VMware Horizon 7.13.3 – Master RDS Host

Last Modified: Mar 22, 2023 @ 6:00 am

Navigation

Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

Change Log

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Windows Server 2019 is supported for Horizon Agents 7.7 and newer.
  • Windows Server 2016 is supported for Horizon View Agents 7.0.3 and newer.
  • For 2012 R2 or newer, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure ISO file is not configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016, click Advanced Options.
  4. If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  5. If Windows Server 2016, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  6. Windows Update will automatically start checking for updates.
  7. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

  • On May 17, 2016, Microsoft released a Convenience Rollup for Windows 2008 R2 and Windows 7. This Rollup includes almost all fixes released after SP1 through April 2016. See the article for the list of excluded hotfixes.

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012 and newer

If this session host is Windows Server 2008 R2, then skip to the next section.

Horizon Agent 7.10 and newer can install the RDSH Role automatically.

To install the RDSH role manually (required in Horizon Agent 7.9 and older):

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. On the Installation Type page, leave it set to Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page.
  4. Check the box next to Remote Desktop Services and click Next.
  5. If Windows Server 2012 R2, expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc. This feature is already installed in Windows Server 2016.
  6. To verify Remote Desktop Services licensing, in the Features page, expand Remote Server Administration Tools > Role Administration Tools > , expand Remote Desktop Services Tools, and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  7. In the Select role services page, check the box next to Remote Desktop Session Host, and click Next.
  8. Then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2, then the instructions are slightly different.

  1. In Server Manager, right-click Roles, and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services, and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host, and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication, and click Next.
  8. In the Specify Licensing Mode page, select Per User, and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine), and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Login to the server. Then click Close.

Remote Desktop Users

In Computer Management (compmgmt.msc), at Local Users and Groups > Groups, edit Remote Desktop Users and add a group like Domain Users. Users can’t login to RDSH unless they are members of this local group. Instead of configuring this group manually on each parent image, you can also use Group Policy to configure it.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 and newer is using group policy (local group policy or domain group policy). This also works for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.

Installs

Install/Upgrade VMware Horizon Agent

View Agent for RDS Hosted Apps Desktops is missing a few features. (source = 2150305 Feature Support Matrix for Horizon Agent)

  • Only Windows 2016 supports Generic USB Redirection. USB Flash Drives and hard drives are supported on 2012 R2.
  • Serial port redirection is available in Horizon Agent 7.6 and newer
  • No Persona. Instead use VMware Dynamic Environment Manager (Horizon Enterprise only), or Microsoft’s roaming profiles, or Microsoft FSLogix Profile Container.
  • Instant-Clones for RDSH was added in Horizon Agent 7.1.
  • Real-time Audio Video is supported on Windows 2016 RDS Hosts. VMware 2148202 Real-Time Audio-Video limitations for remote desktops and apps on Windows Server 2016.

To install View Agent on Remote Desktop Services, do the following:

  1. Windows Server 2019 is supported with Horizon 7.7 and newer.
  2. vSphere 7.0 is supported with Horizon 7.12 and newer.
  3. VMware vSphere 6.7 U1 and VMware vSAN 6.7 Update 1 are supported with Horizon 7.7 and newer.
  4. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
  5. Download Horizon 7.13.3 Agent.
  6. Run the downloaded VMware-Horizon-Agent-x86_64-7.13.3.exe.
  7. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  8. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  9. In the License Agreement page, select I accept the terms, and click Next.

    • In Horizon Agent 7.10 and newer, if RDSH is not installed, then the Horizon Agent installer can install it for you.


    • In older versions, if you see a message about Desktop OS Configuration, then you need to cancel the installer, and install the Remote Desktop Session Host role.
  10. In the Network protocol configuration page, select IPv4, and click Next.
  11. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
    1. USB Redirection is an option.
    2. In Horizon Agent 7.1 and newer, VMware Horizon Instant Clone Agent is an option. You can enable either Instant Clone Agent, or Composer Agent, but not both. Or you can leave both deselected so you can add the machine to a Manual RDS Farm. You can’t add this RDS Host to a Manual RDS Farm unless both options are deselected.
    3. Horizon 7.2 and newer have VMware Virtualization Pack for Skype for Business as an option. See Configure Skype for Business at VMware Docs for details.
    4. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    5. In Horizon 7.6 and newer, Serial Port Redirection is an option for RDS. This requires Horizon Client 4.9.
    6. Horizon 7.3 through Horizon 7.9 have HTML5 Multimedia Redirection. In Horizon 7.10 and newer, HTML5 Browser Redirection seems to be installed automatically (not an optional component). To enable and configure these features, see HTML5 Redirection in Horizon Group Policy.
    7. Horizon 7.6 and newer have an option for Geolocation Redirection. The feature requires a plugin for Internet Explorer 11 and Horizon Client 4.9. No other browsers are supported. See Configuring Geolocation Redirection at VMware Docs.
    8. Horizon 7.5 and newer have an option for Horizon Performance Tracker, which adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    9. Horizon 7.7 and newer have a Hybrid Logon option.
    10. Horizon 7.7 and newer have a VMware Integrated Printing or VMware Advanced Printing option, which replaces the older ThinPrint technology. VMware Advanced Printing requires Horizon Client 4.10 or newer.
    11. If you enable VMware Integrated Printing, then you must disable Virtual Printing, which is higher in the list.

  12. Click Next when done making selections.
  13. Click OK to acknowledge the USB redirection message.
  14. If you see the Register with Horizon 7 Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected both View Composer Agent and Instant Clone Agent features.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes to restart the server.
  18. Horizon Agent 7.13 and newer let you Modify the features that were selected during installation. In older versions, you must uninstall Horizon Agent and reinstall it.
    • If you click Modify from Apps & features (or Programs and Features), it will tell you to open an elevated command prompt and run the command shown in the window.
    • You can’t change from Manual to Instant Clone or back again using this method.
  19. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  20. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  21. There’s also a new IE add-on.
  22. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM).

If you are licensed for Dynamic Environment Manager (Horizon Enterprise Edition), install the Dynamic Environment Manager (DEM) Enterprise Agent.

  • DEM Enterprise has the same or more features that has always been included in Horizon Enterprise. DEM Standard is a reduced-feature version for Horizon 8 Standard Edition.
  • Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2212-10.8-GA\VMware Dynamic Environment Manager Enterprise 2106 10.3 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

UEM 9.6 and newer are supported on Windows Server 2019.

To install the DEM Enterprise Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Based on your entitlement, download either DEM 2212 (10.8) Enterprise Edition, or DEM 2212 (10.8) Standard Edition.

  3. Run the extracted VMware Dynamic Environment Manager Enterprise 2212 10.8 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the Management Console. The Management Console is typically installed on an administrator workstation, not on a master image.

  8. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
  9. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  10. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  11. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value: (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm.

In Horizon 7.8 and newer, you can edit Load Balancing rules directly in Horizon Administrator. You cannot yet configure these settings in Horizon Console. For existing RDS Farms, edit the RDS Farm to see the new settings. Or when creating a new RDS Farm a new page asks you for these settings.

In Horizon 7.7 and older, you can change the load balancing algorithm to be performance-based by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at VMware Docs.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services, and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe “PathToScript”. For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a RDS Farm in Horizon Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm, and click the RDS Host.
  10. Make sure the Server load is reported.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Symantec

Symantec links:

Trend Micro

Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): The following registries can be used to troubleshoot the issue. These registries will allow a delay on the startup procedure of OSCE until the system has launched successfully. This avoids deadlock situations during login.

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters] “DisableCtProcCheck”=dword:00000001

Trend Micro Links:

Sophos

CTX238012 Logon process to VDAs is extremely slow when Citrix UPM is enabled. Set the following registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application
    • DisableAsyncScans (DWORD) = 1

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It maybe desirable to disable the Sophos AutoUpdate shield icon

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order to the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Install Applications

Install applications that will be executed on these machines.

VMware Tech Paper Best Practices for Delivering Microsoft Office 365 In VMware Horizon 7 with Published Applications describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to VMware DEM Personalization.
  • App Masking is an alternative to VMware App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically do FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of DEM Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

VMware App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshooted.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  7. The History tab lets you rollback the optimizations.

Seal and Snapshot

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool –http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  9. Shutdown the master session host.
  10. Edit the Settings of the master virtual machine, and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  11. Take a snapshot of the master session host. View Composer and Instant Clone require a snapshot.

  12. Use can now use Horizon View Administrator to create RDS Farms.

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary based for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

Related Pages

73 thoughts on “VMware Horizon 7.13.3 – Master RDS Host”

  1. Hi Carl,

    I might have a very dumb question here but i would just like to know the possibility of ruling out RDSH as an option before trying this out in an other env like citrix. So, I have a MacOS based application that has to be delivered on an application pool. Is there a way to do with horizon?
    Appreciate any thoughts. Thank you!

    1. Apple has very strict hardware requirements for running macOS. The only way to do it is to install Horizon Agent on a Mac hardware machine. Unfortunately, there isn’t enough demand to justify VMware or Citrix from developing this.

  2. Is it possible or recommended to have RDS hosts reside in a different site than its connection servers? I’ve got a Horizon pod at one data center and now because of capacity limitations we are looking to add RDS hosts to publish a set of apps at a different data center separated by VPN link. Should we consider the Cloud Pod setup instead or you have any suggestions? Thanks!

    1. I think the agents use JMS to communicate with Connection Servers and I suspect that JMS has the same low latency requirements as the Connection Servers. Most companies do Cloud Pod Architecture.

  3. Hola Carl, espero te encuentres bien… Antes que nada quería felicitarle por esta excelente publicación.
    Actualmente presento problemas, tengo un servidor de licencias RDS esta entregando las licencias de manera aleatoria a unos usuarios si, a otros no le asigna.
    La licencia es asignada al usuario iniciar sesión, los perfiles de los usuarios esta configurado en un UEM cpn un roaming profiles. Tienes alguna recomendación, ya he revisado de todo pero no logro encontrar la falla-

    Quedo atento gracias

    1. I assume your RDS Licensing is configured for Per User mode. In RDS Licensing > Review Configuration, does it show it’s joined to the TS License Servers AD Group? How do you know if the license is assigned or not?

  4. Carl, I appreciate this so much, you made it easier for me to get up and running on Horizon. I think one of the weirdest thing is I needed static IP addresses on my servers. I found where someone slipped a batch file as a post synchronization script when doing farm maintenance to set static IP’s. Surprised this isn’t an option anywhere.

  5. Hi Carl, thank you for the awesome post! I am wondering if you recommend joining the golden image vm to the domain to get the proper gpo applied to it before finalizing and sealing it? I was reading this VMware kb and it almost seems as if we should do that to ensure we get any computer based gpo entries when the images are pushed. Thoughts?

    https://kb.vmware.com/s/article/2150495

      1. Ok I’m hitting an issue in my image and wondering if this is a cause….

        Do you also remove it from the domain before sealing and finalizing? Or leave it?

        1. Leave it.

          What issue? GPO settings are mostly just registry values. You can check the registry to ensure the value you want is there. If the registry values are in the image, then there are no timing issues when the machine boots and computer settings haven’t applied yet.

          1. https://www.reddit.com/r/sysadmin/comments/iqwqpx/mapped_drive_shows_disconnectedbut_works/?utm_medium=android_app&utm_source=share

            Long story short, we have a single mapped network drive that will most of the time show as disconnected with a red x on it, even though it works still. But applications are unable to reference it in that state. Clicking into it does not remove the disconnected state. And it is very resistant to most traditional methods of removal and adding.

            Wondering if this is a case of policies like wait for network and loopback processing and other gpo not applying because they aren’t added until I reboot the hosts post maintenance/deploy once they are on the domain.

  6. Carl,
    I want the rds app (Like Chrome) in one windows server 2016 , how can I use multi Web Pages, like one is yahoo, the other is google.

    Thank u.

  7. Hi Carl. We implemented mandatory profile with uem in our RDS Servers (Which were using local profiles earlier) but when some of the users try to use their application through those rds servers they are getting error ” The user profile service failed the sign-in. User profile cannot be loaded”. Not sure why this is happening for some users. Have you ever came across something like this ? Thanks and regards.

  8. Has anyone run into problems with audio drivers not installing on Server 2019? A post on Reddit recently confirms several others have the same issue. https://www.reddit.com/r/vmware/comments/ekxe43/horizonserver_2019_rdsrtavsound_semifailure/

    Installed Horizon Agent 7.10.1 on Server 2019 using the RDS role. The Agent install includes the Real-Time Audio-Video option (RTAV). System audio, like Windows sounds, play at the client. Video and audio play on the client in IE. Audio from within Chrome does not.

    The volume mixer shows the sound device as “Audio Render Device” and System Sounds and VLC appear there as well. Chrome does not.

    The 2019 “Sound” panel in the Settings application shows blank under “Choose your output device”.

    I believe VMtools installs the audio driver “VMware Virtual Audio (DevTap)” but this doesn’t get installed on Server 2019 or 2016 so you can’t select anything as an output device in the Sounds setting panel.

      1. Thanks for the reply. We were using Chrome as a test with YouTube. Our real issue is getting Avaya One-X Communicator working on 2019 RDS via Horizon. It fails due to a lack of audio output devices. This led us down the path of looking at what was available in the sound settings and we found the output device drop down grayed out. On Win 10 this shows VMware Virtual Audio (DevTap). I’ve tried the latest version of VMTools (11.0.5) without luck.

        I’ve opened a support case with Vmware. Hoping they have a solution.

  9. Hello Carl, great article! I am in the process of upgrading an existing Windows 7 VDI environment. I would like to use a broker server for high availability and to make server maintenance easier without disrupting users. I have (remote) users that access a Windows Servers outside of our VDI environment using RDC and users inside the VDI environment that will access the server using VMware Horizon. My question is, can I use a Microsoft Windows Server as my broker agent and point the View Connection server to this IP or FQDN? Ideally I would like to have 1 broker for both sets of users.

    Thanks!
    Robert

    1. Are you asking about RDSH (multi-session Remote Desktop Session Host)? You can certainly install Horizon Agent on your RDSH servers and use Horizon to add the RDSH machines to RDS Farms, Application Pools, and Desktops pools.

      Horizon Agent also supports single-session Windows Server if you enable it in Global Settings.

      1. Hello Carl, thanks for the quick reply. No I’m talking about having multiple session host servers with a broker server. I would like to set this up with a Windows broker server instead of using VMware Horizon as the broker. The Windows Server would also handle the users’ configuration with user profile disks This would allow me to have HA for my VDI & non-VDI users that access a server with RDS. Since I don’t have experience with this, not sure if I can point my View Connection Server to the Windows broker server to support high availability in that environment.

        Thanks!

        1. RDS is its own broker. There’s a Windows role called RD Connection Broker. In newer Windows, you use the Server Manager Role Wizard to install the RDS Deployment. RDS Broker and Horizon Broker do not talk to each other. I can’t think of any product that talks to both Horizon broker and RDS broker.

      2. Hello again Carl. Wanted to check if you saw my 12/10 reply. Do you know if this setup is possible? I have done multiple online searches and don’t see any reference to this type of setup. I may try to set this up in a test environment.

        Thanks!

  10. i pointed the primary connection server during installation of horizon agent and i also have connction server replica. What if the connection server primary goes does down? How will horizon agent communicate to the connection server replica?

      1. No. Im talking about during installation of horizont agent you will ask to input the server name or ip address of the connection server. So if i input the ip address of the primary connection server. What if primary goes down? How will my horizon agent agent will able to communicate to primary? Is my desktop or remote app able to access using connection server replica?

        1. Instead of entering the primary connection server, you enter a FQDN that resolves to a load balancing VIP that load balances the multiple Connection Servers. The load balancer can detect outages of your Connection Servers and stop sending traffic to the failed server.

          1. i currently testing horizon. i have connection server primary and replica. i turn off the connection server primary and i cant access my application of my connection server replica? i thought replica will handle all the session?

          2. Yes, as long as the Horizon Client is pointing to a Connection Server that is still up, it will work. Technically after installation, all Connection Servers are the same.

      2. I thought if my primary is down i will still be able to access published apps and desktop using connection server replica, regardless of what connrction server ip address i input during installation of horizon agent.

        1. Correct. But Horizon Client usually only points to a single DNS name. If that DNS name is only one server, then it won’t fail over automatically. That’s where load balancers come in.

  11. Hi Carl. When installing the Horizion agent, does not “Vmware Horizion View Composer” or “VMware Horizon Instant Clone” options. The ‘register with connection server’ screen does not appear. Whay?
    Windows Server 2016.

    1. If you select Composer or Instant Clone, then there’s no need to register with connection server because Horizon Administrator will push the Connection Server address to the linked clones automatically. If you’re not doing Composer or Instant Clone, then you need to enter the address of a Connection Server so Horizon Agent knows what to connect to.

        1. What version of Horizon Agent?

          Are you installing it on a VMware virtual machine in ESXi? Is VMware Tools installed?

          1. Thanks for the answers. It turned out that the server was deployed on Hiper-V. After the transfer of the server to vShare everything worked.

  12. Carl,

    Thank you, for this information.
    my question is : if i have 10 RDS servers , in Microsoft configuration i should have brokers server who control the communication between client and servers , when we use this with Horizon for publish apps , who will play the role of broker server,
    should i configure my servers as Microsoft configuration, broker and servers. ?
    Or horizon connection server will play the role brokers for the farm pool of servers . ?

    Thank

  13. Hi Carl,

    I test a Linux thin client with Windows Server RDS (Agent 7.8). In Blast session and Windows Server 2008 R2, the session only last for a very short period (1-2 seconds) and then withdraw from the session.

    In Blast session and Windows Server 2012 R2, the session work normally.
    In PCoIP session and Windows Server 2008 R2 (or 2012 R2), the session work normally.

    I’ve also tested Horizon Client for Windows. All session (PCoIP or Blast, same connection server, Windows Server 2008R2 or Windows Server 2012R2 desktp/app) work normally.

    I’ve performed full Windows updates on Windows Server 2008R2, but the problem remains the same. Also, this problem only happen in ESXi 6.7 + Agent 7.8 combinations:

    – ESXi 6.0 + Agent 7.8 -> Result: Pass
    – ESXi 6.7 + Agent 7.7 -> Result: Pass
    – ESXi 6.7 + Agent 7.8 -> Result: Fail

    Any idea where might go wrong?

    Thanks,
    Owen

    1. I am experiencing the exact same thing as you Owen. Did you or anyone else find a solution to this?

      Currently we are running ESXi 6.7 + Agent 7.10. When launching an app that’s hosted on a Server 2008 machine, the user session logs in for about 1-3 seconds, much like you saw and then the session disconnects.

      It doesn’t do it for all users which is weird. I was able to log in using a Windows 10 Horizon client and on HTML access but on mac horizon client, it fails. Other users varies.

      Any suggestions?

  14. Hi Carl. I congratulate you for your blog. It’s done really well and has helped me a lot for the realization of my infrastructure. I have a farm with 6 physical RDS servers and 2 brockers in cluster. Everything works perfectly. I recently followed your guide to create an automatic farm with view composers and it also seems to work fine. The rsd servers are cloned, joined to domain and viewed from the horizon as functioning. When I try to deploy a new app on this new farm, a strange thing happens. Not all applications appear from the list of installed applications. If I choose one from the list I can complete the wizard but then I get the “Fail to get information.” Error. Do you have any suggestions? Thanks in advance.

  15. Cannot thank you enough for the time and effort you’ve put into helping the virtualization janitors of the world. Recently, I stood up a new pool using RDSH and everything went exactly according to the information you presented above. EXCEPT that I couldn’t get usb scanners to redirect. The view horizon client indicates that the usb scanner link is passed through, but the scanner never appears to the RDSH session. Ran an SR w/ vmware, the engineer informed me that scanner redirect isn’t supported with RDSH. If that is the reality, I have to start from scratch. Is this the reality?

  16. Hey Carl,
    My biggest complaint about RDS instant clone farms is that you cannot see the status of an image maintenance operation. You get a very generic “Publishing” status on the summary page of the farm, but you cannot see the pending image on each RDS host, and you cannot tell for certain that the host has been replaced by the new image.

    Do you know any way to get a better status on RDS farms for instant clone operations? Often we find that the summary page for the farm will update saying that the operation has been completed, but it becomes obvious that it just timed out for some hosts where users were logged in for too long.

    It would be nice if it looked the same as the Desktop Pools for instant clones.

    1. In 7.12 (not sure about earlier) you get a progress bar on the farm’s Summary page for the publishing operation, and the RDS Hosts tab shows you current and pending image/snapshot for each host.

  17. Hi Carl,
    I have followed the steps & published the app & HSD.
    Able to launch application successfully. But Desktop not launching

    Error
    “Client is not allowed to user this desktop. Please contact your system administrator”

  18. Hi Carl,

    First off, thanks a bunch for your website!

    I have multiple RDS servers for my application pool. Is it possible for a user to always get the same RDS server or always get a specific application on a specific RDS server? I have one difficult user who wants to be able to access their frequently accessed files in MS Access from the drop down list.

    Thanks.

  19. Hi Carl, I have a weird issue. Can’t find answer anywhere. I have a 7.5 Horizon environment with 2 Microsoft RDSH 2012 R2 Servers. I have published many RDP connections because my workplace has need for remote users to get back into their physical desktops. Also, have published certain applications. What sometimes happens, users land on the RDSH server itself instead of the application launching for them. I opened a case with VMware and they told me their is a known bug with server 2012 R2 and they recommend going to 2016.

    I will have to plan and schedule that but have you run into instances where unity does not seem to work and users log into an RDSH server instead of their application launching? Thanks much in advance. Rgds,

  20. Hi Carl,

    Many thanks for the he great post. My questions, can i create multiple RDS hosts with similar applications and settings and add the same connection server for all of them and create one application pool.

    please reply in brief what i need to do to achieve this?

    BR

    Adil

  21. hello,

    i was wondering if anyone has tested MS project on an RDS host and could successfully open files from the local disk on a Mac. or if anyone can test it.
    I just run into this weird one.

    thanks
    ioannis

  22. Carl,
    have to say first thanks for this blog, you have saved me many times.
    I have had RDSH working for a long time, when i update the agent from 7.2. to 7.3 all of my RDSH machines come up with configuration error after the image push. If i snap back to 7.2 and rebuild everything works.
    Any ideas?

    Thanks

    1. hi. got the same problem. my solution was to check the vmware script host service. it was not running after the update.

  23. Hi Carl – had a question about recomposing these RDS hosts after adding a few more applications and updates. I see there is a warning because it will get a new SID is there any issues you forsee with this? I can only think if an app was tied to a SID but I don’t have anything like this as far as I know.

    1. Linked clones usually share the same local machine SID. Domain SIDs are different for each machine account. I don’t think pool creation or recompose changes the SID unless SysPrep is used. QuickPrep and Instant Clone shouldn’t affect SIDs.

  24. in Remote Desktop Licensing Configuration section, under point 3, you have added the license servers to use. Can you please explain those license servers? Did u configure them previously or are they just some names that you have used?

  25. Hi Carl – thanks for the great guide. Quick question. When installing the Horizion agent, I find that if I choose either of the “Vmware Horizion View Composer” or “VMware Horizon Instant Clone” options, the ‘register with connection server’ screen does not appear. If I go back and remove either of those choices and click next, the registration window appears again.

    I’ve been having trouble getting Horizon to deploy Automated RDSH hosts. It seems to create the parent but them bombs with the following error. I’ve tried deploying using both the Instant Clone and Composer options in the Agent (though obviously not simultaneously) with no luck.

      1. Same issue here, seen in 7.0.x as well as with 7.3.1 now – “When installing the Horizion agent, I find that if I choose either of the “Vmware Horizion View Composer” or “VMware Horizon Instant Clone” options, the ‘register with connection server’ screen does not appear. If I go back and remove either of those choices and click next, the registration window appears again.”
        Scratching my head currently if this a classic Layer 8 or something else?

        1. That’s expected. With Composer or Instant Clone, Connection Server will push the VCS address to the Agent. Without Composer or Instant Clone, you must manually enter the VCS address.

          1. Thanks Carl! Didnt find this information in the docs. Confusing stuff. If you do choose one of those 2 options, you cannot use this RDSH host for a manual farm though, as it wont show up as a registered RDSH host. Spooky stuff 🙂

  26. i have a problem when i tried to deploy RDS Farm, my RDS server is 2012R2 standard. After i installed RDS, it worked fine and can access RDS server from external as well. However, when i installed the Hoziron Agent to connect to Horizon Connection Server, my RDS server is not able to remote desktop from external, all application which i published also can’t launch from external ( either internet or local but network from other subnet). From local and same subnet, everything still works fine, no firewall block ( i tried to filter from my checkpoint but can’t find any useful log).

    1. You’re trying to do a direct RDP connection instead of using Horizon Client to use PCoIP, Blast, or RDP?

      1. Thanks, i solved the issue in local. Due to the horizon client will disable your tls1.0 and win 7 and win 2008r2 only support 1.0 if you haven’t installed the kb. However, from internet, I already nat port 443, 80 and 4172(udp and tcp) but when i used client to connect from internet, only port 443 and 80 was seen on firewall, can’t see 4172

  27. Carl,
    Great blog btw. It has been a lifesaver on many excursions. I am having an issue with the IE Enhanced Security Configuration setting not taking effect for users (non-administrators). I’m using Windows Server 2012 R2 Standard. I turned IE ESC “off” as you describe using Server Manager for both admins and users. When I log in as a regular user, the IE ESC is still enabled. Am I missing something?

Leave a Reply

Your email address will not be published. Required fields are marked *