Released 15 October 2020

These release notes include the following topics:

• What's New in This Release
• Note Regarding Upgrade
• Before You Begin
• Internationalization
• Compatibility Notes
• Supported Windows 10 Operating Systems
• Prior Releases of Horizon 7
• Known Issues
• Resolved Issues

What's New in This Release

VMware Horizon 7 version 7.13 provides the following new features and enhancements. This information is grouped by installable component.

• Horizon Agent
• Product Enhancements
• Adobe Flash Player End of Life
• Horizon Connection Server On-Premises
• Horizon Agent for Linux
• Horizon GPO Bundle
• Horizon Client
• Horizon 7 Cloud Connector
• Horizon 7 Deployed on VMware Cloud on AWS

For information about the issues that are resolved in this release, see Resolved Issues.

Horizon Agent

• Log4j update for CVE-2021-44228 and CVE-2021-45046 

  Updated Log4j version to version 2.16 which is not vulnerable to CVE-2021-44228 or CVE-2021-45046.

  Note the following:

  • Currently released 7.13.0 Horizon Agent build 19067039 (release date 12/16/2021) is not vulnerable to CVE-2021-44228 or CVE-2021-45046.
  • Previously released 7.13.0 Horizon Agent build 16975066 (release date 10/15/2020) is vulnerable to both CVE-2021-44228 and CVE-2021-45046 only if the vRealize Operations feature in Horizon desktop agent is installed.
• Remote Experience
  • You can configure media optimization for Microsoft Teams. See Configuring Media Optimization for Microsoft Teams.
  • You can optimize cursor handling by configuring Windows registry settings. See Configuring Windows Registry Settings for Cursor Event Handling.
  • Client system information has a new registry key: ViewClient_Broker_Request_Path.

Product Enhancements

The VMware Horizon 7 version 7.13 release includes many new features and enhancements to Horizon Connection Server and Horizon Agent, including continuing to build on the feature parity of Horizon Console, the HTML5-based web console that replaces the Flash-based Horizon Administrator web interface.

Beginning with Horizon 2006, Horizon Administrator and Security Server are no longer supported. See No Longer Supported Features in This Release.

Adobe Flash Player End of Life

Since Adobe ended support for Adobe Flash Player after December 31, 2020, you can no longer use Horizon Administrator. You can switch to Horizon Console. The following features are not available in Horizon Console:

• ThinApp integration into desktop pools (ThinApp still works)
• Security Server management

For more information about the impact of Adobe Flash Player EOL on VMware products, see https://kb.vmware.com/s/article/78589. For the Horizon 7 version 7.13 support plan, see https://kb.vmware.com/s/article/81189.

Horizon Connection Server On-Premises

• Security

  There has been a security enhancement to address CVE-2020-1938, regarding incoming connections to Apache Tomcat. For details of this issue, see CVE-2020-1938.

  Note: This enhancement was implemented in Horizon 7.12.

• Horizon Console (HTML5-based Web Interface)
  There are several enhancements to Horizon Console. These include:
  • You can configure how long an idle Horizon Console session continues before the Connection Server session times out. See Global Settings for Client Sessions in Horizon Console.
  • You can enable the setting Accept logon as current user to allow Connection Server to accept the user identity and credential information that is passed when users select Log in as current user. See Using the Log In as Current User Feature Available with Windows-Based Horizon Client.
• Cloud Pod Architecture
  • The --htmlAccess and --disableHtmlAccess options are removed from the --updateGlobalEntitlement and --updateGlobalApplicationEntitlement lmvutil commands. The --htmlAccess option is also removed from the --createGlobalEntitlement and --createGlobalApplicationEntitlement lmvutil commands.
  • When you create or modify a global entitlement in Horizon Console, the HTML Access option is removed.
• Published Desktops and Applications
  • When you create or modify a farm in Horizon Console, the Allow HTML Access to desktops and applications on this farm option is removed. To prevent HTML Access to a published desktop or application, either do not install HTML Access support when you install Connection Server, or use the client restriction feature to block access.
  • You can select VDS 7.0 as an ephemeral port when creating an automated instant-clone farm. See Worksheet for Creating an Automated Instant-Clone Farm.
  • Horizon automatically chooses to provision instant clones directly from replicaVM, without creating any parentVM. This feature is called Smart Provisioning. See Creating Farms in Horizon Console.
• Virtual Desktops
  • When you create or modify an instant-clone desktop pool or an automated pool that contains full-clone virtual machines in Horizon Console, the HTML Access option is removed. To prevent HTML Access to a desktop pool, either do not install HTML Access support when you install Connection Server, or use the client restriction feature to block access.
  • You can select VDS 7.0 as an ephemeral port when creating instant clones. See Worksheet for Creating an Instant-Clone Desktop Pool.
  • Horizon automatically chooses to provision instant clones directly from replicaVM, without creating any parentVM. This feature is called Smart Provisioning. See Instant-Clone Desktop Pools.
  • Horizon Agent installer allows you to modify already installed components without needing to uninstall and reinstall Horizon Agent. See Modify Installed Components with the Horizon Agent Installer. You can also modify features silently. See Install Horizon Agent Silently.
  • You can run virtual machines on Hyper-V hypervisor. See Running Virtual Machines on Hyper-V.
  • VMware Update Manager can update ESXi hosts when performing maintenance on instant-clone hosts. See Perform Maintenance on Instant-Clone Hosts. 
• Event Database
  • Additional columns are added to the event database. After a Connection Server upgrade, you can run DML update scripts to populate the data in these additional columns in the event database. See the VMware Knowledge Base article 80781.
• IPv6 Support
  • vSAN is supported in an IPv6 environment. See Other Supported Features in an IPv6 Environment.

Horizon Agent for Linux

• New Supported Distributions
  Horizon Agent for Linux is now supported on Ubuntu 20.04.
• High Efficiency Video Coding (HEVC)
  Horizon Agent for Linux supports the HEVC encoder for compressing video data. HEVC provides higher image quality than H.264 at the same bandwidth. You can set two new configuration parameters in /etc/vmware/config: RemoteDisplay.allowHEVC and RemoteDisplay.allowHEVCYUV444. The existing parameters RemoteDisplay.qpmaxH264 and RemoteDisplay.qpminH264 now apply to either H.264 or HEVC, depending on which encoder is used. See Features of Horizon Linux Desktops, Setting Options in Configuration Files on a Linux Desktop, and Example Blast Settings for Linux Desktops. 

Horizon GPO Bundle

• The VMware Virtualization Pack for Skype for Business ADMX template file, vdm_agent.admx, has a modified setting Force Skype for Business in non-optimized mode.
• Microsoft Teams has a new GPO in the VMware WebRTC Redirection policy folder:
  • Enable sharing the client desktop screen while remoting the Microsoft Teams application in application sharing mode
• The VMware Blast ADMX template file, vdm_blast.admx, contains the following new setting:
  • Cursor warping
• The VMware Integrated Printing ADMX template file, printerRedirection.admx, contains the following new setting:
  • Do not redirect client printer(s)
• The View Agent Direct-Connection Plug-in Configuration has a new GPO setting for Log On As Current User:
  • Allow NTLM Fallback

Horizon Client

For information about new features in Horizon Client 5.5, including HTML Access 5.5, see the release notes on the Horizon Clients Documentation page.

Horizon 7 Cloud Connector

Applicable to VMware Horizon Universal License customers. The Horizon Cloud Connector virtual appliance is a required component for Horizon 7 version 7.6 and later, to support the management of Horizon 7 pods using Horizon Cloud Service.

Horizon 7 Deployed on VMware Cloud on AWS

For a list of Horizon 7 features supported on VMware Cloud on AWS, see the VMware Knowledge Base article 58539.

Note Regarding Upgrade

If pae-ClientSSLCipherSuites or pae-ServerSSLCipherSuites have values in the Active Directory Application Mode (ADAM) database, you must reset those values and make sure they are empty (<not set>) and then reboot all the connection servers before performing the upgrade. Failure to do this will prevent you from being able to connect to the Horizon console after upgrade.

Before You Begin

• Important note about installing VMware View Composer
  If you plan to install or upgrade to View Composer 7.2 or later, you must upgrade the Microsoft .NET framework to version 4.6.1. Otherwise, the installation will fail.
• Important note about installing VMware Tools
  If you plan to install a version of VMware Tools downloaded from VMware Product Downloads, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the VMware Product Interoperability Matrix, select the solution VMware Horizon View and the version, then select VMware Tools (downloadable only).
• If you want to install View Composer silently, see the VMware Knowledge Base (KB) article 2148204, Microsoft Windows Installer Command-Line Options for Horizon Composer.
• This Horizon 7 release includes new configuration requirements that differ from some earlier releases. See the Horizon 7 Upgrades document for upgrade instructions.
• For supported upgrade paths, see the VMware Product Interoperability Matrix.
• Any Horizon 7.13.x release can be upgraded to any Horizon 8.x release as long as that Horizon 8.x release was generally available after the Horizon 7.13.x release.
• If you intend to upgrade a pre-6.2 installation of Horizon 7, and the Connection Server, security server, or View Composer server uses the self-signed certificate that was installed by default, you must remove the existing self-signed certificate before you perform the upgrade. Connections might not work if the existing self-signed certificates remain in place. During an upgrade, the installer does not replace any existing certificate. Removing the old self-signed certificate ensures that a new certificate is installed. The self-signed certificate in this release has a longer RSA key (2048 bits instead of 1024) and a stronger signature (SHA-256 with RSA instead of SHA-1 with RSA) than in pre-6.2 releases. Note that self-signed certificates are insecure and should be replaced by CA-signed certificates as soon as possible, and that SHA-1 certificates are no longer considered secure and should be replaced by SHA-2 certificates.
  Do not remove CA-signed certificates that were installed for production use, as recommended by VMware. CA-signed certificates will continue to work after you upgrade to this release.
• After you have performed a fresh install or upgraded all Connection Server instances to Horizon 7 version 7.2 or later, you cannot downgrade the Connection Server instances to a version earlier than Horizon 7 version 7.2 because the keys used to protect LDAP data have changed. To keep the possibility of downgrading Connection Server instances while planning an upgrade to Horizon 7 version 7.2 or later, you must perform an LDAP backup before starting the upgrade. If you need to downgrade the Connection Server instances, you must downgrade all Connection Server instances and then apply the LDAP backup to the last Connection Server that is downgraded.  
• Selecting the Scanner Redirection setup option with Horizon Agent installation can significantly affect the host consolidation ratio. To ensure the optimal host consolidation, make sure that the Scanner Redirection setup option is only selected for those users who need it. (By default, the Scanner Redirection option is not selected when you install Horizon Agent.) For users who need the Scanner Redirection feature, configure a separate desktop pool and select the setup option only in that pool.
• Horizon 7 uses only TLSv1.1 and TLSv1.2. In FIPS mode, it uses only TLSv1.2. You might not be able to connect to vSphere unless you apply vSphere patches. For information about re-enabling TLSv1.0, see Enable TLSv1 on vCenter Connections from Connection Server and Enable TLSv1 on vCenter and ESXi Connections from View Composer in the Horizon 7 Upgrades document.
• FIPS mode is not supported on releases earlier than 6.2. If you enable FIPS mode in Windows and upgrade Horizon Composer or Horizon Agent from a release earlier than Horizon View 6.2 to Horizon 7 version 7.2 or later, the FIPS mode option is not shown. You must do a fresh install instead to install Horizon 7 version 7.2 or later in FIPS mode.
• Linux desktops use port 22443 for the VMware Blast display protocol.
• Starting with Horizon 7 version 7.2, it is possible that the ordering of cipher suites can be enforced by Connection Server. For more information, see the Horizon 7 Security document.
• Starting with Horizon 7 version 7.2, Connection Server must be able to communicate on port 32111 with other Connection Servers in the same pod. If this traffic is blocked during installation or upgrade, installation will not succeed.
• Starting with Horizon 7 version 7.3.2, TLS handshakes on port 443 must complete within 10 seconds, or within 100 seconds if smart card authentication is enabled. In previous releases of Horizon 7, TLS handshakes on port 443 were allowed 100 seconds to complete in all situations. You can adjust the time for TLS handshakes on port 443 by setting the configuration property handshakeLifetime. Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by setting the configuration property secureHandshakeDelay. For more information about setting configuration properties, see the Horizon 7 Security document.
• When the Remote Desktop Services role is not present, the Horizon Agent installer prompts you to install Horizon Agent in RDS mode or desktop mode.
• In environments with many datastores (100+), the Desktop Pool creation wizard may not display all available datastores for selection. For more information, see VMware Knowledge Base article 88151.

Top of Page

Internationalization

The Horizon Administrator and Horizon Console user interface, Horizon Administrator and Horizon Console online help, and Horizon 7 product documentation are available in Japanese, French, German, Spanish, simplified Chinese, traditional Chinese, and Korean. For the documentation, see the Documentation Center for VMware Horizon 7.

Top of Page

Compatibility Notes

• For information about support for Azure Active Directory, see https://kb.vmware.com/s/article/89127.
• For the supported guest operating systems for Horizon Agent on single-user machines and RDS hosts, see VMware Knowledge Base (KB) article 2150295, Supported Windows Versions for Remote Desktop Systems for Horizon Agent.
• If you use Horizon 7 servers with a version of View Agent older than 6.2, you will need to enable TLSv1.0 for PCoIP connections. View Agent versions that are older than 6.2 support the security protocol TLSv1.0 only for PCoIP. Horizon 7 servers, including connection servers and security servers, have TLSv1.0 disabled by default. You can enable TLSv1.0 for PCoIP connections on these servers by following the instructions in VMware Knowledge Base (KB) article 2130798, Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later.
• For the supported Linux guest operating systems for Horizon Agent, see System Requirements for Horizon 7 for Linux in the Setting Up Horizon 7 for Linux Desktops document.
• For the supported operating systems for Connection Server, security server, and View Composer, see System Requirements for Server Components in the Horizon 7 Installation document.
• Horizon 7 functionality is enhanced by an updated set of Horizon Clients provided with this release. For example, Horizon Client 4.0 or later is required for VMware Blast Extreme connections. See the VMware Horizon Clients Documentation page for information about supported Horizon Clients.
• The instant clones feature requires vSphere 6.0 Update 1 or later.
• Windows 7 and Windows 10 are supported for instant clones, but not Windows 8 or Windows 8.1.
• See the VMware Product Interoperability Matrix for information about the compatibility of Horizon 7 with current and previous versions of vSphere.
• For the supported Active Directory Domain Services (AD DS) domain functional levels, see Preparing Active Directory in the Horizon 7 Installation document.
• For more system requirements, such as the supported browsers for Horizon Administrator, see the Horizon 7 Installation document.
• RC4, SSLv3, and TLSv1.0 are disabled by default in Horizon 7 components, in accordance with RFC 7465, "Prohibiting RC4 Cipher Suites," RFC 7568, "Deprecating Secure Sockets Layer Version 3.0," PCI-DSS 3.1, "Payment Card Industry (PCI) Data Security Standard", and SP800-52r1, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations." If you need to re-enable RC4, SSLv3, or TLSv1.0 on a Connection Server, security server, View Composer, or Horizon Agent machine, see Older Protocols and Ciphers Disabled in Horizon in the Horizon 7 Security document.
• If a PCoIP Secure Gateway (PSG) has been deployed for PCoIP connections, zero client firmware must be version 4.0 or later.
• When using Client Drive Redirection (CDR), deploy Horizon Client 3.5 or later and View Agent 6.2 or later to ensure that CDR data is sent over an encrypted virtual channel from an external client device to the PCoIP security server and from the security server to the remote desktop. If you deploy earlier versions of Horizon Client or Horizon Agent, external connections to the PCoIP security server are encrypted, but within the corporate network, the data is sent from the security server to the remote desktop without encryption. You can disable CDR by configuring a Microsoft Remote Desktop Services group policy setting in Active Directory. For details, see Managing Access to Client Drive Redirection in the Configuring Remote Desktop Features in Horizon 7 document.
• The USB Redirection setup option in the Horizon Agent installer is deselected by default. You must select this option to install the USB redirection feature. For guidance on using USB redirection securely, see Deploying USB Devices in a Secure Horizon 7 Environment in the Horizon 7 Security document.
• The Global Policy, Multimedia redirection (MMR), defaults to Deny. To use MMR, you must open Horizon Administrator, edit Global Policies, and explicitly set this value to Allow. To control access to MMR, you can enable or disable the Multimedia redirection (MMR) policy globally or for an individual pool or user. Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.
• Before you set the level of Transparent Page Sharing (TPS) in Horizon Administrator, VMware recommends that the security implications be understood. For guidance, see the VMware Knowledge Base (KB) article 2080735, Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing.
• To use View Storage Accelerator in a vSphere 5.5 or later environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.
• Horizon 7 does not support vSphere Flash Read Cache (formerly known as vFlash).
• In Horizon (with View) version 6.0 and later releases, the View PowerCLI cmdlets Get-TerminalServer, Add-TerminalServerPool, and Update-TerminalServerPool have been deprecated.
• Screen DMA is disabled by default in virtual machines that are created in vSphere 6.0 and later. View requires screen DMA to be enabled. If screen DMA is disabled, users see a black screen when they connect to the remote desktop. When Horizon 7 provisions a desktop pool, it automatically enables screen DMA for all vCenter Server-managed virtual machines in the pool. However, if Horizon Agent is installed in a virtual machine in unmanaged mode (VDM_VC_MANAGED_AGENT=0), screen DMA is not enabled. For information about manually enabling screen DMA, see VMware Knowledge Base (KB) article 2144475, Manually enabling screen DMA in a virtual machine.
• vGPU enabled instant clone desktop pools are supported for vSphere 6.0 and later.
• Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the Horizon 7 environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
• In Horizon 7 version 7.2 or later, the viewDBChk tool will not have access to vCenter or View Composer credentials and will prompt for this information when needed.
• The forwarding rules for HTTP requests received by Connection Server instances and security servers have changed at this release. If you have defined custom frontMapping entries in locked.properties, you should remove them before upgrading. If you wish to disallow administrator connections to certain Connection Server instances, then instead of defining custom frontMapping entries, add this entry to locked.properties:

  frontServiceWhitelist = tunnel|ajp:broker|ajp:portal|ajp:misc|moved:*|file:docroot

  On security servers, this entry is applied automatically and does not need to be set in locked.properties.
• Horizon Persona Management is not compatible with User Writable Volumes created with the UIA + Profile template.
• In Horizon 7 version 7.0.3 or later, internal validation checks determine if the instant clone and internal template have valid IP addresses and a network connection. If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails.
• For information about the models of NVIDIA GPU cards supported by Horizon 7, see https://docs.nvidia.com/grid/9.0/product-support-matrix/index.html.
• AMD v340 graphics cards are supported.
• Real-Time Audio-Video (RTAV) is supported in an IPv6 environment.
• See the VMware Product Interoperability Matrix for information about the compatibility of Horizon 7 with the latest versions of VMware Unified Access Gateway, VMware Identity Manager, VMware App Volumes, VMware Dynamic Environment Manager, and VMware Tools.
• PCoIP is not supported with RDSH instant clone pools in an IPv6 environment. PCoIP is supported with remote desktops in an IPv6 environment.
• Starting with version 18.2.7, Avi Networks (VMware NSX Advanced Load Balancer) supports load balancing for Connection Server, Unified Access Gateway appliances, and App Volumes Manager.
• True SSO and Smart Card based SSO/Logon are not supported with Horizon on Windows 10 2004.
• Instant clones are available with Standard and Advanced licenses.
• Carbon Black sensor 3.6 is compatible with instant clones. See Interoperability of VMware Carbon Black and Horizon.
• Instant clones with multiple-NIC configuration are not currently supported.

Supported Windows 10 Operating Systems

For an updated list of supported Windows 10 operating systems, see VMware Knowledge Base (KB) article 2149393,  Supported Versions of Windows 10 on Horizon 7.
For more information on upgrade requirements for Windows 10 operating systems, see VMware Knowledge Base (KB) article 2148176,  Upgrade Requirements for Windows 10 Operating Systems here.

Top of Page

Prior Releases of Horizon 7

Features that were introduced in prior releases are described in the release notes for each release, along with existing known issues.

Resolved Issues

The number provided before each resolved issue refers to the VMware internal issues tracking system.

• 2611802: After installing Horizon Agent, a Windows Server 2016 unmanaged desktop appears as an RDS Host instead of a desktop in Horizon Administrator.

• 2506831: Start menu does not work on Windows 10 2004 64-bit and 32-bit machines with Persona installed.

• 2413211: A deleted file or folder is not removed from a Windows Roaming Profile Synchronization enabled folder of Persona remote profile.

• 2594225: Logon fails at first logon after recomposing or refreshing a desktop where Persona and DSVA are enabled. See KB 80951.

• 2638685: VMware Persona Service crashes, resulting in users experiencing application issues after installing Microsoft Windows Defender ATP and Microsoft Bitlocker.

Known Issues

The known issues are grouped as follows.

• Horizon Persona Management
• View Composer
• Horizon Connection Server
• Horizon Agent for Linux
• Horizon Agent
• Horizon GPO Bundle
• Horizon Client
• Horizon Cloud Connector

Horizon Persona Management

• After every login, Persona Management takes a long time to replicate the first user persona on a guest operating system that uses the "v6" version of the user profile.

• When you log in to a Windows 10 LTSB machine using a persona profile and try to access redirected folders from Quick Access, such as Downloads or My Documents, you get this error:

  C:\Users\vdiuser7\Downloads is unavailable. Microsoft doesn't provide the API to add folder or file to Quick Access.
  Workaround: None

• When you log into a VM configured with Persona Management for the second time, the Microsoft Edge browser crashes and an error message that states the OneDrive application has never been used appears. Additionally, the files and folders cannot be replicated properly. This issue occurs with Windows 10 build 1703 and later.
  Workaround: Disable the Persona Management setting Roam Local Settings Folders. When you disable this setting, the Microsoft Edge browser works properly but the OneDrive application is only available when you log in for the first time.

• Offline icons are not displayed for files on a Windows Server 2012 virtual machine with Horizon Persona Management setting enabled.
  Workaround: None known.

• After a successful initial login to a virtual machine with Horizon Agent installed on Windows 10 version 1703 CBB system and with Persona Management enabled, the "OneDrive -Bad Image error" message is displayed during subsequent login attempts.

  Workaround:   Do not use OneDrive on your Windows 10 version 1703 CBB system. In the Group Policy Management Editor, disable the "Roam local settings folders" setting in the Computer Configuration > Policies > Administrative Templates > VMware View Agent Configuration > Persona Management > Roaming & Synchronization folder.

• A replicated Persona profile does not include Administrator permission.

  Workaround: To manage user profiles in the repository, the Administrator Security group must be given permission on profiles when replicating. Before any new users log in, enable the group policy Add the Administrators security group to roaming user profiles located in Computer Configuration -> Administrative Templates -> System -> User Profiles.

• Removing a local persona profile at logoff fails in Deep Security Environment and also occurs on subsequent login and logoff.

  Workaround: None.

• Windows renews its HKCU registries and the Persona Features installed change every time a user logs in.

  Workaround: Leave one of the default folders in the profile (such as Music, Pictures, Downloads, etc) out of "Files and folders excluded from roaming".

View Composer

• When you run View Composer installer on Windows Server 2016 with the latest Windows update from command line, you get a Microsoft
  .NET 4.6 framework error. This issue occurs because the CLI installer is not able to recognize latest version of Microsoft .NET 4.7.
  Workaround: Use the View Composer installer user interface to run the installer.

• Creating or recomposing desktop pools fails after you upgrade the parent virtual machine from build 1511 to build 1607 of the Windows 10 operating system. Build 1607 is the Windows 10 Anniversary Update operating system.
  Workaround:
  • Option 1. Perform a fresh installation of Windows 10 Build 1607 on the parent virtual machine.
  • Option 2. Do not select "Redirect disposable files"in the desktop pool creation wizard.

• Connection to View Composer fails when you run the following command: viewdbchk.cmd –findMachine
  Workaround: Import the self-signed certificate for View Composer into Connection Server's keystore or use a custom CA certificate.

• Due to recent changes to the Guest Customization utility on vSphere 6.7, during an Horizon 7 upgrade to version 7.5 you cannot use View Composer 7.5 with an earlier version of Horizon Agent for provisioning and recomposing linked-clone pools using the Sysprep customization method. The linked-clone desktops and farms get stuck indefinitely in the customization state during provisioning or recomposing operations.
  Workaround: Upgrade to the latest version of VMware Tools and upgrade Horizon Agent to version 7.5 on the parent virtual machine and take a snapshot of the upgraded parent virtual machine. Then, provision or recompose linked-clone desktop pools using the Sysprep customization method on vSphere 6.7.

• Linked clones get stuck in the customizing state for Win2k12 Standard and Datacenter versions.
  Workaround: For more information on how to fix this issue, see the VMware KB article https://kb.vmware.com/s/article/57348.

Horizon Connection Server

• During provisioning of an instant-clone desktop pool, if there is not enough space available on the data stores, the error message that is displayed in Horizon Administrator is "Cloning of VM <VM name> has failed -VC_FAULT_FATAL: Failed to extend swap file from 0 KB to 2097152 KB." This message does not clearly indicate the root cause of the problem.
  Workaround: Increase enough space in the datastore.
• In Horizon Administrator, if you go to Catalog> Desktop Pools, double-click an instant-clone desktop pool, go to the Inventory tab and click Machines (Instant Clone Details), the window displays details of the instant clones. However, the OS Disk data store column displays no information.
  Workaround: None
• In a large scale environment, some of the desktops in an instant-clone desktop pool might go into the Invalid IP state.
  Workaround: In Horizon Administrator, go to Pool Inventory, select the desktops in the Invalid IP state and click Recover.
• When you restart or reset a virtual machine for which an end user session exists in a desktop pool from vCenter Server or from the Windows Operating System menu, the virtual machine restarts but the status of the virtual machine might appear in the “Already Used” state in Horizon Administrator.
  This problem can occur for the following pool types:
  • Instant-clone desktop pools.
  • Linked-clone floating desktop pools with "Delete on log Off" enabled.
  • Linked-clone floating desktop pools with "Refresh on log Off" enabled.
  • Full-clone floating desktop pools with "Delete on log Off" enabled.
  Workaround: Use Horizon Administrator or Horizon Client to restart or reset the virtual machine in the instant-clone desktop pool. If the virtual machine is already in the “Already Used” state, remove the virtual machine. This action automatically creates a new virtual machine based on the pool provisioning settings.

• If you provision instant clones on local datastores, the corresponding hosts cannot be put into maintenance mode. This occurs because the internal VMs and the instant clones are stored on local datastores so they cannot be migrated.
  Workaround: Delete the instant-clone desktop pool. This will delete the related VMs and enable the corresponding hosts to enter maintenance mode.

• ESXi host remediation that uses VUM fails if the instant-clone Parent VM is present on the host in a powered-on state
  Workaround: For more information,see the VMware Knowledge Base (KB) article 2144808, Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones. 

• Universal Windows Platform (UWP) applications are not supported as published applications on Windows Server 2016 and Windows Server 2019 RDS hosts.

• For True SSO, the connectivity status between the Connection Server instance and the enrollment server is displayed only on the System Health Status dashboard for the connection server that you are using to access Horizon Administrator. For example, if you are using https://server1.example.com/admin for Horizon Administrator, the connectivity status to the enrollment server is collected only for the server1.example.comconnection server. You might see one or both of the following messages:
  • The primary enrollment server cannot be contacted to manage sessions on this connection server.
  • The secondary enrollment server cannot be contacted to manage sessions on this connection server.
  It is mandatory to configure one enrollment server as primary. Configuring a secondary enrollment server is optional. If you have only one enrollment server, you will see only the first message (on error). If you have both a primary and a secondary enrollment server and both have connectivity issues, you will see both messages.

• When you set up True SSO in an environment with CAs and SubCAs with different templates setup on each of them, you are allowed to configure True SSO with a combination of template from a CA or SubCA with another CA or SubCA. As a result, the dashboard might display the status of True SSO as green. However, it fails when you try to use True SSO.

• In Horizon Help Desk Tool, the pod name does not appear if the session is a local session or a session running in the local pod.
  Workaround: Set up the Cloud Pod Architecture environment to view pod names in Horizon Help Desk Tool.

• The Workspace ONE mode setting does not get reflected in the replica server from Workspace ONE.
  Workaround: Configure the Workspace ONE mode in Connection Server.

• When you create full-clone desktop pools, sometimes wrong templates are displayed and valid templates are hidden due to a cache issue.
  Workaround: Restart Connection Server.
• When you try to add a SAML authenticator in Horizon Administrator, the Add button is disabled on the Manage SAML Authenticators page.
  Workaround: Log in to Horizon Administrator as a user who has the Administrators or Local Administrators role.

• In a Cloud Pod Architecture environment, pre-launched application sessions from global application entitlements are not shown in Inventory > Search Sessions in Horizon Administrator.
  Workaround: Log in to the Horizon Administrator user interface for a Connection Server instance in the hosting pod and select Monitoring > Events to view pre-launched session information.

• For Intel vDGA, only the Haswell and Broadwell series of Intel integrated GPUs are supported. Broadwell integrated GPUs are supported only on vSphere 6 Update 1b and later. Haswell integrated GPUs are supported on vSphere 5.5 and later. The GPU must be enabled in the BIOS before it can be recognized by ESXi. For more information, see the documentation for your specific ESXi host. Intel recommends leaving the graphics memory settings in the BIOS set to their default values. If you choose to change the settings, keep the aperture setting at its default (256M).

• Provisioning of virtual machines based on View Composer desktop pools configured to use NVIDIA GRID vGPU fails with the following error: The amount of graphics resource available in the parent resource pool is insufficient for the operation.
  Workaround: Use a single vGPU profile for all virtual desktops configured for 3D rendering in a cluster.

• For vCenter Server 6.0 U3 or later, including vCenter Server 6.5, internal parent VMs migrate to another host during failure. This migration causes an issue because unnecessary parent VMs reside on the destination host.
  Workaround: Manually remove these parent VMs. For more information, see the Setting Up Virtual Desktops in Horizon 7 document.

• To reduce the possibility of memory exhaustion, vGPU profiles with 512 MB or less of frame buffer support only one virtual display head on a Windows 10 guest operating system.
  
  The following vGPU profiles have 512 Mbytes or less of frame buffer:

  • Tesla M6-0B, M6-0Q
  • Tesla M10-0B, M10-0Q
  • Tesla M60-0B, M60-0Q
  • GRID K100, K120Q
  • GRID K200, K220Q

  Workaround: Use a profile that supports more than one virtual display head and has at least one GB of frame buffer.

• Published desktops and application pools fail to launch if they have the client restriction feature enabled and are entitled to a domain that is configured with a one-way AD trust.
  Workaround: None

• After an upgrade, the option to add a farm is grayed out if you have a role with the "Manage Farms and Desktops and Application Pools" (object-specific privilege).
  Workaround: Edit the role or create the role again with the "Manage Farms and Desktops and Application Pools" privilege, which also adds the “Manage Global Configuration and Policies” privilege.

• When you have a Horizon version older than 7.13 which supports Login as Current User (LACU) and you have enabled LACU in your setup and now want to upgrade to Horizon 7.13, after logging in using the Horizon Client through LACU, the desktop or application prompts you to provide user credentials.

  Workaround: See KB 82489.

• After an upgrade, the bookmarks do not appear in Workspace ONE.
  Workaround: Add the bookmarks from the catalog in Workspace ONE again.

• After you disconnect and reconnect the network cable and click "Disconnect and Log Off" on the client machine, the remote desktop does not disconnect and log off.

  Workaround: Manually close the window of the remote desktop and disconnect from the remote session.

• In Horizon Administrator, the ready to complete step does not does not display values for many fields during the cloning process for an automated pool containing full virtual machines. However, the cloning operation succeeds.
  Workaround: None.

• When you create linked clones and full clones with the Sysprep customization method, customization and domain joining sometimes fails on Windows 10 guest operating systems.
  Workaround: This occurs because of a Microsoft Windows issue. To resolve this issue, follow the steps in the Microsoft Knowledge Base (KB) article: https://support.microsoft.com/en-us/help/2769827.

• You cannot create a linked-clone desktop pool  or farm in Horizon Console if there is no Horizon 7 license configured.
  Workaround: Use Horizon Administrator to create a linked-clone desktop pool or farm without a Horizon 7 license.

• Log in to Horizon Console from the Internet Explorer browser displays only keywords instead of  icons. This issue occurs when you connect to a Connection Server or security server using an IP address instead of a DNS name.
  Workaround: Use a DNS name instead of an IP address when connecting. For more information, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/2150307.

• When you use Safari version 10.1.1 as the Web browser to log in to Horizon Console with a Fully Qualified Domain Name, user interface issues such as the bottom panels appearing blank can occur.
  Workaround: Safari version 10.1.1 is not a supported Web browser version for Horizon Console. Use a Safari version earlier than version 10.1.1 or version 11.0.2 and later to log in to Horizon Console.

• The following user interface issues occur in Horizon Help Desk Tool for global Linux sessions in a Cloud Pod Architecture deployment:

  • An internal error occurred message appears, the Skype for Business status is not displayed, and the operating system version displays as “-” when you click the session details on the Details tab.
  • A “failed to get Remote Assistance ticket” message appears when you click Remote Assistance.
  • An internal error occurred message appears when you click the Applications tab.

  Workaround: None. Horizon Help Desk does not support the following user interface features for Linux desktops: Skype for Business status, Remote Assistance, Applications tab, and the session idle status.

• Horizon Administrator does not update the space reclamation information for a vCenter Server on vSphere version 6.7 that uses the VMFS6 with the automatic UNMAP feature. 
  Workaround: None.

• After an upgrade to Horizon 7 version 7.5, only the first Connection Server that was installed can connect to the enrollment server.
  Workaround: Stop the Horizon Connection Server service, remove certificates with the friendly name “vdm.ec” from the VMware Horizon View Certificates store, and restart the Horizon Connection Server service.

• Login to Horizon Console fails if you use the IP address to login to Horizon Console on a Firefox, Google Chrome, Microsoft Edge, Firefox, or Safari Web browser.
  Workaround: Use the Fully Qualified Doman Name (FQDN) to login to Horizon Console. For more information on using FQDN to log in to Web applications, see the Horizon 7 Security document. 

• Horizon Administrator displays null/null in the user name column in the Users and Groups page for the following users: Account Operators, Incoming Forest Trust Builders, Terminal Server License Servers, Windows Authorization Access Group, Server Operators, and Pre-Windows 2000 Compatible Access.
  Workaround: None.

• After an upgrade to vSphere 6.7, you cannot use the custom specification created with a vSphere version earlier than 6.7.
  Workaround: After an upgrade to vSphere 6.7, create a new custom specification and use this specification for pool provisioning.

• Horizon Help Desk Tool displays the logon time for both the brokering pod and the hosting pod but does not display the logon time for a pod that is neither the brokering pod nor the hosting pod. Horizon Help Desk Tool displays the logon time after a few minutes for the hosting pod if the brokering pod is a remote pod.
  Workaround: If Horizon Help Desk Tool does not display the logon time for the hosting pod, close the page that displays session details, wait 7-8 mins and navigate to the Details tab to view the session details again.

• VMware Identity Manager sometimes fails to launch desktops. When you save SAML configuration details for the first time in VMware Identity Manager with SAML enabled on Connection Server, desktops do not start.
  Workaround: Save the profile again and perform a sync operation on the new profile. The sync operation can occur every hour or day, as set by the administrator.

• Horizon Administrator on Chrome in incognito mode displays an error when you try to export a table's contents as CSV: The file cannot be exported because a file of the same name is currently open. Close the file and try again or use a different file name. 
  Workaround:  Use Horizon Administrator on Chrome in normal mode to export the table.

• When you use Sysprep to customize Windows 10 linked clones on vCenter Server 6.7, the linked-clone desktops get stuck indefinitely in the customization state during provisioning or recomposing operations.
  Workaround: Use vCenter Server 6.5 U2 or earlier. If you must use vCenter Server 6.7, then use the Quickprep customization method.

• In Horizon Administrator, you can add a remote access user as an unauthenticated access user. However, unauthenticated access users cannot get remote access from external gateways. The user will not be able to access virtual desktops and can only launch applications as an unauthenticated access user. If the user tries to login with normal access, an “Incorrect authentication type requested” error message appears.
  Workaround: None.

• Horizon Single Sign On fails when the scope of the trust authentication setting is set to “Selective Authentication".
  Workaround: Use one of the following workarounds to resolve this issue.

  • Use domain-wide authentication.
  • Continue to use the “Selective Authentication” security setting, but explicitly grant each Horizon Connection Server host (local system) accounts the "Allowed to Authenticate" permission on all the domain controllers of the computer objects (resource computers) that reside in the trusting domain or forest. For information on how to grant the "Allowed to Authenticate" permission, see the Microsoft article Grant the Allowed to Authenticate permission on computers in the trusting domain or forest."

• With the Cloud Pod Architecture feature, in certain circumstances RDS licensing servers issue multiple permanent licences to the same client in a mixed-mode licensing environment.

  Workaround: None. This problem is a third-party issue and is inline with the way Microsoft RDS license servers issue licenses, even without Horizon 7.

• In Horizon Administrator, the “Use VMware Virtual vSAN” option does not appear as selected in the Storage Optimization step during the cloning process for a linked clone pool or an automated pool containing full virtual machines created on a vSAN datastore. However, the cloning operation is successful.
  Workaround: None.

• The following issues occur when you browse the datastore while editing an automated desktop pool that contains full virtual machines:

  • On the vCenter Settings tab, click “Browse Datastore”, the minimum recommended GB value is displayed.
  • On the Provisioning Settings tab, increase the maximum number of machines, then select the vCenter Settings tab, and click “Browse Datastore.” The minimum recommended GB value increases but gets added to the existing value.
  • For a desktop pool that contains three machines with one available and one still in the customizing or provisioning phase, edit the desktop pool and then select the vCenter Settings tab, and click “Browse Datastore.” The minimum recommended GB value is displayed for the total of three machines.

  Workaround: Use Horizon Administrator to browse for a datastore while editing an automated desktop pool that contains full virtual machines to see the correct value for the minimum recommended GB storage.

• The following issues occur when you browse the datastore while editing instant-clone desktop pools:

  • After an instant-clone desktop pool has all the machines in the available state, edit the desktop pool, on the vCenter Settings tab, click “Browse Datastore”. The Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values have positive values.
  • After an instant-clone desktop pool has all the machines in the available state, edit the desktop pool, on the Provisioning Settings tab, increase the maximum number of machines, then on the vCenter Settings tab click “Browse Datastore”. The Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values increase but get added to the existing value.
  • For a desktop pool that contains three machines with one available and one still in the customizing or provisioning phase, edit the desktop pool and then select the vCenter Settings tab, and click “Browse Datastore.” The Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values are shown for all three machines.

  Workaround: Use Horizon Administrator to browse for a datastore while editing instant-clone desktop pools to see the correct Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values.

• After you create an automated desktop pool that contains full virtual machines with two or more names with the “#Unassigned machines kept powered on” value less than the actual names specified and then edit the pool, the “#Unassigned machines kept powered on” field does not accept a value equal to the total number of names specified during the pool creation process and displays an incorrect error message.
  Workaround: Use Horizon Administrator to edit the automated desktop pool that contains full virtual machines with two or more names to update the "#Unassigned machines kept powered on" field value correctly.

• Attempts to connect to the HTML Access portal or one of the administration consoles using an IP address or CNAME fails for most browsers without additional configuration. In the majority of these cases, an error is reported but sometimes a blank error message is displayed.
  Workaround: To resolve this issue, see “Origin Checking” in the Horizon 7 Security document.

• When configuring Skype for Business, there is an optional feature to enable Media Bypass which bypasses the Mediation Server.
  For Skype for Business optimized calls to and from PSTN users, media will always route through the Mediation Server regardless if Media Bypass is enabled.

  Workaround: None. Media Bypass is not supported with the Virtualization Pack for Skype for Business. See https://kb.vmware.com/s/article/56977

• If the same user exists in both Connection Server pods that need to be paired in a Cloud Pod Architecture environment, Horizon Administrator displays the value for “Source Pods” as 2 and sources the user from both pods. An administrator can edit the user from both pods, which might cause inconsistencies in user configuration during hybrid logon. Additionally, hybrid logon for the user cannot be disabled.
  Workaround: You must delete the user from both pods and then recreate the user and configure the user for hybrid logon.

• Core-dump error messages are generated while adding Virtual Volumes datastores on nested ESXi or nested virtual ESXi.
  Workaround: None.

• Both Horizon Administrator and Horizon Console display the internal folder names instead of the actual folder names when you browse a vSAN datastore to import a persistent disk.
  Workaround: None.

• In both Horizon Administrator and Horizon Console, custom roles with the Manage Help Desk (Read Only) privilege are shown as being applicable to access groups.
  Workaround: None.

• Users that have the Administrators (Read Only) role cannot see View Configuration > Cloud Pod Architecture in Horizon Administrator.
  Workaround: Use Horizon Console.

• In Horizon Administrator, when you add or edit a linked-clone farm that uses vSAN datastores, Blackout Times is disabled.
  Workaround: Use Horizon console to set blackout times for a linked-clone farm that uses vSAN datastores.

• In Horizon Administrator, the Rebuild button does not work in the machine summary of an automated desktop pool that contains full virtual machines.
  Workaround: In Horizon Administrator, use the rebuild functionality from Machines > vCenter Server.

• When you add a vCenter Server to Connection Server using an existing PowerShell script, the following error message appears: Failed to add vc instance: No enum constant com.vmware.vdi.commonutils.Thumbprint.Algorithm.SHA-1. This issue occurs because the certificateEncoding property that indicates a certificate override for self-signed certificates is added in Horizon 7 version 7.8. Therefore, earlier versions of VMware PowerCLI scripts that have an incorrect value of SHA-1 fail.
  Workaround: Update the PowerShell scripts to use the property value DER_BASE64_PEM instead of SHA-1. For example, set $certificate_override.sslCertThumbprintAlgorithm = 'DER_BASE64_PEM'.

• When a Universal Windows Platform (UWP) application is upgraded, the path containing the version changes, and the application is unreachable by the original path. The app status is Unavailable in Horizon Administrator and a user cannot launch the app.

  Workaround: Update the app path in Horizon Administrator after an upgrade and verify the app status is Available. Alternatively, do not upgrade the app.

• When device filtering is configured for the client drive redirection feature, and a user uses the RDP display protocol to connect, device filtering does not work.

  Workaround: When device filtering is configured for client drive redirection, configure Connection Server so that RDP connections are not allowed.

• The True SSO desktop unlock feature is supported in PCoIP and Blast protocols, but not in Remote Desktop Protocol (RDP).

• In Horizon Console, the user or group summary fails to load due to domain trust issues in the following cases:

  • When users and groups belong to a one-way trust domain and the logged in administrator has the necessary permissions from a one-way trust domain.
  • When users and groups belong to a two-way trust domain and the logged in administrator has the necessary permissions from a two-way trust domain.
  • When users and groups belong to a one-way or two-way trust domain and the logged in administrator is from the child domain and has the necessary permissions.

  Workaround: Use Horizon Administrator to access the user or group summary.

• In Horizon Console, some events might not be listed because the Connection Server time is set incorrectly with respect to the Connection Server time zone.
  Workaround: Use Horizon Administrator to view all events.

• You can recover an instant-clone virtual machine with an active session. This occurs in both Horizon Administrator and Horizon Console.
  Workaround: None.

• In Horizon Administrator and Horizon Console, when you remove vCenter Servers with detached persistent disks, Horizon Administrator still shows the disks from that vCenter, but the disks cannot be operated upon. Horizon Console does not show any detached disks, but displays internal error banners.
  Workaround: No known workaround. Verify that there are no detached disks from the vCenter Server before removal.

• Virtual machines installed with Windows 2019 and created by selecting Windows 2019 OS in vSphere Client for vSphere 7 are not listed or supported in Horizon 7.
  Workaround: Install Windows 2019 on the virtual machine by selecting the Windows 2016 OS version in vSphere Client.

• When you launch Horizon Administrator from the Horizon 7 Administrator Console icon or by entering https://localhost/admin or https://localhost/newadmin in the address bar of a browser, you are redirected to https://127.0.0.1/admin. This redirection to an IP address may result in an authentication failure, as described in VMware Knowledge Base (KB) article 2150307: Cannot login to a VMware Web application such as Horizon Administrator or Horizon Help Desk Tool.

  Workaround: To prevent redirection to an IP address, enter https://localhost/admin/ in the address bar of the browser (make sure to append “/” to the end of the URL).

• In Horizon Console, when you duplicate a linked-clone desktop pool that uses native NFS snapshot technology, the Duplicate Pool wizard does not display the “Use Native NFS Snapshots (VAAI)” option as selected on the advanced optimization step when disk space reclamation is enabled on the selected vCenter Server.
  Workaround: Manually select the “Use Native NFS Snapshots (VAAI)” option in the Duplicate Pool wizard.

• The Pre-launch and Use Home Site options do not work well together for global application entitlements. When you create a global application entitlement, if you enable both the Pre-launch and Use Home Site options, the pre-launched session might not be created from the home site. This problem occurs because the same session is used to start subsequent applications, and those sessions are not started from the home site.

  Workaround: None.

• The following error message can appear while installing or uninstalling Connection Server: "Error opening installation log file. Verify that the specified location exists and is writable." This error occurs due to a third-party Microsoft error. For details see: https://support.microsoft.com/en-in/help/2564571/error-opening-installation-log-file-verify-that-the-specified-location.
  Workaround: Restart the virtual machine on which the Connection Server is installed.

Horizon Agent for Linux

This section describes issues that might occur with Horizon Agent for Linux or when you configure a Linux desktop.

• Sometimes the Collaboration window might not appear after you connect to a remote desktop and click the Collaboration UI icon.

  Workaround: Resize the desktop window or reconnect to the remote desktop.

• Configuring four monitors at 2560x1600 resolution on RHEL 6.6 or CentOS 6.6 virtual machines in vSphere 6.0 is not supported.
  Workaround: Use 2048x1536 resolution or deploy this configuration in vSphere 5.5.

• The Linux agent's keyboard layout and locale do not synchronize with the client if the Keyboard Input Method System is set to fcitx.
  Workaround: Set the Keyboard Input Method System to iBus.

• Single Sign On (SSO) does not work well on a RHEL/CentOS 7.2 desktop when you add a domain using System Security Services Daemon (SSSD).
  Workaround: After you add a domain using SSSD, modify the /etc/pam.d/password-auth file using the information in the VMware Knowledge Base article 2150330 SSO configuration changes required when using SSSD to join AD on RHEL/CentOS 7.2 Desktops.

• When a client user authenticating with smart card redirection connects to an Ubuntu 16.04/18.04/20.04, SLED 12 SP3, or SLES 12 SP3/SP5 desktop and removes or reinserts the smart card before entering the PIN, the desktop does not appear to recognize the change.

  The desktop will only detect a change in the smart card's state after the user closes the prompt asking for the PIN.

  Workaround: At the prompt, enter the smart card PIN and click OK. Or click Cancel to dismiss the prompt without entering a PIN.

• On Ubuntu 16.04, if the administrator attempts to disable smart card redirection by setting VVC.ScRedir.Enable to "FALSE" in the /etc/vmware/config configuration file, the desktop will hang at the login screen.

• When a client user connects to an Ubuntu 16.04/18.04/20.04, SLED 12 SP3, or SLES 12 SP3/SP5 desktop, "Error 2306: No suitable token available" appears on the login screen.

  This error message indicates that a smart card has been removed from the client system. The user can log in to the desktop by entering the user password or reinserting the smart card.

• After connecting to an Ubuntu 16.04 desktop and entering the wrong PIN for smart card authentication, the client user encounters a login prompt to enter the user password instead of the smart card PIN.

  The client user can click OK to close the user password prompt. A new prompt appears asking the user to enter the smart card PIN.

• On Ubuntu 16.04/18.04/20.04, SLED 12 SP3, and SLES 12 SP3/SP5, the desktop screensaver does not lock as expected when the user removes a smart card from the client system.

  By default, the desktop screensaver does not lock even after the client user removes the smart card used to authenticate into the desktop. To lock the screensaver under these conditions, you must configure pkcs11_eventmgr on the desktop.

  Workaround: Configure pkcs11_eventmgr to specify the correct screensaver behavior in response to smart card events.

• After you install Horizon Agent with smart card redirection enabled (-m parameter set to "yes") on a RHEL 7.0 desktop, Horizon Administrator, Horizon Console, or vSphere may display a black screen. Smart card redirection is supported on desktops running RHEL 7.1 or later. The feature is not supported on RHEL 7.0 desktops.

  Workaround: Install Horizon Agent with smart card redirection enabled on a desktop running RHEL 7.1 or later.

• If you configure two monitors with different resolutions, and the resolution of the primary screen is lower than that of the secondary screen, you might not be able to move the mouse or drag application windows to certain areas of the screen.
  Workaround: Make sure that the primary monitor's resolution is at least as large as the secondary monitor's.

• When you use a smart card on a RHEL 7 desktop and enable the option to lock the screen upon removal of the card, the screen may lock immediately after you log in with the smart card. This is a known issue with RHEL 7.

  Workaround: To access the desktop, unlock the screen after logging in with the smart card.

• On an Ubuntu 16.04/18.04/20.04 desktop, single sign-on (SSO) malfunctions when the operating system updates the gnome-shell binary automatically. In Ubuntu, the default policy is to download and install OS updates automatically.

  Workaround: Modify the policy in Ubuntu to download and install OS updates manually, instead of automatically.

• When an end user uses a smart card to log in to a RHEL 8.0/8.1 desktop, the greeter may prompt for the user's password instead of the smart card PIN. This issue can occur more frequently when network latency is high.

  Workaround: To reduce occurrences of this issue, edit the /etc/sssd/sssd.conf file by increasing the p11_child_timeout value under the [pam] section. Then reboot the desktop.

• vGPU functionality is not supported on Ubuntu 20.04 desktops.

• Horizon Agent for Linux does not support remote connections from the HTML Access client running in Internet Explorer or Edge.

Horizon Agent

• In FIPS mode, Horizon Agent fails to pair with Connection Server and the pool status is not available when Horizon Agent is installed to a drive other than the C drive.
  Workaround: When operating in the FIPS mode, install Horizon Agent on the C drive.
• A warning message about applications in use appears when you uninstall Horizon Agent on Windows Server 2016.
  Workaround: Click “Ignore” in the dialog box that appears when you use Windows Add or Remove Programs to uninstall Horizon Agent. If you uninstall Horizon Agent from the command line, use the command msiexec /x /qn {GUID of Agent} instead of the command msiexec /x {GUID of Agent}.

• When you uninstall the Horizon Agent, the mouse speed becomes slow and jerky. Uninstalling Horizon Agent also uninstalls the vmkbd.sys driver.
  Workaround: Repair VMware Tools on the Horizon Agent virtual machine.

• When upgrading from Horizon Agent 7.1 to Horizon Agent 7.2 on a Windows 7 guest operating system, a "Files in Use" dialog appears. The dialog states that the VMware Horizon Agent application is using files that need to be updated by the setup.
  Workaround: Click "Ignore" to proceed with the upgrade.

• Before the Profile Management finishes synchronizing user data, the desktop is refreshed or deleted if refresh or delete on logoff policy is activated.

  Workaround: None

• Windows 10 32-bit Horizon Agent installation throws "the arguments are invalid" exception and the installation continues after you click OK. This error occurs because the print spooler service is disabled.
  Workaround: Enable the print spooler service for the installation to work as expected.

• If a session owner is watching a video that has been accelerated using MMR during a collaboration session, the collaborators see a black screen instead of the video.

  Workaround: As a session owner, if you need to play a video during a collaboration session, do not use Windows Media Player or Internet Explorer to play the video, or disable MMR on pools where collaboration is enabled.

• If a collaborator joins a multimonitor session and enables relative mouse mode on their client, it is possible for the mouse to move to a secondary monitor that the collaborator cannot see.

  Workaround: Move the mouse back on to the screen. Alternatively, don't use relative mouse mode in a multimonitor session.

• If you use Chrome with URL Content Redirection, and you set ".*.google.*" for the https protocol in filtering rules and you set Google as your home page in Chrome, redirection to google.com occurs each time you open a new tab.

  Workaround: Change the home page or the filtering rules.

• When setting up a collaborative session, adding a collaborator by the email address from a two-way trusted domain fails.

  Workaround: Add the collaborator by using domain\user.

• HTML5 Multimedia Redirection works for Edge in a pre-1803 Windows 10 virtual desktop, but after updating to the latest Windows 10 1803 version, such as 17133, redirection does not work, particularly for websites that use autoplay, such as youtube.com.

  Workaround: Force restart the Windows 10 virtual desktop.

• Published applications do not get disconnected when the client session is idle, even when Idle Session Timeout is set with MaxIdleTime using the GPO or non-GPO method. A disconnect warning message appears, but the application is not disconnected.

• After you perform a seek operation of streaming media using Multimedia Redirection, the audio and video are not smooth.

  Workaround: Wait for a few minutes or reopen the current streaming media.

• Sometimes, when a user uses the HTML5 Multimedia Redirection feature to play a YouTube video in the Edge browser, the video keeps buffering and there is no image or sound.

  Workaround: Refresh the page.

• After you connect to a remote desktop that has the Real-Time Audio-Video feature enabled, you might see the following message: "Your PC needs to be restarted to finish setting up this device: devicename (VDI)."

  Workaround: You can ignore this message as the device is usable in the remote desktop. Alternatively, you can turn off the Windows Settings notification to prevent the message from being displayed.

• Users cannot use a serial printer with the serial port redirection feature when Horizon Agent is installed in an RDS host if the agent group policy setting COM Port Isolation Mode is set to Full Isolation (the default setting). This problem affects both Windows and Linux clients. This problem does not occur for virtual desktops.

  Workaround: Edit the COM Port Isolation Mode group policy setting, change the mode to Isolation Disabled, and restart Horizon Agent. For more information, see "Serial Port Redirection Group Policy Settings" in the Configuring Remote Desktop Features in Horizon 7 document.

• When using the VMware Integrated Printing feature, if you connect to a Windows 10 agent machine from a Windows 7 client machine, and you print documents that contain delta fonts from a redirected printer, the fonts do not appear correctly.

  Workaround: None. This problem is a third-party issue.

• sysprep fails for linked clones and full clones with Windows 10 1903, Windows 10 1909 (32-bit and 64-bit) guest OS with error: SYSPRP Sysprep_Clean_Validate_Opk: Audit mode can't be turned on if there is an active scenario.; hr = 0x800F0975

  Workaround: Apply these instructions on the master image and then provision the desktop: https://social.technet.microsoft.com/Forums/en-US/0dcbdf32-05a1-4edc-8f22-287998d30de5/sysprep-problem-audit-mode-canamp39t-be-turned-on-if-there-is-an-active-scenario?forum=win10itprosetup.

• Launching an RDSH application using file type associations requires the Client Drive Redirection feature to be installed and enabled in the agent machine.
   

• When you update the OS from Windows 1809 to 1903, you might see a black screen on Horizon Agent.

  Workaround: Apply the procedure in this KB article on the OS image.

• If Horizon Agent is installed on an RDS host, and the Printer Name for RDSH Agents group policy setting for the VMware Integrated Printing feature is configured to use the client machine name as a suffix, the client machine name supports only English-language characters. If the client machine name contains characters in a non-English language, the VMware Integrated Printing feature does not work in published desktops and published applications.

  Workaround: None.

• If you have Horizon Agent 7.13 or earlier running on a host with a 5K display monitor, and you connect to a remote desktop using PCoIP protocol in full screen mode and try to resize the desktop window to larger than 4K, the remote session display does not automatically fit to the monitor screen or window size.

  Workaround: Resize the desktop window to smaller than 4K. On devices that support Retina display, exit full screen mode and switch to Normal display.

• Windows Server 2019 RDSH is slow to display the desktop when VBS is enabled.

  Workaround: Restart the agent VM.

Horizon GPO Bundle

• Computer-based global policy objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  Workaround: See the VMware Knowledge Base (KB) article, 2150495.

• In a nested mode configuration where the first-level desktop (the machine where Horizon Client and Horizon Agent are installed) is a virtual desktop and the second-level desktop is a published desktop, the “Specify a filter in redirecting client printers” group policy setting does not affect the second-level desktop if you configure it in the first-level virtual desktop.

  Workaround: If you want to filter printers for the second-level desktop, configure the “Specify a filter in redirecting client printers” group policy in the second-level desktop.

Horizon Client

This section describes problems that end users might encounter when using Horizon Client or HTML Access to connect to remote desktops and applications. For problems that occur only in a specific Horizon Client platform, see the Horizon Client release notes on the Horizon Clients Documentation page.

• The profile data is missing for multiple user sessions on RDS hosts. This issue occurs when the sessions are in the disconnected state but the task manager on the RDS host still shows these sessions.
  Workaround: Delete the sessions from the RDS host or log the user off from the published desktop or application.

• When you log in to Workspace ONE, the pre-launch application session is not triggered. Pre-launch sessions are triggered only when there is a successful login to Connection Server from Horizon Client.
  Workaround: Manually start an application or desktop from Workspace ONE to trigger the applications enabled for pre-launch to be started.

• Using the VMware Blast display protocol and with Blast Secure Gateway (BSG) disabled, Horizon Client sometimes cannot recover from a brief (about 1 minute) network outage and the connection to the desktop is disconnected. This issue does not occur when BSG is enabled.
  Workaround: Reconnect the session.

• The RDS host stores only one set of application data for the first application launch of a session. Any subsequent application launch data is lost.
  Workaround: Log off the session and launch another application to store that data.

• Desktops fail to start when you use HTML Access from Internet Explorer or Microsoft Edge Web browsers to connect to Connection Server, security server, or replica server on a Windows 10 client operating system. This issue affects desktops with Windows 10 N, Windows 10 KN, Windows 7 N and Windows 7 KN guest operating systems.
  Workaround: Use Firefox or Google Chrome Web browsers for HTML Access.

• For Intel vDGA, multiple-monitor support is limited to no more than 3 monitors. The Intel driver supports only up to 3 monitors with a resolution of up to 3840 X 2160. If you try to connect with 4 monitors, the connection shows 3 black screens with just one screen working.

• If a VDI desktop is in a remote location and experiencing high network latency, then a recursive unlock using smart card authentication might not work.
  Workaround: Unlock the desktop manually.

• If a user of a Windows 8 remote desktop logs in using Kerberos authentication, and the desktop is locked, the user account for unlocking the desktop that Windows 8 shows the user by default is the related Windows Active Directory account, not the original account from the Kerberos domain. The user does not see the account he or she logged in with. This is a Windows 8 issue, not directly a Horizon 7 issue. This issue could, but does not usually, occur in Windows 7.

  Workaround: The user must unlock the desktop by selecting "Other user." Windows then shows the correct Kerberos domain and the user can log in using the Kerberos identity.

• When you use the Ambir Image Scan Pro 490i to perform a scan on a remote desktop or application, the dialog box always displays “Scanning…” and does not complete.
  Workaround: Perform a scan on the client. The client scan calibrates the scanner. After the calibrate operation is finished, save the calibration file and deploy it in ProgramData\AmbirTechnology\ImageScanPro490i

• Unicode keyboard input does not work correctly with HTML Access in Horizon 7 for Linux Desktops.

  Workaround: None.

• When you connect to a Linux desktop, some keyboard inputs do not work. For example, if you are using a non-English IME on both the client device and the remote desktop, some non-English keys are not displayed correctly.
  Workaround: Set the English IME on the client device and set the non-English IME on the remote desktop.

• Sometimes an audio call does not start correctly from Skype to Skype for Business. The call status is "Connecting call..." on the Skype for Business client.

  Workaround: None.

• If you use Skype for Business inside a non-persistent desktop, you might reach the Skype for Business limit of 16 device certificates. When this limit is reached and Skype for Business attempts a new logon, a new certificate will be issued and the oldest assigned certificate will be revoked.

  Workaround: None.

• If you launch Horizon Client 4.8 for Linux or earlier with FIPS mode is enabled, and you try to connect to Horizon Agent 7.6 or Horizon Connection Server 7.6 or later with FIPS mode enabled, the error message "Invalid license info for rds-license: Missing client id" appears.

  Workaround: To use Horizon Client for Linux with FIPS mode enabled to connect to Horizon Agent 7.6 or later or Horizon Connection Server 7.6 or later with FIPS mode enabled, use Horizon Client 4.9 for Linux or later.

• The default self-signed TLS server certificate generated on Unified Access Gateway, Horizon Connection Server, and Security Server might not be usable by Chrome browsers, Safari browsers, or VMware Horizon clients running on macOS 10.15, iOS 13, and Chrome OS 76. This problem can happen because the requirements for trusted TLS server certificates have been changed by Apple in these OS versions. The default self-signed certificates do not currently meet these new requirements. If the connection to Horizon from a client is through an intermediate load balancer or proxy that terminates TLS, the new certificate requirements must also be met on those devices. On Horizon Client for Mac on macOS 10.15, "Warn before connecting to untrusted servers" mode might not continue without verifying the self-signed certificate, the "Untrusted server connection" dialog box pops up with the error message "VMware Horizon Client cannot verify your connection. Contact your administrator.", and only the "Show Certificate" and "Do Not Connect" buttons are available.

  Workaround: VMware generally recommends that the default self-signed TLS server certificate on these products is replaced by a trusted CA signed certificate for the environment. This recommendation is always a good security practice. In this situation, as long as the trusted CA-signed certificate meets the new Apple requirements, the problem does not occur. An alternative workaround for macOS and iOS Horizon clients is to set the SSL Configuration to not verify server certificates. For more information on the Apple certificate requirements, see https://support.apple.com/en-us/HT210176

Horizon Cloud Connector

• When you use the HTML5-based vSphere Web client to deploy the Horizon Cloud Connector virtual appliance OVA file, the following error occurs: “Invalid value 'false' specified for property proxySsl. Failed to deploy OVF package.”
  Workaround: Use the Flex-based or the Flash-based vSphere Web Client to deploy the Horizon Cloud Connector virtual appliance OVA file.

• When starting Horizon Cloud Connector, you encounter the message "[FAILED] Failed to start Wait for Network to be Configured. See 'systemctl status systemd-networkd-wait-online.service' for details."

  This message is displayed incorrectly and does not indicate an actual problem with the network. You can disregard the message and continue to use Horizon Cloud Connector as usual.