When manually creating a base VM in a pod with manifest lower than 1600, after running the Horizon Agents Installer, you must configure some DaaS agent properties in the VM to explicitly pair the VM with the pod before Horizon Cloud can convert the VM into an assignable image that can be used in Horizon Cloud.


  • From the pod's summary page in the Horizon Cloud Administration Console, obtain the pod's tenant appliance IP address. In the Administration Console, navigate to Settings > Capacity and click on the pod's name. On the Summary page, locate the Tenant appliance IP address property and note down that IP address.
    Location of the tenant appliance IP address in the pod's Capacity page

  • Verify that the agent-related components were installed in the base VM as described in For Pods at Manifests Lower Than 1600, Install the Agent-Related Software Components in the Base Virtual Machine.
    Important: When your pod is of manifest 1600 and lower, you must use a version of Horizon Agents Installer that aligns with your pod level. Otherwise these steps to pair the VM with the cloud will not work and the VM will fail to pair with the cloud. As an example, when your pod has a manifest version between 1493 and 1600, install Horizon Agents Installer 19.2 into the base VM. When the manifest version is between 1273 and 1493, install Horizon Agents Installer 19.1 into the base VM.
  • In the base VM's Windows operating system, confirm that you can access the Keytool.exe file in C:\Program Files (x86)\VMware\Horizon Agents\Horizon DaaS Agent\service. Open a command prompt as administrator, navigate to C:\Program Files (x86)\VMware\Horizon Agents\Horizon DaaS Agent\service, and issue the command Keytool.exe -h. If the command returns information about running Keytool to import the bootstrap credentials, you have the required access.


  1. In the Microsoft Azure portal, connect to the base VM and log in to the VM's Windows operating system if you are not already connected.
  2. Download the DaaS SSL bootstrap file from Horizon Cloud.
    This file is used in the bootstrap process that allows the VM's operating system and the pod to pair with each other securely.
    1. Point the VM's browser to https://cloud.horizon.vmware.com and log in with your credentials.
    2. Click Inventory > Images.
    3. On the Images page, select ... > Download Bootstrap.
    4. In the download window, select the appropriate location, the corresponding pod, and enter and re-enter a password of 8-20 ASCII characters containing at least one each of the following: lowercase letter, uppercase letter, number, and symbol (!@#$%^&*).
      Do not use non-ASCII characters in the password. Make a note of this password for future use.
    5. Click OK to save the bootstrap file to a location in the VM.
      The downloaded file is named image_bootstrap.7z by default. This file is used as input to the Keytool.exe utility.
  3. Verify the setting of the DaaS agent's EnableBootstrap registry key is set to 1 (one), and not 0 (zero).
    1. Run regedit.
    2. In the Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware DaaS Agent entry.
    3. Verify the value of the EnableBootstrap key is set to 1 (one).
      If EnableBootstrap key is not set to 1 (one), then modify the key to set it to 1 (one).
  4. Create a registry key for the desktop manager address.
    1. In the Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware DaaS Agent entry.
    2. Add a new string value key named DesktopMgrAddresses.
    3. Set the new key's value to the pod's Tenant appliance IP address value that you obtained from the pod's details page in the Administration Console.

      New registry key for DaaS agent's tenant appliance IP address

  5. Restart the DaaS agent service.
    The DaaS agent waits for the bootstrap credentials to be imported in the next step.
  6. Import the DaaS SSL bootstrap credentials.
    1. Open a command prompt as administrator and navigate to C:\Program Files (x86)\VMware\Horizon Agents\Horizon DaaS Agent\service.
    2. Run Keytool.exe using the downloaded DaaS SSL bootstrap file (image_bootstrap.7z) as an argument.
      Keytool.exe –f absolute-path-to-bootstrap-file/image_bootstrap.7z
      When prompted, enter the encryption password that you set when you downloaded the DaaS SSL bootstrap file.
      Note: Ensure that step 2 to add the registry key is completed before you run the Keytool utility. If the registry key does not exist, the Keytool command might fail with the message Cannot find the file specified.
      The Keytool utility performs the bootstrap and moves the certificate to the cert folder. If you see a message that the file is successfully decrypted, this step is complete.
  7. Close your RDP connection.
  8. In the Microsoft Azure portal, click Stop on the VM.
  9. When the portal indicates the VM is completely stopped, click Start on the VM.

What to do next

At this point, the base VM conforms to the Horizon Cloud environment's requirements to create an assignable image, also referred to as a sealed image. To confirm that this VM can be converted into a sealed image, in the Horizon Cloud Administration Console, navigate to Inventory > Imported VMs and check that an ACTIVE status is displayed in the Agent Version column for this VM.

If you joined the VM to your Active Directory domain, you can use domain accounts to connect to the VM to customize the image. If you did not join the VM to your Active Directory domain, you can use the local administrator account to connect to the VM to customize the image.

Customize the image's Windows operating system, including configuring things like wallpapers and installing the applications you want this VM to provide to your end users. If you enabled a public IP address for the VM, you can connect to the created VM by using the IP address displayed on the Imported VMs page in an RDP client like Microsoft Remote Desktop Connection. For details, see Customize the Master Image VM's Windows Operating System and its subtopics:
Important: It is strongly recommended that you optimize the image VM, including removing AppX packages from Window 10 images, as described in Customize the Master Image VM's Windows Operating System, Deciding to Optimize the Windows Image When Using the Import Desktop Wizard, and Deciding to Remove Windows Store Apps When Using the Import Desktop Wizard.

If you selected a NV-series VM type, you must log into the VM's operating system and install the supported NVIDIA graphics drivers to get the GPU capabilities of the GPU-enabled NV-series VM. You install the drivers after the VM is created and the Imported VMs page shows the DaaS agent is active. See Install NVIDIA Graphics Drivers in a GPU-Enabled Master Image.

If you selected to install the Dynamic Environment Manager option when installing the agent, configure a separate file server in your Microsoft Azure subscription that has at least SMB 2 enabled. Then configure VMware Dynamic Environment Manager using that file server. Also configure the GPO settings. See the VMware Dynamic Environment Manager documentation topics in the Dynamic Environment Manager product documentation.

For improved security regarding the use of the Horizon Agent, configure your Active Directory server domain policy GPO (Group Policy Object) to disable weak ciphers in SSL and TLS protocols. For information about disabling weak ciphers when communicating using the SSL/TLS protocol, see the appropriate agent-related information in the VMware Horizon® 7 documentation set, such as Disable Weak Ciphers in SSL/TLS.

After you are finished customizing the master VM, use the New Image workflow to convert the master VM to an assignable image. See Convert a Configured Master Virtual Machine to an Assignable Image.