Omnissa Horizon Deep Dive 2026 | VDI Guy

// Version Matrix

Horizon 8 Version Matrix — 2024/2025/2026

Omnissa uses YY.MM naming. ESB (Extended Service Branch) = 2-year lifecycle. Standard = 12 months. Always match Connection Server + Agent versions exactly. Interoperability Matrix ↗

Release	Build	Released	EOL Date	Type	Key Changes & Notes
2512 Latest	8.14.0	Dec 2025	Dec 2026	Standard	Nutanix AHV GA, Entra ID SSO GA, Blast HEVC HW encode, OLM 30-char migration complete, MSIX App Attach strict mode, DEM 2512 integration.
2509	8.13.0	Sep 2025	Sep 2026	Standard	Smart Card SSO improvements, Linux VDA 2509 support, App Volumes 4.13, Horizon Cloud Next-Gen improvements.
2506	8.12.0	Jun 2025	Jun 2026	Standard	IC provisioning speed improvements, DEM 2506, USB redirection updates, Horizon HTML Access enhancements.
2503	8.11.0	Mar 2025	Mar 2026	Standard	Entra ID domain-join GA, logon performance improvements, vSphere 8.0 U3 support.
2412 ESB ★	8.10.0	Dec 2024	Dec 2026	ESB	Current ESB. 2-year lifecycle. Recommended for enterprises needing stability. OLM key migration, all major features stable. Quarterly patch releases.
2312	8.9.0	Dec 2023	Dec 2025 ⚠	EOL	EOL Dec 2025. Migrate immediately to 2412 ESB or 2512. No security patches.
7.x / 2111 and older	—	—	EOL	EOL	Unsupported. Known CVEs. Upgrade path: 7.x → 2312 → 2412 ESB → 2512.

VDI Guy Recommendation: New deployments → 2512 (Nutanix AHV GA, all latest features). Enterprises on change-controlled cycles → 2412 ESB (Dec 2026 EOL, patch quarterly). Never mix Connection Server and Agent major versions — one delta maximum. Run vdmadmin -A -getDomains to verify CS health after upgrades.

// Core Architecture

Horizon 8 Component Architecture

Horizon uses a distributed component model. Each piece has specific HA requirements. Don't undersize Connection Servers — they're often the first bottleneck.

🖥️ Connection Server

Central broker: AD auth, pool entitlement, session routing. 7-node max per pod. HA: 2+ nodes behind F5/NSX/HAProxy. Each node: ~2,000 CCU. Windows Server 2022 recommended.

4 vCPU · 16 GB RAM · 100 GB disk

🔧 Horizon Agent

Installed on every desktop/RDSH. Manages Blast/PCoIP sessions, USB, printing, SSO, clipboard. Version must match CS ±1 minor version. Available for Windows and Linux (Blast only on Linux).

VMware-Horizon-Agent-x86_64.exe /silent /norestart

🌐 Unified Access Gateway

External gateway in DMZ. Replaces Security Server. Handles Blast UDP 8443, PCoIP 4172, Workspace ONE integration. Deploy 2+ for HA. OVA-based, no Windows license required.

2 vCPU · 4 GB RAM min · 20 GB disk

📦 App Volumes Manager

Just-in-time app delivery via VMDK/VHD AppStacks and Writable Volumes. 4.13 adds MSIX App Attach. Requires SQL Server (Express OK for <1,000 users, Full for larger). Port 443 from VMs.

4 vCPU · 8 GB RAM · SQL Server required

🎯 DEM (FlexEngine)

Policy-based environment management. Replaces logon scripts + folder redirection GPO. Manages printers, drives, env vars, app settings via XML configs. ADMX templates for CS config. No agent on CS.

Client-side agent only · Config share: \\server\DEM

☁️ Horizon Universal Broker

Cloud-hosted multi-pod broker. Federates on-prem pods + cloud capacity. Required for Horizon Cloud Next-Gen. Subscribers authenticate to HCS which routes to nearest pod. No on-prem install.

SaaS · Requires Horizon Universal license

Network Port Requirements

Port	Protocol	Flow	Purpose	Required?
443	TCP	Client → UAG/CS	HTTPS Horizon client, HTML Access, Blast TCP fallback	Must Open
8443	UDP	Client → UAG	Blast Extreme UDP — primary display protocol	Must Open
4172	UDP+TCP	Client → UAG/Agent	PCoIP protocol (legacy thin clients)	If PCoIP used
22443	UDP+TCP	Client → Agent	Blast Extreme internal/direct connection	Internal only
389/636	TCP	CS → DC	LDAP / LDAPS for Active Directory	Must Open
902	TCP	CS → ESXi	Instant Clone provisioning, VM power operations	Must Open
443	TCP	CS → vCenter	vCenter API — provisioning, inventory, snapshots	Must Open
8472	UDP	ESXi → ESXi	VXLAN/Geneve for NSX (if used)	NSX only

// Instant Clone Technology

Instant Clone — Architecture, Mechanics & Tuning

Instant Clone (IC) replaced Linked Clone as the standard for all new pooled deployments in Horizon 7.x+. Uses vSphere memory COW from a running parent — no quiesce, no reboot chain.

How IC Provisioning Works

Golden Image (Parent VM)

Windows 10/11 LTSC or Server. Horizon Agent installed. Parent stays powered ON. IC clones from live memory state — not from snapshot.

Memory Fork (vSphere COW)

vSphere forks running parent memory pages via copy-on-write. New VM boots in ~100ms sharing parent pages. No quiesce, no snapshot chain overhead.

ClonePrep Customization

Assigns SID, hostname (pool-XXXX), IP, joins AD. ClonePrep (not Sysprep) — 80% faster. Takes 60–90s. Minimize by pre-joining, disabling Windows Update, using static IP pools.

Available State → Session

VM sits in pool headroom. User connects → assigned in <1s. At logoff: VM deleted immediately, new clone provisioned. Zero leftover user state.

IC Performance Tuning Parameters

Parameter	Recommended Value	Notes
Headroom VMs	10–15% of pool size	Pre-provisioned VMs prevent logon wait
Min # Machines	≥ headroom count	Keeps VMs alive always
ClonePrep vs Sysprep	ClonePrep always	80% faster — no full reboot
Storage Policy	vSAN / NVMe SSD	COW deltas need low-latency storage
Max Concurrent Provisions	20–50 per vCenter	More = vCenter API saturation
Parent VM placement	Same cluster as clones	Cross-cluster IC = network overhead
Parent vCPU topology	Match clone topology	Mismatch slows fork
Power policy	Always On or Off	Suspend NOT supported with IC

Gold Image Seal Checklist: Run VMware OS Optimization Tool → Disable Windows Update service → Disable pagefile on OS disk (move to D:) → Enable disk cache → Set power plan to High Performance → Remove unused startup items → Run cleanmgr /verylowdisk. Smaller parent = faster fork = faster logon.

// Blast Extreme Protocol

Blast Extreme — Tuning, GPO Settings & Best Practices

Blast Extreme (HEVC/H.264 over UDP 8443) is the standard protocol for all Horizon 2026 deployments. PCoIP only for legacy hardware. Never RDP as primary.

GPO Setting	Registry Path	Recommended Value	Impact
Max Session Bandwidth	Blast\MaxSessBandwidthKbps	0 (unlimited)	Let Blast auto-throttle. Hard cap degrades UX. Only limit on severely constrained WANs.
Min Session Bandwidth	Blast\MinSessBandwidthKbps	256	Prevents Blast throttling below 256 Kbps. Maintains minimum quality floor.
H.264 Hardware Encode	Blast\H264Enabled	1 (enabled)	Enable always. Falls back to software if no GPU. Software H.264 adds CPU overhead.
HEVC Hardware Encode	Blast\HEVCEnabled	1 (enabled)	HEVC = 50% better compression than H.264. Requires NVIDIA vGPU or Intel QSV on ESXi host. New in 2512.
Max Frame Rate	Blast\MaxFramesPerSecond	30 (general) / 60 (GPU users)	60 FPS nearly doubles bandwidth. Use QoS to protect GPU pool bandwidth.
Build-to-Lossless	Blast\AllowBuildToLossless	Disabled (general) / Enabled (finance)	Lossless for pixel-perfect compliance. 3–5× bandwidth increase. GPO restrict to finance OU only.
Audio Quality	Blast\AudioQuality	Low (22 Kbps default)	High = 64 Kbps/session overhead. Default Low fine for voice/Teams. Set High for AV production.
UDP Transport	UAG blastExternalUrl	udp://host:8443	UDP MUST be open at firewall. TCP 443 fallback works but latency/quality significantly worse.
Clipboard Direction	Blast\ClipboardRedirection	Client-to-Agent only (secure)	Restrict clipboard direction for DLP. Bidirectional for productivity, Agent-to-Client only for kiosk.

Protocol Comparison — 2026

Scenario	Protocol
Knowledge workers (LAN/WAN)	Blast UDP 8443
CAD / 3D / vGPU workloads	Blast HEVC + GPU
Financial (pixel-perfect)	Blast Lossless
Legacy PCoIP thin clients	PCoIP UDP 4172
Firewall restricted (no UDP)	Blast TCP 443
Linux VMs	Blast (PCoIP = extra lic)

Bandwidth Estimates

User Type	Avg BW	Peak BW
Task/call center	200–400 Kbps	1 Mbps
Knowledge worker	500 Kbps–1.5 Mbps	3 Mbps
Power user (video)	2–5 Mbps	8 Mbps
CAD / vGPU (HEVC)	4–8 Mbps	15 Mbps

// GPU Virtualization

vGPU & GPU Virtualization — NVIDIA, vDGA, vSGA

GPU acceleration for CAD, rendering, media, financial workstations. Horizon 2512 supports NVIDIA vPC/vWS, vDGA passthrough, and deprecated vSGA. Requires NVIDIA vGPU licensed driver stack on ESXi host.

Mode	GPU Sharing	Users/GPU	Display Encode	Use Case	Notes
vPC	Shared compute	Up to 32	Software (host CPU)	GPU-accelerated apps (ArcGIS, AutoCAD 2D)	Best cost/density. No OpenGL 4.x. No protocol HW encode.
vWS (Quadro)	Shared full-stack	1–8	NVIDIA NVENC	CAD, 3D modeling, Revit, CATIA, video edit	Full OpenGL/DX12. Blast HEVC HW encode. NVIDIA RTX required.
vDGA (Passthrough)	1:1 dedicated	1	Full GPU NVENC	ML inference, rendering farms, max perf	No vMotion. Bare-metal GPU performance. GPU idle when user logged off.
vSGA (deprecated)	Shared display only	Up to 64	Software	Aero / DWM glass effects only	Deprecated. No HEVC. No modern GPU features. Use vPC instead.

NVIDIA A40 Profile Reference (48 GB)

# A40 = 48 GB GDDR6 total vRAM
# Format: GPU-[size]Q = workstation class
# GPU-[size]B = virtual PC class (compute only)

A40-1Q   =  1 GB → 48 users/GPU  (knowledge)
A40-2Q   =  2 GB → 24 users/GPU  (knowledge+)
A40-4Q   =  4 GB → 12 users/GPU  (CAD light)
A40-8Q   =  8 GB →  6 users/GPU  (CAD/3D)
A40-24Q  = 24 GB →  2 users/GPU  (rendering)
A40-48Q  = 48 GB →  1 user/GPU   (ML/workstation)

# Check in VM: nvidia-smi → shows vgpu_type
# Check NVENC utilization: nvidia-smi dmon -s u

Blast + vGPU GPO Settings

# VMware View Agent > Blast Config (GPO)
# Path: Computer Config > Policies > Blast

Allow H.264 hardware encoding = Enabled
Allow HEVC hardware encoding  = Enabled  # 2512+
Max monitors per session      = 4
Max resolution per display    = 3840x2160
Enable FBC (Frame Buffer Capture) = Enabled

# NVIDIA host driver GPO (optional):
# Unlimited vGPU display memory = Enabled
# Validate: In VM > Task Manager > GPU
# Should show "NVIDIA xxx vGPU" not "VMware SVGA"

// VM & Host Sizing

Desktop & Host Sizing Reference 2026

User Type	vCPU	RAM	Disk	Users/Host*	Pool Type	Notes
Task Worker	1	2–4 GB	40 GB	150–200	Non-persistent IC	Call center, kiosk, single app. No Office.
Knowledge Worker	2	4–6 GB	60 GB	80–120	Non-persistent IC	Office 365, Teams, browser, LOB apps.
Power User	4	8–16 GB	80 GB	40–60	Persistent / Floating	Developers, analysts, thick apps.
CAD / 3D (vGPU)	4–8	16–32 GB	120 GB	6–12 (GPU limited)	Persistent	NVIDIA vWS 4Q–8Q. NVMe storage required.
RDSH (per session)	0.25–0.5	1–2 GB	—	40–60 sessions/VM	Non-persistent	RDSH VM: 16–24 vCPU / 64–128 GB. Published apps + desktops.
Connection Server	4	16 GB	100 GB	1 per 2,000 CCU	Infrastructure	Min 2 for HA. Windows Server 2022.

* Users/host based on dual-socket host with 2× Intel Xeon 6338 (32 cores each) or AMD EPYC 7543 (64 cores) — 256 GB RAM total. Adjust for your hardware.

⚠ vCPU Overcommit Warning: Max 6:1 vCPU:pCPU for knowledge workers. Max 4:1 for power users. Higher ratios cause CPU ready spikes at logon storm. Monitor cpu.ready < 5% at peak. Use vROps "Lagoon" dashboards for VDI-specific metrics.

// OLM Licensing

Omnissa Licensing Model (OLM) 2026

Omnissa completed the VMware → OLM transition in 2025. 30-character keys replace 25-char VMware keys. Legacy 25-char keys remain valid until next renewal.

Edition	Includes	Model	Best For
Horizon Universal	Horizon + App Volumes + DEM + HCS. On-prem + cloud.	Named User or CCU · Annual	Best value 2026. CCU for shift workers (<100% utilization). Named for 1:1 dedicated.
Horizon Enterprise Plus	All Universal + HCS Next-Gen + advanced analytics.	Named User · Annual	Multi-cloud + Next-Gen broker. Universal Broker required.
Horizon Standard	Core broker + agent only. No App Volumes or DEM.	CCU · Perpetual or subscription	Small deployments, tight budgets. No cloud burst.
Legacy VMware Keys (25-char)	Pre-Omnissa entitlements	Perpetual (no new purchases)	Migrate at renewal via licenses.omnissa.com. Hot-swap — no downtime.

25→30 Char Key Migration

# VMware 25-char: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
# Omnissa 30-char: XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX

# Migration steps:
# 1. Login: https://licenses.omnissa.com
# 2. License Keys → Convert Legacy Keys
# 3. Enter 25-char → receive 30-char equivalent
# 4. Horizon Admin Console:
#    Settings → Product Licensing → Edit License
# Hot-swap: no downtime, no session disruption
# Verify: vdmadmin -L (list current license info)

License Monitoring (REST API)

# Horizon REST API — license status
# Base URL: https://cs.corp.com/rest

GET /monitor/v3/license
# Returns: usedLicenseCount, maxLicensedSessions,
#          licenseExpiry, licenseEdition

# PowerShell via Horizon API:
$header = @{Authorization = "Bearer $token"}
$lic = Invoke-RestMethod -Uri "$cs/rest/monitor/v3/license" -Headers $header
Write-Host "Used: $($lic.usedLicenseCount)/$($lic.maxLicensedSessions)"

# Alert: >85% usage, <90 days to expiry

// Logon Optimization

Logon Time Blueprint — Sub-10 Second Target

Every second over 15 seconds to usable desktop generates helpdesk tickets. Target: <10s total. Measure with Horizon Logon Monitor, Lakeside SysTrack, or Nexthink before tuning.

Stage	Target	Common Culprits	Remediation
Kerberos / Network Auth	<0.5s	DC latency, DNS failure, NTP skew (>5 min)	DC in same AD site as VMs. Split-brain DNS. Check `w32tm /query /status`.
FSLogix Container Mount	<2s	Large VHDX (>20 GB), slow SMB storage, Cloud Cache sync delay	VHDX <15 GB + redirections.xml. Azure Files Premium. Local CacheDirectory on NVMe.
Group Policy Processing	<2s	Slow WMI filters, many GP extensions, Software Install policy	Audit with `gpresult /h report.html`. Disable unused CSEs. Loopback Replace mode. Remove Software Install from VDI GPOs.
DEM FlexEngine	<1s	Many logon tasks, synchronous drive mapping, large DEM config share	Async DEM tasks. Background drive mapping. Keep DEM config share <50 MB. Async printer mapping.
App Volumes Mount	<2s	Too many AppStacks, large VMDKs, AVM network latency	Max 8 AppStacks/user. Each <10 GB. Enable AppStack caching. AVM server in same vCenter.
Shell Load (Explorer.exe)	<3s	Startup apps, network printer enumeration, drive mapping, OneDrive init	Disable startup apps via GPO. Background printer discovery. Async drive mapping. OneDrive Files On Demand.
Total to Usable Desktop	<10s	—	Measure each stage. Address highest contributor first.

Quick Win Checklist: ✓ OS Optimization Tool (disables 50+ services) ✓ Async GP processing (single biggest gain after storage) ✓ FSLogix VHDX <15 GB with redirections.xml ✓ DC in same AD site ✓ NTP sync <5 min skew ✓ Disable "Always wait for network" GPO on Instant Clone ✓ Background printer enum GPO ✓ DEM async logon tasks. Run gpresult /r and check "The following GPOs were not applied" — often reveals irrelevant policies slowing processing.

// Nutanix AHV (2512 GA)

Horizon on Nutanix AHV — General Availability in 2512

Horizon 2512 marks the GA of Nutanix AHV as a first-class hypervisor. No vSphere license required. Full Instant Clone support. Nutanix Files replaces Azure Files or external NAS for FSLogix.

AHV Requirements (2512)

▸Nutanix AOS 6.7 or later
▸AHV 20230302.x or later
▸Prism Central (PC) — required for Horizon integration
▸Nutanix Files 4.4+ for FSLogix SMB storage
▸Connection Server 2512 (exact version match)
▸Instant Clone only (Linked Clone not supported on AHV)
▸Prism Central Starter license minimum

AHV vs vSphere — Key Differences

+No vCenter required — Prism Central API integration
+Built-in HCI storage — no SAN/NAS license
+Nutanix Files for FSLogix replaces Azure Files
+Lower license cost (no ESXi + vCenter)
!Fewer memory management knobs (no TPS/balloon visibility)
!NVIDIA vGPU support limited vs ESXi
–No DRS equivalent — manual VM placement

When to choose Nutanix AHV: Already on Nutanix HCI. Want to eliminate VMware licensing cost. Nutanix Files available for FSLogix. Avoid if: heavy vGPU workloads (ESXi has better NVIDIA support), complex DRS/HA automation, or running 7.x → migration preferred on vSphere first.

// Common Issues

Troubleshooting Reference — Common Horizon Issues

Symptom	Likely Cause	Diagnostic Command / Tool	Fix
Black screen after login	Explorer.exe crash, shell load failure, missing profile	Event Viewer > Application > Source: Desktop Window Manager	Check FSLogix logs. Verify redirections.xml not excluding AppData\Roaming. Re-seal gold image.
Slow logon (>30s)	FSLogix mount, GPO, printer enum, domain trust	gpresult /h > logon.html; frx list-profile-size	See Logon Tuning section above. Stage-by-stage measurement required.
Session disconnect / reconnect loop	UDP 8443 blocked, MTU mismatch, network path issue	Test-NetConnection -Port 8443 -ComputerName [UAG]; Wireshark on client	Verify UDP 8443 open at all firewall hops. Check MSS/MTU on tunnel if VPN. Try Blast TCP 443 to confirm UDP is the issue.
IC provisioning stuck	vCenter API overload, parent VM unhealthy, AD join failure	Horizon Admin Console > Problem VMs; vCenter Tasks panel	Reduce max concurrent provisions. Check AD join account permissions. Review CS logs: `C:\ProgramData\VMware\VDM\logs`
No desktops available (all missing)	CS AD connection broken, vCenter unreachable, license expired	vdmadmin -A -getDomains; vdmadmin -L	Test CS → DC connectivity. Verify vCenter creds in CS config. Check license in Settings > Licensing.
Poor video / choppy Blast	TCP fallback active, bandwidth cap, CPU saturation	Horizon Client > Help > Collect Support Logs; check BlastTransport in logs	Verify UDP 8443 open. Check MaxSessBandwidthKbps (should be 0). Enable HEVC. Check vCPU ready time <5%.

Key Log Locations

# Connection Server logs:
C:\ProgramData\VMware\VDM\logs\

# Agent logs (in VM):
C:\ProgramData\VMware\VDM\logs\

# Blast log (client-side):
%APPDATA%\VMware\VMware Horizon View Client\Logs\

# vdmadmin useful commands:
vdmadmin -A -getDomains     # AD trust status
vdmadmin -L                  # license info
vdmadmin -S -s [CS-FQDN]    # service status
vdmadmin -U -u [username]    # user session info

Horizon Event DB (PowerShell)

# Horizon REST API — recent events
$header = @{Authorization = "Bearer $token"}
$events = Invoke-RestMethod `
  -Uri "$cs/rest/monitor/v3/events/summary" `
  -Headers $header

# View pool status:
$pools = Invoke-RestMethod `
  -Uri "$cs/rest/inventory/v8/desktop-pools" `
  -Headers $header
$pools | Select-Object displayName, enabled,
  provisioningStatusData

// Related Pages

Continue the Deep Dive

📦

FSLogix 26.01 CU1

Profile containers, Cloud Cache, VHDX

🎯

DEM Deep Dive

FlexEngine, logon/logoff policy

📚

App Volumes

AppStacks, Writable Volumes, MSIX

🌐

UAG Config

Blast UDP, PCoIP, edge config