Horizon Configuration

This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about common configuration and deployment tasks for VMware Horizon. It is not intended to replace the product documentation but to reference and supplement it with additional guidance.

Horizon Installation and Configuration

This section provides an overview of the VMware Horizon® 8 deployment process, points to specific documents for detailed instructions, and lists certain settings that were used in this reference architecture.

Prerequisites

Before starting, certain other infrastructure components must be in place and configured. Refer to Environment Infrastructure Design, and see the following sections in that chapter:

  • Management VMware vSphere® cluster, as described in the vSphere section
  • VDI vSphere cluster, as described in the vSphere section
  • Active Directory, as described in the Active Directory section
  • DNS, as described in the DNS section
  • DHCP, as described in the DHCP section
  • Certificate Authority, as described in the Certificate Authority section
  • A load balancer, as described in the Load Balancing sections in Horizon Architecture.

You must also create a Windows 2019 RDSH VM template, using the guidelines in Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop.

Installation Steps

This section outlines the Horizon installation steps.

  1. Set up the required administrator users and groups in Active Directory.
  2. If you have not yet done so, install and set up VMware ESXi hosts and VMware vCenter Server®.
  3. Install and set up Connection Servers. Also install the event database.
  4. Create one or more VMs that can be used as a template for full-clone desktop pools or as a golden image for instant-clone desktop pools.
  5. Set up an RDSH server VM and install applications to be remoted to end users.
  6. Create desktop pools, application pools, or both.
  7. Entitle users to desktops and published applications.
  8. Install VMware Horizon® Client on end users’ machines and have end users access their remote desktops and applications.
  9. (Optional) Set up and configure enrollment servers to enable True SSO. See Setting Up True SSO.
  10. (Optional) Create and configure additional administrators to allow different levels of access to specific inventory objects and settings.
  11. (Optional) Configure policies to control the behavior of Horizon components, desktop and application pools, and end users. See Configuring Settings for Client Sessions.
  12. (Optional) For added security, integrate smart card authentication or a RADIUS two-factor authentication solution, especially where external access is allowed. This is covered in Unified Access Gateway Architecture.

Preparation

Build Windows 2019 VMs: at least two for Connection Servers and two for the enrollment servers (required for True SSO).

Follow the hardware specifications in Reference Architecture VM Specifications and assign the VMs static IP addresses.

Deployment

This guide is not intended to replace the Horizon documentation. Follow the relevant section of the Horizon Installation documentation to install the following components in the following order:

  1. Install the first standard Connection Server – See Install Horizon Connection Server with a New Configuration.
  2. Install a replica Connection Server – See Install a Replicated Instance of Horizon Connection Server.
  3. Install and configure the Horizon Cloud Connector – See Enabling VMware Horizon for Subscription Licenses and Horizon Control Plane Services.
    Note: This is required when using services from the Horizon Control Plane or subscription-based licensing.
  4. Install enrollment servers – See Setting Up True SSO in the Horizon documentation and Setting Up True SSO.

Post-Installation Configuration

Connect to the first Connection Server and perform the following tasks in the following order:

  1. Apply the perpetual license key – See Install the Perpetual Product License Key in Horizon Console.
    Note: This step is not necessary if subscription licensing is being used and you have deployed the Horizon Cloud Connector.
  2. Add vCenter Server and configure the View Storage Accelerator – See Configuring VMware Horizon for the First Time.
  3. Add instant clone domain administrators – See Add an Instant-Clone Domain Administrator.
  4. Configure event reporting – See Configuring Event Reporting.
  5. Assign administrators and roles – See Configuring Role-Based Delegated Administration.
  6. Register Unified Access Gateways – See Monitoring Unified Access Gateway in Horizon Console. These gateways provide visibility on the dashboard.

For each of the Connection Servers, configure the following.

Table 1: Connection Server Configuration Tasks

General settings

Because we are using Unified Access Gateway for external connectivity, ensure that the following fields are deselected:

  • HTTP(S) Secure Tunnel 
  • PCoIP Secure Gateway 

If HTML Access is not being used, select the option for Do not use Blast Secure Gateway under Blast Secure Gateway.

If HTML Access is to be used, we can tunnel through the Connection Server and have it provide the SSL certificate. This can remove the requirement for each virtual desktop to have a trusted SSL certificate.

In the Blast Secure Gateway section, select the option Use Blast Secure Gateway for only HTML Access connections to machine. Set the Blast External URL to the Connection Server FQDN, with port 8443. For example, https://s1hcs1.domain.com:8443

Authentication

Follow the steps in Configure a SAML Authenticator in Horizon Console to set up the Workspace ONE Access as a SAML authenticator.

Backup

Define a backup schedule and location for the Connection Server configuration according to Backing Up and Restoring VMware Horizon Configuration Data.

Origin checking

With multiple Connection Servers fronted by a load balancer, origin checking must be changed on each server. If origin checking is left enabled, the load-balanced name used to initiate a connection does not match the actual server name, and the Connection Server can reject the request. This typically shows up when using HTML Access or the Horizon Administrator console from Google Chrome or Safari browsers.

To disable origin checking, create a locked.properties file in the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory.

Enter the following entries as detailed in Cross-Origin Resource Sharing:

  checkOrigin=false
  balancedHost=horizon.example.com
  portalHost.1=unified-access-gateway-name-1.example.com
  portalHost.2=unified-access-gateway-name-2.example.com

Restart the Connection Server services.
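The following PowerShell is an added example, not part of the VMware reference architecture: it builds or updates the locked.properties file described above on one Connection Server, merging the required entries with anything already in the file and reporting what changed. The file path and entry names come from the text; the load-balanced name, the gateway names and the service display name used for the restart hint are constructed sample values.

```powershell
# Added example: maintain the locked.properties entries that relax origin checking
# on a Horizon Connection Server. Path and entry names are from the reference
# architecture text; sample host names at the bottom are constructed.

$LockedPropertiesPath = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'

function Read-LockedProperties {
    param([string]$Path)
    # Returns an ordered dictionary of key=value pairs, skipping blank and comment lines.
    $props = [ordered]@{}
    if (Test-Path -LiteralPath $Path) {
        foreach ($line in Get-Content -LiteralPath $Path) {
            $trimmed = $line.Trim()
            if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
            $idx = $trimmed.IndexOf('=')
            if ($idx -lt 1) { continue }
            $props[$trimmed.Substring(0, $idx).Trim()] = $trimmed.Substring($idx + 1).Trim()
        }
    }
    return $props
}

function Get-OriginCheckingEntries {
    param(
        [Parameter(Mandatory)][string]$BalancedHost,
        [Parameter(Mandatory)][string[]]$PortalHosts
    )
    # The entries from the text: origin checking off, the load-balanced name, and
    # one portalHost.N entry per Unified Access Gateway, numbered from 1.
    $entries = [ordered]@{
        'checkOrigin'  = 'false'
        'balancedHost' = $BalancedHost.ToLowerInvariant()
    }
    $n = 1
    foreach ($uag in $PortalHosts) {
        $entries["portalHost.$n"] = $uag.ToLowerInvariant()
        $n++
    }
    return $entries
}

function Set-HorizonOriginChecking {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BalancedHost,
        [Parameter(Mandatory)][string[]]$PortalHosts,
        [string]$Path = $LockedPropertiesPath
    )
    $current  = Read-LockedProperties -Path $Path
    $required = Get-OriginCheckingEntries -BalancedHost $BalancedHost -PortalHosts $PortalHosts

    # Drop stale portalHost.N entries so a retired gateway does not linger in the
    # list, then lay the required entries over whatever else the file contains.
    $merged = [ordered]@{}
    foreach ($k in $current.Keys) {
        if ($k -notmatch '^portalHost\.\d+$') { $merged[$k] = $current[$k] }
    }
    foreach ($k in $required.Keys) { $merged[$k] = $required[$k] }

    $changed  = @($merged.Keys  | Where-Object { -not $current.Contains($_) -or $current[$_] -ne $merged[$_] })
    $changed += @($current.Keys | Where-Object { -not $merged.Contains($_) })

    if ($changed.Count -eq 0) {
        Write-Verbose "$Path already matches the requested entries; nothing to do."
        return $false
    }
    if ($PSCmdlet.ShouldProcess($Path, "write changed entries: $($changed -join ', ')")) {
        New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
        $content = $merged.Keys | ForEach-Object { "$_=$($merged[$_])" }
        Set-Content -LiteralPath $Path -Value $content -Encoding ASCII
        Write-Host "Updated $Path. Restart the Connection Server services for the change to take effect."
    }
    return $true
}

# Constructed sample values: the load-balanced name and two gateways for this pod.
Set-HorizonOriginChecking -BalancedHost 'horizon.example.com' `
    -PortalHosts 'unified-access-gateway-name-1.example.com', 'unified-access-gateway-name-2.example.com' -Verbose
```

Because checkOrigin=false switches the check off entirely, keep the balancedHost and portalHost.N entries current when gateways are added or retired so the file still documents the expected front ends.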


Certificates

When you first install Horizon, it uses self-signed certificates. VMware does not recommend that you use these in production. At a high level, the steps for replacing the certificates on the Connection Servers and the Composer server are:

  1. Create a certificate signing request (CSR) configuration file. This file is used to generate the CSR to request a certificate.
  2. Once you receive the signed certificate, import it.
  3. Configure Horizon to use the signed certificate.

For the full process, see Configuring TLS Certificates for VMware Horizon Servers.

Cloud Pod Architecture

If multiple Horizon pods are being used, Cloud Pod Architecture (CPA) should be configured. This is especially useful when configuring multiple sites, where each site should have its own separate pod. More detail on Cloud Pod Architecture can be found in Horizon Architecture.

Create the Pod Federation

  1. Connect to the Horizon Administrator console on one of the Connection Servers in the first pod (Site 1).
  2. Choose the task to initialize the Cloud Pod Architecture feature.
  3. Rename the pod federation if desired.
  4. Rename the site.
  5. Rename the pod if desired.

Join Another Pod to the Federation

  1. Connect to the Horizon Administrator console on one of the Connection Servers in that pod (Site 2).
  2. Choose the option to join the pod federation.
  3. Enter the FQDN of a Connection Server from the first pod, along with credentials.
  4. If this pod is in another physical location, create a new site.
  5. Edit the newly added pod.
    1. Rename the pod if desired.
    2. Move the pod to the appropriate site.

See Setting Up Cloud Pod Architecture in Horizon Console for full instructions.

Desktop Pool Settings

The following table lists specific desktop pool settings that were used in this reference architecture.

Table 2: Configuration Settings for Instant-Clone Desktop Pools

Configuration Item | Settings for Instant-Clone Pools
--- | ---
Desktop Pool Definition | Type: Automated
 | User Assignment: Floating
 | vCenter Server: Instant clones
Desktop Pool Settings | Remote Machine Power Policy: N/A
 | Delete or refresh machine on logout: N/A
 | Default display protocol: VMware Blast
 | 3D renderer: N/A or NVIDIA GRID vGPU (depending on use case)
 | HTML access: Enabled
Provisioning Settings | Provision all machines up-front: Selected
Guest Customization | AD container: Dedicated OU for this type of desktop

RDS Farm Settings

The following table lists specific RDSH server farm settings that were used in this reference architecture.

Table 3: Configuration Settings for RDSH Server Farms

Configuration Item | Settings for RDSH Server Farms
--- | ---
Desktop Pool Definition | Type: Automated
Identification and Settings | Default display protocol: VMware Blast
 | HTML access: Enabled
 | Max sessions per RDS host: 30 or greater, depending on server hardware and VM specifications
Guest Customization | AD container: Dedicated OU for this type of desktop
 | Predefined specification

Setting Up True SSO

True SSO provides users with SSO to Horizon desktops and applications regardless of the authentication mechanism used. See the True SSO section in Horizon Architecture for more details.

Note: When deploying in Horizon Cloud on Microsoft Azure, see Setting Up True SSO for Horizon Cloud Service on Microsoft Azure for specific platform instructions.

The high-level steps that need to be completed to deploy True SSO for Horizon are:

  1. Configure Horizon and Workspace ONE Access Integration.
  2. Install and configure Microsoft Certificate Authority service.
  3. Set up a certificate template for use with True SSO.
  4. Install and configure the enrollment servers.
  5. Add Workspace ONE Access as a SAML Authenticator to the Connection Servers.
  6. Add the Horizon pods to Workspace ONE Access.

For more information on how to install and configure True SSO, see Setting Up True SSO.

Horizon and Workspace ONE Access Integration

As a prerequisite, integrate Horizon and Workspace ONE Access. This consists of three high-level steps:

  1. Deploy Workspace ONE Access Connectors and configure Active Directory synchronization.
  2. Create one or more virtual apps collections in Workspace ONE Access.
  3. Configure SAML authentication on the Horizon Connection Servers.

Full details are given in Platform Integration.

Set Up a Microsoft Enterprise Certificate Authority

  1. Add the Active Directory Certificate Services Server role using the Add Roles and Features Wizard. The only role service required is Certification Authority.
  2. Once installed, configure Active Directory Certificate Services using the following values.

Table 4: Settings for Active Directory Certificate Services

Configuration Item | Setting
--- | ---
Role Services | Certification Authority
Setup Type | Enterprise CA
CA Type | Root CA or Subordinate CA, depending on your preference for PKI deployments. Choose Root CA if you are not integrating into an existing PKI.
Private Key | Create a new private key
Cryptography | Key length: 2048 (recommended)
 | Hash algorithm: SHA256 (recommended)
CA Name | Change if desired.
Validity Period | Leave as default of 5 years.

  3. The final configuration is done by opening a command prompt as an Administrator and running the following commands:
    1. Enable non-persistent certificate processing and help reduce the CA database growth rate:
       certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
    2. Ignore offline CRL (certificate revocation list) errors on the CA:
       certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    3. Restart the Certificate Authority service so that these changes take effect:
       sc stop certsvc
       sc start certsvc

Repeat these steps (1 to 3) on each Certificate Authority server. Also see Set Up an Enterprise Certificate Authority.

Create and Issue a Certificate Template

As preparation, create an Active Directory security group for the enrollment server computer accounts. This group is used when creating the certificate template and assigning permissions to the enrollment servers, and it makes adding new enrollment servers easier.

  1. Create a new certificate template by first opening the Certification Authority administrative tool.
    1. Expand the tree in the left pane, right-click Certificate Templates and select Manage. Right-click the Smartcard Logon template and select Duplicate Template.
    2. Do not click OK until you have completed all the configurations listed in the following table.

Table 5: Configuration Settings for the Certificate Template

Configuration Item | Setting
--- | ---
Compatibility | Certification Authority: Windows Server 2008 R2
 | Certificate recipient: Windows 7 / Server 2008 R2
General | Template display name: True SSO
 | Template name: TrueSSO
 | Validity period: 1 hour
 | Renewal period: 0 hours
Request Handling | Purpose: Signature and smartcard logon
 | Select Allow private key to be exported.
 | Select For automatic renewal of smart card certificates.
Cryptography | Provider category: Key Storage Provider
 | Algorithm name: RSA
 | Minimum key size: 2048
 | Request hash: SHA256
 | These values can differ depending on your security standards.
Server | Select Do not store certificates and requests in the CA database.
 | Deselect Do not include revocation information in issued certificates.
Issuance Requirements | Select This number of authorized signatures. Value: 1
 | Policy type required in signature: Application Policy
 | Application Policy: Certificate Request Agent
 | Require the following for enrollment: Valid existing certificate
Subject Name | Leave as is.
Security | Add the group you created for the enrollment servers in preparation and give it Read and Enroll permissions.

  2. Before closing the Certificate Templates console, change the permissions on the Enrollment Agent (Computer) template: add the security group that you created for the enrollment server computer accounts and give it Read and Enroll permissions.
  3. Close the Certificate Templates console.
  4. Issue the True SSO certificate template.
    1. Right-click Certificate Templates and select New > Certificate Template to Issue.
    2. Select the new True SSO template you just created.
      This step is required for all certificate authorities that issue certificates based on this template. Repeat the issuance on all certificate authority servers.
  5. Issue the Enrollment Agent (Computer) certificate template.
    1. Right-click Certificate Templates and select New > Certificate Template to Issue.
    2. Select the Enrollment Agent (Computer) template.
      This step is required for all certificate authorities that issue certificates based on this template. Repeat the issuance on all certificate authority servers.

See Create Certificate Templates Used with True SSO.
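The PowerShell below is an added example, not part of the VMware reference architecture or the Horizon product: it reads the published True SSO template from the Active Directory configuration partition and checks the values that matter most from Table 5 (1-hour validity, no renewal period, 2048-bit minimum key, one Certificate Request Agent signature, revocation information included, nothing persisted in the CA database). Attribute names are the standard pKICertificateTemplate attributes; the two flag bit values and the Certificate Request Agent OID are taken from MS-CRTD and are labelled as assumptions in the code. Run it on a domain-joined machine with read access to the Configuration partition.

```powershell
# Added example: verify the TrueSSO certificate template against the settings in Table 5.
# Not VMware code. Bit values and the OID below are assumed from MS-CRTD.

function Get-CertTemplate {
    param([Parameter(Mandatory)][string]$TemplateName)
    # Certificate templates live under the Public Key Services container of the
    # Configuration partition; bind to the template by its (non-display) name.
    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    return [ADSI]"LDAP://$dn"
}

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod and pKIOverlapPeriod are 8-byte little-endian negative
    # intervals in 100 ns units; negate to obtain a positive TimeSpan.
    param([byte[]]$Bytes)
    return [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Test-TrueSsoTemplate {
    param([string]$TemplateName = 'TrueSSO')
    try {
        $tpl  = Get-CertTemplate -TemplateName $TemplateName
        $null = $tpl.Properties['name'].Value   # forces the LDAP bind
    } catch {
        throw "Template '$TemplateName' could not be read from AD: $_"
    }

    $validity    = ConvertFrom-PkiPeriod $tpl.Properties['pKIExpirationPeriod'].Value
    $renewal     = ConvertFrom-PkiPeriod $tpl.Properties['pKIOverlapPeriod'].Value
    $keySize     = [int]$tpl.Properties['msPKI-Minimal-Key-Size'].Value
    $raSigs      = [int]$tpl.Properties['msPKI-RA-Signature'].Value
    $raPolicy    = @($tpl.Properties['msPKI-RA-Application-Policies'].Value) -join ' '
    $enrollFlags = [int]$tpl.Properties['msPKI-Enrollment-Flag'].Value
    $flags       = [int]$tpl.Properties['flags'].Value

    # Assumed MS-CRTD constants (not from the reference architecture):
    $CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS = 0x4000   # bit in msPKI-Enrollment-Flag
    $CT_FLAG_DONOTPERSISTINDB              = 0x1000   # bit in flags
    $CertificateRequestAgentOid            = '1.3.6.1.4.1.311.20.2.1'

    # Each check maps to a row of Table 5. The RA policy attribute is matched by
    # substring because v3 templates embed it in a backtick-delimited string.
    $checks = [ordered]@{
        'Validity period is 1 hour'                           = ($validity -eq [TimeSpan]::FromHours(1))
        'Renewal period is 0 hours'                           = ($renewal -eq [TimeSpan]::Zero)
        'Minimum key size is at least 2048'                   = ($keySize -ge 2048)
        'Exactly one authorized signature is required'        = ($raSigs -eq 1)
        'Signature policy is Certificate Request Agent'       = ($raPolicy -like "*$CertificateRequestAgentOid*")
        'Revocation information is included in issued certs'  = (($enrollFlags -band $CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS) -eq 0)
        'Certs and requests are not stored in the CA database'= (($flags -band $CT_FLAG_DONOTPERSISTINDB) -ne 0)
    }
    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $status, $name)
    }
    # $true only when every row passed; suitable for use from a change-control check.
    return -not ($checks.Values -contains $false)
}

Test-TrueSsoTemplate -TemplateName 'TrueSSO'
```

Run it again after issuing the template on each CA; a FAIL on the last two rows usually means the Server tab was not changed before clicking OK.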

Enrollment Server Setup

The next steps are to install the Horizon enrollment service, enable it to request certificates, and pair it with the Connection Servers. See Install and Set Up an Enrollment Server.

Install the Enrollment Server Service

  1. Run the Horizon Connection Server installer.
  2. Select the Horizon Enrollment Server role.

Install the Enrollment Agent (Computer) Certificate

This authorizes this enrollment server to act as an Enrollment Agent and generate certificates on behalf of users.

  1. Open the Microsoft Management Console (MMC) and select Add/Remove Snap-in > Certificates > Computer account > Local computer.
  2. Expand Certificates > Personal folder.
  3. Right-click All tasks > Request New Certificate.
  4. Request and enroll the Enrollment Agent (Computer) certificate.

Configure Connection Server Pairing

Next, configure Connection Server pairing so that the enrollment service will trust the Connection Server when it prompts the enrollment servers to issue the short-lived certificates for Active Directory users.

  1. Export certificate from Connection Server:
    1. On one of the Connection Servers, open the Microsoft Management Console (MMC) and select Add/Remove Snap-in > Certificates > Computer account > Local computer.
    2. Expand Certificates > VMware Horizon View Certificates > Certificates folder.
    3. Right-click the certificate file with the friendly name vdm.ec, and select All Tasks > Export.
    4. In the Certificate Export wizard, accept the defaults, including leaving the No, do not export the private key radio button selected.
    5. Save the file with a meaningful name such as s1-pod1-enrollclient.cer.
    6. This step only needs to be done from one of the Connection Servers in the pod.
  2. Import the certificate to the enrollment server:
    1. On the enrollment server, open the Microsoft Management Console (MMC) and select Add/Remove Snap-in > Certificates > Computer account > Local computer.
    2. Expand Certificates > VMware Horizon View Enrollment Server Trusted Roots folder.
    3. Right-click All tasks > Import and browse to the file you saved from the Connection Server export.
    4. Ensure that the certificate will be placed in the VMware Horizon View Enrollment Server Trusted Roots store.
  3. Configure the enrollment service to give preference to the local certificate authority when they are co-located:
    1. Edit the registry using regedit.exe as an administrator.
    2. Browse to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service. You must create the Enrollment Service key if it does not already exist.
    3. Right-click and add a new String Value (REG_SZ):
      Name: PreferLocalCa
      Value data: 1

Repeat steps 2 and 3 on each Enrollment Server. Also see Enrollment Server Configuration Settings.

Connection Server Configuration

The last configuration is to add the enrollment servers to the Horizon Connection Servers, and to enable the authenticators. On one of the Connection Servers in the pod, open a command prompt, as an administrator, and browse to C:\Program Files\VMware\VMware View\Server\tools\bin. You will use the vdmutil.exe command tool in the following steps. Note that some steps will require synchronization to occur. Use the list commands indicated below to ensure that the previous step has completed before moving on to the next step.

  1. Add the enrollment servers to environment.
  2. List enrollment servers to confirm their details.
  3. Create the connectors.
  4. List the SAML authenticator details.
  5. Enable TrueSSO for the SAML Authenticator.

The parameters are case-sensitive.

In each of the commands you need to specify credential parameters:

  • --authAs <administrator> 
  • --authDomain <domain> 
  • --authPassword <Password>

The following tables provide the syntax and examples for performing each of these steps. For more information about these steps, also see Configure Horizon Connection Server for True SSO.

Table 6: Step 1: Add Enrollment Servers (ES) to Environment

Syntax

vdmutil --authAs <administrator> --authDomain <domain> --authPassword <Password> --truesso --environment --add --enrollmentServer <enrollment Server FQDN>

Example 1: Add first enrollment server

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --environment --add --enrollmentServer s1hes1.vmweuc.com

Example 2: Add second enrollment server

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --environment --add --enrollmentServer s1hes2.vmweuc.com

Table 7: Step 2: List Enrollment Servers (ES)

Syntax

vdmutil --authAs <administrator> --authDomain <domain> --authPassword <Password> --truesso --environment --list --enrollmentServers

vdmutil --authAs <administrator> --authDomain <domain> --authPassword <Password> --truesso --environment --list --enrollmentServer <enrollment Server FQDN> --domain <domain FQDN>

Example 1: List enrollment servers

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --environment --list --enrollmentServers

Example 2: List detail of first enrollment server

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --environment --list --enrollmentServer s1hes1.vmweuc.com --domain vmweuc.com

Example 3: List detail of second enrollment server

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --environment --list --enrollmentServer s1hes2.vmweuc.com --domain vmweuc.com

Table 8: Step 3: Create Connectors

Syntax

vdmutil --authAs <administrator> --authDomain <domain> --authPassword <Password> --truesso --create --connector --domain <domain FQDN> --template <TrueSSO template name> --primaryEnrollmentServer <enrollment Server FQDN> [--secondaryEnrollmentServer <enrollment Server FQDN>] --certificateServer <Domain-CA>[,<Domain-CA>] --mode enabled

Example: Create connector with primary and secondary servers and both certificate authorities

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --create --connector --domain vmweuc.com --template TrueSSO --primaryEnrollmentServer s1hes1.vmweuc.com --secondaryEnrollmentServer s1hes2.vmweuc.com --certificateServer vmweuc-S1HES1-CA,vmweuc-S1HES2-CA --mode enabled

Table 9: Step 4: List SAML Authenticator

Syntax

vdmutil --authAs <administrator> --authDomain <domain> --authPassword <Password> --truesso --list --authenticator

Example

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --list --authenticator

Table 10: Step 5: Enable TrueSSO for the SAML Authenticator

Syntax

vdmutil --authAs <administrator> --authDomain <domain> --authPassword <Password> --truesso --authenticator --edit --name <Workspace ONE Access FQDN> --truessoMode ENABLED

Example

vdmutil --authAs administrator --authDomain vmweuc --authPassword Password --truesso --authenticator --edit --name my.vmweuc.com --truessoMode ENABLED
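The PowerShell below is an added example, not part of the VMware reference architecture: it runs the five vdmutil steps above in order and, because the text notes that some steps need synchronization before the next one will succeed, re-runs the matching list command until the new object appears before continuing. It assumes vdmutil.exe is in the directory named above, that the list output contains the enrollment server FQDN or authenticator name as plain text (a substring match is used, since the exact output format is not on the page), and it reuses this document's sample host, domain and CA names.

```powershell
# Added example: drive the True SSO vdmutil sequence with a wait on each list
# command. Not VMware code. All vdmutil flags are those shown in Tables 6 to 10.

$VdmUtil = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.exe'

function Invoke-VdmUtil {
    # Runs vdmutil with the credential parameters every command needs, followed by
    # the step-specific arguments, and returns the captured output as one string.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$AuthDomain,
        [Parameter(Mandatory)][string[]]$Arguments
    )
    # --authAs takes the bare account name; the domain is passed separately.
    $plain   = $Credential.GetNetworkCredential().Password
    $argList = @('--authAs', $Credential.GetNetworkCredential().UserName,
                 '--authDomain', $AuthDomain, '--authPassword', $plain) + $Arguments
    $out = & $VdmUtil @argList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "vdmutil $($Arguments -join ' ') failed (exit $LASTEXITCODE): $($out | Out-String)"
    }
    return ($out | Out-String)
}

function Wait-VdmUtilSync {
    # Re-runs a list command until its output mentions $Expect, or times out.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$AuthDomain,
        [Parameter(Mandatory)][string[]]$ListArguments,
        [Parameter(Mandatory)][string]$Expect,
        [int]$TimeoutSeconds = 120
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $out = Invoke-VdmUtil -Credential $Credential -AuthDomain $AuthDomain -Arguments $ListArguments
        if ($out -match [regex]::Escape($Expect)) { return $out }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for '$Expect' to appear in: vdmutil $($ListArguments -join ' ')"
}

# Sample values from the tables above; the password is prompted for, not embedded.
$cred     = Get-Credential -UserName 'administrator' -Message 'Horizon administrator'
$domain   = 'vmweuc'
$domainFq = 'vmweuc.com'
$es       = 's1hes1.vmweuc.com', 's1hes2.vmweuc.com'
$cas      = 'vmweuc-S1HES1-CA,vmweuc-S1HES2-CA'
$authName = 'my.vmweuc.com'

# Steps 1 and 2: add each enrollment server, wait until it is listed, then show its detail.
foreach ($server in $es) {
    Invoke-VdmUtil -Credential $cred -AuthDomain $domain -Arguments @(
        '--truesso', '--environment', '--add', '--enrollmentServer', $server) | Out-Null
    Wait-VdmUtilSync -Credential $cred -AuthDomain $domain -Expect $server -ListArguments @(
        '--truesso', '--environment', '--list', '--enrollmentServers') | Out-Null
    Invoke-VdmUtil -Credential $cred -AuthDomain $domain -Arguments @(
        '--truesso', '--environment', '--list', '--enrollmentServer', $server, '--domain', $domainFq)
}

# Step 3: create the connector with primary and secondary enrollment servers and both CAs.
Invoke-VdmUtil -Credential $cred -AuthDomain $domain -Arguments @(
    '--truesso', '--create', '--connector', '--domain', $domainFq, '--template', 'TrueSSO',
    '--primaryEnrollmentServer', $es[0], '--secondaryEnrollmentServer', $es[1],
    '--certificateServer', $cas, '--mode', 'enabled')

# Steps 4 and 5: confirm the SAML authenticator is listed, then enable True SSO on it.
Wait-VdmUtilSync -Credential $cred -AuthDomain $domain -Expect $authName -ListArguments @(
    '--truesso', '--list', '--authenticator') | Out-Null
Invoke-VdmUtil -Credential $cred -AuthDomain $domain -Arguments @(
    '--truesso', '--authenticator', '--edit', '--name', $authName, '--truessoMode', 'ENABLED')
```

The password still reaches vdmutil on its command line, exactly as in the tables; run the script from an administrative session rather than pasting the examples with a literal password into a shared shell history.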

Finally, in any pod with two enrollment servers, change load balancing to round robin instead of the default active/passive. This only needs to be done on one Connection Server per pod.

  1. On one of the Connection Servers, from Windows Administrative Tools, open ADSI Edit.
  2. Right-click Connect to and define the Connection Settings.
  3. For the Connection Point setting, choose the option for Select or type a Distinguished Name and type vdi.
  4. For the Computer setting, type localhost:389.
  5. Expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.
  6. Edit the pae-NameValuePair attribute.
  7. Add a new value cs-view-certsso-enable-es-loadbalance=true and click OK.

See Connection Server Configuration Settings.

Setting Up True SSO for Horizon Cloud Service on Microsoft Azure

For detailed information on how to install and configure True SSO, see Configure True SSO for Use with Your Horizon Cloud Environment.

The high-level steps that need to be completed are:

  1. Install and configure a Certificate Authority. See Set Up a Microsoft Enterprise Certificate Authority.
  2. Set up a certificate template on the Certificate Authority. See Create and Issue a Certificate Template.
  3. Download the Horizon Cloud pairing bundle from the Administration Console's Active Directory page.
    1. The pairing bundle is used when setting up the Enrollment Server.
    2. See Download the Horizon Cloud Pairing Bundle.
  4. Set up the Enrollment Server. See Set up the Enrollment Server.
  5. Configure the Enrollment Server to prefer to use the local Certificate Authority service. See Enrollment Server Configuration Settings.
    1. Edit the registry on the Enrollment servers using regedit.exe as an administrator.
    2. Browse to the following location: HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service. You must create the Enrollment Service key if it does not already exist.
    3. Right-click and add a new String Value (REG_SZ):
      Name: PreferLocalCa
      Value data: 1
    4. This process needs to be repeated on each enrollment server.

Cloud Pod Architecture Global Entitlement Settings

For this reference architecture, the following global entitlements were used.

Table 11: Global Entitlement Settings for Roaming User Use Case

GE Setting | Value
--- | ---
Name | Roaming
Scope | All Sites (ANY)
Entitlements | VMWEUC\All_Sales_People
Use home site | Disabled

This configuration allows anyone connecting to the federation through the global namespace, https://horizon.vmweuc.com for this environment, to get a desktop no matter which pod they get connected to.

This fits with our requirements because our global load balancer is configured to point the user to an available pod closest to their current geographical location.

If a member of the group VMWEUC\All_Sales_People is closest to Site 1, a session is brokered with the pod in Site 1. The same logic applies if that same member is closest to Site 2.

Table 12: Global Entitlement Settings for Power User Use Case

Global Entitlement Setting | Value
--- | ---
Name | PowerUser
Scope | Within Site
Entitlements | VMWEUC\Site1-PowerUsers
 | VMWEUC\Site2-PowerUsers
Use home site | Enabled
Entitled user must have home site | Enabled

This global entitlement configuration splits a group of users, PowerUsers, into two groups. This allows for initial user placement by making sure all the members of PowerUsers are not working from the same data center.

This configuration also enables and forces the presence of a home site for the entitled groups in conjunction with defining the scope to be Within Site. This effectively means that the two groups are associated with a home site that dictates their preferred placement.

Home Site Configuration When Both Sites Are Operational 

The home site configuration for the two groups is as shown in the following table. 

Table 13: Initial Placement in Different Data Centers

Group | Domain | Site
--- | --- | ---
Site1-PowerUsers | VMWEUC | Site 1
Site2-PowerUsers | VMWEUC | Site 2

With this configuration, and under normal operating conditions, 

  • A member of Site1-PowerUsers is always given a desktop resource in Site 1.
  • A member in Site2-PowerUsers always gets a desktop resource in Site 2.

Home Site Override – Preparing for Failover 

The configuration shown in the preceding section is suitable when both sites are online and fully operational. But using just this global entitlement would cause issues because, in the event of either of the sites being unavailable, part of the user base would not be able to log in.

Additional configuration is required to reverse the logic so that users associated with a site that is currently offline can be temporarily allowed to connect and log in to another site.

For a given global entitlement, it is possible to configure a home site override option that does exactly this.

Table 14: Override Configurations to Use During an Outage

Group | Domain | Site
--- | --- | ---
Site1-PowerUsers | VMWEUC | Site 2
Site2-PowerUsers | VMWEUC | Site 1

Notice how this effectively overrides the home site configuration for those groups at the global entitlement level to reverse the logic, allowing members from group Site1-PowerUsers to connect to Site 2 and members from group Site2-PowerUsers to connect to Site 1.

Note: This change should only be made for the group impacted by a data center outage. At no point in time would both the override options be configured as depicted in the preceding table; the override should be configured only for the group impacted.

The home site override configuration should only be changed after a failed site’s resources have been fully failed over. The reverse-logic configuration is of no use if users access the site before their resources are available.

Horizon Group Policies

You can use standard Microsoft Group Policy Object (GPO) settings to configure VMware Horizon® virtual desktops and applications, and also use VMware-provided GPO administrative templates for fine-grained control of access to features.

OU GPO Best Practices

Use the following guidelines when applying GPO settings to organizational units (OUs):

  • Consider blocking inheritance on the OUs where Horizon desktops or RDSH servers will be provisioned.
  • Re-use GPOs.
  • Create separate OUs for users and computers.
  • Ensure that each GPO is enabled or disabled for Computer Settings and User Settings.
  • Group similar settings into one GPO.
  • Understand the difference between monolithic and functional GPOs:
    • Monolithic GPOs contain settings for many different areas and are quite large. All settings are in one place. Use monolithic GPOs for generic settings that apply to all users or computers. Monolithic GPOs are typically applied at the domain level or relatively high in the Active Directory hierarchy.
    • Functional GPOs contain a limited number of settings for a specific area. Functional GPOs are smaller GPOs that facilitate settings being defined for particular users or VMs. Functional GPOs are typically applied lower in the Active Directory hierarchy.
  • Link the GPOs to the OU structure (or site), and then use security groups to selectively apply these GPOs to particular users or computers.
  • Use loopback replace to ensure that only settings for the VM’s OU are applied to the session.

This chapter contains a list of group policy settings that would typically be applied (this is not an exhaustive list). Most other settings can be applied through VMware Dynamic Environment Manager (formerly called User Environment Manager) policies. As part of the Horizon and VMware Horizon® Cloud Services downloads, there is a VMware-Horizon-Extras-Bundle ZIP file that contains a set of group policy templates to assist in defining additional GPO settings.

Common GPO Settings for Desktop and RDSH Server VMs

The settings in this section apply to both VDI desktops and RDSH servers.

Table 15: Settings for Computer Configuration > Policies > Administrative Templates > System > Group Policy

Setting | Value
--- | ---
Configure user Group Policy loopback processing mode | Enabled; Mode: Replace
Configure Logon Script Delay | Disabled

Table 16: Settings for Computer Configuration > Policies > Administrative Templates > System > Logon

Setting | Value
--- | ---
Show first sign-in animation | Disabled
Always wait for the network at computer startup and logon | Enabled

Desktop Settings

The following settings apply only to VDI desktops.

Table 17: Settings for Computer Configuration > Policies > Administrative Templates > System > User Profiles

Setting | Value
--- | ---
Set roaming profile path for all users logging onto this computer | Enabled (specify the mandatory profile path; this can be local or on a remote network share)
Delete cached copies of roaming profiles | Enabled

RDSH Server OU-Level Settings

The following settings apply only to RDSH servers.

Table 18: Settings for Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing

Setting | Value
--- | ---
Use the specified Remote Desktop license servers | Enabled (list license servers)
Hide notifications about RD Licensing problems that affect the RD Session Host server | Enabled
Set the Remote Desktop licensing mode | Enabled (match mode of licenses)

Table 19: Settings for Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

Setting | Value
--- | ---
Use mandatory profiles on the RD Session Host server | Enabled
Set path for Remote Desktop Services Roaming User Profile | Enabled

User Configuration Settings

Various settings can be used to optimize the user experience while protecting the system. The following tables list a few basic, initial settings that would normally be applied. Because these are user settings, you must also use the loopback processing setting.

Table 20: Settings for User Configuration > Policies > Administrative Templates > Start Menu and Taskbar

Setting | Value
--- | ---
Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands | Enabled
Add Logoff to the Start Menu | Enabled

Table 21: Settings for User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

Setting | Value
--- | ---
Automatically activate newly installed add-ons | Enabled

Table 22: Settings for User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Setting | Value
--- | ---
Site to Zone Assignment List | Enabled
Zone assignments | <URL of Workspace ONE Access> 1 (for example, https://workspace.vmweuc.com 1)
 | <URL of ThinApp Share> 1 (for example, \\vmweuc.com\files\ 1)

What's Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Manager, and more.
