VMware Workspace ONE Cloud-Based Reference Architecture

Appendix B: Horizon Configuration

This appendix provides details about group policy settings and Horizon Smart Policies, provided through VMware User Environment Manager™.

Horizon Group Policies

You can use standard Microsoft Group Policy Object settings to configure VMware Horizon® virtual desktops and applications, and also use VMware-provided GPO administrative templates for fine-grained control of access to features.

OU GPO Best Practices

Use the following guidelines when applying GPO settings to organizational units (OUs):

  • Re-use GPOs.
  • Create separate OUs for users and computers.
  • Ensure that each GPO is enabled or disabled for Computer and User settings.
  • Group similar settings into one GPO.
  • Understand the difference between monolithic and functional GPOs:
    • Monolithic GPOs contain settings for many different areas and are quite large. All settings are in one place. Use monolithic GPOs for generic settings that apply to all users or computers.
    • Functional GPOs contain a limited set of settings for a specific area. Functional GPOs are smaller GPOs that facilitate settings being defined for particular users or VMs.
  • Link the GPOs to the OU structure (or site), and then use Security Groups to selectively apply these GPOs to particular users or computers.
  • Use loopback replace to ensure that only the settings for the VM’s OU are applied to the session.
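The following PowerShell is an added example, not part of the original reference architecture: it applies the link-then-filter and loopback replace guidelines above to one functional, computer-only GPO. The GPO name, OU path, and security group are hypothetical placeholders, and the script assumes the RSAT GroupPolicy module and rights to create and link GPOs.

```powershell
Import-Module GroupPolicy

# Hypothetical names; substitute your own GPO, computer OU, and group of VM computer accounts.
$GpoName  = 'Horizon-RDSH-Loopback'
$TargetOu = 'OU=RDSH,OU=Horizon,DC=example,DC=com'
$ApplyTo  = 'Horizon-RDSH-Servers'

# Re-use the GPO if it already exists instead of creating a duplicate.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback replace for Horizon VMs'
}

# "Configure user Group Policy loopback processing mode" = Enabled, Mode = Replace.
# The policy is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# This GPO carries computer settings only, so disable its user half explicitly.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link the GPO to the computer OU unless a link is already present.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Security filtering: only the named group applies the GPO.
# Authenticated Users is reduced to Read (not removed) so the GPO can still be read
# during policy processing.
Set-GPPermission -Name $GpoName -TargetName $ApplyTo `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting delegation before relying on the filter.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```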

This appendix contains a list of group policy settings that would typically be applied (this is not an exhaustive list). Most other settings can be applied through User Environment Manager policies. As part of the VMware Horizon® Cloud Services download, there is a VMware-Horizon-Extras-Bundle ZIP file that contains a set of group policy templates to assist in defining additional GPO settings.

Common GPO Settings for Desktop and RDSH Server VMs

| Setting | Value |
| --- | --- |
| Computer Configuration/Policies/Administrative Templates/System/Group Policy/ | |
| Configure user Group Policy loopback processing mode | Enabled; Mode = Replace |
| Configure Logon Script Delay | Disabled |
| Computer Configuration/Policies/Administrative Templates/System/Logon/ | |
| Show first sign-in animation | Disabled |
| Always wait for the network at computer startup and logon | Enabled |

Desktop Settings

| Setting | Value |
| --- | --- |
| Computer Configuration/Policies/Administrative Templates/System/User Profiles/ | |
| Set roaming profile path for all users logging onto this computer | Enabled (Specify the roaming profile network share path) |
| Delete cached copies of roaming profiles | Enabled |

RDSH Server OU-Level Settings

| Setting | Value |
| --- | --- |
| Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Licensing/ | |
| Use the specified Remote Desktop license servers | Enabled (List license servers) |
| Hide notifications about RD Licensing problems that affect the RD Session Host server | Enabled |
| Set the Remote Desktop licensing mode | Enabled (Match mode of licenses) |
| Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Profiles/ | |
| Use mandatory profiles on the RD Session Host server | Enabled |
| Set path for Remote Desktop Services Roaming User Profile | Enabled |
| Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection/ | |
| Allow time zone redirection | Enabled |

User Configuration Settings

Various settings can be used to optimize the user experience while protecting the system. The following table lists a few basic, initial settings that would normally be applied. Because these are user settings, you must also use the loopback processing setting.

| Setting | Value |
| --- | --- |
| User Configuration/Policies/Administrative Templates/Start Menu and Taskbar/ | |
| Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands | Enabled |
| Add Logoff to the Start Menu | Enabled |
| User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/ | |
| Automatically activate newly installed add-ons | Enabled |
| User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/ | |
| Site to Zone Assignment List: Zone assignments | Enabled |
| <URL of Identity Manager> | 1 |
| Example: https://workspace.vmweuc.com | 1 |
| <URL of ThinApp Share> | 1 |
| Example: \\vmweuc.com\files\ | 1 |

User Environment Manager – Group Policy Settings

The following instructions are excerpted from the User Environment Manager Administration Guide. Refer to this guide for more details on group policy settings.

  1. Copy the VMware UEM.admx and VMware UEM FlexEngine.admx ADMX templates (and their corresponding ADML files) from the download package to the ADMX location as described in the Managing Group Policy ADMX Files Step-by-Step Guide on the Microsoft Web site.
  2. Open the Group Policy Management Console.
  3. Create a new GPO or select an existing GPO that is applied to the users for which you want to configure FlexEngine.
  4. To open the Group Policy Management Editor, right-click the selected GPO and click Edit.

    The FlexEngine ADMX template is available under User Configuration\Administrative Templates\VMware UEM\FlexEngine.
  5. Configure the appropriate User Environment Manager group policy settings. At a minimum, the following must be set:
    • Flex config files – Location of the User Environment Manager configuration share.
    • Profile archives – Location of the User Environment Manager user profile share.
    • Run FlexEngine as a Group Policy Extension – Setting that enables the FlexEngine agent. Alternatively, it can be called from a logon script.
    • A logoff script must be defined for User Environment Manager to save settings on logoff. The syntax of the logoff script is:

    "C:\Program Files\VMware\Horizon Agents\User Environment Manager\FlexEngine.exe" -s

Table: User Environment Manager Group Policy Settings

| Setting | Value |
| --- | --- |
| User Configuration\Policies\Administrative Templates\VMware UEM\FlexEngine | |
| Flex config files | Enabled (Enter User Environment Manager configuration share) |
| Profile archives | Enabled (Location of the User Environment Manager user profile share) |
| Run FlexEngine as Group Policy Extension | Enabled |
| User Configuration\Policies\Windows Settings\Scripts\ | |
| Logoff | Script Name = C:\Program Files\VMware\Horizon Agents\User Environment Manager\FlexEngine.exe; Script Parameters = -s |

User Environment Manager Smart Policies

The following tables contain some simple sample Horizon Smart Policies. Adapt them to suit the use case and environment.

The following policies are defined in the User Environment Manager Management Console.

Table: Horizon Smart Policies – External

| Setting | Value |
| --- | --- |
| USB redirection | Disable |
| Printing | Disable |
| Clipboard | Disable |
| Client drive redirection | Disable |
| PCoIP profile | Not set |
| Conditions | Horizon Client property Client location is equal to External |

Table: Horizon Smart Policies – Internal

| Setting | Value |
| --- | --- |
| USB redirection | Enable |
| Printing | Enable |
| Clipboard | Enable |
| Client drive redirection | Enable |
| PCoIP profile | Not set |
| Conditions | Horizon Client property Client location is equal to Internal |

Table: Horizon Smart Policies – ZContractor

| Setting | Value |
| --- | --- |
| USB redirection | Disable |
| Printing | Enable |
| Clipboard | Disable |
| Client drive redirection | Disable |
| PCoIP profile | Not set |
| Conditions | Horizon Client property Client location is equal to Internal and User is a member of an Active Directory group Contractor |
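The following PowerShell is an added example, not part of the original page and not User Environment Manager's own configuration format: it models the three sample policies above to show which settings a session ends up with when more than one policy's conditions match. It assumes matching policies are processed in alphabetical order by name with the last match winning per setting, which is the behaviour a name such as ZContractor relies on; the function and variable names are hypothetical.

```powershell
# Constructed model of the three sample policies; not UEM's own file format.
# PCoIP profile is "Not set" in every sample policy, so it is left out.
$Policies = @(
    @{ Name = 'External'; Location = 'External'; Group = $null
       Settings = @{ USB = 'Disable'; Printing = 'Disable'; Clipboard = 'Disable'; ClientDrive = 'Disable' } }
    @{ Name = 'Internal'; Location = 'Internal'; Group = $null
       Settings = @{ USB = 'Enable'; Printing = 'Enable'; Clipboard = 'Enable'; ClientDrive = 'Enable' } }
    @{ Name = 'ZContractor'; Location = 'Internal'; Group = 'Contractor'
       Settings = @{ USB = 'Disable'; Printing = 'Enable'; Clipboard = 'Disable'; ClientDrive = 'Disable' } }
)

function Resolve-SmartPolicy {
    param([string]$ClientLocation, [string[]]$Groups = @())

    $effective = [ordered]@{
        Location = $ClientLocation; Groups = ($Groups -join ','); Matched = ''
        USB = 'Not set'; Printing = 'Not set'; Clipboard = 'Not set'; ClientDrive = 'Not set'
    }
    $matched = @()

    # Assumption: alphabetical processing, later matches override earlier ones.
    foreach ($p in ($Policies | Sort-Object { $_.Name })) {
        if ($p.Location -ne $ClientLocation) { continue }
        if ($p.Group -and ($Groups -notcontains $p.Group)) { continue }
        $matched += $p.Name
        foreach ($k in $p.Settings.Keys) { $effective[$k] = $p.Settings[$k] }
    }

    $effective.Matched = $matched -join ' > '
    [pscustomobject]$effective
}

# Constructed test sessions covering each combination of conditions.
& {
    Resolve-SmartPolicy -ClientLocation 'Internal'
    Resolve-SmartPolicy -ClientLocation 'Internal' -Groups 'Contractor'
    Resolve-SmartPolicy -ClientLocation 'External' -Groups 'Contractor'
    Resolve-SmartPolicy -ClientLocation ''          # client location not reported
} | Format-Table -AutoSize
```

In this model a session whose client location matches neither Internal nor External matches no policy at all, so every feature stays at "Not set" and falls back to whatever other settings are in effect.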

You should also configure a triggered task to ensure that Smart Policies are reevaluated every time a user reconnects to a session so the user gets the appropriate policy applied.

Table: Triggered Task – Horizon Smart Policies

| Setting | Value |
| --- | --- |
| Trigger | Reconnect Session |
| Action | User Environment refresh |
| Refresh | Horizon Policies |

Table: Folder Redirection – Horizon Smart Policies

| Setting | Value |
| --- | --- |
| Remote path | User’s Home drive share using the %username% variable. Example: \\vmweuc.com\share\Users\%username% |
| Folders to redirect | Documents |
| Conditions | None |

Note: Depending on your needs, you might also want to select Downloads, Music, Pictures, and Videos. Be aware that selecting these folders places a larger load on your file servers, requiring additional disk space and higher performance requirements.