Horizon Cloud on Azure Proof-Of-Concept Deployment Guide

Hello, I am back with the 3rd post on Horizon Cloud on Azure.  This time I wanted to step through what is required for a simple green field Proof-of-Concept.  If you go through the Horizon Cloud on Azure Checklist Guide with the customer then you will have all the required information to start the deployment.

Disclaimer: This information is for lab purposes only and you should consult your VMware or Microsoft team on their products in use.

  • Please note that this document assumes that Active Directory is already configured in Azure.
    • Horizon Cloud does not support Azure AD; it requires Azure Active Directory Domain Services, a hosted Active Directory server, or your data center Active Directory connected via VPN, ExpressRoute or MPLS.
  • The time it took me to complete all steps was around 6 hours.
    • Several steps in Azure take 45 minutes each.
Version 1.0
Contributors: Mark Richards, Staff Systems Engineer EUC


Horizon Cloud on Azure Checklist Guide

Hello, I am back with the 2nd post on Horizon Cloud on Azure.  I have been scheduled for my first Proof-of-Concept with a customer on Horizon Cloud in Azure, but before I can start I need to gather information about the customer's Azure environment. You will have the customer create a few objects in Azure so the deployment can go smoothly.

FYI: I know that you have never had a situation when you went to start a project and found that you did not have the required [insert need here].  I refinished a bathroom last year and even had a comprehensive checklist, but I still made weekly daily hourly runs to HomeDepot, Lowes and Menards.  No matter what someone else tells you, if you did not validate it yourself beforehand then you will spend hours looking for someone to grant you permissions to AD because your AD person is out the day you need them.

[As I ran through the Checklist and searched for the required information, I started to become much more comfortable with the Azure Portal.]

What I like to do is schedule a pre-call with the customer to define the What’s, Why’s, How’s, Who’s and exit success before even scheduling an actual PoC.  I have already done this with my customer and we defined the use case(s), who is part of the PoC and what is their responsibility along with what is considered success.  I like to define the length of the PoC especially since Azure charges by the minute for the resources in use. One last thing collected was the assumptions list.

I then schedule a call to gather the requirements before we can start the deployment using the provided Pre-Req Checklist document. Setup Checklist at this link

The following document can be used as a how-to for completing the Requirements Checklist.  Please open the checklist to become familiar with it and follow along.  This document does not describe why you need the information, only what is needed and where it is located in the Azure portal.

  • The time required to complete and validate the prerequisites will vary depending on access to the Azure Portal and the permissions your customer has.
  • The time it took me to validate this information in my Portal was about 1 – 2 hours.  This excludes the creation of Azure AD Domain Services.
Version 1.01
Contributors: Mark Richards


Horizon Cloud on Azure

Hello and long time no posts. I have been very busy and frankly not a huge fan of  blogging myself, but I assume you know that.

I have been working with the Horizon Cloud product lately (formerly known as Horizon Air) and the capabilities of adding compute capacity into Microsoft Azure.  Yes you read this correctly, you can leverage your Azure subscription or credits to add Horizon Cloud desktop and application compute in.

What does this really mean?

VMware Horizon Cloud has a unified web management for all cloud based desktops and application farms or pools along with user and group entitlements.  Horizon Cloud allows you to choose which “data center” or “cloud” that your compute capacity resides in.  This could be Horizon Cloud data centers, Azure or on-premise and we call this the Horizon Cloud control plane.  Or as VMware documentation states:

Horizon Cloud is a control plane that VMware hosts in the cloud. This cloud service enables the central orchestration and management of remote desktops and applications in your Microsoft Azure capacity.

VMware is responsible for hosting the service and providing feature updates and enhancements for a software-as-a-service experience.

The cloud control plane also hosts a common management user interface referred to as the Horizon Cloud Administration Console, or Administration Console for short. The Administration Console runs in industry-standard browsers and provides IT administrators a single location for management tasks involving user assignments and the virtual desktops, remote desktop sessions, and applications. The Administration Console is accessible from anywhere at any time, providing maximum flexibility.

For on-premise or Azure, Horizon deploys an object called the Horizon Cloud Node, which is responsible for the “cloud or datacenter” connectivity to the Horizon Control plane for management.  This is an outgoing connection from the Horizon node to the Horizon Cloud web management.  For Azure the node is auto deployed and is responsible for the provisioning and brokering of users to Horizon resources, such as session desktops or hosted applications. Or as VMware documentation states:

A Horizon Cloud node, or node for short, has a physical regional location in a Microsoft Azure cloud. In the node deployment wizard, you select where to place the node, according to the regions available for your particular Microsoft Azure subscription. You also select an existing virtual network (vnet) that the node will use in your selected region.

You can deploy more than one node and manage all of them from the Horizon Cloud Administrator Console. The nodes you deploy after the first one can reuse the same vnet as your first node or use different vnets. Also, each node can be in a different Microsoft Azure region, using a vnet in that region.

The node deployment process automatically creates a set of resource groups in your Microsoft Azure capacity. Resource groups are used to organize the assets that the environment needs,

The concept and infrastructure is very easy to understand.  Look at the graphic below and you will notice that Active Directory from on-premise or hosted as an AD server in Azure is connected to a VNET or network in your Azure environment.  VMware Horizon Cloud will create 3 subnets on a VNET network automatically for you. One for management, one for desktops/servers and one for external remote access as a DMZ leveraging VMware Unified Access Gateway (access points, UAG).  The Horizon Node connects to the Horizon Cloud plane and has access to the Azure marketplace and permissions to deploy/create/delete VMs as requested from the Horizon administrator.

Horizon leverages a VM image, clones it as a Base VM, then provisions and syspreps each new VM and adds it to the requested Farm for capacity.

An end user leverages the Horizon Client or an HTML browser to access the Horizon Desktops and Apps by connecting to the Unified Access Gateway in the DMZ or via an MPLS/VPN connection between your site and the Azure instance.  All entitlements leverage your Active Directory Service that is defined as part of the setup.


Learning more

I will be posting a few more articles around the how to gather the pre-reqs and a PoC deploy walk-through over the next several days.

In the meantime more information can be found on VMware.com

VMware Communities on Horizon Cloud Service

Overview on VMware.com

Plan & Design
Horizon Cloud on Microsoft Azure Data Sheet

Install & Configure


RDS Desktop and App Scalability with VMware Horizon Cloud Service on Microsoft Azure



VMware EUC Access Point 2.5 (The one that ships with Horizon 7) and UEM Smart Policies

Last fall I posted the article below, VMware EUC Access Point: What is it and how to get it to work using Curl or Postman and the REST API for quick configuration or changes.  Since Horizon 7 has shipped, I decided it was time to update my lab.  I used the exact same setup as before, but noticed a few new items in the JSON config (these are documented here).  You can now direct Blast Extreme to 443 instead of 8443.  This is one less pinhole in the firewall. +1


The one that caught my eye was "gatewayLocation": "External".  It appears that this value can only be Internal or External.  Why did this catch my eye?  I have been defining VMware User Environment Manager 9 Horizon Policies.

UEM 9 Smart Policies

In UEM 9 you can set up PCoIP policies that are applied on connection or reconnection to a View desktop session.  My policy will be set to apply broadband quality; see the reference chart below.

PCoIP Tuning Policies

PCoIP Policies reference

For UEM Policies you can define conditions that must match before the settings are applied.  My policy has the following conditions that must be matched: the Horizon client property is External (here is where the Access Point value comes into play), you connect to the View Pool called EUC, and your endpoint is on the 172.16.1.x network range.


Now when I connect using the Horizon Client 4 to my Horizon 7 environment from my MIFI (network range 172.16.1.x) the desktop will dynamically tune PCoIP settings for the best performance for my use case.

If you have not looked at VMware User Environment Manager have a look at the VMware Communities or a Technical Overview from Stephane Asselin @ https://www.youtube.com/watch?v=-Ts3C3cjuW4&ab_channel=VMwareEnd-UserComputing

Coming Soon “Load Balancing Horizon View using VMware NSX”

I have been working on a new Hands-On Lab leveraging NSX for Horizon.  This week I will start to publish a guide on setting up load balancing for View Connection Servers and EUC Access Point or Security Servers using the load balancing function from NSX.

As time permits I will also start to add information around the Horizon NSX Fling, my findings around modifying policies and dynamic identity based firewall services to limit east/west traffic.

Load Balancing App Volumes manager is another post that should come in the next few days or weeks.


Stay tuned while I finish up the docs…

VMware User Environment Manager (UEM) and Horizon View RDS Volatile Environment Variables


This document will familiarize you with the use of PowerShell scripting to read and create registry settings based on Horizon View Volatile Environment Variables when connecting to a Remote Desktop Session. This covers a basic deployment for your use in a Proof of Concept or internal testing; you should review that it meets your use case if you intend to use it in a production deployment.

Background information

What is User Environment Management?

User Environment Management is the concept of managing a user’s profile across devices and locations. IT centrally manages policies where, regardless of how delivery is performed, end-users can access their desktops and applications with personalized and consistent settings across devices. User Environment Management is focused entirely on the context of the user, and not the device the user is working on. User Environment Management generally focuses on user profile management, user personalization settings, contextual policy settings, user rights management, license management, and reporting.

What is VMware User Environment Manager?

VMware User Environment Manager offers personalization and dynamic policy configuration across any virtual, physical and cloud-based environment. It is a critical component of Integrated Management (which supports user centric computing and addresses end-to-end application and user management). User Environment Manager can simplify end-user profile management by providing organizations with a single and scalable solution that leverages existing infrastructure. IT can simply map infrastructure (including networks and printer mappings) and dynamically set policies for end users to securely support more use cases. With this solution, end users can also enjoy quick access to their Windows workspace and applications, with a personalized and consistent experience across devices and locations. The net effect—organizations leveraging User Environment Manager can increase workplace productivity while driving down the cost of acquisition and day-to-day desktop support and operations

How does VMware User Environment Manager work?

VMware User Environment Manager allows IT to quickly deliver a personalized environment to end-users at login across different devices and locations. Using dynamic contextual policy control, User Environment Manager gives IT a comprehensive profile management tool that supports physical, virtual, and cloud hosted desktops and applications. These policies deliver a consistent experience that adapts to the end-user’s needs.

What are the benefits of using User Environment Manager?

VMware User Environment Manager provides a single and scalable solution to help customers protect their existing investments and drives down costs. The solution requires minimal infrastructure to get started. It allows IT to deliver dynamic profiles, applications, and user policies—reducing desktop and support costs. It additionally provides end-users with personalized access that follows them across devices and locations in real time

Volatile Environment Variables

Environment variables are a set of string values associated with a process. The Windows Shell process has a number of environment variables associated with it that contain useful information that you can use within your scripts, including:

    • Directories searched by the shell to locate programs (the path).

    • Number of processors, processor manufacturer, and processor architecture of the computer.

    • User profile location.

    • Temporary directory locations.

When a user logs on to Windows, the shell process starts and obtains its initial environment variables by loading both the computer-specific (system) and user-specific (user) environment variables from the registry.

In addition to the computer-specific and user-specific environment variables loaded from the registry, additional process environment variables are generated dynamically during each logon.

What are Volatile Variables used for?

Since the variables are unique to each user, you can use the information to determine the name or IP address of the endpoint the remote user is connecting from.  You can also leverage the information for tools like BGinfo to display certain variables on the user’s desktop.

Client System Information Sent from Horizon View Clients

| Registry Key | Description | Supported Desktops | Supported Client Systems |
|---|---|---|---|
| ViewClient_IP_Address | The IP address of the client system. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_MAC_Address | The MAC address of the client system. | VDI (single-user machine) | Windows, Linux, Mac, Android |
| ViewClient_Machine_Name | The machine name of the client system. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Machine_Domain | The domain of the client system. | VDI (single-user machine) | Windows, Metro |
| ViewClient_LoggedOn_UserName | The user name that was used to log in to the client system. | VDI (single-user machine) | Windows, Linux, Mac |
| ViewClient_LoggedOn_Domainname | The domain name that was used to log in to the client system. | VDI (single-user machine) | Windows, Metro. For Linux and Mac clients, see ViewClient_Machine_Domain. ViewClient_LoggedOn_Domainname is not given by the Linux or Mac client because Linux and Mac accounts are not bound to Windows domains. |
| ViewClient_Type | The thin client name or operating system type of the client system. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Broker_DNS_Name | The DNS name of the View Connection Server instance. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Broker_URL | The URL of the View Connection Server instance. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Broker_Tunneled | The status of the tunnel connection for the View Connection Server, which can be either true (enabled) or false (disabled). | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Broker_Tunnel_URL | The URL of the View Connection Server tunnel connection, if the tunnel connection is enabled. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Broker_Remote_IP_Address | The IP address of the client system that is seen by the View Connection Server instance. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_TZID | The Olson time zone ID. To disable time zone synchronization, enable the View Agent Disable Time Zone Synchronization group policy setting. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS |
| ViewClient_Windows_Timezone | The GMT standard time. To disable time zone synchronization, enable the View Agent Disable Time Zone Synchronization group policy setting. | VDI (single-user machine) | Windows, Metro |
| ViewClient_Broker_DomainName | Domain name used to authenticate to View Connection Server. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Broker_UserName | Username used to authenticate to View Connection Server. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Client_ID | Specifies the Unique Client HardwareId used as a link to the license key. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Displays.Number | Specifies the number of monitors being used on the client. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Displays.Topology | Specifies the arrangement, resolution, and dimensions of displays on the client. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Keyboard.Type | Specifies the type of keyboard being used on the client. For example: Japanese, Korean. | VDI (single-user machine) | |
| ViewClient_Launch_SessionType | Specifies the session type. The type can be desktop or application. | VDI (single-user machine) | Value is sent directly from View Connection Server, not gathered by Horizon Client. |
| ViewClient_Mouse.Identifier | Specifies the type of mouse. | VDI (single-user machine) | |
| ViewClient_Mouse.NumButtons | Specifies the number of buttons supported by the mouse. | VDI (single-user machine) | |
| ViewClient_Mouse.SampleRate | Specifies the rate, in reports per second, at which input from a PS/2 mouse is sampled. | VDI (single-user machine) | |
| ViewClient_Protocol | Specifies the protocol being used. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Language | Specifies the operating system language. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |
| ViewClient_Launch_ID | Specifies the desktop pool Unique ID. | VDI (single-user machine) | Windows, Linux, Mac, Android, iOS, Metro |

The Horizon Clients, Mac, Windows, Linux, iOS, Android, HTML5 and Blast all pass specific information to the desktop or application session.

When a user connects or reconnects to a View desktop, Horizon Client gathers information about the client system and View Connection Server sends that information to the remote desktop.

View Agent writes the client computer information to the system registry path HKEY_CURRENT_USER\Volatile Environment on remote desktops that are deployed on single-user machines.

For remote desktops that are deployed in Remote Desktop Sessions, View Agent writes the client computer information to the system registry path HKCU\Volatile Environment\x, where x is the session ID, on the RDS host.

You can add commands to the View Agent CommandsToRunOnConnect, CommandsToRunOnReconnect, and CommandsToRunOnDisconnect group policy settings to run commands or command scripts that read this information from the system registry when users connect and reconnect to desktops.

Reference: https://pubs.vmware.com/horizon-62-view/topic/com.vmware.horizon-view.desktops.doc/GUID-86ED59AD-3A2C-4B71-8CFE-19B33E76E571.html

Current Challenge

Why is this important?

Since User Environment Manager can customize the end user's experience based on a dynamic configuration, and your users will be connecting “remotely” or from multiple network locations, an array of endpoint types or different sessions (desktop/applications), these Volatile Environment Variables become very valuable for building conditions.

An example of a condition is: When a user is a member of the “Engineering Group” in Active Directory, while NOT connecting from a local ip network range and connecting from a MacBook, then Map M: to \\unc\path\directory and map CutePDF as the default printer.

RDS Session Challenge

For remote desktops that are deployed in RDS sessions or Hosted Applications, the View Agent writes the client computer information to the system registry path HKCU\Volatile Environment\x, where x is the session ID, on the RDS host instead of the HKCU\Volatile Environment that is on a desktop.

Since the location for the variables in the registry is different for each user, it becomes almost impossible to create dynamic configurations based on the variable conditions in UEM.  You must know the path to the registry variable to test that condition.  

Today, based on Horizon 6.2 with User Environment Manager 8.7 we have no way to retrieve the Session # and populate that # in the condition, thus the challenge we face.

View Volatile Environment Variables for RDS Sessions

Script Solution

To overcome the challenge on RDS hosts we need to create a script to retrieve the correct variable from your session and populate those elsewhere.

This solution leverages PowerShell to read the variables and write them back to another registry location that is still volatile.

PowerShell script

 This script will read the defined registry values from the HKCU\Volatile Environment\SESSION #\Variables and re-write them to HKCU\Environment\Variables for use in User Environment Manager or custom scripts.

You can cut and paste this script to a file called ViewVariables.ps1 or download from here http://bit.ly/ViewVariables

    # Mark Richards
    # Staff Systems Engineer at VMware

    <#
    .SYNOPSIS
        Finds the RDS session ID of a given user.
    .DESCRIPTION
        Query session in order to get the given user's session ID.
    .EXAMPLE
        Get-RDSSessionId -UserName johndoe
    #>
    function Get-RDSSessionId
    {
        [CmdletBinding()]
        param
        (
            # Identifies a user name (default: current user)
            [Parameter(ValueFromPipeline = $true)]
            [string]
            $UserName = $env:USERNAME
        )

        $returnValue = $null
        try
        {
            $ErrorActionPreference = 'Stop'
            # Turn the column output of query.exe into CSV so the ID column can be read by name
            $output = query.exe session $UserName |
                ForEach-Object {$_.Trim() -replace '\s+', ','} |
                ConvertFrom-Csv
            $returnValue = $output.ID
        }
        catch
        {
            $_.Exception | Write-Error
        }
        New-Object psobject $returnValue
    }

    function Get-RDSClientName
    {
        [CmdletBinding()]
        param
        (
            # Identifies a RDS session ID
            [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
            [string]
            $SessionId
        )

        $regKey = 'HKCU:\Volatile Environment\{0}' -f $SessionId
        $target = 'HKCU:\Environment'
        # Values that View Agent writes under the per-session key
        $names = @(
            'ViewClient_IP_Address', 'ViewClient_MAC_Address', 'ViewClient_Machine_Name',
            'ViewClient_Machine_Domain', 'ViewClient_LoggedOn_UserName', 'ViewClient_LoggedOn_Domainname',
            'ViewClient_Type', 'ViewClient_Broker_DNS_Name', 'ViewClient_Broker_URL',
            'ViewClient_Broker_Tunneled', 'ViewClient_Broker_Tunnel_URL', 'ViewClient_Broker_Remote_IP_Address',
            'ViewClient_TZID', 'ViewClient_Windows_Timezone', 'ViewClient_Broker_DomainName',
            'ViewClient_Broker_UserName', 'ViewClient_Client_ID', 'ViewClient_Displays.Number',
            'ViewClient_Displays.Topology', 'ViewClient_Keyboard.Type', 'ViewClient_Launch_SessionType',
            'ViewClient_Mouse.Identifier', 'ViewClient_Mouse.NumButtons', 'ViewClient_Mouse.SampleRate',
            'ViewClient_Protocol', 'ViewClient_Language', 'ViewClient_Launch_ID'
        )
        try
        {
            $ErrorActionPreference = 'Stop'
            $regKeyValues = Get-ItemProperty $regKey
            $sessionName = $regKeyValues | ForEach-Object {$_.SESSIONNAME}
            if ($sessionName -ne 'Console')
            {
                # Copy each value that is present to HKCU:\Environment, as described above.
                # The write step is not shown in the published listing; Set-ItemProperty is assumed here.
                # Looking the name up as a string also handles names that contain a dot.
                foreach ($name in $names)
                {
                    $property = $regKeyValues.PSObject.Properties[$name]
                    if ($null -ne $property)
                    {
                        Set-ItemProperty -Path $target -Name $name -Value $property.Value
                    }
                }
            }
            else
            {
                Write-Warning 'Console session'
            }
        }
        catch
        {
            $_.Exception | Write-Error
        }
    }

    Get-RDSSessionId | Get-RDSClientName

UEM and RDS Specific setup

There are several specific settings that will need to be made to your RDS host(s).

Please see Dale Carter’s blog on VMware User Environment Manager Deployed in 60 Minutes or Less for your initial setup and the User Environment Manager Admin Guide for detailed information. You should also bookmark the VMware End-User-Computing TV link for all your User Environment Manager needs.

You will need to install the UEM agent on your RDS servers.

Create a .BAT file to easily launch the PowerShell Script

Create a ViewVariables.bat file that contains the logic to launch the PowerShell script.

The script should contain the following.

c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "& '\\fileserver\software\ViewVariables.ps1'"

Note the \\unc-path to your ViewVariables PowerShell Script.

Script location

Copy the ViewVariables.ps1 and ViewVariables.bat files to a UNC path that all RDS hosts and users can access.

Mine is \\fileserver\software\
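
The logon and triggered tasks run whatever sits at this UNC path inside every user's session, so the folder should be readable but not writable by ordinary users. The check below is an added example, not part of the original post; the function name Test-ScriptShareAcl is hypothetical and the default path is the one used above.

```powershell
# Added example (not from the original post). Test-ScriptShareAcl is a hypothetical name.
# Lists NTFS "Allow" entries on the script folder and the two script files that let a
# non-administrative identity change, delete or re-permission what runs at logon.
function Test-ScriptShareAcl
{
    [CmdletBinding()]
    param
    (
        [string]   $Path     = '\\fileserver\software',
        [string[]] $FileName = @('ViewVariables.ps1', 'ViewVariables.bat')
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    # Specific write-type rights, plus the raw GENERIC_WRITE (0x40000000) and
    # GENERIC_ALL (0x10000000) bits that some ACEs carry instead of specific rights
    $writeMask = [int] ($rights::WriteData -bor $rights::AppendData -bor $rights::Delete -bor
                        $rights::DeleteSubdirectoriesAndFiles -bor $rights::ChangePermissions -bor
                        $rights::TakeOwnership) -bor 0x40000000 -bor 0x10000000

    # Identities that are expected to hold write access
    $sidType = [System.Security.Principal.WellKnownSidType]
    $trusted = @($sidType::LocalSystemSid, $sidType::BuiltinAdministratorsSid, $sidType::AccountDomainAdminsSid)
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $targets = @($Path) + @($FileName | ForEach-Object { Join-Path $Path $_ })
    foreach ($target in $targets)
    {
        if (-not (Test-Path -LiteralPath $target))
        {
            Write-Warning "Not found: $target"
            continue
        }
        foreach ($rule in (Get-Acl -LiteralPath $target).Access)
        {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries do not apply to the object they are set on
            if ($rule.PropagationFlags -band $inheritOnly) { continue }
            if (-not ([int] $rule.FileSystemRights -band $writeMask)) { continue }

            try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { $sid = $null }   # unresolvable account: report it rather than trust it

            $isTrusted = $false
            if ($sid)
            {
                foreach ($type in $trusted)
                {
                    if ($sid.IsWellKnown($type)) { $isTrusted = $true }
                }
            }
            if (-not $isTrusted)
            {
                [pscustomobject]@{
                    Path      = $target
                    Identity  = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# No output means no unexpected write access was found at the NTFS level
Test-ScriptShareAcl | Format-Table -AutoSize
```

This covers NTFS permissions only; share-level permissions are a separate check on the file server, for example with Get-SmbShareAccess.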

UEM Configuration for RDS use

User Environment Logon Tasks

Since we need the variables to be available for other configurations you will want to configure a Logon Task to launch the script.

This task will run a script located on a \\unc\path for any user that logs on to a server name that starts with RDS.

Logon Task Setup

To create a task for each logon to any RDS host you will need to open the UEM manager and go to

    1. User Environment
    2. Click on Logon Tasks
    3. Click on Create
    4. Click on Settings
    5. Give your task a Name
    6. Define your Settings specifically the Command that is your \\UNC-Path\ViewVariables.bat file.  You will also want to Run the task before the profile archive import.


Define Conditions for the Task

I am limiting this task to only run while connecting to one of my RDS hosts.

    1. Click on Conditions
    2. Click on Add and
    3. Choose Environment Variable.  All of my RDS servers start with the netbios name of RDS-01, RDS-02, RDS-03 so you can see my rule matches ComputerName that Starts with RDS

Save your conditions and you're ready to test.

User Environment Triggered Tasks

One of the benefits of a remote session is that you can connect from multiple locations and multiple device types when you are leveraging an RDS session. Many times your users are still logged on to the RDS server, but their session is disconnected.  Because these variables need to be updated on every connection to be available for other configurations, you will want to configure a Triggered Task to launch the script.

This task will run a script located on a \\unc\path for any user that logs on to a server name that starts with RDS.

Triggered Tasks

To define the task:

    1. Go to the User Environment tab in the Manager
    2. Click Triggered Tasks
    3. Select Create
    4. In the dialog select Settings
    5. Give your Task a name
    6. Define your settings for the Trigger:  Reconnect session, Run custom command and point to your ViewVariables.bat file

Save your task for testing

Condition Sets

Conditions are used to control whether and when certain User Environment Manager actions are performed, and condition sets are used to centrally group conditions that are then available for reuse.

Create a Condition Set

I create Condition Sets for easy reuse when multiple conditions are required.

    1. Click on the Condition Sets tab
    2. Click Create
    3. Make sure you’re on the Settings tab
    4. Give your Condition Set a Name
    5. Define your conditions by clicking Add and defining all of your required rules.  
    6. For me, I am checking to see if a user is connected to a Hosted Application and only if they are connecting from a Windows or Mac client.

This set allows me to apply the same conditions to multiple configurations.



I have an application that I created based on Firefox that sets the user agent on Firefox to act like it is being run from an iPad.  I am using a Predefined Setting to set the configuration of the browser, but I do not want this policy/configuration to execute for the application when run from a mobile device.

    1. I created a Personalization
    2. Named it Firefox-iPad
    3. Set my conditions leveraging my Condition Set


Test your configuration

Now that I have the scripts located and tasks defined I can move to testing.

Hosted Application

You can see that I have published RegEdit as a Hosted Application running in my Horizon View 6.2 environment.  I launch the application from my Macbook and once it is running I go to check the Volatile Environment variables in the registry.  You will notice that I have the session number 1, so my variables are located under that session #.


Script Results

Now I navigated to the registry location to which the script copies all of the variables.  See HKCU\Environment; the variables will be the same.

You should be able to log off and/or reconnect, and those variables will be updated.
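
The same comparison can be scripted instead of being read off in RegEdit. The following is an added example, not part of the original post: the function names are hypothetical, and it takes the session ID from the running process rather than from query.exe, on the assumption that it is run inside the user's RDS session. StaleCopy marks a value that exists in HKCU\Environment but not in the current session key, for example one left behind by an earlier connection from a different client type.

```powershell
# Added example (not from the original post). Function names are hypothetical.

# Returns the ViewClient_* values of one registry key as a name/value hashtable
function Get-ViewClientValue
{
    param ([Parameter(Mandatory = $true)] [string] $KeyPath)

    $values = @{}
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($item)
    {
        foreach ($property in $item.PSObject.Properties)
        {
            if ($property.Name -like 'ViewClient_*')
            {
                $values[$property.Name] = [string] $property.Value
            }
        }
    }
    $values
}

# Compares HKCU:\Volatile Environment\<session ID> with the copies in HKCU:\Environment
function Compare-ViewVariable
{
    [CmdletBinding()]
    param
    (
        # Defaults to the session this process runs in, so no query.exe parsing is needed
        [int]    $SessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId,
        [string] $TargetKey = 'HKCU:\Environment'
    )

    $sourceKey = 'HKCU:\Volatile Environment\{0}' -f $SessionId
    if (-not (Test-Path -LiteralPath $sourceKey))
    {
        Write-Warning "No per-session key found at $sourceKey"
        return
    }

    $source = Get-ViewClientValue -KeyPath $sourceKey
    $copy   = Get-ViewClientValue -KeyPath $TargetKey

    foreach ($name in (@($source.Keys) + @($copy.Keys) | Sort-Object -Unique))
    {
        if (-not $copy.ContainsKey($name))       { $status = 'MissingCopy' }   # script did not copy it
        elseif (-not $source.ContainsKey($name)) { $status = 'StaleCopy' }     # copy has no current source
        elseif ($source[$name] -ne $copy[$name]) { $status = 'Mismatch' }      # copy is out of date
        else                                     { $status = 'Match' }

        [pscustomobject]@{
            Name         = $name
            Status       = $status
            SessionValue = $source[$name]
            CopiedValue  = $copy[$name]
        }
    }
}

# Show only the values that need attention; no output means every copy matches
Compare-ViewVariable | Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

Run it once after logon and again after reconnecting from a different client to confirm that both the Logon Task and the Triggered Task refresh the copies.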


User Environment Manager is very powerful and with the correct conditions can be extremely granular providing user environment setup or application configuration management. Leveraging custom scripts will allow you to enhance your deployment and manage every use case that comes your way.


Dale Carter’s blog on VMware User Environment Manager Deployed in 60 Minutes or Less

VMware End-User-Computing TV

User Environment Manager Administrator’s Guide

VMware Horizon 6 Documentation

Horizon View for K-12 Standardized Testing Client

Standardized Testing Client


This document is a cookbook that will familiarize you with the creation of a client used for standardized testing while limiting the possibility for a student to break out of the session. This covers a basic deployment for your use in a Proof of Concept or internal testing; it is not intended for a production deployment.

Background information

I have been working with several different K-12 school districts across an array of States on a common issue around Standardized Testing.  If you are not familiar with these Standardized tests, then think back to your grade school days and coloring those little circles with your #2 pencil.  These tests are now all online and provided by companies like Pearson.

The issue that these schools have is the number of endpoints for students to take the test using a certified platform to limit the possibility to cheat.  Just think if you could Google for answers to those questions like “If a train leaves Chicago at noon carrying 20 passengers, 5 of whom smoke, in 4 cars, what is the name of the conductor’s dog?”

 The solution to the first issue is leveraging VMware Horizon View for a certified secure locked down desktop that only has access to the testing site.  This is a View pool that can dynamically grow or shrink to meet the needs of each school.  This part should be straight forward, but I will point out a few small changes that could help your deployment.

I should also mention that if your school district does not have the resources to run Horizon View on premise then this solution will work with cloud based desktops running in Horizon Air.  This is a great option due to the cloud bursting capabilities and the utility cost structure.  Pay for what you use when you need it.  I will create a follow up to this with more specifics in the near future.

The second issue is that many school districts are allowing students to “BYO” or bring your own laptop to school.  This is a great option since it lowers the cost to the schools while providing standard desktop and applications to the students for the whole school year.  The concern is that the school has no administrative rights or permissions to manage those devices.  So how do I provide a certified desktop for Standardized testing to un-managed endpoints?

The solution that I am working on is building a simple application that will auto connect a Windows based endpoint to your Horizon View pool in full screen, hide the desktop ribbon or shade and disable USB.  The only way out of the View desktop is to log off the VM or disrupt the connection.  This would require the student to re-launch the application and a proctor or instructor to log them back into the standardized testing application, thus making it known that the student stopped their test.

Over the next two sections I will step you through the quick creation of what we will call the recipe for a Horizon Standardized Test Client.

Horizon View Pool Configuration:

I will step you through the configurations in VMware Horizon View for a certified secure locked down pool.

Create a Desktop Pool specific to the use case.

From your View Administrator you will

  1. Click on the Desktop Pools under the Inventory Catalog
  2. Choose Add… to start the desktop pool wizard

Define the characteristics of the desktop pool type

For this desktop pool you will want an Automated Pool that will allow dynamic provisioning of the number of VMs available.

Desktop User Assignment

Select Floating user assignment to allow access to any desktop in the pool since they will be used for the exact same application and there is no need for user persona.  This will also allow you to define advanced characteristics for provisioning.

Define Provisioning Type

For provisioning of the virtual machines you will want to choose

  1. View Composer linked clones.  Linked Clones share the same base image and use less storage space while each VM is independent of the others.
  2. Select your vCenter Server that will be used for provisioning and manages your gold master image.

Desktop Pool Identification

You will need to define the desktop pool names and identity

  1. Give your Pool a unique name
  2. Give your Pool the name you want the end user to see.  This name will be used when we build the client
  3. Optionally define your Access group and add a description

Desktop Pool Settings

In this section you will define several key options for the best practices on the use case for Standardized testing

  1. To ensure that all the VMs that you have provisioned are ready for use you should change the power policy to Ensure machines are always powered on
  2. This next setting is key to ensure that when an endpoint disconnects from a View desktop in this pool the user is Immediately logged off Windows.  This makes it impossible for one user to gain access to a desktop another user is logged in to, or for that same user to return to the same desktop without re-logging into the testing application.
  3. The new feature that will Allow a user to connect to a new virtual machine when using a different endpoint is also key to enabling a Kiosk type mode.  Basically set this feature to yes and you can use a single user id and password to connect to a unique desktop for each endpoint.
  4. Now to ensure that your virtual machines meet the certification and lock down state each and every time, you will want to Refresh the VM immediately after logoff.  Remember the setting in #2 ?  When combined with this setting, your VMs will revert to a known good snapshot state every time an endpoint or user disconnects.
  5. Set your Display Protocol features to meet your testing needs

Define Provisioning Settings

For the provisioning settings you will want to define

  1. The naming pattern for the Windows VMs.  This will also be the name of the Windows netbios and Active Directory object
  2. Define your Pool size.  What is the maximum number of desktops that you will need during a testing week and add 10-15%, then define the number of VMs that are in an available state or spares.  One way to think of these settings: the max is the largest possible number of sessions and the spares are the number that you want to make sure are always ready.  As an example, Sister Delores Marie’s class of 25 is scheduled for testing next week.  This is the same week that Mr. K’s class of 40 is scheduled.  Your maximum number of desktop sessions would be 65 but to “avoid the noid” you might add 10 more desktops to the max and set your powered on machines at 65.
  3. For provisioning timing, you will want to decide if you want all 75 VMs created up front or if you want the pool to be dynamic.

Continue through the wizard to Choose your gold master image

Choose the master VM that you will use to create the linked cloned desktops.

Continue to the Guest Customization

Once you completed the other components of the wizard you will define the guest customization

  1. Select the Active Directory Domain that your VMs will be created in
  2. Choose the OU where the desktops will live.  This is important since you will probably create specific Group Policies that will lock down the desktop like PCoIP settings including no USB, limit the Audio, disable clipboard redirection and other standard Windows machine policies.
  3. Optionally select the Allow reuse of pre-existing computer accounts. This will update the computer object in AD once a VM is “refreshed” or “recomposed” during provisioning actions

Complete the rest of the wizard to start creating the desktop pool.

Entitle User(s) to the testing machine

To entitle a user(s) to have access to those desktops you just created you will

  1. Select the pool you created
  2. Click on Entitlements and then Add entitlement

Entitle your “kiosk” user(s) to access the pool

For this use case I have created a single user that can login to Active Directory multiple times that will be used to authenticate to Horizon View and single sign-on to the Windows desktop.

  1. Click Add…
  2. In the find user or group dialog search on your user(s). Mine is Test User
  3. Select your user(s) and
  4. Click Ok to add those users

Standardized Desktop Pool setup is complete

You have now set up your desktop pool to allow a single user id to connect to a unique desktop from any endpoint for the use of the testing application(s) while ensuring a clean desktop every time someone disconnects from a session.

Note: You should review the Group Policy settings and requirements for a certified testing desktop and apply the required policies.  I have used VMware User Environment Manager to apply user based policies and user environment settings to achieve a locked desktop.  This will be covered in the future.

Creating a ThinApp package for Standardized Testing

“Horizon Standardized Testing Client” using ThinApp and the AutoConnect fling

As stated in the background, this solution is a simple application that will auto connect a Windows based endpoint to your Horizon View pool in full screen, hide the desktop ribbon or shade and disable USB.  The only way out of the View desktop is to log off the VM or disrupt the connection.  This would require the student to re-launch the application and a proctor or instructor to log them back in to the standardized testing application, thus making it known that the student stopped their test.

This recipe will require VMware ThinApp as well as the View Auto-Connection Utility fling.  See https://labs.vmware.com/flings/view-auto-connection-utility for more information on the utility.

Start your ThinApp Setup Capture process

On your ThinApp capture desktop you will need to install a few applications as pre-requisites:

  • .Net 4.5
  • Horizon View Client
  • Auto-Connection Utility (Copy but DO NOT RUN prior to the next steps)

 Launch the ThinApp Setup Capture process from

  1. Windows Start, VMware, ThinApp Setup Capture

Note: You can capture all the requirements in a single ThinApp package, but the application size will be in excess of 1GB due to .Net

Prescan the workstation

Click Prescan to continue

Create a new folder for the AutoConnect Utility

From Windows Explorer you will need to create a folder to use for the AutoConnection Utility.

  1. Go to your C:\Program Files (x86)\
  2. Right click in the folder and choose New
  3. Select Folder
  4. Give your folder a name like Horizon AutoConnect

Copy the application files

Since the View AutoConnection Utility does not have an installer and only a zip file, you will need to extract the files.

  1. Copy View_AutoConnect.exe file to your folder created in the step above.  

I have also included an icon (.ICO) file that I will use to customize the ThinApp package, this is optional.

Review your folder contents

Validate that your files are located in the correct folder

Create a desktop shortcut

For this recipe I want a shortcut / launcher on the desktop of every machine it will be installed on.

  1. Right-Click on the View_AutoConnect file
  2. Select Send to
  3. Choose Desktop (create shortcut)

Modify the desktop shortcut

Now that you have created the desktop shortcut, we will modify it to represent your customizations

  1. From the desktop, Right-Click on the View_AutoConnect – Shortcut
  2. Select Properties

Name your client app

  1. From the properties select the General tab
  2. Give your application a name.  For this recipe I have chosen Horizon Standardized Testing Client.  This is the name that will show up for the shortcut application on the user’s desktop.

Customize your application’s icon

I wanted to change the icon to a specific icon for my application.

  1. From the Shortcut tab
  2. Select Change Icon…
  3. Then Select Browse…

Browse to your custom icon file

Click open on the .ICO file that was copied earlier.  Make sure that your icon file is located in the folder you created or part of the Windows desktop.

Review your changes

Review your changes and validate your icon is correct.  If so then click OK to continue.

Review your desktop shortcut and launch to configure

Now that you modified the properties of your shortcut you will want to review them before continuing.

Notice that your icon and name have changed to reflect the customizations.

If the shortcut looks correct, double click to launch the application

Configure the AutoConnect Settings

This step is the most important for setting up the correct variables.  These variables / settings will define how your application will act.

  1. Choose the Desktop radio button
  2. Specify the name of your View Desktop Pool.  I choose Standardized Testing as the name when I created the pool earlier.
  3. Choose PCOIP for the desktop Protocol.  This allows you to leverage Group Policies to fine tune the users experience while providing a secure encrypted connection
  4. Specify the DNS name of your View Connection Server.  Mine is hv.therandomone.net
  5. Now for correct authentication to work automatically ( single sign-on ) to the desktop you will want to embed the Username, Password and Active Directory domain information.  When the application is launched, it will authenticate to the specified View Connection Server while passing these credentials into the desktop.
  6. Check the Quit Application when Session Ends to ensure that nothing remains running on the endpoint after the user or desktop session is disconnected
  7. From the drop down choose fullscreen for the Desktop Layout.
  8. To ensure the fullscreen desktop session has no desktop shade, check the option
  9. Launch Desktop Session Silently
  10. Hide the View Client After Launch option will make sure that the View client is minimized while the desktop connection is maximized and in the foreground.
  11. Click the Use Custom Command String to populate your choices
  12. Finally Click the Enable AutoConnection to invoke the settings for use.


Review the AutoConnect Settings

Review the options and settings in the Auto Connection Utility

For this recipe the Auto Connection Utility will launch the Horizon View Client and login as TheRandomOne\TestUser to hv.therandomone.net, connect to a fullscreen desktop from the Standardized Testing pool using PCOIP and hide the desktop shade.

Exit the AutoConnection Utility

Exit the Auto Connection Utility so you can continue the ThinApp Capture process.

Complete the ThinApp Setup Capture Process

From the ThinApp dialog choose Postscan for ThinApp to capture the changes.

Choose your Application Executables

If you’re not familiar with ThinApp, you need to choose what entry point or what file you want to represent the executable.

  1. I choose Horizon Standardized Testing Client, this is the same name as the desktop shortcut that was created earlier.
  2. Click Next to continue the process

Select Isolation mode

Please review Peter Bjork’s blog to understand isolation mode. https://blogs.vmware.com/thinapp/2011/04/thinapp-isolation-modes-explained.html 

Since the settings defined in the AutoConnection utility write to the local registry and may conflict with existing defined settings you will want to isolate those to the ThinApp package.  The ThinApp package will only use the settings in this application and will ignore any conflicting ones from the local os.

This is a very important step that will ensure every endpoint will launch exactly the same way.

Name the Application for Windows Inventory

Give your ThinApp application a name.  I chose the same as my desktop shortcut, but you can name it anything you want.

ThinApp Package Settings

For this recipe I want a single executable that contains all the code required to run so I have chosen Use one of the entry points.

I also would like to make this package installable or distributable as an MSI. The MSI “install” of a ThinApp package copies the EXE and any other entry point files to a directory on the local os as well as registers the applications with Windows add/remove programs for inventory.

If you installed .Net and the Horizon Client during your capture process, you should choose Use a separate .DAT file instead of the EXE.  A large EXE will create false positives for most anti-virus applications and the .DAT file will allow you to have a small .EXE and reference the .DAT file for the application package.

Finish the build process

Now that you have defined all of the settings for this ThinApp application, you need to “build” the isolated single EXE using the wizard.

Once you are finished with the building of the package, you will want to copy the EXE and MSI files from the captures\bin directory to a different endpoint to test.

Testing Video:

You are all set to start a test and validate your settings are correct.

Start the video to see the Client in action.

Notice in the video that the student’s desktop has a custom background.  When the application is launched you will see it auto-connect to the custom View desktop.


If the video will not play, go to https://youtu.be/LmvqPftOvwI to watch it


Chris Halstead’s Horizon Auto Connection Utility fling

 Peter Bjork’s blog on ThinApp

VMware EUC Access Point, part 2 OVFtool deployment

I was talking to Mark Benson the other day on the futures of EUC Access Point ( you will have to wait but you will like it once it is released ) and we started to talk about the deployment and how “desktop folks” don’t normally deal with edge devices like EUC Access Point.  I stated that the setup is a little confusing and the documentation is somewhat lacking.  During our talk he posed an interesting point.  “Why not just use the OVFTOOL and do a command line deployment ?  The OVA deploys in just a few minutes.”  This got me thinking and thus I went on a little deployment adventure.

Deployment Adventure Time ( I wish I had Jake and Finn to join me on this one )

This is for your background information on OVF deployment documentation for EUC Access Point https://pubs.vmware.com/horizon-62-view/topic/com.vmware.horizon-ap.deploy-config.doc/GUID-658A266E-989B-43F9-AF64-95D442FD456B.html

Now the first thing I did was go and download the latest version of the Windows OVFTool.  Once I installed the code I edited my environment variables to include the ovftool.exe in the PATH.  Ok the hard part is done right ?  How hard can it be to deploy an OVA/OVF from a command line ?

The command line is actually straightforward once you figure out all of the switches.  My command is below using the same information from the previous post.  I did attempt this many many times before I was successful.  I am going to dissect the statement so you can follow along and update your own EUC Access Point.

Please note that this is a single line and is wrapped due to length.

ovftool --X:enableHiddenProperties --powerOffTarget --powerOn --overwrite --vmFolder="Horizon View/Access Point" ^
--net:Internet="Virtual Machine Network" --net:ManagementNetwork="Management" --net:BackendNetwork="Infrastructure" ^
--deploymentOption=onenic --prop:ip0= --prop:DNS= ^
-ds="Storage" -dm=thin --name=AP01 --ipAllocationPolicy=fixedPolicy ^
--prop:adminPassword=AdM1n! --prop:rootPassword=rootpwd1! ^
--prop:settingsJSON="{\"edgeServiceSettingsList\": { \"edgeServiceSettingsList\": ^
[ { \"identifier\": \"VIEW\", \"enabled\": true, \"proxyDestinationUrl\": \"https://hvrs.therandomone.net:443\", ^
\"proxyDestinationUrlThumbprints\": \"sha1=01 f6 8f 8e b6 e0 a9 08 57 45 4c 47 2a 27 3e 9d 1a aa 85 98\", ^
\"pcoipEnabled\": true, \"pcoipExternalUrl\": \"\", ^
\"blastEnabled\": true, \"blastExternalUrl\": \"hv.therandomone.net:8443\", ^
\"tunnelEnabled\": true, \"tunnelExternalUrl\": \"hv.therandomone.net:8443\", ^
\"proxyPattern\":\"/\" } ] }}" ^
euc-access-point- ^
vi://vcenter.therandomone.net/"Random Labs"/host/esxi.therandomone.net/

The first part of the command ovftool --X:enableHiddenProperties --powerOffTarget --powerOn --overwrite --vmFolder="Horizon View/Access Point" ^ calls the ovftool, and --powerOn will force the VM to turn on once it is deployed. The next part specifies the folder and if you would like to overwrite any existing VM with the same name.  I changed my name so I left that. The --vmFolder="Horizon View/Access Point" will create the VM in the root vm folder called Horizon View and the sub folder called Access Point.  Please note the " " to allow for spaces.

The second part of the command line --net:Internet="Virtual Machine Network" --net:ManagementNetwork="Management" --net:BackendNetwork="Infrastructure" ^ will specify the networks from the OVF wizard and match those to your vSwitch or dVS.  For me I have the --net:Internet="Virtual Machine Network" as my edge public facing adapter and my vSwitch is called "Virtual Machine Network".  You will need to do the same for the Management and Backend network adapters.  In a single NIC deployment you can use the same virtual switch.

The third part of this looooong command line --deploymentOption=onenic --prop:ip0= --prop:DNS= ^ specifies the type of deployment, 1, 2 or 3 NICs and the IP Address you will use.  As you see the --deploymentOption= and the --prop:ip0= --prop:DNS= are pretty straightforward and should match how you deployed from the first post.

For the fourth part I specified the storage type and set the passwords.  -ds="Storage" -dm=thin --name=AP01 --ipAllocationPolicy=fixedPolicy ^ --prop:adminPassword=AdM1n! --prop:rootPassword=rootpwd1!  The option -ds= is asking for the name of your Storage Volume.  Mine is Storage.  The -dm= option is one that I added and not in the documentation but it allows you to specify the type of disk used.  I choose Thin, but you could leave it out and you will end up with eagerZero.  Finally the --prop:adminPassword and --prop:rootPassword need to be set.  Note that the Admin password needs to be a complex password or you might have issues with the deployment if you want to make changes later.

Now for the real fun.  The next part is that JSON formatted file that I used in the previous post, but you must modify it to escape the quotes (").  --prop:settingsJSON="{\"edgeServiceSettingsList\": { \"edgeServiceSettingsList\": ^ [ { \"identifier\": \"VIEW\", \"enabled\": true, \"proxyDestinationUrl\": \"https://hvrs.therandomone.net:443\", ^ \"proxyDestinationUrlThumbprints\": \"sha1=01 f6 8f 8e b6 e0 a9 08 57 45 4c 47 2a 27 3e 9d 1a aa 85 98\", ^ \"pcoipEnabled\": true, \"pcoipExternalUrl\": \"\", ^ \"blastEnabled\": true, \"blastExternalUrl\": \"hv.therandomone.net:8443\", ^ \"tunnelEnabled\": true, \"tunnelExternalUrl\": \"hv.therandomone.net:8443\", ^ \"proxyPattern\":\"/\" } ] }}" ^

You will need to set the pcoipExternalUrl, blastExternalUrl and the tunnelExternalUrl for your deployment as well as your Connection Server address and SSL certificate Thumbprint.  Let's examine one of them: \"pcoipExternalUrl\": \"\",   There needs to be an escape before every " so you see \"pcoipExternalUrl\":\"\" and in the actual JSON file you would not have the slashes \.

Once you figure this part out, the deployment of multiple access points should be easy especially if you are going to front end them with a load balancer.
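A generator for the escaped settingsJSON argument discussed above, as an added Python example (not code from this post or from VMware); it goes slightly beyond the post by checking the thumbprint layout and by reading the two passwords from the environment instead of typing them into the command. The function names, the AP_ADMIN_PASSWORD and AP_ROOT_PASSWORD variables, the 192.0.2.x and 203.0.113.x addresses and the OVA file name are assumptions or constructed placeholders.

```python
import json
import os
import re
import subprocess

# Layout shown in the post: "sha1=" followed by 20 space-separated hex bytes.
THUMBPRINT_RE = re.compile(r"^sha1=[0-9a-f]{2}( [0-9a-f]{2}){19}$")
PASSWORD_PROP_RE = re.compile(r"^(--prop:(?:admin|root)Password=).*$")


def build_settings(connection_server_url, thumbprint, pcoip_url, blast_url, tunnel_url):
    """Return the settingsJSON document as a dict, with the key names used in the post."""
    thumbprint = thumbprint.strip().lower()
    if not connection_server_url.startswith("https://"):
        raise ValueError("proxyDestinationUrl must be an https:// URL")
    if not THUMBPRINT_RE.match(thumbprint):
        raise ValueError("thumbprint must be 'sha1=' plus 20 space-separated hex bytes")
    view = {
        "identifier": "VIEW",
        "enabled": True,
        "proxyDestinationUrl": connection_server_url,
        "proxyDestinationUrlThumbprints": thumbprint,
        "pcoipEnabled": True,
        "pcoipExternalUrl": pcoip_url,
        "blastEnabled": True,
        "blastExternalUrl": blast_url,
        "tunnelEnabled": True,
        "tunnelExternalUrl": tunnel_url,
        "proxyPattern": "/",
    }
    return {"edgeServiceSettingsList": {"edgeServiceSettingsList": [view]}}


def build_ovftool_argv(name, ip0, dns, settings, ova_path, target, env=os.environ):
    """Assemble the ovftool argument list, one list item per argument.

    The passwords stay out of scripts and shell history this way, but they are
    still part of the ovftool process command line while it runs.
    """
    admin_pw = env.get("AP_ADMIN_PASSWORD")   # hypothetical variable names
    root_pw = env.get("AP_ROOT_PASSWORD")
    if not admin_pw or not root_pw:
        raise RuntimeError("set AP_ADMIN_PASSWORD and AP_ROOT_PASSWORD first")
    return [
        "ovftool", "--X:enableHiddenProperties", "--powerOffTarget", "--powerOn",
        "--overwrite", "--vmFolder=Horizon View/Access Point",
        "--net:Internet=Virtual Machine Network",
        "--net:ManagementNetwork=Management",
        "--net:BackendNetwork=Infrastructure",
        "--deploymentOption=onenic", f"--prop:ip0={ip0}", f"--prop:DNS={dns}",
        "-ds=Storage", "-dm=thin", f"--name={name}", "--ipAllocationPolicy=fixedPolicy",
        f"--prop:adminPassword={admin_pw}", f"--prop:rootPassword={root_pw}",
        "--prop:settingsJSON=" + json.dumps(settings),   # plain JSON, no backslashes yet
        ova_path, target,
    ]


def redacted_cmdline(argv):
    """Render argv as one Windows command line with the passwords masked.

    list2cmdline applies Windows argument quoting: arguments containing spaces
    are wrapped in double quotes and every embedded double quote becomes \\".
    subprocess.run(argv) applies the same quoting by itself on Windows.
    """
    masked = [PASSWORD_PROP_RE.sub(r"\1********", arg) for arg in argv]
    return subprocess.list2cmdline(masked)


if __name__ == "__main__":
    demo_env = {"AP_ADMIN_PASSWORD": "Constructed-Adm1n!",   # constructed values
                "AP_ROOT_PASSWORD": "Constructed-r00t!"}
    settings = build_settings(
        "https://hvrs.therandomone.net:443",
        "sha1=01 f6 8f 8e b6 e0 a9 08 57 45 4c 47 2a 27 3e 9d 1a aa 85 98",
        "203.0.113.10:4172",                                 # constructed placeholder
        "hv.therandomone.net:8443", "hv.therandomone.net:8443")
    # Two appliances behind a load balancer; addresses are constructed placeholders.
    for name, ip in (("AP01", "192.0.2.11"), ("AP02", "192.0.2.12")):
        argv = build_ovftool_argv(
            name, ip, "192.0.2.53", settings, "euc-access-point-PLACEHOLDER.ova",
            "vi://vcenter.therandomone.net/Random Labs/host/esxi.therandomone.net/",
            demo_env)
        print(redacted_cmdline(argv))
        # subprocess.run(argv, check=True) would start the real deployment.
```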

Now the final part of the command line euc-access-point- ^ vi://vcenter.therandomone.net/"Random Labs"/host/esxi.therandomone.net/ selects the correct EUC Access Point OVA file and the vCenter you want the deployment to happen on.  The syntax should be straightforward, but it is not.  My vCenter has a DataCenter but I do not have a Cluster or a resource pool, just a host under the DataCenter.


So in the syntax you need to specify to look for a host and not a Cluster.  Mine looks like this  vi://Your vCenter/Your DataCenter/host/ESXi Host name/ .  You will be prompted for a user id and password to complete the action.  You can also script that with the user id and password using the vi://USERid:password@Your vCenter…..

Five minute deployment and I was up and running.

After working with both setups, I might agree with Mark Benson and just use the OVF command line deployment method.  I am going to continue to work on this with a few peers, heck we might even deploy a VMware Fling as an EUC Access Point configuration tool that will format your JSON file for you and allow you to deploy multiple EUC Access Points easily.

I hope this helps you.  Now back to trying to get to VMworld Barcelona

VMware EUC Access Point – What is it and How-To get it to work.

EUC Access Point Deployment and Config

I was working in my lab this week and decided that I needed to deploy the new EUC Access Point appliance that is available with VMware Horizon 6.2.  After a few hours of working with the deployment of the OVF and dealing with the documentation I decided to create this quick deployment and configure guide.  Note that this is not a complete how-to, but it should get you on your way.

What is Access Point ?

Access Point functions as a secure gateway for users who want to access Horizon 6 desktops and applications from outside the corporate firewall.

Access Point appliances typically reside within a DMZ and act as a proxy host for connections inside your company’s trusted network. This design provides an additional layer of security by shielding View virtual desktops, application hosts, and View Connection Server instances from the public-facing Internet.

Access Point directs authentication requests to the appropriate server and discards any un-authenticated request. The only remote desktop and application traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user. Users can access only the resources that they are authorized to access.

Access Point appliances fulfill the same role that was previously played by View security servers, but Access Point provides additional benefits:

  • An Access Point appliance can be configured to point to either a View Connection Server instance or a load balancer that fronts a group of View Connection Server instances. This design means that you can combine remote and local traffic.
  • Configuration of Access Point is independent of View Connection Server instances. Unlike with security servers, no pairing password is required to pair each security server with a single View Connection Server instance.
  • Access Point appliances are deployed as hardened virtual appliances, which are based on a Linux appliance that has been customized to provide secure access. Extraneous modules have been removed to reduce potential threat access.
  • Access Point uses a standard HTTP(S) protocol for communication with View Connection Server. JMS, IPsec, and AJP13 are not used

The following authentication mechanisms are available, and for all of these authentication mechanisms except smart card, authentication is proxied to View Connection Server:

  • Active Directory credentials
  • RSA SecurID
  • Smart cards (Note that for this release smart card authentication is a Tech Preview feature as of 09/08/2015)
  • SAML (Security Assertion Markup Language)


I guess it is time.

Well, welcome to my blog site.  I have been putting off doing a blog for a decade but I guess it is time to start my own.

My plan is to add simple and detailed information around end user technologies as well as direct links to existing blogs while adding specific information or updating the information.

My goal is to make the information valuable but delivered with light hearted humor.  (If you're not having fun then the stress will overcome you.)

Look for upcoming articles and “tech lunch bytes” delivered live.