VMware Horizon 8 (2006)

August 11, 2020
Thomas Poppelgaard
Horizon, VMware

VMware have released a new version of VMware Horizon 8 (2006), and this release is for now general available from August 2020. This is a major release, so I hope you like this article I put together. VMware have made some huge improvements in this release, which customers/partners are going to benefit from. HINT – If you are using Nvidia vGPU (on-prem) I highly recommend you upgrade to NVIDIA vGPU 11, as this is supporting VMware Horizon 8 (2006). I have in this article also included the new features of Horizon Cloud service for IBM Cloud, AWS, Azure. Lets dig into what is new.

What is new in VMware Horizon 8 (2006)

VMware Horizon 8 provides the following new features and enhancements

VMware Horizon Connection Server On-Premises
VMware Horizon Agent for Linux
VMware Horizon Agent for Windows
VMware Horizon GPO Bundle
VMware Dynamic Environment Manager 2006
VMware Unified Access Gateway 3.10
VMware Horizon Clients 2006 for Android, Linux, iOS, Mac, Windows, HTML Access

VMware Horizon Cloud services:

VMware Horizon Cloud Service v3 (Azure, AWS, On-prem)

VMware Horizon Connection Server On-Premises

The VMware Horizon 8 version 2006 release includes many new features and enhancements. Beginning with this release, version numbering is based on the year and the month of the release. For example, 2006 represents the year 2020 and the month of June.

Cloud Pod Architecture
- Global entitlements appear in alphabetical order in Horizon Client.
- To use Horizon Console or lmvutil to configure and manage a Cloud Pod Architecture environment, an administrator must have the new Manage Cloud Pod Architecture global privilege. See Security Considerations for Cloud Pod Architecture.
- You can define the global entitlement name that appears to users in Horizon Client. When creating or modifying a global entitlement in Horizon Console, use the new Display Name option. When using lmvutil commands, use the new –aliasName option. See Worksheet for Configuring a Global Entitlement and Creating a Global Entitlement.
- The –htmlAccess and –disableHtmlAccess options are removed from the –updateGlobalEntitlement and –updateGlobalApplicationEntitlement lmvutil commands. The –htmlAccess option is also removed from the –createGlobalEntitlement and –createGlobalApplicationEntitlement lmvutil commands.
- When you create or modify a global entitlement in Horizon Console, the HTML Access option is removed.
Published Desktops and Applications
- Provisioning of majority of instant clone farms no longer involve creation of parent VM. This improves the manageability of the instant clone farm and well as optimizing the memory requirement of the farm. For extremely large farms, parent VM will still be created.
- When you create or modify a farm in Horizon Console, the Allow HTML Access to desktops and applications on this farm option is removed. To prevent HTML Access to a published desktop or application, either do not install HTML Access support when you install Connection Server, or use the client restriction feature to block access.
- Horizon automatically chooses to provision instant clones directly from replicaVM, without creating any parentVM. This feature is called Smart Provisioning. See Creating an Automated Instant-Clone Farm.
- You can view the Horizon Client version for a published desktop or application session. See Manage Published Desktops and Application Sessions in Horizon Console.
Virtual Desktops
- Instant clones are available in more VMware Horizon license packages including Standard, Advanced, and Enterprise Edition license packages.
- A high memory usage alert that is triggered during the instant clone provisioning process has been disabled. See the VMware KB article 2151438.
- You can restrict access to entitled desktop pools from certain client computers. See Implementing Client Restrictions for Desktop Pools, Published Desktops, and Application Pools.
- When you create or modify an instant-clone desktop pool or an automated pool that contains full-clone virtual machines in Horizon Console, the HTML Access option is removed. To prevent HTML Access to a desktop pool, either do not install HTML Access support when you install Connection Server, or use the client restriction feature to block access.
- Horizon automatically chooses to provision instant clones directly from replicaVM, without creating any parentVM. This feature is called Smart Provisioning. See Instant-Clone Desktop Pools.
Horizon Console
- When you select the network for an instant-clone desktop pool or farm, Horizon Console selects network type from the current master image configured in vSphere Client and displays networks based on the network type of the parent VM: DVS, NSX-t, and Standard. You can use the same network as the parent VM or select a network from the list of available options. Networks are filtered based on the parent VM network type. See Worksheet for Creating an Instant-Clone Desktop Pool and Worksheet for Creating an Instant-Clone Farm.
- The View Storage Accelerator feature requires upto 32GB of RAM per ESXi host. You can specify a default host cache size between 100MB and 32,768MB. See Enable View Storage Accelerator Globally in Horizon Console.
- You can click the Send Feedback icon in the Horizon Console header to send in-product feedback about features and functionality to the VMware Horizon team. See Send Feedback.
- When you delete a desktop pool, the status of the desktop pool appears as “Deleting” on both the Desktops page and the Machines page. See Delete a Desktop Pool and Delete Virtual Machine Desktops in a Pool.
- If you use an older Web browser such as Internet Explorer 11 to log in to Horizon Console, a pop-up windows appears that lists the Web browsers to use for the best user experience. See Log In to Horizon Console.
Horizon Connection Server Installer
- The Connection Server installer has new branding.
- The Connection Server installer has new icons.
- You can select a deployment type to install Connection Server on premises or in a public cloud with VMware SDDC service.
- You can perform a parallel upgrade of multiple Connection Servers. For more information about how to upgrade Connection Servers in parallel, see Upgrading Connection Servers in Parallel. For more information about troubleshooting errors in the Connection Server installer related to parallel upgrade of Connection Servers, see Troubleshooting Installation Errors During Parallel Upgrade of Connection Servers. Note: At the last step of the installation or upgrade process, the Connection Server waits for all the services to start.This can result in a longer installation time than earlier versions of Connection Server installations or upgrades.
- You can configure load balancers for Connection Server health monitoring. See Configuring Load Balancers for Horizon Connection Server Health Monitoring.
Role-Based Delegated Administration
- Two new privileges are added. See Global Privileges.
  - Manage Cloud Pod Architecture
  - Manage Access Groups

VMware Horizon Agent 8 for Linux

Horizon Agent supports the following new Linux operating systems:
- RHEL/CentOS 7.8
- RHEL/CentOS 8.2
- SLES 12.x SP5
Horizon Agent no longer supports the following Linux operating systems:
- SLED/SLES 12.x SP1 and SP2
- RHEL/CentOS 6.x
- NeoKylin 6 Update 1
You can configure RHEL 8.x/7.x and Ubuntu 18.04 virtual machines as multi-session Linux host machines. You can add these Linux host machines to manual or automated instant-clone farms on which you can base published desktop pools and published application pools. Each published desktop or published application can support multiple user sessions at the same time. See Setting Up Linux Published Desktops and Applications for Multi-Session Use.
vDGA graphics are no longer supported on Linux desktops.

VMware Horizon Agent 8 for Windows

The Horizon Agent installer splash screen is updated.
You can create and display a digital watermark on remote sessions. See Configuring a Digital Watermark.
You can use an integrated pen on a Windows tablet. See Configuring Pen Redirection.
You can configure registry settings for mouse event handling. See Configuring Windows Registry Settings for Cursor Event Handling.
Blast Codec is enabled by default.
VMware Blast uses the client’s current topology when starting a connection to the agent machine.
The Microsoft Edge browser is supported with URL Content Redirection for Windows clients. You must install the VMware Horizon URL Content Redirection Helper extension in the Edge browser. See Install the URL Content Redirection Helper Extension for Edge on Windows.
You use the LBP Setting UI group policy setting to set up location-based printing. See Configure Location-Based Printing.
VMware Integrated Printing is supported on mobile client devices. See Configuring VMware Integrated Printing.
With the VMware Blast protocol, you can use two 8K displays. See Monitors and Screen Resolution.
Windows and Linux clients connecting to the agent use the H.264 video codec for real-time audio-video for improved performance, especially CPU usage in the client machine.

VMware Horizon 8 GPO Bundle

The Blast Codec Quality group policy setting enables you to set the minimum and maximum values of the Quantization Parameter (QP), which controls the image quality of the remoted display when using Blast Codec compression. See VMware Blast Policy Settings.
With the Cursor warping group policy setting enabled, the remote agent detects sudden cursor movements and reflects them to the client by moving the local cursor. See VMware Blast Policy Settings.
The Configure maximum latency for mouse coalescing group policy setting enables you to configure the maximum latency allowed, in milliseconds, when coalescing mouse move events. See General Settings for Client GPOs.

VMware Dynamic Environment Manager 2006

Elevated Tasks. VMware Dynamic Environment Manager 2006 expands on privilege elevation with the new elevated-tasks feature. Elevated tasks simplify elevation of an application at logon or logoff, or when another application starts or exits.
ADMX-Based Computer Settings. You can now also use ADMX-based settings to apply computer policy registry settings.
VMware Dynamic Environment Manager releases follow a new versioning format. VMware Dynamic Environment Manager is moving from a major-minor version-number model to a date-driven model represented by a year and month (yymm). This release is version 2006. The previous release was version 9.11. Product filenames and version numbers continue to contain the major-minor versioning. For 2006, the major-minor version is 10.0.
VMware Dynamic Environment Manager Editions. Starting with version 2006, VMware Dynamic Environment Manager is available in both Standard and Enterprise editions. DEM Standard Edition assists VMware Horizon® Standard Edition and VMware Horizon® Advanced Edition customers with user profile management. DEM Enterprise Edition is the full-featured version of VMware Dynamic Environment Manager.
Additional Windows Support.
- Windows 10 Version 2004 (May 2020 Update). See KB 57386 for the VMware Dynamic Environment Manager and Windows 10 Versions Support Matrix.

VMware Unified Access Gateway 3.10

VMware Unified Access Gateway 3.10 provides the following new features and enhancements:

Configuration of Workspace ONE edge services VMware Tunnel, Content Gateway, and Secure Email Gateway through the Admin UI now detects errors due to configuration issues and relays the error message to Admin UI. The error messages do get captured in the logs.
Added support to configure the maximum allowed CPU utilization to prevent an overload. Previous versions set this limit to a fixed 90%. When this level is exceeded, Unified Access Gateway responds to HTTP requests with a 503 error to indicate it is unable to handle the request due to temporary overloading. The support for this configuration allows a load balancer to allocate new sessions to alternative appliances. The default value is 100% so will never be exceeded, but a lower value can be configured in system settings using PowerShell or the Admin UI.
Extended support for Horizon Client IP protocol version bridging. Earlier versions supported IPv6 and IPv4 clients to connect to an IPv4 Horizon infrastructure. Support has been added to allow IPv6 and IPv4 clients to also connect to an IPv6 Horizon infrastructure.
Added a capability with Web Reverse Proxy edge service configuration to proxy requests normally used for local Unified Access Gateway resources. This capability was needed to support the download of the OPSWAT on-demand agent when Unified Access Gateway is used in a Horizon double-hop DMZ configuration. To support this case, the proxyPattern configured on the Web Reverse Proxy edge service must include /gateway/resources/(.*) so that these requests are forwarded to the Horizon Unified Access Gateway appliance.
The FIPS version of Unified Access Gateway now supports the Certificate-based authentication for Horizon Clients. This is for Smart Card/CAC and device certificate authentication.
General Unified Access Gateway SAML 2.0 enhancements for third-party Identity Providers used with the Horizon authentication.
Validated Microsoft ADFS and Shibboleth as additional SAML 2.0 Identity Providers for the Horizon authentication.
The Horizon OPSWAT device compliance check continuous evaluation interval can now be set to a minimum of every 5 minutes. Previously the minimum interval between checks was 30 minutes. By default, the continuous evaluation interval is still set to 0 meaning disabled. In this case, a continuous check is not performed but is still checked every time the user starts a Horizon desktop or application session.
Added support to configure a login disclaimer agreement message for the Admin UI login. The admin user must accept this agreement message before login. The Admin Disclaimer Text can be configured in the Admin UI or in the PowerShell .ini file.
Extended the logs collected with system information to further aid troubleshooting. The system_logs_archive directory has the following log files: cpu.info, mem.info, sysctl.log, and journalctl_archive.
The origin header used with Horizon requests to Connection Server can now optionally be rewritten to use the host name from the proxyDestinationUrl setting. In many cases, by rewriting the origin header with the host name can avoid the need to configure the locked.properties file on Connection Server to allow certain browsers to connect to Horizon.
Added support for additional connection concurrency for RADIUS authentication. In previous versions, this might cause delays in a Horizon user being prompted for RADIUS credentials during peak login rates when used with certain configurations of the on-premises version of Microsoft Azure Multi-Factor Authentication Server. The increased connection concurrency avoids this delay.
Updated TLS versions and default ciphers for connections on TCP port 443 for Horizon and Web Reverse Proxy edge services. Values are configurable. The non-FIPS Unified Access Gateway version defaults for these edge services are now:TLS 1.3 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 The FIPS Unified Access Gateway version defaults for these edge services are now: TLS 1.2 only TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
The Horizon Blast Secure Gateway component on TCP port 8443 no longer uses TLS 1.1. It supports TLS 1.2 only.
Secure Email Gateway support for Active Directory client certificate mapping authentication. For customers that publish client certificates to their user objects in Active Directory, this feature can be used when the certificate either does not have a UPN present, or the UPN does not match the UPN value in Active Directory.
For Secure Email Gateway, the Java version has been updated to Zulu OpenJDK JRE, version 11.0.7.
Qualified support for the AVI Networks load balancer in front-ending Unified Access Gateway for Horizon, Web Reverse Proxy, VMware Tunnel, Content Gateway, and Secure Email Gateway edge service.

Supported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 8)

Windows 10 1607 LTSB (Enterprise)
Windows 10 1703 CBB, Semi-Annual (Enterprise, Professional, Education)
Windows 10 1803
Windows 10 1809
Windows 10 1903
Windows 10 1909

For more additional information please read this knowledge article

VMware Horizon Client 2006 – new features