Horizon Group Policy and Profiles

Last Modified: Dec 22, 2016 @ 6:53 pm

💡 = Recently Updated

Roaming Profiles Overview

VMware has three options for persisting user settings when the user logs off:

  • Persona can be used for virtual desktops. This is preferred over Microsoft’s roaming profiles. VMware seems to be deprecating Persona in favor of User Environment Manager.
  • Microsoft Roaming Profiles – Persona is not supported on Remote Desktop Session Host so use Microsoft’s native roaming profiles instead.
    • Microsoft’s Roaming Profiles do not merge settings from multiple concurrent sessions (the last session to log off overwrites the profile), so if users connect to multiple RDS farms then each RDS farm should have its own roaming profile share.
  • User Environment Manager – If you are licensed for Horizon Enterprise then you can use VMware’s User Environment Manager. This is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • User Environment Manager runs on top of other profile solutions. User Environment Manager can run on top of mandatory profiles so that anything not saved by User Environment Manager is discarded on logoff.
    • Or you can use User Environment Manager to persist settings for specific applications and use roaming profiles (Persona or Microsoft) to persist the remaining settings.
    • VMware has published a KB article 2118056 Migrate VMware Persona Management to VMware User Environment Manager.

Roaming Profiles File Shares

File Shares Summary

The next sections walk through creating the profile shares step by step. This section summarizes the required shares and their permissions.

  • In general, DFS Namespaces are supported for each of these shares but the namespace must point to only one target (no multi-master replication).
  • The User Environment Manager Configuration folder can be replicated.
  • Folder Redirection should be configured for all roaming profile methods. You can either create a new file share or you can redirect profile folders to the users’ home directories.

For All Profile Types, if you are not redirecting profile folders to the users’ home directories then create one file share for Folder Redirection:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If User Environment Manager, create two file shares:

  • \\server\UEMConfig – stores UEM configuration
    • UEM Admins = Full Control
    • UEM Users = Read
    • UEM Support = Read
  • \\server\UEMProfiles
    • UEM Admins = Full Control
    • UEM Support = Modify
    • UEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If Persona, create one file share for each operating system and bitness:

  • \\server\PersonaWin7x64
    • Persona Admins = Full Control
    • Persona Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\PersonaWin10x64
    • Persona Admins = Full Control
    • Persona Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If Microsoft Roaming Profiles, create multiple file shares. Each RDS farm needs a separate profile share.

  • \\server\RDSProfiles1
    • Horizon Admins = Full Control
    • Horizon Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\RDSProfiles2
    • Horizon Admins = Full Control
    • Horizon Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it PersonaWin10x64, RDSProfilesFarm1, UEMConfig, UEMProfiles, or similar. If you need both Persona and Microsoft roaming profiles, create separate folders for each. If using UEM, create the UEM shares as summarized earlier.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone and click OK. The share-level permission is deliberately open; access is restricted by the NTFS permissions configured in the Folder Permissions section below, so do not skip that section.
  8. For Persona and RDSProfiles shares, click Caching.
  9. Select No files or programs. Click OK and then click Close.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares summary except for the UEMConfig folder.

Lieven D’hoore has VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

VMware Fling – Horizon View Persona Management Share Validation Tool:

  1. Download the tool and extract it.
  2. From a command line, run VMWVvpValidator.exe with the share parameter, the path to the Persona or RDSProfiles share, and the group that should have access to the share.
  3. This will create a VMWVvpValidator.txt file in the same folder that contains the executable. Open it.
  4. Scroll down and there should be no errors. If there are, fix them as detailed in the report.

Access Based Enumeration

Also enable access based enumeration. With this setting enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to reboot.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
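The three procedures above (share the folder, set the NTFS permissions, enable access-based enumeration) as one PowerShell script. This is an added example, not the page's own script and not Lieven D'hoore's; it assumes a local path under D:\Shares and groups named CORP\Horizon Admins and CORP\Horizon Users (rename these for the UEMProfiles or Persona shares). Run it elevated on the file server.

```powershell
# Added example (not from the original page). Creates one profile share with the
# layout described above: open share permissions, NTFS restricted to three
# principals, no offline caching, access-based enumeration.
# Assumed values: path D:\Shares\RDSProfiles1, domain CORP, the two groups below.
param(
    [string]$Path       = 'D:\Shares\RDSProfiles1',
    [string]$ShareName  = 'RDSProfiles1',
    [string]$AdminGroup = 'CORP\Horizon Admins',
    [string]$UsersGroup = 'CORP\Horizon Users'
)

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share level stays Full Control for Everyone; the real restriction is NTFS below.
# CachingMode None = "No files or programs"; AccessBased = access-based enumeration.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' `
        -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
}

function New-Ace {
    # Builds an Allow ACE; strings are coerced to the FileSystemRights /
    # InheritanceFlags / PropagationFlags enums by the constructor binding.
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $Path
# Break inheritance and clear explicit ACEs so only the three entries below remain
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

# Admins: Full Control on this folder, subfolders and files
$acl.AddAccessRule((New-Ace $AdminGroup 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Users: list/read plus create folders, THIS FOLDER ONLY, so one user cannot
# read the profile folder another user created
$acl.AddAccessRule((New-Ace $UsersGroup 'ReadAndExecute, CreateDirectories' 'None' 'None'))
# CREATOR OWNER: Full Control on subfolders and files only (InheritOnly), which
# hands each user full control of exactly the folder they create
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -Path $Path -AclObject $acl

# Check: nothing but the three intended principals should be listed
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The final Get-Acl output is the check to eyeball before pointing a GPO at the share: if an inherited entry for BUILTIN\Users or Authenticated Users with Modify survives, every user can read (or delete) every other user's profile folder. Run the VMware Share Validation Tool from the previous section against the result as well.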

GPO Templates

Windows Group Policy Templates

Unfortunately there are some differences between the GPO templates for 2012 R2 and the GPO templates for Windows 8.1/10. You’ll need to download the full set of templates.

Follow the procedure at http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates for Windows 10.

Horizon Templates

Some of the policy settings in this topic require loading templates from Horizon 7.0.3 View GPO Bundle, which can be downloaded from VMware.com.

User Environment Manager Templates

If you are licensed for User Environment Manager, copy the UEM templates to PolicyDefinitions. Note: UEM 9.1 can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

  1. Go to the extracted User Environment Manager 9.1 files and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  2. Go to the Policies folder in your sysvol (e.g. \\corp.local\sysvol\corp.local\Policies). If it contains a PolicyDefinitions folder (the Central Store), paste the files and the language folder into it.
  3. If you don’t have PolicyDefinitions in your sysvol then you can alternatively paste them to C:\Windows\PolicyDefinitions on the machine where you are running Group Policy Management Console. However, if you edit group policy from a different machine then you’ll need to copy the files to the same location on that machine too.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create two new GPOs in addition to the Horizon Agent Computer Settings GPO. Name one Horizon Agent All Users (including admins) and link it to the parent OU. Name the other Horizon Agent Non-Admin Users (lockdown) and link it either to the parent OU or only to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab and click Add.
  10. Find your Horizon Admins group and click OK.
  11. Change the Permissions to Edit settings and click OK.
  12. Then on the Delegation tab click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
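The OU and GPO framework from steps 1 to 15 as a PowerShell script. This is an added example, not from the original page. It assumes the GroupPolicy and ActiveDirectory modules on a management host, a domain group named Horizon Admins, and the OU names used below. Set-GPPermission cannot write Deny entries, so the Deny for Apply Group Policy is written to the GPO's AD object directly; the GPMC Delegation tab in the steps above is the supported way to do it, so verify the result there afterwards.

```powershell
# Added example (not from the original page). Builds the OU / GPO framework from the
# procedure above. Assumed values: domain from Get-ADDomain, group "Horizon Admins",
# OUs "Horizon Agents", "Win10 Pool 1" and "RDS Farm 1".
Import-Module GroupPolicy, ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$parentOU   = "OU=Horizon Agents,$domainDN"
$adminGroup = 'Horizon Admins'

# Steps 1-2: parent OU plus one sub-OU per pool / farm (machines are moved in step 3)
New-ADOrganizationalUnit -Name 'Horizon Agents' -Path $domainDN -ErrorAction SilentlyContinue
foreach ($sub in 'Win10 Pool 1', 'RDS Farm 1') {
    New-ADOrganizationalUnit -Name $sub -Path $parentOU -ErrorAction SilentlyContinue
}

function New-HorizonGpo {
    # Creates (or reuses) a GPO, links it, disables the unused half and
    # delegates Edit settings to Horizon Admins (steps 4-7, 10-11, 15)
    param([string]$Name, [string]$LinkTo, [string]$Disable)   # Disable = User | Computer
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    New-GPLink -Name $Name -Target $LinkTo -ErrorAction SilentlyContinue | Out-Null
    $gpo.GpoStatus = if ($Disable -eq 'User') { 'UserSettingsDisabled' } else { 'ComputerSettingsDisabled' }
    Set-GPPermission -Name $Name -TargetName $adminGroup -TargetType Group -PermissionLevel GpoEdit | Out-Null
    return $gpo
}

New-HorizonGpo -Name 'Horizon Agent Computer Settings' -LinkTo $parentOU -Disable User     | Out-Null
New-HorizonGpo -Name 'Horizon Agent All Users'         -LinkTo $parentOU -Disable Computer | Out-Null
$lock = New-HorizonGpo -Name 'Horizon Agent Non-Admin Users' -LinkTo "OU=RDS Farm 1,$parentOU" -Disable Computer

# Steps 12-14: deny "Apply Group Policy" to admins on the lockdown GPO only.
# edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the Apply-Group-Policy extended right.
$applyGp = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid     = (Get-ADGroup $adminGroup).SID
$adPath  = "AD:\$($lock.Path)"          # Gpo.Path is the GPO's distinguished name
$acl     = Get-Acl -Path $adPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGp))
Set-Acl -Path $adPath -AclObject $acl

# Check: the lockdown GPO should show a Deny Apply Group Policy entry for Horizon Admins,
# and the other two GPOs should not
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $applyGp -and $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize
```

The Deny is the whole point of the lockdown GPO: without it, an administrator who logs on to a session host gets the same restricted shell as a user. A plain Get-GPPermission on the lockdown GPO will list Horizon Admins with GpoEdit only, which is why the check reads the AD ACL for the Deny entry instead.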

GPOs for Roaming Profiles (Persona and RDS)

You will need a separate profile configuration for each Horizon Agent type (virtual desktops vs. RDS, operating system version, operating system bitness, etc.), and each profile configuration needs its own GPO. Note: if you are licensed for User Environment Manager then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar and click OK. Each operating system version should point to a different file share so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  2. Configure the GPO Computer Settings as detailed at http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  3. In addition, VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products has a list of recommended ciphers for Windows. These ciphers are configured at Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA
    The article also details how to enable TLS 1.2 in Windows. Note: the list is entered as a single comma-separated value. The RC4 suite at the end has since been prohibited by RFC 7465 and should be dropped; the TLS_RSA_* suites provide no forward secrecy and are only there for older clients, which is why the ECDHE suites come first.
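To see what the SSL Cipher Suite Order policy actually produced on a Horizon Agent, the following added example (not from the page or the VMware KB) reads the policy value, falls back to the machine default, and flags suites a practitioner should not keep. It assumes the standard registry locations for the policy and default orders, and $Recommended is the KB list above with the RC4 suite removed.

```powershell
# Added example (not from the original page). Audits the effective cipher suite order.
# Assumed paths: the policy key written by "SSL Cipher Suite Order" and the machine
# default key; $Recommended is the VMware KB list minus TLS_RSA_WITH_RC4_128_SHA.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$DefaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

$Recommended = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA'
)

function Get-EffectiveCipherSuiteOrder {
    # The policy value is one comma-separated REG_SZ; the default is a REG_MULTI_SZ
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy) {
        return @($policy.Functions -split ',' | ForEach-Object Trim | Where-Object { $_ })
    }
    return @((Get-ItemProperty -Path $DefaultKey -Name Functions).Functions)
}

function Test-CipherSuiteOrder {
    # Flags broken algorithms first, then suites without forward secrecy
    param([string[]]$Suites)
    foreach ($s in $Suites) {
        if ($s -match 'RC4|NULL|DES|MD5|EXPORT') {
            [pscustomobject]@{ Suite = $s; Finding = 'weak or deprecated algorithm, remove' }
        } elseif ($s -notmatch '^TLS_(ECDHE|DHE)_') {
            [pscustomobject]@{ Suite = $s; Finding = 'static RSA key exchange, no forward secrecy' }
        }
    }
}

$order = Get-EffectiveCipherSuiteOrder
"Effective order ($($order.Count) suites):"
$order
"`nFindings:"
Test-CipherSuiteOrder -Suites $order | Format-Table -AutoSize

# Strict check: same suites in the same order as the hardened list
if (Compare-Object -ReferenceObject $Recommended -DifferenceObject $order -SyncWindow 0) {
    Write-Warning 'Cipher suite order differs from the recommended list'
}
```

Run it after a gpupdate /force on the master image; an empty policy key means the GPO did not apply (check the OU link and the Computer Configuration half of the GPO is enabled) and the default order, with its RC4 and 3DES entries, is in effect.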

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups and click Add Group.
  3. Browse to the group of users that will be added to the Remote Desktop Users group on the virtual desktops (e.g. Domain Users, or preferably a dedicated group such as Horizon Users so that only intended users can log on). Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users and click OK twice.

User Environment Manager Group Policy

User Environment Manager works for both virtual desktops and Remote Desktop Session Hosts, so there’s no need to configure separate profiles for both of those environments.

Also, the User Environment Manager GPO settings are user settings, not computer settings.

From Chris Halstead VMware User Environment Manager (UEM) – Part 1 – Overview / Installation and VMware Deployment Guide VMware User Environment Manager Deployed in 60 Minutes or Less:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. User Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
  4. Double-click Always wait for the network at computer startup and logon.
  5. Enable the setting and click OK.
  6. Close the group policy editor.
  7. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents and Loopback processing should already be enabled on those machines.
  8. Go to User Configuration | Policies | Administrative Templates | VMware UEM | FlexEngine.
  9. If you are running User Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.
  10. Enable the setting and click OK.
  11. Double-click Flex config files.
  12. Enable the setting.
  13. Enter \\server\uemconfig\general. The general folder will be created by User Environment Manager. Click OK.
  14. Double-click FlexEngine Logging.
  15. Enable the setting.
  16. Enter \\server\uemprofiles\%username%\logs. User Environment Manager will create these folders. Click OK.
  17. A new setting in UEM 9.0 is Paths unavailable at logon. By default, users are blocked from logging in if the UEM file share is not reachable.

  18. Double-click the setting Profile archive backups.
  19. Enable the setting.
  20. Type in \\server\uemprofiles\%username%\backups.
  21. Enter the number of desired backups, check the box for daily backups, and click OK.
  22. Double-click Profile archives.
  23. Enable the setting.
  24. Type in \\server\uemprofiles\%username%\archives and click OK.
  25. Double-click the setting RunFlexEngine as Group Policy Extension.
  26. Enable the setting and click OK.
  27. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
  28. Double-click Logoff.
  29. Click Add.
  30. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
  31. In the Script Parameters field, enter -s.
  32. Click OK.
  33. Click OK.

User Environment Manager is configured in a separate console application. See the instructions at http://www.carlstalhood.com/vmware-user-environment-manager/.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts.

If you are using User Environment Manager with Mandatory profiles then skip this section.

Roaming profiles (Persona) are optional for persistent virtual desktops. They are most applicable to non-persistent virtual desktops.

  1. VMware article 2105270 – Verify that ICMP is allowed between the Horizon Agent and the domain controller, and between the Horizon Agent and the Persona Management Repository.
  2. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  3. In the Horizon Agent GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  4. Click Add.
  5. Browse to the downloaded and extracted Horizon 7.0.3 GPO Bundle (Horizon View Extras Bundle 4.3.0).
  6. Select the ViewPM.adm file and click Open and then click Close.
  7. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  8. Go to Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware Horizon Agent Configuration > Persona Management > Roaming & Synchronization.
  9. On the right, double-click Manage user persona.
  10. Enable the setting. It defaults to 10 minutes. Click OK.
  11. Double-click Persona repository location and enable the setting.
  12. Enter the path to the file share created for Persona. Append %username%.
  13. Check the box next to Override Active Directory user profile path. Click OK.
  14. Double-click Roam local settings folders and enable it. Click OK.
  15. Double-click Files and folders excluded from roaming and enable it. Then click Show.
  16. Enter the values shown below and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  17. Double-click Files and folders excluded from roaming (exceptions) and enable it. Then click Show.
  18. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  19. Configure %AppData%\Thinstall as a folder to background download. If users run ThinApps, this speeds up ThinApp launch time; if they don’t, there is no harm done.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using User Environment Manager with Mandatory profiles then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration > Policies > Administrative Templates > Control Panel > Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles
  10. VMware recommends enabling RunOnce as detailed at http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  2. In the Horizon Agent GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  3. Click Add.
  4. Browse to the downloaded and extracted Horizon 7.0.3 GPO Bundle (Horizon View Extras Bundle 4.3.0).
  5. Select the pcoip.adm file, click Open, and then click Close.
  6. Expand Administrative Templates > Classic Administrative Templates > PCoIP Session Variables. Click Overridable Administrator Defaults.
  7. On the right, double-click Configure clipboard redirection.
  8. Enable the setting and select Enabled in both directions. Click OK.
  9. Horizon 7.0.2 adds the ability to filter specific clipboard formats.
  10. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, VMware recommends setting this to 100–150 Kbps, or you can start with 300 Kbps and reduce as needed.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon Client when the Horizon Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon Client USB GPO settings. Merge means that if Horizon Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include rules.
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  2. In the Horizon Agent GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  3. Click Add.
  4. Browse to the downloaded and extracted Horizon 7.0.3 GPO Bundle (Horizon View Extras Bundle 4.3.0).
  5. Select the vdm_agent.adm file, click Open, and then click Close.
  6. Expand Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration and click View USB Configuration.
  7. On the right, double-click Exclude Device Family.
  8. Change the selection to Enabled.
  9. Enter o:audio-in;o:video.
  10. If you want to block USB storage devices, add o:storage to the list. Click OK.

Blast Settings

Horizon Client 4.0 can use UDP when connecting to Horizon 7 Agents using Blast. UDP only applies to the full Horizon Client since HTML Access only uses the TCP protocol. VMware recommends not using UDP and instead force clients to use TCP. TCP can be WAN optimized while UDP cannot. See VMworld 2016: EUC7601 – Advances in Remote Display Protocol at YouTube for details.  💡

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

  1. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  2. Go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  3. Click Add.
  4. Browse to the downloaded and extracted Horizon 7.0.3 GPO Bundle (Horizon View Extras Bundle 4.3.0).
  5. Select the vdm_blast.adm file, click Open, and then click Close.
  6. Expand Administrative Templates > Classic Administrative Templates and click VMware Blast.
  7. On the right, double-click Configure clipboard redirection.
  8. Enable the setting and then make your choice. Click OK.
  9. On the right, double-click UDP Protocol.
  10. You can optionally enable UDP protocol. Note: VMware does not recommend this. Click OK.
  11. New in 7.0.2 is H.264 Quality Levels

  12. Also, 7.0.2 adds clipboard format filtering.
  13. If you enabled UDP protocol, then reboot your master image so it reads the GPO settings. Look in the file C:\ProgramData\VMware\VMware Blast\Blast-Service.log to make sure UDP is enabled. If not, reboot the machine again. After it’s enabled, snapshot the master machine and push it to your Pools.

URL Content Redirection

URL Content Redirection is a new feature in Horizon 7 that allows IE URLs to be redirected from Agent-to-Client or from Client-to-Agent. This feature requires:

  • URL Redirection component installed from command line on Horizon 7 Agent.
  • URL Redirection component installed from command line on Horizon Client 4.0.
  • If Horizon Client is installed on a Horizon Agent machine, you can install URL Redirection for one or the other, but not both.
  • Internet Explorer 9 or later only
  • GPO Settings

URL Redirection GPO settings apply to both Horizon Agents and Horizon Clients depending on the source of the redirection. For Agent-to-Client redirection, edit a GPO that applies to the Horizon Agents. For Client-to-Agent redirection, edit a GPO that applies to the Horizon Clients.

  1. Go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  2. Click Add.
  3. Browse to the downloaded and extracted Horizon 7.0.3 GPO Bundle (Horizon View Extras Bundle 4.3.0).
  4. Select the urlRedirection.adm file, click Open, and then click Close.
  5. Expand Administrative Templates > Classic Administrative Templates and click VMware Horizon URL Redirection.
  6. On the right, double-click IE policy: Automatically activate newly installed plugins and enable it. If you don’t configure this then users are required to activate the IE add-on manually.
  7. On the right, double-click Url Redirection Enabled and enable the setting. The setting description says it’s enabled by default but actually it’s not.
  8. On the right, double-click Url Redirection Protocol ‘http’.
  9. For Agent-to-Client, configure clientRules and agentRules. clientRules are redirected from Agent-to-Client. However, agentRules override clientRules. This lets you redirect every URL to client but keep some URLs on the agent. Separate multiple rules with a semicolon.
  10. For Client-to-Agent, configure agentRules. Anything that matches will be redirected to the remoteItem (name of published icon) accessible through brokerHostname.
  11. Repeat this configuration for Url Redirection Protocol ‘https’. You typically want the same configuration in both settings.

User Lockdown Settings

Edit the Horizon Agent Non-Admin Users GPO and configure the settings detailed at http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon Agent All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, also configure Redirected Profile Folders as detailed at http://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by Persona, RDS profiles, or VMware UEM.

VMware Flash Optimizer

  1. Horizon 6 Agent installs something called the Flash Optimizer. When a user launches Internet Explorer, a prompt is displayed to Enable the add-on. To get rid of this message, do the following.
  2. We need the add-on CLSID. In Internet Explorer, click the gear icon and click Manage add-ons.

  3. Highlight the VMware Adobe Flash Optimizer and click More information on the bottom left.
  4. Click Copy.
  5. Paste the contents into Notepad. Then look for the Class ID line and copy it.
  6. Edit the Horizon Agent All Users GPO.
  7. Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.
  8. On the right, open Add-on List.
  9. Enable the setting and click Show.
  10. In the Value name field, paste in the Class ID, including the curly braces.
  11. In the Value field, enter 1 to force the add-on to be enabled. Click OK twice.

3 thoughts on “Horizon Group Policy and Profiles”

  1. Enforcement should not be required. Enforcement overrides Block Inheritance and GPOs set lower in the tree. I usually put Horizon Agents in a new OU and link GPOs directly to that OU. Thus there’s nothing to Enforce.

  2. Carl, following the tutorial steps I notice that the policies I create are not enforced by default. I take it I am to enforce them on the respective containers, but just pointing out that your tutorial steps do not show it (and even the screenshots show the “Enforced” check menu item to be de-selected). For the AD-ignorant among us (myself included) this would be helpful. Less head-scratching as to why our GPOs are not being applied. Thanks for the info regardless, great site!
