Omnissa Dynamic Environment Manager (DEM) 2503

Last Modified: Apr 18, 2025 @ 5:50 am

As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).

This post applies to all Dynamic Environment Manager (aka User Environment Manager) versions including DEM 2312 (10.12) ESB, DEM 2212 (10.8) ESB, DEM 2111 ESB (10.4), and DEM 9.9 (ESB).

Upgrade

If you are performing a new installation, skip to the Installation Prerequisites section.

When upgrading an existing installation of DEM or UEM, upgrade the FlexEngine on the Horizon Agents first.

The newest FlexEngine can still interpret the INI files from an older DEM console. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allows for new options, like elevated privileges and others, that (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that, update the ADMX files.

DEM 2203 and newer move FlexEngine licensing to the configuration share and DEM console. If you are upgrading existing FlexEngines, then the previous license will continue functioning. New FlexEngines need the new licensing configuration method.

Installation Prerequisites

Before performing the procedures detailed on this page, make sure you’ve created the DEM File Shares, imported the DEM GPO ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for Dynamic Environment Manager.

Omnissa Tech Zone Antivirus Considerations in a Horizon Environment: exclusions for Horizon, App Volumes, User Environment Manager, ThinApp

Omnissa Workspace Tech Zone has an excellent Quick-Start Tutorial for Dynamic Environment Manager. It’s around 130 printed pages.

Local Profile

At user logon, DEM restores profile archives on top of a Windows profile, which is typically a local profile.

If your Horizon Agent machines are single-user, non-persistent machines that reboot at logoff, then local profiles are deleted at logoff.

If your Horizon Agent machines are multi-user machines (e.g. RDSH) that don’t reboot every day, then you might need a process to delete local profiles when the user logs off. Here are some options:

  • Schedule a delprof2.exe script that runs daily.
  • A more advanced option is to add users to the local Guests group, which causes their profile to be deleted at logoff.

DEM Console Installation

In Horizon 2006 (aka 8.0), DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different DEM capabilities.

  • Horizon 8 (2006+) Enterprise Edition and Horizon 7.13 Enterprise Edition are entitled to DEM Enterprise Edition, which has all features.
  • Horizon 8 (2006+) Standard Edition and Horizon 8 Advanced Edition are entitled to DEM Standard Edition, which is limited primarily to Personalization features. If you are using FSLogix Profile Containers, then you don’t need DEM Standard Edition.

DEM 2503 (10.15) is the latest release.

  1. DEM 2503 is an ESB release.
  2. Download DEM 2503 (10.15) Enterprise Edition
  3. Also download the license file.
  4. If upgrading, don’t upgrade the DEM Console until all of your DEM Agents have been upgraded.
  5. On your administrator machine, run the downloaded Omnissa Dynamic Environment Manager 2503 10.15 x64.msi.
  6. In the Welcome to the Omnissa Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.
  7. In the Destination Folder page, click Next.
  8. In Choose Setup Type page, click Custom.
  9. In the Custom Setup page, change the selections so that only the console is selected and then click Next.
  10. In the Ready to install Omnissa Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the Omnissa Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.

Configure Dynamic Environment Manager

Here is a summary of the major Dynamic Environment Manager functionality:

  • Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of Dynamic Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
    • DEM Standard Edition supports all Personalization features.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. Dynamic Environment Manager can configure any registry setting defined in an ADMX file.
    • DEM Standard Edition only has a limited set of User Environment settings (e.g., drive mappings). Most User Environment features require DEM Enterprise Edition.
    • Most settings in DEM are only for users, not computers. DEM 2006 (aka 10.0) and newer support ADMX templates for Computer Settings. In older DEM, use Group Policy to configure Computer Settings.
    • Best practice is to not mix Dynamic Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
    • UEM 9.6 and newer support Windows Server 2019 as an Operating System condition.
  • Horizon Smart Policies – Use Horizon Conditions (e.g., client IP) to control device mappings (e.g., client printing) and PCoIP/Blast Bandwidth Profile.
  • Privilege Elevation (UEM 9.2 and newer) – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.

Initial Configuration (Easy Start)

To perform an initial configuration of Dynamic Environment Manager, do the following:

  1. Launch the DEM Management Console from the Start Menu.
  2. Enter the path to the DEMConfig share and click OK.
  3. In the ribbon, click Configure. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK.
  4. In the Personalization ribbon, on the far right, click Easy Start.
  5. Select your version of Office and click OK. Office 2019 and Office 2016 are essentially the same.
  6. Click OK when prompted that configuration items have been successfully installed.
  7. Review the pre-configured settings to make sure they are acceptable. For example, on the ribbon named User Environment, under Shortcuts, Dynamic Environment Manager might create a Wordpad shortcut that says (created by VMware UEM). You can either Disable this item or delete it.

  8. Go to the ribbon named User Environment. On the left, expand Windows Settings and click Policy Settings. On the right, if there is a setting to Remove Common Program Groups, then click Edit.

    1. Consider adding a condition so it doesn’t apply to administrators.

DEM Licensing

DEM 2203 and newer moved FlexEngine Agent licensing to the DEM Configuration Share and DEM Console.

  1. Download the Production License File from the same place you downloaded DEM: DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition.
  2. In the DEM console, click the top-left star icon and then click License.
  3. Click Manage.
  4. Choose License File and then select the downloaded Omnissa-DEM-10.14.0-GA.lic file.
  5. Click OK.

DEM Console places the license info in the DEM Configuration Share file under \general\FlexRepository\AgentConfiguration.

Common Configurations

  1. DEM 2303 (10.9) and newer have a Search button to help you find configuration files.
  2. To roam the Start Menu in Windows 10 1703 and newer:
    1. Go to the ribbon named Personalization, click a folder, and click Create Config File.
    2. Select Use a Windows Common Setting and click Next.
    3. Select Windows 10 Start Menu – Windows 10 Version 1703 and higher. This option is only available in newer versions of DEM. It should work with Windows Server 2019, but it doesn’t apply to Windows Server 2016, which is actually version 1607.
    4. Enter a file name. DEM will create a .zip file for each user with this name. Click Finish when done.
  3. You can run Triggered Tasks when a session is reconnected, workstation is unlocked, or on a schedule (DEM 2306 and newer). This is useful for re-evaluating Smart Policies, as detailed below.

    • DEM 2111 and newer have a Trigger named App Volumes logon-time apps delivered. This was renamed from the older All AppStacks Attached trigger. It was renamed because App Volumes 2111 supports on-demand apps.

    • DEM 2306 (10.10) and newer have a Schedule trigger.

    • You can pick one of the predefined Actions or choose Run custom command to run a script. Some scripts might need an additional configuration under Privilege Elevation.
  4. UEM 9.3 and newer have a setting to store Outlook OST file on App Volumes writable volumes. Go to the ribbon named User Environment. Right-click App Volumes and create a setting. Check the box next to Store Offline Outlook Data File (.ost) on writable volume. Configure other fields as desired. Note: this setting only applies to new Outlook profiles.

Version History

DEM 2412 and newer have a Version History feature.

  1. On any ribbon, click Configure.
  2. On the Version History tab, enable the feature. This feature overrides Configuration Changelog logging to disk. Click OK to close the Settings window.
  3. Each configuration item in the DEM console has a Version History tab. You can click an older version and then click Restore to revert a change.

Horizon Smart Policies

Horizon Smart Policies let you control (e.g. disable) Horizon functionality for external users or other conditions.

  1. In UEM 9.0 and newer, go to User Environment > Horizon Smart Policies, and create a policy.
  2. DEM 9.11 has an expanded list of settings configurable using Horizon Smart Policies.
  3. DEM 2309 (10.11) and newer can control FIDO2 and Storage drive.
  4. DEM 2306 (10.10) and newer can control Browser Content Redirection.
  5. UEM 9.8 and newer have many Horizon Smart Policy Settings, including Drag and drop.
  6. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions.

    • To detect external users, select Horizon Client Property > Client Location = External. UAG and Security Server set the session’s location to External.
  7. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies.

  8. There’s Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition.
  9. Some of the conditions have Matches Regex. For example, Endpoint name and Horizon Client Property > Pool name.

  10. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks, and click Create. Or you can edit one of the existing Triggered Tasks settings.

    1. Change the Trigger to Session Reconnected.
    2. Change the Action to User Environment refresh. Select Horizon Smart Policies and click Save.

Application Blocking

  1. UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
  2. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
  3. Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
  4. You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
  5. UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
  6. UEM 9.2 and newer support Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-based and publisher-based rules is that the policy might have to be updated whenever the app is updated.

Privilege Elevation

  1. UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
  2. Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
  3. If you allow installers to be elevated and want the installer’s child processes elevated too, check the box. This checkbox only applies to installers. Elevation of child processes of applications is enabled when creating a Privilege Elevation configuration setting.
  4. When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and that the user should therefore be careful with this application. Click OK.
  5. Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
  6. Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
  7. The child processes checkbox applies to applications.
  8. UEM 9.4 adds Argument-based elevated application, which lets you elevate specific scripts and/or Control Panel applets.
  9. DEM Group Policy settings can be enabled to log both Application Blocking and Privilege Elevation to Event Viewer.

Computer Settings

DEM Enterprise Edition 2006 and newer can deploy computer-based ADMX settings.

  • Domain Computers must have Read permission to the DEM Config file share.

DEM 2006 and newer Agents (FlexEngines) must be configured to enable computer settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. If you use group policy, then make sure the group policy applies to your master image. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\Omnissa\DEM\Omnissa-DEM-Enterprise-2503-10.15\Omnissa Dynamic Environment Manager Enterprise 2503 10.15 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

Do the following to enable Computer Environment settings in the DEM Console:

  1. In the DEM Management Console, at the right side of any ribbon, click Configure.
  2. At the bottom of the General tab, check the box next to Computer Environment.
  3. A new Computer Environment ribbon is added. DEM 2009 and newer have Startup Tasks and Shutdown Tasks.
  4. With ADMX-based Settings highlighted on the left, click Manage Templates in the ribbon.
  5. At the bottom of the window, click Add Folder.
  6. If you have PolicyDefinitions in your SYSVOL, then browse to that. Or you can point it to C:\Windows\PolicyDefinitions. Click OK.
  7. Click OK after import is successful. DEM copied the .admx files into the DEM Config share. You can run this again any time to update templates.
  8. With ADMX-based Settings selected on the left, click Create in the ribbon.
  9. At the bottom, click Select Categories.
  10. Select a category where your setting is located and click OK.
  11. At the top of the window click Edit Policies.
  12. Only the settings for your chosen categories are shown. Configure these settings the same way you would configure them in group policy. Then close the window.
  13. DEM shows the configured settings.
  14. On the Conditions tab, you can add conditions. Obviously the user-based conditions will not be available for computer-based settings.

Personalization and DEM Templates

Omnissa has provided a list of Personalization Templates to simplify your configuration.

  1. To save user settings at logoff and restore at logon, you must specify the settings to save. Easy Start created a bunch of configurations on the Personalization ribbon. Note: DEM 9.11 adds a Search box to this ribbon.
  2. You can see what settings these save. On the tab named Import / Export, on the top right, click Manage, and then click Expand.

    1. Click Yes to expand it.

    2. After reviewing the config, click a different Personalization setting, and then click No to not save your changes.
  3. To save more profile settings at logoff, on the ribbon named Personalization, select a folder (or create a new folder), and then click Create Config File.
  4. A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own.


    • DEM 9.10 and newer have a Windows Common Setting named Default applications – File type associations and protocols. For details, see Ivan de Mes at Managing File Type Associations (FTA) natively using Dynamic Environment Manager.

      • Also enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
      • To avoid a delay in applying FTAs after login, Omnissa 83679 recommends setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize\StartupDelayInMSec (DWORD) = 0.
    • UEM 9.4 and newer have a Windows Common Setting for Windows 10 Start Menu – Windows 10 1703 and higher
  5. Download a template and import it.
    1. In the DEM Console, on the Personalization tab, click the Configure button to locate your DEM Configuration file share.

    2. Extract the downloaded templates to the General\Applications folder in the DEM Config Share.

    3. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.
  6. DirectFlex – to speed up logins, enable DirectFlex whenever possible. Instead of restoring the files during logon and thus delaying the login, DirectFlex restores the settings on-demand when the user launches the application. DirectFlex can be enabled on most application configurations. However, Windows settings (e.g. Start Menu) should be loaded during login rather than on-demand after login.

Additional DEM Configuration

User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, DEM will put an .xml file in this folder. More information at Omnissa Docs.

From Omnissa 2113514 Enabling debug logging for a single user in Omnissa Dynamic Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.

DEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine (aka DEM Agent) installed:

  1. .NET Framework 3.5 is required.
  2. In the Dynamic Environment Manager files, in the Optional Components folder, run Omnissa DEM Application Profiler 2412 10.14 x64.msi.
  3. In the Welcome to the Omnissa DEM Application Profiler Setup Wizard page, check the box next to I accept and then click Next.
  4. In the Custom Setup page, click Next.
  5. In the Ready to install Omnissa DEM Application Profiler page, click Install.
  6. In the Completed the Omnissa DEM Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using Dynamic Environment Manager.

DEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the Dynamic Environment Manager Console, click the star icon on the top left, and click Configure under Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in Dynamic Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the Dynamic Environment Manager group policy object. Click OK.
  5. Click Save.
  6. Omnissa recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to DEM Support and DEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | Omnissa DEM | Helpdesk Support Tool.
  10. Double-click the setting DEM configuration share.
  11. Enable the setting and enter the path to the DEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. Some support tool functions require the FlexEngine (aka DEM Agent) to be installed on the help desk machine.
  2. In the extracted Dynamic Environment Manager files is an Optional Components folder. From inside that folder run Omnissa DEM Helpdesk Support Tool 2412 10.14 x64.msi.
  3. In the Welcome to the Omnissa DEM Helpdesk Support Tool Setup Wizard page, check the box next to I accept and click Next.
  4. In the Destination Folder page, click Next.
  5. In the Ready to install Omnissa DEM Helpdesk Support Tool page, click Install.
  6. In the Completed the Omnissa DEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Horizon Group Policy and Profiles

Last Modified: Apr 18, 2025 @ 1:32 am

This post applies to all Horizon versions 7.0, and newer, including Horizon 2503 (8.15).

Roaming Profiles Options

There are several options for persisting user profile settings when the user logs off:

  • Dynamic Environment Manager (DEM) – DEM is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • In Horizon 2006 (8.0) and newer, DEM Personalization features are available in all editions of Horizon.
    • In Horizon 7, only Horizon Enterprise Edition is entitled to Dynamic Environment Manager.
    • Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM). VMware renamed User Environment Manager 9.9 and newer to DEM to avoid confusion with Workspace ONE Unified Endpoint Management (also UEM), which is actually AirWatch mobility management. User Environment Manager is sometimes called “little UEM”, while AirWatch is sometimes called “big UEM”.
    • DEM persists settings for specific applications instead of persisting the entire profile. Saved application settings are stored in separate .zip files (aka profile archives) for each application so you can restore one .zip file without affecting the other .zip files. Many of these DEM profile archive .zip files can be restored to multiple operating system versions, whereas other monolithic profile solutions are tied to a specific operating system version.
    • DEM restores profile archives on top of other profile solutions. One option is mandatory profiles so that anything not saved by DEM is discarded on logoff.
    • Omnissa KB article 2118056 Migrate Persona Management to Dynamic Environment Manager.
  • Persona saves the entire user profile, meaning it is a “set and forget” roaming profile solution that is similar to Microsoft’s native roaming profiles or Citrix Profile Management.
    • Persona is not included in Horizon 2006 (8.0) and newer. If you are using Persona in Horizon 7, then before upgrading, see Omnissa Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persona is included in all editions of Horizon 7.
    • However, Persona doesn’t work on newer versions of Windows 10, Persona doesn’t work on RDSH Horizon Agents, and Persona doesn’t work on Instant Clones.
    • In practice, DEM is the only viable profile option from Omnissa, but DEM requires Horizon 7 Enterprise Edition or an upgrade to Horizon 2006 (8.0).
  • App Volumes Writable Volumes – App Volumes Writable Volumes can store the user’s profile and roam the writable volume to different Horizon Agent machines.
    • App Volumes requires Horizon Enterprise Edition.
    • App Volumes is a separate infrastructure (e.g. separate servers, separate agents) that must be built, learned, maintained, and supported.
    • Writable Volumes are stored as .vmdk files on vSphere datastores. For backup/restore, you can replicate the .vmdk files to multiple datastores, including multiple data centers.
    • When Writable Volumes are combined with DEM, then Outlook search indexes can be stored on the Writable Volumes.
    • Writable Volumes can only be mounted on one Horizon Agent machine at a time.
  • Persistent Disks – Horizon Composer can generate persistent disks for each dedicated desktop machine. User profile is redirected to the persistent disk so the user profile will be available after the machine is refreshed.
    • In Horizon 2006 (8.0) and newer, Composer and Persistent Disks are deprecated. Composer has been removed from Horizon 2012 (8.1) and newer. Before upgrading, see Omnissa Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persistent Disk only stores the user’s profile. It does not store user-installed applications. If you need to persist user-installed applications, then implement App Volumes Writable Volumes instead.
    • Persistent Disks were brought to Instant Clones in Horizon 2306 (8.10) and newer. See Using Persistent Disks for Dedicated Instant Clones at Omnissa Docs.
    • Persistent Disks are only an option for Dedicated Assignment pools, meaning that the Persistent Disks do not float between machines. Administrators can manually detach a Persistent Disk from one machine and attach it to a different machine.
    • Persistent Disks are stored as .vmdk files on vSphere datastores. How do you back them up and restore them, especially if they are not currently mounted on a running virtual machine?
  • Microsoft FSLogix – FSLogix Profile Containers can store the entire user profile in a .vhdx file that is stored on a file share.
    • FSLogix is free for almost all virtual desktop and RDSH customers. If you’re not licensed for DEM, then FSLogix is a viable alternative.
    • FSLogix is known for roaming the Outlook Search Index and other special Office 365 files.
    • FSLogix Profile Container is very similar to Persistent Disks and Microsoft User Experience Virtualization in that the entire profile is stored in the .vhdx file. Watch out for disk space consumption on the file share. And concurrent access to the .vhdx can be challenging.
    • FSLogix Profile Container configuration is “set and forget” since it doesn’t need separate configuration for each application.
  • Microsoft Roaming Profiles – a last-case alternative is native Microsoft roaming profiles. However, there are many limitations.
    • Microsoft’s Roaming Profiles cause longer login times since the entire profile is downloaded before the user can interact with the desktop or application. This is not a problem in other roaming profile solutions.
    • Microsoft’s Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms (or multiple desktop pools) then each RDS farm should have separate roaming profile shares.

Roaming Profiles File Shares

File Shares Design

This section provides a summary of the required shares. See Create and Share the Folders for detailed steps for creating the profile shares.

There are typically several types of file share paths:

  • Roaming Profiles – stores DEM profile archives, FSLogix .vhdx Profile Containers, etc.
    • Roaming profiles (or DEM profile archives) are stored in a separate sub-folder for each user that only the one user has access to.
    • FSLogix, Persona and Microsoft Roaming Profiles are monolithic profiles that are tied to a specific operating system version. If you are supporting multiple operating systems, or if users are connecting to multiple, concurrent pools/farms, then create a separate Roaming Profile share path for each operating system version. For example, you might have separate Roaming Profile shares for Windows 10 and Windows Server 2019.
      • Theoretically, DEM Personalization Archives can be used across multiple operating system versions.
  • Folder Redirection – stores profile folders that you want to persist, but you don’t want to store with the roaming profile. These folders are typically Documents, Downloads, Desktop, and Favorites. Folder Redirection speeds up restoration of roaming profiles. AppData should not be redirected to this file share path.
    • Each user has a separate sub-folder that only the one user has access to.
    • Folder Redirection can be accessed from multiple operating system versions so there’s no need to create multiple Folder Redirection share paths.
  • Home Directories – users store Documents and other personal data in Home Directories.
    • Folder Redirection can be stored in Home Directories instead of in a separate Folder Redirection file share path.
    • Home Directories might be located on multiple file servers. If these file servers are in branch offices instead of data centers, then Folder Redirection should be stored on file servers in the data center that contains Horizon Agents.
  • DEM Configuration Share – Dynamic Environment Manager (DEM) stores its configuration in a file share.

These file shares for a particular user can only be located in one data center. Neither Omnissa nor Microsoft support multi-master replication (aka merge replication) of user profiles, home directories, and folder redirection. If you use DFS Namespaces, then the DFS Namespace path must point to only one target.

  • Horizon users should connect to Horizon Agents in the same data center as the file servers that contain the user’s profile, folder redirection, and home directory. If you have active Horizon Agents in multiple data centers, then you can configure Horizon Cloud Pod Home Sites so that specific users connect to specific data centers. If users connect to a Horizon Agent that is not in the same data center as the user’s file servers, then the files are retrieved across the Data Center Interconnect, which might take longer than desired.
  • The DEM Configuration Share is primarily read-only so multi-master replication is less of a concern.

Here are NTFS permissions for each of the profile file share types:

DEM Profile Archives share:

  • \\server\DEMProfiles
    • DEM Admins = Full Control
    • DEM Support = Modify
    • DEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Dynamic Environment Manager (DEM) Configuration share:

  • \\server\DEMConfig – stores DEM configuration
    • DEM Admins = Full Control
    • DEM Users = Read
    • DEM Support = Read
    • Domain Computers = Read – for DEM computer ADMX

Non-DEM Monolithic Roaming Profiles share: (example includes multiple shares for multiple operating systems)

  • \\server\Profiles\Win10
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\Profiles\Win19
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Folder Redirection share:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

According to Omnissa 2113665 Imports and exports in Omnissa Dynamic Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it DEMConfig, DEMProfiles, or similar. See File Shares Design for design info on the share paths that should be created.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. Click OK.
  8. Click Caching.
  9. Select No files or programs. Click OK twice, and then click Close.
  10. According to Omnissa 2113665 Imports and exports in Omnissa Dynamic Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares design except for the DEMConfig folder.

Lieven D’hoore has VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the Properties of the new shared folder.
  2. On the Security tab, click Advanced.

    1. Click Disable Inheritance.
    2. Click Convert inherited permissions.
    3. Click OK to close Advanced Security Settings.
  3. On the Security tab, click Edit.

    1. For the Everyone or the Authenticated Users entry or the Users entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
    2. Add CREATOR OWNER, and give it Full Control. This grants users Full Control of the folders they create.
    3. Click OK to close the Permissions window.
  4. Click Advanced again.
  5. Highlight the Everyone permission entry or the Authenticated Users permission entry or the Users permission entry and click Edit.
  6. At the top of the window, change the Applies to selection to This folder only. This prevents the Everyone permission from flowing down to newly created profile folders.
  7. Remove all other permission entries that grant access to Users, Domain Users, Everyone, or Authenticated Users. There should only be one of these types of permission entries.
  8. Click OK twice to close the Security and Properties windows.

Access Based Enumeration

With access based enumeration enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it.
  3. Right-click the new share, and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration and click OK.
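The three procedures above (Create and Share the Folders, Folder Permissions, Access Based Enumeration), scripted for the DEM Profile Archives share as an added example that is not part of the original post. The local path D:\Shares\DEMProfiles and the CORP\ group names are assumptions; the NTFS entries follow the DEM Profile Archives design list, and the audit function flags the misconfiguration the Folder Permissions steps are meant to prevent (a broad group whose entry flows down into user folders).

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: the local path and the CORP\ group names.
$Path         = 'D:\Shares\DEMProfiles'
$ShareName    = 'DEMProfiles'
$AdminGroup   = 'CORP\DEM Admins'
$SupportGroup = 'CORP\DEM Support'
$UserGroup    = 'CORP\DEM Users'

$sidType = [System.Security.Principal.SecurityIdentifier]
$ruleType = [System.Security.AccessControl.FileSystemAccessRule]

# Everyone, Authenticated Users, BUILTIN\Users, or any domain's Domain Users (RID 513).
function Test-BroadSid {
    param([string]$Sid)
    return ($Sid -in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545') -or ($Sid -match '^S-1-5-21-.+-513$')
}

function Set-ProfileRootAcl {
    param([string]$Path, [string]$AdminGroup, [string]$SupportGroup, [string]$UserGroup)

    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Disable inheritance and convert inherited entries to explicit ones.
    # The converted entries only become explicit after a write and a re-read.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path

    # Drop every entry for the broad principals and for CREATOR OWNER (S-1-3-0).
    # SYSTEM and BUILTIN\Administrators entries from the conversion are left alone.
    foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ((Test-BroadSid $sid) -or $sid -eq 'S-1-3-0') {
            $acl.PurgeAccessRules($rule.IdentityReference)
        }
    }
    # Drop earlier entries for the three groups so a rerun does not stack rules.
    foreach ($name in $AdminGroup, $SupportGroup, $UserGroup) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
    }

    $all = 'ContainerInherit, ObjectInherit'
    # Admins and Support: this folder, subfolders and files.
    $acl.AddAccessRule($ruleType::new($AdminGroup, 'FullControl', $all, 'None', 'Allow'))
    $acl.AddAccessRule($ruleType::new($SupportGroup, 'Modify', $all, 'None', 'Allow'))
    # Users: Read/Execute plus Create Folders, this folder only (no inheritance flags).
    $acl.AddAccessRule($ruleType::new($UserGroup, 'ReadAndExecute, CreateDirectories', 'None', 'None', 'Allow'))
    # CREATOR OWNER: Full Control on subfolders and files only, so each user owns what they create.
    $creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
    $acl.AddAccessRule($ruleType::new($creatorOwner, 'FullControl', $all, 'InheritOnly', 'Allow'))

    Set-Acl -Path $Path -AclObject $acl
}

# Returns one string per problem found on the share root; an empty result means the root is clean.
function Get-ProfileRootAclFinding {
    param([string]$Path)

    $acl = Get-Acl -Path $Path
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $findings = @()

    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled on the share root.'
    }
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not (Test-BroadSid $sid)) { continue }
        if ($rule.InheritanceFlags -ne 'None') {
            $findings += "$sid has an entry that flows down into user folders ($($rule.FileSystemRights))."
        }
        if (($rule.FileSystemRights -band $modify) -eq $modify) {
            $findings += "$sid has Modify or Full Control on the share root."
        }
    }
    return $findings
}

Set-ProfileRootAcl -Path $Path -AdminGroup $AdminGroup -SupportGroup $SupportGroup -UserGroup $UserGroup

# Share permissions Everyone = Full Control, offline caching off, access-based enumeration on.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' `
        -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
}

$findings = Get-ProfileRootAclFinding -Path $Path
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Share root ACL matches the design.' }
```

Get-ProfileRootAclFinding only reads the ACL, so it can also be pointed at an existing profile or redirection share root that was configured by hand.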

GPO Templates

Windows Group Policy Templates

Unfortunately, there are some differences between the GPO templates for Windows Server and the GPO templates for Windows 10. You’ll need to download the full set of templates.

Follow the procedure at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates (.admx) for Windows 10.

Horizon Group Policy Templates

Some of the policy settings in this topic require group policy templates from the Horizon GPO Bundle, which can be downloaded from the Omnissa Horizon Download Page.

For Horizon 2503 (8.15), download Horizon GPO Bundle 8.15 (Omnissa-Horizon-Extras-Bundle-2503-8.15.0)

Install the Group Policy files:

  1. Go to the downloaded Omnissa-Horizon-View-Extras-Bundle.zip file and extract the files.
  2. Copy the .admx files and en-US folder to the clipboard.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.

  4. Horizon 7.13 has an .admx file in the ThinPrint\ADMX folder. Horizon 2006 (8.0) and newer no longer include ThinPrint, so this .admx is not available in Horizon 2006 (8.0) and newer.
    1. Copy the .admx file, and en-US folder, to the clipboard.
    2. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.
  5. When you edit group policy objects, you can now add Horizon settings. Horizon older than 2412 had settings in the VMware nodes. Horizon 2412 and newer have settings in the Omnissa nodes. However, the previously configured VMware settings do not migrate automatically and instead must be reconfigured in the Omnissa nodes. Don’t upgrade your Horizon Agents until you finish reconfiguration of the GPO settings.
  6. After all Horizon Agents are upgraded to 2412 or newer, you can delete the older vdm .admx template files from PolicyDefinitions.

Dynamic Environment Manager GPO Templates

Download and copy the DEM GPO ADMX templates to PolicyDefinitions. DEM can also work without Active Directory (Group Policy); see Omnissa 2148324 Configuring advanced DEM settings in NoAD mode for details.

In Horizon 2006 (8.0) and newer, DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different ADMX templates.

In Horizon 7, DEM is only available for Horizon Enterprise Edition customers. Horizon 7 Enterprise Edition customers can download DEM Enterprise Edition.

  1. Download DEM 2503 (10.15) Enterprise Edition.
  2. Go to the extracted Dynamic Environment Manager files, and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the files and folder. Overwrite any older files.

  4. If you are upgrading from DEM 2406 or older to DEM 2412 or newer, then look in PolicyDefinitions for VMware DEM.admx files and delete them.
  5. You will find Omnissa DEM GPO settings in the User Half of a GPO.

Omnissa DEM FlexEngine Advanced Settings are available in a different GPO template.

  1. Go to https://kb.omnissa.com/s/article/2145286.
  2. On the top right, click the link to download the ADMX file.
  3. Extract the files. Then copy the .admx file.
  4. Go to your PolicyDefinitions folder and paste the file.
  5. Go back to the extracted files and then copy the .adml file.
  6. Go to your PolicyDefinitions folder and paste the file under the en-US folder.
  7. Look in your PolicyDefinitions for VMware DEM FlexEngine Advanced Settings.admx and delete it.

Microsoft Edge GPO Templates

Horizon Browser Redirection requires installation of an Edge extension. Install the Edge GPO Templates so you can force install the Edge extension.

  1. Download the Edge ADMX templates from Microsoft Edge for business. Select your version of Edge and then click GET POLICY FILES.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \windows\admx folder, copy the msedge*.admx files and the en-US folder.
  4. Go to PolicyDefinitions in your SYSVOL (e.g., \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files and en-US folder.

Google Chrome GPO Templates

Horizon Browser Redirection requires installation of a Chrome extension. Install the Chrome GPO Templates so you can force install the Chrome extension.

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools, then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon Agent Computer Settings GPO). One of the GPOs is called Horizon Agent All Users (including admins), and the other is called Horizon Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU, or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab, and click Add.
  10. Find your Horizon Admins group, and click OK.
  11. Change the Permissions to Edit settings, and click OK.
  12. Then on the Delegation tab, click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each Horizon Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.). Each profile configuration needs a different GPO. Note: if you are licensed for Dynamic Environment Manager, then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs, and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU, and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar, and click OK. Each operating system version should point to a different file share, so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU, and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO, and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Configure the GPO Computer Settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups, and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users, and click OK twice.

Horizon Integrated Printing

Horizon 7.7 and newer have a new Universal Print Driver named Horizon Integrated Printing.

You can use Group Policy to configure Integrated Printing. (e.g. select whether Native Print Drivers are preferred over the Universal Print Driver). The GPO settings only apply if the Horizon Integrated Printing feature is installed on the Horizon Agent.

  1. Make sure the Horizon 2012 (8.1) or newer GPO Templates are installed. Some Integrated Printing GPO settings are available in Horizon 7.7 and newer.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | Omnissa Horizon Agent Configuration | Omnissa Integrated Printing. This node only appears in ADMX templates from Horizon 7.7 and newer.
    • The Integrated Printing settings are also available in the user half at User Configuration > Policies > Administrative Templates > Omnissa Horizon Agent Configuration > Omnissa Integrated Printing. User settings override computer settings.
  4. Horizon 2106 (8.3) and newer have a setting named Default settings for UPD printers that lets you set duplex, color, and compression defaults.

  5. In Horizon 2012 (8.1) and newer, Do not change default printer prevents the client default printer from overriding the remote default printer.
  6. Edit the setting Printer Driver Selection.
  7. Enable the setting and then consider setting it to Always use UPD to avoid needing to install any printer drivers on the Horizon Agent machines. This is particularly beneficial for multi-user RDSH machines.
  8. In Horizon 2012 (8.1) and newer, Printer Name Schema lets you change the names of the redirected printers.

  9. Horizon 2303 and newer have Enable server printer redirection, which causes the Horizon Agent to connect directly to the print servers instead of routing the print job through the Horizon Client. Print drivers are probably needed on the Agent machine.
  10. Horizon 7.8 and newer support filtering of redirected client printers.

Omnissa Integrated Printing also supports Location Based Printing.

  1. In the Horizon 7.7 or newer Extras Bundle (GPO templates), find the file named LBP.xml.
  2. Edit the file. This is an XML document that can contain multiple <Policy> nodes. The file is commented.
  3. When done editing the LBP.xml file, copy it to C:\ProgramData\VMware on each Horizon Agent machine. It’s probably easiest to use Group Policy Preferences (or a computer startup script) to download this file when the Horizon Agent machine boots.

Dynamic Environment Manager (DEM) Group Policy

Most of the Dynamic Environment Manager GPO settings are user settings, not computer settings. DEM 2006 (aka 10.0) and newer support ADMX files for computers.

Note: UEM 9.1 can also work without Active Directory (Group Policy); see Omnissa 2148324 Configuring advanced UEM settings in NoAD mode for details.

From Omnissa Tech Zone Quick-Start Tutorial for VMware Dynamic Environment Manager and Chris Halstead VMware User Environment Manager (UEM) – Part 1 – Overview / Installation.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Dynamic Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.

    1. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
    2. Double-click Always wait for the network at computer startup and logon.
    3. Enable the setting, and click OK.
    4. Close the group policy editor.
  3. If you use DEM 9.10 or newer to roam File Type Associations, then enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
  4. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents, and Loopback processing should already be enabled on those machines.
  5. Go to User Configuration | Policies | Administrative Templates | Omnissa DEM | FlexEngine.
  6. If you are running Dynamic Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.

    1. Enable the setting and click OK.
  7. Double-click Flex config files.

    1. Enable the setting.
    2. Enter \\server\demconfig\general. The general folder will be created by the Dynamic Environment Manager management console. Click OK.
  8. Double-click FlexEngine Logging.

    1. Enable the setting.
    2. Enter \\server\demprofiles\%username%\logs. Dynamic Environment Manager will create these folders. Click OK.
  9. UEM 9.0 and newer have a setting named Paths unavailable at logon. By default, users are blocked from logging in if the DEM file share is not reachable.

  10. Double-click the setting Profile archive backups.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\backups.
    3. Enter the number of desired backups, check the box for daily backups, and click OK.
  11. In DEM 2111 and newer, you can store Profile Archives in OneDrive for Business by configuring the setting OneDrive for Business integration.
  12. To store Profile archives in a file share, double-click Profile archives.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\archives.
    3. Check the box next to Retain file modification dates.
    4. Click OK.
  13. In DEM 2111 and newer, simply enable the setting Run FlexEngine at logon and logoff.
  14. For DEM prior to version 2111, configure the group policy extension and logoff script:
    1. Double-click the setting Run FlexEngine as Group Policy Extension.
    2. Enable the setting, and click OK.
    3. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
    4. Double-click Logoff.
    5. Click Add.
    6. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
    7. In the Script Parameters field, enter -s.
    8. Click OK.
  15. If you are using the Privilege Elevation feature, consider enabling Privilege elevation logging to the Windows event log.

  16. Same for Application blocking logging to the Windows event log.
  17. You can download and install a separate ADMX file containing DEM Advanced Settings.
    1. You can use group policy to Disable DEM agent features on certain OUs. For example, you might not want Personalization on some pools.
    2. DEM 2111 and newer can enable DEM ADMX Settings to override GPOs by enabling the setting Override existing user policy settings.
  18. If DEM 2006 or newer, you can optionally enable DEM Computer ADMX settings.
    1. In the DEM Config share, make sure Domain Computers has Read permission to the folders.
    2. Edit a GPO that applies computer settings to the Horizon Agent machines (e.g. Horizon Agent Computer Settings).
    3. Go to Computer Configuration | Preferences | Windows Settings | Registry.
    4. Add a New Registry Item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration
      2. Value name = Enabled
      3. Value type = REG_DWORD
      4. Value data = 1. Click OK.
    5. Create another registry item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration
      2. Value name = ConfigFilePath
      3. Value type = REG_SZ
      4. Value data = the path to your DEM Config share, including the general folder. Click OK.
      5. For more registry values, see Omnissa Docs FlexEngine Configuration for Computer Environment Settings.

Now that DEM is enabled, you can configure Dynamic Environment Manager by using a separate console application. See the instructions at https://www.carlstalhood.com/vmware-user-environment-manager/.

DEM Changelog

  1. On the left, click the node named Management Console under Omnissa DEM.
  2. On the right, UEM 9.6 adds two new settings for Changelog.
  3. Log changes to disk stores the log in the DEM share at \\server\DEMConfig\Changelog\general. Note that administrators usually have permission to modify this location so they could modify this changelog.
  4. Log changes to the Windows event log stores the log in the Application Log in Event Viewer of the local console machine and not in any central server.
  5. You can also enable the Changelog in the DEM Management Console by clicking the ribbon button named Configure.
  6. Switch to the tab named Version History to enable the two settings.

    • Note that Version History overrides Logging to disk.

  7. Each configuration item in DEM Management Console shows a tab named Changelog after changes are recorded.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts, Instant Clones, or newer versions of Windows 10. It also does not apply to Horizon 2006 (8.0) and newer.

If you are using Dynamic Environment Manager then skip this section.

  1. Verify that ICMP is enabled between the Horizon Agent and the domain controller, as well as between the Horizon Agent and the Persona Management Repository.
  2. Install the Horizon GPO ADMX files if you haven’t already.
  3. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  4. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  5. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Persona Management | Roaming & Synchronization.
  6. On the right, double-click Manage user persona.
  7. Enable the setting. It defaults to 10 minutes. Click OK.
  8. Double-click Persona repository location, and enable the setting.
  9. Enter the path to the file share created for Persona. Append %username%.
  10. Check the box next to Override Active Directory user profile path. Click OK.
  11. Double-click Roam local settings folders, and enable it. Click OK.
  12. Double-click Files and folders excluded from roaming, and enable it. Then click Show.
  13. Enter the values shown below, and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  14. Double-click Files and folders excluded from roaming (exceptions), and enable it. Then click Show.
  15. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  16. Configure %AppData%\Thinstall as a folder to background download. If you are using Thinapps, this will speed up the launch time of Thinapps.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using Dynamic Environment Manager or FSLogix, then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles

  10. VMware recommends enabling RunOnce as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

Horizon Agent Settings

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | Omnissa Horizon Agent Configuration. Click Agent Configuration.
  4. Horizon 2306 and newer have a setting called Allow FIDO2 authenticator access. Combine it with FIDO2 allow list, which defaults to only allowing Chrome, Edge, and Firefox.

  5. The RDSH idle timer is configured using Microsoft RDSH GPO settings, which are not Horizon-specific. The Horizon 2106 and newer GPO templates have the RDS timers in the Omnissa Horizon Agent Configuration node, or you can configure the RDS timers in the normal Microsoft Remote Desktop Session Host node. Both sets of GPO settings set the same registry values.
  6. Horizon 7.10 and newer has an Idle Time Until Disconnect (VDI) for virtual desktops. This setting does not apply to RDSH.
  7. In Horizon 7.10 or newer, you can use Group Policy to configure a Disconnect Session Time Limit for virtual desktops. This GPO setting overrides the pool setting Logoff after Disconnect.
  8. Horizon 2106 and newer have a Screen-capture blocking setting. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half.

    • Screen-capture blocking requires Horizon Agent 2106 and Horizon Client 2106 (8.3). To prevent older Horizon Clients from connecting, in Horizon Console, go to Settings > Global Settings. On the right is a tab named Client Restriction Settings. Click Edit. Check the boxes for the various client operating systems and enter 8.3.0 (2106) as the required minimum version.

  9. Horizon 2303 and newer have a setting called Screen-capture For Media Offloaded Solution. This setting adds a Print Screen button to the Horizon Client toolbar. When pressed, the screenshot is saved to the Pictures folder on the remote desktop. The advantage of this feature is that it captures Teams redirection, Multimedia Redirection, multiple monitors, and Watermark.



  10. Horizon 2111 and newer have a setting for Key Logger Blocking. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half. Use Client Restriction Settings to prevent Horizon Clients older than 2111 from connecting.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | PCoIP Session Variables. Click Overridable Administrator Defaults.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and select Enabled in both directions. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting named Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold.


  8. Horizon 7.0.2 and newer have the ability to filter specific clipboard formats.
  9. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, Omnissa recommends setting this to 100 – 150. Or you can start with 300 Kbps and reduce as needed.

Real-Time Audio-Video

Omnissa validated Horizon 7.9’s Real-Time Audio-Video feature with Microsoft Teams. Here are sizing recommendations:

  • Minimum setting of 4vCPU 4GB RAM as a published desktop configuration
  • RTAV video resolution configured with 640 x 480p

Real-Time Audio-Video (RTAV) is one of the options that can be selected when installing Horizon Agent. To ensure that audio is captured by RTAV instead of by USB redirection, exclude audio from USB redirection as described in the next section.

To configure RTAV video resolution, do the following:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates | Omnissa Horizon Agent Configuration, expand View RTAV Configuration and click View RTAV Webcam Settings.
  4. On the right, double-click Resolution – Default image resolution height in pixels.
  5. Enable the setting and set it to 480 pixels. Click OK.
  6. On the right, double-click Resolution – Default image resolution width in pixels.
  7. Enable the setting and enter 640. Click OK.
  8. There are two more GPO settings for Max height and width. If these are not configured then there is no maximum.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon Client when the Horizon Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon Client USB GPO settings. Merge means that if Horizon Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Policies | Administrative Templates | Omnissa Horizon Agent Configuration and click Horizon USB Configuration.
  4. On the right, double-click Exclude Device Family.
  5. Change the selection to Enabled.
  6. Enter o:audio-in;o:video.
  7. If you want to block USB storage devices, add o:storage to the list. Click OK.
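
The check below is an added example, not code from the original post or from Omnissa: it audits an Exclude Device Family value written in the o:audio-in;o:video form from the steps above. The function names are hypothetical, m: is the merge modifier, and any entry not written as o:family or m:family is reported rather than interpreted.

```python
# Added example: audit an Exclude Device Family policy string in the
# "o:audio-in;o:video" form used in the steps above.
REQUIRED_FOR_RTAV = {"audio-in", "video"}   # families entered in step 6
STORAGE = "storage"                          # optional family from step 7


def parse_exclude_family(value):
    """Split the policy string into override, merge and unrecognised entries."""
    result = {"override": set(), "merge": set(), "unrecognised": []}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing or doubled semicolon
        prefix, sep, family = entry.partition(":")
        prefix, family = prefix.strip(), family.strip()
        if sep and family and prefix == "o":
            result["override"].add(family)
        elif sep and family and prefix == "m":
            result["merge"].add(family)
        else:
            # Assumption: anything else is reported, not guessed at.
            result["unrecognised"].append(entry)
    return result


def audit_exclude_family(value, block_storage=False):
    """Return a list of findings; an empty list means the value passes."""
    parsed = parse_exclude_family(value)
    wanted = set(REQUIRED_FOR_RTAV)
    if block_storage:
        wanted.add(STORAGE)
    findings = []
    for family in sorted(wanted):
        if family in parsed["override"]:
            continue
        if family in parsed["merge"]:
            findings.append(f"{family}: merge entry, client settings can take precedence")
        else:
            findings.append(f"{family}: not excluded")
    for entry in parsed["unrecognised"]:
        findings.append(f"unrecognised entry: {entry!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real GPO.
    for sample in ("o:audio-in;o:video;o:storage", "o:audio-in;m:storage;video"):
        print(sample, "->", audit_exclude_family(sample, block_storage=True))
```

A family excluded only with m: is flagged because, as noted in the list above, merged agent settings are ignored when Horizon Client settings exist.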

Blast Settings

The full Horizon Client 4.0 and newer can use UDP when connecting to Horizon 7 Agents using Blast.

  • Omnissa Tech Zone VMware Blast Extreme Optimization Guide
  • VMware Blog Post Deep Dive into VMware Horizon Blast Extreme Adaptive Transport – Blast Extreme Adaptive Transport is enabled by default in VMware Horizon View 7.1 and Horizon Client 4.4. If the clients are connecting from outside the demilitarized zone (DMZ), you would also need to have VMware Unified Access Gateway (not Security Server) to take full advantage of the new transport. The adaptive transport will automatically sense the network for UDP availability and will fall back to legacy Blast TCP if UDP is not available.

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

If you want file transfer in HTML5 Blast, then you must configure clipboard from server-to-client (or both directions).

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. In Horizon 2012 (8.1) and newer, expand Computer Configuration | Policies | Administrative Templates | Omnissa Horizon Agent Configuration and click Clipboard Redirection.
    1. In versions earlier than Horizon 2012 (8.1), expand Policies | Administrative Templates, and click VMware Blast.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting and then make your choice. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting to Configure drag and drop direction. In Horizon 2012 (8.1) and newer it’s under the separate Omnissa Horizon Agent Configuration | Drag and Drop node instead of VMware Blast.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. In Horizon 2012 (8.1) and newer it’s under the separate Omnissa Horizon Agent Configuration | Drag and Drop node instead of VMware Blast.


  8. In the Horizon Blast node, Horizon 2212 and newer have a setting called Blast Optimizer that adjusts multiple settings for better user experience or better performance.