Tag Archives: Horizon

Upgrade VMware Horizon – An alternate method

3 Mar

In my previous blog post Upgrade from VMware Horizon 7.13.1 to 8.6 (2206) fails with VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed. In this post, I will go into the details on the manual uninstall process and installation of the latest version of the VMware Horizon.

Why inplace upgrade fails?

The core reason for the in-place upgrade failing was that the VMware Service around Horizon was not getting deleted during the uninstall performed by the setup, which was rolling back the change.

What is the solution?

The quick solution is to uninstall the VMware Horizon 7 HTML Access, followed by VMware Horizon 7 Connection Server. Perform a reboot on the broker virtual machine, and this step will delete the services from about that were not getting deleted automatically. Install the VMware Horizon 8.x setup, and the installation will go smoothly.

What is the alternate method detailed steps?

The in-place upgrade method described here – Upgrade Connection Servers in a Replicated Group works 99.99% of the time in corner cases like mine. You will have to perform this method. Ensure you follow the basics of a full backup of the brokers, ADAM database, SQL database, backup of the locked.properties file and Disable vCenter provisioning.

Don’t perform this method without seeking proper VMware Support guidance. If you run into issues, you will be in unsupported territory and might ask yourself how you ended up here.

Uninstall existing VMware Horizon

  • Login to the broker you are going to perform the upgrade and open the Programs and Features
  • First, uninstall the VMware Horizon 7 HTML Access
  • Second, uninstall the VMware Horizon 7 Connection Server
  • You will be left with the AD LDS Instances (Local and CloudPod partitions). Make sure you leave them as-is.


To get rid of the ghosted services perform an reboot of the broker VM.

Install the latest release 8.x

  • Login to the broker you are going to perform the upgrade
  • Validate whether the above services are deleted
  • Right click and run as administrators on the Connection server.exe of the 8.x setup
  • Make sure you select – Standard Server and click on HTML access and IPv4
  • It will detect the instance of the Horizon and you need to click on OK
  • Select Configure the Firewall within Windows
  • The Horizon 8.x will be installed successfully on the virtual machine
  • Repeat this steps on the other brokers within your POD


You must wait approximately 5-7 mins for the Horizon Administrator console to come online. Validate the Health dashboard for any errors and check the desired 8.x version is present.

I hope you will find this information useful if you encounter the issue and it should help you save time. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Aresh Sarkari

Upgrade from VMware Horizon 7.13.1 to 8.6 (2206) fails with VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed

22 Dec

Many customers are already in the process of upgrading from VMware Horizon 7.x to 8.x or will soon upgrade as the End Of Life dates are upcoming in April 2023. I want to share a rare experience wherein the Horizon upgrade from 7.13.1 to 8.6 version failed. In the rare occasion where in upgrade fails in the below mentioned manner, the workaround steps will come in handy.

We have only received the workaround from VMware support, and I intend to update the post once I get a complete RCA. At least the workaround can help someone not have to revert the entire environment instead, follow the workaround and avoid a lot of rework.


During the upgrade of the first connection server in the POD1, we encountered the following error five mins into the upgrade. Note before starting the upgrade, the entire health dashboard for the POD was green and included backup and snapshots.

Environment Overview

Let take a look at the environment details to provide an high-level overview:
Active Site (POD1)

  • 5 VMware Horizon Connection Servers 7.13.1
  • SQL Database on Microsoft SQL 2016 Always-on – EventsDB
  • The 5 Brokers are behind an NSX Load balancer

Active Site (POD2)

  • 5 VMware Horizon Connection Servers 7.13.1
  • SQL Database on Microsoft SQL 2016 Always-on – EventsDB
  • The 5 Brokers are behind an NSX Load balancer


The logs from the installer had the following message it’s complaining about insufficient privileges, which the installer is run with admin privileges already.

MSI (s) (A0:E0) [06:12:07:977]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
Action 6:12:07: InstallServices. Installing new services
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ProgressTotal(Total=9,Type=1,ByteEquivalent=1300000)
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ServiceInstall(Name=PCOIPSG,DisplayName=VMware Horizon View PCoIP Secure Gateway,ImagePath="C:\Program Files\VMware\VMware View\Server\bin\SecurityGateway.exe",ServiceType=16,StartType=3,ErrorControl=1,,Dependencies=[~],,,Password=**********,Description=Provides VMware Horizon View PCoIP gateway services.,,)
InstallServices: Service:
MSI (s) (A0:E0) [06:12:08:228]: Executing op: ServiceInstall(Name=VMBlastSG,DisplayName=VMware Horizon View Blast Secure Gateway,ImagePath="C:\Program Files\VMware\VMware View\Server\appblastgateway\nssm.exe",ServiceType=16,StartType=3,ErrorControl=0,,Dependencies=[~],,,Password=**********,Description=Provides VMware Horizon View Blast gateway services.,,)
InstallServices: Service:
Info 1923.Service VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed. Verify that you have sufficient privileges to install system services.
Action ended 6:12:08: InstallFinalize. Return value 3.

Also noticed during the upgrade, it should uninstall the services from version 7.13.1, and new services would be created for version 8.6. In this case, they were listed as disabled.


Later during the ongoing RCA investigation, a workaround provided was working well. The reason for socializing the workaround is that we spent a tremendous amount of time and effort in a revert operation, which was very time consuming and cumbersome. Only if we had known about this workaround during the failed upgrade would we have saved tremendous effort.

#ProTip – If you have two POD, make sure before you start the upgrade. Take a snapshot of all the PODS together at the same time. This could help you in scenarios where the POD1 upgrade fails, and you can revert the entire environment (POD1 & POD2) from snapshots.

Prerequisite / Rollback Plan 

  1. Power off all the Connection Servers part of Cloud POD Federation 
  2. Take a powered-off snapshot
  3. In case of an incident during the change activity which requires recovering Horizon Environment, Snapshots will be used as a fallback plan as the last option if break/fix, troubleshooting steps performed is not resolving the issue. 
  4. In troubleshooting scenarios of a failed upgrade 

Workaround Steps 

  1. The following steps need to be performed on each Connection Server at a time 
  2. Uninstall HTML and Horizon Connection Server 7.13.1 component keeping ADLDS and ADLDSG Instances intact. Check services.msc, and Horizon Services will appear in the Disabled state 
  3. Perform a reboot of the Connection Server, and Horizon Services will be cleared from services.msc
  4. Install Horizon 8.6 as Standard, which will pick the residing ADLDS and ADLDSG instance
  5. After successful install, it can be verified using ldp utility as instructed in KB https://kb.vmware.com/s/article/2064157 and look for the fields whenChanged , and whenCreated . This step can be performed prior upgrade for comparing the state of ADLDS

The VMware GSS case handled by Jezill Asharaf (A very helpful support engineer) and a few of the backend engineering team has been instrumental. I hope you will find this information useful if you encounter the issue and it should help you save time. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Aresh Sarkari

Install VMware Horizon Client using Winget

14 Dec

The enterprise has been rolling out the application packages using various available methods (GPOs, SCCM, WS1 UEM etc.) in the industry. Today we are going to take a step further and see how to deploy the VMware Horizon Client using the new Micrososft Windows Package Manager (Winget)

Available Commands for various verison of Horizon Client

Following are the commands however, it’s recommended only to install the latest or the matching version based on your VMware Horizon environment.

VMware Horizon 8.xVMware Horizon Client 8.x
VMware Horizon 7.xVMware Horizon Client 5.x
# Latest GA version VMware Horizon Client version
winget install -e --id VMware.HorizonClient
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v
# VMware Horizon Client version
winget install -e --id VMware.HorizonClient -v

Installing, Listing, Upgrading and Un-installing the latest version HZ Client

Open the PowerShell with administrative privileges


winget install -e --id VMware.HorizonClient

Listing the installed package

List the package and its details of the previous installation step

winget list --name 'VMware Horizon Client'

Upgrading from version 5.5.4 to 8.7.0

winget upgrade --id VMware.HorizonClient


Following is the command to uninstall the Horizon Client.

winget uninstall --id VMware.HorizonClient

Note after running the above command, the Windows endpoint rebooted immediately. I am not whether the product team has included the /norestart switches to the packages. If you come across the same leave a comment down below.

I hope you will find this helpful post about the winget and VMware Horizon Client details. Give it a spin in your lab and production environment, if you find anything interesting. I hope you can share it back with me?

Aresh Sarkari

Making Microsoft Quick Assist work with VMware App Volumes – Writable Volumes

6 Sep

Microsoft Quick Assist is a tool widely used by service desk teams to take remote control of a computer and help end-users with a screen share. We noticed with the recent changes Microsoft made to Quick Assist, it stopped working when VMware App Volumes – Writable Volumes were present.

Error launching Quick Assist

We tried many steps of installing the Quick Assist offline using various Powershell commands, and nothing worked out. We also got to a point Quick Assist will launch without the Writable Volumes present or local admins with Writable Volumes. In the end, VMware Support GSS, with help from backend engineering, provided a working solution.

Solution (Workaround)

Step 1 – Download the offline version of the Quick Assist App from the Microsoft store and place all the files into C:\Temp\QuickAssist. Following are the steps to download the offline version of MS store apps.

Offline Files MS Quick Assist

Step 2 – Delete the old version of the Quick Assist App (Not part of the MS Store). Start Menu > Settings > Apps > Optional features > Microsoft Quick Assist > Uninstall. 

Uninstall Optional Features – Microsoft Quick Assist

Step 3 – Install the Offline version of the Microsoft Quick Assist package using PowerShell

PowerShell Add-AppxProvisionedPackage -PackagePath C:\Install\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense
PowerShell Install Appx Package

Step 4 – Install WebView2 component which is a pre-requisite for Quick Assist. Note this step is quite important and not something that has been emphazied alot.

  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
Install Microsoft Edge WebView

Step 5 – Launch the Quick Assist App once. Make sure, without launching the app, don’t move to the next step. Please wait at least 10 mins on this step or/else reboot the template VM and launch the app

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app
Launching Quick Assist

Step 6 – Create an OS scheduled task to run at every logon. This will launch the Quick Assist and register at every logon.

schtasks /create /RU "SYSTEM" /TN RegisterQuickAssist /SC ONLOGON /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-AppxProvisionedPackage -PackagePath C:\Temp\QuickAssist\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense"
Schedule Task – Register of Microsoft Quick Assist at User Login

Step 7 – Take a snapshot of the golden image and the remaning steps will be performed in App Volumes files.

Step 8 – We need to prepare the template bundle of Writable Volumes (UIA+Profile) to contain a file startup_postsvc.bat with the following contents. Note Alter the file path if you decide to use something else.

  @echo off
  setlocal enabledelayedexpansion
  set WV_Path=none
  for /F "tokens=3" %%A in ('reg query HKLM\System\ControlSet001\Services\svservice\Parameters /v WritableVolume 2^>nul') do (
    set WV_Path=C:%%A
    fltmc attach bindflt !WV_PATH!
  reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView" /v DisplayName >nul 2>&1
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
    start /wait C:\Temp\QuickAssist\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f

Here is the procedure to update the writable volume’s file – Update Writable Volumes (vmware.com). Zip all the files and push the changes using AV Manager > Writables > Update Writable Volumes

Additional Files for writable volumes startup

Step 9 – Validation login to the virtual desktop (Make sure the updated file – startup_postsvc.bat are pushed onto the WV). After a few seconds, the Microsoft Edge WebView2 Runtime component and Quick Assist should appear in Programs and Features.

PowerShell Get-AppxPackage *assist*

Step 10 – Launch Quick Assist via Start Menu or Explorer and Voila!

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app

If you encounter a similar issue, you can follow the above solution. I hope you will find this information useful if you encounter the same issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 3+ months.

Aresh Sarkari

VMware vRealize Operations Management Pack for Horizon MP4H 2.0

9 Feb

The MP4H (Management Pack for Horizon) 2.0 was recently released – Release Notes. It was time to give it a go, and the best place IMHO is VMware Test Drive, as they have a larger environment and there is alot of data for simulation compared to our small homelab.

Let’s take a look at the following information from the vRealize Operations – MP4H:

  • New engaging Dashboards and View
  • Observations and thoughts
  • Where to download the MP4H 2.0 pack?

New engaging Dashboards and Views

Service Monitoring for Unified Access Gateway (UAG) and Connection Server (CS) – Using the Telegraf Agent, you can monitor the Tomcat services and HTTP Health Checks against the UAG and CS web services. The step by step configuration details can be found here.

Connection Server certificate validation – There are new properties around CS certificate validation. This way, you can an dashboard based on the view – Availability \ Horizon Connection Server Certificate.

Unified Access Gateway Session – There are views on UAG Session Disparity amongst different UAG Appliances and session split across internal and external UAG appliances. The UAG Overall experience widget gives a high-level overview. Note the HTTP check is using the Telegraf agent to perform the checks (It’s empty, but you get the point there is capability.)

Horizon Client Versions and Horizon User Agent Version – These dashboards are not new and were present in the previous MP4H, but these are so important to get an overview of the Client and Agent versions within the environment.

Observations and thoughts

Very excited to see the UAG Appliances inclusion as a first class citizen into monitoring & alerting. One can tell looking at the MP4H 2.0 has come a long way since its previous releases. I am personally looking forward to the built-in reports to come back in future releases, along with the inclusion of VMware App Volumes and VMware Workspace ONE alerting and reporting. If the VMware product team considers my recommendation, it can start to differentiate itself against other players within the same market segment.

Features wishlist:

  • HTTP Check and Service monitoring for App Volumes and Workspace ONE Access
  • Certificate validation for UAG, App Volumes and Workspace ONE Access
  • Builtin Reports – Previous Horizon Reports, App Volumes – AppStacks, App Volumes – Wrtiable Volumes, Workspace ONE Access – User Sessions etc.

I can’t wait to see what the next release of the vRealize Operations – Horizon Management pack beholds.

Where to download the MP4H 2.0 pack?

You can download the pack from VMware Marketplace, and the following versions of vRealize Operations are supported.

Cameron covers additional information on his blog post here – MP4H 2.0 What’s New and Use Cases – C4 | Virtually Blogging (cameronfore.com). I highly recommend following him for all MP4H content.

Disclaimer – All the screenshots are from VMware Test Drive Portal. All credits to them for their hardwork.

I hope you will find this helpful post about the latest release of MP4H 2.0. I highly recommend giving it a go on Test Drive and a small request if you find anything interesting. I hope you can share it back with me?

Aresh Sarkari

Script/API – Delete Orphaned Writable Volumes from VMware App Volumes Manager

10 Nov

Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:

  • What is Orphaned Writable Volumes?
  • Script to delete them from the App Volumes Managers

What is Orphaned Writable Volumes?

App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled into the AD during the next sync activity of App Volumes Manager, it will mark the writable volumes with Writable Status = Orphaned.

Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe, if you don’t have the obligation of data retention, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.

Script to delete them for App Volumes Manager

Before we talk about the script, the deletion is very straightforward within the App Volumes Manager. Select the volumes with Status = Orphaned and select the Delete button. However, when you have to do the same against multiple POD, which becomes challenging, and as always, if it’s not automated, there is the scope of human error.


  • You need the App Volumes Manager URL
  • You need the username and password of the App Volumes Manager
  • You need to enter y/Y to proceed further with the deletion
  • The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (The logic will be the same however, the API call for App Volumes 4.x will be different)
# Get List of Wrtiable Volumes from AppVolumes Manager for Status=Orphaned
# Delete the Orphaned Wrtiable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0

#App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

#Ignore cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#Login AV Manager Body
$body = @{
    username = “$RESTAPIUser"
    password = “$RESTAPIPassword”

#Login API call to the AV Manager
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions” -Body $body

#Get the list of Writbale Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

#Selecting the WV with status Orphaned into a variable
$WVouput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

#Output on the console (Validate carefully before proceeding ahead)
$WVouput | Format-Table | Out-String | % {Write-Host $_}

#Confirmation logic to proceed with the deletion
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion:" 
if ($confirmation -match "[yY]" ) {
    # proceed

# The WV Deletion API call only looks for IDs. We are filtering the ids only
$WVOutputIDs = $WVouput.id

#Looping to delete each Writable Volumes via its ID
foreach ($WVOutputIDss in $WVOutputIDs) {

# Writable Volumes deletion Parameters body
$jsonbody = @{
    bg = "0"
    volumes = "$WVOutputIDss"
} | ConvertTo-Json

#API call to delete the Wrtiable Volumes
#We are using Invoke-webrequest for getting the Content of the deletion (Success) in oneline
$WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"


#Dig into the exception to get the Response details.
Write-Host $WVdeletecall.StatusCode
Write-Host $WVdeletecall.StatusDescription
Write-Host $WVdeletecall.Content


GitHub scripts/del-writablevolume-status-orphaned at master · askaresh/scripts (github.com)


  • When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output in an editior (Notepad++) to verify the output.
  • Once you press y/Y it will go ahead and delete the Orphaned writable volumes.

I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Aresh Sarkari

Script/API – Horizon Reach – Get consolidated Horizon Farms/Desktops pools – Name Health, Image and Snapshot information

27 Oct

Horizon Reach is a potent tool, and Andrew Morgan has put in a lot of blood, sweat and tears to develope it. What suprises me is why isnt this fling included into the Horizon product? We haven’t gathered here to talk about the product management and roadmap aspects 😉

Horizon Reach fling aggregates all the various Horizon POD information into its database. Typically, running Horizon API calls or Horizon Powershell modules might have to run them against individual pods to fetch information about that POD. The beauty with Horizon Reach is it aggregates all the information, we can write scripts/API calls to request information from there instead of writing Horizon POD specific scripts.

Let’s take a look at the following information from the Horizon Reach fling:

  • What API’s are available with Horizon Reach?
  • What all options are available to interact with Horizon Reach API?
  • Script – Get a consolidated list of Horizon Farm details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)
    • Note the above can also be fetched using the old Horizon Powershell modules but trust me it’s pretty tricky to run a foreach loop for every object on the SOAP method.
  • Script – Get a consolidated list of Horizon Desktop Pools details (Display the Name, Base Image details, Snapshot Version, Health and If provisioning is enabled)

What API’s are avilable with Horizon Reach?

After you have installed the Horizon Reach fling, go to the following URL to check out all the avilable API’s. Its the UI Swagger interface to simplify and understand each calls.

URL https://horzonreach.domain:9443/swagger/index.html

What all options are avilable to interact with Horizon Reach API?

You can interact with the API with your preffered method such as Powershell or Postman or something else.

Postman https://horzonreach.domain:9443/swagger/v1/swagger.json (You will be able to import all the Horizon Reach API as a collection within Postman)

Powershell – You can use the built-in modules of Invoke-RestMethod or Invoke-WebRequest method to interact with Horizon Reach API.

Scripts to get consolidated Horizon Farms/Desktops information


  • You need the Horizon Reach Server URL
  • You need the password of the Horizon Reach Server
  • The script provides you with the details of all Horizon PODs in your setup.
  • The script was tested on PowerShell V5.x
#Horizon Reach Server Name or IP Address
$HZReachServer = "https://horizonreach.domain:9443"

#Ignore the self signed cert errors
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

#API Call to make the intial connection to the Horizon Reach Server##
$HZReachLogonAPIcall = "$HZReachServer`/api/Logon"

#The body payload that comprises of the login API request
$body = @{
    username = "administrator"
    password = "enteryourpassword"
} | ConvertTo-Json

$HZReachlogin = Invoke-RestMethod -Method Post -uri $HZReachLogonAPIcall -Body $body -ContentType "application/json"

#Header along with the JWT token is now saved for future API calls
#You need to call this header in all subsequent calls as it has the token
$Headers = @{ Authorization = "Bearer $($HZReachlogin.jwt)" }

#API Call to fetch the consolidated (as many pods you have) Horizon Farm information##
$HZReachFarms = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/Farms" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, health, isProvisioningEnabled

Write-Output $HZReachFarms

#API Call to fetch the consolidated (as many pods you have) Horizon desktop pool information##
$HZReachPools = Invoke-RestMethod -Method Get -uri "$HZReachServer/api/pools" -Headers $Headers -ContentType "application/json" -UseBasicParsing | Format-Table -Property displayname, baseimage, snapshot, enabled, healthDetail, isProvisioningEnabled

Write-Output $HZReachPools

GitHub scripts/HorizonReach-Farms-Pools-Info at master · askaresh/scripts (github.com)


  • Farm Output:
  • Desktop Pool Output:
  • The following information (Display Name, Snapshot, Base Image, Health, Provisioning Mode) is pulled using the above scripts. I was much interested to see the snapshot versions of each Farms/Pools along with Health and provisioning status. Feel free to extract whatever details you are looking for there are plenty of other properties.

I hope you will find this script useful to fetch helpful information from Horizon Reach. A small request if you further enhance the script or make it more creative, I hope you can share it back with me?

Aresh Sarkari

VMware EUC stack upgrade – Legacy? or Modernizing? or Middleground?

14 Sep

It was that time of the year to perform a VMware End-User Computing (EUC) stack upgrade on the environment, and I thought of sharing the overall thought process and decisions made along the way. It will be interesting to share with others who might be in a similar situation or process of developing their upgrade/migration strategies. In this post, we shall take a look into these topics:

  • Current versions of the VMware EUC Stack
  • What version numbers did we upgrade/migrated to?
  • Why did we migrate to these versions?
  • Wishlist (Someone Listening?)
  • Valuable links to reference during upgrade/migration

Current versions of the VMware EUC Stack

  • VMware Horizon 7.11 (Connection Server/Agents)
  • VMware Horizon Client 5.5
  • VMware App Volumes 2.18.1.x Manager/VMware App Volumes 2.18.5 Agent version
  • VMware Workspace ONE Access 20.01/Connector 1903 (Not in scope for the upgrade)
  • VMware Dynamic Environment Manager 9.10
  • VMware Unified Access Gateway 3.10

What versions numbers did we upgrade/migrated to?

  • VMware Horizon 7.13.1 (Connection Server/Agents)
  • VMware Horizon Client 5.5.2
  • VMware App Volumes (Manager/Agents)
  • VMware Dynamic Environment Manager 2103
  • VMware Unified Access Gateway 2103.1

Why did we migrate to these versions?

The obvious question everyone might ask is the latest versions are Horizon 8.x and App Volumes 4.x why are you picking older versions for the upgrade? The short answer is the limitations and trade-off, and the following matrix tries to uncover in more detail.

Note – Not all customers might fall under the limitation category, or the limiting feature/functionality could be different in your case. By no means this should be your defacto reasons. Make sure to evaluate your situation and create a matrix to make a data-driven decision. If the project is greenfield/no-limitations applied, it’s a no-brainer to opt for the latest product releases.

ProductUpgrade DecisionVerison of Choice
VMware Horizon++ We had all the boxes ticked from a feature/functionality standpoint to be able to upgrade/migrate to Horizon 8.x version. (Instant Clones, Printing, UAG etc.). Infact everything worked well in the development environment
++ The latest vROPS Horizon Adapter 1.2/Horizon 8.x version doesn’t include the built-in Horizon reports. We use the reporting feature for all sorts of custom reporting on Horizon PODs. The older version of vROPS Horizon Adapter 6.7.1/Horizon 7.x has all the existing metrics and reporting available but doesn’t include support for Horizon 8.x on the support matrix
++ The no reporting on the Horizon Adapter 1.2 + limited metrics on RDSH limited our ability to move to the latest version of Horizon 8.x. Once the built-in reports\metrics and guidance is made available, we shall jump onto the latest version (n-1)
Horizon 7.13.1
VMware App Volumes++ Lack of Writable Volumes (UIA+Profile and UIA) migrations from 2.18.x to 4.x. Need official guidance or tool/script/guidance to upgrade all the wrtiable of the 2.18.x environment to 4.x. I am sure alot of enterprise customers will have plenty of Writable Volumes to migrate and don’t have the flexibility to start from scratch on a new version
++ VMware AppStack Migration fling is the perfect migration utility to migrate AppStacks 2.18.x to 4.x need something similar for Writable Volumes
App Volumes
VMware Dynamic Environment Manager++ This was the only piece of software that didn’t have interoperability or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)DEM 2103
VMware Unified Access Gateway++ The appliance has no interoperability issues with Horizon 7.13.1 or upgrade complexity. The obvious choice was to upgrade to the latest (n-1)UAG 2103.1
Upgrade Decision Matrix

The above stack provides us with the required General Availability support until Q2 FY2022 and beyond.


I am looking forward to vROPS Horizon Adapter XX to include the built-in Horizon Reports/Additional Metrics for RDSH in the new version or provide detailed guidance on creating meaningful reports in future releases. Additionally, the App Volumes team releases tools and advice on migrating 4000’s+ Writable Volumes from 2.18.x to 4.x. Once the above is released, I plan to upgrade to the branch of Horizon 8.x and App Volumes 4.x releases version numbers.

Valuable links to reference during upgrades

Here is the cheat sheet for all the useful links to review and formulate an upgrade plan:

VMware Product Interoperability MatrixProduct Interoperability Matrix (vmware.com)
Product DocumentationVMware Horizon Documentation
VMware App Volumes Documentation
VMware Dynamic Environment Manager (Formerly Known as VMware User Environment Manager) Documentation
Techzone Migrating Legacy Horizon Components to Modern Alternatives

View Composer –> Instant Clones
Security Server –> UAG
Persona –> DEM
Persistent Disk – FSLogix
Modernizing VDI for a New Horizon | VMware
App Volumes Upgrade considerationsVMware App Volumes 4 Installation and Upgrade Considerations | VMware
Fling Migrate App Volumes AppStack from 2.18.x to 4.xApp Volumes Migration Utility | VMware Flings
Supported Windows 10 versions based on Horizon AgentSupported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393) (vmware.com)
VMware EUC Stack Agent OrderAgent installation order for Horizon View, Dynamic Environment Manager, and App Volumes (2118048) (vmware.com)
Supported Windows 10 versions based on App Volumes AgentVMware App Volumes and Microsoft Windows 10 Support
VMware Product Lifecycle – End of LifeProduct Lifecycle Matrix (vmware.com)
Reference Material

I hope you will find the above information useful in your enterprise upgrade/migrate strategy for VMware EUC Stack. I would love to hear your strategy and similar situations limiting your ability to migrate to the latest and greatest versions.

Aresh Sarkari

Stop syncing Disabled user accounts into the VMware Workspace ONE Access – Directory Sync

6 Sep

We had many Disabled accounts that were getting synced into the Workspace ONE Access (WoA) from the Directory Sync – Active Directory with IWA operation. The challenge here been no standards to cater for Disable accounts in the Active Directory. I decided to stop syncing the disabled accounts into WoA. Thanks for the exclusion filter feature that came in handy, and the following are the detailed steps.

  • Exclusion filter to stop syncing the Disabled accounts
  • Safeguards adjustment (Optional)
  • Why did we had to stop syncing Disable accounts?

Exclusion filter to stop syncing the Disabled accounts

Login to your WoA portal with administrative privileges and go to the following path – Identity & Access Management –> Directories –> Select the Directory with Active Directory & IWA –> Sync Settings –> Users

Add the filter to exclude the disabled users:

userAccountControl – contains – 514
Note – 514 = Disabled Accounts

userAccountControl – contains – 66050
Note – 66050 = Disabled, Password Doesn’t Expire

Note – I found this helpful blog which described all the UAC attributes/values in detail – UserAccountControl Attribute/Flag Values | Jack Stromberg

WoA – Users

The above will take care of not syncing the Disable user accounts into the WoA directory. However, in our scenario, the number of disable accounts were very high, and the Safeguards kick-in to protect mass deletion.

Safeguards Adjustment (Optional)

This is an optional step depending on your environment. It might need tweaking, and I am highlighting the values that need to be tweaked if it involves mass deletion (Note – these values are for experimental purposes only). Note – Please switch the value back to default after the mass deletion activity is completed. The Safeguards feature a real blessing to control WoA Directory Sync accidents against any human/automation errors.

WoA – Safeguards

Why we had to stop syncing disable accounts?

I ran into an issue where-in users had multiple accounts with 1 active/1 disabled. The email address attributes were the same in both the accounts, which will have a conflict when the end-user tries to login. This becomes evident once we switched our identity to 3rd party IDP – Azure Active Directory, where the primary NAMEID attribute is the email address.

I hope you will find these steps helpful to stop syncing disabled accounts into WoA Access – Directory Sync.

Aresh Sarkari

My top sessions for VMworld 2021

31 Aug

VMworld 2021 is right around the corner, and it’s time to have a personally curated list prepared for the sessions. The following category sessions I am most excited about. Note I am excited about more sessions than I can include in this blog post, but you get the idea of my direction 🙂 Though I am not speaking, I know the amount of effort to prepare the deck/recording based on my previous 3 VMworld speaking engagements. Good Luck, speakers!

  • End User Services
  • Multi Cloud
  • VMware Code

End User Services

Architecting Multi-Cloud Horizon [EUS1547]

Learn how to architect multi-cloud VMware Horizon deployments. This technical session will cover the deployment options and platforms available, including Horizon, Horizon Cloud Service on Microsoft Azure, Horizon on VMware Cloud on AWS, Horizon on Azure VMware Solution, and Horizon on Google Cloud VMware Engine. Find out how Horizon Control Plane Services, such as Universal Broker and Image Management Service, aid in both administration and user access.

Chris Halstead, Senior Staff Architect, VMware
Hilko Lantinga, Staff Architect, VMware
Richard Terlep, Staff Architect, EUC Technical Marketing, VMware
Darren Hirons, Lead Solutions Engineer – Digital Workspace, VMware

Back to Our Future: Community Roundtable on the VDI Admin Role Development [EUS2461]

A VDIscover Experience session. The life of a VDI admin requires expertise across many areas of IT and as a result, can be very rewarding. But how does what you’re doing today translate to a career path in desktop and app virtualization in the future? Join this roundtable of community VDI experts, hosted by VMware’s Brian Madden and Ron Oglesby, to gain insights on how the VDI admin role will develop in the future and what you should be focusing on to develop skills that can make you stand out in the VDI space, including security, cloud, SaaS, and more.

Joris Adriaanse, Business Development Manager, FONDO.
Ron Oglesby, Staff Architect, VMware
Brian Madden, Distinguished Technologist, VMware
Maarten Caus, EUC architect, ITQ

Blasting your way into the Extreme with VMware Horizon [EUS1834]

Ever wondered where the “Extreme” bit from Blast Extreme is referring to? In this session, seeing is believing. You will witness VMware Horizon hosting insanely intensive workloads, from cloud gaming and immersive VR training to movie making and warfighting simulation. We will show what it takes to extend VMware Horizon beyond your typical VDI use cases and into the realms of media production, gaming, simulation, training and more. You will also learn how customers are utilising VMware Horizon, Blast Extreme and more to deliver next generation services during a global pandemic. Oh, and did we mention that we will show you some demos which will blow you away? This is a must-see session for any EUC enthusiast!

Matt Coppinger, Director, Product Management, EUC, VMware
Spencer Pitts, Chief Technologist, VMware
Johan Van Amersfoort, Technologist EUC, ITQ

Create, Automate, and Optimize a Windows Image for Horizon [EUS1549]

This technical session led by VMware End-User Computing Technical Marketing will be a deeper dive into the key elements of creating and optimizing Windows for use as a VMware Horizon desktop or RDSH host. This process is critical to the success of any virtual desktop infrastructure (VDI) or published application project, and is often skipped or misunderstood. All steps of the process will be covered, including how to add automation. This session will include several demos showing the process of creating an optimized Windows VDI image.

Graeme Gordon, Senior Staff EUC Architect, VMware
Hilko Lantinga, Staff Architect, VMware

Disaster Recovery with Multi-Cloud Horizon [EUS1548]

Learn how to design VMware Horizon to provide disaster recovery (DR) capabilities to enable availability, recoverability, and business continuity. This session will explore the strategy, different deployment options for recovery sites, options for user access, and considerations for data replication and failover.

Richard Terlep, Staff Architect, EUC Technical Marketing, VMware
Graeme Gordon, Senior Staff EUC Architect, VMware

Horizon Cloud Service on Microsoft Azure: Nuts and Bolts [EUS2489]

So, is it the year of virtual desktop infrastructure (VDI)? A profound yes. The events of this year meant that business had to pivot rapidly to a remote model (telework). And one platform that helped many businesses, small to large, is VMware Horizon Cloud Service on Microsoft Azure. In this session, you will see what is needed to get an environment up and running very quickly.

Linus Bourque, Principal Instructor, VMware
John Krueger, Principal Instructor, VMware

Multi-Cloud VDI Beyond the Reference Architecture: Field-Tested Practices [EUS1961]

A VDIscover experience session. The public cloud, especially a VMware-based public cloud service, is an ideal place to run virtual desktops and published application workloads. But deploying an end-user computing solution into a hybrid or multi-cloud scenario adds new considerations and complications that impact user experience. In this session, VMware End-User Computing technologists Sean Massey and Dan Berkowitz will join with leading community members to discuss the key considerations and field-tested practices for delivering a good user experience in hybrid or multi-cloud VDI environments.

Daniel Berkowitz, Sr. Architect, VMware
Sean Massey, Staff Multi-Cloud Solutions Architect, VMware
Eduardo Molina, EUC Practice Director, AHEAD
Johan Van Amersfoort, Technologist EUC, ITQ
Simon Long, VMware Engineer, Google Cloud Center of Excellence, Google

Accelerate Your VDI Management with vRealize Operations [MCL1899]

This session provides an understanding of why VDI and app management matters more than ever today, and how to create a digital foundation that supports ever-changing business requirements. We will focus on the new VMware vRealize Operations Management Pack for Horizon and how it can help organizations overcome today’s distributed challenges.

Thomas Bryant, Sr. Product Line Marketing Manager, VMware


App Modernization Deep Dive with VMware Cloud on AWS and VMware Tanzu [MCL2290]

Application modernization is top of mind for all enterprises that want to deliver value to their customers quickly. However, many organizations struggle to begin their application modernization journey due to a variety of reasons including legacy systems, lack of knowledge of the application, and application dependencies. In this session we will show how organizations can leverage VMware Tanzu and VMware Cloud on AWS to discover, analyze, and map dependencies, convert to containers and ultimately deploy a modernized application on an API driven infrastructure, while still realizing the TCO benefits that come with VMware Cloud on AWS.

William Lam, Senior Staff Solution Architect, VMware

Automate and Improve Day 2 Operations with vSphere Lifecycle Manager [MCL1274]

VMware vSphere Lifecycle Manager enhances the way administrators plan and execute VMware ESXi lifecycle operations. Reducing the amount of time required to update and upgrade your systems is imperative as the number of systems and environments grow. This talk details the features and capabilities of vSphere Lifecycle Manager, including newly added support for VMware NSX-T and VMware Tanzu. If you are looking to further automate vSphere Lifecycle Manager with VMware PowerCLI, we will provide the information and examples needed to get started. vSphere lifecycle management has never been easier.

Niels Hagoort, Staff Technical Marketing Architect, VMware
Jatin Purohit, Sr. Technical Marketing Manager, VMware

Azure VMware Solution Best Practices for Implementation and Migration [MCL3114S]

Join us for an interactive discussion on best practices when implementing, migrating and managing your Azure VMware Solution environment. Learn from our Azure VMware Solution experts and their experiences working closely with customers throughout deployment, including how to optimize for different scenarios and how to leverage the best of VMware and Azure services.

Jeramiah Dooley, Principal Cloud Advocate, Microsoft
Shannon Kuehn, Cloud Advocate, Microsoft

Azure VMware Solution: Deployment Deep Dive [MCL2036]

In this session, we will discuss planning and deployment of Azure VMware Solution beyond the quick start. We will cover planning for network addressing, connectivity, integrating into an existing Azure hub and spoke or virtual WAN deployment, configuring monitoring and management, and establishing governance controls.

Jeremiah Megie, Principal Cloud Solutions Architect, VMware
Steve Pantol, Sr. Technical Marketing Architect, VMware

Azure VMware Solution: Lessons Learned and Trends from Customer Deployments [MCL2004]

In this session, we will share lessons learned from Microsoft and VMware architects about best practices through many customer deployments and migrations to Azure VMware Solution. We will focus on deployment, security, network, migration, infrastructure components (e.g., LDAP/DNS), disaster recovery, and day 2 operations design decisions and recommendations. Specifically, we will demonstrate how architecture considerations translate from on premises to the cloud without sacrificing design principles or technology investments already in place. Migration is just one part of the customer’s modernization journey. We will also show how current applications can take advantage of native Azure services.

Emad Younis, Director, Multi-Cloud Center of Excellence, VMware
Trevor Davis, Senior Technical Specialist, Microsoft

VMware Code

Managing your Horizon Environment Using the Python Module for Horizon [CODE2747]

Learn how to get started with Python and the VMware Horizon REST API to automate desktop and RDS pool CRUD (create/read/update/delete) operations. Find out about the basic principles of the Python module for Horizon and what it takes to get started with your automation project in a session full of demo’s

Wouter Kursten, Professional Services Engineer, ControlUP

Pitfalls of Infrastructure as Code (And How to Avoid Them!) [CODE2758]

Are you looking to start your journey into Infrastructure as Code? Or have you already jumped in head-first? Either way, this session is for you! We’ll talk about many of the common pitfalls of IaC, and how you can avoid them. From infrastructure pitfalls, to coding pitfalls, we’ll go over all kinds of things that you may not have thought of yet. Get your questions ready, because I’m here to help you be successful in your IaC journey!

Tim Davis, DevOps Advocate, env0

Live Coding: Terraforming Your vSphere Environment [CODE2755]

Infrastructure as code is the process of managing infrastructure in a file or a set of files rather than manually configuring resources in a user interface. This session is going to take a live look at how to make the process of getting starting with infrastructure as code in a VMware vSphere environment as easy as possible using HashiCorp Terraform, the de facto standard for infrastructure as code.

Kyle Ruddy, Sr Technical Marketing Manager, HashiCorp


A Field Guide to Health Check vSAN to Operate, Upgrade and Transform [MCL1825]

Your data is the most critical part of a solution. Ensuring predictability and technical security is a daily part of the system administrator’s role. Join this deep-dive session with Paul McSharry, a VCDX certified architect from the Critical Accounts Program, to discuss and be guided through what is needed for a production VMware vSAN platform health check. Based on field experience with some of VMware’s largest vSAN and VMware Cloud Foundation strategic customers, ask questions and take away a checklist to review before upgrades and significant changes to keep your data safe. Understand the architectural design choice impacts with 6.7 and 7.x, review the data path, and discuss useful KPIs that can be monitored to ensure you get the most value of your vSAN deployment.

Paul McSharry, Principal Architect, VMware

VMware vSAN – Dynamic Volumes for Traditional and Modern Applications [MCL1084]

In this session, Duncan and Cormac will explore the possibilities of using VMware vSAN for traditional virtual machine applications as well as new modern/containerized applications. They will look at how vSAN continues to evolve and at some of the more recent features. In particular, they will discuss vSAN File Service, which can now be used to deliver both NFS and SMB file shares, while continuing to offer block storage at the same time. They will also demonstrate how vSAN File Service integrates with the VMware vSphere container storage interface (CSI) in Kubernetes to dynamically provision read-write-many volumes for Pods that need shared storage. The session will incorporate some common how-tos, best practices, and gotchas to avoid to enable you with the smoothest experience possible with vSAN File Service.

Duncan Epping, Chief Technologist, VMware
Cormac Hogan, Chief Technologist, VMware

Disaggregating Storage and Compute with HCI Mesh: Why, When, and How [MCL1683]

There are multiple use cases for disaggregating Hyperconverged Infrastructure (HCI) storage. Common scenarios include environments with disproportionate requirements for compute and storage resources and architectures with limited local storage capacity, e.g., blade servers. HCI Mesh with vSAN provides a simple method for scaling compute and storage resources independently. You will learn why HCI storage disaggregation is beneficial, how HCI Mesh works, and what use cases to consider. There will be demos and we will also show examples of business-critical application design, tiering and scaling storage, and recommendations for successful implementation.

John Nicholson, Staff Technical Marketing Architect, VMware
Peter Flecha, Sr Technical Marketing Architect, VMware

I hope you will find these sessions list helpful in your journey, and please do let me know if I have missed out on exciting sessions.

Aresh Sarkari