VMware Horizon 2111: Master Virtual Desktop

Last Modified: Dec 25, 2021 @ 3:49 am


Use this post to build a virtual desktop that will be used as the parent image (aka source image, aka master image, aka gold image) for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

ūüí° = Recently Updated

Change Log

Virtual Hardware

Lieven D‚Äôhoore has a desktop VM build checklist at¬†VMware Horizon View ‚Äď Windows 10 Golden Image Creation

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. For New Hard disk, consider setting Thin provision.
  3. Make sure the virtual desktop is using a SCSI controller.
  4. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  5. When building the master virtual desktop, you will probably boot from an ISO.
  6. Before using Horizon Administrator to create a pool based off of this master image, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure ISO file is not configured.
  7. There’s no need for the Floppy drive so remove it.
  8. If you have any Serial ports, remove them.


VMware TechZone Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop


Power Options

  1. Run Power Options. Right-click the Start Menu to access Power Options.
  2. Click Additional power settings.
  3. Select Ultimate Performance, or click the arrow to show more plans, and select High performance.
  4. Next to the power plan, click Change plan settings.
  5. Change the selection for Turn off the display to Never, and click Save changes.
  6. You can also configure these setting using group policy.

System Settings

  1. Domain Join. Use sysdm.cpl to join the machine to the domain. Also see VMware 2150495 Computer-based Global Policy Objects (GPOs) that require reboot are not applied on instant clones.
  2. In System control panel applet (sysdm.cpl), on the Remote tab, enable Remote Desktop.
  3. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with Instant Clones.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Microsoft MSI-X App Attach, Liquidware FlexApp) or App Streaming (e.g. ThinApp, Microsoft App-V). Note: logins are fastest if apps are installed in the master image. All app layering/streaming technologies introduce a logon delay. You can use Microsoft FSLogix App Masking to hide applications and Start Menu shortcuts that users should not see.


VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment contains exclusions for Horizon View, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) Рhttp://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)


Symantec links:

Trend Micro

Trend Micro Links:


Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems:¬†we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It maybe desirable to disable the Sophos AutoUpdate shield icon

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation‚ÄĒIntended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session‚ÄĒIntended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP


CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order to the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Horizon Agent

Horizon Agent Installation/Upgrade

Install Horizon Agent on the master virtual desktop. Upgrades are performed in-place.

  1. Latency – In Horizon 2111 (8.4) and newer, maximum latency between Horizon Agent machine and Connection Server is 120ms. Older versions of Horizon have lower maximum latencies.
  2. See VMware 2149393 Supported Windows 10 Guest Operating Systems for Horizon Agent and Remote Experience, for Horizon 8 2006 and Later
  3. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
      C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set appinfo disabled true
  4. Download Horizon Agent 2111 (8.4).
  5. Run the downloaded VMware-Horizon-Agent-x86_64-2111-8.4.0.exe.
  6. If you want the URL Content Redirection feature, then you must run the Agent installer with the the following switches: /v URL_FILTERING_ENABLED=1
  7. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Network protocol configuration page, select IPv4, and click Next.
  10. In the Custom Setup page, there are several features not enabled by default. Feel free to enable them.
    1. If you want USB Redirection, then enable that feature.
    2. If you run Skype, then enable VMware Virtualization Pack for Skype for Business. See Configure Skype for Business at VMware Docs for details.
    3. You can install¬†Instant Clone Agent, or View Composer Agent, but not both. Since Horizon 2006 (8.0) and newer supports Instant Clones in all editions, there’s no need for Composer Agent.
    4. Horizon Agent 2006 (8.0) and newer does not include Persona.
    5. If you want Scanner Redirection, then enable that feature. Note: Scanner Redirection will impact host density.
    6. Horizon Performance Tracker adds a program to the Agent that can show the user performance of the remote session. You can publish the Tracker.

    7. Horizon 2006 (8.0) and newer no longer include ThinPrint (aka Virtual Printing). VMware Integrated Printing is the replacement for ThinPrint and requires Horizon Client 4.10 or newer.
    8. Horizon 2006 (8.0) and newer no longer includes vRealize Operations for Horizon.
  11. Click Next when done making selections.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes when asked to restart.
  15. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  16. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  17. There’s also an IE add-on.
  18. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 (8.0) and newer are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences¬†can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are¬†Enabled¬†and¬†ConfigFilePath¬†as detailed at¬†Perform Installation with Computer Environment Settings Support¬†at VMware Docs. For the list of additional registry values, see¬†FlexEngine Configuration for Computer Environment Settings¬†at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same¬†ConfigFilePath¬†and¬†Enabled¬†registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2111-10.4-GA\VMware Dynamic Environment Manager Enterprise 2111 10.4 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

  1. Windows 10 Compatibility – See VMware 57386 VMware Dynamic Environment Manager and Windows 10 Versions Support Matrix
  2. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  3. Based on your entitlement, download either DEM 2111 (10.4) Enterprise Edition or DEM 2111 (10.4) Standard Edition.

  4. Run the extracted VMware Dynamic Environment Manager Enterprise 2111 10.4 x64.msi.
  5. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  6. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In Choose Setup Type page, click Custom.
  9. In the¬†Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  10. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
  11. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  12. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  13. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value. (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1
  14. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware Unity\enabled to 0.

For more information, see Configure Favorite Applications Displayed by Unity Touch at VMware Docs.

ClonePrep ‚Äď Rearm

By default, when Horizon creates Instant Clones, one of the tasks that ClonePrep performs is to rearm licensing. You can prevent rearm by setting the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
    • SkipLicenseActivation¬† (DWORD) = 0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through. Full script is included in the article.

Microsoft FSLogix

Why FSLogix?

Microsoft FSLogix has two major features:

  • Profile Container is an alternative to VMware DEM Personalization.
  • App Masking is an alternative to VMware App Volumes.

DEM has three categories of features: Personalization, User Settings, and Computer Settings. FSLogix Profile Container only replaces the Personalization feature set. You typically do FSLogix Profile Container for profiles and use DEM for User Settings and Computer Settings. Here are some advantages of DEM Profile Container over DEM Personalization:

  • FSLogix Profile Container saves the entire profile but DEM Personalization requires you to specify each setting location that you want to save. FSLogix is “set and forget” while DEM Personalization requires tweaking for each application.
  • At logon, DEM Personalization must download and unzip each application’s profile settings, which takes time. FSLogix simply mounts the user’s profile disk, which is faster than¬†DEM Personalization.
  • FSLogix Profile Container has special support for roaming caches and search indexes produced by Microsoft Office products (e.g. Outlook .ost file).
  • FSLogix is owned, developed and supported by Microsoft.

Here are some FSLogix Challenges as compared to DEM Personalization:

  • FSLogix Profile disk consumes significant disk space. The default maximum size for a FSLogix profile disk is 30 GB per user.
  • High Availability for FSLogix Profile disks file share is challenging. The file server High Availability capability must be able to handle .vhdx files that are always open. DFS Replication is not an acceptable HA solution. One option is Microsoft Scale Out File Server (SOFS) cluster. Another option is Nutanix Files.

VMware App Volumes has some drawbacks, including the following:

  • Completely separate infrastructure that must be built, maintained, and troubleshooted.
  • Introduces delays during logon as AppStacks are mounted.
  • AppStacks can sometimes conflict with the base image or other AppStacks.

An alternative approach is to install all apps on the base image and use FSLogix App Masking to hide unauthorized apps from unauthorized users. No delays during logon.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

FSLogix Installation

Do the following to install Microsoft FSLogix on the Horizon Agent machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool.
  3. Run VMwareOSOptimizationTool-x86_64.exe.
  4. On the Optimize tab, choose a template.
  5. Then click Analyze on the bottom of the window.
  6. Near the top of the window click the Common Options button and make your selections on each of the pages. Click OK when done.

  7. The top right box named Analysis Summary shows the number of optimizations not yet applied.
  8. Review the optimizations and make changes as desired. Then on the bottom right, click Optimize.
  9. The History tab lets you rollback the optimizations.
  10. The Finalize tab contains tasks that should be run every time you seal your parent image.
  11. The Update tab lets you re-enable Windows Update so you can update the parent image.

Additional Optimizations

Additional Windows 10 Optimizations


  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks. For example:
  4. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.

  5. Shutdown the master virtual desktop.
  6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  7. Take a snapshot of the master virtual desktop. Instant Clones requires a snapshot.

Related Pages

28 thoughts on “VMware Horizon 2111: Master Virtual Desktop”

      1. We’re seeing a huge problem with RAM in-guest with 7.13.1 instant clones. The sessions are freezing on users (not Windows), forcing them to disconnect the entire client and re-login. No problems on 7.12 linked clones 2 weeks ago. We’ve gone from 4gb/VM to 8gb/VM and still having the issue. VMware support is no help. Ugh!

        1. Does Task Manager show the process that is consuming the RAM?

          When the users disconnect, do they reconnect to the same session? Or does it start a new session? If same session, then it could be a client-side problem.

          1. Anything from Edge to Blast are adding up. Funny thing is that no matter how much ram we give the master image, it always ends up consuming 90% on average. Then there’s a spike and the user gets frozen. Doubtful on client side. We’re using 3-4 different zero clients plus personal PCs and Macs. Moving to Horizon 2006 tonight to see if that alleviates the issue.

        2. Carl is the best and he is the first person to listen to, but for what it’s worth we had a very similar experience as what you’re describing. Check your video driver against the matrix here (https://kb.vmware.com/s/article/2078739), and if your video driver is newer than what is shown, follow the resolution steps and be careful when updating the image.

          1. I completely forgot about that KB and those issues. I followed the steps, and we are still having the problem this morning! Connect with me on twitter @philvirtual and maybe we can swap troubleshooting steps.

  1. We just upgraded from 7.11 to Horizon 8 version 2103. Is it normal for the actual VMs in a non-persistent/Instant clone pool to have snapshots on them in this version? I’m seeing these snapshots appear right after the VM is created. I’ve tried re-working the Master Image 3 or 4 times and it’s still happening. Just curious if you have any insight. Thanks!

      1. Sorry for the delayed response. Given the impacted user experience we’re currently dealing with, I checked with VMware support. Thought I’d update you. Your theory seems to be correct.

        Their response:
        I have checked for the base-snapshot query and it seems it’s expected behavior in 8.0 and later version because of smart provision feature which creates the VDI without CP-parent.

  2. Hi Carl!
    You’re guides are SO awesome and thorough! Thank you so much for being an essential resource for me over the years.
    Do you think you’ll be adding Windows 11 and TPM instructions to this?
    The KMS needed for vCenter to support such encryption has a LOT of gotchyas. We’ve successfully deployed at least a PyKMIP server to get over the hurdle of encryption ability without having to pay for it but could not, for example, easily convert a Windows 10 master image to an encrypted one. Still playing with options there tho. Once available and encrypted we can add the TPM device to get past Windows 11 install / upgrade requirements but not until then.

      1. Oh I didn’t realize 7 had a built in provider! Probably is the same underlying implementation and would be way safer to upgrade vSphere to 7 before attempting with the silly Ubuntu appliance we set up in 6.7 u3. Thanks so much!!
        For what it’s worth I was able to clone my Win10 golden image in 6.7 without encryption (as the new VM has no snapshots, a stop gap to performing the encryption) and then convert it to the encrypted policy so my PyKMIP server is indeed working.
        Bypassing TPM seems scary for a production VDI environment. I do need Windows updates to continue to work.
        With encrypted VMs there are a lot of things to consider; vMotion, time it takes to make snapshots, backup software compatibilities, etc. Think it warrants a write up of those in this article? I’d trust something written by you way more than anyone I google lol.

        1. I was able to build a gold image with the links above with a vtpm in them just fine. Installed horizon client and snapped it. But with I deploy the pool I get this.

          A specified parameter was not correct: spec.disk.backing.crypto Expected CryptoSpecDecrypt:

          Any ideas?

          1. Did you ever get a fix for this? I’m getting the exact same issue…

            spec.disk.backing.crypto Expected CryptoSpecDecrypt:

  3. Hi Carl, nice article i have few doubts is listed below,

    1. Why we have to choose SCSCI controller instead of SATA, that too any specific on that?
    2. i am using instant clone over here will it affect because of choosing SCSCI controller Master Image?
    3. It is mandatory to join the machine in Domain if i am using instant clone?
    4. After optimization we have to Windows update ?
    5. Software need to install before optimization or after?

    Kindly clarify we have are planning to new environment to deploy.


    1. Many customers switch to paravirtual intead of LSI Logic.

      I haven’t tried not joining the master to the domain so I don’t know if it works or not. I usually join it so I can make sure GPOs with computer-level settings are applied to my master image.

      No matter when you run optimization, in subsequent months you’ll need to boot your master and update it. That means you will doing installs and updates after optimization is applied. Unless you rebuild your master every month.

      1. NOT joining to the domain works perfectly fine. Actually seeing the clones appear in the domain in that case is a sign things are working. However, I have run into KMS licensing issues when Microsoft’s KMS exists purely in the domain (Active Directory-based activation). In that example (the non-domain joined master) a Windows Activation issue will appear if DNS isn’t pointing to the traditional KMS license server (typically a domain joined PC which may have network layer issues in attempts to access) and that’s carried over to the clones which, for a brief moment on user login, will show activation issues until the OS is successfully activated on the domain Active Directory-based activation.
        What we’ve done is kept the master images domain joined but put them in an OU that DOESN’T get any GPOs but so long as you put them in their own OU and don’t have anything in the root (top level) that you don’t want on your master’s that’s good enough too. When the clones get made they get put in an entirely different OU. Best of both worlds, a far as we’re concerned.

  4. Carl,
    I’m trying to redeploy a windows pool with an updated template. The VMs in the pool are created successfully, but the guest customization to join the domain doesn’t work anymore. The Machine name shows the correct name for the newly created vm, but the DNS name on all the new VMs show the template hostname. Any thoughts?

  5. I can’t able to start the analyse using VMware Optimisation tool.I’m getting below error:

    Error:Selected Template for VMware\windows10 and server 2016 or later.xml can not be loaded

  6. When you have a desktop Pool, with a Master VM where the VM’s get their setup from, can you run a new Snapshot over those machines?

  7. Hey Carl,

    Thank you so much for the guide, i have managed to install everything but I’m having an issue in the end when i log in with the domain user through the client/browser, I can’t see all the installed applications! its like its not seeing the changes in the master image.

    my local admin applications and settings are not shown in the domain users, any idea what I have done wrong?

  8. Hi Carl, I’m installing Horizon Agent 2012-8.1.0-17352461. After the feature selection section there is a dialog box for Remote Desktop Protocol Config in which it states the VMWare Horizon Agent requires the RDP support to be turned on. It also offers a button to decline. What is this protocol actually for, and if it’s required, why offer the option to disable?

  9. Good article, good looking.
    I have one question
    After using VMware OSOT during Windows 10 optimization, why is there an additional Microsoft VDI optimization guide?
    Are the values ‚Äč‚Äčfor optimization using VMware OSOT and MS VDI different?

    1. You can look at multiple optimization guides/tools and make your own determination as to what optimizations should be applied.

Leave a Reply