VMware Horizon 7 7.13.2 | 10 MAR 2022

Check for additions and updates to these release notes.

What's New

  • Log4j update

    Log4j has been updated to version 2.17.1 in Horizon Connection Server, HTML Access Direct-Connection, Horizon Agent for Windows, and Horizon Agent for Linux.

  • Instant Clone Maintenance Mode support

    Instant Clone Maintenance Mode is now supported using ViewAPI.

  • 30-day grace period for licensing

    Horizon Term Licensing now has a 30-day grace period, so the system does not immediately deny access to Horizon once the license is expired.

Note Regarding Upgrade

If pae-ClientSSLCipherSuites or pae-ServerSSLCipherSuites have values in the Active Directory Application Mode (ADAM) database, you must reset those values and make sure they are empty (<not set>) and then reboot all the connection servers before performing the upgrade. Failure to do this will prevent you from being able to connect to the Horizon console after upgrade.

Before You Begin

  • Important note about installing VMware View Composer

    If you plan to install or upgrade to View Composer 7.2 or later, you must upgrade the Microsoft .NET framework to version 4.6.1. Otherwise, the installation will fail.

  • Important note about installing VMware Tools

    If you plan to install a version of VMware Tools downloaded from VMware Product Downloads, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the VMware Product Interoperability Matrix, select the solution VMware Horizon View and the version, then select VMware Tools (downloadable only).

  • If you want to install View Composer silently, see the VMware Knowledge Base (KB) article 2148204, Microsoft Windows Installer Command-Line Options for Horizon Composer.
  • This Horizon 7 release includes new configuration requirements that differ from some earlier releases. See the Horizon 7 Upgrades document for upgrade instructions.
  • Any Horizon 7.13.x release can be upgraded to any Horizon 8.x release as long as that Horizon 8.x release was generally available after the Horizon 7.13.x release.
  • If you intend to upgrade a pre-6.2 installation of Horizon 7, and the Connection Server, security server, or View Composer server uses the self-signed certificate that was installed by default, you must remove the existing self-signed certificate before you perform the upgrade. Connections might not work if the existing self-signed certificates remain in place. During an upgrade, the installer does not replace any existing certificate. Removing the old self-signed certificate ensures that a new certificate is installed. The self-signed certificate in this release has a longer RSA key (2048 bits instead of 1024) and a stronger signature (SHA-256 with RSA instead of SHA-1 with RSA) than in pre-6.2 releases. Note that self-signed certificates are insecure and should be replaced by CA-signed certificates as soon as possible, and that SHA-1 certificates are no longer considered secure and should be replaced by SHA-2 certificates.

    Do not remove CA-signed certificates that were installed for production use, as recommended by VMware. CA-signed certificates will continue to work after you upgrade to this release.

  • After you have performed a fresh install or upgraded all Connection Server instances to Horizon 7 version 7.2 or later, you cannot downgrade the Connection Server instances to a version earlier than Horizon 7 version 7.2 because the keys used to protect LDAP data have changed. To keep the possibility of downgrading Connection Server instances while planning an upgrade to Horizon 7 version 7.2 or later, you must perform an LDAP backup before starting the upgrade. If you need to downgrade the Connection Server instances, you must downgrade all Connection Server instances and then apply the LDAP backup to the last Connection Server that is downgraded.  
  • Selecting the Scanner Redirection setup option with Horizon Agent installation can significantly affect the host consolidation ratio. To ensure the optimal host consolidation, make sure that the Scanner Redirection setup option is only selected for those users who need it. (By default, the Scanner Redirection option is not selected when you install Horizon Agent.) For users who need the Scanner Redirection feature, configure a separate desktop pool and select the setup option only in that pool.
  • Horizon 7 uses only TLSv1.1 and TLSv1.2. In FIPS mode, it uses only TLSv1.2. You might not be able to connect to vSphere unless you apply vSphere patches. For information about re-enabling TLSv1.0, see Enable TLSv1 on vCenter Connections from Connection Server and Enable TLSv1 on vCenter and ESXi Connections from View Composer in the Horizon 7 Upgrades document.
  • FIPS mode is not supported on releases earlier than 6.2. If you enable FIPS mode in Windows and upgrade Horizon Composer or Horizon Agent from a release earlier than Horizon View 6.2 to Horizon 7 version 7.2 or later, the FIPS mode option is not shown. You must do a fresh install instead to install Horizon 7 version 7.2 or later in FIPS mode.
  • Linux desktops use port 22443 for the VMware Blast display protocol.
  • Starting with Horizon 7 version 7.2, it is possible that the ordering of cipher suites can be enforced by Connection Server. For more information, see the Horizon 7 Security document.
  • Starting with Horizon 7 version 7.2, Connection Server must be able to communicate on port 32111 with other Connection Servers in the same pod. If this traffic is blocked during installation or upgrade, installation will not succeed.
  • Starting with Horizon 7 version 7.3.2, TLS handshakes on port 443 must complete within 10 seconds, or within 100 seconds if smart card authentication is enabled. In previous releases of Horizon 7, TLS handshakes on port 443 were allowed 100 seconds to complete in all situations. You can adjust the time for TLS handshakes on port 443 by setting the configuration property handshakeLifetime. Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by setting the configuration property secureHandshakeDelay. For more information about setting configuration properties, see the Horizon 7 Security document.
  • When the Remote Desktop Services role is not present, the Horizon Agent installer prompts you to install Horizon Agent in RDS mode or desktop mode.
  • If you have FIPS mode enabled in a cloud pod architecture consisting of non-homogenous pods, that is, pods at different versions, Horizon 7.10.3 pods do not work with a pod running Horizon 7.12 or later. To upgrade 7.10.3 to a later version, first upgrade to a patched 7.10.3 that is fully backward and forward compatible with other versions. Contact VMware Customer Connect on how to obtain the patch.
  • For inofrmation about configuring linked-clone desktop pools to use multiple network labels, see VMware Knowledge Base article 84168.
  • In environments with many datastores (100+), the Desktop Pool creation wizard may not display all available datastores for selection. For more information, see VMware Knowledge Base article 88151.


The Horizon Administrator and Horizon Console user interface, Horizon Administrator and Horizon Console online help, and Horizon 7 product documentation are available in Japanese, French, German, Spanish, simplified Chinese, traditional Chinese, and Korean. For the documentation, see the Documentation Center for VMware Horizon 7.

Compatibility Notes

  • For the supported guest operating systems for Horizon Agent on single-user machines and RDS hosts, see VMware Knowledge Base (KB) article 2150295, Supported Windows Versions for Remote Desktop Systems for Horizon Agent.
  • If you use Horizon 7 servers with a version of View Agent older than 6.2, you will need to enable TLSv1.0 for PCoIP connections. View Agent versions that are older than 6.2 support the security protocol TLSv1.0 only for PCoIP. Horizon 7 servers, including connection servers and security servers, have TLSv1.0 disabled by default. You can enable TLSv1.0 for PCoIP connections on these servers by following the instructions in VMware Knowledge Base (KB) article 2130798, Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later.
  • For the supported Linux guest operating systems for Horizon Agent, see System Requirements for Horizon 7 for Linux in the Setting Up Horizon 7 for Linux Desktops document.
  • For the supported operating systems for Connection Server, security server, and View Composer, see System Requirements for Server Components in the Horizon 7 Installation document.
  • Horizon 7 functionality is enhanced by an updated set of Horizon Clients provided with this release. For example, Horizon Client 4.0 or later is required for VMware Blast Extreme connections. See the VMware Horizon Clients Documentation page for information about supported Horizon Clients.
  • The instant clones feature requires vSphere 6.0 Update 1 or later.
  • Windows 7 and Windows 10 are supported for instant clones, but not Windows 8 or Windows 8.1.
  • See the VMware Product Interoperability Matrix for information about the compatibility of Horizon 7 with current and previous versions of vSphere.
  • For the supported Active Directory Domain Services (AD DS) domain functional levels, see Preparing Active Directory in the Horizon 7 Installation document.
  • For more system requirements, such as the supported browsers for Horizon Administrator, see the Horizon 7 Installation document.
  • RC4, SSLv3, and TLSv1.0 are disabled by default in Horizon 7 components, in accordance with RFC 7465, "Prohibiting RC4 Cipher Suites," RFC 7568, "Deprecating Secure Sockets Layer Version 3.0," PCI-DSS 3.1, "Payment Card Industry (PCI) Data Security Standard", and SP800-52r1, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations." If you need to re-enable RC4, SSLv3, or TLSv1.0 on a Connection Server, security server, View Composer, or Horizon Agent machine, see Older Protocols and Ciphers Disabled in Horizon in the Horizon 7 Security document.
  • If a PCoIP Secure Gateway (PSG) has been deployed for PCoIP connections, zero client firmware must be version 4.0 or later.
  • When using Client Drive Redirection (CDR), deploy Horizon Client 3.5 or later and View Agent 6.2 or later to ensure that CDR data is sent over an encrypted virtual channel from an external client device to the PCoIP security server and from the security server to the remote desktop. If you deploy earlier versions of Horizon Client or Horizon Agent, external connections to the PCoIP security server are encrypted, but within the corporate network, the data is sent from the security server to the remote desktop without encryption. You can disable CDR by configuring a Microsoft Remote Desktop Services group policy setting in Active Directory. For details, see Managing Access to Client Drive Redirection in the Configuring Remote Desktop Features in Horizon 7 document.
  • The USB Redirection setup option in the Horizon Agent installer is deselected by default. You must select this option to install the USB redirection feature. For guidance on using USB redirection securely, see Deploying USB Devices in a Secure Horizon 7 Environment in the Horizon 7 Security document.
  • The Global Policy, Multimedia redirection (MMR), defaults to Deny. To use MMR, you must open Horizon Administrator, edit Global Policies, and explicitly set this value to Allow. To control access to MMR, you can enable or disable the Multimedia redirection (MMR) policy globally or for an individual pool or user. Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.
  • Before you set the level of Transparent Page Sharing (TPS) in Horizon Administrator, VMware recommends that the security implications be understood. For guidance, see the VMware Knowledge Base (KB) article 2080735, Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing.
  • To use View Storage Accelerator in a vSphere 5.5 or later environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.
  • Horizon 7 does not support vSphere Flash Read Cache (formerly known as vFlash).
  • In Horizon (with View) version 6.0 and later releases, the View PowerCLI cmdlets Get-TerminalServer, Add-TerminalServerPool, and Update-TerminalServerPool have been deprecated.
  • Screen DMA is disabled by default in virtual machines that are created in vSphere 6.0 and later. View requires screen DMA to be enabled. If screen DMA is disabled, users see a black screen when they connect to the remote desktop. When Horizon 7 provisions a desktop pool, it automatically enables screen DMA for all vCenter Server-managed virtual machines in the pool. However, if Horizon Agent is installed in a virtual machine in unmanaged mode (VDM_VC_MANAGED_AGENT=0), screen DMA is not enabled. For information about manually enabling screen DMA, see VMware Knowledge Base (KB) article 2144475, Manually enabling screen DMA in a virtual machine.
  • vGPU enabled instant clone desktop pools are supported for vSphere 6.0 and later.
  • Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the Horizon 7 environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
  • In Horizon 7 version 7.2 or later, the viewDBChk tool will not have access to vCenter or View Composer credentials and will prompt for this information when needed.
  • The forwarding rules for HTTP requests received by Connection Server instances and security servers have changed at this release. If you have defined custom frontMapping entries in locked.properties, you should remove them before upgrading. If you wish to disallow administrator connections to certain Connection Server instances, then instead of defining custom frontMapping entries, add this entry to locked.properties:

    frontServiceWhitelist = tunnel|ajp:broker|ajp:portal|ajp:misc|moved:*|file:docroot

    On security servers, this entry is applied automatically and does not need to be set in locked.properties.

  • Horizon Persona Management is not compatible with User Writable Volumes created with the UIA + Profile template.
  • In Horizon 7 version 7.0.3 or later, internal validation checks determine if the instant clone and internal template have valid IP addresses and a network connection. If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails.
  • For information about the models of NVIDIA GPU cards supported by Horizon 7, see https://docs.nvidia.com/grid/9.0/product-support-matrix/index.html.
  • AMD v340 graphics cards are supported.
  • Real-Time Audio-Video (RTAV) is supported in an IPv6 environment.
  • See the VMware Product Interoperability Matrix for information about the compatibility of Horizon 7 with the latest versions of VMware Unified Access Gateway, VMware Identity Manager, VMware App Volumes, VMware Dynamic Environment Manager, and VMware Tools.
  • PCoIP is not supported with RDSH instant clone pools in an IPv6 environment. PCoIP is supported with remote desktops in an IPv6 environment.
  • Starting with version 18.2.7, Avi Networks (VMware NSX Advanced Load Balancer) supports load balancing for Connection Server, Unified Access Gateway appliances, and App Volumes Manager.
  • True SSO and Smart Card based SSO/Logon are not supported with Horizon on Windows 10 2004.
  • Instant clones are available with Standard and Advanced licenses.
  • Carbon Black sensor 3.6 is compatible with instant clones. See Interoperability of VMware Carbon Black and Horizon.
  • When you deploy an instant clone as a RDS host, do not reboot the RDS host directly from within the Windows Server OS. Instead, refresh the instant clone VM using the push image workflow.
  • Instant clones with multiple-NIC configuration are not currently supported.

Supported Windows 10 Operating Systems

For an updated list of supported Windows 10 operating systems, see VMware Knowledge Base (KB) article 2149393,  Supported Versions of Windows 10 on Horizon 7. For more information on upgrade requirements for Windows 10 operating systems, see VMware Knowledge Base (KB) article 2148176,  Upgrade Requirements for Windows 10 Operating Systems here.

Prior Releases of Horizon 7

Features that were introduced in prior releases are described in the release notes for each release, along with existing known issues.

Resolved Issues

The number provided before each resolved issue refers to the VMware internal issues tracking system.

  • 2900718 - Logging Improvement: If the session data cannot be gathered for a user, logs are no longer filled with all users’ session data.
  • 2849511 - HomeSite assignment API does not fail if the group information is unavailable. Now it always responds with the information of the users.
  • 2775264 - Stale Global Entitlement entries present in the global ADAM database are ignored to ensure Global Entitlement workflows are unaffected.
  • 2787085 - In Windows 10 VDI, if DPI Sync and DPI Sync Per Monitor are both enabled, GPO settings are prioritized over Allow Display Scaling. For other platforms, DPI Sync Per Monitor does not work for the same GPO settings; Allow Display Scaling is prioritized.
  • 2789169 - Delay of 15 seconds was observed when the user is switching the session from one Thin Client to another with Imprivata OneSign.
  • 2804870 - TrueSSO --edit --connector command failed, so users were unable to set up a second CA server for True SSO.
  • 2763922 - Agent installation failed following Trusted Root Certificate updates.
  • 2797405 - After Connection Server upgrade from version 7.12, the Horizon UI did not load the Administrator tab under Settings and the "Administrator" account was blank.
  • 2689881 - Issue in Instant Clone refresh workflow when configuring guestinfo.AgentCustomizationFlags on the golden image.
  • 2788297 - In Horizon Console, users having certain custom roles and permissions could not be assigned/unassigned to Dedicated VDI pools.
  • 2860121 - Lync process hung due to vdp_rdpvcbridge when reconnecting a disconnected user session. This issue occurred when the Virtualization Pack for Skype for Business was not installed.
  • 2819071 - Users were able to select the RDP protocol on Horizon Client despite having a NVIDIA GRID vGPU enabled pool. A pool where NVIDIA GRID vGPU is enabled should not be able to use RDP.
  • 2763170 - MachineDetailsView queries failed with serialization errors when requesting via API.
  • 2787946 - When performing a Managed Manual Pool Edit, changing 3D Renderer to vGPU did not reset vRAM size and Max Monitors fields to their default values under Remote Display Protocol Settings.
  • 2750839 - In the HTML5 UI, the VDI Administrator was not able to add or view the user accounts list on the Remote Access tab. After deleting the user account in AD, task would fail with error {#AD_USER_OR_GROUP_NOT_FOUND#}Could not find user or group in AD.
  • 2759618 - Screen update was out of sync with typing.
  • 2750087 - In Automated Desktop Pool Summary, the Allow Separate Session field was not updated as per pool settings and the Delete or Refresh on Logoff field is not localized.
  • 2716566 - In the administration console filter and refresh were not working on Desktop Pool > Machines tabs.
  • 2645312 - Microphone was not recognized when used for the Google Meet application from browser.
  • 2753550 - When customers utilized the Monitoring tool which uses the vdmadmin command with CBMonitor to check the health status of the connection servers, this command no longer worked after upgrade to 7.12. It produced the following error: Failed to perform operation: Cannot access broker management service.
  • 2777879 - Helpdesk user sessions was throwing error "Failed to do helpdesk operation for session..." when accessing sessions for specific users. Username length was updated from 32 to 128.
  • 2845183 - Microphone issue in Horizon Agent machines which caused the the microphone to keep dropping.
  • 2704379 - When editing pool or farm in Horizon, it was taking an excessive amount of time to load guest customization data. This process is now optimized to load only one AD Container in the edit workflow. All the AD Containers are loaded on demand when the Browse button is explicitly clicked.
  • 2711176 - Adding dedicated linked clone task failed with 2-way trusted domain.
  • 2802057 - When user attempted using the Recover option on an Instant Clone agent, the following error occurred: The security database on the server does not have a computer account for this workstation trust relationship
  • 2698885 - Attempt to publish the image to the existing Instant clone pool failed with error: SERVER_FAULT_FATAL: Runtime error in completePrevAction:Found no snapshot on internal template
  • 2698659 - During Instant Clone provisioning, some VDIs were getting stuck in Customizing state, unless rebooted.
  • 2761553 - Client-Agent URL content redirection did not work for Instant Clone.
  • 2614595 - Smartcard login option was not available when Horizon Agent was installed on the physical machine.
  • 2794365 - NGVC AD site detection was not recording the correct site information.
  • 2881687 - VDI was being assigned to users before it finished the Automatic Refresh.
  • 2752934 - Enabling SAML on newly added broker disabled the TrueSSO mode on all Connection Servers.
  • 2628889 - On Windows Server 2012, trying to connect to RDSH using PCoIP caused system failure with blue screen.
  • 2782589 - TrueSSO: Failed to launch remote apps from Workspace ONE portal after idle session timeout. After idle session timeout, remote apps closed and desktop kept running.
  • 2767323 - Display issue with specific display and resolution when Vmware Tools 11.2.6 is installed (primary display on the right).
  • 2787996 - Add Desktop Pool - Access Group was reset to root when user revisited Desktop Pool Identification page.
  • 2779244 - User could not connect to RDSH due to logoff in progress after logging off.
  • 2895826 - In the administration console, the disposable disk setting was sometimes not displayed properly. It said the drive letter is "same disk as OS" and does not mention is the disk size.
  • 2896649 - View Composer would only connected to SQL database using the SQL Native Client (SNAC). When users attempted connecting using the ODBC Driver 17 or 13 the system says that the database is not supported.
  • 2753111 - Internal error occurred while loading Problem vCenter VMs or Machines tab in Horizon Console.
  • 2782914 - Application Pool screen was not loading in the Horizon Console.
  • 2710101 - When connecting to a Horizon pool using a zero client with a 90 degree rotated monitor via PCoIP, the screen appeared black for several seconds and then disconnected. 90 degree monitor rotation via PCoIP is now supported.
  • 2824824 - When a user attempted to drag objects from Agent to Client, the cursor was getting stuck in the corner of the window, so that the user had to wait 5-10 seconds before re-trying the move.
  • 2803916 - View Composer feature was showing as disabled in the administration console when upgrading from 7.11 to 7.13.
  • 2911131 - End users were randomly receiving duplicate sessions when badging in and out of healthcare workstations.
  • 2841401 - TrueSSO - Enrollment Server was unable to connect to CA when Windows New Technology LAN Manager (NTLM) was disabled.
  • 2861539 - There was an internal error when accessing the dashboard in the administration console.
  • 2825848 - The Global Administrators view in the Horizon view admin page was not loading.
  • 2768993 - After user logoff, machines were entering into an "error missing state" when the machines are present in vCenter and it was expected to recreate the pool VMs. There are now improved error handling techniques that do not allow these errors to occur.
  • 2737108 - VMware Integrated Print with NPD (native print driver) was not working with Unauthenticated Users.

Known Issues

Horizon Persona Management

  • Windows renews its HKCU registries and the Persona Features installed change every time a user logs in.

    Workaround: Leave one of the default folders in the profile (such as Music, Pictures, Downloads, etc) out of "Files and folders excluded from roaming".

View Composer

  • Manage Persistent Disks role is not giving permission to detach a disk.

    Workaround: No specific workaround, but the Administrator has permission in the console to detach a disk.

Horizon Connection Server

  • If you edit an Instant Clone pool while the initial publish operation is going on, you might see a "Could not find golden image in the vCenter Server " error. This is expected behavior, so you can ignore this error. It will disappear when the publish is finished.
  • Cannot select the datastore root folder to place the persistent disk with Horizon Console while performing a detach operation with a different datastore.

    Workaround: Use subfolders to place the persistent disks.

  • Agent version does not display properly in spreadsheet when downloaded from the Inventory > Machine page.  

    Workaround: Download data from the Inventory > Desktop Pool > Machines page instead.

  • PCoIP is not working when connected with smart card on a physical Agent machine.

    Workaround: None.

Horizon Agent

  • Failed to connect to RDSH pool or RDSH app using BLAST/PCoIP protocol after upgrading Horizon agent to 7.13.2.

    Workaround: Restart the agent machine twice after upgrade to launch using BLAST and PCoIP.

  • Desktop hosted application displays the Agent desktop's Windows update restart notification in the client machine's system tray.

    Workaround: None

  • When user profile loads for the first time on the machine, the desktop hosted application launch window covers the full screen and there is no way to minimize it. This is more of an issue for Instant Clone pools because they load the profile every time and manual pools do not have this issue for subsequent logins.

    Workaround: None

Horizon Client

  • The Clean up credential when tab closed for HTML Access feature is not working with Firefox in Microsoft Windows. Workaround: Use Chrome or Microsoft Edge browser.
check-circle-line exclamation-circle-line close-line
Scroll to top icon