-
HZN-973: In the Admin UI, when you create Linux full clones agent with the Sysprep customization selected and "Select AD container from Domain Accounts" checked in the Guest Customization wizard, full clone pool provisioning fails.
Workaround: Ensure the option "Select AD container from Domain Accounts" is not selected for Sysprep customization during Linux Full clone agent creation. This will allow pool provisioning. Note that by default "Select AD container from Domain Accounts" is not selected in the Guest Customization wizard.
-
3183262: The default value of security configuration setting allowUnexpectedHost has changed from true to false. This means that connections using the name or IP address of a proxy, gateway or load balancer that is not defined in locked.properties will fail, even if checkOrigin and enableCORS are both set to false.
Workaround: Configure balancedHost and portalHost entries appropriately. See VMware KB 85801 for more information.
-
3154957: Customers connecting their Horizon 8 pods to the Horizon Cloud next-gen control plane to consume the Horizon SaaS Subscription licensing (Universal License and Plus License) see an incorrect license expiration date in the Horizon Console.
Workaround: Ignore the License Expiration field in Horizon Console and refer to the customer connect portal for the actual expiration date. See https://kb.vmware.com/s/article/91037 for details.
-
3073725: Number of issues reported for ESXi Hosts in the dashboard summary may not match with number of issues reported in the dedicated ESXi Host issues section in the dashboard.
If NVIDIA GRID vGPU support detects a mismatch with the supported vGPUs for the given host, the issue count should be incremented but the count may not display in the UI.
Workaround: View the warnings in Dashboard > System Health > View > vSphere > ESX Hosts.
-
3076811: Admin console doesn’t open with localhost(loopback address) in IPv6.
Workaround: Use the fully Qualified domain name instead of localhost in the URL to open the admin console. For example, if the fully qualified domain name is (test-machine-1.hzeipv6.local) then the URL to open the admin console would be: https://test-machine-1.hzeipv6.local/admin/
-
2712612: Substituting cluster certificates causes True SSO configuration to fail.
Workaround: Contact your VMware representative for assistance with this. The issue will be fixed in an upcoming release.
-
3020358: Horizon Connection Server fails to validate the server certificate of a vCenter instance, preventing a successful connection. This can happen even if an older version of Horizon can connect successfully using the same certificate. In the Connection Server debug log, you will see an exception similar to this:
2022-08-14T08:59:19.762-04:00 DEBUG (207C-17B4) <ajp-nio-127.0.0.1-8009-exec-2> [Connection4] [EXCEPTION] Connection to the vCenter Server https://SITE-VCENTER.DOMAIN.FOREST:443/sdk failed.: javax.xml.ws.WebServiceException: Could not send Message. com.vmware.vdi.logger.Logger.debug(Logger.java:44)
javax.xml.ws.WebServiceException: Could not send Message.....
This is caused by javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://SITE-VCENTER.DOMAIN.FOREST:443/sdk: Certificates do not conform to algorithm constraints
Workaround: Follow the steps in https://kb.vmware.com/kb/89331
-
3004222: View API consumers like the MP4H Adapter invoke MachineDetailsView. This API fails intermittently with user data not found error.
Workaround: None
-
2852439: When administrators try to access the Horizon Console without closing the browser or opening a new session in another tab or reloading the page after leaving the interface idle on the Login Page for an extended period of time (longer than the value for Global Settings Timeout), they are not able to log in even with correct credentials.
Workaround: Open a new session in another tab or reload the login page.
-
1778303: When you restart or reset a virtual machine for which an end user session exists in a desktop pool from vCenter Server or from the Windows Operating System menu, the virtual machine restarts but the status of the virtual machine might appear in the “Already Used” state in Horizon Console.
This problem can occur for the following pool types:
Workaround: Use Horizon Client to restart or reset the virtual machine in the instant-clone desktop pool. If the virtual machine is already in the “Already Used” state, remove the virtual machine. This action automatically creates a new virtual machine based on the pool provisioning settings.
-
1817536: If you provision instant clones on local datastores, the corresponding hosts cannot be put into maintenance mode. This occurs because the internal VMs and the instant clones are stored on local datastores so they cannot be migrated.
Workaround: Delete the instant-clone desktop pool. This will delete the related VMs and enable the corresponding hosts to enter maintenance mode.
-
1548405: Universal Windows Platform (UWP) applications are not supported as published applications on Windows Server 2016 and Windows Server 2019 RDS hosts.
-
1605667: For True SSO, the connectivity status between the Connection Server instance and the enrollment server is displayed only on the System Health Status dashboard for the connection server that you are using to access Horizon Console. For example, if you are using https://server1.example.com/admin for Horizon Console, the connectivity status to the enrollment server is collected only for the server1.example.com connection server. You might see one or both of the following messages:
It is mandatory to configure one enrollment server as primary. Configuring a secondary enrollment server is optional. If you have only one enrollment server, you will see only the first message (on error). If you have both a primary and a secondary enrollment server and both have connectivity issues, you will see both messages.
-
1850273: When you set up True SSO in an environment with CAs and SubCAs with different templates set up on each of them, you are allowed to configure True SSO with a combination of templates from a CA or SubCA with another CA or SubCA. As a result, the dashboard might display the status of True SSO as green. However, it fails when you try to use True SSO.
-
1864310: In Horizon Help Desk Tool, the pod name does not appear if the session is a local session or a session running in the local pod.
Workaround: Set up the Cloud Pod Architecture environment to view pod names in Horizon Help Desk Tool.
-
1880134: The Workspace ONE mode setting is not reflected in the replica server from Workspace ONE.
Workaround: Configure the Workspace ONE mode in Connection Server.
-
1880355: In a Cloud Pod Architecture environment, pre-launched application sessions from global application entitlements are not shown in Inventory > Search Sessions in Horizon Console.
Workaround: Log in to the Horizon Console user interface for a Connection Server instance in the hosting pod and select Monitoring > Events to view pre-launched session information.
-
1569435: For Intel vDGA, only the Haswell and Broadwell series of Intel integrated GPUs are supported. Broadwell integrated GPUs are supported only on vSphere 6 Update 1b and later. Haswell integrated GPUs are supported on vSphere 5.5 and later. The GPU must be enabled in the BIOS before it can be recognized by ESXi. For more information, see the documentation for your specific ESXi host. Intel recommends leaving the graphics memory settings in the BIOS set to their default values. If you choose to change the settings, keep the aperture setting at its default (256M).
-
1946086, 1936954: For vCenter Server 6.0 U3 or later, including vCenter Server 6.5, internal parent VMs migrate to another host during failure. This migration causes an issue because unnecessary parent VMs reside on the destination host.
Workaround: Manually remove these parent VMs. For more information, see the Windows Desktops and Applications in Horizon document.
-
1951074, 1936743: To reduce the possibility of memory exhaustion, vGPU profiles with 512 MB or less of frame buffer support only one virtual display head on a Windows 10 guest operating system.
The following vGPU profiles have 512 Mbytes or less of frame buffer:
-
Tesla M6-0B, M6-0Q
-
Tesla M10-0B, M10-0Q
-
Tesla M60-0B, M60-0Q
-
GRID K100, K120Q
-
GRID K200, K220Q
Workaround: Use a profile that supports more than one virtual display head and has at least one GB of frame buffer.
-
1952105, 1928484: Virtual desktops and published desktops and application pools fail to launch if they have the client restriction feature enabled and are entitled to a domain that is configured with a one-way AD trust.
Workaround: None.
-
1961900: After an upgrade, the bookmarks do not appear in Workspace ONE.
Workaround: Add the bookmarks from the catalog in Workspace ONE again.
-
2020365, 2018588: After you disconnect and reconnect the network cable and click "Disconnect and Log Off" on the client machine, the remote desktop does not disconnect and log off.
Workaround: Manually close the window of the remote desktop and disconnect from the remote session.
-
2024833: When you create full clones with the Sysprep customization method, customization and domain joining sometimes fails on Windows 10 guest operating systems.
Workaround: This occurs because of a Microsoft Windows issue. To resolve this issue, follow the steps in this Microsoft help article: Sysprep fails after you remove or update Microsoft Store apps that include built-in Windows images.
-
2085284, 2001591: When you use Safari version 10.1.1 as the Web browser to log in to Horizon Console with a Fully Qualified Domain Name, user interface issues such as the bottom panels appearing blank can occur.
Workaround: Safari version 10.1.1 is not a supported Web browser version for Horizon Console. Use a Safari version earlier than version 10.1.1 or version 11.0.2 and later to log in to Horizon Console.
-
2074958, 2067873: The following user interface issues occur in Horizon Help Desk Tool for global Linux sessions in a Cloud Pod Architecture deployment:
-
An internal error occurred message appears, the Skype for Business status is not displayed, and the operating system version displays as “-” when you click the session details on the Details tab.
-
A “failed to get Remote Assistance ticket” message appears when you click Remote Assistance.
-
An internal error occurred message appears when you click the Applications tab.
Workaround: None. Horizon Help Desk does not support the following user interface features for Linux desktops: Skype for Business status, Remote Assistance, Applications tab, and the session idle status.
-
2104955, 2104953: Horizon Console does not update the space reclamation information for a vCenter Server on vSphere version 6.7 that uses the VMFS6 with the automatic UNMAP feature.
Workaround: None.
-
2085281, 2000267: Login to Horizon Console fails if you use the IP address to login to Horizon Console on a Firefox, Google Chrome, Microsoft Edge, Firefox, or Safari Web browser.
Workaround: Use the Fully Qualified Domain Name (FQDN) to login to Horizon Console. For more information on using FQDN to log in to Web applications, see the Horizon Security document.
-
2091333: After an upgrade to vSphere 6.7, you cannot use the custom specification created with a vSphere version earlier than 6.7.
Workaround: After an upgrade to vSphere 6.7, create a new custom specification and use this specification for pool provisioning.
-
2093129, 2069708: Horizon Help Desk Tool displays the logon time for both the brokering pod and the hosting pod but does not display the logon time for a pod that is neither the brokering pod nor the hosting pod. Horizon Help Desk Tool displays the logon time after a few minutes for the hosting pod if the brokering pod is a remote pod.
Workaround: If Horizon Help Desk Tool does not display the logon time for the hosting pod, close the page that displays session details, wait 7-8 minutes and navigate to the Details tab to view the session details again.
-
2111978, 2073141: VMware Identity Manager sometimes fails to launch desktops. When you save SAML configuration details for the first time in VMware Identity Manager with SAML enabled on Connection Server, desktops do not start.
Workaround: Save the profile again and perform a sync operation on the new profile. The sync operation can occur every hour or day, as set by the administrator.
-
2126853: Horizon Single Sign On fails when the scope of the trust authentication setting is set to “Selective Authentication".
Workaround: Use one of the following workarounds to resolve this issue.
-
Use domain-wide authentication.
-
Continue to use the “Selective Authentication” security setting, but explicitly grant each Horizon Connection Server host (local system) accounts the "Allowed to Authenticate" permission on all the domain controllers of the computer objects (resource computers) that reside in the trusting domain or forest. For information on how to grant the "Allowed to Authenticate" permission, see the Microsoft article "Grant the Allowed to Authenticate permission on computers in the trusting domain or forest."
-
2146919: With the Cloud Pod Architecture feature, in certain circumstances RDS licensing servers issue multiple permanent licenses to the same client in a mixed-mode licensing environment.
Workaround: None. This problem is a third-party issue and is in line with the way Microsoft RDS license servers issue licenses.
-
1629622: Attempts to connect to the HTML Access portal or one of the administration consoles using an IP address or CNAME fails for most browsers without additional configuration. In the majority of these cases, an error is reported but sometimes a blank error message is displayed.
Workaround: To resolve this issue, see “Origin Checking” in the Horizon 8 Security document.
-
2175332: When configuring Skype for Business, there is an optional feature to enable Media Bypass which bypasses the Mediation Server. For Skype for Business optimized calls to and from PSTN users, media will always route through the Mediation Server regardless of whether Media Bypass is enabled.
Workaround: None. Media Bypass is not supported with the Virtualization Pack for Skype for Business. See VMware Knowledge Base (KB) article 56977.
-
2217199: If the same user exists in both Connection Server pods that need to be paired in a Cloud Pod Architecture environment, Horizon Console displays the value for “Source Pods” as 2 and sources the user from both pods. An administrator can edit the user from both pods, which might cause inconsistencies in user configuration during hybrid logon. Additionally, hybrid logon for the user cannot be disabled.
Workaround: You must delete the user from both pods and then recreate the user and configure the user for hybrid logon.
-
2222221: Core-dump error messages are generated while adding Virtual Volumes datastores on nested ESXi or nested virtual ESXi.
Workaround: None.
-
2277110: When you add a vCenter Server to Connection Server using an existing PowerShell script, the following error message appears:
Failed to add vc instance: No enum constant com.vmware.vdi.commonutils.Thumbprint.Algorithm.SHA-1
This issue occurs because the certificateEncoding property that indicates a certificate override for self-signed certificates is added in Horizon 7 version 7.8. Therefore, earlier versions of VMware PowerCLI scripts that have an incorrect value of SHA-1 fail.
Workaround: Update the PowerShell scripts to use the property value DER_BASE64_PEM instead of SHA-1. For example, set $certificate_override.sslCertThumbprintAlgorithm = 'DER_BASE64_PEM'.
-
2356156: When a Universal Windows Platform (UWP) application is upgraded, the path containing the version changes, and the application is unreachable by the original path. The app status is Unavailable in Horizon Console and a user cannot launch the app.
Workaround: Update the app path in Horizon Console after an upgrade and verify the app status is Available. Alternatively, do not upgrade the app.
-
2330942: When device filtering is configured for the client drive redirection feature and a user uses the RDP display protocol to connect, device filtering does not work.
Workaround: When device filtering is configured for client drive redirection, configure Connection Server so that RDP connections are not allowed.
-
2300801: The True SSO desktop unlock feature is supported in PCoIP and Blast protocols, but not in Remote Desktop Protocol (RDP).
-
2358355, 2353567: In Horizon Console, the user or group summary fails to load due to domain trust issues in the following cases:
-
When users and groups belong to a one-way trust domain and the logged in administrator has the necessary permissions from a one-way trust domain.
-
When users and groups belong to a two-way trust domain and the logged in administrator has the necessary permissions from a two-way trust domain.
-
When users and groups belong to a one-way or two-way trust domain and the logged in administrator is from the child domain and has the necessary permissions.
Workaround: None.
-
2363188, 2354034: In Horizon Console, some events might not be listed because the Connection Server time is set incorrectly with respect to the Connection Server time zone.
Workaround: None.
-
2366007, 2339388: You can recover an instant-clone virtual machine with an active session in Horizon Console.
Workaround: None.
-
2516216, 2514333: The Pre-launch and Use Home Site options do not work well together for global application entitlements. When you create a global application entitlement, if you enable both the Pre-launch and Use Home Site options, the pre-launched session might not be created from the home site. This problem occurs because the same session is used to start subsequent applications, and those sessions are not started from the home site.
Workaround: None.
-
2510477, 2500272: The following error message can appear while installing or uninstalling Connection Server:
"Error opening installation log file. Verify that the specified location exists and is writable."
This error occurs due to a third-party Microsoft error. For details see this Microsoft help article.
Workaround: Restart the virtual machine on which the Connection Server is installed.
-
2686004, 2672069: The CSRF feature for Horizon HTML Access introduced in Horizon 2006 does not support the combination of a pre-login message configured on Connection Server with SAML authentication through Unified Access Gateway.
Workaround: If you use this combination of features and Horizon version, disable this pre-login message on Connection Server. A pre-login message should instead be configured on the SAML IdP, so that it is presented to the user before the user enters their credentials.
-
2986303: Certificates signed using SHA-1 are no longer supported in FIPS mode.
Workaround: See Older Protocols and Ciphers Disabled in VMware Horizon in the Horizon Security guide.