VMware Horizon View – Settings I should not forget

Below is a list of non-default settings and configurations I use in VMware Horizon View deployments.

Horizon View Infrastructure

Create an index on the SQL Event Database (not needed anymore for version 6.1.1 and later)

When browsing the monitored events in the VMware Horizon View Administrator console, the performance might be extremely slow. The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index on the SQL Events database:

  • Open SQL Server Management Studio
  • Browse to the View Event Database
  • Browse to the dbo.event_data table
  • Right click and select “New Index”

  • Create an index on column EventID

Reference: http://kb.vmware.com/kb/2094580

Enable ‘High Performance’ host power policy

Poor performance may be related to processor power management implemented either by ESXi or by the server hardware. Certain applications that are very sensitive to processing speed latencies may show less than expected performance when processor power management features are enabled. It may be necessary to turn off ESXi and server hardware power management features to achieve the best performance for such applications.

Reference: http://kb.vmware.com/kb/1018206

Limit domains visible to end-users

You can configure domain filters to limit the domains that a Horizon View Connection Server instance or security server makes available to end users.

  • Log on to a connection server
  • Open a command prompt (as administrator)
  • Change Directory to C:\Program Files\VMware\VMware View\Server\Tools\bin
  • To display the currently active domains for the View Connection Server instance, run the below command:
    • vdmadmin -N -domains -list -active
  • To make only the domain MYDOMAIN visible to the end-user run the below command:
    • vdmadmin -N -domains -include -domain MYDOMAIN -add

Reference: VMware Horizon View documentation

Certificate Revocation Checking

Each Horizon View Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate.

If you have your own CA but do not or cannot include certificate revocation information in your certificates, you can disable certificate revocation checking by adding the following registry value on your connection servers:

REG ADD "HKLM\Software\VMware, Inc.\VMware VDM\Security" /v CertificateRevocationCheckType /t REG_SZ /d 1

Reference: http://kb.vmware.com/kb/2000063 and VMware Horizon Documentation

Origin Checking

VMware Horizon View 7 added a new security feature, enabled by default, for RFC 6454 origin checking. This security feature protects against cross-site request forgery. It checks the origin URL of the web request when you go to the VMware Horizon View Administrator page and rejects the request if the URL is not https://localhost/admin or https://URL_used_in_Secure_Tunnel_URL_Field/admin. Therefore it is best to disable Origin Checking.

To disable Origin Checking, create a file on each connection server:

  • Filename: C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties
  • Content of the file: checkOrigin=false

When the file is created, the VMware Horizon Connection Server service needs to be restarted.
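
An audit for the two settings above (certificate revocation checking and origin checking), as an added example that is not part of the original post: it reports whether a Connection Server has either protection relaxed, so the change stays visible in configuration reviews. The function names and the sample input are constructed; the registry path, value name and file path are the ones given above.

```powershell
# Added example (not from the original post): report whether the two protections
# discussed above are relaxed. Function names and sample input are constructed.

function ConvertFrom-LockedProperties {
    # Parse Java-style "key=value" text, skipping blank lines and #/! comments.
    param([string]$Text)
    $props = @{}                      # string keys compare case-insensitively
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line -match '^[#!]') { continue }
        $key, $value = $line -split '\s*[=:]\s*', 2
        $props[$key] = $value
    }
    return $props
}

function Get-HorizonRelaxedSetting {
    param([string]$RevocationCheckType, [hashtable]$LockedProperties)
    $crlValue    = if ($RevocationCheckType) { $RevocationCheckType } else { '(not set: default)' }
    $originValue = $LockedProperties['checkOrigin']
    if ($null -eq $originValue) { $originValue = '(not set: default)' }
    [pscustomobject]@{ Setting = 'CertificateRevocationCheckType'; Value = $crlValue
                       Relaxed = ($RevocationCheckType -eq '1') }   # 1 = no revocation checking
    [pscustomobject]@{ Setting = 'checkOrigin'; Value = $originValue
                       Relaxed = ($originValue -eq 'false') }       # false = origin check off
}

# Constructed sample: a server where both changes from this page were applied.
$sample = "# constructed sample`ncheckOrigin=false`n"
Get-HorizonRelaxedSetting -RevocationCheckType '1' `
    -LockedProperties (ConvertFrom-LockedProperties $sample) | Format-Table -AutoSize

# Live check on a Connection Server, using the paths given on this page.
$regPath  = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Security'
$propFile = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
if (Test-Path $regPath) {
    $type = (Get-ItemProperty -Path $regPath).CertificateRevocationCheckType
    $text = if (Test-Path $propFile) { Get-Content -Path $propFile -Raw } else { '' }
    Get-HorizonRelaxedSetting -RevocationCheckType $type `
        -LockedProperties (ConvertFrom-LockedProperties $text) | Format-Table -AutoSize
}
```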

Enable Touch ID

Since VMware Horizon 6.2 a new functionality has been introduced to be able to log in to your VDIs and RDSH applications using the Touch ID on iPhones and iPads.

This functionality is however not enabled by default.

To enable the functionality

  • Open ADSI Edit on a connection server
  • Connect to the View ADAM database (See VMware KB 2012377)
  • Open the object DC=vdi, DC=vmware, DC=int ==> Properties – Global – Common
  • Edit the “pae-ClientConfig” attribute
  • Add the value “BioMetricsTimeout=-1”

See also VMware Horizon View 6.2 Documentation

Pools

Set pae-DirtyVMPolicy to 2

When using VMware Horizon View with a pool set to refresh or delete the virtual machines after log off, you can experience the following symptoms:

  • VMware Horizon View virtual machines are unavailable.
  • The VMware Horizon View Administrator console shows the status of virtual machine as: “Already Used”  or  “Agent Disabled”

To resolve the issue set the pae-DirtyVMPolicy to 2

  • Start the ADSI Edit utility on the VMware Horizon View Connection Server host.
  • Select or type a Distinguished Name or connect to DC=vdi, DC=vmware, DC=int.
  • Select or type a domain or server to localhost:389.
  • Locate the OU=Server Groups for editing.
  • Under the Server Groups OU, double-click CN=pool_name. This opens the properties of the CN.
  • Click the pae-DirtyVmPolicy attribute and click Edit.
  • Set the pae-DirtyVmPolicy attribute to 2.

Note: This needs to be done on every pool.

Reference: http://kb.vmware.com/kb/1000590

Golden Image

Disable the HotAdd/HotPlug capability

NICs and SCSI controllers appear as removable devices in the virtual machine. To remove the option for users to remove them:

  • Connect to the ESXi/ESX host or vCenter Server using the vSphere Client.
  • Power off the virtual machine.
  • Right-click the virtual machine and click Edit Settings.
  • Click the Options tab.
  • Click General > Configuration Parameters > Add Row.
  • Insert a new row with the name devices.hotplug and a value of false.
  • Power on the virtual machine.

Reference: http://kb.vmware.com/kb/1012225

Install Microsoft Hotfix 2550978 on your golden image

Install Microsoft hotfix http://support.microsoft.com/kb/2550978 (See also VMware KB 2007319)

  • The 32-bit version for Windows 7 SP1 and Windows Server 2008 R2 SP1 Datacenter Edition can be downloaded here
  • The 64-bit version for Windows 7 SP1 and Windows Server 2008 R2 SP1 Datacenter Edition can be downloaded here

Enable Verbose or Highly Detailed Status Messages

Windows offers the option to display certain messages during its startup and shutdown. These are referred to as Verbose Status Messages (win7/2008) or Detailed Status Messages (win8/2012) and tell us the processes or steps that the Windows operating system is taking during startup, shutdown, logon, and logoff operations. These verbose messages tell you what Windows is doing in the background while carrying out these operations.

With these verbose status messages turned on, the end-user will see more things moving on the screen, which gives him/her the perception that logon is faster as he/she sees something is going on.

Add the following registry key to your parent image:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Add DWORD verbosestatus with a value of 1

Reference: http://www.thewindowsclub.com/enable-verbose-status-message-windows

Pre-compile .NET Framework assemblies

Microsoft .NET compiles framework assemblies on an as-needed basis when .NET-dependent programs are launched for the first time. This process can be both CPU- and disk-intensive, so you should pre-compile all .NET Framework assemblies on the Virtual Desktop master image prior to deployment. The following steps outline how to pre-compile all versions of the .NET Framework assemblies:

  1. Open an elevated Windows command prompt.
  2. Navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319 directory.
  3. Type ngen.exe update /force (this process may require several minutes to complete).

Microsoft .NET 3.5 or 4.0 is not installed by default on Windows 7 or Windows 8. If Microsoft .NET 3.5 or 4.0 is required on the desktop image, it should be installed prior to running the ngen.exe executequeueditems command.

Lower the VDI client NVIDIA license interval (when using NVIDIA Grid)

By default the VDI client claims a license from the NVIDIA license server and keeps it for 24 hours. Especially in Instant Clone situations I have seen that the NVIDIA license is not always correctly released when the VDI is being deleted. In some cases this can be problematic, as you have to wait 24 hours until licenses are released and new clients might not get a new license from the NVIDIA license server.

There is a registry key that can be set on the VDI client to lower the default 24hr license lease.

Add the following registry key to your parent image:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\Gridlicensing

Add DWORD LicenseInterval with a value of 600

Reference: https://docs.nvidia.com/grid/latest/grid-licensing-user-guide/index.html#windows-registry-grid-license-settings

Disable some Active Setup components of Windows

As per VMware KB 2100337 logon time will be a lot faster when disabling all the Active Setup components of Windows.

Delete stubpath under
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}”
“HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}”
