On the Horizon Instant-clone Pool the first end-user reaction upon the first login is “Why does Windows 10 need to reconfigure my profile?” Because the user sees the first login to Windows 10
To disable the Windows 10 First Sign-In there is a Local Computer Policy
When upgrading vCenter 6.5x to version 7u3x we encountered the following problem
Following this KB
Upgrading to vCenter Server 7.0 fails when case differs between FQDN and PNID (84355) (vmware.com)
We identify the problem in the fact that we have the hostname that differs from the PNID because one is all uppercase and the other lowercase.
From the following KB we find that we can not on vCenter 6.5 updatethe hostname
To solve we proceed first with the update to the version of vcenter 6.7u3 that fixes the part of FQDN
Once updated to 6.7 relaunch the commands indicated by KB and see that the PNID and hostname coincide
Then we update to the vCenter version 7u3
A customer during the integration of Workspace One Access with Azure AD for MFA activation “locked out” the admin interface.
Prior to version 21.08, a URL was enabled by default on each Workspace One Access VSA for Break-glass URL Endpoint access.
https://< TENANT URL>/SAAS/login/0
from 21.08 onwards it was disabled because it was not security complaint for customer environments
To enable it, you must SSH or WEB GUI access one of the Workspace One Access VSA and run the following command:
hznAdminTool configureBreakGlassLogin –enable -loginZero
and restart the horizon-workspace service with the following command.
Service Horizon-workspace restart
At this point the “Emergency” URL is enabled again
And you can access it to fix the necessary policies.
To turn it off:
hznAdminTool configureBreakGlassLogin –disable -loginZero
Service Horizon-workspace restart
It is very important to activate MFA (Multi-factor authentication) using applications such as Google Authenticator on corporate services exposed on the internet that require access using credentials.
If we talk about VMware Workspace One Access, a solution that allows us to publish applications and business services on the internet, it is mandatory to activate the MFA.
Since Workspace One Access version 22.09, you can use Authentication Applications such as Microsoft or Google.
Enabling MFA requires a few steps:
Enable the “Authenticator APP” authentication method on Workspace One Access
Access the Integration menu, select Authentication Methods, enable Authenticator App and select Configure.
We enable and possibly can change any classic account lock parameters etc …
At this point, we go to integrations, select identity provider and select our IDP related to the integration with AD
In the Authentication Methods menu select Authenticator APP
At this point, we just need to go and modify the policy used by our users by adding MFA for authentication
We go to the Resources, policies menu, select our policy and modify it
We select the rule of our interest (normally we select the one relating to access from public networks because we could reason that those who access from the company network have already done other methods of secure authentication …)
In the authentication methods used, we add the authenticator app
From now on, all users who log in to workspace one access and run with the rule we have modified we have the following user experience at the first login:
User experience at login
Go to WorkSpace One Access public URL.
If prompted, they will have to select the domain.
Then they will have to enter username and password
Finally, they will have a QRcode that they will have to use to configure their Authenticator APP (Microsoft or Google). So, in the selected phone app they will have to add an account by reading the QRCODE
We access our smartphone and launch the authentication application that we will use (in my case I launch Google Authenticator)
We add the new account
We select the option to scan a QRCODE and scan it 
Enter the passcode generated after scanning the QRCODE in the space provided under the QRcode code on the page WEB
We will now have an account named WSA (Woekspace One:WSA) linked to our authenticator app
From the next login after entering your username and password you will be asked for the access code generated by the user application
If we are removing a desktop pool from a Horizon infrastructure and we find ourselves in a situation that remains in a deleting state:
We can force the removal as follows:
In my example, we have the following situation
To remove them we use the tool iccleanup.cmd, we find te command on the connection servers by launching the following command to access:
iccleanup.cmd -vc <ome of vcenter> -uid < admin user of vcenter>
We enter the account password
Run with the list command the list of service VMs to be deleted
In my case, they are the VMs indicated with ID 2 and 3
We start from 2 and first launch the unprotect indicating with -I the number 2 (unprotect -I 2) and confirm by writing unprotect
Then we delete with the question delete -I 2 and confirm by writing delete
Let’s go back by writing Back
Relaunch the List command and verify that Index has taken the other chain of system VMs to be deleted
Ha was taken as index 2
We review the operations of unprotect and delete once again for index 2
At the end of the vCenter (they are service VM from other pools that should not be deleted)
Already in this case, we may have deleted the DesktopPool that was in a deleting state.
If the Pool in question is still present and in a deleting state, we proceed to access the ADSI Edit console and modify the ADAM DB by deleting the references left to the pool in deleting state (in my case ICTPM)
To connect follow this KB:
Connecting to the Horizon View Local ADAM Database (vmware.com)
remove the pool from Adam as follows.
At the end of March 2023, new versions of the products that make up the Horizon suite were released. (Connection Server, Volume App, DEM, and Unified Access Gateway)
There are several interesting features, below I report the link to each release note.
I bring to your attention the presence of AppVolume in a preview solution related to the use of AppVolume in the Azure environment. (This deployment option is intended for applications packages and not Writable Volumes)
Horizon
VMware Horizon 8 2303 Release Notes
App Volume on Azure
VMware App Volumes Manager Deployment Guide for Azure –
App Volume
VMware App Volumes 4, version 2303 Release Notes
DEM
VMware Dynamic Environment Manager 2303 Release Notes
Unified Access Gateway
Among the many features of DEM (Dynamic Environment Manager) to manage the roaming of user profiles (especially when we talk about Horizon Pool Instant Clone), there is the possibility to manage the mapping of printers.
Using this feature is tied to using a Printer Server (at least you must specify the path to the printer with a UNC)
So if we need to map printers that are not managed by print server we can do as follows:
Mapping scripts
We create a mapping script and place it in a network share, reachable by all the Instant Clone VDI that must use it.
(en-IT depends on the language used on the Windows 10 environment)
The share must have the following permissions:
Now we access DEM and configure the part of logon Task
In my case I also impose a condition that only the user fstorni can perform this task
We save everything
At the next logon the user fstorni will map the printer, and we can check from the DEM logs:
While all other users will not be able to map the printer
If you see such an error on the Cluster object of a vSAN (in my case it appeared on two vSAN clusters managed by the same vCenter)
vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service …….
an unhealthy state of the Service cluster
Errors such as the following in the EAM log. vCenter LOG
EAM.log:
2023-01-26T13:16:39.996Z | INFO | vim-monitor | VcListener.java | 131 | Retrying in 10 sec.
2023-01-26T13:16:41.432Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
at com.vmware.eam.vmomi.EAMInitRequestFilter.handleBody(EAMInitRequestFilter.java:57) ~[eam-server.jar:?]
at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.handleBody(DispatcherImpl.java:373) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.dispatch(DispatcherImpl.java:290) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.impl.DispatcherImpl.dispatch(DispatcherImpl.java:246) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.http.impl.CorrelationDispatcherTask.run(CorrelationDispatcherTask.java:58) [vlsi-server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_345]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_345]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_345]
2023-01-26T13:16:50.007Z | INFO | vim-monitor | ExtensionSessionRenewer.java | 190 | [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e] Re-login to vCenter because method: currentTime of managed object: null::ServiceInstance:ServiceInstance failed due to expired client session: null
2023-01-26T13:16:50.007Z | INFO | vim-monitor | OpId.java | 37 | [vim:loginExtensionByCertificate:913aec585658e328] created from [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e]
2023-01-26T13:16:51.440Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
And you see the lack of vCLS VMs in the two vSANs
To resolve the anomaly you must proceed as follows:
shell.set --enabled true
mkdir /certificate
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key
python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s localhost -u "Administrator@domain.local"
Note: If this produces the error “Hostname mismatch, certificate is not valid for ‘localhost'”, change ‘localhost’ to the FQDN or IP of the vCenter. The process is checking this value against the SAN entries of the certificate.
Note: The default user and domain is Administrator@vsphere.local. If this was changed during configuration, change the domain to match your environment. When prompted, type in the Administrator@domain.local password.
service-control --stop vmware-eam
service-control --start --all
VMware has just released a new version of Horizon 2212. These are some of the features/support introduced:
More details here:
In some situations, removing an Application of AppVolume may not result correctly, and as a result, the state of applications from the UI may result in deleting and stalling:
In my case, I also have the advantage that they have not remained in cancellation even if the Packages
To perform the cleanup, you must work on the AppVolume Database.
To proceed we must:
If there are also packages in a state of deleting also proceed with the removal of the corresponding rows that we can find in the dbo table .app_packages.