VMware Horizon Apps On Demand Launch Behavior How Does It Work?

VMware Horizon Apps On Demand Launch Behavior How Does It Work?


Have you ever been curious about the process that takes place when you initiate an on-demand launch of an App Volumes application on a Windows Server RDS host? Specifically, let’s consider a scenario where you or your user connects and launches a published app on demand.


  1. User clicks the published app on demand.

2. The App Package is presented to the RDS host via a mounted drive from Horizon View and App Volumes.

3. I am going to now logoff the user and see what happens. Keep in mind this is the only user logged into the machine so since that is the case no one else needs the app. It removes the applications that I was using.

4. As you can see the mounted drives are removed. This is a great feature that allows you to use the same images for multiple applications/use cases. Most times we create specialized farms to entertain certain uses causes which drives friction and complexity

What’s New In Horizon 2306 – Now Generally Available

What’s New In Horizon 2306 – Now Generally Available


Just released and made generally available on 07/06/2023 is Horizon Version 2306. This is the most current release of Horizon View from VMware. As a reminder this is a majority of the updates below. Look to the links below in the release notes section for full feature information and any additional updates should they happen from VMware.

This particular release has a ton of cool new enhancements around app volumes and our client agent release (CART). In particular for app volumes we have announced App Volumes Manager on Azure AVD with Azure File Shares (Solution Preview)and App Volumes for Amazon AppStream 2.0 Technical PreviewIn future posts I will be going over some these enhancements.

Horizon Server and Instant Clones

  • Session load distribution across CPA pods (Session Count approach).
  • Block connection to server if client doesn’t validate certificates.
  • Allow admins to configure certificate mapping.
  • Persistent disk support for Instant Clones.
  • Provide fixed timer for discarding SSO credentials without disconnecting Desktops/Apps.

Client and Agent Release

  • Horizon Recording support for LinuxVDI.
  • Fido2 WebAuthN redirection Windows Client.
  • DEEM: Mac client & .pkg installer
  • Mac scanner forward vendor-specific options.

App Volumes


Dynamic Environment Manager

  • Support for periodically refreshing DEM configuration.
  • Support for collecting telemetry data from DEM Management console
  • Support for configuring Horizon. browser content redirection policy.

Unified Access Gateway

  • Added compatibility with Horizon Connection Server’s support for setting enforcement state from clients with the same or a higher certificate checking mode.

  • Added support for PKG file type to Custom Executable distribution.

  • Support for enforcing virtual channel restrictions with Blast protocol. This list overrides any settings applied through the Horizon Agent.

  • Added support in Web Reverse Proxy for accessing intranet resources using NTLM authentication. In this case, Unified Access Gateway acts as an Identity Bridge to convert SAML into NTLM for back-end resource access.

  • Enhancements in SAML authentication for the Admin UI administrator login.

  • Configuration of static Service Provider entity id that is included in the Service Provider’s metadata.

  • Option to sign SAML AuthNRequest with TLS certificate installed on admin interface.

  • Added support to Tunnel Edge Service for optional Configuration ID parameter (used in future UEM release).

  • Logging improvements and troubleshooting enhancements.

  • Updates to Photon OS package versions and Java component versions.


Release Notes


New Monitoring Options for VMware Horizon Digital Employee Experience for Horizon (DEEM)

New Monitoring Options for VMware Horizon Digital Employee Experience for Horizon (DEEM)


It’s true that there is no shortage of monitoring choices out there. However, I am extremely excited about one of the newer options provided by VMware as an additional add-on, which is the Digital Employee Experience for VMware Horizon. The great thing about this option is that it utilizes the telemetry data already available from the Horizon Client and Horizon agent, without requiring any new additional installers. In contrast, some other solutions may require the installation of additional binaries, which can be challenging to ask our consumers/users to install, especially when they are unmanaged.

With our next-generation Horizon Control Plane, we have migrated our monitoring to the Workspace ONE Intelligence platform from our CMS (Cloud Monitoring Service). This opens up a whole new world of opportunities for observability and workflow automation using Workspace One Freestyle Orchestrator, notifications and other workflows can be generated from the captured telemetry events. Some of the integrations include Slack Web API, Workspace ONE UEM, Service Now and your own connectors for enterprise systems (REST API’s).

We all strive to create a great experience for our end consumers/users. Our goal is to build secure, performant, and resilient environments. (I’ve often heard from my customers that VDI is the most stable environment.) This monitoring option is an additional step to reinforce the experience we create because certain factors are beyond our control, such as the device they use, the last mile connectivity, and their location.  We track VM performance, network performance, and logon times. We utilize this telemetry to generate an overall organization experience score throughout the day. In this post I will go over briefly what dashboards there are and how to set up a notification on an event from Workspace One Freestyle Orchestrator.


  • Connect your Horizon deployment to Horizon Cloud using the our edge appliance and have Horizon Cloud manage the deployment.
  • One of these licences
    • Horizon Universal subscription
    • Horizon Apps Universal subscription
    • Horizon Apps Standard subscription
  • An additional purchase of the Workspace ONE Experience Analytics for Horizon add-on SKU. This will provide the DEEM  Digital Employee Experience for VMware Horizon dashboards.
  • Horizon Next-gen tenants are automatically set up with intelligence when provisioned.

Below I will go over some of the dashboard views. In this first screenshot you can see this is your default display of utilization in your universal console. We can do much more inside of Workspace One.

In these screenshots you can see something that looks similar but is not to your Horizon version 1 Cloud Monitoring Service (CMS). There is much more information if you drill into the each one by clicking view dashboard.  
Lets take the active sessions for example and click view. In this section you can see the active connections. Connections that users are actually performing activities in. If you are testing this it takes a few seconds for your session to pop up in this field.  
You can edit the columns and add a wide range of different data points!  

DEEM – Digital Employee Experience Management

Now available as an additional add on is all of the employee experience metrics and scoring as depicted in the screenshot below.  

You can create your own thresholds to describe what is good and what is poor. The frequency is every 4 hours with a date range of 24 hours.


VM Performance tab.  
We also have a network/Protocol tab for network insights. Click on view to see more details.  

In here you can see more details on your packet loss score. Additionally you can add  columns if you want just like shown above to further investigate issues.

Creating Notifications for Horizon with Freestyle Orchestrator

In your workspace one console click Freestyle button and add workflow button to start your first  workflow.  

In these two screenshots below you can see the Intelligence data source and the Horizon data source. Intelligence data source has all of the data and telemetry around Digital Employee Experience Management and Horizon has the Horizon components that make up delivery of applications and desktops.

We will go through as an example setting up a workflow to notify an email address of an agent(s) in an errored state. Remember this could be email, slack, service now or your own method. Make sure you select Horizon>Agent Error. Once you have selected that you can chose to execute this workflow manually, schedule it or  automatically which is what I am going to do.

I am going to set my Error Status equals true that way if it is an errored state I will get an email.

Now we are going to add an additional step to send us the email. I am going to add a step in the workflow and select the send email and click add action.

Now before you enter in your email and test it you can view the potential impact of this workflow before you enable it to so how much it impacts you. If you are satisfied with the results just give a name enable it and click save.

Here is an example of some extra connectors you can add. If you are looking to setup additional workflow connectors in Workspace One go to Integrations tab > Workflow connectors > click the add button. 

Microsoft Windows Defender Anti-Virus and App Volumes Scanning Behavior

Microsoft Windows Defender Anti-Virus and App Volumes Scanning Behavior


Have you ever been curious about the process that takes place when you initiate an on-demand launch of an App Volumes application on a Windows desktop? Specifically, let’s consider a scenario where we have a Windows 10 Operating System with its default Windows Defender antivirus program. In the screenshot provided, we can observe the behavior of the real-time scanning feature of Windows Defender Antivirus.

To provide some context, the Windows Defender Antivirus program is designed to protect your system from potential threats by continuously monitoring files, programs, and activities on your computer. When you launch an App Volumes application on demand, Windows Defender Antivirus kicks in to scan the application and associated files in real time. Notice that their is a new drive mounted with that application. It is aware of that as well.

In the case of the screenshot I mentioned, the machine where the application was launched was connected to the internet. Windows Defender Antivirus, as part of its functionality, relies on internet connectivity to enhance its scanning capabilities. It utilizes the internet to download the latest virus definition updates, access cloud-based protection services, and analyze potential threats against known patterns and signatures.



  1. Provision and entitle an application to be delivered to a user or computer on demand from the App Volumes Manager.
  2. Start Process Monitor from Microsoft.
  3. Observe results upon clicking on the shortcut in the Process Monitor software.

You can download the Process Monitor from Microsoft Here


Horizon Feature Parity Comparison on AVS VMCAWS GCVE OCVS

Horizon Feature Parity Comparison on AVS VMCAWS GCVE OCVS


If you have been thinking about leveraging different cloud providers from any one of VMware’s partners, it is important to note that some capabilities might become available at different times in each of the solutions. Also, I think it is important to remember that what I am talking about here is running vSphere in an IaaS model with one of these landing zones, and not native Azure as that would be our Horizon Cloud service on Azure.

What is interesting and makes things a bit easier for you is when you look at each landing zone’s KB, you can assume that any feature not listed in the table is supported. This makes things easier to consume. I have put the KBs together for you below


Feature Parity KB articles for each solution

Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration Part Two

Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration Part Two


This article is a continuation of my first part for published applications on demand for on-premise horizon. If you got brought to this article via search and need to start from the beginning please start here: Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration

First we will go into the Horizon Connection server>Farms>Farm Next we will associate the farm with an App Volumes Manager with the farm. A farm can be associated with one App Volumes manager but a Manger can be associated with many Farms.


Below you can see the new association in the farm.


Next in the Horizon Connection server>Applications>Add>Add from App Volumes Manager 


After this is complete you will be able to launch your horizon client and consume the new published app delivered on demand!


What’s New In Horizon 2303 – Now Generally Available

What’s New In Horizon 2303 – Now Generally Available


Just released and made generally available on 03/30/2023 is Horizon Version 2303. This is the most current release of Horizon View from VMware. As a reminder this is a majority of the updates below. Look to the links below in the release notes section for full feature information and any additional updates should they happen from VMware.


Horizon Server and Instant Clones

  • Instant Clone Sysprep customization now supports a adding vTPM device for clones.
  • Improvement in snapshot management – Snapshot vmdk files of the parent image are now deleted from the datastore when the corresponding snapshots are deleted from the vCenter.
  • Instant Clone troubleshooting – Admins can now see timestamp along with pool provisioning errors in the Horizon console.

Client and Agent Release

  • Support AV1 Encoding on desktops with Intel ATS-M GPUs
  • Windows Client Blast only Bad internet connection warning
  • URL redirection rules based on IP address
  • BlastCodec support for Mac ARM
  • Suppress broker time out message
  • Proxy authentication
  • Screen shipping for media offload
  • Individual Application sharing
  • Browser content redirection for Linux client.
  • iOS & Android client support for Horizon V2 Next-Gen.
  • BlastCodec client performance improvement.
  • Improved Blast connection failure diagnostic information.

App Volumes

  • Agent Credentials for File Shares


Dynamic Environment Manager

  • Support for searching DEM configuration.
  • Support for running custom commands as SYSTEM Context.
  • Support for FlexEngine command-line option to apply NoAD Settings on-demand.

Release Notes


Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration

Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration


One of the latest enhancements in Horizon View 2212 released in January of 2023 is horizon apps on demand. Apps on Demand is a feature in Horizon View 2212 that seeks to address several challenges associated with managing applications in a remote desktop session host (RDSH) environment. One of the primary challenges is the friction involved in the app update process, which can be time-consuming and result in delays and inefficiencies. Apps on Demand solves this by centralized management of applications delivered to generic farm images. Isolation between app and operating systems is key here.

Another challenge that Apps on Demand aims to tackle is unneeded infrastructure sprawl. In a traditional RDSH environment, multiple servers may be required to accommodate the growing number of applications and users. This can result in an inefficient use of resources, with some servers being underutilized while others are overloaded. Apps on Demand seeks to address this challenge by dynamically provisioning the resources required for each user’s session/application needs, ensuring that only the necessary resources are allocated, and no additional infrastructure is wasted. Why have applications installed when they are not being used?

Time spent scanning apps and updating images is another challenge that Apps on Demand seeks to overcome. In a traditional RDSH environment, maintaining up-to-date images of applications can be a time-consuming process. Apps on Demand seeks to address this challenge by using a centralized app store, which ensures that images are updated automatically and efficiently across the entire RDSH environment from one place.

Finally, complex entitlements are another challenge that Apps on Demand aims to tackle. In a complex RDSH environment, managing entitlements across multiple farms can be a challenging task. Apps on Demand seeks to address this challenge by providing a centralized entitlement management system from the Horizon Connection Server admirative console that ensures that entitlements are managed efficiently and consistently across the entire RDSH environment.
The journey to Published Apps on Demand has not been a singular event, but rather a culmination of many features. It began with Horizon Published Applications using traditional RDSH deployments, followed by Lifecycle Management with Markers, Multi-Session Apps, Apps on Demand, and finally, Published Apps on Demand.

Requirements for Published Apps on Demand

  • Horizon 2212 Connection Server
  • Horizon Agent 2212
  • App Volumes Manager 2212
  • App volumes Agent 2212

Apps on Demand Visualized

In the illustrated image below, you can see that applications are delivered to the user in real-time on demand. The green outline represents a single gold or generic image. A new RDSH host could only be stood up when the host reaches a configured threshold capacity. Once again, the farm is not being built around the required applications.


Example of user launch of published application on demand

  1. User selects the application from the Horizon Client.
  2. The Horizon Connection server communicates with the App Volumes Manager to request the application be attached to an RDSH host.
  3. Now the request for an attachment is sent to the vCenter.
  4. The disk with the app is now attached to the RDSH host.
  5. User is now connected to the application.


In order configure app volumes apps on demand you must first add an appvolumes manager to Horizon administration console on the connection server. Once logged go to Settings>Servers>App Volumes Mnagers Tab> Add

After hitting the add button you will see a tooltip and if you click on that it will say “Before you add app volumes manager to horizon connection server, install a valid SSL certificate signed by a trusted CA. n a test environment, you can use the default, self -signed certificate that is added to the truststore” So, before adding your app volumes manager to the connection server,  it is recommended to have a valid certificate, so lets enroll with a trusted CA. However, if you want to use the self-signed certificate. Import the certificate into the trusted root store of the Horizon connection servers. Then restart the connection server service. You can find more information below on how to find that certificate and just import them into the trusted root certificate store of the connection server.

For this I am going to create a new certificate template on my certificate authority which happens to be a Microsoft certificate Authority. Navigate to Certsrv console> certificate templates>manage templates.

Next I will duplicate the web server template with the following settings.

Edit the Application Policies and add Client Authentication

Navigate back to certsrv and right click the certificate templates and click New Certificate template to issue and select the app volumes template previously created and click ok.

Now that you have the template you can create a new certificate from that template to use for App Volumes Manager. For this instance, I am going to log into the app volumes manager windows VM hosting the server and generate a certificate. I start by typing in the search menu cert then you should be able to find the certificate mmc snapin for the local server.

Enter in the following information under common name enter the server name or load balanced name if you have more than one server (LB example ws2022appvol00.lab.local or whatever you want it to be) I put in any of the additional servers FQDN’s below. Also make the private key exportable. Click Enroll.

Now that you have created a certificate you now have to export the certificate. Follow the wizard and select yes export private key option and select the following options in the screenshot below. You will then be directed in the wizard to enter a password (enter password) and to save it to a location.

Once the certificate is exported we can extract the private key from the PFX file and convert the private key to PEM format. Using the commands below with openssl. (this is something that is not part of an os and needs to installed)

openssl pkcs12 –in c:\%yourlocationofsavedfile%\view-appvol01.pfx –nocerts –out c:\ %yourlocationofsavedfile%\appvol.key


openssl rsa –in c:\ %yourlocationofsavedfile%\view-appvol01.key -outform PEM –out c:\ %yourlocationofsavedfile%\vappvolpem.key


openssl pkcs12 –in c:\ %yourlocationofsavedfile%\view-appvol01.pfx –clcerts –nokeys –out c:\ %yourlocationofsavedfile%\appvolpem.crt

After that is complete you should have the following files. We will now be able to take these files and copy them to the appropriate server.

Next you will need to stop your app volumes services and copy the appvolpem.crt and appvolpem.key files into the app volumes manger’s directory(default: C:\program files(x86)\Cloud Volumes\Manager\nginx\conf). After they are copied into the appropriate directory change the nginix.conf file (make a backup copy of this file somewhere. I copied the file to my desktop modified it and replaced it in the directory) once the config file is changed to your new certificate’s names and saved the file you can start the previously stopped services.

Now go to your horizon connection server and add in a service account ideally like lab\appvolsvc that has administrator privilege on vcenter.

And that is it! In my next article you will be able to associate app volumes with a farm.

Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration Part Two

Horizon 2212 New Feature Connection Server Certificate Management

Horizon 2212 New Feature Connection Server Certificate Management


One of the latest enhancements in Horizon View Connection Server is the capability to manage certificates directly from the Horizon View administrative console. Furthermore, you can monitor the certificate status. With the necessary permissions within the administrative console, you can take advantage of this new feature. Lets take a look at where this feature is located and how to use it.

Importing and Generating a CSR

Once you logon to your connection server administrative console navigate to Settings>Certificate Management

As you can see I currently have a self signed certificate.

I’ve logged into the connection server as an Administrator but I do not have the ability to manage the certificates yet! Let’s fix that. Navigate to Settings>Administrators>Role Privileges> Add 

I’m going to add the required new role Manage Certificates and name it Certificate_Management Next click OK

Now we need to add this new role to the to whatever group you would like to manage the certificates.  Settings>Administrators and Groups> Add Permissions next select the newly created Certificate_Management role and lick Finish. After this is complete you are now able to generate a CSR and Import Certificates. (the buttons will now be available to click on)

In the example below this is a CSR request. If you plan to use this certificate with other Horizon Connection Servers please put their FQDN’s in the Subject Alternative Names section. 

If you plan to use the method of generating a CSR through the windows GUI. You can follow this VMware KB to generate certificates using the windows GUI. Generating a certificate template and generating/renewing certificate for Horizon connection server (80314)Once you complete the steps in the KB you can import the PFX file generated in the screenshot below.

It is important to note that after you import the certificate. You also have to remove the friendly name VDM of the old certificate on each server. Then make sure you modify your new certificate with the friendly name VDM and restart the VMware Horizon View Security Gateway Component. 

View Certificate security Configuration from the Horizon Administrative Console

Settings>Global Settings>Security Settings> View Security Configurations

Horizon Agent Client and Agent Silent msi /x guid uninstall

Horizon Agent Client and Agent Silent msi /x guid uninstall


In many cases, people use the .msi/.exe format and third-party deployment tools to manage software installation, updates, and in some cases, uninstallation. In this article, we will be discussing the Horizon Client and Horizon Agent. These concepts can also be applied to other .msi/.exe file types. The Horizon Client and Agent use these file types for installation and modification. This article can serve as a guide for your deployment, upgrades, modifications, or removal of the software.

The .exe file acts as a wrapper that contains the MSI files and runs them in the correct order during the installation process. For example, a software product may have multiple components, each with their own MSI file. The software vendor may choose to bundle these MSI files into a single .exe file to make the installation process easier for the end user.

It is always important to follow official documentation for procedures below and it may be best to utilize the switches with the .exe to better cleanup the install if you are trying to uninstall it completely. For instance in some cases you may find yourself looking for the codes for the MSI but find that you may have missed some of the other msi files that the exe installed. For example with the Horizon Client uninstall I would try this first then work with the MSI code.

VMware-Horizon-Client-y.y.yxxxxxx.exe /uninstall

Here is an example of the agent 2212.

msiexec.exe /qb /x {53D6EE37-6B10-4963-81B1-8E2972A1DA4D}

Documentation source:

Uninstall Horizon Client for Windows

Uninstalling VMware Horizon 8 Components Silently by Using MSI Command-Line Options


How to:

First you must look at what is installed on your machine. We can use Windows Powershell for that. Start by entering this into your Powershell window. Once you run this command you can see the output below shows us the ID we need.


Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, ModifyPath |
Where-Object {$_.DisplayName -eq ‘VMware Horizon Agent’} | Format-Table –AutoSize


Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, ModifyPath |
Where-Object {$_.DisplayName -eq ‘VMware Horizon Client’} | Format-Table –AutoSize

Once you have your unique information on that msi you will then be able use the command line to uninstall it or use my script for additional cleanup. I will say that if you are going to use my script this is something that I wrote and is not something officially supported. Use at your own risk.

Simple command line to uninstall 2212 client example:

MsiExec.exe /X {A37284DF-37C2-40D8-B857-E1DB2BA6892B}

Script with logging and directly cleanup:

@echo off

rem Uninstall Horizon Client
msiexec /x {A37284DF-37C2-40D8-B857-E1DB2BA6892B} /q /l*v “C:\temp\HorizonClientUninstall.log”

rem Remove related files and directories
rmdir /s /q “C:\ProgramData\VMware\VMware Horizon View”
rmdir /s /q “C:\Program Files\VMware\VMware Horizon View Client”
rmdir /s /q “C:\Program Files (x86)\VMware\VMware Horizon View Client”

echo Horizon Client has been successfully uninstalled and related files and directories have been removed.
echo Log file with detailed information can be found at “C:\temp\HorizonClientUninstall.log”

Chris Carlson

Chris Carlson

Senior Solutions Engineer

Chris Carlson is a Senior Solutions Engineer at VMware with over 15 years experience utilizing Hardware and Software products in enterprise data centers.


A personal Blog relating to virtualization with mostly VMware topics. This site is maintained by me Chris Carlson