VMware Horizon 8 2006 | 11 AUG 2020 Check for additions and updates to these release notes. |
VMware Horizon 8 2006 | 11 AUG 2020 Check for additions and updates to these release notes. |
VMware Horizon 8 version 2006 includes the following new features and enhancements. This information is grouped by installable component.
Beginning with this release, version numbering is based on the planned year and the month of the release. The actual release date can vary based on business needs and engineering schedule changes to address critical customer requirements.
Horizon Connection Server
Cloud Pod Architecture
Global entitlements appear in alphabetical order in Horizon Client.
To use Horizon Console or lmvutil to configure and manage a Cloud Pod Architecture environment, an administrator must have the new Manage Cloud Pod Architecture global privilege. See Security Considerations for Cloud Pod Architecture.
You can define the global entitlement name that appears to users in Horizon Client. When creating or modifying a global entitlement in Horizon Console, use the new Display Name option. When using lmvutil commands, use the new --aliasName option. See Worksheet for Configuring a Global Entitlement and Creating a Global Entitlement.
The --htmlAccess and --disableHtmlAccess options are removed from the --updateGlobalEntitlement and --updateGlobalApplicationEntitlement lmvutil commands. The --htmlAccess option is also removed from the --createGlobalEntitlement and --createGlobalApplicationEntitlement lmvutil commands.
When you create or modify a global entitlement in Horizon Console, the HTML Access option is removed.
Published Desktops and Applications
Provisioning of majority of instant clone farms no longer involve creation of parent VM. This improves the manageability of the instant clone farm and well as optimizing the memory requirement of the farm. For extremely large farms, parent VM will still be created.
When you create or modify a farm in Horizon Console, the Allow HTML Access to desktops and applications on this farm option is removed. To prevent HTML Access to a published desktop or application, either do not install HTML Access support when you install Connection Server, or use the client restriction feature to block access.
Horizon automatically chooses to provision instant clones directly from replicaVM, without creating any parentVM. This feature is called Smart Provisioning. See Creating an Automated Instant-Clone Farm.
You can view the Horizon Client version for a published desktop or application session. See Manage Published Desktops and Application Sessions in Horizon Console.
Virtual Desktops
Instant clones are available in more VMware Horizon license packages including Standard, Advanced, and Enterprise Edition license packages.
A high memory usage alert that is triggered during the instant clone provisioning process has been disabled. See the VMware KB article 2151438.
You can restrict access to entitled desktop pools from certain client computers. See Implementing Client Restrictions for Desktop Pools, Published Desktops, and Application Pools.
When you create or modify an instant-clone desktop pool or an automated pool that contains full-clone virtual machines in Horizon Console, the HTML Access option is removed. To prevent HTML Access to a desktop pool, either do not install HTML Access support when you install Connection Server, or use the client restriction feature to block access.
Horizon automatically chooses to provision instant clones directly from replicaVM, without creating any parentVM. This feature is called Smart Provisioning. See Instant-Clone Desktop Pools.
Horizon Console
When you select the network for an instant-clone desktop pool or farm, Horizon Console selects network type from the current golden image configured in vSphere Client and displays networks based on the network type of the parent VM: DVS, NSX-t, and Standard. You can use the same network as the parent VM or select a network from the list of available options. Networks are filtered based on the parent VM network type. See Worksheet for Creating an Instant-Clone Desktop Pool and Worksheet for Creating an Instant-Clone Farm.
The View Storage Accelerator feature requires upto 32GB of RAM per ESXi host. You can specify a default host cache size between 100MB and 32,768MB. See Enable View Storage Accelerator Globally in Horizon Console.
You can click the Send Feedback icon in the Horizon Console header to send in-product feedback about features and functionality to the VMware Horizon team. See Send Feedback.
When you delete a desktop pool, the status of the desktop pool appears as "Deleting" on both the Desktops page and the Machines page. See Delete a Desktop Pool and Delete Virtual Machine Desktops in a Pool.
If you use an older Web browser such as Internet Explorer 11 to log in to Horizon Console, a pop-up windows appears that lists the Web browsers to use for the best user experience. See Log In to Horizon Console.
Horizon Connection Server Installer
The Connection Server installer has new branding.
The Connection Server installer has new icons.
You can select a deployment type to install Connection Server on premises or in a public cloud with VMware SDDC service.
You can perform a parallel upgrade of multiple Connection Servers. For more information about how to upgrade Connection Servers in parallel, see Upgrading Connection Servers in Parallel. For more information about troubleshooting errors in the Connection Server installer related to parallel upgrade of Connection Servers, see Troubleshooting Installation Errors During Parallel Upgrade of Connection Servers.
Note: At the last step of the installation or upgrade process, the Connection Server waits for all the services to start.This can result in a longer installation time than earlier versions of Connection Server installations or upgrades.
You can configure load balancers for Connection Server health monitoring. See Configuring Load Balancers for Horizon Connection Server Health Monitoring.
Role-Based Delegated Administration
Two new privileges are added. See Global Privileges.
Manage Cloud Pod Architecture
Manage Access Groups
Horizon Agent
The Horizon Agent installer splash screen is updated.
You can create and display a digital watermark on remote sessions. See Configuring a Digital Watermark.
You can use an integrated pen on a Windows tablet. See Configuring Pen Redirection.
You can configure registry settings for mouse event handling. See Configuring Windows Registry Settings for Cursor Event Handling.
Blast Codec is enabled by default.
VMware Blast uses the client's current topology when starting a connection to the agent machine.
The Microsoft Edge browser is supported with URL Content Redirection for Windows clients. You must install the VMware Horizon URL Content Redirection Helper extension in the Edge browser. See Install the URL Content Redirection Helper Extension for Edge on Windows.
You use the LBP Setting UI group policy setting to set up location-based printing. See Configure Location-Based Printing.
VMware Integrated Printing is supported on mobile client devices. See Configuring VMware Integrated Printing.
With the VMware Blast protocol, you can use two 8K displays. See Monitors and Screen Resolution.
Windows and Linux clients connecting to the agent use the H.264 video codec for real-time audio-video for improved performance, especially CPU usage in the client machine.
Horizon Agent for Linux
Horizon Agent supports the following new Linux operating systems:
RHEL/CentOS 7.8
RHEL/CentOS 8.2
SLES 12.x SP5
Horizon Agent no longer supports the following Linux operating systems:
SLED/SLES 12.x SP1 and SP2
RHEL/CentOS 6.x
NeoKylin 6 Update 1
You can configure RHEL 8.x/7.x and Ubuntu 18.04 virtual machines as multi-session Linux host machines. You can add these Linux host machines to manual or automated instant-clone farms on which you can base published desktop pools and published application pools. Each published desktop or published application can support multiple user sessions at the same time. See Setting Up Linux Published Desktops and Applications for Multi-Session Use.
vDGA graphics are no longer supported on Linux desktops.
Horizon GPO Bundle
The Blast Codec Quality group policy setting enables you to set the minimum and maximum values of the Quantization Parameter (QP), which controls the image quality of the remoted display when using Blast Codec compression. See VMware Blast Policy Settings.
With the Cursor warping group policy setting enabled, the remote agent detects sudden cursor movements and reflects them to the client by moving the local cursor. See VMware Blast Policy Settings.
The Configure maximum latency for mouse coalescing group policy setting enables you to configure the maximum latency allowed, in milliseconds, when coalescing mouse move events. See General Settings for Client GPOs.
Horizon Client
For information about new features in Horizon Client 2006, including HTML Access 2006, see the release notes on the VMware Horizon Client Documentation page.
For the latest set of Horizon API, see Horizon API.
The following feature is deprecated in this release.
View Composer
While Horizon 8 2006 is in general support phase until 11th August 2025, support for View Composer and Persistent Disk features for linked clones is limited to Technical Guidance only, meaning that fixes will no longer be provided for those features. See KB 94831 for details.
The following features are no longer supported in this release.
Horizon Connection Server
Security Server is no longer supported.
The Flash-based Horizon Administrator web interface is no longer supported.
Managing ThinApp applications is no longer available from Horizon Console. However, VMware ThinApp is still supported for VMware Horizon. See the VMware ThinApp documentation.
The local JMP Server is no longer supported.
Windows Server 2008 R2 and Windows Server 2012 are no longer supported.
Horizon Agent for Linux
RHEL/CentOS 6.x is no longer supported.
Horizon Agent
Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 are no longer supported.
The Persona Management feature is no longer supported.
The Flash URL Redirection and Flash Redirection features are no longer supported.
The Virtual Printing feature is no longer supported. Use the VMware Integrated Printing feature instead.
The VMware Client IP Transparency feature is no longer supported.
The Device Bridge component is removed.
Horizon Client
Windows 7, Windows 8, Windows 8.1, Windows 10 version 1809 SAC, Windows Server 2008 R2, and Windows Server 2012 are no longer supported.
The Flash URL Redirection and Flash Redirection features are no longer supported.
The Virtual Printing feature is no longer supported. Use the VMware Integrated Printing feature instead.
vRealize Operations for Horizon
vRealize Operations for Horizon is no longer supported. If you have vRealize Operations deployed and are upgrading to VMware Horizon 2006, you will need to disable or stop the vRealize Operations Desktop Agent service. This prevents the vRealize Operations Desktop Agent in Horizon 2006 from attempting to communicate with vRealize Operations for Horizon instances that might be running. If you have the Horizon Universal License and are leveraging the Cloud Monitoring Service (CMS), you do not need to make any changes when you deploy Horizon 2006.
Applicable to VMware Horizon Universal License customers. The Horizon Cloud Connector virtual appliance is a required component for VMware Horizon to support the management of Horizon pods using Horizon Cloud Service.
For a list of VMware Horizon features supported on VMware Cloud on AWS, see VMware Knowledge Base article 58539.
You can select Azure as an installation option to deploy Horizon on Azure VMware Solution (AVS). See Deploying VMware Horizon on Azure VMware Solution.
Important note about installing VMware View Composer
If you plan to install a View Composer server, or upgrade an existing View Composer installation, you must upgrade the Microsoft .NET framework to version 4.6.1 or newer. Otherwise, the installation will fail. View Composer is deprecated and will be removed in a later version of VMware Horizon. You should have a migration plan for View Composer in place before planning to upgrade to this release of VMware Horizon. If you do not have a migration plan in place, you should continue using VMware Horizon 7.x.
Important note about installing VMware Tools
If you plan to install a version of VMware Tools downloaded from VMware Product Downloads, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the VMware Product Interoperability Matrix. (Supported versions: 11.1.0, 11.0.6, 10.3.22, 10.3.21).There are also performance issues with the 11.x versions of VMware Tools. For more information, see https://kb.vmware.com/s/article/78434.
This VMware Horizon release includes new configuration requirements that differ from some earlier releases.
For supported upgrade paths, see the VMware Product Interoperability Matrix.
If you intend to upgrade a pre-6.2 installation of VMware Horizon, and the Connection Server, or View Composer Server uses the self-signed certificate that was installed by default, you must remove the existing self-signed certificate before you perform the upgrade. Connections might not work if the existing self-signed certificates remain in place. During an upgrade, the installer does not replace any existing certificate. Removing the old self-signed certificate ensures that a new certificate is installed. The self-signed certificate in this release has a longer RSA key (2048 bits instead of 1024) and a stronger signature (SHA-256 with RSA instead of SHA-1 with RSA) than in pre-6.2 releases. Note that self-signed certificates are insecure and should be replaced by CA-signed certificates as soon as possible, and that SHA-1 certificates are no longer considered secure and should be replaced by SHA-2 certificates.
Do not remove CA-signed certificates that were installed for production use, as recommended by VMware. CA-signed certificates will continue to work after you upgrade to this release.
Downgrading Connection Server instances is not supported. To revert to a previous version after an upgrade, restore from backup. For more information, see Create a Replicated Group After Reverting Connection Server to a Snapshot.
VMware Horizon uses only TLSv1.1 and TLSv1.2. In FIPS mode, it uses only TLSv1.2. You might not be able to connect to vSphere unless you apply vSphere patches.
It is possible that the ordering of cipher suites can be enforced by Connection Server. For more information, see the Horizon Security document.
Connection Server must be able to communicate on port 32111 with other Connection Servers in the same pod. If this traffic is blocked during installation or upgrade, installation will not succeed.
TLS handshakes on port 443 must complete within 10 seconds, or within 100 seconds if smart card authentication is enabled. In previous releases of VMware Horizon, TLS handshakes on port 443 were allowed 100 seconds to complete in all situations. You can adjust the time for TLS handshakes on port 443 by setting the configuration property handshakeLifetime. Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by setting the configuration property secureHandshakeDelay. For more information about setting configuration properties, see the Horizon Security document.
If you have FIPS mode enabled in a cloud pod architecture consisting of non-homogenous pods, that is, pods at different versions, Horizon 7.10.3 pods do not work with a pod running Horizon 7.12 or later. To upgrade 7.10.3 to a later version, first upgrade to a patched 7.10.3 that is fully backward and forward compatible with other versions. Contact VMware Customer Connect on how to obtain the patch.
For the supported guest operating systems for Horizon Agent on single-user machines and RDS hosts, see VMware Knowledge Base (KB) article 78714 and VMware Knowledge Base (KB) article 78715.
For the supported Linux guest operating systems for Horizon Agent, see System Requirements for Horizon 7 for Linux in the Setting Up Horizon for Linux Desktops document.
For the supported operating systems for Connection Server, see the VMware Knowledge Base (KB) article article 78652.
VMware Horizon functionality is enhanced by an updated set of Horizon Clients provided with this release. See the VMware Horizon Clients Documentation page for information about supported Horizon Clients.
The following vSphere and vSAN versions are supported with VMware Horizon 8 beta: vSphere 7.0, vSphere 6.7, vSphere 6.5.
For the supported Active Directory Domain Services (AD DS) domain functional levels, see the VMware Knowledge Base (KB) article 78652.
RC4, SSLv3, and TLSv1.0 are disabled by default in VMware Horizon components, in accordance with RFC 7465, "Prohibiting RC4 Cipher Suites," RFC 7568, "Deprecating Secure Sockets Layer Version 3.0," PCI-DSS 3.1, "Payment Card Industry (PCI) Data Security Standard", and SP800-52r1, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations." If you need to re-enable RC4, SSLv3, or TLSv1.0 on a Connection Server or Horizon Agent machine, see Older Protocols and Ciphers Disabled in View in the Horizon Security document.
If a PCoIP Secure Gateway (PSG) has been deployed for PCoIP connections, zero client firmware must be version 4.0 or later.
The USB Redirection setup option in the Horizon Agent installer is deselected by default. You must select this option to install the USB redirection feature. For guidance on using USB redirection securely, see Deploying USB Devices in a Secure View Environment in the Horizon Security document.
The Global Policy, Multimedia redirection (MMR), defaults to Deny. To use MMR, you must open Horizon Console, edit Global Policies, and explicitly set this value to Allow. To control access to MMR, you can enable or disable the Multimedia redirection (MMR) policy globally or for an individual pool or user. Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.
Before you set the level of Transparent Page Sharing (TPS), VMware recommends that the security implications be understood. For guidance, see the VMware Knowledge Base (KB) article 2080735, Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing.
To use View Storage Accelerator in a vSphere 5.5 or later environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.
VMware Horizon does not support vSphere Flash Read Cache (formerly known as vFlash).
Screen DMA is disabled by default in virtual machines that are created in vSphere 6.0 and later. VMware Horizon requires screen DMA to be enabled. If screen DMA is disabled, users see a black screen when they connect to the remote desktop. When VMware Horizon provisions a desktop pool, it automatically enables screen DMA for all vCenter Server-managed virtual machines in the pool. However, if Horizon Agent is installed in a virtual machine in unmanaged mode (VDM_VC_MANAGED_AGENT=0), screen DMA is not enabled. For information about manually enabling screen DMA, see VMware Knowledge Base (KB) article 2144475, Manually enabling screen DMA in a virtual machine.
vGPU enabled instant clone desktop pools are supported for vSphere 2016 and later.
Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the VMware Horizon environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
In VMware Horizon, the viewDBChk tool will not have access to vCenter credentials and will prompt for this information when needed.
The forwarding rules for HTTP requests received by Connection Server instances have changed at this release. If you have defined custom frontMapping entries in locked.properties, you should remove them before upgrading. If you wish to disallow administrator connections to certain Connection Server instances, then instead of defining custom frontMapping entries, add this entry to locked.properties:
frontServiceWhitelist = tunnel|ajp:broker|ajp:portal|ajp:misc|moved:*|file:docroot
In VMware Horizon, internal validation checks determine if the instant clone and internal template have valid IP addresses and a network connection. If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails.
For information about the models of NVIDIA GPU cards supported by Horizon, see https://docs.nvidia.com/grid/9.0/product-support-matrix/index.html.
AMD v340 graphics cards are supported.
Real-Time Audio-Video (RTAV) is supported in an IPv6 environment.
See the VMware Product Interoperability Matrix for information about the compatibility of VMware Horizon with the latest versions of VMware Unified Access Gateway (supported versions 3.10, 3.9), VMware Identity Manager (vIDM hosted: vIDM staging tenant; vIDM on-prem: supported version 19.03), VMware App Volumes (supported versions 4.1, 4.0.1, 2.18.1), VMware Dynamic Environment Manager (supported versions 10.0, 9.11), and VMware Tools (versions 11.1.0, 11.0.6, 10.3.22, 10.3.21).
PCoIP is not supported with RDSH instant clone pools in an IPv6 environment. PCoIP is supported with remote desktops in an IPv6 environment.
Starting with version 18.2.7, Avi Networks (VMware NSX Advanced Load Balancer) supports load balancing for Connection Server, Unified Access Gateway appliances, and App Volumes Manager.
True SSO and Smart Card based SSO/Logon are not supported with Horizon on Windows 10 2004 as remote desktop.
For an updated list of supported Windows 10 operating systems, see VMware Knowledge Base (KB) article 78714.
For more information on upgrade requirements for Windows 10 operating systems, see VMware Knowledge Base (KB) article 2148176, Upgrade Requirements for Windows 10 Operating Systems here.
vSAN is supported in an IPv6 environment.
When you deploy an instant clone as a RDS host, do not reboot the RDS host directly from within the Windows Server OS. Instead, refresh the instant clone VM using the push image workflow.
For a list of supported Windows Server operating systems, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/78652.
For a list of Windows 10 guest operating systems, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/78714.
For Windows operating systems, other than Windows 10, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/article/78715
Horizon Agent for Linux supports installation on systems running Red Hat Enterprise Linux Workstation. Red Hat Enterprise Linux Server is not supported.
In the Setting Up Linux Desktops in Horizon document, all occurrences of "Red Hat Enterprise Linux" and "RHEL" refer to Red Hat Enterprise Linux Workstation only.
For the list of supported versions of Red Hat Enterprise Linux Workstation, see System Requirements For Horizon Agent for Linux
Features that were introduced in prior releases are described in the release notes for each release, along with existing known issues.
The number provided before each resolved issue refers to the VMware internal issues tracking system.
There are intermittent locking issues when a user logs on to a Windows 10 desktop.
The numbers provided before the resolved issues refer to the VMware internal issues tracking system.
Horizon Connection Server
When you restart or reset a virtual machine for which an end user session exists in a desktop pool from vCenter Server or from the Windows Operating System menu, the virtual machine restarts but the status of the virtual machine might appear in the “Already Used” state in Horizon Console.
This problem can occur for the following pool types:
Instant-clone desktop pools.
Full-clone floating desktop pools with "Delete on log Off" enabled.
Workaround: Use Horizon Client to restart or reset the virtual machine in the instant-clone desktop pool. If the virtual machine is already in the “Already Used” state, remove the virtual machine. This action automatically creates a new virtual machine based on the pool provisioning settings.
If you provision instant clones on local datastores, the corresponding hosts cannot be put into maintenance mode. This occurs because the internal VMs and the instant clones are stored on local datastores so they cannot be migrated.
Workaround: Delete the instant-clone desktop pool. This will delete the related VMs and enable the corresponding hosts to enter maintenance mode.
ESXi host remediation that uses VUM fails if the instant-clone Parent VM is present on the host in a powered-on state.
Workaround: For more information, see VMware Knowledge Base (KB) 2144808.
Universal Windows Platform (UWP) applications are not supported as published applications on Windows Server 2016 and Windows Server 2019 RDS hosts.
For True SSO, the connectivity status between the Connection Server instance and the enrollment server is displayed only on the System Health Status dashboard for the connection server that you are using to access Horizon Console. For example, if you are using https://server1.example.com/admin for Horizon Console, the connectivity status to the enrollment server is collected only for the server1.example.com Connection Server. You might see one or both of the following messages:
The primary enrollment server cannot be contacted to manage sessions on this connection server.
The secondary enrollment server cannot be contacted to manage sessions on this connection server.
It is mandatory to configure one enrollment server as primary. Configuring a secondary enrollment server is optional. If you have only one enrollment server, you will see only the first message (on error). If you have both a primary and a secondary enrollment server and both have connectivity issues, you will see both messages.
When you set up True SSO in an environment with CAs and SubCAs with different templates setup on each of them, you are allowed to configure True SSO with a combination of template from a CA or SubCA with another CA or SubCA. As a result, the dashboard might display the status of True SSO as green. However, it fails when you try to use True SSO.
In Horizon Help Desk Tool, the pod name does not appear if the session is a local session or a session running in the local pod.
Workaround: Set up the Cloud Pod Architecture environment to view pod names in Horizon Help Desk Tool.
The Workspace ONE mode setting does not get reflected in the replica server from Workspace ONE.
Workaround: Configure the Workspace ONE mode in Connection Server.
When you create full-clone desktop pools, sometimes wrong templates are displayed and valid templates are hidden due to a cache issue.
Workaround: Restart Connection Server.
When you try to add a SAML authenticator in Horizon Console, the Add button is disabled on the Manage SAML Authenticators page.
Workaround: Log in to Horizon Console as a user who has the Administrators or Local Administrators role.
In a Cloud Pod Architecture environment, pre-launched application sessions from global application entitlements are not shown in Inventory > Search Sessions in Horizon Console.
Workaround: Log in to the Horizon Console user interface for a Connection Server instance in the hosting pod and select Monitoring > Events to view pre-launched session information.
For Intel vDGA, only the Haswell and Broadwell series of Intel integrated GPUs are supported. Broadwell integrated GPUs are supported only on vSphere 6 Update 1b and later. Haswell integrated GPUs are supported on vSphere 5.5 and later. The GPU must be enabled in the BIOS before it can be recognized by ESXi. For more information, see the documentation for your specific ESXi host. Intel recommends leaving the graphics memory settings in the BIOS set to their default values. If you choose to change the settings, keep the aperture setting at its default (256M).
For vCenter Server 6.0 U3 or later, including vCenter Server 6.5, internal parent VMs migrate to another host during failure. This migration causes an issue because unnecessary parent VMs reside on the destination host.
Workaround: Manually remove these parent VMs. For more information, see the Setting Up Virtual Desktops in Horizon document.
To reduce the possibility of memory exhaustion, vGPU profiles with 512 MB or less of frame buffer support only one virtual display head on a Windows 10 guest operating system.The following vGPU profiles have 512 Mbytes or less of frame buffer:
Tesla M6-0B, M6-0Q
Tesla M10-0B, M10-0Q
Tesla M60-0B, M60-0Q
GRID K100, K120Q
GRID K200, K220Q
Workaround: Use a profile that supports more than one virtual display head and has at least one GB of frame buffer.
Virtual desktops and published desktops and application pools fail to launch if they have the client restriction feature enabled and are entitled to a domain that is configured with a one-way AD trust.
Workaround: None
After an upgrade, the option to add a farm is grayed out if you have a role with the "Manage Farms and Desktops and Application Pools" (object-specific privilege).
Workaround: Edit the role or create the role again with the "Manage Farms and Desktops and Application Pools" privilege, which also adds the “Manage Global Configuration and Policies” privilege.
After an upgrade, the bookmarks do not appear in Workspace ONE.
Workaround: Add the bookmarks from the catalog in Workspace ONE again.
After you disconnect and reconnect the network cable and click "Disconnect and Log Off" on the client machine, the remote desktop does not disconnect and log off.
Workaround: Manually close the window of the remote desktop and disconnect from the remote session.
When you create full clones with the Sysprep customization method, customization and domain joining sometimes fails on Windows 10 guest operating systems.
Workaround: This occurs because of a Microsoft Windows issue. To resolve this issue, follow the steps in the Microsoft Knowledge Base (KB) 2769827.
Log in to Horizon Console from the Internet Explorer browser displays only keywords instead of icons. This issue occurs when you connect to a Connection Server using an IP address instead of a DNS name.
Workaround: Use a DNS name instead of an IP address when connecting.
When you use Safari version 10.1.1 as the Web browser to log in to Horizon Console with a Fully Qualified Domain Name, user interface issues such as the bottom panels appearing blank can occur.
Workaround: Safari version 10.1.1 is not a supported Web browser version for Horizon Console. Use a Safari version earlier than version 10.1.1 or version 11.0.2 and later to log in to Horizon Console.
The following user interface issues occur in Horizon Help Desk Tool for global Linux sessions in a Cloud Pod Architecture deployment: An internal error occurred message appears, the Skype for Business status is not displayed, and the operating system version displays as “-” when you click the session details on the Details tab. A “failed to get Remote Assistance ticket” message appears when you click Remote Assistance. An internal error occurred message appears when you click the Applications tab.
Workaround: None. Horizon Help Desk does not support the following user interface features for Linux desktops: Skype for Business status, Remote Assistance, Applications tab, and the session idle status.
Horizon Console does not update the space reclamation information for a vCenter Server on vSphere version 6.7 that uses the VMFS6 with the automatic UNMAP feature.
Workaround: None.
Login to Horizon Console fails if you use the IP address to login to Horizon Console on a Firefox, Google Chrome, Microsoft Edge, Firefox, or Safari Web browser.
Workaround: Use the Fully Qualified Domain Name (FQDN) to login to Horizon Console. For more information on using FQDN to log in to Web applications, see the Horizon Security document.
After an upgrade to vSphere 6.7, you cannot use the custom specification created with a vSphere version earlier than 6.7.
Workaround: After an upgrade to vSphere 6.7, create a new custom specification and use this specification for pool provisioning. Horizon Help Desk Tool displays the logon time for both the brokering pod and the hosting pod but does not display the logon time for a pod that is neither the brokering pod nor the hosting pod.
Horizon Help Desk Tool displays the logon time after a few minutes for the hosting pod if the brokering pod is a remote pod.
Workaround: If Horizon Help Desk Tool does not display the logon time for the hosting pod, close the page that displays session details, wait 7-8 mins and navigate to the Details tab to view the session details again.
VMware Identity Manager sometimes fails to launch desktops. When you save SAML configuration details for the first time in VMware Identity Manager with SAML enabled on Connection Server, desktops do not start.
Workaround: Save the profile again and perform a sync operation on the new profile. The sync operation can occur every hour or day, as set by the administrator.
In Horizon Console, you can add a remote access user as an unauthenticated access user. However, unauthenticated access users cannot get remote access from external gateways. The user will not be able to access virtual desktops and can only launch applications as an unauthenticated access user. If the user tries to login with normal access, an “Incorrect authentication type requested” error message appears.
Workaround: None.
Horizon Single Sign On fails when the scope of the trust authentication setting is set to “Selective Authentication".
Workaround: Use one of the following workarounds to resolve this issue.
Use domain-wide authentication.
Continue to use the “Selective Authentication” security setting, but explicitly grant each Horizon Connection Server host (local system) accounts the "Allowed to Authenticate" permission on all the domain controllers of the computer objects (resource computers) that reside in the trusting domain or forest. For information on how to grant the "Allowed to Authenticate" permission, see the Microsoft article "Grant the Allowed to Authenticate permission on computers in the trusting domain or forest."
With the Cloud Pod Architecture feature, in certain circumstances RDS licensing servers issue multiple permanent licences to the same client in a mixed-mode licensing environment.
Workaround: None. This problem is a third-party issue and is inline with the way Microsoft RDS license servers issue licenses.
The following issues occur when you browse the datastore while editing an automated desktop pool that contains full virtual machines:
On the vCenter Settings tab, click “Browse Datastore”, the minimum recommended GB value is displayed.
On the Provisioning Settings tab, increase the maximum number of machines, then select the vCenter Settings tab, and click “Browse Datastore.” The minimum recommended GB value increases but gets added to the existing value.
For a desktop pool that contains three machines with one available and one still in the customizing or provisioning phase, edit the desktop pool and then select the vCenter Settings tab, and click “Browse Datastore.” The minimum recommended GB value is displayed for the total of three machines. Workaround: None.
The following issues occur when you browse the datastore while editing instant-clone desktop pools:
After an instant-clone desktop pool has all the machines in the available state, edit the desktop pool, on the vCenter Settings tab, click “Browse Datastore”. The Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values have positive values.
After an instant-clone desktop pool has all the machines in the available state, edit the desktop pool, on the Provisioning Settings tab, increase the maximum number of machines, then on the vCenter Settings tab click “Browse Datastore”. The Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values increase but get added to the existing value.
For a desktop pool that contains three machines with one available and one still in the customizing or provisioning phase, edit the desktop pool and then select the vCenter Settings tab, and click “Browse Datastore.” The Minimum Recommended (GB), Maximum Recommended (GB), and 50% Utilization values are shown for all three machines. Workaround: None.
After you create an automated desktop pool that contains full virtual machines with two or more names with the “#Unassigned machines kept powered on” value less than the actual names specified and then edit the pool, the “#Unassigned machines kept powered on” field does not accept a value equal to the total number of names specified during the pool creation process and displays an incorrect error message.
Workaround: None.
Attempts to connect to the HTML Access portal or one of the administration consoles using an IP address or CNAME fails for most browsers without additional configuration. In the majority of these cases, an error is reported but sometimes a blank error message is displayed.
Workaround: To resolve this issue, see “Origin Checking” in the Horizon Security document.
When configuring Skype for Business, there is an optional feature to enable Media Bypass which bypasses the Mediation Server.For Skype for Business optimized calls to and from PSTN users, media will always route through the Mediation Server regardless if Media Bypass is enabled.
Workaround: None. Media Bypass is not supported with the Virtualization Pack for Skype for Business. See VMware KB 56977.
If the same user exists in both Connection Server pods that need to be paired in a Cloud Pod Architecture environment, Horizon Console displays the value for “Source Pods” as 2 and sources the user from both pods. An administrator can edit the user from both pods, which might cause inconsistencies in user configuration during hybrid logon. Additionally, hybrid logon for the user cannot be disabled.
Workaround: You must delete the user from both pods and then recreate the user and configure the user for hybrid logon.
Core-dump error messages are generated while adding Virtual Volumes datastores on nested ESXi or nested virtual ESXi.Workaround: None. In Horizon Console, custom roles with the Manage Help Desk (Read Only) privilege are shown as being applicable to access groups.
Workaround: None.
When you add a vCenter Server to Connection Server using an existing PowerShell script, the following error message appears: Failed to add vc instance: No enum constant com.vmware.vdi.commonutils.Thumbprint.Algorithm.SHA-1. This issue occurs because the certificateEncoding property that indicates a certificate override for self-signed certificates is added in Horizon 7 version 7.8. Therefore, earlier versions of VMware PowerCLI scripts that have an incorrect value of SHA-1 fail.
Workaround: Update the PowerShell scripts to use the property value DER_BASE64_PEM instead of SHA-1. For example, set $certificate_override.sslCertThumbprintAlgorithm = 'DER_BASE64_PEM'.
When a Universal Windows Platform (UWP) application is upgraded, the path containing the version changes, and the application is unreachable by the original path. The app status is Unavailable in Horizon Console and a user cannot launch the app.
Workaround: Update the app path in Horizon Console after an upgrade and verify the app status is Available. Alternatively, do not upgrade the app.
When device filtering is configured for the client drive redirection feature, and a user uses the RDP display protocol to connect, device filtering does not work.
Workaround: When device filtering is configured for client drive redirection, configure Connection Server so that RDP connections are not allowed.
The True SSO desktop unlock feature is supported in PCoIP and Blast protocols, but not in Remote Desktop Protocol (RDP). In Horizon Console, the user or group summary fails to load due to domain trust issues in the following cases:
When users and groups belong to a one-way trust domain and the logged in administrator has the necessary permissions from a one-way trust domain.
When users and groups belong to a two-way trust domain and the logged in administrator has the necessary permissions from a two-way trust domain.
When users and groups belong to a one-way or two-way trust domain and the logged in administrator is from the child domain and has the necessary permissions.
Workaround: None.
In Horizon Console, some events might not be listed because the Connection Server time is set incorrectly with respect to the Connection Server time zone.
Workaround: None.
You can recover an instant-clone virtual machine with an active session in Horizon Console.
Workaround: None.
The Pre-launch and Use Home Site options do not work well together for global application entitlements. When you create a global application entitlement, if you enable both the Pre-launch and Use Home Site options, the pre-launched session might not be created from the home site. This problem occurs because the same session is used to start subsequent applications, and those sessions are not started from the home site.
Workaround: None.
The following error message can appear while installing or uninstalling Connection Server: "Error opening installation log file. Verify that the specified location exists and is writable." This error occurs due to a third-party Microsoft error. For details see: https://support.microsoft.com/en-in/help/2564571/error-opening-installation-log-file-verify-that-the-specified-location.
Workaround: Restart the virtual machine on which the Connection Server is installed.
Horizon Agent for Linux
This section describes issues that might occur with Horizon Agent for Linux or when you configure a Linux desktop.
Sometimes the Collaboration window might not appear after you connect to a remote desktop and click the Collaboration UI icon.
Workaround: Resize the desktop window or reconnect to the remote desktop.
The Linux agent's keyboard layout and locale do not synchronize with the client if the Keyboard Input Method System is set to fcitx.
Workaround: Set the Keyboard Input Method System to iBus.
Single Sign On (SSO) does not work well on a RHEL/CentOS 7.2 desktop when you add a domain using System Security Services Daemon (SSSD).
Workaround: After you add a domain using SSSD, modify the /etc/pam.d/password-auth file using the information in VMware Knowledge Base article 2150330.
When a client user authenticating with smart card redirection connects to an Ubuntu 18.04/16.04 desktop and removes or reinserts the smart card before entering the PIN, the desktop does not appear to recognize the change. The desktop will only detect a change in the smart card's state after the user closes the prompt asking for the PIN.
Workaround: At the prompt, enter the smart card PIN and click OK. Or click Cancel to dismiss the prompt without entering a PIN.
On Ubuntu 16.04, if the administrator attempts to disable smart card redirection by setting VVC.ScRedir.Enable to "FALSE" in the /etc/vmware/config configuration file, the desktop will hang at the login screen.
When a client user connects to an Ubuntu 18.04 desktop, "Error 2306: No suitable token available" appears on the login screen. This error message indicates that a smart card has been removed from the client system. The user can log in to the desktop by entering the user password or reinserting the smart card.
After connecting to an Ubuntu 16.04 desktop and entering the wrong PIN for smart card authentication, the client user encounters a login prompt to enter the user password instead of the smart card PIN.
The client user can click OK to close the user password prompt. A new prompt appears asking the user to enter the smart card PIN.
On Ubuntu 16.04/18.04, the desktop screensaver does not lock as expected when the user removes a smart card from the client system. By default, the desktop screensaver does not lock even after the client user removes the smart card used to authenticate into the desktop. To lock the screensaver under these conditions, you must configure pkcs11_eventmgr on the desktop.
Workaround: Configure pkcs11_eventmgr to specify the correct screensaver behavior in response to smart card events.
After you install Horizon Agent with smart card redirection enabled (-m parameter set to "yes") on a RHEL 7.0 desktop, Horizon Console or vSphere might display a black screen. Smart card redirection is supported on desktops running RHEL 7.1 or later. The feature is not supported on RHEL 7.0 desktops.
Workaround: Install Horizon Agent with smart card redirection enabled on a desktop running RHEL 7.1 or later.
If you configure two monitors with different resolutions, and the resolution of the primary screen is lower than that of the secondary screen, you might not be able to move the mouse or drag application windows to certain areas of the screen.
Workaround: Make sure that the primary monitor's resolution is at least as large as the secondary monitor's.
When you use a smart card on a RHEL 7 desktop and enable the option to lock the screen upon removal of the card, the screen might lock immediately after you log in with the smart card. This is a known issue with RHEL 7.
Workaround: To access the desktop, unlock the screen after logging in with the smart card.
On an Ubuntu desktop, single sign-on (SSO) malfunctions when the operating system updates the gnome-shell binary automatically. In Ubuntu, the default policy is to download and install OS updates automatically.
Workaround: Modify the policy in Ubuntu to download and install OS updates manually, instead of automatically.
When an end user uses a smart card to log in to a RHEL 8.0/8.1 desktop, the greeter might prompt for the user's password instead of the smart card PIN. This issue can occur more frequently when network latency is high.
Workaround: To reduce occurrences of this issue, edit the /etc/sssd/sssd.conf file by increasing the p11_child_timeout value under the [pam] section. Then reboot the desktop.
If a client user minimizes the window of a Linux published application using the Minimize command and then selects the Maximize command, the window is restored to its previous size instead of changing to full-screen mode as expected.
Workaround: To change to full-screen mode, select the Maximize command again.
Linux published applications do not support using the window taskbar to divide the work area in a multiple-monitor display. For example, suppose a client user has two monitors arranged side by side. If the user moves the taskbar to the right side of the left monitor's screen or the left side of the right monitor's screen, the work area is divided into two parts. However, if the user then maximizes the application window, the window is displayed incorrectly in relation to the taskbar.
When connecting to a Linux published application from Horizon Client for Mac, the application window is displayed with square corners instead of rounded corners.
If a client user leaves a nonmodal dialog box open in a Linux published application and then makes active a native application on the client system, part of the dialog box will appear to be missing when the user returns to the published application.
If the client user minimizes a Linux published application window or brings another application in front of the published application window, the taskbar fails to display the thumbnail preview of the published application window. Hovering over the published application icon in the taskbar displays a blank thumbnail instead of the contents of the published application window.
Linux published applications do not support the Aero Snap feature on Windows client systems. Users connecting to a Linux published application from Horizon Client for Windows do not have the capability to snap or fix windows to the edges of the computer screen using the keyboard or mouse.
Linux published applications do not support the jump list feature on Windows client systems. If a user connects to a Linux published application from Horizon Client for Windows and right-clicks the taskbar icon for the application, no jump list is displayed.
Due to a limitation in the work area, Linux published application windows cannot be moved partially off the edge of the client's screen or work area. If the user attempts to move a published application window past the edge of the screen, the window will bounce back inside the screen's boundaries.
If the client user opens a modal dialog box from a Linux published application, that dialog box might not appear in front of native windows.
When connecting to a published application from a Windows client system, there are some differences between the context menus of the Windows taskbar and the application window's title bar. Shift + right-clicking the application icon in the Windows taskbar displays a menu with the items: Restore, Move, Size, Minimize, Maximize, Close. Right-clicking the application window's title bar displays a menu with the items: Minimize, Maximize, Move, Resize, Close.
Published applications do not support the Move and Size context commands for the taskbar on Windows client systems. When a user Shift + right-clicks the published application icon in the Windows taskbar, Move and Size appear in the menu but neither command has any effect if selected.
Published applications do not support the Size command from the application window's context menu. When a user right-clicks the title bar of the application window, Size appears in the menu of commands but has no effect if selected.
When a user opens multiple session windows for the same published application on a Windows client system, the Cascade all windows command has no effect.
If a Windows client user with a dual monitor configuration maximizes a published application in the lower-resolution monitor's work area, the Windows taskbar turns black.
After publishing a LibreOffice application as an application pool, duplicate LibreOffice icons might appear in Horizon Client.
Workaround: From the Connection Server, manually assign the icon for the LibreOffice application.
Linux published applications do not support the Multi-Session Mode option in the application pool settings in Horizon Console.
When connected to a Linux published application, if the user opens a dialog box related to user account controls (such as when editing firewall settings), the desktop will not show.
Horizon Agent for Linux does not support session stealing between published desktops and published applications. For example, if a user has opened a published desktop session and then attempts to open an application session based on the same farm, the desktop session remains active and the application session is not established. Likewise, if the user has opened an application session and then attempts to open a published desktop session based on the same farm, the application session remains active and the desktop session is not established.
Horizon Agent
A warning message about applications in use appears when you uninstall Horizon Agent on Windows Server 2016.
Workaround: Click “Ignore” in the dialog box that appears when you use Windows Add or Remove Programs to uninstall Horizon Agent. If you uninstall Horizon Agent from the command line, use the command msiexec /x /qn {GUID of Agent} instead of the command msiexec /x {GUID of Agent}.
When you uninstall the Horizon Agent, the mouse speed becomes slow and jerky. Uninstalling Horizon Agent also uninstalls the vmkbd.sys driver.
Workaround: Repair VMware Tools on the Horizon Agent virtual machine.
Windows 10 32-bit Horizon Agent installation throws "the arguments are invalid" exception and the installation continues after you click OK. This error occurs because the print spooler service is disabled.
Workaround: Enable the print spooler service for the installation to work as expected.
If a collaborator joins a multimonitor session and enables relative mouse mode on their client, it is possible for the mouse to move to a secondary monitor that the collaborator cannot see.
Workaround: Move the mouse back on to the screen. Alternatively, don't use relative mouse mode in a multimonitor session.
If you use Chrome with URL Content Redirection, and you set ".*.google.*" for the https protocol in filtering rules and you set Google as your home page in Chrome, redirection to google.com occurs each time you open a new tab.
Workaround: Change the home page or the filtering rules.
When setting up a collaborative session, adding a collaborator by the email address from a two-way trusted domain fails.
Workaround: Add the collaborator by using domain\user.
After you connect to a remote desktop that has the Real-Time Audio-Video feature enabled, you might see the following message: "Your PC needs to be restarted to finish setting up this device: devicename (VDI)."
Workaround: You can ignore this message as the device is usable in the remote desktop. Alternatively, you can turn off the Windows Settings notification to prevent the message from being displayed.
Users cannot use a serial printer with the serial port redirection feature when Horizon Agent is installed in an RDS host if the agent group policy setting COM Port Isolation Mode is set to Full Isolation (the default setting). This problem affects both Windows and Linux clients. This problem does not occur for virtual desktops.
Workaround: Edit the COM Port Isolation Mode group policy setting, change the mode to Isolation Disabled, and restart Horizon Agent. For more information, see "Serial Port Redirection Group Policy Settings" in the Configuring Remote Desktop Features in Horizon document.
sysprep fails for full clones with Windows 10 1903, Windows 10 1909 guest OS with error:
SYSPRP Sysprep_Clean_Validate_Opk: Audit mode can't be turned on if there is an active scenario.; hr = 0x800F0975
Workaround: Apply these instructions on the golden image and then provision the desktop.
When you update the OS from Windows 1809 to 1903, you might see a black screen on Horizon Agent.
Workaround: Apply the procedure in this KB article on the OS image.
If Horizon Agent is installed on an RDS host, and the Printer Name for RDSH Agents group policy setting for the VMware Integrated Printing feature is configured to use the client machine name as a suffix, the client machine name supports only English-language characters. If the client machine name contains characters in a non-English language, the VMware Integrated Printing feature does not work in published desktops and published applications.
Workaround: None.
Windows 10 2004 remote desktops respond very slowly when VBS is enabled.
Workaround: None
Updating the None guest customization to any other guest customization on a desktop pool causes existing virtual machines to go into an unreachable state after a reboot or power cycle operation.
Workaround: In Horizon Console Desktop Pool settings, set the guest customization to None, then reboot the existing unreachable agent VMs.
With Horizon desktops using Nvidia GRID, Windows 10 build 2004, PCoIP protocol, and in multimonitor mode, some areas of the desktop might appear black and need to be manually refreshed.
Workaround: Use Blast protocol if available, or continue using Windows 10 build 1909.
Switching the agent desktop from window mode to multi-monitor mode with 4x4k monitors can sometimes take a few seconds.
Workaround: None.
When you run the Horizon Agent installer from a web browser download directory, the installer fails to complete installation.
Workaround: Download the installer to a non-download directory, such as the desktop, and run it from there for a successful installation.
Horizon GPO Bundle
Computer-based global policy objects (GPOs) that require a reboot to take effect are not applied on instant clones.
Workaround: See the VMware Knowledge Base (KB) article, 2150495.
Horizon Client
This section describes problems that end users might encounter when using Horizon Client or HTML Access to connect to remote desktops and applications. For problems that occur only in a specific Horizon Client platform, see the Horizon Client release notes on the Horizon Clients Documentation page.
If a VDI desktop is in a remote location and experiencing high network latency, then a recursive unlock using smart card authentication might not work.
Workaround: Unlock the desktop manually.
When you use the Ambir Image Scan Pro 490i to perform a scan on a remote desktop or application, the dialog box always displays “Scanning…” and does not complete.
Workaround: Perform a scan on the client. The client scan calibrates the scanner. After the calibrate operation is finished, save the calibration file and deploy it in ProgramData\AmbirTechnology\ImageScanPro490i
Unicode keyboard input does not work correctly with HTML Access in Horizon for Linux Desktops.
Workaround: None.
When you connect to a Linux desktop, some keyboard inputs do not work. For example, if you are using a non-English IME on both the client device and the remote desktop, some non-English keys are not displayed correctly.
Workaround: Set the English IME on the client device and set the non-English IME on the remote desktop.
Sometimes an audio call does not start correctly from Skype to Skype for Business. The call status is "Connecting call..." on the Skype for Business client.
Workaround: None.
If you use Skype for Business inside a non-persistent desktop, you might reach the Skype for Business limit of 16 device certificates. When this limit is reached and Skype for Business attempts a new logon, a new certificate will be issued and the oldest assigned certificate will be revoked.
Workaround: None.
Horizon Cloud Connector
When you use the HTML5-based vSphere Web client to deploy the Horizon Cloud Connector virtual appliance OVA file, the following error occurs: “Invalid value 'false' specified for property proxySsl. Failed to deploy OVF package.”
Workaround: Use the vSphere Web Client to deploy the Horizon Cloud Connector virtual appliance OVA file.
When starting Horizon Cloud Connector, you encounter the message "[FAILED] Failed to start Wait for Network to be Configured. See 'systemctl status systemd-networkd-wait-online.service' for details."
This message is displayed incorrectly and does not indicate an actual problem with the network. You can disregard the message and continue to use Horizon Cloud Connector as usual.