
   
7. In Choose Setup Type page, click Custom.
   
8. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
   
9. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
   
10. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
    
11. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
    
12. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value. (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1
13. DEM is enabled using Group Policy and configured using the DEM Management Console.
    • DEM can also be enabled without Active Directory (Group Policy); see VMware article 2148324 Configuring advanced UEM settings in NoAD mode for details.

Logon Monitoring

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
2. Create a string value called FavAppList.
3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:

Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware Unity\enabled to 0.

For more information, see Configure Favorite Applications Displayed by Unity Touch at VMware Docs.

ClonePrep – Rearm

By default, when Horizon creates Instant Clones, one of the tasks that ClonePrep performs is to rearm licensing. You can prevent rearm by setting the following registry key:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
  • SkipLicenseActivation  (DWORD) = 0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through. Full script is included in the article.

VMware OS Optimization Tool

1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
2. Download the VMware OS Optimization Tool VMware fling.
   
3. Run the extracted VMwareOSOptimizationTool.exe.
   
4. Go to the Public Templates tab and download or update your templates.
   
5. On the Optimize tab, choose a template.
   
6. Then click Analyze on the bottom of the window.
7. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
   
8. The History tab lets you rollback the optimizations.
   
9. The Finalize tab contains tasks that should be run every time you seal your master image.
   

Additional Optimizations

Additional Windows 10 Optimizations

• James Rankin Improving Windows 10 logon time:
  • Use Remove-AppXProvisionedPackage to remove Modern apps. See the article for a list of apps to remove. Also see James Rankin Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #3: MODERN APPS
  • Import a Standard Start Tiles layout (Export-StartLayout)
  • Create a template user profile
• Carl Luberti (Microsoft) Windows 10 VDI Optimization Script

Snapshot

1. Make sure the master virtual desktop is configured for DHCP.
   
2. If connected to the console, run ipconfig /release.
   
3. Run antivirus sealing tasks. For example:
   • Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
   • Symantec: run the ClientSideClonePrepTool –http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
4. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
   
   
5. Shutdown the master virtual desktop.
   
6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
   
7. Take a snapshot of the master virtual desktop. Instant Clones requires a snapshot.
   
   

Related Pages

• Back to VMware Horizon 2006