VMware Horizon 7 7.13.3 | 21 MAR 2023 Check for additions and updates to these release notes. |
VMware Horizon 7 7.13.3 | 21 MAR 2023 Check for additions and updates to these release notes. |
VMware Horizon 7.13.3 includes bug fixes and hot patch rollups.
Horizon 7.13.3 is designed for customers who intend to stay on Horizon 7.13.x after the General Support Phase for Horizon 7.13.x ends. For the end of General Support Phase date, see https://lifecycle.vmware.com/#/. Once the General Support Phase ends, Horizon 7.13.x will enter the Technical Guidance Support phase that is provided for 2 years after the end of General Support. For more information on General Support and Technical Guidance Support phases, see Lifecycle Phase Definitions.
If you are on Horizon 7.13.2 or earlier version and do not want to utilize Technical Guidance Support, it is recommended that you upgrade directly to Horizon 8.x. For more information on target versions, see the Upgrade section.
Horizon Connection Server 7.13.3 includes Apache Tomcat 8.5.87.
Important note about installing VMware View Composer
If you plan to install or upgrade to View Composer 7.2 or later, you must upgrade the Microsoft .NET framework to version 4.6.1. Otherwise, the installation will fail.
Important note about installing VMware Tools
If you plan to install a version of VMware Tools downloaded from VMware Product Downloads, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the VMware Product Interoperability Matrix, select the solution VMware Horizon View and the version, then select VMware Tools (downloadable only).
If you want to install View Composer silently, see the VMware Knowledge Base (KB) article 2148204, Microsoft Windows Installer Command-Line Options for Horizon Composer.
This Horizon 7 release includes new configuration requirements that differ from some earlier releases. See the Horizon 7 Upgrades document for upgrade instructions.
After you have performed a fresh install or upgraded all Connection Server instances to Horizon 7 version 7.2 or later, you cannot downgrade the Connection Server instances to a version earlier than Horizon 7 version 7.2 because the keys used to protect LDAP data have changed. To keep the possibility of downgrading Connection Server instances while planning an upgrade to Horizon 7 version 7.2 or later, you must perform an LDAP backup before starting the upgrade. If you need to downgrade the Connection Server instances, you must downgrade all Connection Server instances and then apply the LDAP backup to the last Connection Server that is downgraded.
Selecting the Scanner Redirection setup option with Horizon Agent installation can significantly affect the host consolidation ratio. To ensure the optimal host consolidation, make sure that the Scanner Redirection setup option is only selected for those users who need it. (By default, the Scanner Redirection option is not selected when you install Horizon Agent.) For users who need the Scanner Redirection feature, configure a separate desktop pool and select the setup option only in that pool.
Horizon 7 uses only TLSv1.1 and TLSv1.2. In FIPS mode, it uses only TLSv1.2. You might not be able to connect to vSphere unless you apply vSphere patches. For information about re-enabling TLSv1.0, see Enable TLSv1 on vCenter Connections from Connection Server and Enable TLSv1 on vCenter and ESXi Connections from View Composer in the Horizon 7 Upgrades document.
FIPS mode is not supported on releases earlier than 6.2. If you enable FIPS mode in Windows and upgrade Horizon Composer or Horizon Agent from a release earlier than Horizon View 6.2 to Horizon 7 version 7.2 or later, the FIPS mode option is not shown. You must do a fresh install instead to install Horizon 7 version 7.2 or later in FIPS mode.
Linux desktops use port 22443 for the VMware Blast display protocol.
Starting with Horizon 7 version 7.2, it is possible that the ordering of cipher suites can be enforced by Connection Server. For more information, see the Horizon 7 Security document.
Starting with Horizon 7 version 7.2, Connection Server must be able to communicate on port 32111 with other Connection Servers in the same pod. If this traffic is blocked during installation or upgrade, installation will not succeed.
Starting with Horizon 7 version 7.3.2, TLS handshakes on port 443 must complete within 10 seconds, or within 100 seconds if smart card authentication is enabled. In previous releases of Horizon 7, TLS handshakes on port 443 were allowed 100 seconds to complete in all situations. You can adjust the time for TLS handshakes on port 443 by setting the configuration property handshakeLifetime. Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by setting the configuration property secureHandshakeDelay. For more information about setting configuration properties, see the Horizon 7 Security document.
When the Remote Desktop Services role is not present, the Horizon Agent installer prompts you to install Horizon Agent in RDS mode or desktop mode.
If you have FIPS mode enabled in a cloud pod architecture consisting of non-homogenous pods, that is, pods at different versions, Horizon 7.10.3 pods do not work with a pod running Horizon 7.12 or later. To upgrade 7.10.3 to a later version, first upgrade to a patched 7.10.3 that is fully backward and forward compatible with other versions. Contact VMware Customer Connect on how to obtain the patch.
For information about configuring linked-clone desktop pools to use multiple network labels, see VMware Knowledge Base article 84168.
In environments with many datastores (100+), the Desktop Pool creation wizard may not display all available datastores for selection. For more information, see VMware Knowledge Base article 88151.
Check the VMware Product Interoperability Matrix before upgrading your Horizon deployment. Note the following guidance:
You can only upgrade to a version with a release date later than your current deployment. This may be confusing if you are upgrading from an ESB maintenance release. For example, Horizon 7.13.3 was released after Horizon 8 version 2212, so you cannot upgrade from Horizon 7.13.3 to Horizon 2212. You can only upgrade to a version that is released after the Horizon 7.13.3 release date, such as Horizon 2303.
When upgrading from a non-ESB version to an ESB version, the target ESB version must be later that your current non-ESB release. For example, you cannot upgrade from Horizon 8 2203 (non-ESB) to Horizon 8 2111.1 (ESB) even though 2111.1 was released after 2203 (or you will lose features). You can only upgrade to Horizon 8 2212 or later versions.
The Horizon Administrator and Horizon Console user interface, Horizon Administrator and Horizon Console online help, and Horizon 7 product documentation are available in Japanese, French, German, Spanish, simplified Chinese, traditional Chinese, and Korean. For the documentation, see the Documentation Center for VMware Horizon 7.
For the supported guest operating systems for Horizon Agent on single-user machines and RDS hosts, see VMware Knowledge Base (KB) article 2150295, Supported Windows Versions for Remote Desktop Systems for Horizon Agent.
If you use Horizon 7 servers with a version of View Agent older than 6.2, you will need to enable TLSv1.0 for PCoIP connections. View Agent versions that are older than 6.2 support the security protocol TLSv1.0 only for PCoIP. Horizon 7 servers, including connection servers and security servers, have TLSv1.0 disabled by default. You can enable TLSv1.0 for PCoIP connections on these servers by following the instructions in VMware Knowledge Base (KB) article 2130798, Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later.
For the supported Linux guest operating systems for Horizon Agent, see System Requirements for Horizon 7 for Linux in the Setting Up Horizon 7 for Linux Desktops document.
For the supported operating systems for Connection Server, security server, and View Composer, see System Requirements for Server Components in the Horizon 7 Installation document.
Horizon 7 functionality is enhanced by an updated set of Horizon Clients provided with this release. For example, Horizon Client 4.0 or later is required for VMware Blast Extreme connections. See the VMware Horizon Clients Documentation page for information about supported Horizon Clients.
The instant clones feature requires vSphere 6.0 Update 1 or later.
Windows 7 and Windows 10 are supported for instant clones, but not Windows 8 or Windows 8.1.
See the VMware Product Interoperability Matrix for information about the compatibility of Horizon 7 with current and previous versions of vSphere.
For the supported Active Directory Domain Services (AD DS) domain functional levels, see Preparing Active Directory in the Horizon 7 Installation document.
For more system requirements, such as the supported browsers for Horizon Administrator, see the Horizon 7 Installation document.
RC4, SSLv3, and TLSv1.0 are disabled by default in Horizon 7 components, in accordance with RFC 7465, "Prohibiting RC4 Cipher Suites," RFC 7568, "Deprecating Secure Sockets Layer Version 3.0," PCI-DSS 3.1, "Payment Card Industry (PCI) Data Security Standard", and SP800-52r1, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations." If you need to re-enable RC4, SSLv3, or TLSv1.0 on a Connection Server, security server, View Composer, or Horizon Agent machine, see Older Protocols and Ciphers Disabled in Horizon in the Horizon 7 Security document.
If a PCoIP Secure Gateway (PSG) has been deployed for PCoIP connections, zero client firmware must be version 4.0 or later.
When using Client Drive Redirection (CDR), deploy Horizon Client 3.5 or later and View Agent 6.2 or later to ensure that CDR data is sent over an encrypted virtual channel from an external client device to the PCoIP security server and from the security server to the remote desktop. If you deploy earlier versions of Horizon Client or Horizon Agent, external connections to the PCoIP security server are encrypted, but within the corporate network, the data is sent from the security server to the remote desktop without encryption. You can disable CDR by configuring a Microsoft Remote Desktop Services group policy setting in Active Directory. For details, see Managing Access to Client Drive Redirection in the Configuring Remote Desktop Features in Horizon 7 document.
The USB Redirection setup option in the Horizon Agent installer is deselected by default. You must select this option to install the USB redirection feature. For guidance on using USB redirection securely, see Deploying USB Devices in a Secure Horizon 7 Environment in the Horizon 7 Security document.
The Global Policy, Multimedia redirection (MMR), defaults to Deny. To use MMR, you must open Horizon Administrator, edit Global Policies, and explicitly set this value to Allow. To control access to MMR, you can enable or disable the Multimedia redirection (MMR) policy globally or for an individual pool or user. Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.
Before you set the level of Transparent Page Sharing (TPS) in Horizon Administrator, VMware recommends that the security implications be understood. For guidance, see the VMware Knowledge Base (KB) article 2080735, Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing.
To use View Storage Accelerator in a vSphere 5.5 or later environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.
Horizon 7 does not support vSphere Flash Read Cache (formerly known as vFlash).
In Horizon (with View) version 6.0 and later releases, the View PowerCLI cmdlets Get-TerminalServer, Add-TerminalServerPool, and Update-TerminalServerPool have been deprecated.
Screen DMA is disabled by default in virtual machines that are created in vSphere 6.0 and later. View requires screen DMA to be enabled. If screen DMA is disabled, users see a black screen when they connect to the remote desktop. When Horizon 7 provisions a desktop pool, it automatically enables screen DMA for all vCenter Server-managed virtual machines in the pool. However, if Horizon Agent is installed in a virtual machine in unmanaged mode (VDM_VC_MANAGED_AGENT=0), screen DMA is not enabled. For information about manually enabling screen DMA, see VMware Knowledge Base (KB) article 2144475, Manually enabling screen DMA in a virtual machine.
vGPU enabled instant clone desktop pools are supported for vSphere 6.0 and later.
Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the Horizon 7 environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
In Horizon 7 version 7.2 or later, the viewDBChk tool will not have access to vCenter or View Composer credentials and will prompt for this information when needed.
The forwarding rules for HTTP requests received by Connection Server instances and security servers have changed at this release. If you have defined custom frontMapping entries in locked.properties, you should remove them before upgrading. If you wish to disallow administrator connections to certain Connection Server instances, then instead of defining custom frontMapping entries, add this entry to locked.properties:
frontServiceWhitelist = tunnel|ajp:broker|ajp:portal|ajp:misc|moved:*|file:docroot
On security servers, this entry is applied automatically and does not need to be set in locked.properties.
Horizon Persona Management is not compatible with User Writable Volumes created with the UIA + Profile template.
In Horizon 7 version 7.0.3 or later, internal validation checks determine if the instant clone and internal template have valid IP addresses and a network connection. If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails.
For information about the models of NVIDIA GPU cards supported by Horizon 7, see https://docs.nvidia.com/grid/9.0/product-support-matrix/index.html.
AMD v340 graphics cards are supported.
Real-Time Audio-Video (RTAV) is supported in an IPv6 environment.
See the VMware Product Interoperability Matrix for information about the compatibility of Horizon 7 with the latest versions of VMware Unified Access Gateway, VMware Identity Manager, VMware App Volumes, VMware Dynamic Environment Manager, and VMware Tools.
PCoIP is not supported with RDSH instant clone pools in an IPv6 environment. PCoIP is supported with remote desktops in an IPv6 environment.
Starting with version 18.2.7, Avi Networks (VMware NSX Advanced Load Balancer) supports load balancing for Connection Server, Unified Access Gateway appliances, and App Volumes Manager.
True SSO and Smart Card based SSO/Logon are not supported with Horizon on Windows 10 2004.
Instant clones are available with Standard and Advanced licenses.
Carbon Black sensor 3.6 is compatible with instant clones. See Interoperability of VMware Carbon Black and Horizon.
When you deploy an instant clone as a RDS host, do not reboot the RDS host directly from within the Windows Server OS. Instead, refresh the instant clone VM using the push image workflow.
Instant clones with multiple-NIC configuration are not currently supported.
For an updated list of supported Windows 10 operating systems, see VMware Knowledge Base (KB) article 2149393, Supported Versions of Windows 10 on Horizon 7. For more information on upgrade requirements for Windows 10 operating systems, see VMware Knowledge Base (KB) article 2148176, Upgrade Requirements for Windows 10 Operating Systems here.
Features that were introduced in prior releases are described in the release notes for each release, along with existing known issues.
2784578 : Users could no longer log in using UPN. They could only log in with Domain\UserName.
2872296: The VDI ends up in an agent unreachable state. Review of the logs shows that the agent is unable to initialize the Java Virtual Machine.
2876932: End user requests from the client take a long time to display Global assignments on the Horizon Client in a larger environment.
2895550: Problem with domain enumeration. Certain domains keep 'dropping' off the list of available domains .
2900002: Unable to install agent from an ISO image as part of the software installation method.
2916762: Generic users without a password cannot log in from the HTML client.
2916826: Full clone machines were unexpectedly deleted from automated pool. VM still shows in ADAM and vCenter but not in Horizon Console.
2929457: VDI users using TrueSSO are not able to log in, or it takes multiple attempts to log in even after authenticating with WS1.
2933391: RDS application sessions are not resumed consistently. Application sessions end up in a new farm when multi-session mode is enabled.
2940301: Machines queries do not fail and the status of all agents, including the unreachable state VMs for the machine queries, are returned.
2944687: Random resolutions are applied to the VDI session instead of the client machine resolution.
2947365: Instant Clone pool creation fails if the AD container is selected using the FIND option instead of the default option.
2948203: Remote taskbar and desktop are visible on launched RDSH published applications when they should be hidden.
2968769: The desktop section of the helpdesk tool does not populate with data and displays a spinning icon.
2980017: Network selected in desktop pool settings failed to get updated with error "Network label could not be found on this desktop's host or cluster".
2985010: After logging in to the agent desktop in a persona-enabled environment, the Horizon client hangs.
2986192: Instant clone push image fails on some VDIs with a failed network adapter.
2987659: Deadlock issue addressed to avoid the black screen on the VDI session.
2990754: All Connection Servers in one pod intermittently become unresponsive and require a reboot.
2996484: Removed display of FQDN from landing page when HTML access was disabled due to security concerns.
2998526: Disconnected sessions are not properly logged off automatically after the DisconnectLimitMinutes is reached.
3012167: Horizon client log in is slow when using SAML with a large AD forest.
3020147: Provision fails with java.util.ConcurrentModificationException error.
3026973: Deadlock situation addressed in Horizon event Database cleanUp task.
3042604: BSOD(SYSTEM_SERVICE_EXCEPTION) due to page fault occurs in vmwvwebcam!LogMgr::Init+0x60.
3057672: RDSH Horizon Agent service which caused the user session establishment is suddenly terminated.
3061973: Block swagger UI access using static secure gateway rule.
3116871: HTML Access download page displays even when HTML Access is not installed.
Horizon Persona Management
Windows renews its HKCU registries and the Persona Features installed change every time a user logs in.
Workaround: Leave one of the default folders in the profile (such as Music, Pictures, Downloads, etc) out of "Files and folders excluded from roaming".
View Composer
Manage Persistent Disks role is not giving permission to detach a disk.
Workaround: No specific workaround, but the Administrator has permission in the console to detach a disk.
OS Disk Datastore on Machines (View Composer details ) columns is missing after migrating storage of Linked Clone
Workaround: Use the Flex console with an old OS image that has Flash access.
Horizon Connection Server
If you edit an Instant Clone pool while the initial publish operation is going on, you might see a "Could not find golden image in the vCenter Server " error. This is expected behavior, so you can ignore this error. It will disappear when the publish is finished.
Cannot select the datastore root folder to place the persistent disk with Horizon Console while performing a detach operation with a different datastore.
Workaround: Use subfolders to place the persistent disks.
Agent version does not display properly in spreadsheet when downloaded from the Inventory > Machine page.
Workaround: Download data from the Inventory > Desktop Pool > Machines page instead.
PCoIP is not working when connected with smart card on a physical Agent machine.
Workaround: None.
Customers connecting their Horizon 8 pods to the Horizon Cloud next-gen control plane to consume the Horizon SaaS Subscription licensing (Universal License and Plus License) see an incorrect license expiration date in the Horizon Console.
Workaround: Ignore the License Expiration field in Horizon Console and refer to the customer connect portal for the actual expiration date. See https://kb.vmware.com/s/article/91037 for details.
Horizon Agent
Failed to connect to RDSH pool or RDSH app using BLAST/PCoIP protocol after upgrading Horizon agent to 7.13.2.
Workaround: Restart the agent machine twice after upgrade to launch using BLAST and PCoIP.
Desktop hosted application displays the Agent desktop's Windows update restart notification in the client machine's system tray.
Workaround: None
When user profile loads for the first time on the machine, the desktop hosted application launch window covers the full screen and there is no way to minimize it. This is more of an issue for Instant Clone pools because they load the profile every time and manual pools do not have this issue for subsequent logins.
Workaround: None
Horizon Client
The Clean up credential when tab closed for HTML Access feature is not working with Firefox in Microsoft Windows. Workaround: Use Chrome or Microsoft Edge browser.