VMware Hands-on Labs - HOL-1951-02-VWS

Lab Overview - HOL-1951-02-VWS - VMware Horizon Getting Started

Lab Guidance

Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 1-2 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Use VMware Horizon 7 to provision VDI desktops with instant clones and RDS Hosts. Configure App Volumes to instantly provision applications, and User Environment Manager to provide a context-based user experience with an integrated workflow to provision user workspaces quickly.

Lab Module List:

 Lab Captains:


This lab manual can be downloaded from the Hands-on Labs Document site found here:


This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:



Please ask for a headset or feel free to use your own as this lab includes video reference material with sound.




Location of the Main Console


  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. Your lab starts with 90 minutes on the timer.  The lab can not be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.



Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.



Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  



Accessing the Online International Keyboard


You can also use the Online International Keyboard found in the Main Console.

  1. Click to open Command Prompt
  2. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.



Insert @ Symbol


In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.
  3. Click on the @ sign
  4. Notice the @ sign entered in the active console window



Activation Prompt or Watermark


When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  



Look at the lower right portion of the screen


Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other message than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.


Module 1 - Horizon Overview and Features (60 minutes)


This Module contains the following lessons:


Horizon Technical overview - Video (10:16)

Feel free to watch this short video explaining Horizon features.


Horizon 7.5 Product Demo - VIDEO (10:38)

In this module we will look at the VMware Horizon 7.5 administrator console and how to invoke the new HTML 5 console

Horizon Editions Explained

VMware End-User-Computing products help IT break the current technology barriers and shift the focus from reacting to delivering services for business agility and workforce productivity. With VMware, IT organizations can meet end-user demands for a consistent and intuitive experience across devices in the office, at home, or on the go while ensuring that the business computing environment is secure, easy to manage, and in continuous compliance.

It is important understanding which options are available when choosing your Horizon edition and will definitely aid towards a succesful deployment and a clear understanding of how each feature is licensed.



Horizon 7 (on-premises)

Horizon 7 (on-premises) is available in three editions:

  1. Horizon Standard  - Simple, powerful VDI with great user experience
  2. Horizon Advanced  - Cost-effective delivery of desktops and applications through a unified workspace
  3. Horizon Enterprise  - Desktops and applications delivered with cloud automation and management

Have a look at the table below and make sure your business and use-case align with the feature set below. Each Horizon edition has 8 sections covering:


Company ABC has a requirement to optimally deliver audio and video either directly between end-points for one-on-one collaboration, or offloaded to a central Multipoint Control Unit (MCU) for multi-party conference calls or meetings.

Solution = Horizon Virtualization Pack for Skype for Business (**available through Horizon Advance)




Horizon Feature Table

Download the latest VMWARE END-USER COMPUTING Packaging and Licensing Including VMware Workspace ONE and VMware Horizon white paper.




Edition Selector Tool - New or Upgrade

Making the right choice looking at the Horizon feature table may look challenging  and can be a daunting task. VMware has developed an Edition Selector online that will help you make the right decision.

  1. Horizon Editions Selection Tool VMware Horizon is available in three editions: Horizon Standard, Advanced, and Enterprise. Access the selector guide to help choose the right edition for your needs.  
  2. Horizon Editions Upgrade Tool  Enter the product or SKU the customer currently has, select the product the customer wants upgrade to, and the tool will provide the upgrade path. Use the Upgrade Tool to help choose the right upgrade path.


What's New in Horizon 7.5

The section on What's new in Horizon 7.5 has a detailed breakdown of the new features and can be viewed watching the 11 minute video presentation (Option 1) or read thought the features (Option 2) .


Option 1 - VMware Horizon 7.5 - What's New Overview - VIDEO (11:08)



Option 2 - VMware Horizon 7.5 - What's New Overview - Manual Walk through

Drawing on the best of mobile and cloud, Horizon 7 radically transforms VDI, giving you unprecedented simplicity, security, speed and scale—all at lower costs. Horizon 7 helps you get up and running up to 30x faster while cutting costs over traditional solutions by as much as 50%



Horizon Console


VMware Horizon Console is the latest version of the Web interface through which you can create and manage virtual desktops, published desktops and applications. Horizon Console also integrates VMware Horizon Just-in-Time Management Platform (JMP) Integrated Workflow features for managing workspaces. Module 4 will cover this in more detail.

Horizon Console is available after you install and configure Horizon Connection Server and accessed via HTML 5. The first Console includes a partial implementation of Horizon 7 features, but you can use Horizon Administrator, the classic Web interface to access those features that are not yet available in Horizon Console.



Horizon Console - Benefits

The benefits of using Horizon Console include an easier desktop and application deployment process, just-in-time desktop delivery, and a more secure Web interface that eliminates security risks.  



Functionality - Horizon Console

To perform desktop or application pool deployment tasks, troubleshooting tasks, or manage JMP workflows through the Horizon Administrator Web interface by using a secure (TLS) connection.

This is the current feature set supported through the new Console:



JMP Integrated Workflow



This is a new feature that provides a simplified way for EUC Admins to define a workspace and facilitate assignments by defining a JMP assignment that includes information about the Horizon desktop pools, VMware App Volumes AppStacks, and VMware User Environment Manager through a single console for users or group of users.


Supported Components and Versions

The following versions of the VMware products must be installed before you begin installing JMP Server.



Help Desk Tool



There’s an updated version of the Help Desk Tool can be found in the new Horizon Console. Just open Horizon Console and select a username to start investigating and troubleshooting virtual desktop and app sessions.


Note: To get logon segments info. you need to enable timingProfiler writes to the event database: “vdmadmin -I -timingProfiler -enable” on each Connection Server.



Horizon 7 with VMware Cloud on Amazon Web Services



Horizon 7 with VMware Cloud on Amazon Web Services means the infrastructure is offered as a service, but customers have full control over the workloads they run on top of the infrastructure and have an environment that’s nearly identical to on-premises.


With Horizon 7.5 full clone VDI and RDSH are supported, Instant Clones is planned for a future version.

SaaS-based Workspace ONE and Unified Access Gateway 3.3 are supported, User Environment Manager and App Volumes are planned for a future version.

3rd party load balancer and NSX Edge North-South firewalling is supported, NSX Load-Balancing and Distributed Firewall for East-West are planned for a future version

Watch this video to learn more about this feature




VMware Cloud on Amazon Web Services Video



Subscription Based Licensing


In addition to VMware Horizon current licensing, subscription based licensing is now available for Horizon 7.4.1 and 7.5.



Extended Service Branch (ESB)



Starting in Q2 2018, Horizon will have an option of Extended Service Branch (ESB), in addition to the Current Release (CR) branch.

What is ESB?

An Extended Service Branch is a parallel release branch to the existing, current release of the product.


For example, Horizon 7.5 SP1 will be released at the same time its corresponding SP1 on AV, UEM and UAG ESBs. Mixing of ESB and Current Release or mixing of Service Pack versions is not supported.  




vSphere 6.7 and Instant-Clone API


Horizon Instant Clones with vSphere 6.7


Support for the instant-clone API in vSphere 6.7 are included with Horizon 7.5 and improve the following for Instant Clones:


A common mistake is that Horizon Instant Clones are equal to the vSphere PowerShell method, however Horizon is different as it always had a parent-less instant clone and then rebased on the replica, which also provides the benefit of the storage accelerator. Horizon includes cloneprep which automates the steps required on the guest OS.



Virtualization Based Security (VBS)



Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. Windows 10 leverages TPM for measuring boot integrity sequence (and based on that, automatically unlocking BitLocker protected drives), for protecting credentials or for health attestation.


vTPM Requirements

A Key Management Server (KMS) should be configured within vCenter in order to add a TPM device to a VM. TPM secrets are stored in VM files which gets automatically encrypted when a TPM device is provisioned. A Key Management Server (KMS) is required to encrypt VM files holding TPM secrets. You can use TPM for hardware binding with Credential Guard, Attestation or BitLocker keys. After a KMS has been added you can add a TPM device in vSphere or the Pool creation wizard.






Previously with Instant Clones only one vGPU profile per cluster was recommended, the reason was that even when grouping VMs per host, across hosts the VMs were still spread, this could lead to the situation that all GPUs would already have a VM running with another profile than required and as only a single profile per GPU is supported, thus a new VM could not be launched even though capacity was available. In the new consolidation mode VMs are also grouped across hosts.

In the new performance mode VMs are grouped across hosts, but spread between GPUs. There is an override per vCenter in the ADAM database that spreads across hosts that only should be used with single GPU profiles and is equal to the old best performance.



Golden image sharing for Instant Clones in multi-cluster



You can now use a single master (or golden image) for multiple clusters without shared storage between those clusters. VSAN for example is only available within the cluster.

This restriction has been removed by modifying the internal VM logic as the template is now started from the cluster it’s residing on.




Instant Clones




Cloud Pod Architecture




GPO Bundle



Horizon 7.5 Resources

VMware Horizon 7 has some of the best resources available online with dedicated resource zones specially created to enable all levels of users and administrators. Have a look at some of the following examples:

  1. VMware TECH ZONE
    • Video library with Beginner to Expert level
    • Tech Talks, Expert Series, Quick Talks and much more
    • Tools - This section will cover tools for App Volumes, Horizon and Workspace One
    • Blog - Link to VMware EUC blog series
  2. EUC Blog
  4. VMware Learning Zone
  5. Certification
  6. VMware Technical Papers
  7. VMware YouTube TV Channel
  8. VMware Testdrive
    • TestDrive is a fully featured, integrated and globally available product exploration environment provided by VMware for our Partners, Customers and Employees
  9. VMware Twitter
  10. Facebook


Learn more about Horizon 7 - Workspace ONE mode at TECH ZONE (2:00)



How to Gather the Facts about Your Current Environment


Our desktop assessment tool helps you prepare for the move to Horizon desktops and applications. Once the assessment is complete, you can design an operational prototype, identify technology and skills gaps, and uncover risks.  



Learn more about - VMware Cloud Foundation for Horizon




Lern more about - Horizon 7 on VMware Cloud on AWS




Module 1 provided an overview and introduction of


You've finished Module 1


Congratulations on completing  Module 1.

If you are looking for additional information on Horizon 7 JMP, try one of these:

Proceed to any module below which interests you most.




How to End Lab


To end your lab click on the END button.  


Module 2 -Horizon Components Explained (90 minutes)


This module contains the following lessons:

Lab Module List:

Module 1 - Horizon Overview and Features (60 minutes) (Basic)

Module 2 - Horizon Components Explained (90 minutes) (Basic)

Module 3 - Horizon Basics Tasks (90 minutes) (Basic)

Module 4 - Horizon (JMP) Just-in-Time Management Platform (90 minutes) (Basic)

Horizon Components and Architecture

VMware Horizon is comprised of industry-leading solutions for all aspects of desktop and application management and delivery.

Throughout this module you will see how these components address specific needs, how they can be combined to provide a comprehensive just-in-time management platform, and how they scale to cover the largest customer demands.

This brief section of the lab is for informational purposes only. There are no associated lab steps.


Horizon Logical Architecture


With the introduction of Horizon 7 Enterprise Edition, VMware is drawing on the best of mobile and the cloud, offering greater simplicity, security, speed, and scale in delivering on-premises virtual desktops and applications with cloud-like economics and elasticity of scale.

Each component of the platform can run independently, and addresses specific needs. For a list of Horizon components, features, and package levels, see module 1 of this lab.

As these components are combined and integrated, they complement each other adding new and unique capabilities.



Just-In-Time Management Platform


The Just-in-Time Management Platform (JMP), is the next-generation desktop and application delivery platform.

JMP includes:

JMP allows components of a desktop or RDSH server to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace when needed.

JMP is supported with both on-premises and cloud-based Horizon 7 deployments, providing a unified and consistent management platform regardless of your deployment topology.

The JMP approach provides several key benefits, including simplified desktop and RDSH image management, faster delivery and maintenance of applications, and elimination of the need to manage full persistent desktops.

To learn more and to get hands-on experience creating JMP assignments, see Module 4 of this lab.



Designing a Horizon 7 Implementation


One key concept in a Horizon 7 environment design is the use of pods and blocks, which gives you a proven, repeatable and scalable approach.

A pod is made up of a group of interconnected Connection Servers that broker desktops and/or published applications.  

A pod is divided into multiple blocks to provide scalability. Each block is made up of one or more resource vSphere clusters, and each block has its own VMware vCenter Server, Composer server (optional), and VMware NSX Manager (where NSX is being used).



Horizon 7 at Scale


A key component to making Horizon 7 Enterprise Edition truly scalable and able to be deployed across multiple locations, is Cloud Pod Architecture (CPA).

CPA introduces the concept of a global entitlement (GE) through joining multiple View pods together into a federation. This feature allows you to provide users and groups with a global entitlement that can contain desktop pools or RDSH-published applications from multiple different View pods that are members of this federation construct.

View pods can be in a single datacenter to scale for the largest customers, or spread across the globe to support multi-regional use cases.

To learn more about Horizon Cloud Pod Architecture, see Module 3 of this lab.




One of the methods of accessing Horizon 7 desktops and applications is through VMware Identity Manager. This requires integration between Horizon Connection Servers and VMware Identity Manager using the SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality.

When SSO is enabled, users who log in to VMware Identity Manager with Active Directory credentials can launch remote desktops and applications without having to go through a second login procedure. If you set up the True SSO feature, users can log in using authentication mechanisms other than AD credentials.

To learn more about Workspace ONE and Identity Manager see lab 1951-01.



More Information

To learn more about how to address business requirements and use cases with services constructed by integrating the components of VMware Workspace ONE, including VMware Horizon 7 Enterprise Edition, please review VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture.


Horizon with User Environment Manager

User Environment Manager provides profile management by capturing and preserving user settings for the operating system and applications.

Unlike traditional application profile management solutions, User Environment Manager does not manage the entire profile. Instead, it captures only settings the administrator specifies.

This approach reduces login and logout time because less data needs to be loaded. The settings can be dynamically applied when a user launches an application, making the login process more asynchronous. User data can be managed through folder redirection.


Introduction to User Environment Manager


With profile and policy management using User Environment Manager capabilities, IT can deliver a persistent experience across any VDI instance or published application.

For example, printer settings, network mappings, desktop backgrounds, and much more can follow the user as they move from virtual instance, to physical, or even cloud-based desktops or apps. Dynamic policies allow IT to trigger policy execution based on context.



User Environment Manager Technical Product Overview - Video (4:32)

To learn more about User Environment Manager, please review the following video. It provides a brief, technical overview of User Environment Manager, and is ideal for viewers looking for an introduction to the product.



User Environment Manager Administration Overview


  1. From the desktop on the Main Console double-click User Environment Manager Management Console



What's New in User Environment Manager 9.4?

User Environment Manager 9.4 introduced several new features including:

To learn more about the 9.4 release, including technical demos, please review the following video.



User Environment Manager v9.4 - What's New Technical Overview - Video (9:30)


Horizon with App Volumes

The App Volumes just-in-time application model separates IT-managed applications and application suites into administrator-defined application containers and introduces an entirely different container used for persisting user changes between sessions.

VMware App Volumes is a real-time application delivery system that IT can use to dynamically deliver and manage applications. You do not need to modify desktops or RDS servers to work with App Volumes because applications act as if they were natively installed. The App Volumes solution can be scaled out easily and cost-effectively, without compromising end-user experience. Applications are centrally managed and delivered to desktops through virtual disks.


Introduction to Horizon with App Volumes


App Volumes streamlines delivery and lifecycle management of applications.

  1. Apps are abstracted from the OS, and stored in read-only disks called AppStacks. These AppStacks may contain one or many applications. Because of this layer of abstraction, base images used to provision desktop pools need little more than an operating system.
  2. AppStacks are attached to VMs during boot or user login, making applications instantly available. A core set of applications can be delivered to desktops during provisioning. As users login, additional AppStacks containing departmental or user specific apps may be attached.
  3. AppStacks can be assigned to Active Directory OUs containing computer objects for RDS Hosts. As the hosts are provisioned and powered on, AppStacks are attached and the apps are available for publishing. As the farm grows, applications are automatically delivered to the new hosts.



Summary of App Volumes Benefits

With App Volumes, applications become objects that can be moved easily across data centers or to the cloud and shared with thousands of virtual machines. In a virtual desktop environment, App Volumes provides the following benefits:

Real-time, dynamic application delivery in virtualized environments  

Persistent end-user experience in non-persistent environments  

Application life-cycle management  

Reduced VDI infrastructure costs and improved efficiency  



App Volumes Manager Administration Overview

This section will familiarize you with the App Volumes Manager.



VMware App Volumes Feature Review

To learn more about AppStack Attachment Limits and other features that were introduced in App Volumes 2.13, please review the following video.



App Volumes v2.13 - What's New Technical Overview - Video (5:14)



What's New in App Volumes 2.14?

App Volumes 2.14 introduced several new features:

New Security Controls

Writable Volume Agility

Scale, Performance and Alignment

To learn more about the 2.14 release, including technical demos, please review the following video.



App Volumes v2.14 - What's New Technical Overview - Video (11:54)


NSX for Horizon

VMware NSX Data Center is the network virtualization platform for the Software-Defined Data Center (SDDC), providing network-based services such as security, virtualization networking, routing, and switching in a single platform. These capabilities are delivered for the applications within a data center, regardless of the underlying physical network and without the need to modify the application.

NSX provides key benefits to the Horizon 7 infrastructure components and the desktop environments.

This brief section of the lab is for informational purposes only. There are no associated lab steps.


NSX Security Functions for Horizon 7


NSX provides value for a number of use cases such as improving security, providing automation, and enabling multi-cloud networking. The following highlights the value of implementing Horizon 7 with NSX.



NSX and Horizon 7 Design Overview


The NSX platform consists of several components that make up the overall architecture. A highly scalable NSX infrastructure design is typically split into two clusters to create fault domains: the compute cluster and the management cluster. In a Horizon 7 design, however, we also have a desktop cluster.

As is shown in the diagram, the server domain is separated from the desktop domain. The server domain houses the Horizon 7, NSX, and vCenter Server management components. The desktop domain houses the desktop and RDSH pools and server farms, along with the NSX Manager and vCenter Server for the desktop cluster.



Key Use Case - Micro-Segmentation

The concept of micro-segmentation takes network segmentation, typically done with physical devices such as routers, switches, and firewalls at the data center level, and applies the same services at the individual workload (or desktop) level, independent of network topology.

NSX and its Distributed Firewall feature are used to provide a network-least-privilege security model using micro-segmentation for traffic between workloads within the data center. NSX provides firewalling services, within the vSphere ESXi hypervisor kernel, where every virtual workload gets a stateful firewall at the virtual network card of the workload. This firewall provides the ability to apply extremely granular security policies to isolate and segment workloads regardless of and without changes to the underlying physical network infrastructure.

To learn more about Horizon integration with NSX, see the VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture


Horizon 7 with VMware Cloud on Amazon Web Services

Through a strategic partnership, VMware Horizon 7 can now be deployed on Amazon Web Services.

This brief section of the lab is for informational purposes only. There are no associated lab steps.


Introduction to VMware Cloud on AWS


VMware Cloud on AWS is an on-demand service that enables you to run applications across vSphere-based cloud environments with access to a broad range of AWS services. Powered by VMware Cloud Foundation, this service integrates vSphere, vSAN and NSX along with VMware vCenter management, and is optimized to run on dedicated, elastic, bare-metal AWS infrastructure.

With VMware Hybrid Cloud Extension, customers can easily and rapidly perform large-scale bi-directional migrations between on-premises and VMware Cloud on AWS environments.

With the same architecture and operational experience on-premises and in the cloud, IT teams can now quickly derive instant business value from use of the AWS and VMware hybrid cloud experience.

To learn more about how you can deliver vSphere-based, Consistent Hybrid Operating Environments on AWS Cloud, visit VMware Cloud on AWS.



Introduction to Horizon on AWS


With VMware Cloud on Amazon Web Services the full Software Defined Data Center (vSphere with VSAN and NSX) is delivered as a cloud service on bare metal Amazon hardware.

Inside this cloud datacenter you can deploy any application, including Horizon 7.5, without needing to worry about maintaining vSphere components.

This service can scale elastically, is available on demand and in datacenters around the globe.



Use Cases for Horizon 7 on AWS


By installing Horizon 7 inside VMware Cloud on Amazon Web Services multiple use cases are enabled:



VMware Horizon 7 with VMware Cloud on AWS Technical Overview

The following video provides and overview of the new Horizon 7 v7.5 feature that enables IT to run Horizon 7 on the VMware Cloud on AWS. It includes a walkthrough of the SDDC deployment on VMware Cloud on AWS and a demo of the user experience.  

To learn more about Horizon 7 with VMware Cloud on AWS, please review the following video.



Horizon 7 v7.5 with VMware Cloud on AWS Technical Overview - Video (9:04)



More Information

To get hands-on with Horizon 7 with VMware Cloud on AWS, see lab 1951-04 Module 6.



Module 2 provided an overview and introduction of


You've finished Module 2


Congratulations on completing Module 2.

If you are looking for additional information on Horizon, try one of these:

Proceed to any module below which interests you most.




How to End Lab


To end your lab click on the END button.  


Module 3 - Horizon Basic Tasks (90 minutes)


Welcome to Module 3 of the VMware Hands on Labs Horizon 7 Enterprise Getting Started. This lab will provide a hands on high level overview of the following subjects:

Preparing a Virtual Desktop

This module will provide a high level overview of the steps necessary to prepare a virtual desktop image for deployment.


Golden Master Images


The virtual desktop/golden master images are a critical part of your infrastructure.  

When building out a Horizon environment, it is imperative to start with a clean base image. VMware’s best practices recommend building these golden master images from scratch with an .iso. This assures you will be starting with a clean and purpose built for a Horizon environment. This eliminates the risks associated with inheriting “ghosts” in the code or residual bits and settings from attempting to uninstall un-necessary applications, drivers, and agents while trying to “clean-up” an existing corporate image. In most cases, more time is wasted trying to clean up an existing image or troubleshooting the cause of poor performance/end user experience than it would have taken to build the golden images cleanly from scratch.




During the process of building out the golden master desktop image, it is a good idea to take many snapshots along the way. This allows you to revert to a previous state of the build should something go wrong without having to start from scratch.



Master Image Decisions

When creating golden master images you will be faced with some of the following decisions.

Taking the necessary time and perform the pre-analysis and create a plan should provide a clearer picture of how many golden master images you might need to build and maintain to achieve your business requirements. It will also show at which point you should clone the state of the image so you can branch off to create golden masters for the other required use cases (instant clones, linked clones, full clones, GRID enabled etc.)

The process is identical whether you are building out Server 201x for RDSH/Apps, or Windows 7/10 images.



Anti-Virus Considerations

Once the operating system is built, patched, and base common applications are installed to your company’s standards, careful consideration should be made when choosing and installing an anti-virus/malware solution. Make sure to adhere to the vendor’s recommended best practices. If you are installing an agent based Anti-Virus solution instead of a hypervisor based solution, check with the software vendor for the proper recommendations. Many of the vendors have a list of steps necessary to sanitize the golden master image before deployment, avoiding future complications with the Anti-Virus management console or installed in guest agent. VMware also has some general recommended best practices exclusions and configurations for most all Anti-Virus solutions to consider. These recommendations can impact end user experience/performance if not adhered to. The links below are a good starting point to review when deploying an Anti-Virus strategy in your Horizon environment.

VMware Anti-Virus Considerations in Horizon 7

VMware Anti-Virus Executable Exclusion List for Horizon





Once all golden master image base applications have been installed and validated, the next step is to optimize the image. Optimization insures the best desktop performance by disabling wasteful resource consuming unessential features and services providing the best end user experience possible.

For optimization, VMware has a graphical utility that you can download to simplify the optimization process. The link below is to the VMware OS optimization tool.

VMware Desktop Optimization Tool (OSOT)

For every optimization you perform on the desktop golden master image, the savings is cumulative  (if you save 1% CPU or RAM across 1,000 desktops that is clearly a significant amount of resources that can be purposed for additional desktops in the environment.

It is highly recommended before starting the optimization process to take a snapshot of the desktop image in its current state. This way if an application breaks due to an optimization setting or disabled service the tool makes, you can  revert back to the default un-optimized state until the offending setting can be found and excluded from the optimization process. It is also a good idea to read through the optimization settings and proposed changes. If you see any optimizations that you know will conflict with applications or end user experience you can proactively un-check the optimization so it is not removed in the optimization process.





Once the image is configured, optimized and validated there are some post configurations and clean up that should be done. First step is to remove any unnecessary hardware (Floppy Disk, CDROMs, Serial Ports etc.) After, there are a few advanced settings that should be configured as well. Take an additional snapshot and shutdown the desktop to start.



Hands On Lab Experience Post Optimization Configuration

This hands on experience will show you how to complete the post optimization processes.





  1. Launch Google Chrome.



Open vCenter Region A


  1. Click on vCenter folder.
  2. Select RegionA vSphere Client (HTML)



Login vCenter


  1. User Name: administrator@corp.local.
  2. Password: VMware1!
  3. Click Login.






  1. Right Click the VM base-W10-1709-x64-01.
  2. Snapshots.
  3. Click Take Snapshot.





  1. In the Name: Box Type a Unique Snapshot Name
  2. Click OK.





  1. Right Click base-W10-1709-x64-01.
  2. Click on Edit Settings.





  1. Click on the X to remove the CD/DVD drive (also you would remove the floppy and any serial ports in the same manner if applicable)



Verify CD ROM Will Be Removed


  1. Verify Device Will Be Removed.
  2. Click VM Options Tab.





  1. Expand the Boot Options menu.
  2. Check the box that says Force BIOS setup.





  1. Scroll down to Advanced and expand.
  2. Uncheck Enable Logging.





  1. Scroll Down to Configuration Parameters and click Edit Configuration. (This is not always necessary depending on your use case. (In this example when using the Horizon Direct Connect Agent, to configure a GRID enabled desktop you would need to add the advanced option svga.ScreenDMA with a value of TRUE.





  1. To add a Parameter Click the Add Configuration Params Button.





  1. Under the Name Heading add svga.ScreenDMA
  2. Under the Value Heading add the value TRUE
  3. Click OK to save changes and exit.





  1. Click OK to close Edit Settings and exit.





  1. Right click on base-W10-1709-x64-01
  2. Click Power.
  3. Click Power On to power the desktop back on for final configuration and optimization. The machine should have booted to the PhoenixBIOS Setup.





  1. Right click base-w10-1709-x64-01.
  2. Click Open Remote Console.





  1. Click on Open VMware Remote Console to Continue.





  1. Use the Right arrow to move over to the Advanced BIOS menu.





  1. Using the down arrow key, move down to the I/O Device Configuration option and press Enter.






  1. Using the Space Bar and arrow keys set all Serial, Parallel, and Floppy disk controllers to Disabled as shown.
  2. Press the Escape (ESC) key to get back to the root menu.





  1. Use the Right Arrow Key to the Boot Menu
  2. Use the Down Arrow Key to Highlight Hard Drive, Press the (shift and + key) to move Hard Drive to the first boot Device.
  3. Press Escape (ESC) key twice to exit and save changes prompt.





  1. Press Enter to confirm to Save and Exit.





  1. Watch for a clean boot and logon as corp\administrator.
  2. Password VMware1!





  1. From the desktop launch a Command Prompt






In the command prompt issue the following commands.  

  1. ipconfig /flushdns
  2. ipconfig /release
  3. shutdown /p





  1. Click on the red X to close the remote console window.
  2. Close all Chrome browser sessions and clients to return to the desktop.




At this point your golden master image is ready to be cloned. You would create as many clones as you need for the number of golden master images you need. (Instant Clones, Linked Clones, Full Clones, Graphics Accelerated etc.) Before cloning delete all outstanding snapshots. These clones should be named accordingly to their purpose and booted 1 by 1 re-named/joined to the domain with their new name to insure uniqueness when powered on.

Now that you have a clean master image, you can configure for your use cases. The View agent is only capable of being installed in full clone (Template) mode, Instant Clone, or Linked Clone mode. Instant clones are the method of choice going forward for several reasons. They are stateless just like linked clones, but are not dependent on Composer server and a SQL database (eliminating a single point of failure in your architecture and an additional SQL database instance to provision, backup, and maintain.




View Agent Installation

The order of installation for the Horizon View agent(s) is quite important. Failure to install the agents in the correct order can lead to poor performance or black screens upon connection to the desktop.

The reference KB can be found here.

The proper order is as follows:

Once this golden master image has been validated, (for instant and linked clones only) take a snapshot to be used as the reference point in time to deploy your stateless desktop pools. It’s usually a good idea to use the comments section to document changes, time, date fixes etc. for future reference.




This concludes the Preparing a Virtual Desktop Lab.


Instant Clones Linked Clones and Full Clone Pools

The section of the lab will provide an overview of Horizon Pools.


Desktop Pools

There are many types of desktop pools that can be created to suit most any use case you may have.

A Horizon desktop pool is a collection of desktops that users can select when they log in using a Horizon client or web browser. A pool can be created based on a subset of users, such as engineering or payroll, but this is not explicitly required.

The goal when creating pools should be to abstract the end user’s profile and applications from the desktop.  Stateless desktops streamline operations from provisioning and upgrading, to high availability and disaster recovery.

VMware provides several tools to help get your environment as stateless as possible.  


Each user is assigned a specific desktop and uses the same one at each logon. Dedicated assignment pools require a 1:1 desktop to user mapping.


Using floating assignment pools lets you create a pool of desktops that can be used by many users. The desktop used can be immediately deleted after logoff and re-created as needed. This configuration can offer the best security and most efficient use of storage.




There are two types of pools.


Automated desktop pools use a vCenter virtual machine template or snapshot to create new desktops. The machines can be created when the pool is created or on demand based on utilization. Automated pools support the following Instant Clones, Linked Clones, vCenter virtual machines, Blast and PCoIP.


Manual desktop pools are a collection of existing vCenter Server VMs, physical computers, or 3rd party virtual machines.

You can also specify how users are assigned desktops in a pool.




You can also specify how users are assigned desktops in a pool


Each user is assigned a specific desktop and uses the same one at each logon. Dedicated assignment pools require a 1:1 desktop to user mapping.


Using floating assignment pools lets you create a pool of desktops that can be used by many users. The desktop used can be immediately deleted after logoff and re-created as needed. This configuration can offer the best security and most efficient use of storage.




When and where to use stateful or stateless desktops is a decision made based on business requirements and intended business use case.

Stateless Desktops:

Stateless desktops provide many advantages over stateful. These benefits include: Lower storage cost, easier to maintain or upgrade and patch, no need to back up the virtual desktops as they are normally destroyed when the user logs off. It makes disaster recovery much simpler when you abstract the user personalized profile data/settings and applications from the desktops. When architected properly end users should not care or even have to know where their desktop is running. Additional tools such as UEUser Environment Manager, and App Volumes make this entirely possible.

Stateful Desktops:

Stateful or persistent desktops require the equivalent of conventional physical desktops. They are treated like any other physical desktop would be but are physically secured in a datacenter running on server class hardware. Stateful desktops require backing up, updates, applications installed like any other physical desktop. They can be centrally managed by tools like SCCM but still are subjected to backing up user data and state somewhere externally. The recovery time is also a consideration to restore should a virus or corruption occur. Stateful desktops consume more storage than stateless desktops as well.




For stateless desktop use cases you can choose between Linked Clones and Instant Clones.

When instant clones first came out, there were several features that linked clones had that were not available to instant clones. Since that time and VMware product updates, Instant Clones actually have a few additional features that Linked Clones do not have.  Instant clones require only a different selection when installing the View agent into the golden master (Instant clone or linked clone) there is no additional server or database requirement to use instant clones other than having the correct agent installed. You may not install both agents (instant and linked clones) on the same desktop as they are mutually exclusive of each other. If you choose to do both it will require 2 separate golden master images. Some of the new features in Horizon 7.5 for instant clones are the Instant Clone API for automated desktop pool creation and deployment, the ability to choose multiple vLANs (port groups) for deployment of pools, and NVIDIA Grid hardware vGPU enabled desktops can also be created as linked clone instances. One of the few tradeoffs for using instant clones is each host running instant clone desktops requires a powered-on parent desktop instance. This parent VM has the same CPU and RAM consumption as the linked clones and should be factored into the host capacity when sizing hosts.




Linked Clones are dependent upon a Windows 201x server and SQL database to run the Composer service. Composer is the mechanism used to create and manage the linked clone desktops. Linked clones allowed desktop pools to be created off of a snap shot (point in time) and deployed.  This is still a supported method of creating stateless desktops, however it is being used less often because of the requirements and single points of failure (SQL database and Composer server). Most deployments are leveraging Instant Clones over Linked clones due to new additional features and less resource consumption.




Full clone desktops are clones deployed from a template desktop in vCenter. The full clone desktops are treated like physical desktops as user data and applications are stored on these desktops. They do not share the same storage saving benefits that linked or instant clone desktops have. Full clone desktops due to their stateful nature can make things like backup and DR more challenging.




In this lab we will be walking through the steps needed to create an Instant Clone desktop pool.





Launch Google Chrome.





  1. Click on Horizon Folder.
  2. Click on Horizon-01-Admin.





  1. Logon with Administrator.
  2. Password is VMware1!
  3. Click Log In.





  1. Expand the Catalog menu.
  2. Click on Desktop Pools.





  1. Click Add this will start the add desktop pool wizard.





  1. Select Automated Desktop Pool.
  2. Click Next.





  1. Choose Floating.
  2. Click Next.





  1. Click Ignore on the More Information PopUp.





  1. Select Instant Clones.
  2. Click Next.





  1. In the ID field type MyPool.
  2. In the Display Name field type MyPool.
  3. Click Next.





  1. Review the desktop pool settings but leave defaults and click Next to continue.





  1. Type a name pattern in the Naming Pattern Blank. MyPool-{n:fixed=2} the 2 indicates to add 2 numbers to the name of the server being deployed.  The first server would be named MyPool-00, ,01,02...05. You can change the 2 to a 3 or 4 depending on naming convention requirements.
  2. Max Number of Machines set to 1.
  3. Click Next.






  1. Click Next to continue.





  1. Click Browse to browse to the parent VM.





  1. Click on base-w10-1709-x64-01 base image.
  2. Click OK.





  1. Click Browse to browse for the snapshot.





  1. Click on IC Desktop Base HoL2019 snapshot.
  2. Click OK.





  1. Click Browse to browse to the folder location for the clones.





  1. Click on Discovered Virtual Machine.
  2. Click OK.





  1. Click Browse to browse clusters.





  1. Click on RegionA01-IC01.
  2. Click OK.





  1. Click Browse on resource pool.





  1. Click on RegionA01-IC01.
  2. Click OK.





  1. Click Browse to browse datastores.





  1. Check the ESX04a-Local datastore.
  2. Click OK.





  1. Click OK to ignore the warning popup.





  1. Click Next to Continue.





  1. Leave all default settings click Next.





  1. Click Finish to complete the pool.





  1. Validate MyPool pool was created. This concludes the Instant Clone Pool deployment lab.



Application Pools and Published Desktop Pools

When creating an application pool or published desktop pool you must specify only one farm. The RDS hosts in a farm can host published desktops, applications, or both. A farm can support at most one published desktop pool, but it can support many application pools.




This section will focus on how to create application pools.





  1. Expand the Catalog menu.
  2. Click on Application Pools.





  1. Click Add this will start the add application pool wizard.





  1. In the drop down box verify RDS Farm - RDSH-01 is selected.
  2. Choose Character Map and Math Input Panel applications by checking the boxes.
  3. Click Next to continue.





  1. Uncheck the Entitle Users after this wizard finishes checkbox.
  2. If you need to rename your applications for your end users that is displayed when launching applications, you would change this under the DISPLAY NAME and ID fields.
  3. Click to Finish to the application pool deployment process.





  1. Verify that the Character_Map and Math_Input_Panel application pools are present.



Hands on Lab Experience Creating an RDS Desktop Pool.

In this lab we will be creating an RDS desktop pool.





  1. Expand the Catalog menu.
  2. Click on Desktop Pools.





  1. Click Add this will start the add desktop pool wizard.





  1. Select RDS Desktop Pool.
  2. Click Next.





  1. Type MyRDSPool for the pool ID.
  2. Type MyRDSPool for the Display Name.
  3. Click Next.





  1. Leave all default options click Next.





  1. Click on RDSH-01 Farm.
  2. Click Next.





  1. Review RDSH Pool settings.
  2. Click Finish to complete the RDS pool deployment process.





  1. Verify the MyRDSPool was created.

This concludes the RDSH Desktop Pool Deployment Lab.



Application and RDS Farms

In order to be able to create RDS Desktops or Publish applications you will need to create RDS farms. An RDS farm is a collection of RDS servers that serve up RDS virtual desktops or that have the same applications installed to provide published applications. You can use full clones, instant clones, or linked clones for this. You also can use physical servers if desired.

Automated Farm:

An automated farm can support Instant Clones, vCenter Virtual Machines, Microsoft RDS Hosts and Linked Clones.

Manual Farm:

vCenter Virtual Machines, Physical Servers, and Microsoft RDS Hosts.



Hands on Lab Experience RDS / Application Farm

This lab will show how you create RDS/Application server farms in View Manager. This process uses Instant Clone servers. Many of the same steps are used in creating Instant Clone desktop pools.





  1. Expand the Resources menu.
  2. Click on Farms.





  1. Click Add to begin adding a server farm node.





  1. Select Automated Farm.
  2. Click Next.





  1. Click Ignore on the More Information popup to continue.





  1. Verify Instant Clones is selected.
  2. Click Next.





  1. In the ID field type MyFarm as the name for your server farm. Review the possible far settings. These will set the farm's personality and function. Accept defaults.
  2. Click Next.





  1. Type a name pattern in the Naming Pattern Blank. FARM-{n:fixed=2} the 2 indicates to add 2 numbers to the name of the server being deployed.  The first server would be named FARM-00, ,01,02...05. You can change the 2 to a 3 or 4 depending on naming convention requirements.
  2. Max Number of Machines set to 1.
  3. Click Next.





  1. Leave the Storage Policy Management defaults and click Next.





  1. Click Browse on Parent VM in vCenter.





  1. Click on base-RDS-01.
  2. Click OK.





  1. On the Snapshot field click Browse.





  1. Click on AppVolAgentInstalled snapshot.
  2. Click OK.





  1. On the VM Folder Location click Browse.





  1. Click on Discovered Virtual Machines.
  2. Click OK.





  1. Click Browse on the Cluster setting.





  1. Click on RegionA01-IC01.
  2. Click OK.





  1. On the Resource Pool setting click Browse.





  1. Click on RegionA01-IC01 resource pool.
  2. Click OK.





  1. Click Browse to browse Datastores.





  1. Check the ESX04a-Local datastore.
  2. Click OK.





  1. You can safely ignore the warning this is because we are using local storage for Instant Clones. Click OK to continue.





  1. Under Networks click Browse.





  1. Uncheck the Use Network From Current Parent VM Image checkbox.
  2. Choose networks (Instant Clones allow multiple port groups, VLANs and Subnets.) Select any of the networks you want to.
  3. Click OK.





  1. Verify settings and Click Next.





  1. Leave the default settings and click Next.





  1. Click FINISH to complete the RDS Farm creation.





  1. Verify MyFarm Instant Clone Farm was created. Please close all browser sessions or open clients to return back to the desktop.

This concludes the Farm Creation Hands on Lab.


Entitling Pools and Applications

Once you have created your desktop pools, RDS host desktops, and application pools, the next step is to provide access to the end users. The process to add users or groups to pools is quite simple. You can add Active Directory users or Groups. We normally recommend adding groups to entitlements and then adding users to the groups. This simplifies administration and can prevent users from continuing to have access to desktops and application pools that they might not require any more (change in role etc.)





  1. Launch Google Chrome.





  1. Click on the Horizon Folder.
  2. Click on Horizon-01-Admin to launch Horizon Manager.





  1. Username: administrator
  2. Password: VMware1!
  3. Click Log In.





  1. Expand Catalog.
  2. Click on Desktop Pools.





  1. Click on IC-Pool1
  2. Click on the Entitlements Drop down
  3. Click on Add Entitlement





  1. Click on Add to start adding an entitlement.





  1. Uncheck Users checkbox.
  2. Type abig in the Name/Username search box.
  3. Click Find wait for enumeration.
  4. Click on ABigTelCo Cloud Org Administrators group.
  5. Click OK.





  1. Verify the ABigTelCo Cloud Org Administrators group is displayed.
  2. Click OK.





  1. Double Click on the Pool  IC-Pool1.

The entitlement process works the same on every type of pool Desktop, Application, RDSH.

Lets validate that we actually have entitled our pool.





  1. Click on the Entitlements Tab





  1. Verify the ABigTelCo Cloud Org Administrators group is listed and entitled from.

Entitlement Verification Completed.





To remove an entitlement from a pool follow the same process.

  1. From the entitlements window Click on ABigTelCo Cloud Org Administrators group.






  1. Click Remove Entitlement.





  1. Click OK to confirm entitlement removal.





  1. Validate ABigTelCo Cloud Org Administrators was successfully removed from IC-Pool1.

This completes the Remove Entitlement Lab. Please close all browsers to return to the desktop.


Horizon Clients Performance Tracker and Help Desk



Hands on Lab Experience Horizon Client for Windows

There are several methods to access Horizon View Desktops and Applications. The most popular and widely used is the Horizon View Client. This client is installed on the end point of choice and pointed to the Horizon View environment. The user logs in and is presented with the desktops and or applications they are entitled to. The full client provides the most features and best end user experience possible.

VMware Horizon client supports most all modern Operating System Platforms.





  1. From the Desktop Launch the Horizon Client.





  1. Click on horizon-01.corp.local.





  1. Logon with Username user2mod3.
  2. Password VMware1!
  3. Click Login.





  1. These are the applications and desktops you are entitled to. Click on one to launch and test the application or desktop.





  1. Try the application and click the red X to close the application.





  1. Click on Instant Clone Pool to launch a Desktop.





  1. Once the desktop appears test the desktop disconnect from view the View Client.





  1. Click on the X to disconnect from the desktop session.





  1. Click OK to confirm.





  1. Click the Disconnect plug to disconnect.





  1. Click OK to confirm disconnect from server.





  1. Click the red X to close the View Client.

This concludes the Horizon Client Lab



Hands On Lab Experience HTML5 Client


The HTML5 Blast client requires only a modern web browser to work and provide access to the end user desktops and applications they are entitled to. It does not require any configuration or installation. You point the web browser to the View environment URL and launch HTML5 client. You will see a list of the desktops and applications you are entitled to. Simply click to launch these desktops or applications in a web browser. The HTML5 Blast client is evolving and catching up with the full client over time. Each View release incorporates more features and fixes as well as a better end user experience.





  1. Launch Google Chrome.





  1. Type https://uag-01.corp.local in the URL box to connect to Horizon via UAG and using HTML5 client.


  1. Click on the VMware Horizon browser shortcut to launch the HTML5 View Client.





  1. Click on the VMware Horizon HTML Access.





  1. Username user2mod3.
  2. Password VMware1!
  3. Click Login.





  1. Click on the Calculator Application to launch via HTML5.





  1. Test out the Calc App in the HTML5 client and click X to close.





  1. To launch the HTML5 desktop click on Instant Clone Pool.





  1. Launch any of the applications test and close the chrome browser tab.





  1. Click the X to close out the HTML5 Client

This concludes the HTML5 client Hands on Lab.



Horizon Performance Tracker

A new feature in Horizon 7.5 is the Performance Tracker. This utility runs inside a remote desktop and monitors performance of the display protocols and system resource usage. This can also be ran as  a published application inside an application pool.





To start the lab launch the VMware Horizon Client.






  1. Click on horizon-01.corp.local.





  1. Username: user2mod3
  2. Password: VMware1!
  3. Click Login.





  1. Click on Instant Clone Pool.





  1. After logon, from the desktop launch VMware Horizon Performance Tracker.





  1. Observe current performance graphs and charts.





Launch MSPAINT or any other of the applications on the desktop and watch the real-time utilization changes of the graphs and charts of Horizon Performance Tracker.





  1. Click on Session Properties and observe the numerous client properties available at a glance.





  1. Click on the X to Close Performance Tracker and Logoff the desktop.





  1. Click on the X to close the View Client.





  1. Click OK to confirm disconnecting from the desktop session.





  1. Click on the Plug icon to close the View Client.





  1. Click OK to confirm Log off from the server.





  1. Click the red X to close the Horizon Client.



Horizon Help Desk Hands on Lab Experience

Horizon Help Desk Tool is a Web application that you can use to get the status of Horizon 7 user sessions and to perform troubleshooting and maintenance operations.

In Horizon Help Desk Tool, you can look up user sessions to troubleshoot problems and perform desktop maintenance operations such as restart or reset desktops.

To configure Horizon Help Desk Tool, you must meet the following requirements:





  1. Launch Google Chrome.





  1. Click on VMware Horizon shortcut.





  1. Click on VMware Horizon HTML Access.





  1. Username: user2mod3
  2. Password: VMware1!
  3. Click Login



Open Desktop Session


  1. Click on Instant Clone Pool.





  1. If you continued from the previous section MS Paint should already be running or if it isn't, Click on MS Paint desktop shortcut to launch.



Minimize Web Browser


  1. Minimize the web browser with the desktop still running by clicking the -





  1. From the desktop Launch the VMware Horizon Client.





  1. Launch a session to horizon-02.corp.local.





  1. Logon as user1mod1.
  2. VMware1! for the password.
  3. Click Login.





  1. Launch a desktop session to the Man-Pool1.



LAUNCH Google Chrome


  1. Launch Google Chrome.





  1. Username: administrator
  2. Password: VMware1!
  3. Click Log In





  1. Click on Horizon Console to Launch.





  1. In the search bar type user2mod3 and press enter.





  1. Click on user2mod3 search results to continue.





  1. Maximize the browser screen or scroll down In the session tab click on the win10ic-1.corp.local link.



Review Session INFO


  1. Scroll down and review all the session information. There are 3 tabs - Details, Processes, Applications.  When finished make sure you scroll down on the Details tab to continue.



Remote Assistance Request


  1. Click on the Remote Assistance Button.





  1. Click on the Down Menu Arrow to open the Remote Session File.
  2. Click Open to open the Remote Request Session file.



Minimize the Desktop Session


  1. Click the - minimize button to minimize the desktop session.



Open HTML 5 Client


  1. Click on the VMware Horizon Google Chrome HTML5 web client desktop session to open back up.



Accept Remote Session Request


  1. Click Yes to accept the Remote Assistance request.





  1. Verify Your helper can now see your desktop status.



Minimize WEB Client Session


  1. Minimize the Web Client by clicking on the - button.





  1. Click on Man-Pool1 the session with the desktop session using the Horizon Client.



Validate Remote Assistance Session


  1. You can see the MS PAINT session in the windowed desktop running.
  2. You can Request Control of the session.
  3. You can also start a Chat session from these menus.





  1. Click on Request Control. (You will see the popup request)





  1. Minimize the running desktop session by clicking the - button.





  1. Click on VMware Horizon - G...



Confirm Remote Control Request


  1. Click Yes to confirm and allow the session to be remotely controlled.





  1. Minimize the Horizon web client by clicking the - button





  1. Restore the Horizon Client by clicking Man-Pool1 session in the taskbar.



Verify Remote Control Function


  1. Validate the remote session is working by drawing on the MS PAINT page. This concludes the LAB. Close all sessions and browsers.
  2. Close all Browser and View Client sessions to return back to the desktop.




VMware Help Desk is a useful tool offering remote control, chat, and session information to help desk service providers.  Important session information including applications and real time performance data can be leveraged when assisting end users.


Role Based Delegation

You can assign predefined administrator roles toHorizon Help Desk Tooladministrators to delegate the troubleshooting tasks between administrator users. You can also create custom roles and add privileges based on the predefined administrator roles.

You can use Horizon Administrator to add, delete, and review permissions for specific administrator users and groups, for specific roles, and for specific access groups. You can use Horizon Administrator to add, modify, and delete custom roles.

If the predefined administrator roles do not meet your needs, you can combine specific privileges to create your own roles in Horizon Administrator.

Horizon Administrator includes predefined roles that you can assign to your administrator users and groups. You can also create your own administrator roles by combining selected privileges.



The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.

Global privileges control system-wide operations, such as viewing and changing global settings. Roles that contain only global privileges cannot be applied to access groups.

Object-specific privileges control operations on specific types of inventory objects. Roles that contain object-specific privileges can be applied to access groups.

Some of the predefined administrator roles contain internal privileges. You cannot select internal privileges when you create custom roles.




To increase the security and manageability of your Horizon 7environment, you should follow best practices when managing administrator users and groups.



Role Bases Access Control Hands on Lab Experience

This lab will cover a few concepts of Role Based Access Control within the Horizon View environment.  There are so many combinations you are limited mostly by your imagination and use cases.





  1. Launch Google Chrome from the Desktop.





  1. Click on the Horizon Folder.
  2. Click on Horizon-01-Admin to launch the Horizon Administrator Console.





  1. Logon as Administrator
  2. Password is VMware1!
  3. Click Log In.





  1. Expand the View Configuration menu.





  1. Click on Administrators.





Observe the default Administrators Role and Access Group /Root the user corp.local\administrator is a member of the Administrators role and has complete control and access over the entire Horizon environment. This role is allowed to create roles, add and remove people from roles, etc



Hands on Lab Experience Create an Access Group

This section will walk you through creating an Access Group. An Access Group is a container to place View objects into and provide granular privileges and permissions to those specific objects for particular administrative functions and roles.





  1. Expand View Configuration menu.





  1. Click on Administrators.





  1. Click on Access Groups Tab.
  2. Click Add Access Group.





  1. Type a Test Access Group for your Access Group name
  2. Click OK.





  1. Verify Test Access Group was created.



Hands on Lab Experience Creating a Role

This section will show you how to leverage pre-made or custom roles to suit your administrative needs. The roles can be defined to give just enough privileges to perform required work duties.





Take a look at the pre defined roles and descriptions. These can be used to quickly add users or groups to Access Groups to delegate administrative tasks as needed. You can also create custom roles to further fine tune as needed.

  1. Click on Roles tab.
  2. Click on Add Role.





This launches the Add Role Wizard.

  1. In the Name field type My New Role.
  2. Check the following Privileges - Manage Reboot Operations, Manage Sessions, Remote Assistance, Console Interaction, and Manage Help Desk.
  3. Click OK.






  1. Verify your custom role was created. This concludes this section.



Hands on Lab Experience Adding Users/ Groups to Roles and Access Groups

This section will show you how to add a domain user or group to View manager and assign a Role and Access Group.





  1. Click on Administrators and Groups tab.
  2. Click on Add User or Group.





  1. Click Add.





  1. Uncheck Groups.
  2. In Name/Username type user1mod1
  3. Click Find.
  4. Click user1mod1.
  5. Click OK.





  1. Click Next.





  1. Click on My New Role that you created in the previous section.
  2. Click Next.





  1. Select Test Access Group you created in previous steps.
  2. Click Finish.





  1. Verify the user corp.local\user1mod1 is added to both your My New Role and Test Access Group.





  1. Expand Catalog menu.
  2. Click Desktop Pools.





  1. Click on IC-Pool.
  2. Click on Access Group dropdown.
  3. Click Change Access Group.





  1. On the Access Group Drop Down Choose your Test Access Group.





  1. Click OK to complete.





  1. Click Logout to exit the Horizon Manager server.

This completes adding the user to a role and access group section of the lab.



Hands on Lab Experience Validate Access Group

This section will have you logon as the user:  user1mod1 a non administrator and verify that your Role and Access Group is working.





Logon to View Manager with the user1mod1 account

  1. Username: user1mod1
  2. Password: VMware1!
  3. Click Log In.





  1. Expand Catalog menu.
  2. Click Desktop Pools.





  1. Notice how the Add, Edit, Clone, Delete buttons are all greyed out. This is the Role Based Control working. Look around and try other operations. In this configuration pretty much everything is greyed out as you will find.

Please close all client and browser sessions before proceeding to the next steps.

This concludes the Role Based Access Lab. Close out all web browser sessions.


Cloud Pod Architecture Overview


Enabling the Horizon Cloud Pod (CPA) feature allows multiple Horizon pods to provide resource access across multiple locations and very large scale implementations seamlessly to the user. You will learn about the fundamental components and walk through the implementation and resource entitlement of Horizon Cloud Pod Architecture.

A key feature of the Horizon Cloud Pod Architecture is the ability to provide high availability and to scale-out virtual desktops in VMware Horizon 7.

This module will provide a high-level overview of enabling and using Cloud Pod Architecture (CPA).



This architecture provides three major benefits





  1. Launch Google Chrome from the Main Console desktop.





  1. Click on the Horizon folder.
  2. Choose Horizon-01-Admin.





  1. Username: administrator
  2. Password: VMware1!
  3. Click Log In.





  1. Expand the View Configuration menu.
  2. Click on Cloud Pod Architecture.





  1. Notice Cluster-HORIZON-01(local) this indicates you are on the HORIZON-01 POD.

Enabling CPA is a quite simple process. This is a high-level overview lab and we have already initialized it for you. It is a minimal risk activity that can be done at anytime. It doesn't require a reboot or outage window to enable.





  1. Expand the Catalog menu.
  2. Click on Global Entitlements.

The Global Entitlements object only exists once you have either initialized CPA or Joined a federation in a POD. You only need to perform this task on a single connection server in the pod.





  1. To start the process of adding a Global Entitlement from within the Global Entitlements window click the Add button. This will start the Global Entitlement wizard.





  1. Choose Desktop Entitlement. CPA Supports both.
  2. Click Next.





  1. Name:My Global Pool.
  2. Select Floating.
  3. Click Next.





  1. Click Add.





  1. Uncheck Groups.
  2. In Name type user1mod1.
  3. Click Find.
  4. Click user1mod1 name to highlight.
  5. Click Ok.





  1. Confirm user1mod1 was added and click Next.





  1. Make sure user1mod1 is added and click Finish to complete Global Entitlement.





  1. Validate My Global Pool was created.





  1. Click on Global Entitlements.
  2. Double click on the Global Entitlement construct you created (My Global Pool) and entitled in the previous steps.





  1. Click on Local Pools.
  2. Click on Add.





  1. Click on IC-Pool1.
  2. Click on Add to add the IC-Pool1 to the CPA entitlement.





  1. Validate that the local pool IC-Pool1 was added to My Global Pool.





  1. Click Add to add a second pool to the entitlement.





  1. Click on MYPool.
  2. Click Add.





  1. Validate 2 pools are added to the global entitlement. Similar pools can be added from CPA enabled VIEW PODS from the same or different View POD. Minimize the web browser.





  1. Launch Horizon Client.





  1. Connect to horizon-01.corp.local.





  1. Logon Username: user1mod1
  2. Password: VMware1!
  3. Click Login.





  1. Click on My Global Pool to launch a desktop session.

Currently all users are entitled to the Instant Clone Pool, which is connected to the Global Entitlement My Global Pool. This is not a best practice. When using CPA entitle only at the Global level and add the pools you want to back the entitlement.

Close out the View Client as well as any web browser sessions to return to the desktop.




This concludes the high-level overview of Cloud Pod Architecture. It provides a hands on look at CPA and exposes a few of the features CPA provides.


Module 4 - Just-in-Time Management Platform (JMP)(90 minutes)

Introduction to JMP

JMP (pronounced jump), which stands for Just-in-Time Management Platform, represents capabilities in VMware Horizon 7 Enterprise Edition that deliver Just-in-Time Desktops and Apps in a flexible, fast, and personalized manner. JMP is composed of the following VMware technologies:

JMP allows components of a desktop or RDSH server to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace when needed.

JMP represents capabilities within Horizon 7 Enterprise Edition version 7.x and Horizon Apps Advanced Edition. These editions include Horizon 7 version 7.x, vSphere 6.x, App Volumes 2.x, User Environment Manager 9.x, and VMware Identity Manager.


How JMP Works


JMP offers an alternative to managing per virtual machine. JMP decouples each aspect of a desktop to allow it to be managed on a per-user or per-group basis. Each component of the desktop is virtualized and managed centrally rather than separately, as is done in a traditional distributed per-VM approach. As illustrated, application-management containers are managed separately from the desktop OS. Similarly, user data files and OS- and application-specific configurations are decoupled from the OS and kept on separate file shares.



Benefits of JMP




1. Seamless and easy access to any app from any device:  



2. Persistent end-user experience in non-persistent environments:  



3. Cost-optimized infrastructure:  



4. Reliability and security:



5. Centralized administration and management:



6. Blast Extreme display technology built on industry-standard H.264:



New JMP Server

Building on the current success using the Just-in-Time Management Platform, VMware introduced a JMP server to provide a workflow based console. This new server is a separate install and will fuse together Active Directory, Horizon 7, UEM and App Volumes to ensure administrators can use a single pane of glass to manage desktop workspaces for users or groups.




3 Step Process - JMP Dynamics


JMP uses a 3-step process to create a Workspace for users and groups:

  1. Identify the User or Groups
  2. Define the Desktop workspace
  3. Dynamically build the solution out from a single administrator pane.


JMP Requirements

Supported versions of the VMware products that comprise the JMP technology must be installed before you can install JMP Server and use the JMP Integrated Workflow features.

The following versions of the VMware products must be installed before you begin installing JMP Server.


Hardware Requirements for JMP Server

You must install JMP Server on a dedicated physical or virtual machine that meets specific hardware requirements.

The following table lists the minimum hardware requirements for a JMP Server instance in a production environment.

Horizon JMP ServerHardware Requirements for a Production Environment





Network Requirements for JMP Server

The physical or virtual machine on which you plan to install JMP Server must be able to reach all product endpoints for all the points of delivery (PoDs) across your network.

Before you begin using the JMP Integrated Workflow features, all the security and CA-signed certificate authentication must already be configured for the JMP Server instance and all the technology endpoints that interact with your JMP Server instance



Database Requirements for JMP Server

The JMP Server installer requires specific SQL Server database versions to perform the JMP Server installation.

JMP Server supports the following SQL Server versions and editions in the two supported workload environments: proof-of-concept (PoC) or production.

Before running the JMP Server installer, you must create the SQL Server database that the JMP Server installer uses during the installation process.

You must also provide the login credentials that the JMP Server installer will use to connect to the SQL Server database that you created. You can select the type of authentication that the JMP Server installer uses. The default used is the Windows authentication. Whether you select the Windows authentication or SQL Server authentication, the login credentials that the JMP Server installer uses must already exist in the SQL Server instance before you can begin installing JMP Server.

In addition, you must create a SQL Server login for the Windows Server user account that you plan to use to install the JMP Server. This Windows user must be configured to have the proper credentials to modify the SQL Server database you created.

If your SQL Server is enabled with TLS encryption, you must export its TLS certificate and import the certificate into your JMP Server instance to enable an encrypted communication with the SQL Server




Supported Web Browser for JMP Integrated Workflow

You access the JMP Integrated Work flow user interface (UI) using the VMware Horizon Console, which is a Web-based application that is installed with VMware Horizon 7 Connection Server version 7.5 and later.

The following Web browsers are supported for use with the JMP Integrated Workflow features.


Explore - New Horizon Console




On the HOL-1951 Main Console Desktop

  1. Select Google Chrome





  1. Click - new TAB in Chrome
  2. Select the Horizon folder
  3. Click - Horizon-01-Admin



Horizon Login


  1. User Name = administrator
  2. Password = VMware1!
  3. Domain = CORP
  4. Click - Log In



New Horizon Console - SSO Option


At the top of the Horizon 7 Administrator Console

  1. Click Horizon Console

This is a built-in link to the new Horizon Console and will create a SSO session using the currently logged on user credentials



New Horizon Console - Direct URL


The New VMware Horizon console can also be accessed directly via the URL

  1. Username = Administrator
  2. Password = VMware1!
  3. Domain = CORP
  4. Click Login



JMP Dashboard - Horizon Console


On entry you are welcomed by the new JMP Dashboard

  1. Scroll down the page to learn more about the features



What's New


Using the traditional setup for a Just-in-Time Desktop Setup, the administrator would login separately to the UEM console, the App Volumes console and the Horizon console to create a single JMP setup as desired. The new JMP console gives the Horizon administrator the ability to orchestrate this (UEM/APPSTACKS/HORIZON) through a single pane of glass. The Helpdesk feature can easily be accessed using the same pane of glass.



Whats Included?




Walk me through the console


  1. Click - Assignments



JMP Assignments


  1. Click New



New Assignment


JMP assignment is the entry point to create a workflow through the new JMP server. The Assignment is defined in 6 sections

  1. Click Cancel to continue
  2. Click Yes

We will not be doing any new assignments during this introduction, but feel free to create workflows in the Advanced Lab HOL-1951-04



Users and Groups


  1. Click - User and Groups





The new Horizon console (B) is consistent with the current Horizon dashboard (A). The broader functionality will be matched in future releases, but the action/tasks for Users and groups including Inventory is evenly matched.



Inventory> Desktops


  1. Click Desktops below the Inventory section

This section will manage any new addition of desktop pools and edit any pre-existing desktops pools. The links highlighted in blue will enable you to drill further into the object exploring the object in more detail and enabling further options.

  1. Click IC-Pool1





Note the extra options highlighted in blue



Inventory> Applications


  1. Click Applications below the Inventory section

The application section will once again expose further details by following the Blue Highlighted links. Applications will expose any configured applications within Horizon that is ready for entitlement, but further more create the opportunity to add a new application either manually or from an already installed application within the RDS farm.





  1. Click Farms below the Inventory section

The farm section within Horizon will allow you to edit and manipulate the already created farm or create a new farm. The farm can only accept a server image, so please note that desktops images will not be exposed at this point. Feel free to browse but not change anything at this point as it will render the rest of the lab incomplete.



Inventory> Machines


  1. Click Machines below the Inventory section

The Machine section will expose any machines already created in the Horizon console, including desktops enabled through the vCenter, RDS Hosts registed and any other machines that has the agent installed.



Inventory> Registered Machines


  1. Click Registered Machines below the Inventory section

Registered RDS Host and the ability to edit, remove, enable or disable the host in this section.





  1. Click Settings

This is the entry point and we need to define the settings here before we can use any of the new JMP features. If the JMP server does not have a green tick and show that the service is established, then all the options will be greyed-out. The JMP server session will be verified each time the user logs on and/or clicks on the Settings tab.

JMP Settings define the relationship between the new JMP server engine and Horizon 7, Active Directory, App Volumes and UEM. This will be further defined in the Horizon 7 Enterprise Advanced lab, HOL-1951-04-VWS.



Horizon 7


  1. Click Horizon 7

The Horizon credentials are needed to establish a true SSL connection to maintain and interact with the current Horizon 7 Administrator Console



Active Directory


  1. Click Active Directory

This will enable the Active Directory integration using LDAP over TLS, LDAPS or LDAP as an option.



App Volumes


  1. Click App Volumes

The App Volumes integration is key to the Just-In-Time setup to provide AppStacks and/or Writable Volumes. The current JMP integration console only provides access to AppStacks.





  1. Click UEM

This is the only setting that only requires a URL to UEM Files Shares in order to function. Any pre-configured UEM personalized settings can be applied via this JMP engine, but cannot create new or edit any UEM settings. The console is used to provide a single pane of glass and not update any functions of UEM.

That concludes the JMP walkthrough.


Create your first Just-In-Time Desktop

In this lesson, you will create your first JMP Desktop.




On the HOL-1951 Main Console Desktop

  1. Select Google Chrome





  1. Click - new TAB in Chrome
  2. Select the Horizon folder
  3. Click - Horizon-01-Admin



Horizon Login


  1. User Name = administrator
  2. Password = VMware1!
  3. Domain = CORP
  4. Click - Log In



Horizon Dashboard


  1. Click the Catalog to expand
  2. Click Desktop Pools

Note: We have an Instant Clone pool that is pre-created. For this exercise we do not have to create Horizon pools, users, UEM personalization or App Stacks as they have been pre-setup. Please look at the module listing for this lab to learn more about the individual components.



Horizon Console


At the top of the Horizon 7 Administrator Console

  1. Click Horizon Console



Horizon Console - Assignments


  1. Click - Assignments



JMP Assignments - New


  1. Click - New



JMP Assignments - Users


  1. Type - User2Mod4
  2. Select the User [User2Mod4]

This is the first step to assign a JMP workflow to a user. We can use a single user or a group at this point.



JMP Assignments - Next


  1. Click - Next



JMP Assignments - Desktops


IC-Pool1 is a pre-created pool and we will assigne the user to this Instant Clone desktop pool as the first part before assigning UEM policies or App Stacks.

  1. Select the pool (ensure IC-Pool1 is highlighted)
  2. Click Next



JMP Assignments - Applications


This section will reach-out to the App Volumes server and show any AppStacks that are currently available. This will only look for AppStacks and not Writable Volumes. Please follow the standard procedure to attach a Writable Volume before or after you created the JMP assignment.

  1. Click and select Multimedia
  2. Click Next



JMP Assignments - UEM


The UEM server will be interrogated at this point and any pre-defined user personalization will be displayed for selection. Personalization policies cannot be created at this point, only selected and applied. There is no consistency check, so ensure by selecting a policy the user will receive the effective/appropriate changes applied via the personalization (ie Select Word only if the user has Word installed). Should you have no need for UEM policies at this point then Select (A) and slide this to YES to disable all UEM settings.

  1. Click and Select Word
  2. Click and Select Visio
  3. Click - Next

We have no WORD or VISIO installed on the desktop, but selected these to see how UEM personalization assignments are created and finally edited during this exercise.



JMP Assignments - Definitions


  1. Feel free to give your Assignment a useful name to ensure consistency in your environment.
  2. This will save a lot of time when you need to duplicate this assignment ensuring the description captures what you assigned.
  3. The user could already have a desktop in the pool selected in the first stage and this would allow for the AppStack to be presented in real time without the need for the user to log out and back in. Alternatively the selection can be left at default (On Next Login)
  4. Click - Next



JMP Assignments - Summary


The final overview screen presented as a summary to the entitlement and assignment of the first 5 steps. When you are satisfied with the selection then click submit or click back to make further changes.

  1. Click Submit



JMP Assignments (Keep this TAB open)


The Status for the assignment will go from Orange to Green when completed. This could take a minute or two and you will see a pop-up asking you to refresh the screen.

At this point you can choose to edit or duplicate the assignment. Should this assignment no longer be relevant then delete the assignment or start a new one.

*** Do not close this TAB in chrome, we will come back later and check the status update.



Chrome - Favorites (NEW TAB)


At the top of the chrome browser:

  1. Open a new TAB and then Click VMware Horizon



VMware Horizon HTML


  1. Click - Horizon HTML Access



VMware Horizon HTML Login


  1. Username = User2Mod4
  2. Password = VMware1!
  3. Click - Login



Instant Clone Pool


  1. Click Instant Clone Pool



Desktop Prepare


Wait while the new desktop is being prepared and the changes applied as per the JMP assignment.



Desktop - VLC


Once the desktop is ready feel free to look at the newly attached App Stack (VLC media player).  Within 6 steps , you selected a user, assigned an App Stack, applied UEM user personalization, ensuring you have a repeatable workflow for Users/Groups, Horizon, UEM and App Volumes.



Windows Sign out


When you are done looking around, please sign out

  1. Click the windows Icon
  2. Click the user Icon
  3. Click Sign out



App Volumes


Having a sneak peak at the App Volumes Dashboard we would notice that the user now has an App Stack assigned and showing as attached in IC-Pool1.



JMP Assignment - Refresh


If the JMP assignment is still orange then click refresh to update the status

  1. Click Refresh
  2. Click User2Mod4_IC-Pool1_My_First_JMP_Workflow




JMP Workflow


This will present the administrator with an overview of the assignment with the option to Edit, Duplicate or Delete the current assignment.




Module 4  topics included and introduction, the JMP requirements, the JMP console and creating your first JMP desktop.


You've finished Module 4


Congratulations on completing  Module 4.

If you are looking for additional information on Horizon 7 JMP, try one of these:

Proceed to any module below which interests you most.




How to End Lab


To end your lab click on the END button.  



Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1951-02-VWS

Version: 20190309-192210