VMware Horizon 2111: Master RDS Host

Last Modified: Dec 3, 2021 @ 7:01 am

Navigation

Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

Change Log

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Set the vCPUs to 8. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure ISO file is not configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Adapter. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Configuration Params.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. If Windows Server 2016 or 2019, click Advanced Options.

    • In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016 or 2019, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

    • If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Local Administrators Group

Add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.

Installs

Install/Upgrade VMware Horizon Agent

To install Horizon Agent on Remote Desktop Session Host (RDSH), do the following:

  1. Latency – In Horizon 2106 (8.3) and newer, maximum latency between Horizon Agent machine and Connection Server is 120ms. Older versions of Horizon have lower maximum latencies.
  2. Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 are supported.
    • Windows Server 2022 is supported in Horizon 2011 (8.4) and newer.
  3. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
  4. Download Horizon Agent 2111. Horizon 2111 is an Extended Service Branch, which is supported for three years.
  5. Run the downloaded VMware-Horizon-Agent-x86_64-2111-8.4.0.exe.
  6. If you want the URL Content Redirection feature, then you must run the Agent installer with the the following switches: /v URL_FILTERING_ENABLED=1
  7. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In Desktop OS Configuration page, select RDS Mode and click Next.

    1. Click OK to install the role.
    2. Restart the machine.
    3. After restart, login, and re-run the Agent installer.
  10. In the Network protocol configuration page, select IPv4, and click Next.
  11. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
    1. USB Redirection is an option.
    2. For Instant Clone RDS Farms, select VMware Horizon Instant Clone Agent. For Manual RDS Farms (no Instant Clone), don’t select the Instant Clone Agent.
    3. VMware Virtualization Pack for Skype for Business is an option. See Configure Skype for Business at VMware Docs for details.
    4. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    5. Serial Port Redirection is an option.
    6. There’s an option for Horizon Performance Tracker, which adds a program to the Agent machine that can show the user performance of the remote session. You can publish the Tracker.

    7. For unauthenticated users, there’s a Hybrid Logon option.
  12. Click Next when done making selections.
  13. Click OK to acknowledge the USB redirection message.
  14. If you see the Register with Horizon Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected both View Composer Agent and Instant Clone Agent features. Registration is necessary for Manual RDS Farms (no Instant Clones).
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes to restart the server.
  18. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  19. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  20. There’s also an IE add-on.
  21. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 (8.0) and newer are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, they you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable computer settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2111-10.4-GA\VMware Dynamic Environment Manager Enterprise 2111 10.4 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  2. Based on your entitlement, download either DEM 2111 (10.4) Enterprise Edition or DEM 2111 (10.4) Standard Edition.

  3. Run the extracted VMware Dynamic Environment Manager Enterprise 2111 10.4 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In Choose Setup Type page, click Custom.
  8. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  9. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed.
  10. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  12. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value. (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1
  13. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Remote Desktop Users

In Computer Management (compmgmt.msc), at Local Users and Groups > Groups, edit Remote Desktop Users and add a group like Domain Users. Users can’t login to RDSH unless they are members of this local group. Instead of configuring this group manually on each parent image, you can also use Group Policy to configure it.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 and newer is using group policy (local group policy or domain group policy).

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Remote Desktop Services, and click RD Licensing Diagnoser. If you don’t see this option, then install it as a Windows Feature under RSAT.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

Antivirus

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment contains exclusions for Horizon View, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Symantec

Symantec links:

Trend Micro

Trend Micro Links:

Sophos

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It maybe desirable to disable the Sophos AutoUpdate shield icon

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order to the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Install Applications

Install applications that will be executed on these machines.

VMware Tech Zone Best Practices for Delivering Microsoft Office 365 In VMware Horizon 7 with Published Applications describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to VMware DEM Personalization.
  • App Masking is an alternative to VMware App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically do FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of DEM Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

VMware App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshooted.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. Near the top of the window click the Common Options button and make your selections on each of the pages. Click OK when done.

  7. Review the optimizations and make changes as desired. Then on the bottom right, click Optimize.
  8. The History tab lets you rollback the optimizations.
  9. The Finalize tab contains tasks that should be run every time you seal your parent image.
  10. The Update tab lets you re-enable Windows Update so you can update the parent image.

Seal and Snapshot

  1. Make sure the parent session host is configured for DHCP.
  2. Session hosts commonly have DHCP reservations.

  3. The VMware OS Optimization Tool has a Finalize tab that contains tasks that should be run every time you seal your parent image.
  4. Go to the properties of the C: drive, and on the Tools tab, click Optimize to defrag the drive.
  5. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  6. Run antivirus sealing tasks. For example:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool –http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  7. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  8. Shutdown the parent session host.
  9. Edit the Settings of the parent virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  10. If Instant Clones, take a snapshot of the master session host.

  11. Use can now use Horizon Console to create RDS Farms.

Full Clone Post-Cloning Tasks

If you use vCenter to clone the machine instead of using Horizon Instant Clones, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – for manual farms, uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary based for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. Horizon Console – In Horizon Console, add the new machine to a Remote Desktop Services farm.

Related Pages

6 thoughts on “VMware Horizon 2111: Master RDS Host”

  1. Hi Carl, very good article – thanks a lot! If not building a master image, when would be the best moment for AD-Domain Membership: Before or after installing Horizon Agent?

  2. Hi Carl,

    I was wondering if you had a best practice guide on how to manage snapshots of application changes on a particular RDS Master Host VM. We currently installing multiple apps to our Master but need more guidance on proper use of snapshots for each application installed?

    1. Some customers clone their RDS Master before they make any changes to it, especially if the app they’re installing requires an extended testing period.

      Otherwise, just remember to clean up snapshots periodically.

  3. Carl, very nice article. I just followed it blindly to create an instant clone RDS Farm. One issue I ended up with: I couldn’t logon to the RDS farm because the Horizon users were not added to the Remote Desktop Users group, so it might be worth adding it in your article?

Leave a Reply to Carl Stalhood Cancel reply