Horizon Group Policy and Profiles

Last Modified: Sep 28, 2019 @ 9:56 am

Navigation

This post applies to all VMware Horizon versions 7.0 and newer

ūüí° = Recently Updated

Change Log

Roaming Profiles Options

There are several options for persisting user profile settings when the user logs off:

  • VMware Dynamic Environment Manager (DEM) ‚Äď If you are licensed for Horizon Enterprise Edition, then you can use VMware‚Äôs Dynamic Environment Manager. DEM is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • VNware Dynamic Environment Manager (DEM) is the new name for VMware User Environment Manager (UEM). VMware renamed User Environment Manager 9.9 and newer to DEM to avoid confusion with Workspace ONE Unified Endpoint Management (also UEM), which is actually AirWatch mobility management. User Environment Manager is sometimes called “little UEM”, while AirWatch is sometimes called “big UEM”.
    • DEM persists settings for specific applications instead of persisting the entire profile. Saved application settings are stored in separate .zip files (aka profile archives) for each application so you can restore one .zip file without affecting the other .zip files. Many of these DEM profile archive .zip files can be restored to multiple operating system versions, whereas other monolithic profile solutions are tied to a specific operating system version.
    • DEM restores profile archives on top of other profile solutions. One option is mandatory profiles so that anything not saved by DEM is discarded on logoff.
    • VMware KB article 2118056 Migrate VMware Persona Management to VMware User Environment Manager.
  • VMware Persona saves the entire user profile, meaning it is a “set and forget” roaming profile solution that is similar to Microsoft’s native roaming profiles or Citrix Profile Management.
    • VMware Persona is included in all editions of Horizon.
    • However, Persona doesn’t work on newer versions of Windows 10, Persona doesn’t work on RDSH Horizon Agents, and Persona doesn’t work on Instant Clones.
    • In practice, DEM is the only viable profile option from VMware, but DEM requires Horizon Enterprise Edition.
  • VMware App Volumes Writable Volumes – App Volumes Writable Volumes can store the user’s profile and roam the writable volume to different Horizon Agent machines.
    • App Volumes requires Horizon Enterprise Edition.
    • App Volumes is a separate infrastructure (e.g. separate servers, separate agents) that must be built, learned, maintained, and supported.
    • Writable Volumes are stored as .vmdk files on vSphere datastores. For backup/restore, you can replicate the .vmdk files to multiple datastores, including multiple data centers.
    • When Writable Volumes are combined with DEM, then Outlook search indexes can be stored on the Writable Volumes.
  • VMware Persistent Disks – VMware Horizon Composer can generate persistent disks for each dedicated desktop machine. User profile is redirected to the persistent disk so the user profile will be available after the machine is refreshed.
    • Persistent Disk only stores the user’s profile. It does not store user-installed applications. If you need to persist user-installed applications, then implement App Volumes Writable Volumes instead.
    • Persistent Disks require VMware Horizon Composer and are not available with Instant Clones. VMware seems to be deprecating Composer in favor of Instant Clones.
    • Persistent Disks are only an option for Dedicated Assignment pools, meaning that the Persistent Disks do not float between machines. Administrators can manually detach a Persistent Disk from one machine and attach it to a different machine.
    • Persistent Disks are stored as .vmdk files on vSphere datastores. How do you back them up and restore them, especially if they are not currently mounted on a running virtual machine?
  • Microsoft FSLogix – one FSLogix configuration is to store the entire user profile in a .vhdx file (aka Profile Container) that is stored on a file share.
    • FSLogix is free for almost all virtual desktop and RDSH customers. If you’re not licensed for DEM, then FSLogix is a viable alternative.
    • FSLogix is known for roaming the Outlook Search Index and other special Office 365 files.
    • FSLogix Profile Container is very similar to VMware Persistent Disks and Microsoft User Experience Virtualization in that the entire profile is stored in the .vhdx file. Watch out for disk space consumption on the file share.
    • FSLogix Profile Container configuration is “set and forget” since it doesn’t need separate configuration for each application.
  • Microsoft Roaming Profiles – a last-case alternative is native Microsoft roaming profiles. However, there are many limitations.
    • Microsoft‚Äôs Roaming Profiles cause longer login times since the entire profile is downloaded before the user can interact with the desktop or application. This is not a problem in other roaming profile solutions.
    • Microsoft‚Äôs Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms (or multiple desktop pools) then each RDS farm should have separate roaming profile shares.

Roaming Profiles File Shares

File Shares Design

This section provides a summary of the required shares. See Create and Share the Folders for Detailed steps for creating the profile shares.

There are typically several types of file share paths:

  • Roaming Profiles¬†– stores DEM profile archives, FSLogix .vhdx Profile Containers, etc.
    • Roaming profiles (or profile archives) are stored in a separate sub-folder for each user that only the one user has access to.
    • FSLogix, VMware Persona and Microsoft Roaming Profiles are monolithic profiles that are tied to a specific operating system version. If you are supporting multiple operating systems, or if users are connecting to multiple, concurrent pools/farms, then create a separate Roaming Profile share path for each operating system version. For example, you might have separate Roaming Profile shares for Windows 10 and Windows Server 2019.
  • Folder Redirection – stores profile folders that you want to persist but you don’t want to store with the roaming profile. These folders are typically Documents, Downloads, Desktop, and Favorites. Folder Redirection speeds up restoration of roaming profiles. AppData should not be redirected to this file share path.
    • Each user has a separate sub-folder that only the one user has access to.
    • Folder Redirection can be accessed from multiple operating system versions so there’s no need to create multiple Folder Redirection share paths.
  • Home Directories – users store Documents and other personal data in Home Directories.
    • Folder Redirection can be stored in Home Directories instead of in a separate Folder Redirection file share path.
    • Home Directories might be located on multiple file servers. If these file servers are in branch offices instead of data centers, then Folder Redirection should be stored on file servers in the data center that contains Horizon Agents.
  • DEM Configuration Share – VMware Dynamic Environment Manager (DEM) stores its configuration in a file share.

These file shares for a particular user can only be located in one data center. Neither VMware nor Microsoft support multi-master replication (aka merge replication) of user profiles, home directories, and folder redirection. If you use DFS Namespaces, then the DFS Namespace path must point to only one target.

  • Horizon users should connect to Horizon Agents in the same data center as the file servers that contain the user’s profile, folder redirection, and home directory. If you have active Horizon Agents in multiple data centers, then you can configure Horizon Cloud Pod Home Sites so that specific users connect to specific data centers.¬†If users connect to a Horizon Agent that is not in the same data center as the user’s file servers, then the files are retrieved across the Data Center Interconnect, which might take longer than desired.
  • The DEM Configuration Share is primarily read-only so multi-master replication is less of a concern.

Here are NTFS permissions for each of the profile file share types:

DEM Profile Archives share:

  • \\server\DEMProfiles
    • DEM Admins = Full Control
    • DEM Support = Modify
    • DEM Users = Read/Execute, Create Folders ‚Äď this folder only
    • Creator Owner = Full Control

Dynamic Environment Manager (DEM) Configuration share:

  • \\server\DEMConfig – stores DEM configuration
    • DEM Admins = Full Control
    • DEM Users = Read
    • DEM Support = Read

Non-DEM Monolithic Roaming Profiles share: (example includes multiple shares for multiple operating systems)

  • \\server\Profiles\Win10
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders ‚Äď this folder only
    • Creator Owner = Full Control
  • \\server\Profiles\Win19
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders ‚Äď this folder only
    • Creator Owner = Full Control

Folder Redirection share:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders ‚Äď this folder only
    • Creator Owner = Full Control

According to VMware 2113665 Imports and exports in VMware User Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it  DEMConfig, or DEMProfiles or similar. See File Shares Design for design info on the share paths that should be created.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. Click OK.
  8. Click Caching.
  9. Select No files or programs. Click OK twice, and then click Close.
  10. According to VMware 2113665 Imports and exports in VMware User Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares design except for the DEMConfig folder.

Lieven D’hoore has VMware Horizon View ‚Äď Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the Properties of the new shared folder.
  2. On the Security tab, click Advanced.

    1. Click Disable Inheritance.
    2. Click Convert inherited permissions.
    3. Click OK to close Advanced Security Settings.
  3. On the Security tab, click Edit.

    1. For the Everyone or the Authenticated Users entry or the Users entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
    2. Add CREATOR OWNER, and give it Full Control. This grants users Full Control of the folders they create.
    3. Click OK to close the Permissions window.
  4. Click Advanced again.
  5. Highlight the Everyone permission entry or the Authenticated Users permission entry or the Users permission entry and click Edit.
  6. At the top of the window, change the Applies to selection to This folder only. This prevents the Everyone permission from flowing down to newly created profile folders.
  7. Remote all other permission entries that grant access to Users, Domain Users, Everyone, or Authenticated Users. There should only be one of these types of permission entries.
  8. Click OK twice to close the Security and Properties windows.

VMware Fling – Horizon View Persona Management Share Validation Tool:

  1. Download the tool, and extract it.
  2. From a command line, run VMWVvpValidator.exe with the share parameter, the path to the Persona or RDSProfiles share, and the group that should have access to the share.
  3. This will create a VMWVvpValidatortxt file in the same folder that contains the executable. Open it.
  4. Scroll down and there should be no errors. If there are, fix them as detailed in the report.

Access Based Enumeration

With access based enumeration enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it.
  3. Right-click the new share, and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration and click OK.

GPO Templates

Windows Group Policy Templates

Unfortunately, there are some differences between the GPO templates for Windows Server, and the GPO templates for  Windows 10. You’ll need to download the full set of templates.

Follow the procedure at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates (.admx) for Windows 10.

Horizon Group Policy Templates

Some of the policy settings in this topic require group policy templates from the Horizon GPO Bundle, which can be downloaded from the VMware Horizon Download Page.

For Horizon 7.10, download Horizon 7.10.0 View GPO Bundle (aka VMware-Horizon-Extras-Bundle-5.2.0).

For Horizon 7.5.2 (ESB), download VMware Horizon 7.5.0 View GPO Bundle.

  1. Go to the downloaded VMware-Horizon-View-Extras-Bundle.zip file, and extract the files.
  2. Copy the .admx files, and en-US folder, to the clipboard.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines¬†(if PolicyDefinitions doesn’t exist¬†in SYSVOL), and paste the .admx files. Overwrite any older files.

  4. Horizon 7.3 and newer have an .admx file in the ThinPrint\ADMX folder.
  5. Copy the .admx file, and en-US folder, to the clipboard.
  6. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines¬†(if PolicyDefinitions doesn’t exist¬†in SYSVOL), and paste the .admx files. Overwrite any older files.
  7. When you edit group policy objects, you can now edit Horizon settings.

Dynamic Environment Manager GPO Templates

If you are licensed for Dynamic Environment Manager (formerly known as User Environment Manager), copy the DEM GPO ADMX templates to PolicyDefinitions. Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

  1. Download Dynamic Environment Manager 9.9.0 or¬†User Environment Manager 9.4.1¬†(ESB) if you haven’t already.

  2. Go to the extracted Dynamic Environment Manager files, and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines¬†(if PolicyDefinitions doesn’t exist¬†in SYSVOL), and paste the files and folder. Overwrite any older files.

  4. If you are upgrading from UEM 9.8 or older to DEM 9.9 or newer, then look in PolicyDefinitions for VMware UEM.admx files and delete them.
  5. You will find VMware DEM GPO settings in the User Half of a GPO.

Chrome GPO Templates

VMware Horizon Browser Redirection requires installation of a Chrome extension. Install the Chrome GPO Templates so you can force install the Chrome extension.

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools, then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon Agent Computer Settings GPO). One of the GPOs is called Horizon Agent All Users (including admins), and the other is called Horizon Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU, or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs, and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab, and click Add.
  10. Find your Horizon Admins group, and click OK.
  11. Change the Permissions to Edit settings, and click OK.
  12. Then on the Delegation tab, click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each Horizon Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.) Each profile configuration needs a different GPO. Note: if you are licensed for Dynamic Environment Manager, then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs, and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU, and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar, and click OK. Each operating system version should point to a different file share, so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU, and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO, and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Configure the GPO Computer Settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  3. In addition, VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products has a list of recommended ciphers for Windows. These ciphers are configured at Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA
    The article also details how to enable TLS 1.2 in Windows.

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups, and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users, and click OK twice.

VMware Integrated Printing

Horizon 7.7 and newer have a new Universal Print Driver named VMware Integrated Printing or VMware Advanced Printing, which replaces ThinPrint. Integrated Printing is an optional feature of the Horizon Agent installer and requires Horizon Client 4.10 for Windows, Horizon Client 5.1 for Linux and Horizon Client 5.1 for Mac.

You can use Group Policy to select whether Native Print Drivers are preferred over the Universal Print Driver. The GPO settings only apply if the VMware Integrated Printing feature is installed on the Horizon Agent.

  1. Make sure the Horizon 7.7 or newer GPO Templates are installed.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware Integrated Printing (or VMware Advanced Printing). This node only appears in ADMX templates from Horizon 7.7 and newer.
  4. Edit the setting Printer Driver Selection.
  5. Enable the setting, and then consider setting it to Always use UPD to avoid needing to install any printer drivers on the Horizon Agent machines. This is particularly beneficial for multi-user RDSH machines.

Horizon 7.8 and newer supports filtering of redirected client printers.

VMware Integrated Printing also supports Location Based Printing.

  1. In the Horizon 7.7 or newer Extras Bundle (GPO templates), find the file named LBP.xml.
  2. Edit the file. This is an XML document that can contain multiple <Policy> nodes. The file is commented.
  3. When done editing the LBP.xml file, copy it to¬†C:\ProgramData\VMware on each Horizon Agent machine. It’s probably easiest to use Group Policy Preferences (or computer startup script) to download this file when the Horizon Agent machines boots.

Dynamic Environment Manager (DEM) Group Policy

Most of the Dynamic Environment Manager GPO settings are user settings, not computer settings.

Note: UEM 9.1 can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

From Chris Halstead VMware User Environment Manager (UEM) ‚Äď Part 1 ‚Äď Overview / Installation and VMware Deployment Guide VMware User Environment Manager Deployed in 60 Minutes or Less:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Dynamic Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.

    1. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
    2. Double-click Always wait for the network at computer startup and logon.
    3. Enable the setting, and click OK.
    4. Close the group policy editor.
  3. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents, and Loopback processing should already be enabled on those machines.
  4. Go to User Configuration | Policies | Administrative Templates | VMware DEM | FlexEngine.
  5. If you are running Dynamic Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.

    1. Enable the setting, and click OK.
  6. Double-click Flex config files.

    1. Enable the setting.
    2. Enter \\server\demconfig\general. The general folder will be created by the Dynamic Environment Manager management console. Click OK.
  7. Double-click FlexEngine Logging.

    1. Enable the setting.
    2. Enter \\server\demprofiles\%username%\logs. Dynamic Environment Manager will create these folders. Click OK.
  8. UEM 9.0 and newer has a setting named Paths unavailable at logon. By default, users are blocked from logging in if the DEM file share is not reachable.

  9. Double-click the setting Profile archive backups.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\backups.
    3. Enter the number of desired backups, check the box for daily backups, and click OK.
  10. Double-click Profile archives.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\archives.
    3. Check the box next to¬†Retain file modification dates. Source =¬†Anyway to save ‘Date Modified’? at VMware Communities.
    4. Click OK.
  11. Double-click the setting RunFlexEngine as Group Policy Extension.

    1. Enable the setting, and click OK.
  12. If you are using the Privilege Elevation feature, consider enabling Privilege elevation logging to the Windows event log.

  13. Same for Application blocking logging to the Windows event log.
  14. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
  15. Double-click Logoff.

    1. Click Add.
    2. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
    3. In the Script Parameters field, enter -s.
    4. Click OK.

Dynamic Environment Manager is configured in a separate console application. See the instructions at https://www.carlstalhood.com/vmware-user-environment-manager/.

DEM Changelog

From YouTube video¬†User Environment Manager 9.6 What’s New Overview:

  1. On the left, click the node named Management Console under VMware DEM
  2. On the right, UEM 9.6 adds two new settings for Changelog.
  3. Log changes to disk stores the log in the DEM share at \\server\DEMConfig\Changelog\general. Note that administrators usually have permission to modify this location so they could modify this changelog.
  4. Log changes to the Windows event log stores the log in the Application Log in Event Viewer of the local console machine and not in any central server.
  5. You can also enable the Changelog in the DEM Management Console by clicking the ribbon button named Configure.
  6. Switch to the tab named Configuration Changelog to enable the two settings.
  7. Each configuration item in DEM Management Console shows a tab named Changelog after changes are recorded.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts, Instant Clones, or newer versions of Windows 10.

If you are using Dynamic Environment Manager then skip this section.

  1. Verify that ICMP is enabled between the Horizon Agent and the domain controller, and as well as the Horizon Agent and the Persona Management Repository (source = VMware KB article 2105270 Logging in to a VMware Horizon View desktop for the first time fails to download all of the files by Persona Management Profiles)
  2. Install the Horizon GPO ADMX files if you haven’t already.
  3. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  4. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  5. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Persona Management | Roaming & Synchronization.
  6. On the right, double-click Manage user persona.
  7. Enable the setting. It defaults to 10 minutes. Click OK.
  8. Double-click Persona repository location, and enable the setting.
  9. Enter the path to the file share created for Persona. Append %username%.
  10. Check the box next to Override Active Directory user profile path. Click OK.
  11. Double-click Roam local settings folders, and enable it. Click OK.
  12. Double-click Files and folders excluded from roaming, and enable it. Then click Show.
  13. Enter the values shown below, and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  14. Double-click Files and folders excluded from roaming (exceptions), and enable it. Then click Show.
  15. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  16. Configure %AppData%\Thinstall as a folder to background download. If you are using Thinapps, this will speed up the launch time of Thinapps.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using Dynamic Environment Manager, then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at¬†https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles

  10. VMware recommends enabling RunOnce as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

Horizon Agent Settings

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration. Click Agent Configuration.
  4. Horizon 7.10 and newer has an Idle Time Until Disconnect (VDI) for virtual desktops. Note: RDSH idle timer is configured using Microsoft RDSH GPO settings, not Horizon GPO settings. ūüí°
  5. In Horizon 7.10 or newer, you can use Group Policy to configure a Disconnect Session Time Limit for virtual desktops. This GPO setting overrides the pool setting Logoff after Disconnect.
  6. If Horizon 7.8 or newer, on the right, double-click DPI Synchronization Per Connection.
  7. This setting is disabled by default. You can optionally enable it so DPI is reconfigured on reconnect instead of only on initial logon.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | PCoIP Session Variables. Click Overridable Administrator Defaults.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and select Enabled in both directions. Click OK.
  5. Horizon 7.6 and newer have a setting for¬†Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting named Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for¬†Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. ūüí°


  8. Horizon 7.0.2 and newer have the ability to filter specific clipboard formats.
  9. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, VMware recommends setting this to 100 – 150 Or you can start with 300 Kbps and reduce as needed.

Real-Time Audio-Video

VMware validated Horizon 7.9’s Real-Time Audio-Video feature with Microsoft Teams. Here are sizing recommendations:

  • Minimum setting of 4vCPU 4GB RAM as a published desktop configuration
  • RTAV video resolution configured with 640 x 480p

Real-Time Audio-Video (RTAV) is one of the options that can be selected when installing Horizon Agent. To ensure that Audio is captured by RTAV instead of by USB redirection, exclude audio from USB redirection is described in the next section.

To configure RTAV video resolution, do the following:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration, expand View RTAV Configuration and click View RTAV Webcam Settings.
  4. On the right, double-click Resolution РDefault image resolution height in pixels
  5. Enable the setting and set it to 480 pixels. Click OK.
  6. On the right, double-click Resolution РDefault image resolution width in pixels.
  7. Enable the setting and enter 640. Click OK.
  8. There are two more GPO settings for Max height and width. If these are not configured then there is no maximum.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon¬†Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon¬†Client when the Horizon¬†Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon¬†Client USB GPO settings. Merge means that if Horizon¬†Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Policies | Administrative Templates | VMware View Agent Configuration, and click View USB Configuration.
  4. On the right, double-click Exclude Device Family.
  5. Change the selection to Enabled.
  6. Enter o:audio-in;o:video.
  7. If you want to block USB storage devices, add o:storage to the list. Click OK.

Blast Settings

The full Horizon Client 4.0 and newer can use UDP when connecting to Horizon 7 Agents using Blast.

  • VMware Blog Post¬†Deep Dive into VMware Horizon Blast Extreme Adaptive Transport¬†–¬†Blast Extreme Adaptive Transport is enabled by default in VMware Horizon View 7.1 and Horizon Client 4.4. If the clients are connecting from outside the demilitarized zone (DMZ), you would also need to have VMware Unified Access Gateway (not Security Server) to take full advantage of the new transport. The adaptive transport will automatically sense the network for UDP availability and will fallback to legacy Blast TCP if UDP is not available.

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

If you want file transfer in HTML5 Blast, then you must configure clipboard from server-to-client (or both directions). (Source = VMware UEM release notes)

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Policies | Administrative Templates, and click VMware Blast.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and then make your choice. Click OK.
  5. Horizon 7.6 and newer have a setting for¬†Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting to Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for¬†Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. ūüí°


  8. Horizon 7.6 and newer have settings to add DSCP markings to the Blast protocol. See VMware Blast Policy Settings at VMware Docs.
  9. On the right, double-click UDP Protocol.
  10. You can optionally enable UDP protocol. Click OK.
  11. Horizon 7.4 introduced the H.264 High Color Accuracy setting.

  12. Horizon 7.0.2 and newer have a setting for H.264 Quality Levels.

  13. Also, 7.0.2 adds clipboard format filtering.
  14. If enabled UDP protocol, then on your master image, reboot the machine so it reads the GPO settings. Look in the file¬†C:\ProgramData\VMware\VMware Blast\Blast-Service.log to make sure UDP is enabled. If not, reboot the machine again. After it’s enabled, snapshot the master machine and push it to your Pools.

HTML5 Redirection

VMware Browser Redirection requires Horizon 7.10 GPO Templates or newer, Horizon Agent 7.10 or newer, and Horizon Client 5.2 or newer. VMware Browser Redirection only supports Chrome.

HTML5 Multimedia Redirection is the older feature in Horizon 7.3 and newer.

  1. Edit a GPO that applies to the Horizon Agents.
  2. Expand Computer Configuration, expand Administrative Templates, expand VMware View Agent Configuration, and click VMware HTML5 Features.
  3. On the right, enable the setting Enable VMware HTML5 Features. This setting is probably only available in Horizon 7.10 and newer.

  4. In Horizon 7.10 and newer:
    1. On the left, under VMware HTML5 Features, click VMware Browser Redirection.
    2. On the right, enable the setting Enable VMware Browser Redirection.
    3. On the right, configure the setting Enable URL list for VMware Browser Redirection.
    4. Enable the setting and click Show.
    5. Add a list of URLs that you want the client to render. Use wildcards in the path.
  5. The older feature is VMware HTML5 Multimedia Redirection, which you can optionally enable. See Configuring HTML5 Multimedia Redirection at VMware Docs.
  6. Install the Chrome GPO Templates if you haven’t already.
  7. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Google, expand Google Chrome, and click Extensions.
  8. On the right, double-click the setting Configure the list of force-installed apps and extensions.

    1. Enable the setting and click Show.
    2. For VMware Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Chrome.
  9. When you navigate to a URL on the configured URL List, if the redirection feature is working, then the Chrome extension will show REDR.

  10. And you’ll see HTML5VideoPlayer.exe on the client side.

URL Content Redirection

URL Content Redirection is a new feature in Horizon 7 that allows IE URLs to be redirected from Agent-to-Client or from Client-to-Agent. This feature requires:

  • URL Redirection component installed from command line on Horizon 7 Agent.
  • URL Redirection component installed from command line on Horizon Client 4.0.
  • If Horizon Client is installed on a Horizon Agent machine, you can install URL Redirection for one or the other, but not both.
  • Internet Explorer 9 or later only
  • GPO Settings

URL Redirection GPO settings apply to both Horizon Agents and Horizon Clients depending on the source of the redirection. For Agent-to-Client redirection, edit a GPO that applies to the Horizon Agents. For Client-to-Agent redirection, edit a GPO that applies to the Horizon Clients.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Expand Computer Configuration | Policies | Administrative Templates, and click VMware Horizon URL Redirection.
  3. On the right, double-click¬†IE policy: Automatically activate newly installed plugins, and enable it. If you don’t configure this, then users are required to activate the IE add-on manually.
  4. On the right, double-click¬†Url Redirection Enabled and enable the setting. The setting description says it’s enabled by default, but actually it’s not.
  5. On the right, double-click Url¬†Redirection Protocol ‘http’.
  6. For Agent-to-Client, configure clientRules and agentRules. clientRules are redirected from Agent-to-Client. However, agentRules override clientRules. This lets you redirect every URL to client but keep some URLs on the agent. Separate multiple rules with a semicolon.
  7. For Client-to-Agent, configure agentRules. Anything that matches will be redirected to the remoteItem (name of published icon) accessible through brokerHostname.
  8. In the User half of a GPO that applies to Horizon Agents with Loopback Processing enabled, Horizon 7.4 added a new policy setting to automatically install the URL Content Redirection extension in Chrome. This setting should be applied to both the Horizon Agents, and the Horizon Clients.

Collaboration Settings

Horizon 7.4 and newer have a Collaboration feature, which has some group policy settings.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates, expand VMware View Agent Configuration, and click Collaboration.

  4. On the right, you can configure settings like the Maximum number of invited collaborators. The limit is 10.

User Lockdown Settings

Edit the Horizon Agent Non-Admin Users GPO, and configure the settings detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, configure Redirected Profile Folders as detailed at https://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by Persona, RDS profiles, or VMware DEM.

VMware Flash Optimizer

  1. Horizon Agent installs something called the Flash Optimizer. When a user launches Internet Explorer, a prompt is displayed to Enable the add-on. To get rid of this message, do the following.
  2. We need the add-on CLSID. In Internet Explorer, click the gear icon and click Manage add-ons.

  3. Highlight the VMware Adobe Flash Optimizer and click More information on the bottom left.
  4. Click Copy.
  5. Paste the contents into Notepad. Then look for the Class ID line and copy it.
  6. Edit the Horizon Agent All Users GPO.
  7. Go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Security Features | Add-on Management.
  8. On the right, open Add-on List.
  9. Enable the setting, and click Show.
  10. In the Value name field, paste in the Class ID, including the curly braces.
  11. In the Value field, enter 1 to force the add-on to be enabled. Click OK twice.

Related Pages

36 thoughts on “Horizon Group Policy and Profiles”

  1. Has anyone had luck with VMware Browser Redirection? I have followed the steps outlined here and compared these with what VMware has listed, but it does not seem to work. Please let me know if you were able to make it work. We need to redirect http://www.youtube.com and any other video playing sites to keep our session bandwidth low.

  2. Hi Carl,
    We are trying to tick both “Allow H.264 Decoding” and “Allow High Color Accuracy” on the Horizon View Client via GPO.
    We have enabled 2 GPO’s but hasn’t made any difference.

    H.264 and H.264 High Color Accuracy

    Can you help?

  3. Carl, I’m having an issue where the computer configuration from a GPO isn’t getting applied to my Horizon Desktops. It works fine in the template, but when I push it to the desktops it seems that it is not picking up the folder redirection. For example, when I refresh/recompose a desktop and I login the files don’t get written to the file server. But if I reboot the VDI the redirection will start working. What can I do to fix this? Horizon 7.8 – Win10-1903

    1. GPO Loopback Processing is enabled in one of the GPOs? You can check the registry under HKLM\Software\Policies to make sure the Loopback setting applied.

      1. I talked to VMWare support. They don’t know why AD doesn’t work sometimes. However, he suggested that I install the horizon admx files on the master image and gpedit there on the master image. It seems to work, but I don’t think it’s the right answer. I feel I’ve cheated.

  4. Have an issue with Persona Management (Horizon 7.5.1) not working properly when non-Adminstrator users log in to non-persistent VMs. The permissions on the profile folder and share are set based on the information here and the validator tool shows they’re correct. What I observe if I watch the folder contents when I’m logged on with my non-Admin account is when I logoff the VM a GUID-type named folder is created and exists for about 15 seconds, then disappears, with nothing written to the folder. The same folder is created then disappears on the profile upload interval (default of 10 minutes).

    If I perform the same test with a domain admin account logged into the VM is a folder with a GUID type name is created, then it’s contents (NTUSER.dat etc) are written out to the profile folder and the GUID folder disappears.

    Any suggestions on what to check are appreciated. Thanks!

    1. What version of Windows? Persona seems to be broken in newer versions of Windows 10 and newer versions of Horizon.

      Are you able to run procmon to see the permissions problem?

      1. Windows 10 Enterprise 1803. Got it working today. Turned out to be a couple different problems. First is apparently 7.5.1 Horizon Agent can be intermittent with folder redirection and persona stuff, so downgraded to 7.4 Agent, which got folder redirection working consistently. Turning off Local Settings folders in Profiles got the profile working, so now I need to figure out what in particular in AppData\Local is causing the problem. Saw a post someplace that said the issue might be AppData\Local\Microsoft\WindowsApps.

  5. Dear Carl,

    I sincerely appreciate your efforts in writing down all of the above. The screenshots show a lot and also the descriptions are quite helpful. Yet I have to ask: why is this not part of the official documentation? Setting up UEM by following the handbook labeled “Installing and Configuring VMware User Environment Manager” does not cover *any* of the Group Policy Settings as you described in your chapter “Create Group Policy Objects” and I really ask myself why; because I have an installation that by now is pretty messed up and things stopped working because of different versions in different documentations (partially private blogs (mostly outdated) and the official manual as stated above). That’s too bad as I have lost track where things went wrong ūüėź

    1. Are you asking about the Microsoft settings? Vendors usually can’t document anything beyond their specific products or features. That’s why I have this site. ūüôā

  6. Hi Carl, we have exact the same configuration as above, but we use Kemp load balancers. We are currently in a test environment.

    When we connect from an external network and we shutdown the UAG that we are connected with, the session freezes. We have to disconnect and reconnect to make sure the session can continue. So it does not balance us automatically to the other UAG.

    I know that kemp is not your expertise, but can you maybe give us some suggestions?
    Waiting for your response.

    Best regards,
    Behroez Moosavi

  7. Am I reading this correctly – If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111. Does that mean if there is no side channel access the security server will try to redirect USB 32111 directly to the view agent? Doesn’t that break the idea of the secure tunnel? Is there a way to force this traffic to be tunneled?

  8. Please any one help me in this issue

    am try many time to solve bellow, in VMWVvpValidator.exe Tool but i cant continue to next step,

    when am run cmd and try following command:

    c:\windows\system32>”\sql01\bin\VMware\Horizon 6\Share_Validator\VMWVvpValidator.exe” share \\sql02\rdsprofiles ” everyone”

    Result: The network name cannot be found.

    note that my server and share folder of profile is : \\KB009Xv2\PersonaWin7x64

    1. Yes. ADMX files define the available settings, not the actual settings. Of course new features in the ADMX files won’t work on older versions. Newer ADMX files usually add registry keys, but don’t change the already existing registry keys.

      1. Is there a list existing of what ADMX policies should be applied to Client and which should be applied to the Agent?

        Having some trouble with setting the High Color Accuracy. Currently I have it set on both the agent and the client, And they show in both of the registrys, yet when you launch the app, High color accuracy is not selected. I have to check it to make it use that function.

        1. Yes! Did you ever figure this out? Doesn’t make a lot of sense to have every user configure this themeselves…

          1. I still have not yet figured it out. Still looking for something that denotes what should be applied where.

          2. I’ve tested quite extensively but have now opened an SR for this issue.
            Applying the VMware Blast Computer Policies to the Agent and Client Machines changes nothing in the Client.

            In the VMware Client Policies there is no policy to define the color accuracy (only HEVC).

  9. When using Persona, 7.5.1, and Win 10 1803, I am unable to get the Start menu to roam. I also tried agent 7.6 with no luck. My research indicates it is a Microsoft issue. But I also cannot find documentation if agent 7.6 supports 1803.

  10. Hi Carl if you use UEM, is it best to stick GPO Computer settings in AD and User settings done in VMWare UEM? Does the policies process faster when you create the ADMX’s in UEM?

  11. Appears you can tackle folder redirection either via GPO settings or within the UEM configuration. Is there an advantage to using one over the other?

    1. I personally prefer Windows GPO folder redirection over using any UEM tool. I almost never have problems with Microsoft GPO, but the UEM tools tend to have various issues with it.

      1. Hey Carl, quick question on the DSCP marking GPO/ADMX with Horizon 7.6 and above: what is the intention for the use on that? My interpretation is that from the Horizon Agent running on the virtual desktop, packets relating to the blast protocol (those packets using tcp/udp 22443) can be optionally tagged with a Differentiated Services Code Point. Do you know if this is correct? I would like to use this feature as it would be advantageous in my network to prioritize Blast Traffic inside my network over some links that may get congested at various times.

          1. Same here. I am having an issue where the policy doesn’t seem to be working. I opened up a VMware SR for this and I am at level 2 and they are telling me these settings are only for Linux and MAC, which doesn’t make much since because as far as I know, Linux and MAC do not really deal with Group Policies or Windows Registry settings… Very frustrating currently.

            Using the ADMX files from the Horizon 7.6 bundle, I have DSCP marking enabled and from the agent both tcp and udp, I am assigning DSCP 46 (Expedited Forwarding). I can see on my virtual desktops that the registry key is present from the article. When I do a wireshark dump, the DSCP value in the IP header is set to CS0 and not EF. For now I am controlling DSCP markings with a Windows QoS Policy (Computer Configuration > Policies > Windows Settings > Policy-based QoS) and using VMBlastW.exe and VMBlastS.exe to assign DSCP 46 and this seems to be working, but I would rather use the VMware Bundled GPO ADMX template set.

          2. The 7.6 documentation says not for Windows. That clause was removed in 7.8 documentation.

  12. There are two instances where you reference VMware Horizon Agent Configuration in regard to Group Policy. The correct name is VMware View Agent Configuration. The screenshots show the correct name. Thank you for all your hard work. You have made my job infinitely easier!

  13. After we apply the Group Policy setting that allows ClipBoard redirection, the Windows “Snipping Tool” will disconnect users if they are connected via web page.
    Can anyone else confirm, or try that and see if they see the same thing?

  14. Enforcement should not be required. Enforcement overrides Block Inheritance and GPOs set lower in the tree. I usually put Horizon Agents in a new OU and link GPOs directly to that OU. Thus there’s nothing to Enforce.

  15. Carl, following the tutorial steps I notice that the policies I create are not enforced by default. I take it I am to enforce them on the respective containers, but just pointing out that your tutorial steps do not show it (and even the screenshots show the “Enforced” check menu item to be de-selected). For the AD-ignorant among us (myself included) this would be helpful. Less head-scratching as to why our GPOs are not being applied. Thanks for the info regardless, great site!

Leave a Reply