Horizon
Author: Jackson Chen
VMware Horizon
https://www.vmware.com/au/products/horizon.html
https://docs.vmware.com/en/VMware-Horizon/index.html
https://www.carlstalhood.com/vmware-horizon-7-configuration/
Virtual Desktops and Apps Enable Anywhere, Anytime Access. VMware Horizon enables a digital workspace with the efficient delivery of virtual desktops and applications that equips workers anywhere, anytime, and on any device.
Horizon Architecture Planning
Horizon Installation
Horizon Administration
Horizon Upgrade
Setup Virtual Desktop
Setting Up Virtual Desktops in Horizon
Setting Up Published Desktops and Applications in Horizon
Published Desktops and Applications
Setting Up Linux Desktops in Horizon
Configuring Remote Desktop Features in Horizon
Configuring Remote Desktop in Horizon
VMware Horizon Security
Horizon Client and Agent Security
Setting Up TLS Certificates for Horizon
Administering Cloud Pod Architecture in Horizon
VMware vRealize Orchestrator Plug-In for VMware Horizon
VMware View Agent Direct-Connection Plug-In Administration
VMware OS Optimization Tool
https://flings.vmware.com/vmware-os-optimization-tool
Network Ports in VMware Horizon 7
https://techzone.vmware.com/resource/network-ports-vmware-horizon-7
Workspace ONE
Workspace ONE Document
https://docs.vmware.com/en/VMware-Workspace-ONE/index.html
Workspace ONE UEM Document
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/index.html
Unified Access Gateway Document
https://docs.vmware.com/en/Unified-Access-Gateway/index.html
VMware Identity Manager Integrations Documentation
VMware Identity Manager has been renamed to VMware Workspace ONE Access
https://www.vmware.com/support/pubs/vidm_webapp_sso.html
https://www.carlstalhood.com/vmware-identity-manager/
Mastering Workspace ONE
https://techzone.vmware.com/mastering-workspace-one
Windows 10 Management
https://techzone.vmware.com/understanding-windows-10-management
Workspace ONE Resources
https://techzone.vmware.com/resource/workspace-one
VMware Workspace ONE and Horizon Reference Architecture
https://techzone.vmware.com/reference-architecture
Horizon View API and Automation
Horizon View API - 7.13
https://developer.vmware.com/apis/1093/view
Horizon View API - 2106
https://developer.vmware.com/apis/1175/view
Horizon 7.13
https://docs.vmware.com/en/VMware-Horizon-7/index.html
Horizon 7.13 supports Windows 7
Virtual Desktops in Horizon 7.13
References
VMware Horizon 2106 - Virtual Desktop Pools
https://www.carlstalhood.com/vmware-horizon-8-virtual-desktop-pools/
Create Horizon Desktop Pool using PowerCLI https://roderikdeblock.com/create-horizon-desktop-pool-using-powercli/
Horizon Infrastructure Design
It is recommended to implement a Horizon domain with its own vCenter Server and ESXi hosts dedicated to hosting the VDI desktop pools.
Important:
When troubleshooting a VMware Horizon VDI desktop pool creation error, keep in mind that
vCenter will query all of the ESXi hosts and datastores it manages, not only those in the Horizon cluster,
and it will throw an error and fail to create the VDI desktop pool if there is an issue with an ESXi host or datastore that is not part of the Horizon cluster.
Horizon Domains
A Horizon domain automates deployment of VMware Horizon components and supporting infrastructure to enable you to deliver Virtual Desktop Infrastructure (VDI) and Remote Desktop Session Host (RDSH) desktops and applications. These can be delivered as persistent, linked clone, or instant clone desktops. The Horizon domain can include VMware App Volumes for dynamic application mounting and User Environment Manager for a persistent end user experience.
Components of a Horizon Domain
Example of a deployed Horizon domain
Horizon Connection Server
Horizon Connection Server is a software service that acts as a broker for client connections. Horizon Connection Server provides the following management capabilities:
- Authenticates users with Active Directory (AD) and directs the request to the appropriate VM, physical PC, or Microsoft RDS host.
- Establishes secure connections between users and remote desktops and applications.
- Entitles users to specific desktops and pools.
You use Horizon Client to log in to Horizon Connection Server.
Client devices
Users can access their personalized virtual desktop or remote application from a laptop, desktop, thin client, or other device.
Horizon Client
The client software for accessing remote desktops and applications
It installs on a tablet, a phone, a Windows, Linux, or Mac PC or laptop, or a thin client.
Horizon agent
We install the Horizon Agent service on all VMs, physical systems, and Microsoft RDS hosts
that act as sources for remote desktops and applications.
On VMs, this agent communicates with Horizon Client to provide features such as connection monitoring,
virtual printing, Horizon Persona Management, and access to locally connected USB devices.
App Volumes - Managed Application Containers
We deliver applications to desktops by way of virtual disks.
Application Package
A read-only volume that contains any number of Windows applications.
Multiple packages can be mapped to an individual system or user.
Writable volume
A user-specific volume where the user can preserve data.
Writable volumes can be employed to store user-installed applications and local profile information,
such as application settings, application licensing information, and data.
A user can be assigned only one writable volume at a time.
Virtual Desktops
Desktop pools can be built in two ways:
1. We can deploy desktops that run on VMs and physical machines.
2. Create one VM as a golden image, and Horizon can generate a pool of virtual desktops cloned from the golden image
a. Creating a golden image includes creating the VM using vSphere Web Client
b. installing the guest operating system
c. installing VMware Tools
Create Virtual Machine -> Optimized Golden Image -> Image Clones (golden image)
Steps to prepare the Windows virtual machine
The following steps create a Windows virtual machine for use as a golden image:
1. Create a VM in vSphere
2. Install operating system
3. Install VMware Tools
Important:
VMware Tools must be installed immediately after the OS installation.
VMware Tools must be installed before Horizon Agent is installed.
4. Prepare Windows for Remote Desktop deployment
Enable Remote Desktop
5. Prepare Windows for desktop use
Install applications (if required as base image, consider App volume)
6. Configure the Windows firewall service to restart after failures
7. Install Horizon agent
Select components
VMware Horizon Instant Clone Agent (if the image will be used for instant clone VMs)
Horizon Performance Tracker
8. Optimize Windows OS performance
Run OSOT - OS Optimization Tool
9. Prepare the VM as a golden image (master image)
Windows Optimization
Windows was designed for hardware, specifically desktops, and for that hardware to serve one user at a time. Many default Windows settings are unnecessary or even detrimental when applied to a virtual environment.
You can take steps to optimize guest OS performance for a remote desktop deployment.
For Windows VMs that are set up to be virtual desktops, disable the Windows power settings and let the Horizon Connection Server suspend the VM when it is not in use. Suspend must be enabled when the desktop pool is configured.
Best practice is to disable power options for VMs
Windows performance tuning
To improve VM performance, make the following configuration changes:
1. Do not connect a floppy drive, CD, or DVD at startup
2. Disable unused ports, such as COM1, COM2, and LPT
Delete these ports if they are not required.
3. Adjust display properties
a. Select a basic theme
b. Set the background to a solid color
c. Set the screensaver to None.
4. Disable the Windows Search service, unless the user requirements call for it
5. Delete all event logs.
6. Run Disk Cleanup to remove temporary files, empty the Recycle Bin, and remove other unneeded files.
You can make the following additional configuration changes to improve VM performance:
1. Select a high-performance power option
2. Do not set a sleep timer, standby, hibernation, or any other power option that might make the VM unreachable.
3. Remove or minimize system restore points
4. Turn off system protection on the C: drive
5. Disable unnecessary services.
6. Set the sound scheme to No Sounds.
7. Open Windows Media Player and verify the use of default settings.
8. Turn off automatic computer maintenance features.
9. Adjust settings for best performance.
10. Delete hidden uninstall folders in C:\Windows.
11. Delete all hidden update folders except the $hf_mig$ folder
12. Disable paging of the Windows OS
13. Remove Microsoft Messenger
14. Turn off disk performance counters by running the diskperf -n command
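A script that automates a subset of the steps in the two lists above, added here as an example (it is not from the page and is not VMware's OS Optimization Tool); it assumes Windows PowerShell 5.1 running elevated inside the golden image, before Horizon Agent is installed and the image is sealed.

```powershell
# Added example: automate a subset of the tuning steps above. Not VMware's OSOT;
# assumes Windows PowerShell 5.1 run elevated inside the golden image, before the
# Horizon Agent is installed and before the image is sealed.
#Requires -RunAsAdministrator

function Invoke-Step {
    # Run one tuning step and report success or failure without aborting the rest.
    param([string]$Name, [scriptblock]$Action)
    try { & $Action; Write-Host "[ok]   $Name" }
    catch { Write-Warning "[fail] $Name : $($_.Exception.Message)" }
}

# Second list, steps 1-2: High performance plan (well-known scheme GUID) and no sleep,
# standby or hibernation that could make the VM unreachable.
Invoke-Step 'High performance power plan, no sleep or hibernation' {
    powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    foreach ($setting in 'standby-timeout-ac', 'standby-timeout-dc',
                         'hibernate-timeout-ac', 'hibernate-timeout-dc',
                         'monitor-timeout-ac', 'monitor-timeout-dc') {
        powercfg /change $setting 0
    }
    powercfg /hibernate off
}

# Second list, steps 3-4: drop existing restore points and turn off system protection on C:.
Invoke-Step 'System protection off on C:' {
    Disable-ComputerRestore -Drive 'C:\'
    vssadmin delete shadows /for=C: /all /quiet | Out-Null
}

# First list, step 4: the indexer is not worth its I/O on a cloned desktop.
Invoke-Step 'Windows Search service disabled' {
    Stop-Service -Name WSearch -Force -ErrorAction SilentlyContinue
    Set-Service -Name WSearch -StartupType Disabled
}

# First list, step 5: clear the event logs so every clone starts with empty logs.
# Do this only in the golden image; on a running desktop it destroys the audit trail.
Invoke-Step 'Event logs cleared' {
    wevtutil el | ForEach-Object { wevtutil cl "$_" 2>$null }
}

# Second list, step 6: sound scheme "No Sounds" for the profile used to build the image
# (HKCU applies to the current profile only; copy it to the default profile if needed).
Invoke-Step 'Sound scheme set to No Sounds' {
    Get-ChildItem 'HKCU:\AppEvents\Schemes\Apps' -Recurse |
        Where-Object { $_.PSChildName -eq '.Current' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name '(Default)' -Value '' }
    Set-ItemProperty -Path 'HKCU:\AppEvents\Schemes' -Name '(Default)' -Value '.None'
}

# Second list, step 14: stop the disk performance counters.
Invoke-Step 'Disk performance counters off' { diskperf -n | Out-Null }

# Read back the settings a pool most depends on, so the result can be checked
# before the VM is converted to a template.
[pscustomobject]@{
    ActivePowerScheme = (powercfg /getactivescheme)
    WSearchStartType  = (Get-Service -Name WSearch).StartType
    HibernateEnabled  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power').HibernateEnabled
} | Format-List
```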
VMware OS Optimization Tool
https://flings.vmware.com/vmware-os-optimization-tool
https://techzone.vmware.com/resource/vmware-operating-system-optimization-tool-guide
https://techzone.vmware.com/manually-creating-optimized-windows-images-vmware-horizon-vms#_1150977
The optimization tool includes customizable templates to control Windows system services and features, as per best practice across multiple systems.
Manually creating optimized Windows image for VMware Horizon VM
Manually Creating Optimized Windows Image for Horizon VM
Virtual Machine Compute Optimizer
https://flings.vmware.com/virtual-machine-compute-optimizer
The Virtual Machine Compute Optimizer (VMCO) is a PowerShell script and module that uses the PowerCLI module to capture information about the hosts and VMs running in your vSphere environment, and reports back on whether the VMs are configured optimally based on the host CPU and memory.
Steps to prepare the Linux virtual machine
Supported Linux operating systems for Horizon Agent
Product                         Version                 Architecture
-----------------------------------------------------------------------
Ubuntu                          18.04 and 20.04         64-bit
RHEL Workstation                7.8, 7.9, 8.2, 8.3      64-bit
SUSE Linux Enterprise Desktop   12.x / 15.x             64-bit
SUSE Linux Enterprise Server    12.x / 15.x             64-bit
The following steps create a Linux virtual machine for use as a golden image:
1. Create a Linux virtual machine
2. Configure the display and video RAM
such as 64 MB
3. Install the guest Linux operating system
4. Download and install updates
a. apt-get update && apt-get upgrade # Ubuntu
b. dnf update # RHEL
c. yum update # CentOS
5. Install Open VM Tools
sudo ./vmware-install.pl # installer script from the VMware Tools tarball; open-vm-tools is also available from the distribution's package manager
6. Install the dependency packages for Horizon Agent for Linux
a. Ubuntu
sudo apt-get install python python-dbus python-gobject
sudo apt-get install lightdm
b. RHEL
sudo dnf install python python-dbus python-gobject lightdm
7. Install NVIDIA vGPU drivers
8. Set up Active Directory integration
9. Install Horizon agent for Linux
Horizon Agent for Linux Features
The following are the key features supported for Horizon Linux desktops:
1. Instant clone desktops running Linux distributions can perform an offline domain join with Active Directory (AD)
using PowerBroker Identity Services Open (PBISO)
2. Audio input and output redirection
3. Client drive redirection.
4. USB redirection.
5. The Federal Information Processing Standard (FIPS) 140-2
6. H.264 to improve the performance of Blast Extreme for a Horizon desktop, especially over a low-bandwidth network.
7. Manual pool and instant clone floating desktop pool.
8. Multiple monitors.
9. Session collaboration
10. Single sign-on, smart card redirection, and True SSO support
Install the Horizon Agent for Linux
tar -xzvf VMware-horizonagent-linux-x86_64-<xxx>.tar.gz
Where <xxx> is the latest release version
cd VMware-horizonagent-linux-x86_64-<xxx> # the installer runs from the extracted directory
sudo ./install_viewagent.sh
sudo service viewagent status # confirm the agent service is running after installation
Optimizing Linux desktops
To improve desktop performance:
1. Disable Compiz
2. Disable unnecessary services
Bluetooth
Postfix
Netfs
Mdmonitor
3. Install Linux updates
yum check-update # CentOS / RHEL
apt-get update # Ubuntu
4. Select Linux agent version that matches the connection server
Horizon group policy ADMX template files
Horizon ADMX template files provide group policy settings to control and optimize VMware Horizon components.
The Horizon Agent configuration vdm_agent.admx contains policy settings related to the authentication and environmental components of Horizon Agent.
Horizon Agent configuration template settings include:
a. AllowDirectRDP
b. CommandsToRunOnConnect
c. Enable multi-media acceleration
d. Enable flash multi-media redirection (MMR)
e. Force MMR to use software overlay
f. Default Proxy Server
Real-Time Audio-Video Kernel-Mode Webcam Driver
https://kb.vmware.com/s/article/2053754
Guidelines for Using Real-Time Audio-Video with 3rd-Party Applications on Horizon View Desktops (2053754)
Configuring Media Optimization for Microsoft Teams and Skype for Business
https://www.vmware.com/au/products/horizon/skype-for-business.html
Creating Golden Image or Master Image
A VM template is a gold copy of a VM that can be used to create and provision new VMs.
You must create a VM template before you can create an automated pool that contains full VMs
1. A template includes an installed guest OS and a set of applications.
2. You create VM templates in vSphere Client.
3. Create a VM template from a previously configured VM or convert a previously configured VM to a VM template
Horizon Pools
Virtual machine pools deploy desktops from VM templates.
# Important - essential for a desktop pool deployment
1. Proper configuration of the VM templates, applying the steps required
2. Add the desktops to the Horizon Connection Server inventory
Steps to Create Desktop Pool
Desktop pools are logical containers that represent one or more unique use cases. Do these high-level steps to create a desktop pool
- Create a desktop VM based on the requirements of the use case.
- Install a guest OS and VMware Tools.
- Optimize the image.
- Install Horizon Agent.
- Create a VM Template.
- Create a desktop pool based on the requirements of the use case
Creating Templates and Customization Specifications
You can use a VM to create a template for eventual use in an automated pool. Creating a template consists of the following high-level tasks:
1. Remove the VM from the domain.
Important: Remove the VM from the domain
2. Shut down the VM.
3. Convert the new VM to a template.
4. Create a customization specification
a. Set the computer name to the VM name
b. Use DHCP
c. Join the AD domain
d. Generate a new security identifier
e. Delete existing user accounts
f. Do not log in automatically as an administrator
g. Save the customization specification.
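The customization specification from steps a to g, built with PowerCLI as an added example (not code from the page or from VMware's documentation); the vCenter Server name, AD domain, join account and specification name are placeholders.

```powershell
# Added example: build the customization specification described above with PowerCLI.
# Placeholders: vCenter vcsa.example.local, AD domain corp.example.local,
# specification name Horizon-Win10-Golden. Requires the VMware.PowerCLI module.
Import-Module VMware.VimAutomation.Core

$vcenter  = 'vcsa.example.local'
$specName = 'Horizon-Win10-Golden'
$adDomain = 'corp.example.local'

Connect-VIServer -Server $vcenter | Out-Null

# Prompt for the join account so its password never lands in the script or shell history.
# Use a least-privilege join account, not a domain admin.
$joinCred  = Get-Credential -Message 'AD join account for deployed desktops'
# New-OSCustomizationSpec takes the local administrator password as a plain string,
# so it is prompted as a SecureString and converted only at the call site.
$adminPass = Read-Host -AsSecureString -Prompt 'Local administrator password for deployed VMs'

# Steps a, c, d, e, f: computer name = VM name, join the domain, generate a new SID,
# delete existing user accounts, and never log in automatically as administrator.
$spec = New-OSCustomizationSpec -Name $specName -Type Persistent -OSType Windows `
    -FullName 'Horizon User' -OrgName 'Example Corp' `
    -NamingScheme Vm `
    -Domain $adDomain -DomainCredentials $joinCred `
    -ChangeSid `
    -DeleteAccounts `
    -AutoLogonCount 0 `
    -AdminPassword (New-Object System.Net.NetworkCredential('', $adminPass)).Password `
    -Description 'Horizon golden image spec: VM name, DHCP, domain join, new SID'

# Step b: switch the NIC mapping created with the spec to DHCP.
Get-OSCustomizationNicMapping -OSCustomizationSpec $spec |
    Set-OSCustomizationNicMapping -IpMode UseDhcp | Out-Null

# Step g is implicit: a Persistent spec is saved in vCenter Server when it is created.
# Verification: read the spec back and show the settings the pool depends on.
$check = Get-OSCustomizationSpec -Name $specName
[pscustomobject]@{
    Name           = $check.Name
    NamingScheme   = $check.NamingScheme
    Domain         = $check.Domain
    ChangeSid      = $check.ChangeSid
    DeleteAccounts = $check.DeleteAccounts
    AutoLogonCount = $check.AutoLogonCount
    NicIpMode      = (Get-OSCustomizationNicMapping -OSCustomizationSpec $check).IPMode
} | Format-List

Disconnect-VIServer -Server $vcenter -Confirm:$false
```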
Testing Deployment and Customization
To test deployment and customization, do the following high-level steps
1. Deploy a new VM from the template to test the customization specification.
2. Confirm information about the new VM
a. Does it successfully deploy
b. Is the VM automatically joined to the AD domain
c. Is the VM registered in the DNS forward and reverse zones
3. Power off the VM.
4. Confirm that the deployed VM is a valid VMware Horizon VM by creating a manual pool.
Add Virtual Machines from Image Catalog
Instead of creating and optimizing the VM for your automated pool, you can use an existing managed image from the image catalog.
Prerequisites
a. Horizon Universal License
b. Horizon pod must be Cloud-connected to Horizon Cloud Service using Horizon Cloud Connector.
c. Establish authentication trust between all the vCenter Server instances that contain managed images.
d. Prepare an image in vCenter and import the image into the Horizon Cloud Image Catalog
e. Publish the image.
3D Rendering for Desktops
Horizon desktop pools can be configured with the following types of graphics rendering:
1. Disabled
2. Hardware
VMs do not start unless a hardware GPU is installed on the host.
3. Software
Allows users to run DirectX 9 and OpenGL 2.1 applications without requiring a physical GPU,
even if one is installed on the host, for less demanding 3D applications such as Microsoft Office 2010 and Google Earth.
4. Automatic
Uses hardware 3D when available. When hardware 3D is unavailable, the desktop falls back to software 3D rendering.
5. Manage using vSphere Client
Configure graphics for each desktop separately through the vSphere Client
Useful for testing or manual desktop pools.
Desktops can take advantage of Virtual Shared Graphics Acceleration (vSGA), Virtual Dedicated Graphics Acceleration (vDGA), or shared GPU hardware acceleration (NVIDIA GRID vGPU)
Enabling Horizon Storage Accelerator
You can enable View Storage Accelerator for desktop pools so that ESXi hosts cache VM disk data:
- Enables desktops to read common data blocks from the ESXi host's cache instead of from the disks during I/O storms, such as when multiple VMs power on or run antivirus scans at the same time.
- Lowers the demand on the storage array, so less storage I/O bandwidth is needed to support your VMware Horizon deployment.
- Verify that the Enable Horizon Storage Accelerator option is selected for the vCenter Server.
Group Policy Administrative Templates
Horizon includes several component-specific ADMX template files that can be used to provide group policy settings that allow you to control and optimize Horizon components.
Restricted Entitlements
Using restricted entitlements, you associate one or more pools with a specific connection server.
- By default, all pools are accessible by way of any Horizon Connection Server.
- Restrict a pool to a Horizon Connection Server by assigning both with the same tag label.
Important:
Assign the pool and connection server with the same tag label, such as
a. Internal
b. External
- Tags can be alphanumeric strings with no spaces.
- The user can access a desktop in a pool only if the user is entitled to the desktop and is connected to the correct Horizon Connection Server.
Tag-Matching Rules
Connection Server      Pool                Access Permitted
--------------------------------------------------------------------------
No tags                No tags             Yes
No tags                One or more tags    No. If a pool has a tag, then at least one
                                           connection server must have the same tag
One or more tags       No tags             Yes
One or more tags       One or more tags    Only when tags match
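The tag-matching rules above applied to a small inventory, as an added example (not VMware code): it reports pools that no connection server can reach and untagged pools that are reachable through the External server. The server and pool names are constructed; in a real deployment the tags come from the Horizon console or API.

```powershell
# Added example: evaluate the tag-matching table above against an inventory and
# flag misconfigurations. Not VMware code; the inventory below is constructed.

function Test-PoolAccess {
    param(
        [string[]]$ServerTags,   # tags on the connection server (may be empty)
        [string[]]$PoolTags      # tags on the pool (may be empty)
    )
    # Rows 1 and 3: an untagged pool is reachable from every connection server.
    if ($PoolTags.Count -eq 0) { return $true }
    # Row 2: a tagged pool is never reachable from an untagged connection server.
    if ($ServerTags.Count -eq 0) { return $false }
    # Row 4: both tagged, access only when at least one tag is shared
    # (compared case-insensitively here, PowerShell's default for -contains).
    return @($ServerTags | Where-Object { $PoolTags -contains $_ }).Count -gt 0
}

# Constructed inventory; tags are alphanumeric with no spaces, as the notes require.
$servers = @(
    @{ Name = 'cs-internal-01'; Tags = @('Internal') }
    @{ Name = 'cs-internal-02'; Tags = @('Internal') }
    @{ Name = 'cs-external-01'; Tags = @('External') }
    @{ Name = 'cs-legacy-01';   Tags = @() }
)
$pools = @(
    @{ Name = 'Finance-Desktops'; Tags = @('Internal') }
    @{ Name = 'Contractor-Apps';  Tags = @('External') }
    @{ Name = 'Kiosk';            Tags = @() }
    @{ Name = 'HR-Secure';        Tags = @('HRonly') }   # tag that no server carries
)

function Get-PoolAccessReport {
    param($Servers, $Pools)
    # Servers carrying the External tag are the ones reached from outside the network.
    $externalServers = @($Servers | Where-Object { $_.Tags -contains 'External' } |
        Select-Object -ExpandProperty Name)
    foreach ($pool in $Pools) {
        $reachableFrom = @($Servers |
            Where-Object { Test-PoolAccess -ServerTags $_.Tags -PoolTags $pool.Tags } |
            Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            Pool              = $pool.Name
            PoolTags          = ($pool.Tags -join ',')
            ReachableFrom     = ($reachableFrom -join ',')
            # Finding 1: a tagged pool that no server matches cannot be reached at all.
            Unreachable       = ($reachableFrom.Count -eq 0)
            # Finding 2: the pool is exposed through an External-tagged server,
            # which for an untagged pool is usually unintended.
            ExposedExternally = (@($reachableFrom | Where-Object { $externalServers -contains $_ }).Count -gt 0)
        }
    }
}

Get-PoolAccessReport -Servers $servers -Pools $pools | Format-Table -AutoSize
```

In the constructed inventory, HR-Secure is reported as unreachable and Kiosk as exposed externally; the fix is either to tag a connection server HRonly or to tag Kiosk Internal.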
Global policies and overriding pool-level policies
Global policies apply to all desktops; global policies can be overridden for a specific pool or desktop.
Overriding User-Level Policies
You can configure user-level policies to affect distinct users. User-level policy settings take precedence over the equivalent global and pool-level policy settings.
VMware Horizon Client Options
With VMware Horizon Clients for Windows, Mac, iOS, Linux, Chrome, and Android you can connect to your VMware Horizon virtual desktop from your device of choice giving you access from any location.
SSO Timeout Configuration
When Horizon Client connects with Horizon Connection Server, SSO is enabled by default. You can configure a timeout for entering user SSO credentials.
1. Configure SSO timeout by selecting Settings -> Global Settings or by setting a time limit in Horizon LDAP.
2. You can configure the grace period for logging out after a warning displays.
Horizon Performance Tracker Feature
The Horizon Performance Tracker is a utility that runs in a remote desktop and monitors the display protocol performance and system resource use.
- Enable the Horizon Performance Tracker on a virtual desktop when installing the agent.
- Run Horizon Performance Tracker inside a remote desktop
The Horizon Performance Tracker is a setup option in the Horizon Agent installer.
Configuring VMware Horizon Client
The vdm_client.admx file is a template for the AD GPOs that can be opened and centrally managed with the Microsoft Group Policy Editor.
- The client system must be a member of the AD.
- RDP settings for the client are user-based.
- The GPO must also be applied to the user organizational unit (OU).
- USB policy settings can be defined for both Horizon Agent and Horizon Client.
URL Content Redirection
Redirects designated URLs (such as URLs outside the intranet) to open in a client or agent desktop.
- Agent-to-Client redirection: Horizon Agent sends the URL to Horizon Client, which opens the URL in the default browser on the client VM.
- Client-to-Agent redirection: Horizon Client opens a remote desktop, and the link is opened in the default browser for the protocol on that desktop.
Supported browsers: Internet Explorer, Chrome, and Microsoft Edge
When installing Horizon Agent and Horizon Client from the command line, use the /v option to enable URL content redirection:
/v URL_FILTERING_ENABLED=1
The urlRedirection-enUS.admx template file contains settings that enable you to control whether a URL link is opened on the client (agent-to-client redirection), in a remote desktop, or application (client-to-agent redirection)
Configuring Client-to-Agent Redirection
You can configure and manage client-to-agent redirection settings by running vdmutil commands on the Horizon Connection Server host:
1. Create a URL content redirection
vdmutil --createURLSetting --urlSettingName url-filtering
--urlRedirectionScope GLOBAL [--description value] [--urlScheme value]
[--entitledApplication value | --entitledDesktop value] [--agentURLPattern value]
2. Assign URL Content Redirection to AD users or groups
vdmutil --addUserURLSetting --urlSettingName value --userName value
3. Enable the URL Content Redirection feature in Horizon Agent.
Client Drive Redirection - CDR
Client drive redirection enables users to access files and folders on the endpoint from within a VDI session.
When you deploy Horizon Client and Horizon Agent with CDR, folders and files are sent across the network with encryption. The ADMX template file vdm_agent_cdr.admx contains policy settings related to the CDR feature.
Enabling and Configuring Session Collaboration
To invite users to join a remote desktop session, enable Allow Session Collaboration:
- At the desktop pool level for VDI desktops
- At the farm level for RDS hosts
- You can use group policy settings to configure the session collaboration feature.
VMware Integrated Printing
VMware Integrated Printing supports:
1. Client printer redirection
Users print from a remote desktop to any local or network printer that is available on their client computer.
2. Location-based printing
Map printers that are physically near client systems to remote desktops,
enabling users to print to network printers from their remote desktops.
Instant Clone
Requirements for Instant Clones
The requirements for instant clones include:
# Infrastructure requirements:
1. Horizon Connection Server (Horizon 7 or later)
2. Horizon Agent (Version 7 or later) with Instant Clones feature installed
3. Supported version of vSphere
# Golden image requirements:
1. Virtual Hardware 11
2. VMXNET3
3. Windows 10 and Linux
4. Port group with static binding (if using DVS)
5. Ephemeral binding not supported
Note:
Certain services and tasks in the golden image desktop can cause the OS disk of an instant clone to expand incrementally,
even if the VM is idle. If we disable these services and tasks, we can control the OS disk growth.
Instant Clone Desktop
Instant clones are identical virtual desktops, provisioned just-in-time by cloning a golden image in vCenter Server
- When a user tries to log in, instant clones are created instantly in a powered-on state, ready for users to connect to.
- The golden image used for cloning Instant clones is a powered-on VM. Being powered-on allows better provisioning, updates, and memory use.
- Clones share the disk and memory of the golden image for reads, resulting in space and memory efficiency.
- Clones simplify desktop management and patching for administrators.
# In making an instant clone
a. A running golden image is quiesced and hot-cloned to produce derivative VMs.
b. The child VM uses the Copy-On-Write technique
# Instant clones have the following compatibility requirements:
1. vSphere 6.0 Update 1 or later.
2. Virtual machine hardware version 11 or later.
As a best practice, configure distributed virtual switches in the vSphere environment.
It is mandatory to configure distributed virtual switches in the vSphere environment for dedicated instant clones.
# Instant clones have the following multi-LAN compatibility requirements:
1. vSphere 6.0 Update 1 or later.
2. ESXi 6.0 U1 or newer.
3. Virtual distributed switch only. There is no support for the standard switch.
4. Port group can be static, dynamic, or ephemeral.
An instant-clone desktop pool has the following key characteristics:
1. The provisioning of instant clones is faster than View Composer linked clones.
2. Instant clones are always created in a powered-on state, ready for users to connect to.
Guest customization and joining the Active Directory domain are completed as part of the initial power-on workflow.
3. For dedicated instant-clone desktop pools, users are assigned a particular remote desktop and return to the same desktop at each login.
When a user logs out, a resync operation on the golden image retains the VM name and the MAC address and IP address of the VM after logoff.
You can optionally configure the instant-clone desktop pool not to refresh after logoff.
4. For floating instant-clone desktop pools, users are assigned random desktops from the pool.
When a user logs out, the desktop VM is deleted.
New clones are created according to the provisioning policy, which can be on-demand or up-front.
5. With the push-image operation, you can re-create the pool from any snapshot of any golden image.
You can use a push image to roll out operating system and application patches.
6. When clones are created, Horizon 7 selects a datastore to achieve the best distribution of the clones across the datastores.
No manual rebalancing is necessary.
7. View storage accelerator is automatically enabled.
8. Transparent page sharing is automatically enabled.
9. Instant clones and Storage vMotion are compatible.
When you create an instant-clone desktop pool on a Storage DRS datastore,
the Storage DRS cluster does not appear in the list in the desktop pool creation wizard.
However, you can select individual Storage DRS datastores.
10. In Horizon 7 version 7.0.3 or later, internal validation checks determine if the instant clone and internal template
have valid IP addresses and a network connection.
If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails.
11. You can add a Virtual Trusted Platform Module (vTPM) device to instant clone desktop pools.
a. To set up the Key Management Server cluster, which is a prerequisite,
see Set up the Key Management Server Cluster in the vSphere Security document.
b. For compatibility requirements, see Securing Virtual Machines with Virtual Trusted Platform Module in the vSphere Security document.
c. The golden image used for vTPM instant clone pools must have VBS (virtualization-based security) enabled when the VM is created,
as well as the local security policy set to enable VBS inside the guest.
d. You can also select or deselect the option to add or remove a vTPM during a push-image operation.
When the golden image is quiesced, a script cleans up certain aspects of the golden image. The clean-up of the golden image allows the child VMs to receive a unique media access control (MAC) address, a universally unique identifier (UUID), and other information when they are instantiated.
Smart Provisioning
Low-density instant clone pools (fewer than 12 clones per host in the selected cluster) are provisioned directly from the replica VM without a golden image.
- Eliminating golden images for smaller pools results in memory and disk space savings.
- Used when the benefit of memory utilization outweighs fast provisioning, for example vGPU provisioning and RDSH server provisioning.
If the initial size of an instant clone pool is less than 12 VMs per host but the pool is later increased:
- A pool is initially created without a golden image.
- When the pool size is above the minimum density level, a golden image is added, and all new instant clones are created from the golden image.
- When the existing instant clones that were created without a golden image are logged off, they are recreated from the golden image.
- Enabled by default.
If the initial size of an instant clone pool is greater than 12 VMs per host but the pool is later reduced to 12 or fewer clones per host:
- A pool is initially created with a golden image.
- When the pool size drops below the minimum density level, new VMs are created without a golden image, and on logoff the existing instant clones switch from being created with a golden image to being created without one.
Instant clones have the following restrictions:
1. Virtual volumes and VAAI native NFS snapshots are not supported.
2. Sysprep and QuickPrep are not available to customize your desktop;
ClonePrep is used instead.
3. Persona management is not supported.
You cannot set a minimum number of ready (provisioned) VMs during instant clone maintenance operations. This feature is not required because the speed of creating instant clones means that some desktops are always available even during maintenance operations.
Instant clone components
The instant clone creation process generates the following components in vCenter Server:
1. Golden VM (Per Pool)
|
2. Template (Per Pool)
|
3. Replica (Per Datastore)
|
4. Parent (Per Host Per Datastore)
|
5. Desktop VMs
Configuring the golden image
Before we create the instant clone pool, we must prepare and configure the golden image:
- Create a golden image.
- Perform application installation and optimization.
- Use the OS Optimization Tool.
- Install Horizon Agent with the instant clone component.
Note:
a. Select the Instant Clone component.
b. DO NOT select the Composer component.
- Configure other compatible agents, such as App Volumes and FlexEngine (Dynamic Environment Manager).
Template VM files
VMware Horizon creates a clone of the golden image snapshot:
- cp-template, stored in the folder ClonePrepInternalTemplateFolder
- Uses little disk space
- The template is powered on during cloning and then powered off
Replica VM files
The replica VM files have the following characteristics:
1. The replica is a full clone of the template VM.
2. The replica is thin provisioned.
3. It is named cp-replica-[GUID] in vCenter Server in the ClonePrepReplicaVmFolder folder.
4. The replica has shared read disk for desktop VMs
Parent VMs
Before deploying an instant clone pool, we need to prepare a golden image in vCenter Server. The parent VM created from the golden image has the following characteristics:
1. In a powered-on state,
so that the cloned desktop VMs can use its memory and disk pages for read operations.
2. To facilitate forking, a copy of the golden image is created on every host and every datastore in the cluster.
3. Named cp-parent-[GUID] in vCenter Server, in ClonePrepParentVmFolder.
# The parent VM files
1. The parent VM is powered on; as a result, the vswap file size is equal to the allocated virtual memory.
2. A small delta disk captures the disk-write I/O created during the start-up process, alongside the VMX overhead and vswap files.
3. Placed in the ClonePrepReplicaVmFolder folder
Desktop VM Files
A desktop VM has the following characteristics:
- It is named as defined in the Pool Settings in the VMware Horizon console.
- It is stored in the datastores selected for desktops in the Pool Settings.
- It uses little disk space, which can grow over time; the VM is deleted when the user logs out.
Instant clone engine domain account requirements
Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account on the container for the instant-clone computer accounts.
1. Log in to the Horizon Connection Server administration console
2. Navigate to Settings -> Domains
3. Select Instant Clone Engine Domain Accounts
4. Click Add
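The delegation described above (Create Computer Objects, Delete Computer Objects and Write All Properties on the container for the clone computer accounts) scripted with dsacls and verified afterwards, as an added example that is not VMware's code; the OU distinguished name and the account name are placeholders, and it assumes a domain-joined admin host with RSAT installed.

```powershell
# Added example (not VMware's code): grant the instant-clone engine account only the
# three permissions listed above, scoped to the OU holding the clone computer accounts,
# then read the ACL back. Placeholders: the OU DN and the account below.
# Run as an account allowed to modify the OU's ACL, on a host with RSAT.
Import-Module ActiveDirectory

$ou      = 'OU=InstantClones,OU=Horizon,DC=corp,DC=example,DC=local'   # placeholder OU
$account = 'CORP\svc-horizon-ic'                                        # placeholder account

# Fail early if the OU DN is wrong rather than writing an ACE somewhere unintended.
try { $null = Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop }
catch { throw "OU not found: $ou" }

function Grant-Ace {
    param([string]$ObjectDn, [string]$Inherit, [string]$Grant)
    # dsacls: /I:T = this object and descendants, /I:S = descendants only,
    # /G <trustee>:<rights>;<object type>;<inherited object type>
    dsacls $ObjectDn "/I:$Inherit" /G $Grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$Grant' on $ObjectDn" }
}

# Create Computer Objects and Delete Computer Objects: CC (create child) and DC (delete
# child) restricted to the computer object class, on the OU and any sub-OUs.
Grant-Ace -ObjectDn $ou -Inherit 'T' -Grant "${account}:CCDC;computer"

# Write All Properties: WP on descendant computer objects only, nothing on the OU itself.
Grant-Ace -ObjectDn $ou -Inherit 'S' -Grant "${account}:WP;;computer"

# Verification: dsacls with no switches prints the ACL; keep only this account's lines.
# Expect two Allow entries for the account and nothing broader (no Full Control,
# and no rights granted at the domain root).
dsacls $ou | Select-String -SimpleMatch $account
```

The account is then entered under Settings -> Domains -> Instant Clone Engine Domain Accounts as in steps 1 to 4 above; keeping it out of Domain Admins limits what a compromised Connection Server could do in AD.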
Create instant clone desktop pools process
Creating an instant-clone desktop pool follows the same high-level workflow as when creating other desktop pools:
- Create the golden image
- Take a snapshot of the golden image
- Create an instant clone desktop pool
- Entitle the desktop pool
- Deploy the desktop
ClonePrep
ClonePrep is the VMware guest customization tool for instant clones. It performs the following customizations:
- Change the VM name.
- Change the VM password.
- Join the instant clone to an Active Directory domain.
- Activate Microsoft licensing using a KMS server.
No power cycle operations are required with ClonePrep; Sysprep and QuickPrep are not supported.
vSphere DRS, vSphere HA and vSphere vMotion support
- Initial host placement of desktops is done by the instant-clone engine.
- vSphere DRS can move desktops after an initial placement.
- vSphere HA is supported to start desktops after a host failure.
- vSphere vMotion is supported but not vSphere Storage vMotion
Instant Clone Maintenance Operations
Change the image of an instant clone desktop pool to push out changes or to revert to a previous image.
The Maintain drop-down menu contains three options: Schedule, Reschedule, and Cancel.
1. Log in to the Horizon Connection Server administration console
2. Navigate to Inventory -> Desktops
3. Select the desktop pool
4. Under Summary, open the Maintain drop-down menu and select one of the options:
a. Schedule
b. Reschedule
c. Cancel
When a push image is scheduled, the priming occurs immediately even if the scheduled time to push it is in the future. As such, priming can be a background task before the actual push of the desktops occurs.
Publishing events are tracked in Events Database and can be viewed under the Events tab in Pool Details.
Duplicate an Automated Desktop Pool in Horizon Console
You can duplicate an automated desktop pool from an existing pool. When you duplicate a pool, the existing desktop pool's settings are copied into the duplicate desktop pool, allowing you to create a new pool without having to fill in each setting manually.
With this feature, you can streamline pool creation because you do not have to type every option in the wizard to add a desktop pool. You can ensure that desktop pool attributes are standardized by using the pre-filled values in the wizard.
# Duplicate an Automated Desktop Pool
a. You can duplicate automated desktop pools that contain full virtual machines, linked clones, or instant clones.
b. You cannot duplicate manual desktop pools, or published desktop pools.
When you duplicate a desktop pool, you cannot change certain settings:
- Desktop pool type
- Clone type, either instant clone, linked clone, or full virtual machine
- User assignment, either dedicated or floating
- vCenter Server instance
Clone an Automated Desktop Pool
You can clone an automated desktop pool from an existing pool. When you clone a pool, the existing desktop pool's settings are copied into the Add Desktop Pool wizard, allowing you to create a new pool without having to fill in each setting manually.
With this feature, you can streamline pool creation because you do not have to type every option in the Add Desktop Pool wizard. You can ensure that desktop pool attributes are standardized by using the pre-filled values in the wizard.
# Clone an Automated Desktop Pool
a. You can clone automated desktop pools that contain full virtual machines or View Composer linked clones.
b. You cannot clone automated desktop pools of instant clones, manual desktop pools, or RDS desktop pools.
When you clone a desktop pool, you cannot change certain settings:
- Desktop pool type
- Clone type, either linked clone or full virtual machine
- User assignment, either dedicated or floating
- vCenter Server instance
Microsoft Remote Desktop Service Desktop and Application Pools
Application pools require Remote Desktop Services (RDS) running on Windows Server hosts, which must be properly configured. For maximum performance, the session load must be balanced across Remote Desktop Session Hosts (RDSH). VM Application Pools allow you to stream applications from Windows 10 desktops to devices that support the Horizon Client.
Published Desktops and Published Applications
We can create published desktops associated with an RDS farm, and published applications that run on RDS hosts.
Key concepts
- Remote Desktop Session Host (RDSH): A VM or a physical server that hosts applications and desktop sessions to access remotely.
- Remote Desktop Session farm: A group of individual RDSHs that are considered equivalent by VMware Horizon.
- RDS Application pool: One or more RDSHs in one or more farms that host entitled applications.
- RDS Desktop pool: An entitled desktop pool hosted by an RDSH in one or more farms.
The Remote Desktop Session Host (RDSH) server requires the following:
- Remote Desktop Service Host role installed
- Remote Desktop licensing
Installing Horizon Agent for RDSH Automated Pool
Install Horizon Agent in the RD Session Host golden image. The Horizon agent performs the following functions:
- Communicates with Horizon Connection Server.
- Supports the PCoIP and BLAST protocols.
Start menu shortcut
Add application shortcuts to the desktop and Start menu of Windows client devices. You can use Horizon Console to create shortcuts for the following types of VMware Horizon resources.
- Published applications
- Desktops
- Global entitlements
# How to create start menu shortcut
1. Edit the application pool and click Browse under Category Folder
2. In the Category Folder pop-up window, choose "Select a category folder from the folder list"
a. Shortcut location
i. StartMenu/Launcher
ii. Desktop
RDSH Instant Clones
RDSHs can be rapidly provisioned to populate an application farm using instant clones. Like an instant-clone pool, an instant-clone farm is created from a golden image using the vmFork technology.
RDSH Immediate Maintenance
Immediate maintenance process
1. Old RDSHs are deleted
2. New golden images are created if updating to a new snapshot
3. New RDSH instant clones are created
4. A minimum number of RDSHs are kept available during maintenance
RDSH Recurring Maintenance
Recurring maintenance is for all RDS servers on a farm
1. Schedule daily, weekly, or monthly.
2. Delete and recreate the RDSH instant clones.
3. Update to a new gold snapshot.
4. Subsequent times use the same gold snapshot.
5. A minimum number of RDSHs remain available during maintenance.
# Use cases
a. Regular regeneration of the RDSH instant clones.
b. Automatically keep the farm in optimal condition.
RDS Server Load Index
In RDS farms, we can view the Server Load Index in the VMware Horizon console dashboard. The index ranges from 0 (no load) to 100 (full load).
Horizon Monitor
In Horizon console, navigate to Monitor section.
1. Under System Health, click View
2. From the left navigation pane select Components, and right pane tabs
a. The Connection Servers
b. Gateway
c. Event Database
d. View Composer Servers
e. True SSO
These tabs display information about the service components, which we can use to perform troubleshooting tasks.
Help Desk tool
Use the Help Desk tool to get the status of VMware Horizon user sessions and to perform troubleshooting and maintenance operations
1. Click Monitor > Help Desk.
2. Enter a user name in the search bar at the top of the page to view a user session status.
Horizon Connection Server
Horizon Connection Server has the following features
1. It is a desktop connection broker that maintains a VM assignment
a. Includes Horizon Console for complete Horizon infrastructure configuration
b. Configurations managed by AD LDS: No external database required
2. Uses a vCenter Server instance to provision VMs
a. Existing VMs are dedicated to a user
b. Automated pools of full and instant-clone VMs.
3. Users are matched to these VMs with:
a. Dedicated user assignments
b. Floating user assignments
4. Authenticates users with Active Directory (AD) and directs the request to the appropriate VM, physical PC, or Microsoft RDS host.
5. Establishes secure connections between users and remote desktops and applications.
6. Entitles users to specific desktops and pools
Horizon Connection Server supports:
- True SSO
- RSA SecurID
- RADIUS
- Smart-card authentication
Horizon Connection Server System Requirements
Horizon Connection Server has the following requirements:
1. 4 vCPUs minimum
2. 4 GB RAM minimum; 10 GB for deployments of 50 or more desktops
3. Windows Server 2012 R2 or later
4. Network
a. Static IP address
b. Cloud Pod Architecture is required for a group of replicated Connection Server instances spread across networks.
Horizon Connection Server installation types:
1. Horizon Standard Server: the first Horizon server installation in the Horizon pod.
2. Horizon Replica Server: the second and subsequent installations, up to 6 replicas in the same Horizon pod.
3. Horizon Enrollment Server
The AD DS and AD LDS tools must be installed on the Connection Server.
Horizon Connection Server deployment options
Deployment options
1. General (vSphere On-Premises)
2. AWS (VMware Cloud on AWS)
3. Dell EMC (VMware Cloud on Dell EMC)
4. Azure (Azure VMware Solution)
5. Google Cloud (Google Cloud VMware Engine)
6. Oracle Cloud (Oracle Cloud)
Horizon Enrollment Server
The enrollment server requests short-lived certificates on behalf of the users you specify. These short-term certificates are the mechanism True SSO uses for authentication to avoid prompting users for Active Directory credentials.
You must install and set up at least one enrollment server, and the enrollment server cannot be installed on the same host as Connection Server. VMware recommends that you have two enrollment servers for purposes of failover and load balancing. If you have two enrollment servers, by default one is preferred and the other is used for failover. You can change this default, however, so that the connection server alternates sending certificate requests to both enrollment servers.
Horizon Connection Server Deployment Options Considerations
The deployment type cannot be edited. If the wrong deployment type is selected during installation, the following steps must be taken:
- Uninstall the Connection Server and the LDAP instance.
- Reinstall using the appropriate deployment type or install it on a new virtual machine.
In a multi-cloud deployment, consider the following:
- You must use a separate Horizon pod for each deployment type.
- All the Connection Servers in a Horizon pod must have the same deployment type.
- The option to choose a deployment type is presented only during the standard server installation. All subsequent replica installations inherit the same deployment type.
Horizon Console access
https://<horizon-server>/admin
Add vCenter Server system to Horizon
After successful deployment of the first Horizon server, enter the license and then add vCenter server system to Horizon.
1. The vCenter Server system can be outside the domain.
2. The account used must have certain vCenter Server privileges.
If a VMware Horizon administrator is not an administrator in vCenter Server, you must assign a vCenter Server role that permits Horizon Connection Server to perform its operations.
Enabling View Storage Accelerator on the Horizon vCenter Server configuration page can improve storage read throughput:
1. To use this feature for a desktop pool, you must explicitly enable View Storage Accelerator for each desktop pool.
2. The setting here only permits the ESXi hosts to support the caching operation.
Configuring Syslog Servers and Flat-File Shares
You can configure a Syslog server, a flat-file location, or both. Multiple Syslog servers and one flat-file location can be configured.
The flat-file location requires a Universal Naming Convention (UNC) path to the shared file and credentials to access the UNC.
Data can be sent to a Syslog server or to a flat file.
- For a Syslog server, you need the DNS name or IP address of the Syslog server and its UDP port number (the default is port 514).
- If you enable file-based logging of events, events are stored in a local log file.
The default destination of the Syslog output is
%PROGRAMDATA%\VMware\VDM\events\
It is also possible to use the vdmadmin command to configure file-based logging of events in Syslog format.
AD LDS database
The easiest way to connect to the AD LDS database is by using ADSI Edit (Active Directory Service Interfaces Editor). ADSI Edit is available on any Windows Server that has the Horizon Connection Server software installed.
1. Open adsiedit.msc
2. Configure the connection settings
a. Path
LDAP://localhost:389/dc=vdi,dc=<domain>,dc=<name>
b. Connection Point
Select or type a Distinguished Name or Naming Context
dc=vdi,dc=<domain>,dc=<name>
c. Computer
Select or type a domain or server (Server | Domain [:port])
localhost:389
To verify AD LDS replication between Horizon standard server and replica servers
repadmin /showrepl localhost:389 DC=vdi,dc=<domain>,dc=<name>
Verify both inbound and outbound replication
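Reading `repadmin /showrepl` by eye across several replica servers is error-prone, and the check above asks for both directions. The following Python script, added here as an example and not part of the original notes, parses that output and lists every inbound or outbound neighbor whose last attempt failed. The sample output embedded in it is constructed in the layout repadmin prints (placeholder host names, GUIDs, timestamps and a `DC=vdi,DC=example,DC=corp` naming context); on a real Connection Server you would redirect the command's output to a file and pass that file as the argument.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout printed by `repadmin /showrepl`; host names,
# GUIDs, timestamps and the naming context are placeholders, not values from a real pod.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\HZN-CS01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationID: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ======================================

DC=vdi,DC=example,DC=corp
    Default-First-Site-Name\\HZN-CS02 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2024-03-01 10:15:22 was successful.
    Default-First-Site-Name\\HZN-CS03 via RPC
        DSA object GUID: ffffffff-0000-1111-2222-333333333333
        Last attempt @ 2024-03-01 10:15:30 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2024-02-29 22:03:11.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=vdi,DC=example,DC=corp
    Default-First-Site-Name\\HZN-CS02 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2024-03-01 10:15:22 was successful.
"""


@dataclass
class ReplLink:
    direction: str                      # "inbound" or "outbound"
    partition: str                      # naming context, e.g. DC=vdi,...
    partner: str                        # site\server of the replication partner
    last_attempt: str = ""
    ok: bool = False
    result_code: Optional[int] = None   # Win32 error of a failed attempt, e.g. 1722
    consecutive_failures: int = 0


# A neighbor line is indented exactly four spaces: "    Site\Server via RPC"
NEIGHBOR_RE = re.compile(r"^\s{4}(\S+\\\S+) via (\S+)")
ATTEMPT_RE = re.compile(r"Last attempt @ (\S+ \S+) (?:(was successful)|failed, result (\d+))")
FAILS_RE = re.compile(r"(\d+) consecutive failure")


def parse_showrepl(text: str) -> List[ReplLink]:
    """Turn repadmin /showrepl output into one ReplLink per neighbor per direction."""
    links: List[ReplLink] = []
    direction, partition = "inbound", ""
    current: Optional[ReplLink] = None
    for line in text.splitlines():
        if line.startswith("==== INBOUND"):
            direction = "inbound"
            continue
        if line.startswith("==== OUTBOUND"):
            direction = "outbound"
            continue
        if line.startswith(("DC=", "CN=")):      # naming-context header for the neighbors below
            partition = line.strip()
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            current = ReplLink(direction, partition, m.group(1))
            links.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            current.last_attempt = m.group(1)
            current.ok = m.group(2) is not None
            current.result_code = int(m.group(3)) if m.group(3) else None
            continue
        m = FAILS_RE.search(line)
        if m:
            current.consecutive_failures = int(m.group(1))
    return links


def replication_problems(text: str) -> List[ReplLink]:
    """Neighbors whose last attempt failed, in either direction."""
    return [link for link in parse_showrepl(text) if not link.ok]


def partition_healthy(text: str, partition: str) -> bool:
    """True only if the partition has at least one neighbor and every attempt succeeded."""
    links = [l for l in parse_showrepl(text) if l.partition.lower() == partition.lower()]
    return bool(links) and all(l.ok for l in links)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SHOWREPL
    for link in replication_problems(text):
        print(f"{link.direction:8} {link.partition} <- {link.partner}: "
              f"result {link.result_code}, {link.consecutive_failures} consecutive failure(s)")
```

Run as `python check_repl.py repl.txt` after `repadmin /showrepl localhost:389 DC=vdi,dc=<domain>,dc=<name> > repl.txt`; with no argument it runs over the constructed sample and reports the HZN-CS03 link.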
Authentication and Certification
Before you can configure SAML 2.0 (Security Assertion Markup Language) to delegate authentication to a Workspace ONE portal, you must meet these prerequisites:
- Pair a Horizon Connection Server instance with a SAML 2.0 authentication server.
- Set up your SAML 2.0 authenticator server with a signed certificate authority (CA) certificate.
- Install and configure Workspace ONE.
The Workspace ONE portal and VMware Horizon integration uses the SAML 2.0 standard to establish a relationship of mutual trust, which is essential for single sign-on (SSO):
- When SSO is configured and enabled, users who log in to Workspace ONE with AD credentials can use remote desktops and applications without repeated logins.
- When Workspace ONE and VMware Horizon are integrated, Workspace Portal Manager generates a unique SAML artifact whenever a user logs in to Workspace ONE and clicks a desktop or application icon. Workspace Portal Manager uses this SAML artifact to create a uniform resource identifier (URI). The URI contains data about the Horizon Connection Server instance where the desktop or application pool resides.
Configuring a SAML 2.0 authenticator to delegate authentication to VMware Workspace ONE portal requires these prerequisites:
- Workspace ONE portal is installed and configured.
- Horizon Connection Server is paired with a SAML 2.0 Authentication server.
- SAML 2.0 authenticator applies a certificate signed by a certificate authority (CA).
Setting up a Workspace ONE and VMware Horizon integration involves configuring Workspace ONE with VMware Horizon information and configuring VMware Horizon to delegate the authentication to the Workspace ONE portal:
- To delegate responsibility for authentication to Workspace ONE Portal, you must create a SAML authenticator in VMware Horizon.
- A SAML authenticator contains the trust and metadata exchange between VMware Horizon and the Workspace ONE portal.
- You then associate a SAML authenticator with a Horizon Connection Server instance.
How to enable Workspace ONE mode
1. Edit the Connection Server instance.
2. Under Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator), select Required.
3. Under SAML Authenticator:
a. Select "Enable Workspace ONE server mode".
b. In Workspace ONE server Hostname, enter <workspaceONE-server-FQDN>.
c. Select "Block connections from clients that don't support Workspace ONE mode".
When Workspace ONE mode is configured, you can only connect to the server by way of a Workspace ONE Web portal.
RSA two-factor authentication
Two-factor authentication with RSA SecurID:
- Configure it for a Horizon Connection Server instance.
- It is verified before the AD credentials are checked.
- A user PIN and a hardware or software authentication code generate the SecurID token.
# How to configure a Horizon Connection Server instance for the RSA SecurID authentication method
1. Install and configure the RSA SecurID software on the Horizon Connection Server instance.
2. To configure RSA SecurID two-factor authentication, select View Configuration > Servers.
3. Select the Horizon Connection Server instance and click Edit.
4. Click the Authentication tab.
5. From the 2 Factor authentication drop-down menu, select RSA SecurID.
6. If you want RSA SecurID to compare names against Windows user names and deny access to names that do not match, select Enforce SecurID and Windows user name matching.
7. When the states of the Horizon Agent and the RSA Authentication Manager are not synchronized, select the Clear node secret check box. AD clears the node secret on the Horizon Agent and resets the LDAP value.
8. Click Upload File and enter the location of the sdconf.rec file, or click Browse to search for the file.
9. Click OK to save your changes.
RADIUS authentication
You can configure a Horizon Connection Server instance so that RADIUS One Time Password (OTP) authentication is required before users enter their AD credentials.
To configure a Horizon Connection Server instance for authentication by RADIUS:
1. Select View Configuration > Servers.
2. Select the Horizon Connection Server instance and click Edit.
3. Click the Authentication tab.
4. From the 2 Factor authentication drop-down menu, select RADIUS.
5. Select the Enforce 2-Factor and Windows user name matching check box if you want RADIUS to compare names against Windows user names and deny access to names that do not match.
6. Click Create New Authenticator.
7. Enter a Label and Description that identify the primary RADIUS server.
8. Enter the Hostname/Address value of the primary RADIUS server.
9. Enter the Authentication Port and Accounting Port values.
The RADIUS authentication types supported by Horizon Connection Server are PAP, CHAP, MS-CHAP1, and MS-CHAP2.
10. Select the Authentication Type of your RADIUS server.
11. Enter a case-sensitive text string in the Shared Secret text box. This text string is used to verify transactions between the Horizon Connection Server instance and the RADIUS server.
12. Enter the Server Timeout value to set the number of seconds the Horizon Connection Server instance waits for a response from the RADIUS server before it tries to connect again.
13. For Max Retries, enter the number of tries a user gets to connect to the authentication server (using the preceding timeout) before it reports a failed connection.
14. Click Next.
15. If you want to use a secondary RADIUS server when the primary is unavailable, select the Use secondary server if primary is unavailable check box and enter the details of the secondary server.
16. Click Finish.
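The shared secret in step 11 does two jobs in the RADIUS protocol (RFC 2865): it hides the User-Password attribute inside the Access-Request, and it keys the Response Authenticator that the Connection Server checks on every reply. The Python example below is added here to make that concrete; it is not VMware's code or taken from the page. It implements both ends of a PAP exchange over constructed values (user `jdoe`, a constructed OTP and shared secret) and shows why a secret mismatch, even a case difference, produces an Access-Reject and a reply that fails verification. The timeout/retry loop of steps 12 and 13 and the CHAP/MS-CHAP variants are not modelled.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(kind: int, value: bytes) -> bytes:
    # RFC 2865 attribute TLV: type, total length (header included), value
    return struct.pack("!BB", kind, len(value) + 2) + value


def _pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth           # the first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def _pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, secret: bytes, ident: int,
                         req_auth: Optional[bytes] = None) -> bytes:
    req_auth = req_auth or os.urandom(16)   # fresh per request: the PAP key stream depends on it
    attrs = _attr(ATTR_USER_NAME, user.encode()) + \
        _attr(ATTR_USER_PASSWORD, _pap_hide(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {attr type: value}); rejects malformed lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the RADIUS client (here: Connection Server) must do before trusting a reply."""
    _, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def handle_access_request(request: bytes, secret: bytes, user_db: Dict[str, str]) -> bytes:
    """Toy RADIUS server: reveal the PAP password with *its* copy of the secret and decide."""
    code, _, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = _pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user].encode(), pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def demo() -> Tuple[int, bool, int]:
    secret = b"Correct-Horse-Battery"              # constructed shared secret
    users = {"jdoe": "s3cret-otp-123456"}          # constructed OTP user database
    req = build_access_request("jdoe", "s3cret-otp-123456", secret, ident=7)
    resp = handle_access_request(req, secret, users)
    # A server holding a differently-cased secret cannot reveal the password, so it rejects,
    # and its reply fails the Response Authenticator check on the client side.
    wrong = handle_access_request(req, b"correct-horse-battery", users)
    return parse_packet(resp)[0], verify_response(resp, req, secret), parse_packet(wrong)[0]


if __name__ == "__main__":
    print(demo())   # (2, True, 3): Access-Accept verified, mismatched secret gives Access-Reject
```

The password hiding is MD5-keyed XOR, not modern encryption, which is why a long random shared secret and a protected network path between Connection Server and the RADIUS server matter; the Response Authenticator check is what stops a forged Access-Accept from an unauthenticated source.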
Smart Cards authentication
VMware Horizon supports smart cards and smart card readers that use a PKCS#11 or Microsoft CryptoAPI provider.
Horizon Role-Based access administration and permission
Roles and privileges
The VMware Horizon access and control system is similar to the vCenter Server access control system. In the Horizon Connection Server, you can use role-based delegated administration to selectively assign administrative rights to specific AD users or groups.
Horizon Connection Server - Permission
The combination of a role, an administrator user or group, and an access group is a permission:
- The role defines the actions that can be performed.
- The user or group indicates who can perform the action.
- The access group contains the objects that are the target of the action.
Horizon Console includes predefined roles that you can assign to your administrator users and groups. Following are some frequently used predefined roles.
| Role | Applies to an Access Group | Description |
|---|---|---|
| Administrators | Yes | Perform all administrative functions |
| Administrators (Read-Only) | Yes | View VMware Horizon but not modify all administrative functions |
| Inventory Administrators | Yes | Perform all desktop, session, and pool-related operations |
| Global Configuration and Policy Administrators | No | View VMware Horizon and modify global policies and settings |
| Local Administrators | Yes | Administrator of a local pod; no rights to manage Cloud Pod Architecture or the Global Data Layer |
Access Groups
You can create access groups under the root access group (/) to subdivide desktop pools:
- You can delegate different access groups to different administrators.
- A maximum of 100 access groups exists, including the root access group.
- Access groups cannot be nested.
An administrator with multiple roles acquires the sum of all privileges.
Other considerations
- Roles are inherited from the root access group.
- Roles that contain only global privileges cannot be applied to access groups.
By default, automated desktop pools, manual desktop pools, and farms are created in the root access group, which appears as / or Root(/) in Horizon Console:
- RDS desktop pools and application pools inherit their farm's access group.
- You can create access groups under the root access group to delegate the administration of specific pools or farms to different administrators.
- You cannot change the access group of an RDS desktop pool or an application pool directly. You must change the access group of the farm that the RDS desktop pool or the application pool belongs to.
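To make the permission rules above concrete (a permission is role + principal + access group; root permissions are inherited; privileges are summed across roles; roles with only global privileges cannot be applied to access groups; no nesting and at most 100 groups; RDS desktop and application pools take their farm's access group), here is a small Python model. It is an added illustration, not Horizon's implementation: the privilege names (`view`, `manage_pools`, `manage_sessions`, `global_config`), the `CORP\` principals and the pool and farm names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ROOT = "/"


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]
    global_only: bool = False     # true for roles that carry only global privileges


# Constructed privilege names modelled on the predefined roles in the table above;
# these are not Horizon's real privilege identifiers.
ADMINISTRATORS = Role("Administrators",
                      frozenset({"view", "manage_pools", "manage_sessions", "global_config"}))
READ_ONLY = Role("Administrators (Read-Only)", frozenset({"view"}))
INVENTORY_ADMINS = Role("Inventory Administrators",
                        frozenset({"view", "manage_pools", "manage_sessions"}))
GLOBAL_CONFIG_ADMINS = Role("Global Configuration and Policy Administrators",
                            frozenset({"global_config"}), global_only=True)


class HorizonRbac:
    MAX_ACCESS_GROUPS = 100       # maximum including the root access group

    def __init__(self) -> None:
        self.access_groups: Set[str] = {ROOT}
        self.permissions: List[Tuple[str, Role, str]] = []   # (principal, role, access group)
        self.pool_group: Dict[str, str] = {}                  # desktop pool -> access group
        self.farm_group: Dict[str, str] = {}                  # farm -> access group
        self.pool_farm: Dict[str, str] = {}                   # RDS/application pool -> farm

    @staticmethod
    def _norm(group: str) -> str:
        return "/" + group.strip("/")          # "/" -> "/", "Finance" -> "/Finance"

    def add_access_group(self, name: str) -> str:
        stripped = name.strip("/")
        if not stripped or "/" in stripped:    # access groups cannot be nested
            raise ValueError("access groups cannot be nested under anything but root")
        if len(self.access_groups) >= self.MAX_ACCESS_GROUPS:
            raise ValueError("maximum of 100 access groups, including root")
        group = "/" + stripped
        self.access_groups.add(group)
        return group

    def _require_group(self, group: str) -> str:
        group = self._norm(group)
        if group not in self.access_groups:
            raise KeyError(f"unknown access group {group}")
        return group

    def add_pool(self, pool: str, group: str = ROOT) -> None:
        self.pool_group[pool] = self._require_group(group)

    def add_farm(self, farm: str, group: str = ROOT) -> None:
        self.farm_group[farm] = self._require_group(group)

    def add_rds_pool(self, pool: str, farm: str) -> None:
        if farm not in self.farm_group:
            raise KeyError(f"unknown farm {farm}")
        self.pool_farm[pool] = farm            # the pool's access group is the farm's

    def grant(self, principal: str, role: Role, group: str = ROOT) -> None:
        group = self._require_group(group)
        if role.global_only and group != ROOT:
            raise ValueError(f"{role.name} has only global privileges; apply it at root")
        self.permissions.append((principal, role, group))

    def access_group_of(self, pool: str) -> str:
        if pool in self.pool_farm:             # RDS desktop/application pools inherit the farm's group
            return self.farm_group[self.pool_farm[pool]]
        return self.pool_group[pool]

    def privileges(self, principal: str, group: str) -> Set[str]:
        group = self._norm(group)
        out: Set[str] = set()
        for who, role, where in self.permissions:
            # permissions at root are inherited by every access group
            if who == principal and where in (ROOT, group):
                out |= role.privileges         # several roles: the sum of all privileges
        return out

    def can(self, principal: str, privilege: str, pool: str) -> bool:
        return privilege in self.privileges(principal, self.access_group_of(pool))
```

Try it by creating `/Finance` and `/HR`, granting one principal Inventory Administrators on `/Finance` only and another Read-Only at root plus Inventory Administrators on `/HR`: the first cannot even view an HR pool, while the second can view everywhere and manage pools only under `/HR`, including an application pool whose farm lives there.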
# How to add pool to a new access group
1. Login to Horizon console
2. Navigate to Inventory -> Desktops
3. From the Access Group drop down menu on the command bar
a. Select New Access Group, enter the access group name, and click Submit
b. Select Change Access Group and select the new access group
Horizon Connection Server TLS Certificate
VMware Horizon includes a self-signed certificate when a Horizon Connection Server instance is installed. This certificate can be replaced with a CA-signed certificate.
Private and Public Keys
Asymmetric algorithms use a key pair: the public key, which is widely accessible, encrypts messages into an unreadable form, and the private key, known solely by its owner, decrypts them.
Configuring TLS Certificates in Horizon
Horizon Connection Server instances, Unified Access Gateway (UAG), and load-balancer instances require an SSL server certificate for SSL connections.
Setting Up TLS Certificates
To set up TLS server certificates for VMware Horizon servers in a pod of replicated Horizon Connection Server instances, perform these steps on every instance in the pod:
- Get a new signed TLS certificate from a CA.
- Import the TLS certificate into the Windows local computer certificate store.
- Change the certificate friendly name to vdm.
Important:
The certificate friendly name must be vdm:
a. Open certlm.msc.
b. Select the Connection Server certificate.
c. Select the Details tab.
d. Navigate to Friendly name, click Edit, and change it to vdm.
- If an intermediate CA signed your server certificate, import the intermediate certificates into the Windows local computer certificate store.
- Configure clients to trust the root and intermediate certificates.
True SSO
True SSO provides a way to authenticate to Microsoft Windows, retaining all the users’ normal domain privileges, without requiring them to provide AD credentials.
With True SSO, a user can log into Workspace ONE using any non-AD method (for example, RSA SecurID credentials). After a user is authenticated, they can use any entitled desktop or app (hosted from any domain) without being prompted for a password.
True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name (for example, jdoe@example.com) to the identity provider’s authentication system to access AD credentials. Horizon then generates a unique, short-lived certificate for the Windows login process.
True SSO Process
- A user authenticates to VMware Identity Manager. The administrator can select from an extensive set of authentication methods (RSA SecurID, RADIUS, Biometric, and so on). After authentication, the user selects a desktop or application to use from Workspace ONE.
- Horizon Client is launched with the user’s identity, and credentials are directed to the Horizon Connection Server, the broker for VMware Horizon.
- The broker, Horizon Connection Server, verifies the user’s identity with VMware Identity Manager by sending a SAML assertion.
- Using the Certificate Enrollment Service, VMware Horizon requests that the Microsoft Certificate Authority (CA) generate a temporary, short-lived certificate on behalf of that user.
Note:
The Horizon Enrollment Server provides the certificate enrollment service.
- VMware Horizon presents the certificate to the Windows operating system.
- Windows verifies the authenticity of the certificate with Active Directory.
- The user is logged in to the Windows desktop or application, and a remote session is initiated on the Horizon Client
Supported Authentication Methods
Workspace ONE supports the following authentication methods with True SSO:
a. RSA SecurID
b. Kerberos
c. RADIUS authentication
d. RSA Adaptive Authentication
e. Standards-based third-party identity providers
Workspace ONE also supports integration with third-party identity providers (IdPs) to federate user authentication in the enterprise.
Workspace ONE also supports user name and password credentials, as well as smart card logins, but for either of these True SSO is not needed.
VMware digital workspace user experience and Workspace ONE
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/index.html
The digital workspace provides these benefits:
- Access applications and resources through a unified application catalog.
- Simplified access and login to applications through Web and mobile SSO.
- Easy access to virtual desktops and applications
The digital workspace is powered by three VMware components
- Workspace ONE UEM: Provides unified endpoint management and capabilities to ensure that each device is properly managed and complies with the organization's IT policies.
- Workspace ONE Access: Provides identity and access management and provisions Web application access. Workspace ONE Access also uses various authentication protocols and conditional access to make sure that only the right users access the resources through a convenient method.
- VMware Horizon: Provides VDI, application infrastructure, and access to virtual resources.
The Workspace ONE Intelligent Hub application and the Hub Service integrate the Workspace ONE components.
Workspace ONE Access Console
Workspace ONE Access supports two deployment models
- VMware SaaS-hosted
- On-premises deployment (available by special request)
Use the tenant URL
https://<tenant-url>
The console organizes configurations and management by tabs. The tabs give you access to the following management pages:
a. Dashboard
b. Users & Groups
c. Catalog
d. Identity & Access Management
i. Manage
ii. Setup
e. Roles
Identity Management in Workspace ONE Access
Workspace ONE Access enhances identity management with features that allow an administrator to import users into the Workspace ONE Access console and enable various user authentication methods.
The identity management features of Workspace ONE Access include the following:
- Integrate with existing corporate directories.
- Associate directories and IdPs with various authentication methods.
- Integrate with existing third-party IdPs
Examples: Okta, Ping Identity
- Support Just-In-Time Provisioning (JIT)
Integrating VMware Horizon pods with VMware Identity Manager
- Deploy and configure Horizon servers.
- Deploy VMware Horizon desktop and application pools, with entitlements set for AD users and groups.
- Synchronize the AD users and groups that are entitled to application and desktop pools on the VMware Horizon Connection Server instances to the VMware Identity Manager service.
Note: this is done using Directory Sync.
Configuring VMware Horizon in the VMware Identity Manager Console
Configuring the VMware Horizon settings in your VMware Identity Manager console integrates the VMware Horizon virtual resources with your Workspace ONE environment and displays the resources in the Workspace ONE Catalog for end users to access.
You follow the steps below to configure the VMware Horizon settings:
- In the VMware Identity Manager console, navigate to Catalog > Virtual Apps > Virtual App Configuration.
- You select the VMware Horizon option that matches your VMware Horizon infrastructure type, Horizon Cloud or Horizon View On-Premises.
- You then supply the VMware Horizon connection server hostname and credentials. If you integrate with Horizon View On-Premises, you also select a VMware Identity Manager Connector for this integration.
- Click Sync to perform an initial synchronization and monitor the sync result.
Horizon Protocol
Remote Display Protocol
A remote display protocol is a set of data transfer rules that carries the display of a desktop hosted at a source location to a client's screen at a different location.
1. VMware Blast Extreme
2. PCoIP (PC over IP)
3. Microsoft RDP
If the HTML Access client (available with the HTML Access feature) is used, the Blast Extreme protocol is used.
VMware Blast
Configure VMware blast options
VMware Blast extreme optimization guide
https://techzone.vmware.com/resource/vmware-blast-extreme-optimization-guide
The VMware Blast ADMX template file (vdm_blast.admx) contains policy settings for the VMware Blast display protocol. After the policy is applied, the settings are stored in the registry key HKLM\Software\Policies\VMware, Inc.\VMware Blast\config.
These settings apply to HTML Access and all Horizon Client platforms.
Applying VMware Blast Policy Settings
If the following VMware Blast policies change during a client session, Horizon Client detects the change and immediately applies the new setting.
1. H264
2. Audio Playback
3. Max Session Bandwidth
4. Min Session Bandwidth
5. Max Frame Rate
6. Image Quality
# For all other VMware Blast policies that cannot be changed in real time
Microsoft GPO update rules apply. GPOs can be updated manually or by restarting the Horizon Agent machine.
The VMware BLAST protocol is configured at the following locations
- Desktop pool
- RD Session Host farm
Blast uses the BENIT session layer protocol:
- BENIT is a session layer protocol on top of TCP and Adaptive Transport.
- BENIT is designed to withstand temporary network losses up to a maximum configurable time without disrupting higher-level applications.
Codec Options
The Blast Codec improves on the Adaptive and H.264 encoders by delivering sharper images and fonts. Similar to a video codec, the Blast codec works with motion detection, motion vectors, and inter-predicted macroblocks. The encoder dynamically switches codecs depending on the content type.
- For text and still images, Blast Extreme uses the VMware Blast or JPG/PNG codec.
- For streaming video, Blast Extreme automatically shifts to H.264.
High Efficiency Video Coding, H.265
High Efficiency Video Coding (HEVC), also known as H.265, is the successor to H.264.
- HEVC reduces bandwidth by providing up to 50 percent better compression at the same quality as H.264.
- HEVC requires much higher CPU processing power to encode and decode.
- ESXi hosts (or RDSH servers) must have NVIDIA Tesla or newer GPUs installed to offload encoding.
- Clients must have physical GPUs that support H.265 decoding. Most client devices manufactured since 2015 have H.265 support.
HEVC can also support higher quality at similar compression ratios as H.264, but again at the cost of more processing power with no bandwidth savings.
Display Protocol Codecs: H.264
H.264 requires more processing power, compared to other codecs. However, H.264 processing can be offloaded to the graphics cards (GPU) on the device.
- Most client devices (including cell phones and most thin clients) support H.264 GPU decoding.
- H.264 encoding on servers can be offloaded to NVIDIA Tesla GPUs, freeing CPUs in VMware ESXi hosts.
Horizon client configuration
1. Open the VMware Horizon Client properties.
2. Under VMware Blast, select "Allow H.264 Decoding".
3. On the desktop pool, set Connect Via to VMware Blast (default).
A user does not select a display protocol setting based on their network conditions (Excellent, Typical, Poor). BLAST selects the optimal transport for you. Horizon Client for Windows senses current network conditions and selects one or more transports, automatically.
PCoIP
- PCoIP is a high-performance protocol
- PCoIP is a secure protocol that uses both encryption and compression.
- PCoIP is provided by VMware through codevelopment with Teradici.
- PCoIP is a multicodec solution, including codecs for video, graphics, texts, and images
Microsoft RDP
- RDP 10.0 has true multiple-monitor support for up to 16 monitors.
- RDP supports the 128-bit encryption.
To secure RDP communications, you can tunnel your RDP session through Horizon Connection Server over a LAN or through a Unified Access Gateway (UAG) over a WAN.
Graphic card - 3D renderer configuration
When you deploy or edit full-clone virtual machine pools, you can configure 3D graphics rendering for your desktops. The pool can use VMware Blast or PCoIP as the default display protocol.
When you enable the 3D Renderer setting, you can configure the Max number of monitors setting for one or two monitors. You cannot select more than two monitors. The Max resolution of any one monitor setting is set to 1920x1200 pixels.
When you enable the 3D Renderer setting, if you select the Automatic, Software, or Hardware parameter, you can configure the amount of vRAM that is assigned to the VMs in the pool. To do so, move the slider in the Configure vRAM for 3D Guests dialog box. The minimum vRAM size is 64 MB.
The Automatic setting is the best choice for many VMware Horizon deployments that require 3D rendering. This setting ensures that some type of 3D rendering takes place even if GPU resources are reserved.
When you create or edit a desktop pool of VMs, you can configure 3D graphics rendering for the desktops. Desktops can take advantage of Virtual Shared Graphics Acceleration (vSGA), Virtual Dedicated Graphics Acceleration (vDGA), or shared GPU hardware acceleration (NVIDIA GRID vGPU). vDGA and NVIDIA GRID vGPU are vSphere features that use physical graphics cards installed on the ESXi hosts and that manage the graphics processing unit (GPU) resources among the VMs.
# vDGA
1. Virtual Dedicated Graphics Acceleration (vDGA) technology, also known as GPU pass-through, provides the VM with unrestricted, fully dedicated access to one of the host's GPUs.
2. Virtual Dedicated Graphics Acceleration (vDGA) dedicates a single physical GPU on an ESXi host to a single VM.
Software-Accelerated Graphics
CPU rendering is used by 3D-enabled desktops without a physical GPU
- CPU rendering is available with a supported vSphere.
- Run DirectX 9 and OpenGL 2.1 applications without a physical GPU.
- CPU rendering is a good alternative for less demanding 3D applications such as Windows Aero themes, Microsoft Office, or Google Earth.
- The VMs must be virtual hardware version 8 or later
Comparing Types of Graphics Acceleration
Type                         Virtual Shared Graphics Acceleration   Virtual Shared Pass-Through Graphics Acceleration   Virtual Dedicated Graphics Acceleration
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                         vSGA                                   vGPU or MxGPU                                      vDGA
Consolidation                High (limited by video memory)         Up to 1:32                                         None (1:1)
Performance level            Lightweight                            Lightweight or Workstation                         Workstation
Compatibility                Limited                                Full, but not all applications are certified       Maximum
Video encoding and decoding  Software                               Hardware                                           Hardware
vSphere vMotion              Yes                                    Yes                                                No
VMware Horizon does not control 3D rendering. The 3D Renderer setting that is set in vSphere Web Client for a VM determines the type of 3D graphics rendering that takes place. Use this setting when configuring NVIDIA GRID vGPU, Intel vDGA or AMD Multiuser GPU, or vSGA.
How to install graphics cards VIB for use in Horizon environment
1. Prepare for the VIB Update
2. Uninstall the Old VIB
3. Install the New VIB
4. Verify the VIB Installation
5. Install Horizon Agent in the Parent Virtual Machine
6. Updating the Parent Virtual Machine with New Drivers
7. Take a Snapshot of the Parent Virtual Machine
8. Create an Automated Desktop Pool of Windows Instant Clone Virtual Machines
9. Test an Individual Windows Instant Clone Virtual Machine
Horizon Scalability
Large desktop environments are managed in a multiserver configuration by using replica servers and the Cloud Pod Architecture.
Horizon Replica Servers
A replica server is the same as the original Horizon Connection Server instance, and it participates in AD LDS replication.
- Horizon Connection Server supports only a single network interface.
- The host system must be a member of the AD domain.
Horizon Data and AD Lightweight Directory Service
Horizon Connection Server instances store data in AD LDS. AD LDS stores VMware Horizon data and reference AD data, such as entitlements, pool parameters, and system configuration. It is automatically replicated between the connection servers.
The first Horizon Connection Server instance that is installed is called the standard server. You install the second and subsequent servers as replicas. Changes made by any server are automatically replicated to all others. This replication takes place in the same way that AD domain controllers update users and groups in the domain.
By default, the replication between all Horizon Connection Server instances takes place across TCP port 389.
VMware Horizon Pods
A pod can contain up to 20,000 sessions as well as seven Horizon Connection Server instances. For environments exceeding 20,000 users, pods can be integrated using hardware load balancers and Cloud Pod Architecture.
Cloud Pod Architecture
The Cloud Pod Architecture links multiple VMware Horizon pods (data centers). Cloud Pod Architecture provides the following benefits.
- Simplifies the administrative effort required to manage a large-scale VMware Horizon deployment.
- Provides a single URL for user access: Appears as a single environment, across multiple data center deployments and across geographies.
- Simplifies Data Recovery and active-active design scenarios.
- Supports global roaming users.
- Scales up to 250,000 users, 50 Horizon pods, and 15 sites.
- Supports active-active and disaster recovery use cases of VMware Horizon deployments
- Appears as a single VMware Horizon environment to the user
- Simplifies administration
a. Single global entitlement to provide user access to pools across multiple VMware Horizon pods.
b. Centralized session management across multiple pods.
c. Uses a data layer replicated across all Horizon Connection Server instances.
You use Horizon Console and the lmvutil command to modify and maintain the Cloud Pod Architecture environment.
Note: lmvutil is installed as part of the VMware Horizon installation.
Pod Federations
A pod federation can span multiple sites and data centers simultaneously and uses the Global Data Layer to share key data.
VMware Interpod API - VIPA
The VIPA channel is a high-performance mesh network between the connection servers in all pods.
- Bidirectional TLS on port 8472 is used to protect and verify the VIPA interpod communication channel.
- One connection server per pod manages the interpod communication using VIPA.
- Every connection server in every pod has its own self-signed certificate, stored in the local key vault.
a. Certificates are replaced every seven days.
b. Use lmvutil if a certificate becomes compromised or you want to update it sooner than 7 days
i. --createPendingCertificate
ii. --activatePendingCertificate
Horizon Connection Server instances use the VIPA address communication channel to initiate new desktops, find existing desktops, and share health status data and other information. VMware Horizon configures the VIPA address interpod communications channel when you initialize the Cloud Pod Architecture feature.
Initializing Cloud Pod Architecture
You can initialize the Cloud Pod Architecture feature from any Horizon Connection Server instance in a pod.
1. You must initialize the Cloud Pod Architecture feature one time, on the first pod in a pod federation.
2. After initialization, the federation contains
a. The initialized pod.
b. A single site.
3. When you add pods to the pod federation, the new pods join the initialized pod
4. Additions to the inventory
i. Global Entitlements appear under Inventory.
ii. Sites appear under Settings
Global Entitlements
Global entitlements provide the link between users and their desktops and applications, regardless of where those desktops and applications reside in the pod federation.
- Each entitlement contains a list of users or groups, a list of pools, and a scope policy.
- Each pool named in a global entitlement is a normal desktop or application pool created with Horizon Console.
- Global entitlements are useful for single-pod environments.
- When you use global entitlements, configuring and managing local entitlements is not required.
Global Entitlements - Search Order
The search order of the Horizon Connection Server is weighted to spread the load across pods, but with preference to local resources.
- It looks at local resources first. If unsuccessful, it tries the local site, and then tries across the federation.
- If a remote pod is selected, a Horizon Connection Server instance is selected randomly from the remote pod to service the request.
- Mobile users can nominate a home site. The desktop or application search then begins at the home site, regardless of the user location.
When a user requests a desktop from a global entitlement, the Cloud Pod Architecture feature searches for an available desktop in the pools that are associated with that global entitlement. By default, the Cloud Pod Architecture feature gives preference to desktops in the local pod, the local site, and pods in other sites, in that order.
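The search order above, as an added Python model (not VMware code and not the Connection Server's real placement logic): it builds the pod tiers for a request (local pod, local site, rest of the federation, or home site first when one is set), takes the first tier that has a free desktop, and picks a Connection Server at random only when the chosen pod is remote. The pod, site, server and pool names, the free-desktop counts and the tie-break inside a tier are all constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    """A desktop pool listed in a global entitlement (constructed data)."""
    name: str
    pod: str
    available: int  # free desktops in the pool at request time


def search_tiers(pod_site, local_pod, home_site=None):
    """Order in which pods are searched for this request.

    pod_site maps pod name -> site name.  Without a home site the order is
    the local pod, the other pods in the local site, then every other site
    (the default preference).  With a home site the search starts at the
    home site's pods regardless of where the user connected from, then
    falls back to the rest of the federation.
    """
    if home_site is not None:
        home = sorted(p for p, s in pod_site.items() if s == home_site)
        rest = sorted(p for p, s in pod_site.items() if s != home_site)
        return [home, rest]
    local_site = pod_site[local_pod]
    same_site = sorted(p for p, s in pod_site.items() if s == local_site and p != local_pod)
    other_sites = sorted(p for p, s in pod_site.items() if s != local_site)
    return [[local_pod], same_site, other_sites]


def select_desktop(pools, pod_site, pod_servers, local_pod, home_site=None, rng=None):
    """Pick the pool that serves a request made through local_pod.

    pod_servers maps pod name -> list of Connection Server hostnames.
    Returns (pool name, pod name, Connection Server) or None when every
    pool in the entitlement is full.  For a remote pod a Connection Server
    is picked at random from that pod; for the local pod the server the
    user is already connected to handles it, represented here as None.
    """
    rng = rng or random.Random()
    for tier in search_tiers(pod_site, local_pod, home_site):
        candidates = [p for p in pools if p.pod in tier and p.available > 0]
        if not candidates:
            continue
        # Tie-break inside a tier: most free desktops, then name.  This is a
        # constructed rule; the real load-spreading weights are not on the page.
        pool = min(candidates, key=lambda p: (-p.available, p.name))
        if pool.pod == local_pod:
            return pool.name, pool.pod, None
        return pool.name, pool.pod, rng.choice(pod_servers[pool.pod])
    return None


# Constructed federation: two pods in Sydney, one in Melbourne.
POD_SITE = {"podA": "Sydney", "podB": "Sydney", "podC": "Melbourne"}
POD_SERVERS = {"podA": ["cs-a1", "cs-a2"], "podB": ["cs-b1"], "podC": ["cs-c1", "cs-c2"]}
POOLS = [Pool("win10-a", "podA", 0), Pool("win10-b", "podB", 5), Pool("win10-c", "podC", 50)]

if __name__ == "__main__":
    # Local pod is full, so the request lands in the other Sydney pod.
    print(select_desktop(POOLS, POD_SITE, POD_SERVERS, "podA"))
    # A home site overrides the user's location and starts at Melbourne.
    print(select_desktop(POOLS, POD_SITE, POD_SERVERS, "podA", home_site="Melbourne"))
```

Note that podC has far more free desktops than podB, yet the request through podA goes to podB: the tiers are strict, and only inside a tier does capacity matter, which is what "preference to local resources" means in practice.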
Horizon Security
Horizon Client connects to Horizon Connection Server and VMs
Horizon Client and Horizon Connection Server communicate over a TLS connection. Initial session authentication is always encrypted on port 443. When the session is established, traffic flows between Horizon Client and Horizon Connection Server over ports 4172 (PCoIP), 8443 (Blast), or 443 (RDP).
Horizon client and Unified Access Gateway
When using a Unified Access Gateway, the tunnel is established between Horizon Client and the Unified Access Gateway. When the session is established, all traffic flows through the Unified Access Gateway directly to Horizon Agent.
Enable direct connections
You enable direct connections for each Horizon Connection Server by deselecting the Use Secure Tunnel connection to machine.
1. Access Horizon Connection Server properties in Horizon Console
2. Under HTTP(s) Secure Tunnel
Deselect "Use Secure Tunnel connection to machine"
Restricting Horizon Connections
Using restricted entitlements, you associate one or more pools with a specific Horizon Connection Server.
1. Access desktop pool property
2. Select General tab
3. Under Tags, type the tag name (for example, Internal or External)
Note:
1. The tag name configured in desktop pool must match the connection server tag name for restriction to take effect.
2. You can assign one or more tags
Unified Access Gateway
Unified Access Gateway is deployed from the OVF package; during deployment you select the VM configuration.
Best practice: do not change the CPU, memory, or disk space to smaller values than the default OVF settings.
Networking requirements
- One network interface: External, internal, and management traffic are all on one subnet.
- Two network interfaces: External traffic is on one subnet, another subnet handles internal and management traffic.
- Three network interfaces: External, internal, and management traffic each have their own subnet. Using three network interfaces is the most secure deployment.
Unified Access Gateway Authentication Mechanisms
The following authentication mechanisms are available
- AD credentials
- RSA SecurID
- RADIUS
- Smart cards
- Security Assertion Markup Language (SAML)
For all authentication mechanisms except smart card, authentication is proxied to Horizon Connection Server.
Front-End Firewall Rule
Source              Protocol   Port   Destination   Notes
--------------------------------------------------------------------
Horizon Client      TCP        80     UAG           HTTP
Horizon Client      TCP        443    UAG           HTTPS
Horizon Client      TCP/UDP    4172   UAG           PCoIP
Client Web Browser  TCP        8443   UAG           HTML Access
Back-End Firewall Rules
Source                  Protocol   Port    Destination
----------------------------------------------------------------------------------------
Unified Access Gateway  TCP        443     Horizon Connection Server or load balancer
Unified Access Gateway  TCP        3389    Horizon desktop
Unified Access Gateway  TCP        9427    Horizon desktop
Unified Access Gateway  TCP/UDP    4172    Horizon desktop
Unified Access Gateway  TCP        32111   Horizon desktop
Unified Access Gateway  TCP        22443   Horizon desktop
Horizon Agent           UDP        4172    UAG
Horizon View Client - External Client
Horizon View client external access to internal Horizon VDI desktop pool VMs: port requirements
https://ports.vmware.com/home/Horizon
The external client needs the following ports open to the VMware Unified Access Gateways in the DMZ:
443, 4172 (TCP and UDP)
When an F5 load balancer VIP is used to load-balance the UAG appliances, even if the F5 VIP uses SNAT, the firewall must still allow connections from the external Horizon View client to the DMZ UAG external IP address on 4172 (TCP and UDP) for PCoIP clients.
All external connections terminate at the DMZ F5 and UAG servers; the UAG proxies Horizon client connections to the internal Connection Servers and the VDI desktop pool VMs.
Troubleshooting
Conflicting vCenter Server Unique IDs
If you have multiple vCenter Server instances configured in your environment, an attempt to add a new instance might fail because of conflicting unique IDs. You try to add a vCenter Server instance to VMware Horizon, but the unique ID of the new vCenter Server instance conflicts with an existing instance.
# Cause
Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is randomly generated, but you can edit it.
# Solution
1. In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.
2. Type a new unique ID and click OK.
Understanding VMware Horizon Services
The operation of Connection Server instances depends on several services that run on the system. You might sometimes find it necessary to stop and start these services manually when troubleshooting problems with the operation of VMware Horizon.
Note:
Stop only the VMware Horizon Connection Server service on a Connection Server host. Do not stop any other component services.
Add the CA Certificate to a Server Truststore File
Connection Server instances use this information to authenticate smart card users and administrators.
- Obtain the root or intermediate certificates that were used to sign the certificates on the smart cards presented by your users or administrators.
- Verify that the keytool utility is added to the system path on your Connection Server host.
# Procedure
1. On your Connection Server host, use the keytool utility to import the root certificate, intermediate certificate, or both into the server truststore file.
keytool -import -alias alias -file root_certificate -keystore truststorefile.key -storetype JKS
2. Copy the truststore file to the SSL gateway configuration folder on the Connection Server host.
install_directory\VMware\VMware View\Server\sslgateway\conf\truststorefile.key
Schedule VMware Horizon Configuration Backups
You can schedule your VMware Horizon configuration data to be backed up at regular intervals. VMware Horizon backs up the contents of the Horizon LDAP repository in which your Connection Server instances store their configuration data.
You can back up the configuration immediately by selecting the Connection Server instance and clicking Backup Now.
# Procedure
1. In Horizon Console, select Settings > Servers.
2. On the Connection Servers tab, select the Connection Server instance to be backed up and click Backup Now.
3. On the Backup tab, specify the Horizon configuration backup settings to configure the backup frequency,
maximum number of backups, and the folder location of the backup files.
4. (Optional) Change the data recovery password.
a. Click Change data recovery password.
b. Type and retype the new password
c. (Optional) Type a password reminder.
d. Click OK.
5. Click OK.
Export and Import Configuration Data from Horizon Connection Server
You can back up configuration data of a Horizon Connection Server instance by exporting the contents of its Horizon LDAP repository.
You use the vdmexport command to export the Horizon LDAP configuration data to an encrypted LDIF file.
# In Command prompt
vdmexport > Myexport.LDF        # By default, the exported data is encrypted
vdmexport -f Myexport.LDF -v    # Export the data in plain text format (verbatim)
vdmexport -f Myexport.LDF -c    # Export the data in plain text format with passwords and sensitive data removed (cleansed)
Note:
Do not import an LDIF file in cleansed format, which is plain text with passwords and other sensitive data removed.
If you do, critical configuration information will be missing from the restored Horizon LDAP repository.
To import the LDIF file, use the vdmimport command-line utility. By default it is installed in the C:\Program Files\VMware\VMware View\Server\tools\bin directory.
vdmimport -d -p mypassword -f MyEncryptedExport.LDF > MyDecryptedExport.LDF
vdmimport -f MyDecryptedExport.LDF
# The following commands decrypt and import a Cloud Pod Architecture global LDIF configuration file.
vdmimport -d -p mypassword -f MyEncryptedCPAexport.LDF > MyDecryptedCPAexport.LDF
vdmimport -g -f MyDecryptedCPAexport.LDF
Using DCT to Collect Logs for Remote Desktop Features and Components
You can set log levels and generate log files in a Data Collection Tool (DCT) bundle for a specific remote desktop feature, or all remote desktop features, on a Horizon Agent for Windows, Horizon Client for Windows, Horizon Client for Mac, or Horizon Client for Linux system.
# The DCT scripts are installed in the following directories and run from the agent and client installation paths.
1. Horizon Agent for Windows: C:\Program Files\VMware\VMware View\Agent\DCT\support.bat
2. Horizon Client for Windows: C:\Program Files (x86)\VMware\VMware Horizon View Client\DCT\support.bat
3. Horizon Client for Mac: /Applications/VMware Horizon Client.app/Contents/Library/dct/HorizonCollector.sh
4. Horizon Client for Linux: /usr/bin/vmware-view-log-collector
5. Horizon Agent for Linux (run with sudo): /usr/lib/vmware/viewagent/bin/dct-debug.sh
Set log level
# Procedure
1. Select Start > All Programs > VMware > Set View Connection Server Log Levels.
2. In the Choice text box, type a numeric value to set the logging level and press Enter.
Option   Description
---------------------------------------------------
0        Resets the logging level to the default value.
1        Selects a normal level of logging.
2        Selects a debug level of logging (default).
3        Selects full logging.
Troubleshooting with Horizon connection server logs and VMware Managed Object Browser (MOB)
https://kb.vmware.com/s/article/1027744
When there are errors provisioning a Horizon desktop pool, troubleshoot by analysing the Horizon Connection Server debug log.
# On a Windows connection server, Horizon Connection Server log location
DriveLetter:\ProgramData\VMware\VDM\logs
# To query the vCenter Managed Object Browser (MOB) for configuration and settings
https://<vCenter-FQDN>/mob/?moid=<managed-object-id>
Example: https://<vCenter-FQDN>/mob/?moid=host-12345   # identify the ESXi host that is having issues when provisioning the VDI desktop pool
Collecting VMware Horizon View (vdm) log bundles
https://kb.vmware.com/s/article/1017939
The KB article provides detailed information about collecting logs from Horizon-related components:
1. Horizon Connection Server, Horizon Security Server, Horizon Enrollment Server
2. Horizon Composer Server
3. VMware Unified Access Gateway
4. Horizon Agent
5. Horizon client
a. Windows View Client
b. Mac View client
c. iPad View client
d. Linux View client
e. PCoIP Zero client
6. Horizon Persona Management
For Horizon client install log file location or Horizon client install failed logs see Location of VMware View log files (KB 1027744)
Using the vdmadmin Command
You can use vdmadmin to perform administration tasks that are not possible from within the user interface or to perform administration tasks that need to run automatically from scripts.
PowerCLI
Install VMware PowerCLI
Install-Module -Name VMware.PowerCLI
Note: Horizon PowerCLI module is included in VMware PowerCLI
Import-Module -Name VMware.VimAutomation.HorizonView
Connection Server services issue
- Verify Connection Server system resources: minimum 4 vCPU and 8 GB memory
- Verify the status of the Connection Server services
- Verify the Connection Server service is listening on TCP 443 and 80
a. Ensure the Connection Server runs on a dedicated server
b. Ensure no IIS site or other application is listening on those ports on the server
c. Verify antivirus and security software on the server
- Check the vdm log
# Unhide hidden files and folders, then
a. C:\ProgramData\VMware\VDM\logs
b. Check for "ICE start"
AD LDS Replication issue
https://kb.vmware.com/s/article/1021805
https://kb.vmware.com/s/article/2091974
After installing the first Connection Server, any new Connection Servers are replica servers. They all function as replication partners.
- Check AD LDS replication status
# Verify replication status
repadmin.exe /showrepl localhost:389 dc=vdi,dc=vmware,dc=int
# Force replication (destination first, then source)
repadmin.exe /replicate localhost:389 remote-host-FQDN:389 dc=vdi,dc=vmware,dc=int
# Clear the disable flags so that inbound and outbound replication are not disabled
repadmin /options localhost:389 -DISABLE_OUTBOUND_REPL -DISABLE_INBOUND_REPL
- Check AD LDS schema master, if required transfer the FSMO role to another connection server
# Method 1: Microsoft LDAP Browser
1. In one of the Connection Servers, log in as an Administrator
2. To launch the Microsoft LDAP browser, click Start > Run, type ldp and press Enter
3. Click Connection > Connect and set the Server IP to 127.0.0.1 and the port to 389
4. Click OK
5. Click Connection > Bind
6. Under Bind Type, select the Bind as currently logged on user option
7. Click OK
8. Click View > Tree
9. In the BaseDN, click the down arrow and select CN=Schema,CN=Configuration,CN={GUID-ID}
10. In the right panel, note the value of the attribute fSMORoleOwner
# Method 2: Active Directory Schema snap-in
a. regsvr32 schmgmt.dll
b. Open MMC, add the Active Directory Schema snap-in and connect it to localhost:389 (the local AD LDS instance)
c. Check the Active Directory Schema object and the Operations Master
If required, transfer the schema master FSMO role to another Connection Server
Note:
If none of the Connection Servers in the replica set owns the schema role,
you can force ownership by installing a new Connection Server,
or seize the role by using Microsoft's ntdsutil command. For more information,
see Microsoft article 255504
- Check the vdm log and search for "replication"
- Check the Windows Applications and Services Logs > ADAM (VMwareVDMDS) log for replication issues
- Check replication options
- After fixing the replication issue, restart Connection Server
If an existing Connection Server cannot be fixed and needs to be rebuilt
1. Remove Connection Server software and uninstall AD LDS role
a. Access Control Panel
b. Uninstall VMware View Connection Server software
c. Uninstall AD LDS Instance VMwareVDMDS software
d. Restart the server
2. Remove AD LDS Role
a. Remove Active Directory Lightweight Directory Services
b. Restart the server
3. Remove orphaned or retired Connection Server object from Connection Server AD LDS
a. Login to other Connection Server
b. Run
vdmadmin.exe -S -r -s <orphaned-retired-ConnectionServer>
4. Re-install Connection Server software
a. Install the Connection Server software and select the Replica Server option
b. Check AD LDS replication after successfully re-installing the Connection Server software
repadmin.exe /showrepl localhost:389 dc=vdi,dc=vmware,dc=int
Create a Data Collection Tool Bundle for Horizon Agent
To assist VMware Technical Support in troubleshooting Horizon Agent, you might need to use the vdmadmin command to create a Data Collection Tool (DCT) bundle. You can also obtain the DCT bundle manually, without using vdmadmin.
For your convenience, you can use the vdmadmin command on a Connection Server instance to request a DCT bundle from a remote desktop. The bundle is returned to Connection Server.
You can alternatively log in to a specific remote desktop and run a support command that creates the DCT bundle on that desktop.
# Procedure
Open a command prompt and run the command to generate the DCT bundle.
Option                         Action
--------------------------------------------------------------------------------
On View Connection Server,     To specify the names of the output bundle file, desktop pool, and machine,
using vdmadmin                 use the -outfile, -d, and -m options with the vdmadmin command:
                               vdmadmin -A [-b authentication_arguments] -getDCT -outfile local_file -d desktop -m machine
On the remote desktop          Change directories to C:\Program Files\VMware\VMware View\Agent\DCT and run the following command:
                               support
# Example
Create the DCT bundle for the machine machine1 in the desktop pool dtpool2 and write it to the zip file C:\myfile.zip.
vdmadmin -A -d dtpool2 -m machine1 -getDCT -outfile C:\myfile.zip
Rebalance Linked-Clone Virtual Machines
A rebalance operation evenly redistributes linked-clone virtual machines among available datastores.
You can also use the rebalance operation to migrate linked-clone virtual machines to another datastore.
Note:
Do not use vSphere Client or vCenter Server to migrate or manage linked-clone virtual machines.
# Prerequisites
1. Decide when to schedule the rebalance operation. By default, View Composer starts the operation immediately.
You can schedule only one rebalance operation at a time for a given set of linked clones.
You can schedule multiple rebalance operations if they affect different linked clones.
2. Decide whether to force all users to log off as soon as the operation begins or
wait for each user to log off before rebalancing that user's linked-clone desktop.
a. If you force users to log off,
Horizon 7 notifies users before they are disconnected and allows them to close their applications and log off.
b. If you force users to log off,
the maximum number of concurrent rebalance operations on remote desktops that require logoffs is
half the value of the Max concurrent View Composer maintenance operations setting.
3. Verify that provisioning for the desktop pool is enabled. When pool provisioning is disabled,
Horizon 7 stops the virtual machines from being customized after they are rebalanced.
4. If your deployment includes replicated View Connection Server instances, verify that all instances are the same version.
# Procedure
Option Action
To rebalance all virtual machines in the pool
a. In View Administrator, select Catalog > Desktop Pools.
b. Select the pool to rebalance by double-clicking the pool ID in the left column.
c. On the Inventory tab, click Machines.
d. Use the Ctrl or Shift keys to select all the machine IDs in the left column.
e. Select Rebalance from the View Composer drop-down menu.
To rebalance a single virtual machine
a. In View Administrator, select Resources > Machines.
b. Select the machine to rebalance by double-clicking the machine ID in the left column.
c. On the Summary tab, select Rebalance from the View Composer drop-down menu.
Cloud Pod Architecture - Global ADAM DB:
Note: Ports (22389) and location of the DB (vdiglobal) differ.
# Check replication neighbors
repadmin.exe /showrepl localhost:22389 dc=vdiglobal,dc=vmware,dc=int
# Check replication is not disabled:
repadmin /options localhost:22389
Note: results should be: Current DSA options: (none)
# Ensure replication is not disabled:
repadmin /options localhost:22389 -DISABLE_OUTBOUND_REPL -DISABLE_INBOUND_REPL
# Force replication:
repadmin.exe /replicate localhost:22389 remote-host-FQDN:22389 dc=vdiglobal,dc=vmware,dc=int
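The repadmin checks for the local AD LDS instance (port 389) and the Cloud Pod Architecture global instance (port 22389) produce the same output layout, so one parser serves both. The Python below is an added health check, not VMware or Microsoft tooling: it reads /showrepl output, flags inbound neighbors whose last attempt failed, and reads /options output for the DISABLE_*_REPL flags that L1367 says must not be present. The repadmin text embedded in the block is constructed to follow the /showrepl layout (server names, timestamps and the 1722 RPC error are made up); in practice you would pass the captured stdout of the two commands above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns for the INBOUND NEIGHBORS section of "repadmin /showrepl".
PARTNER_RE = re.compile(r"^\s+(?P<partner>\S+) via (?P<transport>\S+)\s*$")
ATTEMPT_RE = re.compile(
    r"Last attempt @ (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<ok>was successful)|failed, result (?P<code>\d+) \(0x[0-9a-fA-F]+\))"
)
FAILS_RE = re.compile(r"(?P<n>\d+) consecutive failure\(s\)")
# "repadmin /options" prints "Current DSA options: (none)" on a healthy instance.
OPTIONS_RE = re.compile(r"Current DSA options:\s*(?P<flags>.*)")
DISABLE_FLAGS = ("DISABLE_INBOUND_REPL", "DISABLE_OUTBOUND_REPL")


@dataclass
class Neighbor:
    partner: str
    transport: str
    last_attempt: str = ""
    healthy: bool = False
    error_code: Optional[int] = None
    error_text: str = ""
    consecutive_failures: int = 0


def parse_showrepl(text: str) -> List[Neighbor]:
    """Parse the inbound replication partners out of /showrepl output."""
    neighbors: List[Neighbor] = []
    current: Optional[Neighbor] = None
    expect_error_text = False
    for line in text.splitlines():
        m = PARTNER_RE.match(line)
        if m:
            current = Neighbor(m["partner"], m["transport"])
            neighbors.append(current)
            expect_error_text = False
            continue
        if current is None:
            continue
        if expect_error_text and line.strip():
            # The line after a failed attempt carries the Win32 error text.
            current.error_text = line.strip()
            expect_error_text = False
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            current.last_attempt = m["when"]
            current.healthy = m["ok"] is not None
            current.error_code = int(m["code"]) if m["code"] else None
            expect_error_text = not current.healthy
            continue
        m = FAILS_RE.search(line)
        if m:
            current.consecutive_failures = int(m["n"])
    return neighbors


def disabled_replication_flags(options_output: str) -> List[str]:
    """Flags in /options output that switch replication off for this instance."""
    m = OPTIONS_RE.search(options_output)
    flags = m["flags"].split() if m else []
    return [f for f in DISABLE_FLAGS if f in flags]


def replication_problems(showrepl_output: str, options_output: str) -> List[str]:
    """Human-readable findings; an empty list means the instance looks healthy."""
    findings = [f"replication disabled on this instance: {f}"
                for f in disabled_replication_flags(options_output)]
    for n in parse_showrepl(showrepl_output):
        if not n.healthy:
            findings.append(
                f"{n.partner}: {n.consecutive_failures} consecutive failure(s), "
                f"last result {n.error_code} ({n.error_text}) at {n.last_attempt}"
            )
    return findings


# Constructed /showrepl output for a three-server replica set: CS02 replicates
# fine, CS03 has been unreachable since 2024-02-27.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\CS01$VMwareVDMDS
DSA Options: (none)
Site Options: (none)

==== INBOUND NEIGHBORS ======================================

DC=vdi,DC=vmware,DC=int
    Default-First-Site-Name\\CS02$VMwareVDMDS via RPC
        Last attempt @ 2024-03-01 09:12:33 was successful.

    Default-First-Site-Name\\CS03$VMwareVDMDS via RPC
        Last attempt @ 2024-03-01 09:10:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        11 consecutive failure(s).
        Last success @ 2024-02-27 21:40:15.
"""
SAMPLE_OPTIONS = "Current DSA options: (none)"

if __name__ == "__main__":
    for finding in replication_problems(SAMPLE_SHOWREPL, SAMPLE_OPTIONS):
        print(finding)
```

A partner that keeps failing is the case to chase before touching FSMO roles or rebuilding a server: the error text and the "Last success" timestamp tell you how long the replica has been stale, which also bounds how much configuration (entitlements, pool changes) a restore from that server could lose.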
Horizon Instant Clone VM Antivirus
- Schedule antivirus and software updates to run at non-peak hours, when few users are likely to be logged in.
- Stagger or randomize when updates occur.
- Use agent-less antivirus software that is compatible with the VMware NSX Guest Introspection capabilities.
Schema master unavailability
The schema master node is deleted when a Connection Server instance is removed using vdmadmin -S command without a clean uninstallation of LDAP instance.
# Solution
1. If the installation error occurs due to the unavailability of the schema master node,
bring up all nodes in the LDAP cluster specified in the error message.
If bringing up all nodes in the LDAP cluster does not resolve the issue,
then the error can occur because the schema master node is removed from the cluster.
# Horizon server is version 2006 and later
2. If the schema master node is removed from the LDAP cluster, you must make another node the schema master node on the cluster.
a. To make the current node the schema master node on the cluster for a local LDAP instance, enter the following command:
vdmadmin -X -seizeSchemaMaster
b. To make the current node the schema master node on the cluster for a global LDAP instance in a Cloud Pod Architecture environment, enter the following command:
vdmadmin -X -seizeSchemaMaster -global
# If none of the nodes are upgraded to VMware Horizon version 2006 on the cluster
a. To make the current node the schema master node on the cluster for a local LDAP instance, enter the following command:
dsmgmt "roles" "connections" "connect to server localhost:389" "quit" "transfer schema master" "quit" "quit"
b. To make the current node the schema master node on the cluster for a global LDAP instance, enter the following command:
dsmgmt "roles" "connections" "connect to server localhost:22389" "quit" "transfer schema master" "quit" "quit"
Horizon 7 Sizing Limits and Recommendations
https://kb.vmware.com/s/article/2150348
UAG Secure Protocols
- PCoIP Secure Gateway connections are required if you use Unified Access Gateway appliances for PCoIP connections from outside the corporate network.
- Blast Secure Gateway connections are required if you use Unified Access Gateway appliances for Blast Extreme or HTML Access connections from outside the corporate network.
- Tunneled connections are required if you use Unified Access Gateway appliances for RDP connections from outside the corporate network and for USB and multimedia redirection (MMR) acceleration with a PCoIP or Blast Secure Gateway connection.
Horizon Pods
A Horizon pod is a unit of organization determined by VMware Horizon scalability limits. You can create a Horizon pod with a number of building blocks. Each Horizon pod is a unit of management and has a separate Horizon Console management user interface.
Restricting Remote Desktop Access
You can use the restricted entitlements feature to restrict remote desktop access based on the Horizon Connection Server instance that a user connects to.
With restricted entitlements, you assign one or more tags to a Connection Server instance. Then, when configuring a desktop pool, you select the tags of the Connection Server instances that you want to be able to access the desktop pool. When users log in through a tagged Connection Server instance, they can access only those desktop pools that have at least one matching tag or no tags.
For example, your VMware Horizon deployment might include two Connection Server instances. The first instance supports your internal users. The second instance is paired with a Unified Access Gateway appliance and supports your external users. To prevent external users from accessing certain desktops, you could set up restricted entitlements as follows:
- Assign the tag "Internal" to the Connection Server instance that supports your internal users.
- Assign the tag "External" to the Connection Server instance that is paired with the Unified Access Gateway appliance and supports your external users.
- Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
- Assign the "External" tag to the desktop pools that should be accessible only to external users.
External users cannot see the desktop pools tagged as Internal because they log in through the Connection Server tagged as External, and internal users cannot see the desktop pools tagged as External because they log in through the Connection Server tagged as Internal.
You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular Connection Server instance. For example, you can make certain desktop pools available only to users who have authenticated with a smart card.
The restricted entitlements feature enforces tag matching only; it does not control which Connection Server instance a client is able to reach. You must design your network topology so that each class of client can connect only through the intended Connection Server instance (in the example above, publish only the External-tagged instance through Unified Access Gateway and block external access to the Internal-tagged instance; an external user who can reach the Internal-tagged instance directly would see the Internal pools). Also note that a pool with no tags at all is visible through every Connection Server instance, so tag every pool deliberately rather than relying on the default.
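To review what each Connection Server instance actually exposes under these rules, the following added example (not VMware code and not a Horizon API; the server and pool names are constructed) models the tag-matching decision in Python. The rule for tagged servers is the one stated above; the treatment of an untagged Connection Server follows VMware's tag-matching table and is marked as an assumption in the code.

```python
# Added example (not VMware code): a model of Horizon restricted-entitlement
# tag matching, used to review which pools each Connection Server exposes.
# The tagged-server rule is the one the page states; the rows for an
# untagged Connection Server follow VMware's tag-matching table and are an
# assumption flagged below. Server and pool names are constructed.


def pool_visible(server_tags, pool_tags):
    """Can a user who logged in through a Connection Server carrying
    server_tags see a desktop pool carrying pool_tags?"""
    server_tags, pool_tags = set(server_tags), set(pool_tags)
    if not pool_tags:
        # A pool with no tags is visible through every Connection Server,
        # including the one paired with Unified Access Gateway.
        return True
    if not server_tags:
        # Assumption (VMware tag-matching table): an untagged server
        # cannot reach tagged pools.
        return False
    return bool(server_tags & pool_tags)


def visible_pools(server_tags, pools):
    """Sorted names of the pools reachable through a server with server_tags."""
    return sorted(name for name, tags in pools.items()
                  if pool_visible(server_tags, tags))


def untagged_pools(pools):
    """Pools reachable from every Connection Server because they carry no
    tag at all; each one should be reviewed and tagged deliberately."""
    return sorted(name for name, tags in pools.items() if not tags)


def exposure_report(servers, pools):
    """Map each Connection Server to the pools it exposes."""
    return {server: visible_pools(tags, pools)
            for server, tags in servers.items()}


# Constructed sample: the two servers from the page's scenario plus an
# untagged legacy server, and four pools, one of which nobody tagged.
SERVERS = {
    "cs-internal": {"Internal"},
    "cs-external": {"External"},   # paired with Unified Access Gateway
    "cs-legacy": set(),
}
POOLS = {
    "Finance-W10": {"Internal"},
    "Contractor-W10": {"External"},
    "SmartCard-Only": {"SmartCard"},
    "Kiosk": set(),
}

if __name__ == "__main__":
    for server, names in exposure_report(SERVERS, POOLS).items():
        print(f"{server:12s} -> {', '.join(names) or '(nothing)'}")
    print("untagged pools, reachable from everywhere:", untagged_pools(POOLS))
```

Running the report against a real tag inventory is the quickest way to catch the two usual mistakes: a pool left untagged (it shows up under the External-tagged server) and a pool tagged only for an authentication method, such as SmartCard, that no Connection Server carries (it shows up nowhere).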
Firewall Rules for Horizon Agent
To open the default network ports, the Horizon Agent installer optionally configures Windows firewall rules on virtual desktops and RDS hosts.
The Horizon Agent installer configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389.
# TCP and UDP Ports Opened During Horizon Agent Installation
Protocol                                 Ports
------------------------------------------------------------------------------------
Multimedia redirection (MMR)             TCP 9427
and client drive redirection (CDR)
PCoIP                                    RDS hosts: TCP 4172; UDP 4172 (bidirectional)
                                         Virtual desktops: TCP 4172 and 4173; UDP 4172 and 4182
Blast                                    TCP 22443; UDP 22443 (bidirectional)
HTML Access                              TCP 22443
Horizon Agent Services
Service Name                                   Startup Type   Description
---------------------------------------------------------------------------------------------------------------------
VMware Blast                                   Automatic      Provides services for HTML Access and for using the VMware Blast display protocol
                                                              for connecting with native clients.
--------------------------------------------------
VMware Horizon View Agent                      Automatic      Provides services for Horizon Agent.
--------------------------------------------------
VMware Horizon View Script Host                Disabled       Supports the running of start session scripts, if any, that configure desktop
                                                              security policies before a desktop session begins. Policies are based on the
                                                              client device and the user's location.
--------------------------------------------------
VMware Netlink Supervisor Service              Automatic      Supports the scanner redirection and serial port redirection features by providing
                                                              monitoring services for transferring information between kernel and user space processes.
--------------------------------------------------
VMware Scanner Redirection Agent               Automatic      Provides services for the scanner redirection feature.
--------------------------------------------------
VMware Serial Com Redirection Agent Service    Automatic      Provides services for the serial port redirection feature.
--------------------------------------------------
VMware Snapshot Provider                       Manual         Provides services for virtual machine snapshots, which are used for cloning.
--------------------------------------------------
VMware Tools                                   Automatic      Supports the synchronization of objects between the host and guest operating systems,
                                                              which enhances the performance of virtual machine guest operating systems and
                                                              improves the management of virtual machines.
Reinstall Horizon Connection Server with a Backup Configuration
In certain situations, you might have to reinstall the current version of a Connection Server instance and restore the existing VMware Horizon configuration by importing a backup LDIF file that contains the Horizon LDAP configuration data.
# Prerequisites
Verify that the Horizon LDAP configuration was backed up to an encrypted LDIF file.
# Procedure
1. Install Connection Server with a new configuration.
2. Decrypt the encrypted LDIF file.
vdmimport -d -p mypassword -f MyEncryptedexport.LDF > MyDecryptedexport.LDF
3. Import the decrypted LDIF file to restore the Horizon LDAP configuration.
vdmimport -f MyDecryptedexport.LDF
The decrypted file holds the complete Horizon LDAP configuration in clear text. Keep it on the Connection Server only for the duration of the import and delete it once the import has completed.
Note
At this stage, the VMware Horizon configuration is not yet accessible.
Clients cannot access Connection Server or connect to their desktops.
4. Uninstall the Connection Server from the computer by using the Windows Add/Remove Programs utility.
Note:
Do not uninstall the Horizon LDAP configuration, which is the AD LDS instance named VMwareVDMDS.
Use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS entry
is still present on the Windows Server computer.
5. Reinstall Connection Server.
At the installer prompt, accept the existing Horizon LDAP.
Modify the Certificate Friendly Name
To configure a Connection Server instance to recognize and use a TLS certificate, you must set the certificate's Friendly name to vdm. The Connection Server selects its server certificate by this Friendly name, which is why the procedure ends by checking that no other certificate carries it.
# Prerequisites
Verify that the server certificate is imported into the Certificates (Local Computer)
> Personal
> Certificates folder in the Windows Certificate Store.
See Import a Signed Server Certificate into a Windows Certificate Store.
# Procedure
1. In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node and select the Personal > Certificates folder.
2. Right-click the certificate that is issued to the VMware Horizon server host and click Properties.
3. On the General tab, delete the Friendly name text and type vdm.
4. Click Apply and click OK.
5. Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
a. Locate any other server certificate, right-click the certificate, and click Properties.
b. If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
Configuring View Storage Accelerator for vCenter Server
You can enable View Storage Accelerator on desktop pools that contain instant clones and desktop pools that contain full virtual machines. This feature uses the Content Based Read Cache (CBRC) feature in ESXi hosts. Instead of reading the entire OS or application from the storage system over and over, a host can read common data blocks from cache.
CBRC uses ESXi host memory to cache virtual machine disk data, which reduces the IOPS required and improves performance during boot storms, when many machines start up or run anti-virus scans at once. By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the storage array, which lets you use less storage I/O bandwidth to support your Horizon deployment. The feature is also beneficial when administrators or users load applications or data frequently.
You can enable or disable View Storage Accelerator globally and then enable or disable it for individual desktop pools. The steps to enable or disable View Storage Accelerator are different for instant-clone desktop pools and desktop pools that contain full virtual machines.
Important
If you plan to use this feature and you are using multiple Horizon pods that share some ESXi hosts,
you must enable the View Storage Accelerator feature for all pools that are on the shared ESXi hosts.
Having inconsistent settings in multiple pods can cause instability of the virtual machines on the shared ESXi hosts.
Enable View Storage Accelerator Globally in Horizon Console
# Procedure
1. In Horizon Console, navigate to Settings > Servers.
2. On the vCenter Server tab, click Add and complete the Add vCenter Server wizard pages that precede the Storage Settings page.
3. On the Storage Settings page, select Enable View Storage Accelerator.
This option is selected by default.
4. Specify a default host cache size.
The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance.
The default value is 1,024MB. The cache size must be between 100MB and 32,768MB.
5. To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache size.
a. In the Host cache dialog box, check Override default host cache size.
b. Type a Host cache size value between 100MB and 32,768MB and click OK.
6. On the Storage Settings page, click Next.
7. After reviewing the settings on the Ready to Complete page, click Submit.
Enabling View Storage Accelerator for Individual Desktop Pools
For instant clone pools, View Storage Accelerator is only needed for replica virtual machines. This is enabled automatically for individual pools and cannot be turned off on a pool level.
How to remove View Composer from Horizon
All linked-clone desktop pools must be deleted before View Composer can be removed from Horizon.
# Procedure
1. Remove the linked-clone desktop pools created by View Composer.
a. In Horizon Console, select Inventory > Desktops.
b. Select a linked-clone desktop pool and click Delete.
A dialog box warns that you will permanently delete the linked-clone desktop pool from Horizon.
If the linked-clone virtual machines are configured with persistent disks, you can detach or delete the persistent disks.
c. Click OK.
The virtual machines are deleted from vCenter Server. In addition,
the associated View Composer database entries and the replicas created by View Composer are removed.
d. Repeat these steps for each linked-clone desktop pool created by View Composer.
2. Navigate to Settings > Servers.
3. On the vCenter Servers tab, select the vCenter Server instance with which View Composer is associated.
4. Click Edit.
5. On the View Composer tab, under View Composer Server Settings, select Do not use View Composer, and click OK.
Upgrade Connection Servers in a Replicated Group - In-place Upgrade
This procedure describes upgrading Connection Server instances. This procedure describes an in-place upgrade.
# Procedure
1. If you are using a load balancer to manage a group of Connection Server instances,
disable the server that hosts the Connection Server instance that you are about to upgrade.
a. Log in to Horizon Console.
b. Go to Settings > Servers and click the Connection Servers tab.
c. Select the Connection Server instance in the list and click the Disable button above the table.
d. To confirm disabling the server, click OK.
2. On the host of the Connection Server instance, download and run the installer for the new version of Connection Server.
You do not need to stop any services before performing the upgrade. The installer stops and restarts services as necessary.
In fact, the VMwareVDMDS service must be running to upgrade the Horizon LDAP database.
The installer determines that an older version is already installed and performs an upgrade.
The installer displays fewer installation options than during a fresh installation.
The Horizon LDAP database is also upgraded.
3. Verify that the VMware Horizon Connection Server service restarts after the installer wizard closes.
4. Log in to VMware Horizon and enable the Connection Server instance that you just upgraded.
a. Go to Settings > Servers and click the Connection Servers tab.
b. Select the Connection Server instance in the list and click the Enable button above the table.
c. In the Version column, verify that the new version is displayed.
5. Go to Settings > Product Licensing and Usage, click Edit License, enter the license key, and click OK.
6. If you are using a load balancer for managing this Connection Server instance, enable the server that you just upgraded.
7. Verify that you can log in to a remote desktop.
8. To upgrade each Connection Server instance in the group, repeat the previous steps.
9. Use the vdmexport.exe utility to back up the newly upgraded Horizon LDAP database.
If you have multiple instances of Connection Server in a replicated group, you need only export the data from one instance.
10. Log in to and examine the Horizon Console to verify that the vCenter Server icon is green.
Upgrade to the Latest Version of Connection Server on a Different Machine
As part of your upgrade, you can migrate Connection Server to a new machine.
# Procedure
1. Verify that an upgraded instance of Connection Server is running and is accessible to the new machine where you plan to install Connection Server.
When you install Connection Server on the new host, you will point to this existing instance.
2. On the new machine, install a replicated instance of Connection Server.
The Horizon LDAP on the new instance will replicate that of the upgraded source instance.
3. If applicable, uninstall Connection Server from the old host by using the Windows Add/Remove Programs utility.
4. In Horizon Console, go to Settings > Servers > Connection Servers tab and determine whether
the Connection Server instance that was uninstalled still appears in the list.
5. If the uninstalled Connection Server instance still appears in the list, use a vdmadmin command to remove it.
vdmadmin.exe -S -s server_name -r
# Results
A new instance of Connection Server is added to a group and an old instance is removed.
# What to do next
Upgrade the other VMware Horizon servers.
icmaint.cmd utility
Use the icmaint.cmd utility to mark a host for maintenance with the ON option.
Note:
Marking a host for maintenance deletes the parent VMs (the per-host copies of the golden image from which instant clones are forked) from that ESXi host. The golden image VM itself in vCenter Server is not affected.
Upgrading vSphere Components Separately in a VMware Horizon Environment
If you upgrade vSphere components separately from VMware Horizon components, you must back up some VMware Horizon data and reinstall some VMware Horizon software.
When you upgrade vSphere components separately from VMware Horizon components, you must perform the following additional tasks:
- Before you upgrade vCenter Server, back up the vCenter Server database.
- Before you upgrade vCenter Server, back up the Horizon Directory database from a Horizon Connection Server instance by using the vdmexport.exe utility.
Setting Up Virtual Desktops in Horizon
Activating Windows on Instant Clones
To activate Windows with volume activation, you use Key Management Service (KMS), which requires a KMS license key.
Before you create an instant-clone desktop pool, you must use volume activation to activate Windows on the golden image.
Disable Windows Hibernation in the Golden Image
Disabling hibernation reduces the size of an instant clone's virtual disk.
# Command
powercfg.exe /hibernate off
ClonePrep
ClonePrep is a VMware customization process run during instant clone deployment to personalize each desktop clone created from the parent image. During the initial startup of each desktop, ClonePrep:
- Creates a new computer account in Active Directory for each desktop.
- Gives the instant clone desktop a new name.
- Joins the desktop to the appropriate domain.
Functional differences between ClonePrep and SysPrep
Function                                          ClonePrep   Sysprep
----------------------------------------------------------------------------
Removing local accounts                           No          Yes
Changing Security Identifiers (SID)               No          Yes
Removing parent from domain                       No          Yes
Changing computer name                            Yes         Yes
Joining the new instance to the domain            Yes         Yes
Generating new SID                                No          Yes
Language, regional settings, date, and time       No          Yes
customization
Number of reboots                                 0           2
Requires configuration file and Sysprep           No          Yes
KMS license activation                            Yes         No (performed by Agent)
Post customization script, pre-shutdown script    Yes         No
ClonePrep Guest Customization
ClonePrep ensures that all instant clones join an Active Directory domain. The clones have the same computer security identifiers (SIDs) as the golden image. ClonePrep also preserves the globally unique identifiers (GUIDs) of applications, although some applications generate a new GUID during customization.
ClonePrep uses the Windows CreateProcess API to run scripts.
Enable NVIDIA GRID vGPU for Instant-Clone Pools
You can configure NVIDIA GRID vGPU in ESXi hosts and in the golden image in vSphere Client. If you are only using a single vGPU profile per vSphere cluster, set the GPU assignment policy for all GPU hosts within the cluster to the best performance mode in order to maximize performance.
NVIDIA GRID vGPU has these potential constraints:
- RDP is not supported.
- The virtual machines must be hardware version 11 or later.
Procedure
1. Install NVIDIA GRID vGPU in the physical ESXi hosts.
2. In vCenter Server hardware graphics configuration, select the Host Graphics tab, and in Edit Host Graphics Settings,
select Shared Direct.
Note: ESXi host uses the NVIDIA GRID card for vGPU.
3. Prepare a golden image with NVIDIA GRID vGPU configured, including selecting the vGPU profile you want to use.
4. Take a snapshot of the golden image.
5. In Horizon Console, when you create an instant-clone pool, select this golden image and snapshot.
Supported hardware graphics cards
Preparing for vDGA Capabilities
Virtual Dedicated Graphics Acceleration (vDGA) provides direct pass-through to a physical GPU, providing a user with unrestricted, dedicated access to a single GPU. Before you attempt to create a desktop pool that has vDGA capabilities, you must perform certain configuration tasks on the virtual machines and ESXi hosts.
# Procedure
1. Install the graphics card on the ESXi host.
2. Verify that VT-d or AMD IOMMU is enabled on the ESXi host.
3. Enable pass-through for the GPU in the ESXi host configuration and reboot.
4. Add a PCI device to the virtual machine and select the appropriate PCI device to enable GPU pass-through on the virtual machine.
5. Reserve all memory when creating the virtual machine.
6. Configure virtual machine video card 3D capabilities.
7. Obtain the GPU drivers from the GPU vendor and install the GPU device drivers in the guest operating system of the virtual machine.
8. Install VMware Tools and Horizon Agent in the guest operating system and reboot.
9. After you perform these tasks, you must add the virtual machine to a manual desktop pool
so that you can access the guest operating system using PCoIP or VMware Blast Extreme.
In a PCoIP or VMware Blast session, you can then activate the NVIDIA, AMD, or Intel display adapter in the guest operating system.
Patching an Instant-Clone Desktop Pool
To patch a pool of instant-clone desktops, you can use the push-image operation for a rolling patching process with zero downtime.
The workflow for the patching process includes the following steps:
- Prepare a new golden image and snapshot based on the updated operating system image or applications.
- Schedule a push-image operation with the updated golden image and snapshot. When the push-image operation starts, Horizon deletes old instant-clone desktops that are unused and quickly creates new instant clones based on the new image. The new clones are ready for users to log in.
- Old instant-clone desktops that are in-use remain undisturbed. When the user logs out, Horizon deletes the old instant clone and recreates a new instant clone based on the updated image. The new instant clone is ready for the next user to log in.
- Once all the users have logged out, Horizon patches the entire pool.
# Procedure
1. In Horizon Console, select Inventory > Desktops
2. Click the pool ID.
3. On the Summary tab, click Maintain > Schedule.
The Schedule Push Image window opens.
4. Follow the prompts.
You can schedule the task to start immediately or sometime in the future.
For clones with user sessions, you can specify whether to force the users to log out or to wait.
When the users log out, Horizon recreates the clones.
5. Click Finish.
Reschedule or Cancel a Push-Image Operation
You can reschedule or cancel a push-image operation on an instant-clone desktop pool.
# Procedure
1. In Horizon Console, select Inventory > Desktops.
2. Click the pool ID.
The Summary tab shows the current image and pending image information.
3. Select Maintain > Reschedule or Maintain > Cancel.
4. Follow the prompts.
Instant-Clone Maintenance Utilities
On the Connection Server are three utilities that you can use for the maintenance of instant-clone VMs in vCenter Server and the clusters that the VMs are in.
# Located in C:\Program Files\VMware\VMware View\Server\tools\bin
a. IcMaint.cmd
b. IcUnprotect.cmd
c. IcCleanup.cmd
IcMaint.cmd
Typically, when you put the ESXi host into maintenance mode, Horizon will automatically delete the parent VM so that the host can go into maintenance mode without any manual intervention.
After the command is run on the host, the InstantClone.Maintenance annotation value is set to 1 and the golden image VMs are deleted. After the golden image VMs are deleted, the InstantClone.Maintenance annotation value is set to 2 and no more golden image VMs are created on the host. When you run this command again with -maintenance OFF, the InstantClone.Maintenance annotation value is cleared for the host to become available for hosting golden image VMs.
# Syntax:
IcMaint.cmd -vc hostname_or_IP_address -uid user_ID -hostName ESXi_hostname -maintenance ON|OFF
Parameters:
-vc host name or IP address of vCenter Server
-uid vCenter Server user ID
-hostName ESXi host name
-maintenance ON|OFF
IcUnprotect.cmd
After ClonePrep creates folders and VMs, you can use this utility to unprotect folders and VMs, delete VMs, and detect VMs whose golden image or snapshot is deleted. ClonePrep is the mechanism that customizes instant clones during the creation process.
An internal service for instant clones that runs during instant clone operations detects whether any internal folders need to be reprotected. If these folders are not empty, the service automatically protects them again.
Syntax:
icunprotect.cmd [-action <ACTION>] -vc <vCenter name | IP> -uid <UID> [-password <PASSWORD>] [-clientId <CLIENT_ID>] [-domain <domain names>] [-host <host names>] [-datastore <datastore names>] [-vmName <VM names>] [-vmType <VM types>] [-includeFolders] [-skipCertVeri]
Parameters:
-action
You can use the following options for this parameter:
a. unprotect. Unprotect internal VMs.
b. delete. Delete internal VMs.
c. detect. Detect and list internal VMs whose golden image or snapshot is deleted.
If you don't specify the -action parameter, the internal VMs are unprotected by default.
-vc host name or IP address of vCenter Server
-uid vCenter Server user ID
-password vCenter Server password (Optional)
-clientId instant-clone client ID (Optional)
If clientId is not specified, protection is removed from all ClonePrep VMs in all data centers.
-domain domain name (Optional)
You can use multiple domain names separated by comma and no space.
-host host name (Optional)
You can use multiple host names separated by comma and no space.
-datastore datastore name (Optional)
You can use multiple datastore names separated by comma and no space.
-vmName internal VM name (Optional)
You can use multiple VM names separated by comma and no space.
-vmType internal VM type, for example replica (Optional)
You can use multiple VM types separated by comma and no space.
-includeFolders also unprotect the internal folders (Optional)
-skipCertVeri skip the vCenter Server certificate verification (Optional)
Option names are case-sensitive: -includeFolders is accepted, -includefolders is rejected as an unrecognized option.
IcCleanup.cmd
You can use this utility to unprotect and delete some or all of the internal VMs created by instant clones. This utility also provides a list command to group internal VMs into the hierarchical structure according to their golden VM and the snapshot used to create the instant clone pool.
# Syntax:
iccleanup.cmd -vc vcName -uid userId [-skipCertVeri] [-clientId clientUuid]
Parameters:
-vc host name or IP address of vCenter Server
-uid vCenter Server user ID
-skipCertVeri Skip the vCenter Server certificate verification (Optional)
-clientId Client UUID
the unique ID for the server cluster made up of Connection Server and one or more replica servers. (Optional)
Configuring All Desktop Pool Types
Using a Naming Pattern for Desktop Pools
You can provision the machines in a pool by providing a naming pattern and the total number of machines you want in the pool. By default, Horizon uses your pattern as a prefix in all the machine names and appends a unique number to identify each machine.
Length of the Naming Pattern in a Machine Name
Machine names have a 15-character limit, including your naming pattern and the automatically generated number.
# Maximum Length of the Naming Pattern in a Machine Name
If You Set This Number of Machines in the Pool This Is the Maximum Prefix Length
1-99 13 characters
100-999 12 characters
1,000 or more 11 characters
Using a Token in a Machine Name
You can place the automatically generated number anywhere else in the name by using a token. When you type the pool name, type n surrounded by curly brackets to designate the token.
When a machine is created, Horizon replaces {n} with a unique number. To generate a fixed-length, zero-padded number, use the token form:
# Token
{n:fixed=number of digits}
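The following added example (not VMware code) applies the naming rules above in Python: it derives the prefix limit from the table, expands {n} and {n:fixed=K} tokens, and flags patterns that would produce a machine name longer than 15 characters. It assumes that without a token the number is appended directly after the pattern with no separator, and that a pool holds at most 9,999 machines; the sample patterns are constructed.

```python
# Added example (not VMware code): validate and expand a Horizon desktop-pool
# naming pattern under the rules stated on the page. Assumptions: no separator
# is inserted between a token-less pattern and its number, and pools have at
# most 9,999 machines (so at most 4 digits are ever reserved).
import re

MAX_NAME_LEN = 15  # Windows computer-name limit the page states
TOKEN_RE = re.compile(r"\{n(?::fixed=(\d+))?\}")


def suffix_width(machine_count):
    """Digits reserved for the automatic number, per the page's table:
    1-99 -> 2, 100-999 -> 3, 1,000 or more -> 4."""
    return max(2, len(str(machine_count)))


def max_prefix_length(machine_count):
    """Longest prefix allowed when the pattern has no {n} token."""
    return MAX_NAME_LEN - suffix_width(machine_count)


def expand_pattern(pattern, machine_count, start=1):
    """Machine names the pattern yields for numbers start..start+count-1."""
    match = TOKEN_RE.search(pattern)
    names = []
    for i in range(start, start + machine_count):
        if match is None:
            names.append(f"{pattern}{i}")          # assumption: direct append
        else:
            width = match.group(1)
            number = str(i).zfill(int(width)) if width else str(i)
            names.append(pattern[:match.start()] + number + pattern[match.end():])
    return names


def validate_pattern(pattern, machine_count):
    """Return a list of problems; an empty list means the pattern is usable."""
    problems = []
    match = TOKEN_RE.search(pattern)
    if match is None:
        limit = max_prefix_length(machine_count)
        if len(pattern) > limit:
            problems.append(f"prefix is {len(pattern)} chars; "
                            f"max is {limit} for {machine_count} machines")
    else:
        width = match.group(1)
        if width and int(width) < len(str(machine_count)):
            problems.append(f"fixed width {width} cannot number "
                            f"{machine_count} machines")
    for name in expand_pattern(pattern, machine_count):
        if len(name) > MAX_NAME_LEN:
            problems.append(f"{name!r} is {len(name)} chars; "
                            f"limit is {MAX_NAME_LEN}")
            break  # one offending name is enough to reject the pattern
    return problems


if __name__ == "__main__":
    # Constructed sample patterns.
    for pat, n in [("VDI-{n:fixed=3}", 250), ("SYD-{n}-PRD", 20),
                   ("AUS-FINANCE-W10", 100), ("VDI-{n:fixed=2}", 250)]:
        print(f"{pat:18s} x{n:<5d} -> {validate_pattern(pat, n) or 'OK'}")
```

Checking the pattern before creating the pool matters because the name also becomes the Active Directory computer account that ClonePrep creates; a pattern that overflows the limit is cheaper to catch here than after provisioning has started.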
Examining GPU Resources on an ESXi Host
To better manage the GPU resources that are available on an ESXi host, you can examine the current GPU resource reservation. The ESXi command-line query utility, gpuvm, lists the GPUs that are installed on an ESXi host and displays the amount of GPU memory that is reserved for each virtual machine on the host. Note that this GPU memory reservation is not the same as virtual machine VRAM size.
# To run the utility
type gpuvm from a shell prompt on the ESXi host.
You can use a console on the host or an SSH connection.
Reducing Storage Requirements with Instant Clones
Instant clones leverage vSphere vmFork technology to quiesce a running base image, or parent VM, and rapidly create and customize a pool of virtual desktops.
Instant clones share the virtual disks with the parent VM at the time of creation. Each instant clone acts like an independent desktop with a unique host name and IP address, yet the instant clone requires significantly less storage. Instant clones reduce the required storage capacity by 50 to 90 percent.
Configure View Storage Accelerator for Desktop Pools
You can enable View Storage Accelerator on pools that contain instant clones and on pools that contain full-clone virtual machines. This feature uses the Content Based Read Cache (CBRC) feature in ESXi hosts.
CBRC uses ESXi host memory to cache virtual machine disk data, reduce IOPS, and improve performance during boot storms, when many machines start up or run anti-virus scans at once. By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the storage array, which lets you use less storage to support your Horizon deployment. The feature is also beneficial when administrators or users load applications or data frequently.
When a virtual machine is created, Horizon indexes the contents of each virtual disk file. The indexes are stored in a virtual machine digest file. At runtime, the ESXi host reads the digest files and caches common blocks of data in memory. To keep the ESXi host cache up to date, Horizon regenerates the digest file at regular intervals.
After View Storage Accelerator is enabled globally, you can enable or disable it for individual full-clone desktop pools. For instant-clone desktop pools, View Storage Accelerator is only needed for replica VMs and is enabled automatically for individual pools. It cannot be turned off on a pool level. To disable, you must disable View Storage Accelerator globally, and this step will also disable the feature for full clone pools.
# Procedure
1. In Horizon Console, display the Advanced Storage Options tab in the pool creation wizard.
Option                            Description
-----------------------------------------------
New desktop pool (recommended)    Start the Add Pool wizard to begin creating an automated desktop pool.
                                  Follow the wizard configuration prompts until you reach the Advanced Storage Options page.
Existing desktop pool             Select the existing pool, click Edit, and click the Advanced Storage Options tab.
                                  If you modify View Storage Accelerator settings for an existing desktop pool,
                                  the changes do not take effect until the virtual machines in the desktop pool are powered off.
2. To enable View Storage Accelerator for the pool, make sure that the Use View Storage Accelerator check box is selected.
This setting is selected by default. To disable the setting, uncheck the Use View Storage Accelerator box.
You cannot select a disk type. View Storage Accelerator is performed on the whole virtual machine.
3. (Optional) In the Regenerate storage accelerator after text box, specify the interval, in days,
after which the View Storage Accelerator digest files are regenerated.
Note: The default regeneration interval is seven days.
Reclaim Disk Space for vSphere 6.7U1 and later on vSAN datastores
This topic is relevant if you are using vSAN datastores. Prior to vSphere with vSAN 6.7U1, there is no space reclamation support. Starting with 6.7U1, vSAN space reclamation is supported with the vCenter UNMAP feature on vSAN datastores. It is disabled by default.
# Procedure
1. Check whether the UNMAP feature is enabled on the ESXi host.
Run the following commands from the ESXi command line:
esxcfg-advcfg -g /VSAN/GuestUnmap
Before guest UNMAP is enabled, the output is: The value of the "GuestUnmap" option is 0.
esxcfg-advcfg -g /VSAN/Unmap
Expected output: The value of the "Unmap" option is 1.
2. Enable guest UNMAP on all ESXi hosts.
Run the following command:
esxcfg-advcfg -s 1 /VSAN/GuestUnmap
Then confirm that guest UNMAP is now enabled:
esxcfg-advcfg -g /VSAN/GuestUnmap
Expected output: The value of the "GuestUnmap" option is 1.
Creating RDS Desktop Pools
One of the tasks that you perform to give users remote access to session-based desktops is to create a Remote Desktop Services (RDS) desktop pool. An RDS desktop pool has properties that can satisfy some specific needs of a remote desktop deployment.
An RDS desktop pool is one of three types of desktop pools that you can create. This type of pool was known as a Microsoft Terminal Services pool in previous Horizon 7 releases.
An RDS desktop pool and an RDS desktop have the following characteristics:
- An RDS desktop pool is associated with a farm, which is a group of RDS hosts. Each RDS host is a Windows server that can host multiple RDS desktops.
- An RDS desktop is based on a session to an RDS host. In contrast, a desktop in an automated desktop pool is based on a virtual machine, and a desktop in a manual desktop pool is based on a virtual or physical machine.
- An RDS desktop supports the RDP, PCoIP, and VMware Blast display protocols.
- An RDS desktop pool is only supported on Windows Server operating systems that support the RDS role and are supported by Horizon 7.
- Horizon 7 provides load balancing of the RDS hosts in a farm by directing connection requests to the RDS host that has the least number of active sessions.
- Because an RDS desktop pool provides session-based desktops, it does not support operations that are specific to a linked-clone desktop pool, such as refresh, recompose, and rebalance.
- If an RDS host is a virtual machine that is managed by vCenter Server, you can use snapshots as base images. You can use vCenter Server to manage the snapshots. The use of snapshots on RDS host virtual machines is transparent to Horizon 7.
Windows Services and Tasks That Cause Disk Growth in Instant Clones and Linked Clones
Certain services and tasks in Windows 7, Windows 8/8.1, and Windows 10 can cause the OS disk of an instant clone or linked clone to grow incrementally, even when the machine is idle. If you disable these services and tasks, you can control the OS disk growth.
Services that affect OS disk growth also generate I/O operations. You can evaluate the benefits of disabling these services for full clones as well.
# Service or Task
1. Windows Hibernation
2. Windows Scheduled Disk Defragmentation
3. Windows Update Service
4. Windows Diagnostic Policy Service
5. Prefetch/Superfetch
6. System Restore
7. Microsoft Feeds Synchronization task (msfeedssync.exe)
Optimize Guest Operating System Performance
Instant clone provisioning fails with error - VM exceeds maximum supported disk size per VM (70950)
# Cause
1. The View Storage Accelerator feature has a limit of 512GB on the maximum combined size of all disks attached to a VM.
2. The View Storage Accelerator feature is automatically enabled for Instant Clone pools.
# Resolution
Create a primary (golden) image in which the total combined size of all attached disks is less than 512GB.
Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones
https://kb.vmware.com/s/article/2144808
# Method 1 - From vSphere Client
1. Select the host that you want to put in maintenance mode.
If you are using the vSphere web client, make sure that the plug-in to edit Annotations is installed.
2. Look up Annotations in the host's Summary tab and set InstantClone.Maintenance to 1
3. Wait up to 3 minutes and the parent VMs on this host will be deleted. Also, the value for InstantClone.Maintenance will change to 2
4. Put the host in maintenance mode.
Note: This host will no longer be used for provisioning
5. Perform maintenance
6. Take the host out of maintenance mode
7. Clear the InstantClone.Maintenance annotation value
8. As new provisioning happens, parent VMs and then instant clones will be created on this host
# Method 2 - From Connection Server
1. From the Connection Server, run IcMaint.cmd to delete the parent VMs and put the host in maintenance mode (and, with -maintenance OFF, to take it out again). The syntax is documented at:
https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.desktops.doc/GUID-6025D684-2E05-4857-9C24-18F16DDC38FD.html
IcMaint.cmd -vc <host name or IP address of vCenter Server> -uid <vCenter Server user ID> -hostname <ESXi host name> -maintenance ON|OFF
Desktop pool maintenance and cleanup
Orphaned Instant Clones https://subscription.packtpub.com/book/virtualization_and_cloud/9781782170167/8/ch08lvl1sec78/modifying-cluster-settings
VMware Horizon – Desktop Pool Maintenance & Cleanup https://tech.iot-it.no/vmware/vmware-horizon-view-7-6/vmware-horizon-desktop-pool-maintenance-cleanup/
How to delete VMware Horizon Instant Clones https://virtualizationreview.com/articles/2020/04/30/delete-instant-clones.aspx
Instant Clone Maintenance Utilities https://docs.vmware.com/en/VMware-Horizon-7/7.13/virtual-desktops/GUID-6025D684-2E05-4857-9C24-18F16DDC38FD.html
PS C:\Program Files\VMware\VMware View\Server\tools\bin> .\icunprotect.cmd -action unprotect -vc vCenter-FQDN -uid vcenter-admin -password vcenteradmin-passsword -host esxihost.fqdn -vmType replica -includefolders -skipCertVeri
2022-09-19 12:24:11,338 - ERROR (Logger.java:88)[error] - org.apache.commons.cli.UnrecognizedOptionException: Unrecognized option: -includefolders
usage: icunprotect.cmd [-action <ACTION>] -vc <vCenter name | IP> -uid <UID> [-password <PASSWORD>] [-clientId <CLIENT_ID>] [-domain <multiple domain names separated by ',' no space>] [
-host <multiple host names separated by ',' no space>] [-datastore <multiple datastore names separated by ',' no space>] [-vmName <multiple VM names separated by ',' no space>] [-vmType
<multiple VM types separated by ',' no space>] [-includeFolders] [-skipCertVeri]
Unprotect specified Internal VMs for ClonePrep
-action <ACTION> Action : unprotect/delete/detect(Detect and list Internal vms whose master vm/snapshot is deleted)
-vc <vCenter name | IP> *vCenter hostname/ip
-uid <UID> *vCenter User Id
-password <PASSWORD> *vCenter password
-clientId <CLIENT_ID> Instant Clone Client Id (Optional)
-domain <multiple domain names separated by ',' no space> Domain Names (Optional)
-host <multiple host names separated by ',' no space> Host Names (Optional)
-datastore <multiple datastore names separated by ',' no space> Datastore Names (Optional)
-vmName <multiple VM names separated by ',' no space> VM Names (Optional)
-vmType <multiple VM types separated by ',' no space> Internal VM types (Optional) : template, replica, parent
-includeFolders Unprotect folders also
-skipCertVeri Skip Certification Verification
* Required arguments
If no action is provided, then do unprotect.
If no clientId is provided then protection will be removed from all ClonePrep VMs in all datacenters
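The session above failed only because the option was typed as `-includefolders`: the tool's options are case-sensitive and the usage text spells it `-includeFolders`. The wrapper below is an added helper, not part of Horizon, that builds the argument list with the exact spellings from the usage text and defaults to the non-destructive `detect` action so the list of orphaned internal VMs can be reviewed before anything is unprotected or deleted. The tool path is the one shown in the session; vCenter, user and host names are placeholders, and it is an assumption that the tool prompts for the password when `-password` is omitted.

```powershell
# Added helper (not part of Horizon): wraps icunprotect.cmd so the option names are
# always passed with the case the tool expects (-includeFolders, -skipCertVeri, -vmType).
# Runs on the Connection Server. Names used in the usage lines are placeholders.
function Invoke-IcUnprotect {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('detect', 'unprotect', 'delete')][string]$Action = 'detect',
        [Parameter(Mandatory)][string]$VCenter,
        [Parameter(Mandatory)][string]$Uid,
        [string[]]$Hosts,
        [string[]]$Datastores,
        [string[]]$VmNames,
        [ValidateSet('template', 'replica', 'parent')][string[]]$VmType,
        [switch]$IncludeFolders,
        [switch]$SkipCertVerification,
        [string]$ToolPath = 'C:\Program Files\VMware\VMware View\Server\tools\bin\icunprotect.cmd'
    )
    if (-not (Test-Path $ToolPath)) { throw "icunprotect.cmd not found at $ToolPath" }

    $cmdArgs = @('-action', $Action, '-vc', $VCenter, '-uid', $Uid)
    # Multi-value options take a comma-separated list with no spaces (see usage text).
    if ($Hosts)      { $cmdArgs += @('-host',      ($Hosts      -join ',')) }
    if ($Datastores) { $cmdArgs += @('-datastore', ($Datastores -join ',')) }
    if ($VmNames)    { $cmdArgs += @('-vmName',    ($VmNames    -join ',')) }
    if ($VmType)     { $cmdArgs += @('-vmType',    ($VmType     -join ',')) }
    if ($IncludeFolders)       { $cmdArgs += '-includeFolders' }   # camel case matters
    if ($SkipCertVerification) { $cmdArgs += '-skipCertVeri' }
    # -password is deliberately not passed so it does not end up in shell history or
    # transcripts; assumption: the tool prompts for it interactively when omitted.

    if ($PSCmdlet.ShouldProcess("$VCenter [$($Hosts -join ',')]", "icunprotect $Action")) {
        & $ToolPath @cmdArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "icunprotect.cmd exited with code $LASTEXITCODE" }
    }
}

# Usage: list orphaned internal VMs first, then unprotect replicas on one host after review.
Invoke-IcUnprotect -Action detect -VCenter 'vcenter.example.internal' -Uid 'administrator@vsphere.local'
Invoke-IcUnprotect -Action unprotect -VCenter 'vcenter.example.internal' -Uid 'administrator@vsphere.local' `
    -Hosts 'esxi01.example.internal' -VmType replica -IncludeFolders -WhatIf
```

Drop `-WhatIf` once the `detect` output matches what you expect; `delete` should follow `unprotect` only for objects that appeared in that list.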
# Horizon Instant Clone Maintenance
https://www.vbrit.net/horizon/horizon-instant-clone-maintenance
# Horizon v7.13 and onward - Unprotecting and deleting Horizon Instant Clone objects
https://vmwarebits.com/unprotectinstantclones
# Manually deleting replica virtual machines in VMware Horizon View (1008704)
https://kb.vmware.com/s/article/1008704
# How to delete orphaned Instant Clones Template and Replica VM’s?
https://roderikdeblock.com/how-to-delete-orphaned-instant-clones-template-and-replica-vms/
For View Composer 3.0 (View 5.1 and later), run this command:
sviconfig -operation=UnprotectEntity -DsnName=name_of_DSN -DbUsername=Composer_DSN_User_Name -DbPassword=Composer_DSN_Password -VcUrl=https://vCenter_Server_address/sdk -VcUsername=Domain\User_of_vCenter_Server_account_name -VcPassword=vCenter_Server_account_password -InventoryPath=/Datacenter_name/vm/VMwareViewComposerReplicaFolder/Replica_Name -Recursive=true
# Instant-Clone Maintenance Utilities
https://docs.vmware.com/en/VMware-Horizon-7/7.10/virtual-desktops/GUID-6025D684-2E05-4857-9C24-18F16DDC38FD.html
# Finding and removing unused replica virtual machines in the VMware Horizon View (2009844)
https://kb.vmware.com/s/article/2009844
# Removing Old cp-templates, cp-replicas, and cp-parents
https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Removing-Old-cp-templates-cp-replicas-and-cp-parents/td-p/1835420
# Horizon View 7 orphaned VM
https://open-sourced.be/horizon-view-7-orphaned-vm/
Horizon Agents Uninstallation
# Run elevated. Order matters: remove the agents first and VMware Tools last, since the agents depend on it.
#Un-installing VMware App Volumes Agent
Write-Host "Un-installing the App Volumes Agent" -ForegroundColor Green
Get-Package -Name 'App Volumes *' | Uninstall-Package
Start-Sleep -Seconds 60
#Un-installing VMware Horizon Client (left commented out; enable only on machines that also have the client installed)
#Write-Host "Un-installing the VMware Horizon Client" -ForegroundColor Green
#Get-Package -Name 'VMware Horizon Cli*' | Uninstall-Package
#Start-Sleep -Seconds 60
#Un-installing VMware Dynamic Environment Manager Agent
Write-Host "Un-installing the Dynamic Environment Agent" -ForegroundColor Green
Get-Package -Name 'VMware Dynamic *' | Uninstall-Package
Start-Sleep -Seconds 60
#Un-installing VMware Horizon Agent
Write-Host "Un-installing the VMware Horizon Agent" -ForegroundColor Green
Get-Package -Name 'VMware Horizon Ag*' | Uninstall-Package
Start-Sleep -Seconds 60
#Un-installing VMware Tools (last, after every agent that depends on it)
Write-Host "Un-installing the VMware Tools Agent" -ForegroundColor Green
Get-Package -Name 'VMware Tools' | Uninstall-Package
Start-Sleep -Seconds 60
# Restart the computer
Write-Host "Restarting the computer post the VMware EUC Agents Un-install" -ForegroundColor Green
Restart-Computer -Force
VMware Horizon 7 – Cloud Pod Architecture
https://www.carlstalhood.com/vmware-horizon-7-cloud-pod-architecture/
Sample Windows 10 Gold Image Creation
https://www.ituda.com/vmware-horizon-view-windows-10-golden-image-creation/
The Horizon OS Optimization Tool (OSOT) applies many of the settings mentioned in the article.
Horizon 8 Master Virtual Desktop
https://www.carlstalhood.com/vmware-horizon-8-master-virtual-desktop/
Create Optimized Windows Master Image
https://techzone.vmware.com/manually-creating-optimized-windows-images-vmware-horizon-vms#overview
https://www.carlstalhood.com/vmware-horizon-7-master-virtual-desktop/
VMware Horizon View agent “Configuration Error”
https://www.virtual-allan.com/vmware-horizon-view-agent-configuration-error/
In the Horizon View admin GUI, it was standing with “Waiting for other agents to start” or something like that, and after a while it just said “configuration error”. I did some searching, but I did not find anything about this error, so it was time for some hardcore troubleshooting.
So first I looked at the logs on the View Connection Server, but everything looked normal.
Then I looked at the logs on the VDI machine, and found this:
Failed to open Session Monitor, status unexpected, error=2. Windows Session Tracker watcher will retry in 10 seconds
This was in both the “log-yyyy-mm-dd.txt” file and the “debug-yyyy-mm-dd.txt” file in the “C:\ProgramData\VMware\VDM\logs” directory.
I had to find out what this monitor was, and after some searching, I found that it’s in the “device manager” as a “System device”.
The solution I used was to uninstall the agent, check the device manager afterward, and found that only one was left, and I just “uninstalled” this. After a reboot I reinstalled the Horizon View Agent, and everything was back to normal.
# Need to ensure the "Horizon Session Monitor" device is present and running under
Device Manager -> System devices -> Horizon Session Monitor
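An added check, not taken from the blog post, that turns the two observations above into something that can be run on a VDI machine or a golden image before the agent reports “configuration error”: it queries the System device class for the Horizon Session Monitor device and its PnP status, and searches the agent log and debug files in the directory the post names for the “Failed to open Session Monitor” message. The log path and message are from the text above; the wildcard device name match is an assumption in case the friendly name differs between agent versions.

```powershell
# Added check (not from the blog post): verify the Horizon Session Monitor system
# device and look for the matching error in the agent logs. Run on the VDI machine
# as Administrator. The wildcard device name is an assumption.
function Test-HorizonSessionMonitor {
    $devices = Get-PnpDevice -Class System -ErrorAction SilentlyContinue |
               Where-Object { $_.FriendlyName -like '*Horizon Session*' }
    if (-not $devices) {
        Write-Warning 'No Horizon Session Monitor device found under System devices'
        return $false
    }
    $devices | Select-Object FriendlyName, Status, Present, InstanceId | Format-Table -AutoSize
    # Status "OK" is healthy; "Error"/"Unknown" or a missing device matches the broken
    # state described in the post (agent log: "Failed to open Session Monitor").
    return -not ($devices | Where-Object { $_.Status -ne 'OK' })
}

function Find-SessionMonitorErrors {
    param(
        [string]$LogDir = 'C:\ProgramData\VMware\VDM\logs',   # directory named in the post
        [int]$Last = 5
    )
    Get-ChildItem -Path $LogDir -Include 'log-*.txt', 'debug-*.txt' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Failed to open Session Monitor' |
        Select-Object -Property Filename, LineNumber, Line -Last $Last
}

if (-not (Test-HorizonSessionMonitor)) {
    Find-SessionMonitorErrors | Format-Table -AutoSize
    Write-Host 'Remediation from the post: uninstall the Horizon Agent, remove the leftover device in Device Manager, reboot, then reinstall the agent.'
}
```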