The Enrollment Server (ES) is a Horizon Cloud component that you install on a Windows Server machine as the last step in setting up infrastructure for True SSO. By deploying the Enrollment Agent (Computer) certificate onto the server, you are authorizing this ES to act as an Enrollment Agent and generate certificates on behalf of users.


Verify that you have completed the steps in Horizon Cloud - True SSO - Set Up an Enterprise Certificate Authority Using a Microsoft Windows Server System, Horizon Cloud - True SSO - Set Up a Certificate Template on the CA, and Horizon Cloud - True SSO - Download the Horizon Cloud Pairing Bundle.

Verify that the system on which you will install the Enrollment Server software is running one of these operating systems that are supported for this installation: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019. The system should have a minimum of 4GB of memory.


  1. Install the Enrollment Server on the system.
    1. Download the Enrollment Server.exe file from the My VMware site. The file name should be similar to VMware-HorizonCloud-TruessoEnrollmentServer-x86_64-7.3.0-xxxxx.exe.
    2. Confirm that the system meets the prerequisites as previously stated.
    3. Run the installer and follow the wizard.
  2. Deploy the Enrollment Agent (Computer) Certificate.
    1. Open the Microsoft Management Console (MMC).
    2. On the File menu, click Add/Remove Snap-in.
    3. Under Available snap-ins, double-click Certificates.
    4. Select Computer account and click Next.
    5. Select Local computer and click Finish.
    6. On the Add or Remove Snap-ins dialog, click OK.
    7. In the MMC, right-click the Personal folder under Certificates and select All Tasks > Request New Certificates.
    8. In the Certificate Enrollment dialog, select the check box for the Enrollment Agent (Computer) and click Enroll.
  3. Import the pods' certificate CRT files extracted from the pairing_bundle.7z file, for those pods with which you want to configure True SSO.
    The pairing bundle contains a certificate file for each pod in your environment. Each CRT file name follow the pattern podID_truesso.crt, where podID is the pod's ID value.
    1. In the MMC, right-click the Certificates sub-folder under the VMware Horizon Cloud Enrollments Server Trusted Roots folder and select All Tasks > Import.
    2. Click Next.
    3. Navigate to the location where you extracted the certificate files from the pairing_bundle.7z bundle.
      When you have only one pod, the bundle contains only one CRT file. When you have more than one pod, the bundle contains a CRT file for each pod.
    4. Import the certificate file or files, depending on how many pods you are configuring.
    5. Click Next, then click Finish.
  4. Complete the remaining configuration steps described in Horizon Cloud - True SSO - Complete Configuring True SSO for your Horizon Cloud Environment.