VMware Horizon 8 2212

VMware has just released a new version of Horizon 2212. These are some of the features/support introduced:

  • Horizon 8 version 2212 in conjunction with App Volumes 4 version 2212 introduces Horizon Published Apps on Demand.  With this new feature, administrators can use App Volumes applications directly in their instant-clone RDS farms.  Now applications can be delivered dynamically to a generic Windows OS as users launch them. This greatly simplifies static image management and gives administrators the ability to reduce their application specific farms. This also brings the Horizon and App Volumes administration consoles closer together, allowing Horizon administrators to add App Volumes Manager servers and entitle applications to users without the need for duplicate entitlements in App Volumes. This feature creates an opportunity to reduce the time-consuming management of application installations on RDS Farms, and enables scenarios such as multiple users being able to use different versions of the same application while logged in to the same RDS Server.
  • Microsoft MAK licenses are now supported with Instant Clones.
  • When you create an automated pool of full clone desktops, you can now specify an active directory OU in which computer accounts can be created. Previously, computer accounts would get created in the default OU and administrators would manually move them after pool creation. This feature, which already exists for Instant Clone desktop pools, addresses this pain point for administrators.
  • Cloud Pod Architecture is supported with IPv6 environments for more security and added address spaces.
  • Administrators can now generate a CSR configuration file, import a CA-signed certificate to Connection Server, and monitor health of the certificate from Horizon Console.

More details here:

VMware Horizon 8 2212 Release Notes

VMware Horizon 8 2212

AppVolume Application in Pending Delete

In some situations, removing an Application of AppVolume may not result correctly, and as a result, the state of applications from the UI may result in deleting and stalling:

In my case, I also have the advantage that they have not remained in cancellation even if the Packages

To perform the cleanup, you must work on the AppVolume Database.

To proceed we must:

  • Locate the server that hosts the DB.
    • On an AppVolume server, in 64-bit ODBC, there is an SRVMANAGER entry edit the entry and identify the server’s name and its DB name.
  • Shut down each server with the App Volume Manager role of the App Volume Manager service.

  • Connect with SQL Management Studio to AppVolume DB.
  • Back up your DB.
    • Using the native SQL tool or third-party backup tools.
  • Remove the rows corresponding to the application in the dbo.app_products table.
    • In some situations, it may not be enough the name and then in the removal query we indicate the status that is deleting.

Image containing text, device, gauge, screenshot

Auto-generated description

If there are also packages in a state of deleting also proceed with the removal of the corresponding rows that we can find in the dbo table .app_packages.

AppVolume Application in Pending Delete

Horizon Instant Clone -VM Replica and Template in inaccessible state

In the various maintenance activities of a Horizon infrastructure, it can happen to find VMs of the instant clone chain in an inaccessible state. (Caused by issues on hosts or vCenter such as sudden shutdowns without properly maintaining Horizon Desktop Pools.)

Image that contains text

Auto-generated description

In the VMware Horizon solution there is a tool, from the command line, that allows the cleaning of these objects.

The tool is present in the directory

C:\Program Files\VMware\VMware View\Server\tools\bin>

of one of the connection servers of the Horizon infrastructure

The command is iccleanup.cmd

The first step is to connect to the vCenter in question by launching the following command

iccleanup.cmd -vc <fqdn of vCenter> -uid <administrative user>

Once you have entered the password you will have the possibility to list the VMs of the instant clone infrastructures implemented on that vCenter with the LIST command

Image that contains text

Auto-generated description

Or delete objects in an inaccessible state, for example:

With the delete –index 2 command

Image that contains text

Auto-generated description

After the completion of the cleaning, the situation will be as follows:

Image that contains text

Auto-generated description

Horizon Instant Clone -VM Replica and Template in inaccessible state

I updated my Home Lab with the gift of Cohesity and the vEXPERT community

Immagine che contiene testo, interni

Descrizione generata automaticamente

Until a few weeks, my Home Lab was composed of two physical ESXi nodes (respectively an INTEL NUC NUC8i3BEH and an HP Desktop HP ProDesk 600 G2 DM), with 32 GB of RAM each and 5 TB of total disk.

For my testing activities, especially in VDI (Horizon) and some vSAN (implemented a 2-node cluster to test the operation of Shared Disks for Microsoft clusters) could be enough.

But the desire to test vSphere 8 (vSAN etc …) and the possibility of trying the Kubernetes world was pushing me to evaluate an expansion of my Home LAB ……….

………. And thanks to COHESITY and the vEXPERT community at VMware EXPLORER in Barcelona I was able to have my expansion…. a beautiful Maxtang NX6412 NX6412-Maxtang-A premier manufacturer (maxtangpc.com)

Image containing electronic, projector

Auto-generated description

here’s how I activated the new HW:

  • Equipment
    • Being barebones I had to buy RAM and DISK, taking advantage of Black Friday I bought:
      • Timetec 1TB SSD 3D NAND TLC SATA III 6Gb/s M.2 2280 NGFF 512TBW
      • Transcend JM3200HSE-32G 32GB DDR4 3200MHz SO-DIMM 2Rx8 1.2V

Image containing text, electronic, circuit

Auto-generated description

For the RAM I will proceed to evaluate an expansion with an additional 32GB bank

  • Installation
    • Updated vCenter to version 8
    • Installed ESXi version 8 on a USB stick (Using VMware Workstation and installing ESXi from an ISO on my USB stick) and used it to boot from Maxtang.

At this point I encountered the first problem, the two network cards are not compatible… I had to use a USB dongle -> Ethernet and I managed to start everything (Thanks also to the community drivers USB Network Native Driver for ESXi | VMware Flings

    • I finally added ESXi to my vCenter
  • First use
    • The first thing I did was use William Lam’s script to deploy a vSAN 8

Automated vSphere & vSAN 8 Lab Deployment Script (williamlam.com)

    • I configured the HA of my vCenter
    • Now I’m trying to improve my know-how on Tanzu and WorkSpace One


I updated my Home Lab with the gift of Cohesity and the vEXPERT community

Using Secondary Image on Instant Clone Desktop Pool (VMware Horizon)

In the management of a pool of Instant Clone (IC) VMs in a VMware Horizon infrastructure, one of the most useful aspects for a system administrator is the ability to make updates by modifying the GoldImage, subsequently generating a new Snapshot of it and applying it to all the VM ICs of the Pool.

Since version 2111, we have the possibility to use a “second image” in the same Pool to allow the deployment of this second image in a “selective” way on only some VMs.

This allows us to test the changes made only on a limited number of users.

Let’s see how it works, in my Home Lab where I have a Pool of type IC with Guest OS Windows 11.

The VMs (in this case there are 2) point to the following snapshot of the GoldImage:

Immagine che contiene tavolo

Descrizione generata automaticamente

Let’s proceed to update the VMware Tools on the Gold image, where the version is currently present

Immagine che contiene testo

Descrizione generata automaticamente

Post update we have the following version

Immagine che contiene testo

Descrizione generata automaticamente

We proceed with turning off the GoldImage and create the snapshot to use.

Once the snapshot is created, we go to the Desktop Pool and proceed to assign the snapshot created as a secondary image.

Immagine che contiene tavolo

Descrizione generata automaticamente

Immagine che contiene testo

Descrizione generata automaticamente

We select the option to publish it as a second image

Immagine che contiene testo

Descrizione generata automaticamente

If we want to select now the VM IC on which to push we put the flag to:

In my case we will select after the VMs ICs

We wait for the secondary image to be ready for deployment

When it is ready we will be able to see the following in the details of the pool


At this point in the “Machines (Instant Clone Details)” menu, you will enable the following option:

We select the VM on which we want to apply the image and proceed:

Immagine che contiene testo

Descrizione generata automaticamente

And we wait for this to be applied

Immagine che contiene testo

Descrizione generata automaticamente

Let’s try to connect with two different users to the same pool to see the differences between the two VMs and we will notice that one IC has the updated VMware tools and the other does not

Once all the tests of the changes have been carried out, we have three possibilities:

  • Apply the default image to the VM on which we tested the subimage
  • Authorize the second image as Default
  • Delete the second image because it doesn’t meet your needs

Apply the default image to the VM on which we tested the subimage

Authorize the second image as Default

Delete the second image because it doesn’t meet your needs

Immagine che contiene testo

Descrizione generata automaticamente

Using Secondary Image on Instant Clone Desktop Pool (VMware Horizon)

Script for removing and installing Horizon agent


  • Share containing the installation file of the Horizon agent version and a . bat containing the command to silently install the Horizon agent
  • List of VMs on which to perform the operation
  • A user to access vCenter with administrative rights
  • One user to install horizon agent on VMs

The script includes:

  • Credential request
    • First request the user to access the vCenter (line 6)
    • Second request the user to remove and install the Horizon Agent on the VMs (line 8)
  • Import the VM list (line 12)
  • Connecting to the vCenter (line 13)
  • Part a for each machine contained in the file with the list of VMs (line 14)
  • Check if the Horizon Agent is present (line 25)
  • If present, remove it and reboot (line 29), if not present, switch to the installation fa
  • Installing the Horizon agent (line 54)
    • Share mount
    • Running the .bat contained in the share
  • Waiting for the installation to finish and reboot

There are 3 “procedures” in the script

For  verification if the Horizon Agent is installed (line 18 to 20):

$script = @”

Get-WmiObject Win32_Product -filter “Name=’VMware Horizon Agent'” | Select Caption

” @

For the removal the Horizon  agent (line 22 to 24):

$removeapp= @”

wmic Product Where “Name=’VMware Horizon Agent'” Call Uninstall /NoInteractive

” @

For agent installation (Line 50 to 54):

$installapp = @”

New-PSDrive -Name “S” -Root “\\vimng03\share” -Persist -PSProvider “FileSystem”


” @

In this last agent installation procedure, you must modify:

  • S 🡪 letter with which the share will be temporarily mounted on the VM (which we can change but must also be modified in the installation file .Bat
  • \\vimng03\share –> put the share where you want the Horizon agent installation file and the installation file .bat
  • S:\agentinstallv8.bat is the file that will install the agent in silently mode

Where inside it is start:

s:\VMware-Horizon-Agent-x86_64-8.0.0-16530789.exe /s /v”/qn ADDLOCAL=BlastUDP,Core,HelpDesk,RDP,RTAV,TSMMR,USB,VmVideo,VmwVaudio,VmwVdisplay,VmwVidd”

to be parameterized according  VMware’s guide.

in my case the file will look like this

#The script need:
#List the VMs name where remove e reinstall the agent (file c:\vdi.txt or where you want)
#Share where is the horizon agent installation file and the file agentinstallv8.bat that contain the silent command for installation
#When the script start ask the vCenter Credential and the Admin User Credential for install the Horizon Agent on the VM
#Credential for access to vCenter
$credential = Get-Credential
#Credential with administrator role for install horizon agent 
$VMCredential = Get-Credential
$vcenter = "<FQDNvCenter>"
#List of VMs where remove e install new agent version
$VDIs = Get-Content "c:\vdi.txt"
connect-viserver $vcenter -Credential $credential
foreach ($VDI in $VDIs){
$VM = Get-VM -Name $VDI
Write-Host "Start remove agent from $VM"
#Script for verify if the agent is installed
$script = @"
Get-WmiObject Win32_Product -filter "Name='VMware Horizon Agent'" | Select Caption 
#Script for remove
$removeapp= @"
wmic Product Where "Name='VMware Horizon Agent'" Call Uninstall /NoInteractive
$value = Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $script -GuestCredential $VMCredential 
#Check if horizon agent are install if present the script remove it and reboot the VM
if ($value.ScriptOutput -like "*Horizon*") {
     Write-Host "Horizon agent is installed"
     Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $removeapp -GuestCredential $VMCredential -RunAsync
     While(Test-Connection $VM -Quiet -Count 1){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to shut down."
        Start-Sleep -sec 1
     While(!(Test-Connection $VM -Quiet -Count 1)){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to come back up."
        Start-Sleep -sec 1
     if ($value.ScriptOutput -cnotlike "*Horizon*") {
     Write-Host "Agent removed from $VM and $VM rebooted"
   else { 
   Write-Host "Horizon agent is not installed on $VM" 

#####Agent Installation
Write-Host "Start the Horizon Agent installation in $VM"
Sleep 15 
#Installation with share change the fileserver,the share name, the labl and the file 
$installapp = @"
New-PSDrive -Name "S" -Root "\\vimng03\share" -Persist -PSProvider "FileSystem"
Invoke-VMScript -VM $VM -ScriptType powershell -ScriptText $installapp -GuestCredential $VMCredential -RunAsync
While(Test-Connection $VM -Quiet -Count 1){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to shut down."
        Start-Sleep -sec 1
While(!(Test-Connection $VM -Quiet -Count 1)){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to come back up."
        Start-Sleep -sec 1
Write-Host "$VM after installation is UP" 
$value = Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $script -GuestCredential $VMCredential
if ($value.ScriptOutput -like "*Horizon*") {
    Write-Host "New Horizon agent is installed in $VM"
    Write-Host "New Horizon agent is not installed in $VM" 
Disconnect-VIServer $vcenter -Force
Script for removing and installing Horizon agent

Upgrade Unified Access Gateway

VMware Horizon infrastructures often have the Unified Access Gateway (UAG) component to enable a secure connection from outside your corporate network to VDI.

This positioning makes the UAG subject to frequent updates, today we will see how to update it.

Download the ISO file of the version we want to update from the VMware Customer Site:

Unified Access Gateway 2203 for vSphere, Amazon AWS and Google Cloud (Non-FIPS) 
File size: 2.63 
File type: Ova 
Read More 
Unified Access Gateway (UAG) 2203 for vSphere (FIPS) 
File size: 2.14 Ga 
File type: ova 
Read More 
Unified Access Gateway WAG) 2203 for Microsoft Azure 
File size: 2.54 GB 
File type: zip 
Read More 
Unified Access Gateway WAG) 2203 PowerShell Scripts 
File size: 79.4 KB 
File type: zip 
Read More 
MDS checksums. SHAI checksums and SdA256 checksums

Check compatibility with your Horizon infrastructure:

Product Interoperability Matrix (vmware.com)

Add to My Favorite List 
Hide Interoperability 
Compatible IV Incompatible 
Com*tible Put End of 
Put End of 
Not S upgnrted 
VMwere Horizon 
T 132 - VMwere Horizon 7 
713 1 - VMwere Horizon 7 
T 13 0 - VMwere Horizon 7 
Hide Legacy Releases O 
Past End ot General Support Past End at Technical Guidance 
VMware Unified Access Gateway 

Download the INI file containing the current UAG configuration

  • Access the Unified Access Gateway interface
    • HTTPS://<fqdnUAG>:9443

Using the credentials of the admin user

Unified Access Gateway 
dmin Username 
Admin Password 

Once logged in, download the .ini file

A picture containing chart

Description automatically generated

OCSP Settings 
Support Settings 
Support Settings 
Edge Service Session Statistics 
Log Archive 
Log Level Settings 
Export Unified Access Gateway Settings

Retrieving the information needed to complete the configuration file:

  • Certificate for public access and password
  • Certificate for the admin center and its password
  • SAML component XML if integration with AZURE MFA
  • Information on where to deploy (vCenter, Cluster, virtual network, datastore ) the Virtual Appliance of the new UAG

The data indicated will serve me to fill in the fields of the downloaded ini file

File Edit Format 
netmaskØ=255.255.255. or 
netManagement etwor 
• pØA110cationMode=STATICV4 
forceNetmaskØ=255.255.255. or 
forceNetmask1=255.255.255. or

I summarize the info required in this table

Sector Field Description
General netInternet PortGroup on which to certify the network card that communicates to the internet world *
General diskmode Thin or Thick
General Source Absolute path where the ISO resides
General Target Path of the vSphere infrastructure where we will deploy the virtual appliance
General Ds Datastore where the VM will be created
General netManagementNetwork Portgroup on which to certify the network adapter for UAG management *
General netBackendNetwork Portgroup on which to certify the network adapter for UAG management *
General Name Virtual Machine Name
General uagName Hostname of the UAG (normally to be left that of the UAG to be replaced)
SSLCert pfxCerts Property Path where the SSL Certificate generated by a public CA in password protected PFX format used to access VDI by Horizon Clients resides
SSLCertAdmin pfxCerts Property Path where the SSL Certificate generated by a CA (normally Microsoft and Private) used to secure and validate access to the UAG Management Interface resides
IDPExternalMetadata1 metadataXmlFile Property XML file of the Identity Provider (In this case Azure AD) to enable Azure MFA for access

*VMware recommends at least two network adapters in two different segments for production environments

  • One for internet traffic (I call it the EXT-DMZ)
  • One for traffic to the internal LAN (I call it the INT-DMZ)

It is possible to create environments with 1 or 3 network adapters, in the first case VMware recommends only one card only for test environments, and in the second to also differentiate the management traffic that otherwise, in the two-card configuration would pass through the card that communicates with the internal LAN.

File Edit Format View Help 
net Internet—DPG - EXT•4Zjjj) 
source—E : - unified - access - gateway- 22.03. 1955Ø 91_OVFI Ø. Ova 
target—vi : / /vcaØ7 
netmaskØ=255.255.255. and 
net8ackendNetwork=DPG - INT - C*IZ 
forceNetmaskØ=255.255.255. and 
forceNetmask1-255.255.255. and 
net-maski=255,255,255. and 
authenticationT imeout—3ØØØØe 
sys L ogType=UDP 

At this point we can proceed with the deployment of the virtual appliance:

  • The first step is Shutdown the old UAG Virtual Appliance (I suppose do you have at least two UAGs with a Load Balancer in front and at least a DNS round-robin for balancing the traffic to the Connection server)

.\uagdeploy.ps1 -iniFile UAG_Settings_VIUAG04.ini

Administrator: Windows PowerShell 
uag ep oy2203> 
uag ep oy. PSI

Allow CEIP

Insert password for PFX Certificate File

Insert a new (or reuse the old) password for the Root account (for access to UAG OS) and Admin account (for access to UAG WEB admin console)

Waiting to complete the UAG Deploy (You can check the process from the vCenter task)

Now the new UAG virtual appliance is up and running!! Test it and apply the same step for all UAG virtual appliances of your VMware Horizon Infrastructure.

Upgrade Unified Access Gateway

Horizon and Skyline Collector

This is a little guide for connecting the VMware Horizon infrastructure to Skyline service.

The requirement is:

The following permissions are required for the account used to add the Horizon Connection Server to the Skyline Collector. These permission are sufficient tor both collecting 
product usage data, and transferring support bundles with Log Assist. 
Administrator (read-only) Role 
Collect Operation Logs

The Administrator (read-only) does not have the Collect Operation Logs Privilege and for this, I need to create a dedicated Role.

Add Role 
* Name 
Manage Access Groups 
Collect Operation Logs 
Manage Global Configuration and Policies 
Manage Farms and Desktop and Applications Pools 
Add and remove access groups. 
Collect Operation Logs. 
View and change global policies and view configuration 
settings except for administrator roles and permissions. 
Add, modify, and delete farms Add, modify, delete, and 
entitle desktop and application pools. Add and remove 

We created a service user svcskyline in our Active Directory and now assign it the correct role

Add Administrator Or Permission 
Select administrators or groups 
Select a role 

Add Administrator Or Permission 
Select administrators or groups 
Select a role 
Select the access groups 
Administrators (Read only) 
Agent Registration Administrators 
Global Configuration and Policy Administrators 
Global Configuration and Policy Administrators (Rea 
d only) 
Help Desk Administrators 
Applies to an access group 

Add Administrator Or Permission 
Select administrators or groups 
Select a role 
Select the access groups 
Access Group 

Repeat for CollectLogs Role

Global Administrators View 
Administrators and Groups 
Role Privileges 
Role Permissions 
Access Groups 
Add user or Group 
• adx.loc\svcSkyline 
Remove User or Group 
Add Permission 
Remove Permission 
Administrators (Read only) 
Access Group 

Now add to Skyline Collector the Horizon View

Login to Skyline Collector


(if you lost the password https://kb.vmware.com/s/article/52652)

Skyline"' Collector 
System Status 
Collector Overview 
@ Your Collector is Running

Go to Configuration and select Product Horizon View

vCenter Server 
Horizon View 
vRealize Operations 
VMware Cloud Foundation 
vRealize Suite Lifecycle Manager 
vRealize Automation


Horizon View 
Currenty configured Horizon View products: 
Currently there are no Horizon View products configured 
Use the "'ADD HORIZON VIEW" button below to configure one. 

Add Horizon View 
FODN/IP Address 
Account username 
Account Password 
VCS 1 

Horizon View 
Currenty configured Horizon View products: 
+ ADD 
Endpoints Working 

Now on Skyline Advisor Pro console (https://console.cloud.vmware.com/) we have 2 Horizon Connection Server

Inventory Summary 
Last Analysis: Mar 11, 2022 10:13 AM CET 
VMware Cloud Foundation 
Virtual Machines 
vRealize Operations Manager 
Horizon Connection Servers 
NSX-T Object 
NSX-V Object 
vRealize Automation

We’ll attend 24 hours to see the information

Connection Servers 
v Cen ters 
O Unknown O 
Virtual Machines 
Initial product "Status" value may take up to 24 
hours to display correctly If this state persists for 
more than that and your Collector is not in state 
"Inactive", please open a support request.

And after 24 hours we have the first Active Findings

P.S. For the finding ID Horizon-Log4jremotecodeexe-VMSA#202128 I applied the Workaround and Skyline Advisor is unable to check this workaround.


Horizon View (vmware.com)

Horizon and Skyline Collector