Managing User Experience with VMware Horizon 7 Enterprise Edition

VMware Horizon 7 version 7.9 and later

Overview

VMware Horizon® Enterprise Edition includes a comprehensive set of technologies to provide best-in-class virtual desktops and virtual applications. Since you are reading this guide, you have likely decided to architect and implement a VMware Horizon 7 virtual desktop or application solution.

Will you use full-clone, linked-clone, or instant-clone provisioning? Will you install applications in base images, deliver them virtually, or both? How will you ensure that end users get an experience they want while IT gains operational efficiencies? These and a number of additional questions will need to be answered based on your organization’s requirements.

If you have not already read the VMware Workspace ONE and VMware Horizon Enterprise Reference Architecture, you are encouraged to do so. In addition to all the technical detail about VMware End User Computing (EUC) technologies, the reference architecture provides a design methodology to ensure successful deployments. The following is an excerpt:

A technology solution should directly address the critical business requirements that justify the time and expense of putting a new set of capabilities in place. Each and every design choice should center on a specific business requirement. Business requirements could be driven by the end user or by the team deploying EUC services.

The last line is really important because it indicates the need to clearly define the needs of end users and of IT. A solution that is easy to manage but difficult to use will not be adopted by end users, whereas a solution that is easy to use but complex and difficult to manage will not be accepted by IT. Horizon 7 provides numerous benefits to both end users and IT, but you need to consider some tradeoffs.

Purpose of This Guide

The purpose of this document is to help you determine the best combination of Horizon 7 Enterprise Edition technologies for your organization’s needs. The goal is to augment the design concepts in the reference architecture and, specifically, the Horizon 7 Use Cases and Horizon 7 Use Case Services sections. The reference architecture demonstrates how a variety of use cases can be addressed by combining various components of Horizon 7.

Many customers have successfully implemented Horizon 7 by following the design principles outlined in the reference architecture. These principles generally allow you to realize the benefits of a modern approach to desktop and application lifecycle management by integrating several Horizon technologies. But, for one reason or another, you might decide not to implement all of the suggested technologies throughout your entire organization. So, how do you adapt the Horizon 7 design to meet your needs? Which Horizon components should you use to provide the best experience to end users and gain the most operational efficiencies for IT?

This document aims to help address these questions by stepping you through some common design decisions to help determine the right combinations of Horizon technologies for your use cases.

Note: This document contains many useful hyperlinks. Some links take you to other documents on the web, and some links are internal cross-references, which take you to other sections and chapters within this document. If you click an internal cross-reference link, after you read the linked section, you can simply click the Back button of your browser to go back to your original location in this document and continue from there.

Audience

This document is intended for IT architects planning to design and deploy a virtual desktop and application solution. Familiarity with VMware Horizon, VMware vSphere®, Windows operating systems, directory services, and supporting technologies is recommended.

Defining End-User Segments to Determine Relevant Services

The culture of an organization has a great influence over how computing devices are used and managed. The term managed refers to the lifecycle management practices of the computing device, such as application access and installation, user data storage, app and OS updates, and backup and recovery. For example, a software startup might provide complete autonomy for their employees in selecting and managing their OS, apps, and data, whereas a hospital might enforce strict PC management policies to ensure compliance with regulations.

Even within a given organization, different groups of end users will require more or less autonomy when it comes to device management. For example, a tenured professor may be granted more privileges to their computing devices than a visiting professor teaching a summer class. It is common to find a spectrum, ranging from fully user-managed to fully IT-managed within organizations.

By breaking down these different user requirements, balancing the needs of end users and IT, you can define user segments. User segments can help you define use cases, and ultimately build services. The following is a simplified depiction of the management spectrum, which will be referenced in later sections of this document.

Figure 1: Spectrum of Device-Management Practices

Why We Segment Users

Determining which segments you have in your organization is critical to building a successful Horizon solution. As IT practitioners, we often want to jump into the technology, to build a solution before properly architecting it.

Time and time again, virtualization projects start with a small-scale proof-of-concept (POC) deployment that does not account for various user segments that exist in the business. As consumers of this new service begin testing and realizing the benefits of the solution, it becomes difficult to take a step back and complete a user segmentation exercise. As the project pushes forward, users attempt to use the solution only to find it does not quite meet their needs. Many small issues arise that can escalate to the point of failed adoption.

This is why completing a user segmentation exercise before deploying virtual desktops and applications is so important. It affords you the ability to architect sub-services that meet the demands of various user segments. IT maintains control over which segments begin user acceptance testing (UAT) and when, ensuring that the appropriate sub-service has been built to meet the needs of that segment.

User segmentation should occur early in the project design. It might need to be revisited as new lines of business or groups of users are onboarded to the service or services you build. See Reference Architecture Design Methodology for more information on the recommended, cyclical design approach.

Completing a user segmentation exercise may seem like a daunting task. Looking at an organization with thousands of end users, dozens of departments, and multiple divisions, it might seem as though the number of required user segments is infinite. The chapters that follow provide some information and key decisions you should consider, which will help you divide users into a manageable number of segments.

Applications or Desktops for a Particular Segment?

The Horizon 7 Published Application service is defined for the Static Task Worker use case in Horizon 7 Use Case Services. This is a good example of a use case where a published application meets the needs of the end user. Horizon makes it easy to provision and manage RDSH servers and publish Windows applications.

Some applications, however, are not good candidates for RDSH. For example, the application might not be certified for Remote Desktop Services. Some use cases require end-user activities such as installing applications, which do not work well in a multi-user, shared environment. In these cases, a VDI desktop is the better option.

Although some customers choose to build only VDI or only published application services with Horizon, many customers choose to do both. Horizon allows you to easily create and manage published applications and desktops, as well as VDI, from a single management console.

Table 1: Determining Whether to Build an Application or Desktop Service, or Both

Question: How many Windows applications are common to the segment?
Relevance: For a small number of apps, you might choose to use RDSH-published apps.

Question: For each app, is the app written to function in a multi-user, shared environment?
Relevance: If the answer is No, you might choose to use VDI rather than RDSH for these apps.

Types of Desktop Services

Once you have decided to build a Desktop service, you should consider which type of desktops are applicable for a group of users. The following sections define three types. Each type has benefits, and some customers choose to use different types for different user segments.

Persistent Desktops

A persistent desktop is not necessarily required to provide a persistent user experience. For the purposes of this document, the following definitions are used:

  • Persistent desktop – A virtual machine with a lifecycle similar to that of a physical PC. It is deployed, used for an extended period of time by a given user or users, and is typically managed with traditional PCLM (PC lifecycle management) tools.
    A persistent desktop is analogous to moving a PC to the data center and providing remote access to it.
  • Persistent user experience – From the end user’s perspective, it feels like the desktop session they use day to day is coming from the same VM. Settings, apps, and data persist from session to session, even though users are accessing a different, or nonpersistent VM each time they connect.

Determining whether a given use case requires a persistent desktop as opposed to a persistent user experience is key. When done properly, the end-user experience is essentially the same either way. However, there are many implications for IT.

If you choose to create persistent desktops, Horizon full-clone VMs should be used as the provisioning method. A full clone is an independent copy of a VM. A full clone shares nothing with its master VM, and it operates entirely separately from the master VM used to create it. For more information, see Full Clones.

Some customers attempt to use linked-clone or instant-clone VMs for persistent desktops. Linked clones and instant clones use significantly less storage space than full clones because they access software on shared virtual disks. Some customers attempt to create persistent desktops by configuring linked clones to never be recomposed, or by configuring instant clones to never be refreshed.

These customers might assume these configurations can substitute for full-clone VMs, but these configurations are not recommended. They might result in loss of performance, excessive virtual disk growth, inability to upgrade the Horizon Agent, or other problems with user experience and desktop management. Linked clones and instant clones are discussed in more detail later in this document, in the sections Linked Clones and Instant Clones.

Why Choose Persistent Desktops?

It is common for existing vSphere customers to begin a VDI project using persistent desktops. This approach allows IT to use existing excess capacity and familiar technology and workflows to provision desktop VMs.

For relatively small implementations, persistent desktops might suffice. Traditional PCLM tools can be used to manage these VMs in nearly the same way you manage your fleet of physical PCs, and little management overhead is introduced.

User segments that require a high degree of user autonomy and unpredictable workloads might also benefit from using persistent desktops. For example, a group of developers who are constantly installing, updating, and testing new versions of complex software packages might benefit from using a dedicated, persistent desktop.

Benefits

  • In the short term, this approach reduces the impact on IT by limiting the amount of new technology to be implemented.
  • Persistent desktops can be either fully managed by IT or simply handed to an end user who has complete autonomy over the desktop.

Constraint

Much of the efficiency and automation potential of Horizon is not possible using this approach. As the environment scales up, other desktop types enable significant improvements in management efficiency.

Note: Even though traditional Windows management tools and practices can be applied in this model, you may need to make some changes when managing a fleet of virtual machines. Take antivirus software for example. Although you could take your existing antivirus software and policies and apply them to your persistent desktops, you might find excessive disk utilization on your shared storage array during a scheduled virus scan, which could impact performance of the entire system. Many antivirus vendors have software or policy alternatives that stagger the timing of scans or otherwise optimize the VDI experience.

Optional Horizon Components for Persistent Desktops

Horizon Persona Management is a legacy VMware technology that can abstract Windows user profile data from a persistent VM. Although Persona Management is supported for existing customers, advances in Horizon technologies provide more effective alternatives.

Note: Persona Management is not recommended for new Horizon deployments.

For more information about this tool and its constraints, see Horizon Persona Management.

VMware Dynamic Environment Manager™ complements full-clone, persistent desktops in a number of ways. The following is a brief summary of benefits. For more details, see Dynamic Environment Manager. With Dynamic Environment Manager, you can:

  • Remove administrator privileges from end users.
  • Create OS and application personalization that can roam to other devices.
  • Create dynamic policies to control the behavior of various Horizon Agent capabilities. Examples include enabling or disabling USB redirection and optimizing the Blast Extreme display protocol.
  • Redirect folders of user data to a network share for improved availability and disaster recovery.

This kind of personalization combined with folder redirection provides an excellent alternative to Persona Management.

Note: Dynamic Environment Manager is recommended to complement persistent desktops.

Nonpersistent Desktops

A nonpersistent desktop is one that is discarded after the user logs out of Windows. Adopting this model requires some fundamental changes in the way VMs are managed. Traditional PCLM tools may no longer apply or will require adaptation.

Technically, nonpersistent and semi-persistent desktops are very similar. There are some nuances, though, and depending on your business requirements, you might need one rather than the other for a given use case.

Note: If you choose to create nonpersistent desktops, Horizon instant-clone VMs should be used as the provisioning method. For more information, see Instant Clones.

Why Choose Nonpersistent Desktops?

Nonpersistent VMs provide significant improvements in speed and efficiency of desktop and application lifecycle management. Instant clones are by far the fastest provisioning option, with cloning speeds averaging one VM per second. The speed at which VMs can be destroyed and created enables us to approach lifecycle management differently than with traditional PCLM tools. OS and application updates can be applied to a master image, and instantly made available to end users when new sessions are established.

Benefit

Provides a modern approach to provisioning, updating, and managing desktop images. Nonpersistent instant-clone VMs are the foundation for the Just-in-Time Management Platform (JMP). End users benefit from receiving a fast, optimized, brand-new VM with each login.

Constraint

For user segments requiring a persistent user experience, additional Horizon components are required. IT must learn new tools and practices to manage the lifecycle of VMs.

Nonpersistent Desktops with a Nonpersistent User Experience

Some use cases might call for a truly nonpersistent experience. One example is a call center with predefined app settings and data saved to a remote repository rather than a Windows user profile. In this example, the desktops would be considered fully IT-managed.

Simply changing to a nonpersistent model and using instant clones for provisioning can have significant benefits over persistent VMs with full clones for this type of user segment. IT maintains an optimized master image, which is used to rapidly provision and entitle users to instant-clone VMs. End users consume these VMs, which are discarded and recreated, or refreshed, with each use. IT performs updates to the OS, applications, or configurations on the master image, and deploys new instant clones with zero interruption to end users. Information about updating instant-clone desktops is provided in Instant-Clone Maintenance.

Because instant clones are built into Horizon and vSphere, there is minimal IT training required to implement.

Nonpersistent Desktops with a Persistent User Experience

Although nonpersistent desktops provide a number of benefits, some use cases demand a persistent user experience. There are several aspects to providing a persistent user experience, and a given user segment may require one or more of these. For additional design considerations and decision points, see Elements of a Persistent User Experience.

Semi-Persistent Desktops

The term semi-persistent refers to a desktop that is created using a nonpersistent provisioning technology, such as instant clones or linked clones, but the VM is not immediately refreshed when a user logs out. A semi-persistent desktop can be used more than once, but not nearly as long as a typical physical PC or persistent desktop.

Adopting this model requires some fundamental changes in the way VMs are managed. Traditional PCLM tools may still apply but will likely need to be modified.

Note: If you choose to create semi-persistent desktops, Horizon instant-clone VMs or Horizon linked-clone VMs should be used as the provisioning method. Later sections of this document help you decide how to choose between instant clones and linked clones.

Why Choose Semi-Persistent Desktops?

First, the use of instant-clone or linked-clone VMs gives semi-persistent desktops benefits similar to those of nonpersistent desktops when it comes to speed of provisioning and lifecycle management.

Second, semi-persistent VMs are uniquely suited to address use cases that require a desktop to exist longer than nonpersistent VMs, without the need to create persistent desktops.

Consider the following scenario: A financial services company periodically hires contract employees for short-term projects. The contractors require access to a subset of the company’s network and application resources. A desktop VM is provided for the duration of the project, which is typically two weeks or less. During this time, the contractor might log in and out of the VM repeatedly. Upon completion of the project, the contractor’s access to the VM is revoked. The financial services company has an audit policy that requires the VM to be preserved for 30 days in case application event logs need to be reviewed by the IT or Security team. After 30 days, the VM should be discarded.

Although full-clone, persistent VMs could be used, semi-persistent desktops offer improved efficiencies in provisioning and re-provisioning operations. The speed at which instant-clone VMs can be created was highlighted in Why Choose Nonpersistent Desktops?

Note: It is important that semi-persistent desktops be routinely refreshed. For more information, see Building a Semi-Persistent Desktop Service.

The ability to persist an instant-clone VM for brief periods of time, and then refresh the OS disk to a clean state as needed, makes instant clones an excellent choice for creating a semi-persistent desktop service. This service is well suited to address user segments similar to the example described in this section. 
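The contractor scenario in this section implies a lifecycle for each VM: in use, on audit hold for 30 days after access is revoked, then due for discard. The following is an added example, not part of the VMware guide and not a Horizon API: the inventory records, field names, and function names are hypothetical, and the sample data is constructed. It also flags the case the audit policy exists to prevent, a VM refreshed before its hold expired.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

AUDIT_HOLD = timedelta(days=30)  # hold period stated in the scenario


@dataclass
class DesktopRecord:
    """Hypothetical inventory row; these are not Horizon API field names."""
    vm_name: str
    access_revoked: Optional[date]  # None while the contractor still has access
    last_refresh: Optional[date]    # last OS-disk refresh or VM deletion, if any


def classify(rec: DesktopRecord, today: date) -> Tuple[str, int]:
    """Return (state, days_left_on_hold) for one semi-persistent desktop."""
    if rec.access_revoked is None or rec.access_revoked > today:
        return ("IN_USE", 0)

    hold_end = rec.access_revoked + AUDIT_HOLD

    # Assumption: only a refresh on or after the revocation date matters here.
    # Routine refreshes during the project are outside this check.
    if rec.last_refresh is not None and rec.last_refresh >= rec.access_revoked:
        if rec.last_refresh < hold_end:
            # Event logs on the OS disk were wiped while still under hold.
            return ("HOLD_BROKEN", 0)
        return ("DISCARDED", 0)

    if today < hold_end:
        return ("ON_HOLD", (hold_end - today).days)
    return ("DUE_FOR_DISCARD", 0)


def audit_report(records: List[DesktopRecord], today: date) -> Dict[str, List[str]]:
    """Group VM names by lifecycle state so each list can be actioned."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        state, _ = classify(rec, today)
        report.setdefault(state, []).append(rec.vm_name)
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    DesktopRecord("ctr-vm-01", None, None),
    DesktopRecord("ctr-vm-02", date(2024, 3, 15), date(2024, 3, 8)),
    DesktopRecord("ctr-vm-03", date(2024, 2, 20), None),
    DesktopRecord("ctr-vm-04", date(2024, 3, 1), date(2024, 3, 10)),
    DesktopRecord("ctr-vm-05", date(2024, 1, 10), date(2024, 2, 12)),
]

if __name__ == "__main__":
    today = date(2024, 3, 31)
    for rec in SAMPLE_INVENTORY:
        state, days_left = classify(rec, today)
        suffix = f" ({days_left} days left)" if state == "ON_HOLD" else ""
        print(f"{rec.vm_name}: {state}{suffix}")
```
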

Benefit

Provides a modern approach to provisioning, updating, and managing desktop images. VMs are persisted for the duration of a given project, and then easily and quickly restored to a known working state. 

Constraint

For user segments that require settings or data to persist after the assigned semi-persistent VM has been refreshed, additional Horizon components are required. IT must learn new tools and practices to manage the lifecycle of VMs.

Use the following table to help you decide which type of desktop to use for a given user segment.

Table 2: Determining the Type of Desktop a User Segment Requires

Question: How many users are included in the user segment?
Relevance: For a small number of users, you might choose persistent desktops rather than ask IT to learn new technologies.

Question: Is the user segment composed of users such as call center workers or the like, who use a very small number of applications and enter data into a database rather than needing to store data in the desktop?
Relevance: If the answer is Yes, you can easily create nonpersistent desktops using only the core Horizon 7 technology.

Question: Might an audit need to be performed after the user is finished with the VM, so that IT or a security team can review event logs or similar logs?
Relevance: If the answer is Yes, you could use semi-persistent desktops rather than full clones. These types of desktops can also be used for contractors or users who will need a VM for only a few days or weeks.

Question: Are you interested in implementing a modern approach to provisioning, updating, and managing desktop images?
Relevance: You can often meet your users’ expectations by using a nonpersistent desktop that provides a persistent user experience.

Application Models

If you decide to build an Application service, consider whether to use a traditional RDSH server model or a modern approach using the VMware Just-in-Time Management Platform.

Just-in-Time Application Model

JMP (pronounced jump), which stands for Just-in-Time Management Platform, is ideal for building an RDSH-published application service. This model addresses a number of administrative challenges associated with traditional RDS-hosted implementations. JMP represents capabilities that deliver Just-in-Time Desktops and Apps in a flexible, fast, and personalized manner. JMP is composed of the following VMware technologies:

JMP allows components of a desktop or RDSH server to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace when needed. JMP is supported with both on-premises and cloud-based Horizon 7 deployments, providing a unified and consistent management platform regardless of your deployment topology.

The JMP approach provides several key benefits, including simplified desktop and RDSH image management, faster delivery and maintenance of applications, and elimination of the need to manage “full persistent” desktops.

Instant clones are by far the fastest provisioning option for creating an RDSH server farm, averaging one VM per second. The speed at which VMs can be destroyed and created enables us to approach lifecycle management differently than with traditional PCLM tools. OS and application updates can be applied to a master image and instantly made available to end users when new sessions are established.

In addition, using App Volumes AppStacks to dynamically provision applications to farms of instant-clone RDSH servers is extremely powerful. Consider the following capabilities:

  • Reduce image sprawl – Use a single, generic master image to provision one or many instant-clone farms of RDSH servers. AppStacks deliver the correct set of applications to the farms.
  • Make apps instantly available by attaching AppStacks at boot time – The number or size of AppStacks is of minimal concern because AppStacks are attached at boot, and will be ready for immediate use when users connect.
  • Streamline delivery and lifecycle management of applications – AppStacks can be updated independently of the image and assigned once testing and validation are complete. In the case of an application issue, roll-back to a previous AppStack can be accomplished in a matter of minutes.
  • Rapidly scale a farm up or down based on utilization – As the number of instant-clone RDSH servers is increased or decreased, AppStacks are automatically attached and detached. IT administrators can focus on scaling the environment to accommodate usage without worrying about deploying applications to the new hosts.
  • Deliver a consistent user experience – The master image can be updated or refreshed as needed. AppStacks are read-only virtual disks that are attached to each RDSH server, delivering a validated copy of the applications every time. 

Figure 2: App Volumes AppStacks for Instant-Clone RDSH Server Farms

The third technology component of JMP is Dynamic Environment Manager, which operates at the Windows OS level, providing a seamless experience as users roam between published applications and physical or virtual desktops.

Traditional Application Model

It is a common practice for customers to start with a traditional model and migrate to a Just-in-Time Apps model to gain additional efficiencies and use modern management practices. If you already maintain farms of full-clone RDSH servers, moving to Horizon Apps is a simple process.

The traditional application model requires only minimal effort to start brokering access to existing full-clone RDSH servers using the Blast Extreme or PCoIP display protocol. Although this approach reduces the impact on IT by limiting the amount of new technology to be implemented, you lose much of the efficiency and automation potential of Horizon.

Application Service Available from VDI in Nested Mode

Although some customers choose to implement only published applications or only VDI for their entire organization, many choose to provide one or more published applications to one segment of users, while providing another segment with a VDI desktop to accommodate additional requirements. The VDI user segment can also access the published applications from their remote desktop sessions, providing a seamless transition for users consuming both types of services.

The following illustration shows an endpoint device running the VMware Horizon® Client. The client uses a remoting protocol such as Blast Extreme or PCoIP to establish a connection to a Remote Desktop Services (RDS) host running the Horizon Agent, in an on-premises or cloud-hosted data center. The published application is executed on the RDSH server and is displayed to the user over the remoting protocol.

Figure 3: Horizon Application Session

The concept of first establishing a connection to a virtual desktop (VDI), and then connecting to a remote application session from the virtual desktop, is referred to as a nested connection. The published application can be provided through either the JMP or the traditional application model.

Figure 4: Horizon Nested Mode

Nested mode enables end users to access published application sessions directly, and to access those same published applications from within a VDI session. For more information, see the VMware Knowledge Base article VMware Horizon Guidelines for Nested Mode (67248).

Elements of a Persistent User Experience

Regardless of the provisioning technology you choose—desktop or published application—or the type of desktop, a persistent user experience is about the way end users perceive their experience. From the end user’s perspective, it should feel like the session they use from day to day is always coming from the same VM. Settings, applications, and data persist from session to session, whether end users are accessing the same VM guest OS or not.

Not all use cases will require a completely persistent user experience. This section describes the aspects of a persistent user experience, and the Horizon components that can be used to address them.

For the purposes of this guide, a persistent user experience is achieved by providing the following behaviors:

  • User customizations to IT-provided applications are preserved from session to session.
  • User customizations to the Windows OS are preserved from session to session.
  • User-installed applications are permitted.
  • User data may be created and consumed consistently each time the user logs in to a VM.

User Customizations for IT-Provided Applications

Whether IT-provided applications are installed using traditional PCLM tools, either included in a base image or dynamically delivered using App Volumes AppStacks, users might require the ability to customize or personalize settings such as toolbars, shortcuts, and language preferences. In terms of VMware Horizon features, this capability is called personalization.

Personalization of application settings is applicable regardless of whether your user segment calls for Horizon published applications or desktops. (For a discussion of this choice, see Applications or Desktops for a Particular Segment?)

With some user segments or individual users, IT might prefer to enforce some application preferences, while allowing personalization of others. Enforcing predefined settings ensures that required configurations are used, while providing end users the flexibility to customize where appropriate.

Note: Dynamic Environment Manager is recommended to provide personalization and predefined settings as needed.

Both personalization and predefined settings of IT-provided applications can be accomplished by adding Dynamic Environment Manager to your Horizon design. For more information, see Dynamic Environment Manager.

User Customizations for Windows Settings

Because users might require the ability to customize Windows settings for keyboards, mouse, and wallpaper, Dynamic Environment Manager is recommended to provide personalization for Windows settings as needed. Dynamic Environment Manager provides templates to address a variety of custom Windows settings.

User-Installed Applications (UIA)

Some user segments require the ability to install applications in addition to those already provided by IT. There are two concepts to consider with UIA:

  • The privileges necessary to install the applications
  • The ability to persist the applications between sessions

Note: UIA typically does not apply to RDSH-published applications, so the remainder of this section involves UIA with VDI.

With persistent desktops, you must address a user’s privileges regarding the ability to install applications. With nonpersistent desktops, you must address the user’s ability to install applications and the need to persist the UIA between sessions.

Ability to Install Applications

Windows requires user accounts to have elevated privileges to install software. Configuring an end-user account with these privileges often leads to propagation of malware and the exploitation of other vulnerabilities. For more information, see Windows Privileges.

Note: Dynamic Environment Manager is recommended to provide strategic elevation of privileges so that end users with a standard user account can install select software. For more information, see Privilege Elevation.

Ability to Persist UIA Between Sessions

With a persistent desktop model, installed applications naturally persist between sessions because a user always connects to the same desktop VM. With a nonpersistent desktop model, UIAs are discarded at the end of a session along with the VM. To persist UIAs, an App Volumes user-writable volume can be assigned to users in this segment. For more information, see Persistent User Experience for Nonpersistent Desktops.

Note: App Volumes writable volumes are recommended to store and persist UIAs between sessions for nonpersistent desktops. 

User-Created Content

Most end users require the ability to create and retrieve content. This aspect of persistence is applicable to RDSH-published applications and to all desktop types.

With a persistent desktop model and typical local profile, user data is stored in the Windows user profile on the VM. To learn more about local profiles, see Local User Profiles. This model prevents users from accessing their data when they roam to another VM or physical PC. In addition, because user data is stored locally on the VM, there is significant risk of data loss if the VM is corrupted.

With a nonpersistent desktop model, user-created data stored on the VM is discarded after each use. Folder redirection can be used to provide a persistent user experience with user-created data by redirecting the data to a network share. For more information, see Folder Redirection.

Note: Dynamic Environment Manager is recommended to manage folder redirection for user-created data, regardless of whether the desktop persists. For nonpersistent desktops, folder redirection allows user-created data to persist and makes the data available from multiple VMs and devices. For persistent desktops, folder redirection provides a good backup strategy.

Windows Primer

Microsoft designed Windows so that a single user accessed a single physical PC, installed and ran applications on that PC, and consumed and created data that was saved to that PC. Ever since the operating system’s inception, companies (including Microsoft) have been trying to separate the components of a desktop, with two primary goals in mind:

  • For end users, improve the user experience through flexibility, mobility, accessibility, and so on
  • For IT administrators, improve the manageability of desktops

Horizon technologies help address both of these goals. It is important to understand the Windows components to determine how to apply Horizon technologies when architecting desktop and application services. This section discusses some Windows fundamentals, which can be referenced as you design your Horizon solution.

Introduction

Designing a Horizon solution should begin with consideration of end users’ needs. If the solution does not meet these needs or is so cumbersome or performs so poorly that it interferes with productivity, end users will not adopt the solution.

Our recommendations are built on the following concepts:

  • Businesses run on data.
  • Applications are used to consume and produce data.
  • IT provides computing solutions so end users can easily and efficiently access applications.

Applications Need an Operating System

Horizon 7 can provide end users with Windows and Linux VMs, and nearly any endpoint device can be used to access these VMs. (See the Download VMware Horizon Clients web page for a list of supported client operating systems.) Statistics and experience with customers indicate that Windows is still dominant in the market.

This guide focuses on a Horizon 7 solution with Windows at its core.

User Profiles Are at the Heart of the User Experience on Windows

Since the design starts with the users, and the users will consume Windows apps, it is important to understand user profiles. In order to make informed decisions about which profile solutions to choose, administrators need to understand the fundamentals of Windows profiles.

Evolution of User Profiles

As the following table shows, the Windows user profile has evolved with Windows versions.

Table 3: Windows Operating Systems and Their Corresponding Profile Versions

| Desktop OS | Server OS | Profile Extension |
|---|---|---|
| Windows XP | Server 2003, Server 2003 R2 | None |
| Windows Vista, Windows 7 | Server 2008, Server 2008 R2 | v2 |
| Windows 8 | Server 2012 | v3 |
| Windows 8.1 | Server 2012 R2 | v4 |
| Windows 10 (Versions: 1507 & 1511) | N/A | v5 |
| Windows 10 (Versions: 1607 - 1809) | Server 2016 | v6 |

The key takeaway here is that not all versions are compatible with each other. This has implications for things like mandatory profiles, and moving profile data between operating systems.

Anatomy of a User Profile

At a high level, as is described in the Microsoft topic About User Profiles, user profiles are composed of two components:

  • Registry – The NTuser.dat file is loaded at user logon as HKEY_CURRENT_USER (HKCU) and is used to store registry settings that get customized for the user profile.
    • Applications often create or modify HKCU keys and values as users make customizations.
    • For the purposes of this section, NTuser.dat contains user configuration data.
  • Folder structure – A folder structure is created for each user who logs in to Windows.
    • The folder path depends on the Windows version. For currently shipping releases of Windows 10, C:\Users\<name>\ contains a predefined list of folders.
    • Some folders are designed to contain user data. Examples include Documents, Favorites, Music, and more.
    • The AppData folder is commonly used to store user configuration data in the following subdirectories:
      • AppData\Local
      • AppData\LocalLow
      • AppData\Roaming
      Applications often create or modify configuration files (INI, XML, and so on) as users make customizations.

To summarize, Windows profiles are used to store user content data and user configuration data.

Windows Folder Redirection

Folder redirection, which is described in the Microsoft topic Folder Redirection and Roaming User Profiles, has been available for many versions of Windows. This technology enables certain folders in a user profile, which contain user data and user configuration data, to be redirected to a network share. Users and applications interact with the folders as if they were local to the guest OS, though the content resides on a remote share.

Folder redirection has been used for years with physical and virtual PCs for two key reasons:

  • End users are free to roam from device to device in their organization, and still have access to user content data and user configuration data.
  • Redirecting data to network shares makes it considerably easier for IT to back up and restore data as needed.

Types of User Profiles

As is described in the Microsoft topic About User Profiles, Windows supports several profile types, including local user profiles, roaming user profiles, and mandatory user profiles.

Table 4: Local User Profiles
How local user profiles work
  • User profile is created on a Windows OS.
  • User profile component NTuser.dat is bound to the device.
  • Folder redirection can be used to redirect user data to a network share.
Benefit

Default operation for Windows; no configuration required.

Constraint

Profile is bound to a single device, which limits roaming capabilities. If the device is corrupted in any way, the profile is lost.

Table 5: Roaming User Profiles
How roaming user profiles work
  • User profile is pre-created by IT. Each user gets a copy of the profile, which is synchronized to a network share.
  • User profile component NTuser.dat roams from device to device. It is downloaded locally from a network share at login, and is uploaded to the network when the user logs out.
  • User data can grow so large that syncing to and from the network impacts performance.
  • Folder redirection can be used to redirect user data to a network share.

Benefit

Enables user roaming from device to device.

Constraint

User profiles tend to continually grow, and grow quickly, impacting user login and logout times. Network sync issues often corrupt user profiles.

 

Table 6: Mandatory User Profiles
How mandatory user profiles work
  • User profile is pre-created by IT.
  • A copy of the mandatory profile is loaded each time the user logs in to Windows and is discarded when the user logs out.
  • User profile component NTuser.dat is renamed to NTuser.man, preventing end users from persisting changes to user data and user configuration data between sessions.
  • Folder redirection can be used to redirect user data to a network share.

Benefit

End users get an optimized, new copy of a Windows profile each time they log in. Excellent choice for use cases where a nonpersistent user experience is required.

Constraint

Mandatory profiles are typically stored on a network share so that IT can easily update them as needed. Availability of the network share and bandwidth constraints might impact user experience, especially when many users are logging in and downloading copies at the same time.

Mandatory profiles are recommended if your users do not require a persistent user experience. Combine mandatory profiles with Dynamic Environment Manager personalization and folder redirection to provide a persistent user experience with a nonpersistent desktop model.
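One way to confirm on a running desktop that this combination is in effect, as an added example (not from the original guide or from VMware tooling): the PowerShell below reads the per-user User Shell Folders registry key and reports which profile folders resolve to a network location. The folder list and the NTuser.man check used to detect a mandatory profile are assumptions of this example.

```powershell
# Added example: run inside a user session. It only reads HKCU and the
# profile folder, and changes nothing.

$ShellFolderKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Friendly name -> registry value name Windows uses for that profile folder.
# The selection of folders is an assumption; extend it as needed.
$KnownFolders = [ordered]@{
    'Desktop'           = 'Desktop'
    'Documents'         = 'Personal'
    'Favorites'         = 'Favorites'
    'Music'             = 'My Music'
    'Pictures'          = 'My Pictures'
    'Videos'            = 'My Video'
    'Downloads'         = '{374DE290-123F-4565-9164-39C4925E467B}'
    'AppData (Roaming)' = 'AppData'
}

function Test-NetworkPath {
    param([string]$Path)

    if ($Path -like '\\*') { return $true }          # UNC path
    $root = [System.IO.Path]::GetPathRoot($Path)
    if (-not $root) { return $false }                # relative or empty path
    $drive = New-Object System.IO.DriveInfo $root
    return $drive.DriveType -eq [System.IO.DriveType]::Network   # mapped drive
}

function Get-FolderRedirectionStatus {
    $key = Get-Item -LiteralPath $ShellFolderKey

    # Heuristic (assumption): a mandatory profile carries NTuser.man instead of
    # NTuser.dat. Directory enumeration is used because the loaded hive is locked.
    $mandatory = [bool](Get-ChildItem -LiteralPath $env:USERPROFILE -Filter 'ntuser.man' `
                            -File -Force -ErrorAction SilentlyContinue)

    foreach ($entry in $KnownFolders.GetEnumerator()) {
        # Read the raw REG_EXPAND_SZ value, then expand it explicitly.
        $raw = $key.GetValue($entry.Value, $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw) { continue }   # value absent: Windows falls back to its default

        $target  = [Environment]::ExpandEnvironmentVariables($raw)
        $network = Test-NetworkPath -Path $target

        $note = if ($network) {
            'Persisted on a network location'
        } elseif ($mandatory) {
            'Local and mandatory profile: discarded at logoff'
        } else {
            'Local: stays on this machine only'
        }

        [pscustomobject]@{
            Folder     = $entry.Key
            Target     = $target
            Redirected = $network
            Note       = $note
        }
    }
}

Get-FolderRedirectionStatus | Format-Table -AutoSize -Wrap
```

Any folder reported as local on a nonpersistent desktop holds data that will not survive the session, which is the gap folder redirection is meant to close.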

Note: The process to create a Windows mandatory profile varies with Windows versions. In testing, we have found mandatory profiles difficult to configure with the most recent versions of Windows 10 (1809 and later).

For detailed information about creating and optimizing a mandatory profile for use with Horizon instant-clone VMs, see Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop. Please be sure to note the tested versions of Windows 10, and always perform your own user acceptance testing before implementing your mandatory profile in production.

Tip: When using mandatory profiles with instant-clone provisioning, consider storing the profile on the master image rather than a network share. Instant-clone pools and farms are easy and quick to update, easing the burden on IT when updates to the profile are needed. End users benefit from added speed during the login process because the profile does not have to be downloaded from the network each time.

Windows Privileges

End users operate modern versions of Windows with either standard or administrator privileges. (For a description of these privileges, see the Microsoft topic How User Account Control Works.) Year after year, data is published about new vulnerabilities in Windows and how the large majority of these could be mitigated by simply removing administrator privileges from end users. For example, see Research Reveals Microsoft Vulnerabilities More Than Doubled Since 2013.

The following excerpt, from the Microsoft document Implementing Least-Privilege Administrative Models, indicates the need to limit administrative privileges: “You should consider carefully whether users require administrative rights on their workstations….” Despite all these admonishments, it is common to see a high percentage of the user population running with administrative privileges. There are a few common reasons this occurs:

  • End users need to install software (user-installed apps, or UIA).
  • Legacy or poorly written applications require administrative privileges to run.
  • IT is providing a “safety net” in case end users require self-management capabilities in the future.

Horizon 7 Enterprise Edition Components and Features

The previous chapters listed the various questions you need to ask, and the considerations you must take into account, when determining which services to build for your end users. Now that you understand the issues and the way that Microsoft Windows approaches them, we can discuss how these issues might be addressed by the various components and features of Horizon 7 Enterprise Edition.

This section highlights the key technologies you should be aware of to complete a user segmentation exercise. There are a number of technical assets on the VMware Digital Workspace Tech Zone if you would like more information on any of the specific products described in this section.

Horizon Terminology

In the virtualization space, a number of terms are used somewhat interchangeably and can cause confusion. For the purposes of this document, the following definitions will be used.

  • Desktop pool – A collection of Horizon desktops.
  • Dedicated-assignment desktop – A desktop that is assigned to a specific user. When that user connects to a Horizon desktop pool, the same desktop is accessed each time.
    The desktop is defined by the machine name and MAC address of the VM. This has no bearing on user data or unique configuration settings.
  • Floating-assignment desktop – A desktop that does not remain assigned to the same user after that user logs out. When a user connects to a Horizon pool, a random desktop is accessed.
    This has no bearing on user data or unique configuration settings.
  • Persistent desktop – A desktop for which user customizations to applications, Windows settings, or both, and possibly user data are preserved from session to session.
    The VM goes through legacy lifecycle management (provisioning, app distribution, patch updates, other maintenance, and retirement) and is used repeatedly for an extended period of time. Dedicated-assignment full-clone VMs are highly recommended to create persistent desktops.
  • Nonpersistent desktop – A dedicated-assignment or floating-assignment desktop for which user customizations to applications, Windows settings, and user data are discarded or redirected from the desktop. For dedicated-assignment instant clones, only the machine name and MAC address are preserved.
    VM lifecycle is managed using modern methods. The VM is routinely used and then discarded, ensuring a clean and properly functioning VM for every session.
    Both dedicated-assignment and floating-assignment desktop pools are capable of providing a nonpersistent user experience.
  • Semi-persistent desktop – A desktop that is created using a nonpersistent desktop provisioning technology, such as instant clones or linked clones, but the VM is not immediately refreshed when a user logs out of Windows.
    A semi-persistent desktop can be used more than once, but not nearly as long as a typical physical PC or persistent desktop.
  • Windows template for provisioning pools and farms – There are a number of terms that refer to a primary instance of an IT-created VM, from which pools or farms are created, using some sort of provisioning engine.
    The following terms are typically considered interchangeable for this purpose, unless specifically stated otherwise:
    • Base image
    • Master image
    • Golden image
    • Golden master
    • Parent image
    • Parent VM

Horizon Provisioning Options

Horizon 7 includes technologies that can provide both virtual desktops and virtual (published) applications.

  • Horizon Apps – Enables delivery of Remote Desktop Services (RDS) published applications and desktops that are accessible from most endpoint devices.
  • Horizon VDI – Enables delivery of remote desktops using a virtual desktop infrastructure (VDI). These desktops are also accessible from most endpoint devices.

Provisioning operations comprise the technology and practices used to create, maintain, and retire virtual machines. With Horizon provisioning, VMs are typically grouped logically into pools for desktops and farms for RDSH servers.

Full Clones

With full clones, a complete copy of the master VM is created.

Figure 5: Horizon Full Clones

Microsoft Sysprep is typically used during provisioning to generalize the Windows image, removing computer-specific information so that the image can be deployed throughout an enterprise. For more information about Sysprep, see the Microsoft topic Sysprep (System Preparation) Overview.

Speed and efficiency of provisioning operations can be greatly improved with VMware vSphere® Storage APIs – Array Integration (VAAI) hardware assist.

Table 7: Analysis of Full-Clone Provisioning
Supporting infrastructure requirements

vCenter Server

Model

Persistent desktops or servers

Benefit

Requires relatively little planning. Existing tools can be used for software distribution, antivirus, and so on.

Constraint

Precludes taking advantage of a modern management approach such as the Horizon Just-In-Time Management Platform

Linked Clones

This is a legacy cloning technology that enables scalable management of virtual desktops by provisioning clones from a single master image. The newer VMware Instant Clone Technology (discussed in the next section) is now preferred to linked clones. We include this discussion of linked clones for completeness, to describe the evolution of VMware cloning technology, and because, at the time of this writing, linked clones support a few features that instant clones do not yet support, as described in Instant-Clone Considerations.

With linked clones, a complete copy of the master is created as a read-only replica VM.

Figure 6: Horizon Linked Clones

Delta disks are created for each VM, representing the changes from the replica. You can use either Microsoft Sysprep or VMware QuickPrep to customize the VMs during provisioning. For more information, see the VMware Knowledge Base article Differences between VMware ClonePrep, QuickPrep and Microsoft Sysprep (2003797).

Note: With linked-clone VMs, you can configure the Composer server to place user information, including user settings and other user-generated data, on a separate disk from OS information. Composer preserves user information on this persistent disk when the OS data is updated, refreshed, or rebalanced. You can create persistent disks when you create a linked-clone desktop pool.

Table 8: Analysis of Linked-Clone Provisioning
Supporting infrastructure requirements
  • vCenter Server
  • Composer server
  • External database

Model

  • Designed for nonpersistent or semi-persistent desktops
  • Not recommended for persistent desktops

Benefit

Faster provisioning than full clones. Provides some automation for managing the lifecycle of VMs. Supports both nonpersistent and semi-persistent models.

Constraint

Aging architecture that requires more components than instant clones. Heavy vSphere utilization.

  • When used in a semi-persistent model, recompose operations might take a long time and will likely require a maintenance window (service outage) to complete.
  • When used in a nonpersistent model, refresh-on-logoff operations tax vCenter Server, and too many simultaneous operations might degrade performance and impact end user productivity.

Instant Clones

Instant Clone Technology improves and accelerates the process of creating cloned VMs over the previous Horizon Composer linked-clone technology. In addition, instant clones require less storage and less expense to manage and update because the desktop is usually deleted when the user logs out, and a new desktop is created using the latest master image.

Figure 7: Horizon Instant Clones

The process of creating instant clones is as follows:

  1. The master and snapshot are combined into a template.
  2. A copy of the template is created as a read-only replica.
  3. A parent VM is created on each vSphere host and is powered on.
  4. Instant clones are forked from the running parent.

Rather than using Sysprep or QuickPrep to customize the VMs during provisioning, instant clones use VMware ClonePrep. For more information, see the VMware Knowledge Base article Differences between VMware ClonePrep, QuickPrep and Microsoft Sysprep (2003797).

Table 9: Analysis of Instant-Clone Provisioning
Supporting infrastructure requirements

vCenter Server

Model

Designed for nonpersistent or semi-persistent desktops

Benefit

Rapid provisioning and re-provisioning. Supports modern management approach. Modern architecture is built into the vSphere hypervisor, reducing the burden on infrastructure components such as vCenter Server and shared storage.

Constraint

There are some niche use case requirements that are currently unsupported. For more information, see Instant-Clone Considerations.

Instant-Clone Maintenance

Instant-clone maintenance operations serve two primary purposes:

  • Push updates to operating systems and applications, and push any other changes necessary to a pool of desktops or farm of RDSH servers.
  • Refresh desktops or RDSH servers so that end users are always accessing a clean, optimized environment.

You can schedule maintenance of all the desktops in a pool or all RDSH servers in an automated instant-clone farm. During each maintenance cycle, all the VMs are refreshed from the parent VM.

You can make changes to the parent VM without affecting instant clones because the snapshot of the current parent VM is used for maintenance. The instant clones use the information in the parent VM for their system configuration.

Similar to a maintenance operation, you can perform a recover operation to immediately delete and recreate individual instant-clone desktops or servers.

Instant-Clone Considerations

Instant clones should be the first choice for nonpersistent and semi-persistent VM provisioning. There are, however, a few considerations to take into account. At the time of this writing, instant clones do not support the following:

If you absolutely need these capabilities for a given use case, consider using linked clones as an alternative.

App Volumes

If you are new to App Volumes, please review this brief Technical Overview video. The capabilities of App Volumes can be divided into two broad categories:

  • Delivery and lifecycle management of applications
  • Providing a persistent user experience using nonpersistent desktops

Note: App Volumes is applicable only to nonpersistent desktops and RDSH servers. App Volumes should not be used with the semi-persistent or persistent desktop models described in this guide. For more information, see the VMware Knowledge Base article Supported computer and user assignments combinations for AppStacks and Writable Volumes (2151829).

Delivery and Lifecycle Management of Applications

Either instant clones or linked clones can be used to create nonpersistent VMs. A master image is created, and, for a traditional application model, applications can be installed directly on Windows.

Figure 8: Applications Installed on Windows

Once the master image is ready, it can be used to create any number of VMs. Although this method works, it might result in image sprawl. Image sprawl occurs when you are forced to build and maintain many different master images to accommodate the various application and configuration requirements of your end users.

App Volumes provides a better approach by allowing applications to be abstracted from the nonpersistent master image and included in AppStacks.

Figure 9: Applications Abstracted to AppStacks with the App Volumes Agent

App Volumes leverages a mini-filter driver to create an abstraction layer. Applications are installed using typical installation methods but are captured to specialized virtual disks called AppStacks. When mounted, the App Volumes agent makes it appear as though the applications in the AppStacks are natively installed, and the applications run as expected.

Once created, AppStacks are read-only, and have a one-to-many relationship with users. That is, one AppStack can be mounted to many VMs simultaneously.

Persistent User Experience for Nonpersistent Desktops

Individual end users may be assigned a user-writable (read-write) volume (UWV). The UWV has a one-to-one relationship to the end user and can be used to persist a number of desktop components as users access nonpersistent desktops.

Figure 10: User-Writable Volume

UWVs are applicable to nonpersistent desktops but are not applicable to RDSH-published applications. There are three types of UWVs:

  • User-installed apps – As users install applications on a nonpersistent VM, the installation is redirected to the UWV and is persisted from session to session.
  • Profile data – The Windows user profile is redirected to the UWV and is persisted from session to session. For more information, see Anatomy of a User Profile.
  • User-installed apps + profile data – Both user-installed applications and Windows user profile data are redirected to the UWV.

When building a nonpersistent service, App Volumes can be used as part of your application delivery and lifecycle management practices to provide persistence of apps, data, or both. There are distinct benefits and constraints for each of these, as outlined in the following tables.

Table 10: Delivery and Lifecycle Management of Applications
Benefits
  • By abstracting applications from the master image, you can dramatically reduce the number of master images you maintain.
  • With AppStacks, deploying an application is nothing more than attaching a virtual drive. This provides rapid provisioning to hundreds or thousands of VMs.

Constraints

  • Managing and deploying applications with App Volumes requires you to learn and adopt new tools and practices.
  • Creating and provisioning AppStacks requires a solid understanding of applications, including knowledge of software dependencies, required drivers, altitude of mini-filter drivers, and more.

 

Table 11: Providing a Persistent User Experience for Nonpersistent Desktops
Benefits
  • User-writable volumes do an excellent job of persisting the user experience when using a nonpersistent desktop model. Capturing and persisting user-installed applications provides end users the freedom to install software while IT benefits from a modern management approach for desktops.
  • In addition, caches of data such as the Windows Index file, Outlook OST files, and cloud-sharing solutions such as OneDrive and Box can be stored on the UWV.

Constraint

Using UWVs to store profile data should be approached carefully. While your organization’s policy on user data retention might be different, it is typically IT’s responsibility to store, back up, and recover user data in the case of a disaster. UWVs are self-contained VMDK files.

If user profiles are stored in the UWVs, IT might have to create a backup-and-restore procedure. This can be challenging, considering that the volumes must be detached before they can be backed up.

Dynamic Environment Manager

If you are new to Dynamic Environment Manager, be sure to watch this brief Technical Overview video. The sections that follow describe key features of Dynamic Environment Manager.

Note: VMware User Environment Manager was renamed to VMware Dynamic Environment Manager as of the version 9.9 release. Some referenced materials may still use the previous name.

Personalization

Personalization is the ability to abstract metadata about Windows and application configuration settings and store them on the network. This abstraction enables end users to roam between Windows devices while still getting a persistent user experience for Windows and apps. Dynamic Environment Manager puts control in the hands of IT to determine which settings should persist.

Figure 11: Dynamic Environment Manager Personalization Settings

Personalization of Windows and application settings is required for a number of user segments. Dynamic Environment Manager can provide Windows and application personalization for persistent, nonpersistent, and semi-persistent desktops, as well as published applications.

Personalization abstracts settings so users are free to roam between physical devices, RDSH session-based desktops, VDI desktops, and cloud-based desktops.

Predefined Settings

Dynamic Environment Manager provides an easy and consistent way to apply and enforce predefined settings such as configuring a specific toolbar layout, setting a region-specific language, or disabling automatic updates, for all your Windows applications. See the Applying and Troubleshooting Predefined Settings operational tutorial for detailed technical examples.

Privilege Elevation

Removing administrator privileges from end users is one of the most effective ways to mitigate vulnerabilities in Windows. (For a discussion of standard and administrator privileges, see Windows Privileges.) The privilege elevation feature of Dynamic Environment Manager can be used to elevate permissions for specific, approved tasks or applications while using a standard user account. For more information, see the Privilege Elevation Feature Walk-Through video on Tech Zone.

Privilege elevation is applicable to persistent, nonpersistent, and semi-persistent desktops, as well as published applications.

  • Privilege elevation for user-installed applications – Most Windows applications require administrator privileges to install. The privilege elevation feature enables IT to define local or remote software repositories of approved software installers that can be run by end users who have only standard privileges.
    When the user invokes the installer, Dynamic Environment Manager elevates privileges and allows the software to be installed. If end users attempt to install software from an unauthorized location, the installer will fail due to the user’s standard privileges.
  • Privilege elevation for running installed legacy applications – Although uncommon, some applications require administrator privileges to run at all. The privilege elevation feature enables end users to run these specific Windows executables with elevated privileges even though the users have only standard privileges.

    This is accomplished by creating privilege elevation rules based on a file’s hash, path, or publisher. This whitelisting approach, and the granular ability to control elevation of permissions for child processes on a rule-by-rule basis, complements IT privilege-management strategies.
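Before defining elevation rules by path, hash, or publisher, it helps to confirm that the installer repository cannot be modified by standard users and to collect each installer's SHA-256 hash and signer. The following read-only PowerShell audit is an added example, not part of the original guide or of Dynamic Environment Manager; the repository path and the set of trusted SIDs are assumptions.

```powershell
# Added example: read-only audit of an installer repository that will back
# privilege elevation rules. It inspects NTFS ACLs and files only and makes no
# calls to Dynamic Environment Manager. For a UNC path, share-level permissions
# are not covered and must be reviewed separately.
[CmdletBinding()]
param(
    # Hypothetical repository path (assumption); replace with your own.
    [string]$RepositoryPath = 'C:\ApprovedInstallers',

    # SID patterns expected to hold write access: SYSTEM, BUILTIN\Administrators
    # and Domain Admins. This trusted set is an assumption; adjust to policy.
    [string[]]$TrustedSidPattern = @('^S-1-5-18$', '^S-1-5-32-544$', '^S-1-5-21-[\d-]+-512$')
)

# Rights that let a principal add, replace, delete or re-permission content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL | GENERIC_WRITE, which some ACEs store unmapped.
$GenericWriteMask = 0x50000000

function Get-UnexpectedWriter {
    param([string]$Path, [string[]]$TrustedSidPattern)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $rights = [int]$ace.FileSystemRights
        if (-not (($rights -band $WriteMask) -or ($rights -band $GenericWriteMask))) { continue }

        $sid = $ace.IdentityReference.Value
        if ($TrustedSidPattern | Where-Object { $sid -match $_ }) { continue }

        # Resolve the SID for display; orphaned SIDs stay as raw strings.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-InstallerRuleData {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $_.Extension -in '.exe', '.msi' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status      # only 'Valid' supports a publisher rule
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Check the repository root and everything beneath it.
$targets = @($RepositoryPath) +
           @(Get-ChildItem -LiteralPath $RepositoryPath -Recurse | ForEach-Object { $_.FullName })
$writers = foreach ($t in $targets) {
    Get-UnexpectedWriter -Path $t -TrustedSidPattern $TrustedSidPattern
}

if ($writers) {
    Write-Warning "Principals outside the trusted set can modify content under $RepositoryPath"
    $writers | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
}

Get-InstallerRuleData -Path $RepositoryPath | Format-List
```

A path-based rule elevates whatever file sits at that path, so any unexpected writer reported here should be removed before the rule is enabled; hash-based rules pin the exact file contents and must be updated whenever an installer changes.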

Horizon Smart Policies

Dynamic Environment Manager integrates with Horizon 7 by using Horizon Smart Policies. Smart Policies are available to control the behavior of numerous Horizon desktop features. Using a comprehensive set of conditions, these policies can be dynamically applied as users change location, endpoint device type, and more.

Figure 12: Horizon Smart Policy Options

To learn more about Horizon Smart Policies, see the Smart Policies for Horizon Feature Walk-Through video on Tech Zone.

Folder Redirection

Dynamic Environment Manager complements Windows folder redirection. Although you can configure folder redirection through Windows Group Policy, many IT administrators choose to centralize policy management with Dynamic Environment Manager. The following figure shows the easy-to-use UI for configuring which folders get redirected.

Figure 13: Configure Folder Redirection with Dynamic Environment Manager

Because Dynamic Environment Manager works seamlessly across virtual, physical, and cloud-based Windows devices, it can be adopted as part of any organization’s PCLM toolset.  

Table 12: Pros and Cons of Dynamic Environment Manager
Benefits
  • Dynamic Environment Manager provides a number of features that help provide a persistent user experience on nonpersistent VMs.
  • IT can leverage Dynamic Environment Manager capabilities to modernize management practices for persistent, nonpersistent, and semi-persistent desktop use cases.
  • Dynamic Environment Manager requires little infrastructure and easily scales to tens of thousands of users.

Constraints

  • Application personalization uses a whitelist approach. IT must define each application that will be personalized. Dynamic Environment Manager includes a number of application templates, and you have the ability to download many more from the VMware Marketplace.
  • Additional applications require the use of the included Application Profiler utility. Profiling applications is usually pretty easy, but uncommon programming techniques can make this a challenge for some applications.

The Application Profiling operational tutorial provides some examples and techniques to successfully profile tough applications. Experience with Windows application packaging is highly recommended for those who will profile applications.

Horizon Persona Management

Horizon Persona Management is legacy technology that abstracts the Windows user profile from the VM and stores it on a network share. (The Windows user profile was described in Anatomy of a User Profile.) Persona Management is not recommended for new Horizon deployments. Although Persona Management is supported for existing customers, advances in Horizon technologies, such as Dynamic Environment Manager (discussed earlier in this guide), provide more effective alternatives.

Table 13: Pros and Cons of Persona Management
Benefit

By abstracting user profile data from the VM, the risk of data loss in the case of a corrupted guest OS is reduced.

Constraint

The issue with Persona Management is similar to that of Microsoft Roaming Profiles. Profile data is constantly being synchronized between the VM and the network. As the profile grows, larger and larger data sets are synchronized. Networking issues can lead to profile corruption and potential data loss.

ThinApp

VMware ThinApp® is an application-packaging technology that complements physical, virtual, and cloud-based desktop and application deployments. Use ThinApp for one-off application issues where application isolation can solve technical limitations. Application conflicts are eliminated by isolating applications from each other and the underlying OS into a single executable file that can be easily deployed to many endpoints, either independently or with App Volumes.

For more information, see the section about ThinApp integration with AppStacks in the VMware Workspace ONE and VMware Horizon Reference Architecture.

Table 14: Pros and Cons of ThinApp
Benefits
  • You can reduce desktop image and RDSH server farm sprawl by running applications that would otherwise conflict on the same guest OS.
  • ThinApp can be combined with any of the desktop or application models listed in this guide as a strategy to address problematic applications.

Constraints

  • Creating and managing applications with ThinApp requires a solid understanding of how applications are constructed. For example, you might need to understand software dependencies, drivers, file system and registry interactions, and more.
  • Some applications simply will not work with ThinApp, so you will need to use alternative methods to package and distribute them.

Constructing Desktop Services with Horizon 7

Whether you are just starting your Horizon 7 design or are a veteran planning to expand adoption in your organization, it is important that you properly determine user needs and design manageable services. The previous sections of this guide discussed a number of design decisions that point to specific services to consider. The following sections use responses to those questions to define sample service requirements.

Tip: Consider using more than one desktop service type to ensure an excellent user and management experience, rather than trying to force all users into a single model.


This section assumes you have an understanding of the Horizon 7 and Microsoft technologies described in this guide, including the benefits and constraints of each. There are many ways to combine these technologies when building desktop services. The following recommended models may be modified as needed for your user segments. As stated in the introduction to this guide, each service will fit roughly into one of these categories.

Building a Nonpersistent Desktop Service

A nonpersistent desktop service is best suited for user segments that require a high degree of IT management and control over the user experience. (For a review of this type of desktop, see the earlier section Nonpersistent Desktops.)

Nonpersistent Desktop Service with a Nonpersistent User Experience

This is a completely IT-managed service. This user segment has the following service requirements:

  • Disposable desktop
  • Predefined application list
  • Predefined application settings
  • Data saved to a remote repository rather than a Windows user profile
  • No need for user-customized application or Windows settings
  • No need for user-installed applications

An example of a user segment for this service would be a call center.

The following technologies are used in this service:

  • Horizon instant clones are used to provision pools of desktops.
  • Consider using a floating assignment so desktops are assigned as needed and are refreshed at logoff.
  • A dedicated assignment may be used so long as the Refresh OS disk after logoff option is set to always.
  • Master image includes OS, apps, and any required user configuration data (app settings).
  • Consider using a mandatory user profile to ensure a fast, consistent logon experience.

Figure 14: Nonpersistent Desktop Service with a Nonpersistent User Experience

Benefits
  • Rapid provisioning of VMs. End users get a brand-new, optimal desktop with each session.
  • Master image can be built using existing tools and practices. Minimal IT training to implement.

Constraints

This desktop model has a narrow scope of applicability and is best suited for use cases such as call centers.

Nonpersistent Desktop Service with a Persistent User Experience

This is a shared management service, built on the Just-In-Time Management Platform (JMP). Depending on the requirements of a given user segment, more of the management could be put on IT or the end user.

This user segment has the following service requirements:

  • Disposable desktop.
  • Partial list of predefined applications. Some users require more applications than other users.
  • Partial list of predefined application settings. IT mandates some predefined settings, while users require the ability to customize some application and Windows settings.
  • Users have control over where data is saved, including Windows profile locations such as Desktop and Documents.
  • Some users require the ability to install their own software (user-installed applications).

This service could be used for a variety of user segments. See the Mobile Knowledge Worker example in the VMware Workspace ONE and VMware Horizon Reference Architecture for more information.

The following technologies are used in this service:

  • Instant clones are used to provision pools of desktops.
    Either a floating or a dedicated assignment may be used. If a dedicated assignment is used, make sure the Refresh OS disk after logoff option is set to always for support with App Volumes. The master image includes OS and a minimal, core set of applications.
  • App Volumes is used to package and deploy applications using AppStacks.
    A single master image can be used to create multiple desktop pools while AppStacks deliver precisely the right set of applications for a given user.
  • Dynamic Environment Manager is used to create and distribute predefined settings to end users.
    A single, generic application configuration can be used when building the AppStacks, and predefined settings are used to distribute customized application settings to users as needed.
  • Dynamic Environment Manager personalization is used to capture user configuration data for applications and Windows settings and persist these between sessions.
  • Dynamic Environment Manager is used to configure folder redirection to abstract user data from the VM.
  • Consider using a mandatory profile to ensure a fast, consistent logon experience.
  • A standard Windows user account is used to improve overall security of desktops.
  • For end users who require the ability to install their own applications:
    • App Volumes user-writable volumes are created using the UIA template. The UWVs are assigned to select end users.
    • Dynamic Environment Manager privilege elevation is used to strategically elevate permissions during application installations.

Figure 15: Nonpersistent Desktop Service with a Persistent User Experience

Benefit

This service utilizes a comprehensive set of Horizon 7 technologies to provide a high degree of IT management and control, while still providing end users a great deal of autonomy.

Constraints

  • This service requires learning and adopting several new technologies.
  • To be successful with this model, ensure a thorough user segmentation exercise is done and only use this model where it is a truly good fit.

The greatest operational efficiencies are achieved when all applications are managed by IT, all user data and user configuration data is abstracted from the VM, and any other changes made by the user are prevented or discarded. Although it is tempting to push this model across an organization, the model is often not a good fit for every user segment.

 

Building a Semi-Persistent Desktop Service

A semi-persistent desktop service is best suited for user segments that require a high degree of IT management and control over the user experience. (For a review of this type of desktop, see the earlier section Semi-Persistent Desktops.)

VMware Horizon 7 version 7.9 introduced the ability to persist instant-clone VMs beyond a single use. You can now refresh instant clones periodically or based on thresholds.

Figure 16: Control for Configuring the Refresh Operation for a Dedicated Instant-Clone Pool

If you configure the pool setting Refresh OS disk after logoff to Never, the instant-clone VMs persist until you schedule or perform a manual maintenance operation. For more details, see Instant-Clone Maintenance.

Tip: If you configure your instant-clone pool to never refresh the OS disk after logoff, be sure you are periodically running maintenance operations on the pool. Using a semi-persistent desktop for too long essentially turns it into a persistent desktop. Instant-clone VMs are not designed to run for extended periods of time, as in the persistent desktop model.

Semi-Persistent Desktop Service with a Nonpersistent User Experience

A semi-persistent desktop is a VM created using instant clones or linked clones, but the clone is not immediately refreshed after the first use. This desktop service follows the same guidelines as a nonpersistent desktop service with a nonpersistent user experience, though it does provide some additional capabilities over a truly nonpersistent VM.

This is a completely IT-managed service. This user segment has the following service requirements:

  • Disposable desktop.
  • Predefined application list.
  • Predefined application settings.
  • Data is saved to a remote repository rather than a Windows user profile.
  • No need for user-customized application or Windows settings.
  • No need for user-installed applications.
  • Requirement to keep the VM for auditing or other purposes beyond the initial use.

There are a number of reasons you might need to keep a nonpersistent VM for some period of time after the user logs out, such as:

  • To collect log files stored on the VM for troubleshooting purposes
  • To collect Windows or application event logs, or other data required to satisfy auditing requirements; for example, to verify which apps were used or whether any software was installed
  • For compliance or regulatory requirements

An example of a user segment for this service would be a nonpersistent use case with regulations; for example, certain financial services workers or temporary workers with short-term contracts.
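The audit reason listed above (verifying which apps were used and whether any software was installed) can be checked against event logs exported from the retained VM before its next refresh. The following Python is an added example, not part of the original guide or of any VMware tooling. It assumes the logs were exported as XML under a single root element (for example with `wevtutil qe Security /f:xml /e:Events`) and that process-creation auditing (event 4688) is enabled in the master image; the user name, paths, product names and approved-application list are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (provider, event ID) pairs that record a change to installed software.
CHANGE_EVENTS = {
    ("MsiInstaller", 11707): "msi-install",
    ("MsiInstaller", 11724): "msi-removal",
    ("Service Control Manager", 7045): "service-install",
}
# Process creation; only logged when "Audit Process Creation" is enabled.
PROCESS_CREATE = ("Microsoft-Windows-Security-Auditing", 4688)


def parse_events(xml_text):
    """Yield (provider, event_id, time, named_data, unnamed_data) per <Event>."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        event_id = int(system.find("e:EventID", NS).text)
        when = system.find("e:TimeCreated", NS).get("SystemTime")
        named, unnamed = {}, []
        for item in ev.iterfind("e:EventData/e:Data", NS):
            if item.get("Name"):
                named[item.get("Name")] = item.text or ""
            else:
                unnamed.append(item.text or "")
        yield provider, event_id, when, named, unnamed


def audit(xml_text, approved_images):
    """Summarize software changes and executed images from an event export."""
    changes, used, unapproved = [], Counter(), set()
    for provider, event_id, when, named, unnamed in parse_events(xml_text):
        kind = CHANGE_EVENTS.get((provider, event_id))
        if kind:
            detail = named.get("ServiceName") or (unnamed[0] if unnamed else "")
            changes.append((when, kind, detail))
        elif (provider, event_id) == PROCESS_CREATE:
            image = named.get("NewProcessName", "").lower()
            used[image] += 1
            if image not in approved_images:
                unapproved.add(image)
    return {"changes": sorted(changes), "used": used, "unapproved": unapproved}


def _event(provider, event_id, when, data):
    """Build one constructed <Event> element in the Windows event XML schema."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f'</System><EventData>{data}</EventData></Event>')


def _proc(path):
    """EventData of a constructed 4688 record for the sample user."""
    return ('<Data Name="SubjectUserName">contractor7</Data>'
            f'<Data Name="NewProcessName">{path}</Data>')


SEC = "Microsoft-Windows-Security-Auditing"
# Constructed sample: Security, Application and System events under one root.
SAMPLE_EXPORT = "<Events>" + "".join([
    _event(SEC, 4624, "2020-01-15T09:00:02Z",
           '<Data Name="TargetUserName">contractor7</Data>'),
    _event(SEC, 4688, "2020-01-15T09:02:11Z", _proc(r"C:\Program Files\CRM\crm.exe")),
    _event(SEC, 4688, "2020-01-15T09:40:57Z",
           _proc(r"C:\Users\contractor7\Downloads\setup.exe")),
    _event("MsiInstaller", 11707, "2020-01-15T09:41:30Z",
           "<Data>Product: Example Tool -- Installation completed successfully.</Data>"),
    _event("Service Control Manager", 7045, "2020-01-15T09:41:35Z",
           '<Data Name="ServiceName">ExampleUpdater</Data>'),
    _event(SEC, 4688, "2020-01-15T13:15:00Z", _proc(r"C:\Program Files\CRM\crm.exe")),
]) + "</Events>"

# Constructed stand-in for the predefined application list of the master image.
APPROVED_IMAGES = {r"c:\program files\crm\crm.exe"}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, APPROVED_IMAGES)
    for when, kind, detail in report["changes"]:
        print(when, kind, detail)
    print("unapproved images:", sorted(report["unapproved"]))
```

Run the export and this check before the scheduled maintenance operation, because refreshing the clone discards the logs on its OS disk.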

The following technologies are used in this service:

  • Instant clones are used to provision pools of desktops.
  • A dedicated assignment must be used to expose the Refresh OS disk after logoff option. Configure this option for a value other than always to temporarily persist the VMs.
    The master image includes OS, apps, and any required user configuration data (app settings).
  • If instant clones are not a good fit for a given user segment, consider using linked clones. A list of limitations of instant clones is provided in the earlier section Instant-Clone Considerations.
  • Consider using a mandatory profile to ensure a fast, consistent logon experience.

Figure 17: Semi-Persistent Desktop Service with a Nonpersistent User Experience

Benefits
  • Rapid provisioning of VMs. End users get a brand-new, optimal desktop with each session.
  • Master image can be built using existing tools and practices. Minimal IT training to implement.
  • VMs persist for a brief time for auditing purposes as needed.

Constraints

App Volumes is not supported in this model. For more information, see the section App Volumes.

Building a Persistent Desktop Service

A persistent desktop service is best suited for user segments that require a high degree of autonomy when it comes to managing the PC. Two variations of this service are included in this section, user-managed and shared management. (For a review of this type of desktop, see the earlier section Persistent Desktops.)

Persistent Desktop Service – User Managed

For a user-managed service, the user segment has the following service requirements:

  • Persistent desktop that will be utilized for an extended period of time by an end user.
  • Minimal list of predefined applications. Users need to be allowed to install a variety of software, tools, and custom applications.
  • Minimal or no list of predefined application settings. Users require the ability to customize most application and Windows settings.
  • Users have control over where data is saved, including Windows profile locations such as Desktop and Documents.

The following technologies are used in this service:

  • Full clones are used to provision pools of desktops. Master image includes the OS and a minimal, core set of applications. 
  • A Windows administrator account is likely necessary to install software outside the purview of IT.
  • Traditional PCLM tools may be used to distribute and manage corporate applications.

Figure 18: Full-Clone Desktop Model

Tip: Consider using Dynamic Environment Manager or Microsoft Group Policy to configure folder redirection. Abstracting user data to a network share that can be backed up and restored in the case of a disaster is highly recommended, and has little impact on end-user autonomy with regard to their desktop.

Figure 19: Full-Clone Desktop Model with Folder Redirection

Benefits

Reduces the impact on IT by limiting the amount of new technology to be implemented. VMs are managed like physical PCs, using traditional PCLM tools.

Constraints

  • No refresh or recompose capability. Each desktop is assigned 1:1 with an end user.
  • VMs typically need to stay powered on and might therefore require additional server capacity, even though utilization could be sporadic.
  • The modern approach to managing the lifecycle of desktops and apps introduced by Horizon JMP is not available with this model.

Persistent Desktop Service – Shared Management

For a shared management service, the user segment has the following service requirements:

  • Persistent desktop that will be utilized for an extended period of time by an end user.
  • Partial list of predefined applications. Users need to be allowed to install their own software but are restricted to a list of IT-approved applications.
  • Partial list of predefined application settings. IT mandates some predefined settings, while users require the ability to customize some application and Windows settings.
  • Users have control over where data is saved, including Windows profile locations such as Desktop and Documents.

The following technologies are used in this service:

  • Full clones are used to provision pools of desktops. Master image includes OS and a core set of applications. 
  • A standard Windows account is used to improve overall security of desktops.
  • Dynamic Environment Manager privilege elevation is recommended to strategically elevate privileges of IT-approved software for standard user accounts.
  • Traditional PCLM tools may be used to distribute and manage corporate applications.
  • Dynamic Environment Manager is used to create and distribute predefined settings to end users.
    A single, generic application configuration can be used when building application packages, and predefined settings are used to distribute customized application settings to users as needed.
  • Dynamic Environment Manager personalization is used to capture user configuration data for applications and Windows settings. By abstracting user configuration data from the VM, you help prevent loss in case of OS failure, and a consistent user experience is achieved when accessing virtual, physical, or cloud-based desktops. 
  • Dynamic Environment Manager is used to configure folder redirection to abstract user data from the VM, preventing loss in case of OS failure, and enabling end users to roam and access data from other PCs.

Figure 20: Full-Clone Model with Shared Management

Benefits
  • This model strikes a good balance between end user flexibility and IT control.
  • The use of a standard Windows account significantly reduces the threat of vulnerabilities.

Constraints

  • No refresh or recompose capability. Each desktop is assigned 1:1 with an end user.
  • VMs typically need to stay powered on and might therefore require additional server capacity, even though utilization could be sporadic.
  • IT assumes responsibility to maintain repository of approved software.
  • The modern approach to managing the lifecycle of desktops and apps introduced by Horizon JMP is not available with this model.

Constructing Application Services with Horizon 7

Because multiple users share access to RDSH servers, application services are typically fully managed by IT.

Building an Application Service Using the Just-in-Time Management Platform

An application service can be used for a variety of user segments. Details about the use case and service requirements can be found in the Horizon 7 Published Application Service section of the VMware Workspace ONE and Horizon Reference Architecture.

The following Horizon technologies are used in this service:

  • Instant clones – To provision farms of RDS hosts. Master image includes OS and a minimal set of core apps.

    Tip: Do not reboot instant-clone RDSH servers when using App Volumes AppStacks. Instead, use the host or farm maintenance operations to refresh the host. For more information, see the section Instant-Clone Maintenance.

  • App Volumes – To package and deploy applications using AppStacks.

    With this strategy, a single master image can be used to create multiple RDSH server farms while AppStacks deliver precisely the right set of applications.

    Tip: Assign AppStacks to Active Directory OUs containing instant-clone computer objects. As the farm grows, AppStacks are automatically assigned to the new RDSH servers.

  • Dynamic Environment Manager – To create and distribute predefined settings to end users.
    A single, generic application configuration can be used when building the AppStacks, and predefined settings are used to distribute customized application settings to users as needed.
  • Dynamic Environment Manager personalization – To capture user configuration data for applications and Windows settings and persist these between sessions.
  • Dynamic Environment Manager – To configure folder redirection, which abstracts user data from the VM.

Also consider using a mandatory profile to ensure a fast, consistent logon experience.

Figure 21: Just-in-Time Management Model for Published Applications

Benefits
  • Shared application utilization is often variable. Using instant clones makes increasing or decreasing the size of a farm fast and simple.
  • Instant-clone maintenance operations ensure RDSH servers are running in an optimal state, without the need for an outage.
  • AppStacks are assigned to computer objects in Active Directory and are attached as the instant-clone RDSH servers are booted, ensuring applications are available for use immediately.
  • Dynamic Environment Manager provides a seamless experience as users roam from physical or virtual desktops to published applications.

Constraints

This service requires learning and adopting several new technologies.

Building a Traditional Application Service

While the JMP model is ideal for building application services, you might already have full-clone RDSH servers. The following technologies are used in this service:

  • Full clones are used to provision farms of RDSH servers. Master image includes OS and applications.
  • Configure folder redirection to abstract user data from the VM.
    Consider using Dynamic Environment Manager to configure folder redirection, which can be expanded for additional capabilities.
  • Consider using a mandatory profile to ensure a fast, consistent logon experience.

Figure 22: Full-Clone RDSH Server with Folder Redirection

Benefits

Reduces the impact on IT by limiting the amount of new technology to be implemented. VMs are managed like physical PCs, using traditional PCLM tools.

Constraints

Much of the efficiency and automation potential of Horizon 7 is not possible using this approach.

Summary and Next Steps

Horizon 7 Enterprise Edition includes several technologies for implementing modern virtual desktop and published-application solutions for a variety of user segments. A solution that is easy to manage but difficult to use will not be adopted by end users, whereas a solution that is easy to use but complex and difficult to manage will not be accepted by IT. That is why Horizon 7 components can be selected and combined to address the following example use cases and more:

  • Static task workers – Workers in a call center or retail location might require only a small number of Windows applications, which are completely IT-managed, and a Horizon published-application service might be the perfect fit.
  • Knowledge workers – Most corporate users will use some core applications, some department-specific applications, some SaaS-based applications, and might need to install some applications themselves. In other words, they want shared management. They might also occasionally work remotely.
    These users want a persistent user experience, and Horizon 7 can provide this experience using a combination of Horizon instant clones, App Volumes AppStacks and writable volumes, and Dynamic Environment Manager features such as personalization, folder redirection, and privilege elevation.
  • Temporary users – Certain short-term contractors might require a virtual desktop only for the duration of a given project, which might last only a couple of weeks, after which time you want to retain the VM for possible event-log review. A semi-persistent Horizon instant clone can provide the solution. Then, when the project is finished, the system can easily and almost instantly be restored to its original working state.
  • Power users – Software developers, IT administrators, and the like might need to have local administrator privileges and install all sorts of internal or nonstandard applications on their OS. For these users, a Horizon full clone can do the job. Optionally, Dynamic Environment Manager can redirect certain folders to provide a simple and secure backup solution.

These are just a few of the use cases Horizon 7 can satisfy. This document helps you determine the best combination of Horizon 7 technologies for your organization’s needs by stepping you through common design decisions. Once you detail the needs of your various user segments, this document describes each of the Horizon 7 components and how to build the appropriate use-case service using only the components you require.

After you determine which Horizon 7 components your organization will use, refer to the VMware Workspace ONE and VMware Horizon Enterprise Reference Architecture for guidance on creating a production-ready design, which includes architecting in repeatable blocks for scale and architecting for high availability and load balancing to ensure that there are no single points of failure.

Additional Resources

To get started designing an architecture plan and using Horizon 7, explore the following resources:

Author and Contributors

Author

Josh Spencer, Staff Technical Marketing Architect in End-User-Computing Technical Marketing, VMware

Contributors

  • Jim Yanik, Senior Manager in End-User-Computing Technical Marketing, VMware
  • Graeme Gordon, Senior Staff End-User-Computing (EUC) Architect, End-User-Computing Technical Marketing, VMware
  • Arindam Nag, Director, Product Management, End-User Computing, VMware
  • Caroline Arakelian, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Reviewers

  • Peter Bjork, Senior Staff Architect, End-User-Computing Technical Marketing, VMware
  • Thomas Breakiron, Staff Engineer, End-User Computing, VMware
  • Ryan Costello, Senior Staff Architect, EUC Customer Success, VMware
  • Cale Fogel, Senior Staff Domain Architect, VMware (@VirtualCale on Twitter)

 

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.