Below is a list of non-default settings and configurations I use in VMware Horizon View deployments.
Horizon View Infrastructure
Create an index on the SQL Event Database (not needed anymore for version 6.1.1 and later)
When browsing the monitored events in the VMware Horizon View Administrator console, the performance might be extremely slow. The larger the Event database becomes, the slower the queries run.
To resolve this issue, create an index on the SQL Events database:
- Open SQL Server Management Studio
- Browse to the View Event Database
- Browse to the dbo.event_data table
- Right click and select “New Index”
- Create an index on column EventID
Reference: http://kb.vmware.com/kb/2094580
Enable ‘High Performance’ host power policy
Poor performance may be related to processor power management implemented either by ESXi or by the server hardware. Certain applications that are very sensitive to processing speed latencies may show less than expected performance when processor power management features are enabled. It may be necessary to turn off ESXi and server hardware power management features to achieve the best performance for such applications.
Reference: http://kb.vmware.com/kb/1018206
Limit domains visible to end-users
You can configure domain filters to limit the domains that a Horizon View Connection Server instance or security server makes available to end users.
- Log on to a connection server
- Open a command prompt (as administrator)
- Change Directory to C:\Program Files\VMware\VMware View\Server\Tools\bin
- To display the currently active domains for the View Connection Server instance, run the below command:
- “vdmadmin -N -domains -list -active”
- To make only the domain MYDOMAIN visible to the end-user, run the below command:
- “vdmadmin -N -domains -include -domain MYDOMAIN -add”
Reference: VMware Horizon View documentation
Certificate Revocation Checking
Each Horizon View Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate.
If you have your own CA but do not or cannot include certificate revocation information in your certificates, you can turn off certificate revocation checking by adding the following registry value on your connection servers:
REG ADD "HKLM\Software\VMware, Inc.\VMware VDM\Security" /v CertificateRevocationCheckType /t REG_SZ /d 1
Reference: http://kb.vmware.com/kb/2000063 and VMware Horizon Documentation
Origin Checking
VMware Horizon View 7 added a new security feature, enabled by default, for RFC 6454 origin checking. This security feature protects against cross-site request forgery. It checks the origin URL of the web request when you go to the VMware Horizon View Administrator page and rejects the request if the URL is not https://localhost/admin or https://URL_used_in_Secure_Tunnel_URL_Field/admin. Therefore it is best to disable Origin Checking.
To disable Origin Checking, create a file on each connection server:
- Filename: C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties
- Content of the file: CheckOrigin=false
After the file is created, the VMware Horizon Connection Server service needs to be restarted.
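Both settings above switch off a protection, so it is worth being able to report which connection servers have them applied. The following PowerShell audit is an added example, not part of the original post or of VMware's tooling; the function names are hypothetical, and the registry path, value name, file path and property name are the ones given on this page.

```powershell
# Added example: report whether the two relaxed settings from this page are present.
# Function names are hypothetical; paths and value names come from the page.

function Get-LockedProperty {
    param([string]$Path, [string]$Name)
    $value = $null
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        # Skip blank lines and Java .properties comments
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        # key=value or key:value; assumes keys are case-sensitive, last entry wins
        if ($t -match '^([^=:\s]+)\s*[=:]\s*(.*)$' -and $Matches[1] -ceq $Name) {
            $value = $Matches[2].Trim()
        }
    }
    return $value
}

function Get-HorizonSecurityRelaxation {
    param(
        [string]$RegPath   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Security',
        [string]$PropsPath = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
    )
    # Returns $null when the key or value does not exist (default behaviour applies)
    $crl = (Get-ItemProperty -LiteralPath $RegPath -Name CertificateRevocationCheckType `
                -ErrorAction SilentlyContinue).CertificateRevocationCheckType
    $origin = Get-LockedProperty -Path $PropsPath -Name 'CheckOrigin'

    [pscustomobject]@{
        Computer                       = $env:COMPUTERNAME
        CertificateRevocationCheckType = $crl
        # '1' is the value this page sets to stop revocation checking
        RevocationCheckDisabled        = ($crl -eq '1')
        CheckOrigin                    = $origin
        OriginCheckDisabled            = ($origin -eq 'false')
    }
}

Get-HorizonSecurityRelaxation | Format-List
```

Run it in an elevated PowerShell session on each connection server; a missing registry value or missing locked.properties file shows up as an empty field with the corresponding flag set to False.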
Enable Touch ID
Since VMware Horizon 6.2, it is possible to log in to your VDIs and RDSH applications using Touch ID on iPhones and iPads.
This functionality is however not enabled by default.
To enable the functionality:
- Open ADSI Edit on a connection server
- Connect to the View ADAM database (See VMware KB 2012377)
- Open the object DC=vdi, DC=vmware, DC=int ==> Properties – Global – Common
- Edit the “pae-ClientConfig” attribute
- Add the value “BioMetricsTimeout=-1”
See also VMware Horizon View 6.2 Documentation
Pools
Set pae-DirtyVMPolicy to 2
When using VMware Horizon View with a pool set to refresh or delete the virtual machines after log off, you can experience the following symptoms:
- VMware Horizon View virtual machines are unavailable.
- The VMware Horizon View Administrator console shows the status of virtual machine as: “Already Used” or “Agent Disabled”
To resolve the issue, set the pae-DirtyVMPolicy to 2:
- Start the ADSI Edit utility on the VMware Horizon View Connection Server host.
- In the “Select or type a Distinguished Name” field, enter DC=vdi, DC=vmware, DC=int.
- In the “Select or type a domain or server” field, enter localhost:389.
- Locate the OU=Server Groups for editing.
- Under the Server Groups OU, double-click CN=pool_name. This opens the properties of the CN.
- Click the pae-DirtyVmPolicy attribute and click Edit.
- Set the pae-DirtyVmPolicy attribute to 2.
Note: This needs to be done on every pool.
Reference: http://kb.vmware.com/kb/1000590
Golden Image
Disable the HotAdd/HotPlug capability
To prevent NICs and SCSI controllers from appearing as removable devices that users can remove:
- Connect to the ESXi/ESX host or vCenter Server using the vSphere Client.
- Power off the virtual machine.
- Right-click the virtual machine and click Edit Settings.
- Click the Options tab.
- Click General > Configuration Parameters > Add Row.
- Insert a new row with the name devices.hotplug and a value of false.
- Power on the virtual machine.
Reference: http://kb.vmware.com/kb/1012225
Install Microsoft Hotfix 2550978 on your golden image
Install Microsoft hotfix http://support.microsoft.com/kb/2550978 (See also VMware KB 2007319)
- The 32-bit version for Windows 7 SP1 and Windows Server 2008 R2 SP1 Datacenter Edition can be downloaded here
- The 64-bit version for Windows 7 SP1 and Windows Server 2008 R2 SP1 Datacenter Edition can be downloaded here
Enable Verbose or Highly Detailed Status Messages
Windows offers the option to display certain messages during its startup and shutdown. These are referred to as Verbose Status Messages (win7/2008) or Detailed Status Messages (win8/2012) and tell us the processes or steps that the Windows operating system is taking during startup, shutdown, logon, and logoff operations. These verbose messages tell you what Windows is doing in the background while carrying out these operations.
With these verbose status messages turned on, the end-user will see more things moving on the screen, which gives him/her the perception that logon is faster as he/she sees something is going on.
Add the following registry key to your parent image:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add DWORD verbosestatus with a value of 1
Reference: http://www.thewindowsclub.com/enable-verbose-status-message-windows
Pre-compile .NET Framework assemblies
Microsoft .NET compiles framework assemblies on an as-needed basis when .NET-dependent programs are launched for the first time. This process can be both CPU- and disk-intensive, so you should pre-compile all .NET Framework assemblies on the Virtual Desktop master image prior to deployment. The following steps outline how to pre-compile all versions of the .NET Framework assemblies:
- Open an elevated Windows command prompt.
- Navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319 directory.
- Type ngen.exe update /force
This process may require several minutes to complete. Microsoft .NET 3.5 or 4.0 is not installed by default on Windows 7 or Windows 8. If Microsoft .NET 3.5 or 4.0 is required on the desktop image, it should be installed prior to running the ngen.exe executequeueditems command.
Lower the VDI client NVIDIA license interval (when using NVIDIA Grid)
By default the VDI client claims a license from the NVIDIA license server and keeps it for 24 hours. Especially in Instant clone situations I have seen that the NVIDIA license is not always correctly released when the VDI is being deleted. In some cases this can be problematic as you have to wait for 24 hours until licenses are released and new clients might not get a new license from the NVIDIA license server.
There is a registry key that can be set on the VDI client to lower the default 24hr license lease.
Add the following registry key to your parent image:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\Gridlicensing
Add DWORD LicenseInterval with a value of 600
Disable some Active Setup components of Windows
As per VMware KB 2100337 logon time will be a lot faster when disabling all the Active Setup components of Windows.
Delete stubpath under:
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
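Deleting eight registry values by hand on every golden image is error-prone, so the PowerShell function below does it in one pass and first saves the old values so the change can be reverted. It is an added example, not part of the original post or of VMware KB 2100337; the function name and backup path are hypothetical, and the component keys are exactly the ones listed above.

```powershell
# Added example: remove StubPath from the Active Setup components listed on this page.
# Function name and backup file location are hypothetical.
function Remove-ActiveSetupStubPath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BackupFile = 'C:\ActiveSetup-StubPath-backup.json'
    )
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    # Key names as given on the page; the last one really does start with '>'
    $components = @(
        '{2C7339CF-2B09-4501-B3F3-F3508C9228ED}',
        '{2D46B6DC-2207-486B-B523-A557E6D54B47}',
        '{44BBA840-CC51-11CF-AAFA-00AA00B6015C}',
        '{6BF52A52-394A-11d3-B153-00C04F79FAA6}',
        '{89820200-ECBD-11cf-8B85-00AA005B4340}',
        '{89820200-ECBD-11cf-8B85-00AA005B4383}',
        '{89B4C1CD-B018-4511-B0A1-5476DBF70820}',
        '>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}'
    )
    # Collect the current values (unexpanded, so REG_EXPAND_SZ data is kept verbatim)
    $backup = foreach ($name in $components) {
        $key = "$base\$name"
        $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $regKey) { Write-Verbose "Key not present: $name"; continue }
        $stub = $regKey.GetValue('StubPath', $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $stub) { Write-Verbose "No StubPath under: $name"; continue }
        [pscustomobject]@{ Key = $key; StubPath = $stub }
    }
    if (-not $backup) { return }

    if ($PSCmdlet.ShouldProcess($BackupFile, 'Write StubPath backup')) {
        ConvertTo-Json -InputObject @($backup) | Set-Content -LiteralPath $BackupFile -Encoding UTF8
    }
    foreach ($entry in @($backup)) {
        if ($PSCmdlet.ShouldProcess($entry.Key, 'Remove StubPath')) {
            Remove-ItemProperty -LiteralPath $entry.Key -Name StubPath
        }
    }
    $backup   # emit what was (or would be) removed
}
```

Run `Remove-ActiveSetupStubPath -WhatIf -Verbose` from an elevated session first to see which of the listed components actually carry a StubPath on the image before anything is changed.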