Manually creating optimized Windows images for Horizon VMs

Overview of the procedure to build a golden image

This guide provides a step-by-step procedure for creating optimized Windows images for use in Horizon deployments. For more information on why you should optimize Windows, and an introduction to the Windows OS Optimization Tool, see Why you should optimize, towards the end of this guide.

The procedure to build a golden image involves the following tasks.

1. Create a virtual machine on your chosen hypervisor capacity.
2. Install Windows.
3. Install the hypervisor tools and drivers.
4. Update Windows.
5. Install applications that you want to be part of the golden image.
6. Optimize Windows using the Windows OS Optimization Tool for Horizon.
7. Generalize Windows using the Windows OS Optimization Tool for Horizon.
8. Clean up Microsoft Store apps.
9. Install the Omnissa agents.
10. Install GPU drivers (optional).
11. Finalize Windows using the Windows OS Optimization Tool for Horizon.
12. Prepare the image for deployment.

How to use this guide

This guide is organized into a chapter for each of the tasks listed above.

• The procedure given in this guide is intended to be non-hypervisor specific and applicable to all hypervisors or capacity types.
• The tasks given in the procedure in this guide are sequential and build on one another.
• Ensure you complete each task in a chapter before moving on to the next one.

This guide also includes chapters that give guidance on performing specific activities on a particular hypervisor platform. Hypervisor-specific activities are included within the overall procedure as inline references and links (for example Create a virtual machine includes links to the various hypervisor specific guidance on doing this).

This guide currently includes specific activity guidance for:

• VMware vSphere
• Nutanix AHV
• Microsoft Azure

Important: With some capacity or hypervisor types, certain tasks are not required. This will be indicated in each task.

This guide also includes chapters on:

• Group Policies – Common group policy settings, including adding users to remote desktops, and deactivate the local administrator account.
• Day-2 updates - such as updating Windows and hypervisor tools.

Infrastructure prerequisites

Before you can perform the procedures in this guide, you must have certain infrastructure components installed and configured.

Verify that you have the following components installed and configured:

• Hypervisor management – Console and user credentials with login rights and the privileges required to create a VM.
• Hypervisor hosts or capacity – Capacity available and configured in the hypervisor management instance.
• Active Directory - An authentication infrastructure that includes Active Directory.
• DNS and DHCP - Available on the network subnets that will be used to create the golden image.
• Horizon 8 - If you plan to use Horizon 8 to create desktop pools or RDSH server farms, ideally at this point you would also have Horizon Connection Server installed and configured. For installation instructions, see the Evaluation Guide for Horizon 8.
• Horizon Cloud – If you plan to use Horizon Cloud to create desktop pools, you should have access to a Horizon Cloud tenant, with a Horizon Edge deployed in your capacity provider. For more information, see Evaluation Guide for Horizon Cloud Service.
• App Volumes - If you intend to use App Volumes, you must have the host name or IP address of the server on which App Volumes Manager is installed or the load balancer fronting the server on which App Volumes Manager is installed. You will enter this information when you install the App Volumes Agent on the golden image.

Create a virtual machine

The first step in creating your golden image is to create a suitable virtual machine on your chosen hypervisor or capacity platform.

Create a suitable virtual machine with at least the following virtual hardware:

• CPU – 4 vCPU or more
• Memory – 4GB or more
• Disk – Appropriately sized for an install the version of Windows. Use guidance from the hypervisor vendor but also allow space for applications you may wish to install in the golden image.
• Network – Attached to a suitable subnet and using the hypervisor optimized driver.
• Display – Virtual display with allocated vRAM.
• CD-ROM – Used to install Windows from the ISO installation media.
• TPM - If you are installing Windows 11, you should also add a Trusted Platform Module (TPM) device to the VM. The Windows 11 installer has a restriction to only install on the systems that include a TPM or vTPM device.

You may wish to allocate greater amounts of CPU and memory resources to the virtual machine than those planned for the clones that will be derived from the golden image. This can speed up Windows installation, application deployment, and system optimization processes.

You can decrease the CPU and memory back to desired levels after you have created the image and are Optimizing the VM hardware in the last task Prepare the image for deployment. On some hypervisor platforms you can also use Compute Profiles to apply different CPU and memory settings when deploying pools.

For guidance on creating a suitable virtual machine on a specific hypervisor or capacity, see:

• For a vSphere-based VM, see Create a vSphere-based VM.
• For a Nutanix AHV-based VM, see Create an AHV-based VM.
• For a Microsoft Azure VM, see Methods to add Microsoft Azure.

Install Windows

Once you have the virtual machine defined, you can proceed with installing Windows.

Prerequisites for installing Windows

You should only install Windows versions and editions that are supported by both Omnissa and Microsoft.

• Windows ISO file – You must have uploaded an ISO file to a hypervisor datastore or image repository.
• Supported Windows version - The ISO file must contain a supported version of the Windows operating system.
• Important: Use an OS version that has a Microsoft Windows volume license key using the Key Management Service (KMS). KMS treats each activated clone as a computer with a newly issued license. In a production environment, you must activate Windows. In an evaluation environment, you can create the VM and log in without activating Windows.

Supported operating systems

See the knowledgebase article Supported Windows 10 and Windows 11 Guest Operating Systems for Horizon Agent and Remote Experience, for Omnissa Horizon 8.x (2006 and Later) (78714), for the minimal Horizon version of that operating system version/edition.

Horizon only supports those that have active Microsoft support (or are extended with a Microsoft support contract). Check the following pages to determine if your intended version/edition is still supported:

• Windows 11
• Windows 10
• Windows Server

Installing Windows

After you boot the virtual machine (VM), installation of the Windows OS should begin automatically. You will accept most of the default settings and specify that you are doing a new installation rather than an update.

1. Open a remote console for the virtual machine (VM) using the hypervisor management console and power on the VM.
   1. With some hypervisor management you will need to power on the VM before you can connect to its remote console.
   2. See the relevant hypervisor specific guidance in the sections at the end of this guide.
      1. Open a remote console to a vSphere VM.
      2. Open a remote console to an AHV VM.
2. Boot the VM from the Windows installation ISO.

If you miss the message and the opportunity to press a key, you can reset or reboot the VM using the hypervisor management console.

1. Press a key on your keyboard.

3. Select the appropriate language settings.
   1. Select the correct Language to install option.
   2. Select the appropriate region for the Time and currency format.
   3. Click Next.

4. Select the keyboard settings.
   1. Choose the appropriate Keyboard or input method.
   2. Click Next.

5. Select the setup option.
   1. Click on the box next to I agree everything will be deleted…
   2. Click Next.

6. Select the Windows edition to install (This screen is only shown for an ISO that contains multiple editions).
   1. Select the image from the list.
      1. Important: For Windows Server, select an edition with "Desktop Experience".
   2. Click Next.

7. Accept the license agreement.
   1. Select the I accept the Microsoft Software License Terms check box.
   2. Click Next.

8. Select the location to install Windows.
   1. Select the disk you want to install Windows into.
      1. Note: If no drives are listed, load the SCSI driver that comes with the hypervisor tools. See the relevant hypervisor specific section towards the end of this guide for information on how to do this on the chose platform.
      2. Load the SCSI driver to install Windows on a vSphere VM.
      3. Load the SCSI driver to install Windows on an AHV VM.
   2. Click Next.

9. Review and start the installation.
   1. Click Install.

10. Monitor installation progress.
    1. Wait for Windows to be installed.

When Windows finishes installation, it will restart, and you can carry on to the next step of entering audit mode.

Enter audit mode

After the Windows operating system is installed, you need to enter audit mode.

Audit mode allows you to bypass the Windows Out-of-Box Experience (OOBE), the initial setup screen that asks for user information, region, and language, so you can run tasks such as, adding drivers, installing applications, applying updates, running scripts, and applying optimizations. You will enter OOBE, in a later task when you Generalize the image.

1. Enter audit mode by pressing CTRL+SHIFT+F3
   1. When Windows reboots after installing, you are prompted with a regional settings screen. The screen at which you enter audit mode depends on which Windows operating system you are using and could be worded differently:
      1. Is this the right country or region?
      2. Let's start with a region
      3. Get going fast
      4. Personalize
      5. Customize Settings
      6. Setup Windows
   2. Some operating systems will automatically log in to Windows after a restart operation, while others will prompt for user credentials.
   3. If prompted for credentials, use Administrator for the username and leave the password field blank.
   4. Press CTRL+SHIFT+F3 to switch to Windows to audit mode.

The following screenshot shows the screen where you press CTRL+SHIFT+F3 after you install Windows 11 24H2.

The following screenshot shows the screen where you press CTRL+SHIFT+F3 after you install Windows Server.

2. Windows will enter audit mode, reboot, and login as Administrator.
3. Cancel the System Preparation Tool dialog.
   1. While Windows is in audit mode, the Sysprep dialog will appear each time you login. Cancel the dialog to close it without executing Sysprep each time it appears.
   2. Click Cancel.

Install hypervisor tools and drivers

Once Windows is installed, the next step is to install the hypervisor tools. These can include drivers for network cards, mouse, etc.

Use the hypervisor specific guidance for the hypervisor or capacity type you are using:

• For a vSphere-based VM, see Install VMware Tools.
• For a Nutanix AHV-based VM, see Install the VirtIO drivers.

Update Windows

It is good practice to update Windows.

Install .Net Framework 3.5 (optional)

Many applications and functions leverage .Net Framework, so it is advantageous to install .Net Framework into the golden image and update it with Windows update. The Finalize task that you run later, performs a precompile of the .Net libraries which means that each clone does not have to do this at a later time.

1. Open a command prompt, Run as Administrator.
2. Run the following command

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess
/Source:D:\sources\sxs

The following screenshot shows an example of successfully running this command.

Install Windows updates

Check for and install the latest Windows OS updates.

1. Select Windows update in Windows settings.
   1. Open Windows Settings.
   2. Click Windows Update.
   3. Click Check for updates and wait for the updates to be installed.

Note: For earlier non-LTSC Windows 10 versions, click Advanced options first and select Defer feature upgrades so that new features are not downloaded and installed. Deferring feature upgrades does not affect security updates.

2. Restart Windows.
   1. Click Restart now.

3. When Windows restarts.
   1. Run Windows Update again until no more updates are available, and no restarts are required.

Install applications into the golden image

Although our primary application-delivery mechanism is App Volumes, it might be desirable to install select applications in the golden image VM so that all clones get those applications in their base disk.

Many applications have integrated auto-update functionality. Install these applications, and update them to the latest version, and then turn off or deactivate the auto-update functionality to prevent the clones from updating individually.

Turn off hardware graphics acceleration in commonly used applications

If the VMs are not going to be using a physical GPU in the hypervisor hosts, you can reduce CPU usage by not emulating hardware graphics in applications.

While you can disable these application settings in the golden image, Omnissa recommends using Dynamic Environment Manager configuration files to control these application settings.

Microsoft Office and Adobe Reader are already done by OSOT, unless you deselected them.

The following is an example of disabling this in the golden image, for Google Chrome.

1. Google Chrome
   1. To turn off hardware graphics acceleration for Chrome, navigate to chrome://settings/system
   2. Turn off Use hardware acceleration when available.

Optimize Windows using the Windows OS Optimization Tool for Horizon

In this task, you use the Windows OS Optimization Tool for Horizon (OSOT) to analyze the list of recommended optimizations, confirm your selections, and apply those optimizations.

1. Take a snapshot of the virtual machine (optional but recommended).
   1. A snapshot of the VM allows you to reset the VM to a pre-optimized state. This is useful if you discover that some of optimizations that you applied, disabled functionality that you want to retain.

1. Power down the VM by shutting down Windows.
2. Take a VM-level snapshot of the virtual machine.
3. Power the virtual machine back on.
4. For guidance on talking a VM-level snapshot on a specific hypervisor or capacity, see:
   2. For a vSphere-based VM, see Take a vSphere VM snapshot.
   3. For a Nutanix AHV-based VM, see Create an AHV VM recovery point.

2. Run the Windows OS Optimization Tool for Horizon (OSOT executable).
   1. You can run OSOT either from a network share or by copying the files into a local folder.
3. Accept the license.
   1. Select I accept the terms of the agreement.
   2. Click on Next.

4. Analyze recommended system optimizations to apply.
   1. Click Analyze.

5. Configure common options.
   1. Click the Common Options button.

6. Review the tabs to determine which options to set.
   1. Here you can select alternate defaults that will change the selection of optimizations that will be applied.
   2. Click through the Common Options sections using the left-hand menu, and change any settings as required.
      1. As an example, when creating a golden image to provision persistent VMs, you probably want to change the default optimizations for Windows Update and Search to leave them enabled.
      2. Other typical changes include selecting which Store Apps are kept.
   3. When you are finished configuring common options, click OK.

7. Select the optimizations to apply.
   1. Select the appropriate optimizations from the extensive list. For most VDI environments, use the default selection.

8. Export Selections (optional)
   1. Save your optimization selections prior to optimizing, using the Export Selections button.
   2. This generates a JSON file that can be imported into and reused for future optimizations of this image.
   3. It also allows you to import your selections into other images you might create.
9. Apply the optimizations.
   1. Click Optimize.

10. Monitor the optimization results until the process is complete.
11. Restart Windows.

Generalize Windows using the Windows OS Optimization Tool for Horizon

Generalizing a Windows image means removing computer-specific information so that the image can be deployed throughout an enterprise. You use the Generalize tab of OSOT to run the system preparation tool (Sysprep) with a supplied and editable unattend.xml answer file.

Turn off device encryption

Some recent versions of Windows 11 have been observed enabling device encryption functionality during installation. This causes an error during Sysprep execution when the Generalize task takes Windows out of audit mode to enter Out-of-Box Experience (OOBE).

If device encryption is enabled, you will need to disable it to prevent this issue.

1. Open Windows Settings.
   1. Select Privacy & security.
   2. Select Device encryption.

2. Turn off device encryption.
   1. Toggle Device encryption to Off (if it is already off you don’t need to change anything).
   2. Confirm by clicking Turn off.

Turning off device encryption can take some time to complete. Make sure decryption has fully completed, shown in Windows Settings, before moving on to run Generalize.

Run Generalize

Now run the Generalize task using the Windows OS Optimization Tool for Horizon, selecting your time zone and locales. You optionally, change other settings such as specifying a password for the Administrator account, or even viewing and editing the answer file that Sysprep will use.

1. Generalize Windows using the Windows OS Optimization Tool for Horizon.
   1. Select the Generalize tab in OSOT.
   2. Select the correct Time Zone, Input Locale, and System Locale.
   3. Click Generalize.

2. When the Generalize task completes.
   1. Select OK (if a message that confirms Generalize has completed is displayed).
   2. Restart Windows (if it does not automatically restart).
3. Wait for AppX package provisioning
   1. After Windows reboots and enters Out of the Box Experience mode, AppX packages can be provisioned.
   2. To allow these to be fully provisioned, you should wait 1-2 minutes after the first login post-generalize before progressing.

Clean up Microsoft Store apps

After you run Generalize and Windows restarts it enters OOBE mode (Out of the Box Experience). As part of entering OOBE, recent versions of Windows 11 have been observed to enable Copilot for the current user.

This can cause a problem if you intend to use Sysprep as the customization method when provisioning pools from this golden image. To avoid that use of Sysprep failing, you can remove CoPilot from the current user.

1.  Open a Windows PowerShell console, as Administrator.
2. Run the following command.

Get-AppxPackage –name Microsoft.Copilot | Remove-AppxPackage

Diagnosing Sysprep failures during pool provisioning

When a pool deployment fails, you can confirm if the cause is Sysprep by looking at the following Sysprep log file.

C:\Windows\System32\Sysprep\Panther\setupact/log

You can get this file from the internal template VM that is created as part of automated pool provisioning. Alternatively, you can clone the golden image, run Sysprep on that copy, and analyze the logs on that VM.

Below is an extract from the end of the setupact.log file showing the error caused by Copilot being installed for the current user.

For more information see Troubleshooting Windows Sysprep Failures and Known Issue (77253).

Install the Omnissa agents

Next, install the required Omnissa agents into the Windows image.

If you are also installing third-party agent software (for example FSLogix), you should also install it at this time.

When installing all the Omnissa agents, and third-party agents, the installation order would be the following:

1. Horizon Agent
2. Dynamic Environment Manager
3. FSLogix (example of a third-party agent)
4. App Volumes

Important: The App Volumes Agent should always be installed last, after any other Omnissa or third-party agent.

Prerequisites

To install the required Omnissa agents, you will need the following:

• User account – When you log in to the OS of the golden image to run the installer, the account you use must have local administrative privileges.
• Agent installation files – If necessary, you can download the agent installation files from the Customer Connect downloads page.

Install Horizon Agent

If you plan to create Horizon desktops or application pools or server farms, you must install Horizon Agent on the golden VM image so that Horizon servers can communicate with and manage the VMs that you deploy. The Horizon Agent also communicates with Horizon Client on end users' computers to provide features such as connection monitoring, virtual printing, access to the local file system, and access to locally connected USB devices.

 Prerequisites for installing Horizon Agent

To do this, you need the following:

• Horizon Agent installer – Horizon Agent installer (.exe) file is available from the Customer Connect Downloads page. You must download the file and copy it to the system where it will run or to a location accessible to the system.
• Windows Server – If you intend the machine to function as a Remote Desktop Services (RDS) host, install the Remote Desktop Session Host (RDSH) role before installing the Horizon Agent. The Horizon Agent wizard when install in RDS Mode.
• If you install Horizon Agent on a Windows Server on which the RDSH role is not installed, the wizard will show an additional screen to allow you to choose between RDS Mode and Desktop Mode. Selecting Desktop mode configures the Windows Server machine as a single-user virtual desktop rather than as an RDS host.

 Installing the Horizon Agent

1. Run the Horizon Agent installer file.
   1. Click Next on the welcome and license agreement page.

2. Configure the RDS or desktop mode.
   1. The following screen is only shown on a Windows Server which does not have the Remote Desktop Session Host (RDSH) role installed.
   2. Select either RDS Mode, for shared multi-user sessions, or Desktop Mode, for single-user (VDI) desktops.
      1. If you select RDS Mode the RDS role is installed and you are prompted to restart, after which you can launch the agent installer again.
   3. Click Next.

3. Select the network protocol configuration.
   1. The environment must be either IPv6 only or IPv4 only.
   2. Horizon does not support a mixed IPv6 and IPv4 environment.
   2. Select the IP mode (IP version 4 or IP version 6) that the agent should use.
   3. Click Next.

4. Indicate that this is a golden image.
   1. The following screen will only be displayed on some hypervisors or capacity platforms.
   2. Select This machine will be used as a Golden Image.
   3. Click Next.

5. Select required features.
   1. Select only the features that are required.
      1. For most environments these are Core, Horizon Instant Clone Agent, Horizon Audio, and Horizon Integrated Printing.
      2. Some features may have security considerations that you need to take into account (for example USB redirection).
   2. Click Next.

6. Enable remote desktop support.
   1. Leave the default selection of Enable the Remote Desktop Capability on this Desktop.
   2. Click Next

7. Register the agent instance with the Connection Servers.
   1. The following screen will only be displayed on some hypervisors or capacity platforms.
   2. Enter a hostname for one of the Connection Servers in your pod.
   3. Select Specify administrator credentials.
   4. Enter a Username and Password, with permission to register agents with the Horizon Connection Server.
   5. Click Next.

8. Click install.
   1. Tick the box to Automatically restart the system on successful completion.
   2. Click Install.

9. If Windows does not automatically restart.
   1. Click Yes.

Install the Dynamic Environment Manager Agent

Dynamic Environment Manager provides profile management by capturing user settings for the operating system and applications. Unlike traditional application profile management solutions, Dynamic Environment Manager captures only the settings that the administrator specifies. This reduces login and logout time because less data needs to be loaded. User data is managed through folder redirection.

FlexEngine, the Dynamic Environment Manager Agent component, applies the policies that the IT administrator creates with the Dynamic Environment Manager Management Console. To install this component, you run the same Dynamic Environment Manager Setup wizard that you run to install the management console.

Note: Installing the Dynamic Environment Manager Agent is an optional step. Install this agent only if you plan to use this functionality.

 Prerequisites for FlexEngine Installation

To do this, you need the following:

• Dynamic Environment Manager FlexEngine Installer –The installer is included in a ZIP file. You must download the file, extract the Dynamic Environment Manager MSI file, and copy it to the system where it will run or to a location accessible to the system.
• Internet access – The installation process includes a certificate revocation check to verify the digital signature of the MSI file. This check requires Internet access.

Note: When you install the Dynamic Environment Manager Agent on a VM where Horizon Agent is already installed, you are not required to specify a Dynamic Environment Manager license file. However, you are required to have purchased Dynamic Environment Manager.

 Installing Dynamic Environment Manager FlexEngine

1. Run the Dynamic Environment Manager installer file.
   1. Select I accept the Omnissa General Terms.
   2. Click Next.

2. Choose Destination Folder.
   1. Click Next.

3. Choose the Typical Setup Type.
   1. Click Typical.

The typical setup installs the DEM FlexEngine agent component, along with the optional components: Application Migration and Self-Support. You can also choose a Custom setup and select the components you want to install.

4. Begin Installation.
   1. Click Install.

5. Complete Installation.
   1. Click Finish.

Install the App Volumes Agent

App Volumes delivers applications that are not in the golden image. Application containers, called packages, are assigned to a user, group, OU, or machine and mounted each time the user logs in to a desktop. With this strategy, user changes can persist between sessions. App Volumes can also provide user-writable volumes, which allow users to install their own applications and have those applications follow the user as they connect to different virtual desktops.

Install the App Volumes Agent on the golden image so that the App Volumes Manager can communicate with the cloned VMs that are deployed and attach the correct applications for a user.

Notes: Installing the App Volumes Agent is an optional step. Install this agent only if you plan to use this App Volumes functionality.

 Prerequisites for installing the App Volumes Agent

To do this, you need the following:

• App Volumes Agent Installer –The App Volumes installer is distributed as an ISO file. You can mount the ISO on the machine where you want to create the App Volumes component, or you can also extract the ISO contents to a shared folder. This option allows you to install each component without mounting the ISO each time.
• App Volumes Manager server information – During agent installation, you will be prompted to enter the host name or IP address and port number of the App Volumes Manager that this agent will communicate with.

 Install the App Volumes Agent

1. Run the App Volumes Installer
   1. You can use either the Setup.msi file or the App Volumes Agent.msi installer files from the App Volumes ISO.
   2. The screens shown in steps 2 and 3 only appear if you run the installation using the setup.msi. if you used the App Volumes Agent.msi, they would not appear.
2. Accept the setup license.
   1. Click Next on the welcome and license page.

3. Select the App Volumes Agent component.
   1. Leave the default selection of Install App Volumes Agent.
   2. Click Install.

4. Accept the App Volumes Agent license.
   1. Click Next on the App Volumes Agent welcome and license page.

5. Select the deployment configuration.
   1. Leave the default selection of Connect to App Volumes Manager.
   2. Click Next.

6. Supply the App Volumes Manager information.
   1. Provide the App Volumes Manager Address.
   2. Leave Disable certificate validation with App Volumes Manager as the default, not selected.
   3. Click Next.

7. Choose the Machine Type.
   1. Change the selection to match the types of machines you intend to create from this golden image. (Leave this selected for non-persistent or deselected for persistent machines).
   2. Click Next.

8. Begin installation.
   1. Click Install.

9. When the installation completes, exit the setup wizard.
   1. Click Finish.

10. Do not restart Windows.

Install GPU drivers

Installing GPU drivers is an optional task.

This is only necessary if your hypervisor hosts have shared graphic cards installed, and you want to enable the virtual machines to use them.

Install NVIDIA vGPU driver and license in the base image

If your hypervisor hosts have NVIDIA GPUs installed, and you want to enable the virtual machines to use them, you need to install the NVIDIA vGPU drivers into Windows.

For more information on using NVIDIA vGPU, see:

• NVIDIA Virtual GPU (vGPU): VMware vSphere Deployment Guide

Enable Windows Remote Desktop

As soon as a GPU is active within the virtual machine, the hypervisor console will no longer work, so before you install the driver, you need to enable Windows remote desktop and add a password.

1. Enable remote desktop.
   1. Open Windows Settings.
   2. Go to System and then to Remote Desktop.
   3. Enable Remote Desktop.

2. Confirm the Remote Desktop Settings.
   1. Click on Confirm.

3. Go to Sign-in options and add a password.
   1. Click on Accounts.
   2. Click on Sign-in options.
   3. Expand Password.
   4. Click on Add.

4. Provide a password.
   1. Provide a new password, confirm it and provide a hint.
   2. Click Next.

5. Finish the wizard.
   1. Click on Finish.

Install NVIDIA drivers

1. Connect to the machine with RDP.
2. Start the NVIDIA guest driver installation package that came with the hypervisor driver you installed on the hypervisor hosts.
   1. Click on OK.
   2. Click on AGREE AND CONTINUE on the NVIDIA license agreement.
3. Click on NEXT to perform an Express installation.

4. When the installation finishes, click on CLOSE.

5. Copy the client configuration token (license) file.
   1. Copy the .tok file from the license portal
   2. Into C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken

Alternatively, you can store the client configuration token in a custom location, such as a network file share.

6. Change the registry string ClientConfigTokenPath (optional)
   1. This is located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing
   2. Change the value to the full path to the folder in which you want to store the client configuration token for the client.
   3. For more information, see Configuring a Licensed Client on Windows with Custom Settings in the NVIDIA documentation.
   4. Additionally, see the third-party blog Network placement of NVIDIA vGPU Licensing Client Configuration Token.

Finalize Windows using the Windows OS Optimization Tool for Horizon

Before you shut down Windows to use it in a Horizon pool or farm, it is best practice to run certain system cleanup jobs and clear information from certain fields. You can use the Finalize tab of OSOT to perform the following tasks.

System cleanup jobs:

• Native Image Generator (Ngen.exe) – Improves the performance of managed applications.
• NTFS Compression (compact.exe) – Saves space on the Windows image by running the operating system and other system files from compressed files. This strategy reduces the number of IOPS required for storage with cache and has a negligible impact on the CPU.
• Deployment Image Servicing Management (DISM.exe) – Cleans unused files from the Side-by-Side component store.
• Local Group Policy Object Utility (LGPO.exe) – Manages local group policy.
• Secure Delete (sdelete64.exe) – Provides the ability to overwrite empty space with zeros.

Clear information:

• Clear KMS settings.
• Release the IP address.
• Delete unnecessary files.
• Zero empty disk space.

Note: The jobs you select for finalization may vary when performing this on initial image creation versus Day-2 updates maintenance of an existing image. On subsequent Day-2 updates, you may consider deselecting options such as Zero empty disk space and Create Local Group Policies.

Prerequisites for running Finalize in OSOT

1. Download third-party tools.
   1. Local Group Policy Object Utility can be downloaded as a zip file, as part of the Microsoft Security Compliance Toolkit.
   2. Secure Delete can be downloaded by clicking https://download.sysinternals.com/files/SDelete.zip.
2. Make sure tools aren’t blocked and copy the tools to the OSOT folder.
   1. After downloading and extracting the executables, right-click each file (sdelete64.exe and lgpo.exe).
   2. Select Properties, and in the Properties dialog box,
   3. If available, select Unblock and click OK.
   4. Then move the executables to the same folder as OSOT and launch the Windows OS Optimization Tool for Horizon.

Run Finalize

1. Run the Windows OS Optimization Tool for Horizon (OSOT executable).
2. Select the Finalize tab.
3. Run the Finalize task.
   1. Deselect any cleanups job you do not want to run as part of the finalize task.
      1. It is recommended that all steps and jobs are selected to be run on initial image creation.
      2. Some jobs can take a considerable amount of time to process (e.g. Compact).
   2. Click Finalize.

4. When all steps are completed.
   1. Click OK.

5. Shut down Windows.

Prepare the image for deployment

With a built golden image virtual machine, you can now prepare it for use in deploying Horizon pools and farms.

Optimizing the VM hardware

If virtual hardware is no longer required it can be removed from the virtual machine, to reduce resource consumption. Depending on the hypervisor platform, this could include the following devices that are no longer needed and would consume additional resources on each clone:

• CD-ROM/DVD drives
• USB controller
• SATA controller

Additionally, you should remove the Trusted Platform Module (TPM) device from the Windows 11 golden image. Removing a TPM device on a golden image is needed to be able to export or clone the VM. Do not remove TPM devices from production machines when software is storing keys in the TPM device.

The Horizon pool provisioning process adds new and individual virtual TPM devices to each clone.

For guidance on optimizing the VM hardware on a specific hypervisor or capacity, see:

• For a vSphere-based VM, see Optimize the VM hardware on vSphere.
• For a Nutanix AHV-based VM, see Optimize the VM hardware on AHV.

Export and import the VM to adjust disk size

With some hypervisor platforms, you can reduce the disk size of the golden image VM, and therefore the initial disk size of the clones, by exporting it and then importing it.

If the Secure Delete tool (sdelete64.exe) was run during the Finalize task, it overwrote empty space with zeros. Using the export and import process you can select the thin-disk option and shrink the size of the VM.

For guidance on exporting the VM, and reimporting again, with a specific hypervisor or capacity, see:

• For a vSphere-based VM, see Export and import the vSphere VM to adjust disk size.

Take a VM snapshot or create a VM template

To use the golden image to create clones for either a desktop pool or an RDSH farm, you need to create a frozen state, from which clones can be derived.

• For vSphere-based instant-clone pools and server farms, you achieve this state by taking a VM snapshot of the golden image VM.
• For vSphere full-clone pools, you achieve this state by cloning the golden image VM to a VM template.
• For AHV, you achieve this state by cloning the golden image VM to a VM template.

For guidance on preforming this on a specific hypervisor or capacity, see:

• For a vSphere-based VM, see Take a vSphere VM snapshot.
• For a Nutanix AHV-based VM, see Create an AHV VM template from a VM.

Although it is possible to take a snapshot of a VM that is powered on, for the purposes of creating a base image for a Horizon desktop pool or server farm, the VM must be shut down and powered off.

Your golden image (VM or VM template) is now ready to use to deploy desktop pools or RDSH farms.

Group Policies

Much of the initial configuration and ongoing management of virtual desktops, RDSH server farms, feature enablement, and end user experience is performed by creating and applying group policies in Active Directory. Some standard Microsoft Group Policy Object settings are required to configure virtual desktops and applications.

If you use Horizon, you can also use the provided GPO administrative templates for fine-grained control of access to features. See Using Group Policy Administrative Template Files.

Organizational Units for VMs

You should create an organizational unit (OU) specifically for your virtual desktops and an OU for your RDSH server VMs. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs.

To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops or server farms, you can create a GPO for group policies and link it to the OU that contains your VMs.

You can also delegate control of the OU to subordinate groups, such as server operators or individual users.

User groups

You should also create groups for different types of users in Active Directory. For example, you can create a group called End Users for your end users and another group called Horizon Administrators for users that will administer virtual desktops and applications.

Later in this guide, you will add a user group containing end users to the local Remote Desktop Users group in AD. Then members of the group will be able to connect to any VM that is joined to the domain.

Set other common Group Policies

For both virtual desktops and RDSH servers, create a GPO for the OU in Active Directory, and use the Group Policy Management Editor to apply the following GPO settings.

Set policies for RDSH servers

If you plan to use the image for creating RDSH servers, create a GPO for the RDSH server OU in Active Directory, and use the Group Policy Management Editor to apply the following GPO settings.

If you use Horizon 8, review the settings listed in the RDSH Server OU-Level Settings section of the Horizon Configuration chapter of the Workspace ONE and Horizon Reference Architecture.

Add users to the local remote desktop users’ group

To connect to a remote desktop or RDSH server, users must belong to the local Remote Desktop Users group of the virtual desktop or RDSH server. You can use the Restricted Groups policy in Active Directory to add users or groups to the Remote Desktop Users group.

The members of the Remote Desktop Users group are always added to the local Remote Desktop Users group of every virtual desktop or RDSH server that is joined to your domain. When adding new users, you need only add them to the Remote Desktop Users group.

Note: Before you can perform the procedure in this article, you must have created one or more user groups in Active Directory that contain the end users who will connect to virtual desktops and RDSH servers.

1. Open the Group Policy Management Editor
2. Add a group.
   1. Expand Computer Configuration > Policies > Windows Settings > Security Settings.
   2. Right-click Restricted Groups.
   3. Select Add Group.

3. Add the Remote Desktop Users Group.
   1. In the Add Group dialog box, enter Remote Desktop Users.
   2. Click OK.

4. Add User Groups to the Remote Desktop Users Group.
   1. Click on Add... under Members of this group.
   2. Add a group of end users.
   3. Click OK in the Add Member dialog box.
   4. Click OK in the Remote Desktop Users Properties dialog box.

Deactivate the local administrator user account

When you built the golden image, the local Administrator account was left enabled. Depending on the options chosen during Generalize, it may also have a blank password.

Use a GPO to deactivate the local administrator account.

1. In the Group Policy Management Editor.
   1. Edit the GPO.
2. Navigate to Local Users and Groups.
   1. Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
   2. Click New.
   3. Click Local User.

3. Change Properties for the Local Administrator Account.
   1. Select Administrator (built-in).
   2. De-select User must change password at next logon.
   3. Select Account is disabled.
   4. Click OK.

If you use Horizon, you can also use GPO administrative templates for fine-grained control of access to features. See Using Group Policy Administrative Template Files.

Day-2 updates

It may be necessary to update the golden image with changes such as new Omnissa Horizon Agents, hypervisor tools, and Windows updates.

Update hypervisor tools

Use the hypervisor specific guidance to update the tools and drivers that are installed in Windows to support the hypervisor platform.

• For a vSphere-based VM, see Update VMware Tools.
• For a Nutanix AHV-based VM, see Update VirtIO drivers.

Update Windows as part of day-2 operations

Important: Updating Windows in the golden image is not typically recommended. Rather, it is better practice to generate a new image. You should build a new image on every Windows feature release and not upgrade the gold image.

If, however, you want to update Windows in the golden image, you can do so. The default optimization action is to disable Windows Update functionality, but you may have changed this in the common options selection during optimization.

If Windows Update functionality is disabled, you must re-enable it before you can update Windows. After you update Windows, the best practice is to run the OSOT to optimize and finalize again before using the updated VM.

1. Re-enable Windows Update functionality.
   1. Run OSOT again and click on the Update tab.
   2. Click Enable Windows Update. Let the process complete and click OK to close the information message that appears.
   3. Click Run Windows Update.

2. Update Windows
   1. To update Windows, follow the instructions from Install Windows updates.
3. Disable Windows Update functionality using OSOT.
   1. Click Restore to Original Settings. Let the process complete and click OK to close the information message that appears.

4. Use OSOT to Optimize and Finalize again.
   1. Optimize
      1. Running Optimize again is recommended as updates may have made changes to Windows that you do not want to be enabled. This could include services, scheduled tasks, etc.
      2. Follow the instructions from Optimize Windows using the Windows OS Optimization Tool for Horizon.
   2. Finalize
      1. Running Finalize again is recommended as updates may have made changes to Windows that need to be processed. This can include things like updates to .NET Framework, which a Finalize task can perform a pre-compile on.
      2. Follow the instructions from Finalize Windows using the Windows OS Optimization Tool for Horizon.

VMware vSphere specific guidance

This section only contains guidance on performing specific activities on VMware vSphere. For the overall procedure, refer to Overview of the procedure to build a golden image, at the beginning of this guide.

Prerequisites for vSphere

If you are using a vSphere infrastructure, which can reside either on-premises or on one or more cloud platforms, verify that you have the following components installed and configured:

• vCenter Server.
• vSphere ESXi host or hosts configured in the vCenter Server instance.
• vSphere user account – When you log in to vSphere Web Client, the account you use must have the privileges required to create a VM.

Create a vSphere-based VM

 For a vSphere-based infrastructure, you use vSphere Web Client to create the golden VM.

1. Start the new virtual machine wizard in the vSphere Web Client.
   1. In vSphere Web Client, right-click a data center, cluster, host, or VM folder.
   2. Select New Virtual Machine.

2. Select the new virtual machine creation type.
   1. Select Create a new virtual machine.
   2. Click NEXT.

3. Select a VM name and folder.
   1. Provide a name in the Virtual machine name field.
   2. Select a location.
   3. Click NEXT.

4. Select a cluster or host.
   1. Select a cluster or host as the compute resource.
   2. Click NEXT.

5. Select a datastore for the VM.
   1. Select a datastore or datastore cluster where you would like to store the VM.
   2. Click NEXT.

6. Select the vSphere compatibility level.
   1. Select the lowest version of ESXi that this VM would be deployed to.
      1. Tip: See Hardware Features Available with Virtual Machine Compatibility Settings.
   2. Click NEXT.

7. Select the Windows version and architecture.
   1. Select the Guest OS Version with the correct architecture (32- or 64-bit).
      1. Choose Microsoft Windows 10 when deploying Windows 11 to hardware version 19.
      2. Only enable Windows Virtualization Based Security (VBS) if your environment specifically requires it. (Note that VBS cannot be used together with vGPU or any kind of device passthrough.)
   2. Click NEXT.

8. On the customize hardware page, specify the CPU.
   1. Use the dropdown menu next to CPU to select the desired amount of vCPU.

9. Specify the memory settings for the VM.
   1. Expand the Memory section.
   2. Select Reserve all guest memory (All locked).
      1. Reserving all the guest memory removes the risk of memory swapping, ballooning, and the associated performance issues.
      2. This also removes the need for vSphere to create VM swap files for each clone and having to provide datastore space for them on suitably performant storage.

10. Specify the hard disk settings for the VM.
    1. Expand the New Hard disk section.
    2. Choose an appropriate hard disk size.
    3. Choose Thin Provision as the Disk Provisioning method.

11. Specify the SCSI controller.
    1. Expand the New SCSI controller section.
    2. Select VMware Paravirtual.

12. Specify the network controller and settings.
    1. Expand New Network.
    2. From the VM Network list, select the appropriate network.
    3. Select VMXNET3 as the Adapter Type.

13. Specify the CD/DVD drive settings.
    1. Expand New CD/DVD Drive.
    2. Select Datastore ISO File and browse to the Windows ISO file.
    3. Select Connect At Power On.

14. Add a second CD/DVD drive (optional).
    1. When installing something older than Windows 11 22H2 or Windows Server 2022, you need to add a second CD/DVD drive to allow you to mount the VMware Tools during Window installation, so you can install the SCSI driver.
    2. At the top of the page click on ADD NEW DEVICE
    3. Select CD/DVD Drive.

15. Specify video settings.
    1. Expand the Video card section.
    2. Select the maximum Number of displays that will be used.
    3. Use the table below to determine which number to enter in the Total video memory field.

Note: The table that follows describes the small amount of RAM on the ESXi host that is required for video overhead in addition to system memory. This VRAM size requirement depends on the display resolution and number of monitors configured for end users.

16. Add a virtual TPM device for Windows 11 (if not already present).
    1. When installing Windows 11 with newer VM hardware levels, a Trusted Platform Module (TPM) should already be present under Security Devices. If you are installing Windows 11 and using VM Hardware Level 19 (ESXi 7 U2) or earlier, you will have to add the Trusted Platform Module.
    2. At the top of the page click on ADD NEW DEVICE.
    3. Select Trusted Platform Module.

17. Add a vGPU device (optional).
    1. When you want to use vGPU, you need to add a PCI device to the VM.

1. At the top of the page click on ADD NEW DEVICE.
2. Select PCI Device.

18. If you’ve added vGPU
    1.  Select the desired profile.
    2. Click on SELECT.

19. Add Advanced Parameters.
    1. At the top of the customize hardware page, select Advanced Parameters.
    2. Add a new attribute devices.hotplug with a Value of false.
    3. Click on ADD.
    4. Click on NEXT.

20. Click on FINISH.

Open a remote console to a vSphere VM

1. Open a Remote Console for the Virtual Machine (VM).
   1. Using the vSphere Web Client, from the inventory list, select the newly created Windows VM.
   2. Launch a console for the VM by clicking either Launch Web Console or Launch Remote Console.

Note: To launch a remote console, you must have downloaded and installed the vSphere Remote Console.

Note: To launch a Web Console, the VM must first be powered on.

2. Power on the VM.
   1. Click the small green triangle-shaped button at the top of the remote console window or in the vSphere Client page for the VM.

Load the SCSI driver to install Windows on a vSphere VM

With some older versions of Windows, the PVSCSI driver is not included in the Windows installation media. In those cases, you will need to load the PVSCSI Driver from the VMware Tools disk image, to be able to install to use the PVSCSI controller and install Windows to the disk.

Note: Windows 11 22H2 and later, and Windows Server 2022/2025 and later, come with the PVSCSI driver so you should not need to mount the VMware Tools disk image and select it.

1. Access the Tools Disk Image from vSphere Web Client.
   1. Click on Actions > Guest OS and click on Install VMware Tools.

2. Mount the VMware Tools disk image on a virtual drive of the VM.
   1. Click on MOUNT and go back to the remote console.

3. Switch back to the VM remote console and open the load driver dialog box.
   1. Click Load driver.

4. Open the file browser.
   1. Click Browse.

5. Browse to the correct PVSCSI driver.
   1. Browse to E:\Program Files\VMware\VMware Tools\Drivers\pvscsi\
   2. Then navigate to and select the sub-directory that corresponds to the version of Windows you are installing, as indicated in the table below.
   3. Click OK when you have selected the correct driver.

6. Select the driver.
   1. With the VMware PVSCSI driver selected, click Next.

Windows should now recognize the hard disk attached to the PVSCSI controller and you should be able to select it as a target to install Windows to.

Install VMware Tools

VMware Tools is a set of services and modules that enable several features for better management of, and seamless user interactions with, guests operating systems. For example, Tools can run scripts that automate OS operations and can synchronize the time in the guest operating system with the time on the vSphere host. You must install Tools in vSphere based VMs used for desktop and application pools.

1. Using the vSphere Web Client.
   1. Select the VM in the inventory list.
2. Access the VMware Tools disk image.
   1. From the Summary tab for the VM, click on Actions and click on Install VMware Tools.

3. Mount the VMware Tools disk image.
   1. Click MOUNT.

4. Go back to the vSphere remote console for the VM.
   1. Open File Explorer and select the VMware Tools virtual drive.
   2. Run setup.exe.

5. Click Next on the welcome page.
   1. Click Next.

6. Select the custom setup type.
   1. Select Custom.
   2. Click Next.

7. Deactivate the Carbon Black Helper component (if not required).
   1. Deselect VMware Carbon Black Helper, unless you use Carbon Black.

8. If you leverage NSX, enable the NSX File and Network Introspection drivers.
9. Deactivate the service discovery component.
   1. Scroll down.
   2. Deselect Service Discovery, which enables the discovery of various services running inside a virtual machine. This component is not necessary.

10. Deactivate the volume shadow copy component.
    1. Scroll down.
    2. Deselect Volume Shadow Copy Services Support. This component is not required.
    3. Click Next.

11. Begin installation of VMware Tools
    1. Click Install.

12. Exit the installation wizard.
    1. Click Finish.

13. Restart Windows
    1. Click Yes and Windows will reboot.

You have now completed installing VMware Tools.

Take a vSphere VM snapshot

This procedure describes taking a VM snapshot.

1. Using vSphere Web Client.
   1. Select the VM in the inventory list.
   2. Ensure that the VM is powered off.
2. Click on Snapshots.
   1. In the VM details pane, select the Snapshots menu.
   2. Click on TAKE SNAPSHOT.

3. Define and create the Snapshot.
   1. Provide a descriptive Name; for example, the name might include the date of the snapshot.
   2. Click CREATE.

Optimize the VM hardware on vSphere

If virtual hardware is no longer required it can be removed from the virtual machine, which will reduce resource consumption on each clone.

1. Using the vSphere Web Client.
   1. Select the VM in the inventory list.
   2. Ensure the VM is shutdown.
2. Open the Edit Settings dialog box.
   1. Right-click the VM and select Edit Settings.
3. Adjust CPU and memory (optional).
   1. You may wish to change the allocated CPU and memory.
   2. Change the CPU value.
   3. Change the Memory value.
4. Remove the CD/DVD drives.
   1. In the CD/DVD drive 1 row, click the three dots on the right-hand side.
   2. Select Remove device.
   3. Do the same for the CD/DVD drive 2 if it exists.

5. Remove the SATA Controller.
   1. In the SATA Controller 0 row, click the three dots on the right-hand side.
   2. Select Remove device.

6. Remove the USB controller.
   1. In the USB xHCI controller row, click the three dots on the right-hand side.
   2. Select Remove device.

7. Apply the virtual hardware changes.
   1. Click OK.

Remove the virtual TPM device

Removing a Trusted Platform Module (TPM) device on a golden image is needed to be able to export or clone the VM. A TPM device is normally only added to a Windows 11 VM.

Do not remove TPM devices from production machines when software is storing keys in the TPM device. See https://knowledge.broadcom.com/external/article?legacyId=88320 for an alternative method that doesn’t remove a TPM device.

1. Delete any snapshots from VM.
2. Remove the virtual TPM device.
   1. Edit the VM settings again and expand the Security Devices section.
   2. In the Virtual TPM row, click the three dots on the right-hand side.
   3. Select Remove device.

3. Confirm removal of the TPM device.
   1. Click DELETE.

4. Apply the removal of the TPM device.
   1. Click OK.

Export and import the vSphere VM to adjust disk size

Using the export/import process described in this section, you can select the thin-disk option and shrink the size of the VM according to the number of zeroes written during the finalize procedure, when the Secure Delete tool (sdelete64.exe) was run to overwrite empty space with zeros.

Over time the space reclamation function of vSphere could do the same if enabled.

1. Using vSphere Web Client.
   1. Select the VM in the inventory list.
   2. Ensure that the VM is powered off.
2. Export to OVF (Open Virtualization Format).
   1. Right-click the VM and select Template.
   2. Select Export OVF Template.

3. Supply OVF template information.
   1. Optionally provide an Annotation; for example, you could specify the Windows build number.
   2. Select Enable advanced options.
   3. Select Include extra configuration.
   4. Click OK.

4. Download and save the VM files.
   1. Your web browser should allow you to download and save the following files: .ovf, .nvram, .vmdk, .mf.
   2. During export of the VM the file download may appear to stall. This is normal as the export is skipping empty (non-used) space.
   3. In some vSphere environments there may be a delay where the .mf (manifest) file has a slight delay before the download is started after other files complete.
   4. Do not delete the original VM from inventory until all required files are downloaded.
5. Deploy the OVF template.
   1. Right-click a VM folder, host, or cluster.
   2. Select Deploy OVF Template.

6. Select the OVF template you just exported.
   1. Select Local file.
   2. Click UPLOAD FILES.
   3. Browse to and select all files you have just downloaded when exporting to OVF:  .ovf, .nvram, .vmdk, and click Open.
   4. Click NEXT.

7. Select a folder.
   1. Change the Virtual machine name so that it is unique.
   2. Select a folder as a location for this VM in the vSphere inventory.
   3. Click NEXT.

8. Select a compute resource.
   1. Select a compute resource to host this VM.
   2. Click NEXT.

9. Review details.
   1. Click NEXT.

10. Select storage.
    1. Select a datastore.
    2. When using storage without storage policies, select Thin Provision; otherwise, select an item from the VM Storage Policy list that has thin provisioning.
    3. Click NEXT.

11. Select network.
    1. Select a Destination Network.
    2. Click NEXT.

12. Click finish on the ready to complete page.
    1. Click FINISH.

Delete the original VM after importing the OVF template

Once you are satisfied with the imported VM, you can delete the original VM, to save disk space.

1. Using vSphere Web Client.
   1. Select the original VM from the inventory list.
2. Delete the original VM.
   1. Right-click on the VM and select Delete from Disk.
3. Confirm the deletion.
   1. Click YES.

Update VMware Tools

When new versions of VMware Tools are released, use this procedure to update Tools in the golden image.

1. Use the vSphere Web Client.
   1. Select the VM in the inventory list.
2. Open the edit VM settings dialog box.
   1. Right-click the VM and select Edit Settings.
3. Add a virtual CD/DVD drive back to the VM.
   1. Click ADD NEW DEVICE.
   2. Select CD/DVD Drive.
   3. Click OK.

4. Power on the VM.
   1. Select the VM.
   2. Click on the power icon.
5. Click upgrade VMware Tools on the summary tab.
   1. On the Summary tab for the VM, click Upgrade VMware Tools.
6. Use the interactive upgrade.
   1. Select Interactive Upgrade.
   2. Click UPGRADE.
7. Now repeat the steps from Install VMware Tools.
8. Remove the virtual CD/DVD drive from the VM.
   1. When the upgrade of VMware Tools has completed, you should remove the CD/DVD drive that you added.
   2. Follow the guidance in Optimize the VM hardware on vSphere.

Nutanix AHV specific guidance

This section only contains guidance on performing specific activities on Nutanix AHV. For the overall procedure, refer to Overview of the procedure to build a golden image, at the beginning of this guide.

Prerequisites for Nutanix AHV

The installation media needs to be imported to the Images store before creating a VM.

• Windows installation media (ISO).
• Nutanix VirtIO drivers (ISO).

1. Import the Windows installation media using the Prism Central console.
   1. Ensure the console has the Infrastructure view selected.
   2. Expand the Compute option in the left-hand menu.
   3. Select Images.
   4. Select Add Image.

2. Select the Image File.
   1. Click on Add File and browse to the location you have the Windows ISO.
   2. Adjust the Name as necessary (usually if the name is too long).
   3. Click Next.

3. Select the Location.
   1. Select the same Cluster where you intend to locate your golden image VM.
   2. Click Save.

4. You can monitor the progress of the Upload using the Recent Tasks functionality of the Prism Central console.
5. Repeat the steps for the Nutanix-VirtIO-x.y.z.iso file.

Create an AHV-based VM

For a Nutanix AHV-based infrastructure, you use the Prism Central console to create the golden VM.

1. Start the new virtual machine wizard in the Prism Central console.
   1. Ensure the console has the Infrastructure view selected.
   2. Expand the Compute section in the left-hand menu.
   3. Select the VMs entry in the left-hand menu.
   4. Select Create VM.

2. Complete the Configuration page.
   1. Specify a Name for the VM.
   2. Choose a Cluster where the VM will be hosted.
   3. Configure the VM Properties, including CPUs and Memory.
   4. Click Next.

3. Add hard disk to the VM.
   1. On the Resources page, in the Disks panel, click on Attach Disk.
   2. Leave the Type as Disk.
   3. Change the Capacity to a suitable size, e.g. 90GB.
   4. Click Save.

4. Add CD-ROM drive for Windows installation media.
   1. Still on the Resources page, click on Attach Disk (just above the Disks panel).
   2. Change the Type to CD-ROM.
   3. Change the Operation to Clone from Image.
   4. Click on the Image field and select the appropriate Windows installation image (you uploaded this as part of the prerequisites).
   5. Click Save.

5. Add CD-ROM drive for SCSI controller driver (VirtIO).
   1. Click on Attach Disk to add s second CD-ROM device.
   2. Change the Type to CD-ROM.
   3. Change the Operation to Clone from Image.
   4. Click on the Image field and select the Nutanix VirtIO installation image (you uploaded this as part of the prerequisites).
   5. Click Save.

6. Attach a network.
   1. Still on the Resources page, in the Network panel, click Attach to Subnet.
   2. Select the appropriate Subnet that you want to attach this VM to.
   3. Click Save.

7. Configure the Shield VM Security Settings.
   1. For Windows 11, you need to configure security settings, including attaching a vTPM to the VM.
   2. Tick the box next to Secure Boot.
   3. Tick the box next to Attach vTPM.
   4. Click Next.

8. Configure the Timezone on the Management page.
   1. Select the appropriate Timezone.
   2. Click Next.

9. Review the VM settings and create the VM.
   1. Click Create VM.

10. You can monitor the progress using the Recent Tasks functionality of the Prism Central console.

Open a remote console to an AHV VM

For a Nutanix AHV-based infrastructure, you use the Prism Central console to open a remote console to a VM.

1. Using Prism Central, browse to and select the VM.
   1. In the VM Summary pane, click on the More menu.
   2. Select Power On.

2. Open a Remote Console for the Virtual Machine (VM).
   3. In the VM Summary pane, click on the Launch console button.
      1. You might need to refresh the VM Summary page before the Launch Console button is available.
      2. Clicking on the Summary menu option should do this.

Load the SCSI driver to install Windows on an AHV VM

The SCSI driver for the AHV implementation of a SCSI controller is not included in the Windows installation media.

When you try to install Windows, you will not see any hard drives until you load the SCSI driver from the VirtIO installation media.

1. Load a new driver.
   1. Click on Load Driver.

2. Select the correct driver folder.
   1. Click on the Browse button.
   2. Navigate to the appropriate Windows and architecture folder.
   3. Click OK.

3. Select and install the SCSI controller.
   1. Select the row Nutanix VirtIO SCSI pass-through controller.
   2. Click Install.

You can now return to Installing Windows, where you will be able to select the hard disk as a location to install Windows to.

Install the VirtIO drivers

The Nutanix VirtIO drivers enable the support for various hardware devices, such as SCSI controllers, and network cards.

You must install the network driver before you can continue working with Windows.

1. Open File Explorer.
   1. Browse to the CD Drive with the mounted Nutanix VirtIO image.
   2. Run the installer Nutanix-VirtIO.x.y.z-x64.msi.

2. Accept the license agreement.
   1. Select I accept the terms in the License Agreement.
   2. Click Install.

3. Close the setup.
   1. Click Finish.

Windows will now be able to recognize the network card and you can continue with the next task, Update Windows.

Install the Horizon Agent on an AHV VM

When installing the Horizon Agent on a Nutanix AHV-based VM, ensure that the following configuration is followed:

• Select the option to indicate that This machine will be used as a Golden Image.
• Ensure that the Instant Clone Agent feature is selected for installation.
• Register the agent instance with a Horizon Connection Server.

Create an AHV VM recovery point

This procedure describes creating a VM recovery point for an AHV VM.

1. Using Prism Central, browse to and select the VM.
   1. Ensure that the VM is powered off.
2. Open the recovery point wizard.
   1. In the VM Summary pane, click on the More menu.
   2. Select Create Recovery Point.

3. Create the recovery point.
   1. Enter a meaningful name in Recovery Point Name.
   2. Click Create.

You can monitor the progress in Recent Tasks.

Optimize the VM hardware on AHV

If virtual hardware is no longer required it can be removed from the virtual machine, which will reduce resource consumption on each clone.

1. Using Prism Central, browse to and select the VM.
   1. Ensure that the VM is powered off.
2. Update the VM hardware.
   1. In the VM Summary pane, click on the Update button.

3. Adjust CPU and memory (optional).
   1. You may wish to change the allocated CPU and memory.
   2. Change the CPU value.
   3. Change the Memory value.
4. Move to Resources tab of the VM.
   1. Click Next.
5. Remove the CD-ROM drives.
   1. In the first CD-ROM row, click the trash icon on the right-hand side.
   2. In the remaining CD-ROM row, click the trash icon on the right-hand side.
   3. Click Save.

Remove the virtual TPM device

Removing a TPM device on a golden image is needed to be able to export or clone the VM. Do not remove TPM devices from production machines when software is storing keys in the TPM device.

1. Update the VM hardware.
   1. In the VM Summary pane, click on the Update button.
2. Move to Resource tab of the VM.
   1. Click Next.
3. Remove the virtual TPM device.
   1. Deselect Attach vTPM.
   2. Click Save.

Create an AHV VM template from a VM

This procedure describes creating a VM template from the VM on Nutanix AHV.

1. Using Prism Central, browse to and select the VM.
   1. Ensure that the VM is powered off.
2. Open the VM Template wizard.
   1. Select Create VM Template.

3. Name the VM template.
   1. Fill in the Name field with an appropriate name for the VM template.
   2. Click Next.

4. Save the VM template.
   1. Click Save.

You can monitor the progress of the VM template creation in Recent tasks.

Update VirtIO drivers

This procedure describes updating the Nutanix VirtIO drivers in a VM.

• Download the updated VirtIO installer.
• The latest version of the Nutanix VirtIO installer can be downloaded from: https://portal.nutanix.com/page/downloads?product=ahv&bit=VirtIO

For ease of update, download the installer version (msi). The ISO version can be used but that will require you to upload the ISO to Images and then add a CD-ROM to the VM to use that image.

1. Open a console to the VM and login to Windows.
   1. Follow the instructions in Open a remote console to an AHV VM.
   2. Login into Windows.
2. Run the VirtIO installer.
   1. Run the Nutanix-VirtIO.x.y.z-x64.msi
   2. Follow the instructions in Install the VirtIO drivers.
3. Create a new VM template and update the Horizon pool with using the new VM template.
   1. Follow the instructions in Create an AHV VM template from a VM.

Microsoft Azure specific guidance

This section only contains guidance on performing specific activities on Microsoft Azure. For the overall procedure, refer to Overview of the procedure to build a golden image, at the beginning of this guide.

Prerequisites

If you are using Horizon Cloud Service consuming Microsoft Azure capacity, you must provide your own Microsoft Azure IaaS capacity and configure the Microsoft Azure prerequisites for a Horizon Cloud Service deployment.

Methods to add Microsoft Azure images

There are three methods to add a Microsoft Azure image to Horizon Cloud.

• Import an image from Microsoft Azure Marketplace - Use this option if you need an image based on the latest OS builds available in the Azure Marketplace.
• Add an image with Microsoft Custom VM - Choose this option if you have a custom workflow in Azure that generates base VMs for preparing images. This method also supports adding an image on a custom VM hosted on a Microsoft Azure dedicated host.
• Add an Image from Microsoft Azure Compute Gallery - Select this option if you have an existing image in your Microsoft Azure Compute Gallery.

For more information, see Managing Images for Microsoft Azure Provider Deployments.

Why you should optimize

The considerations for creating a Windows image for deployment as virtual machines are different from those if using it on physical machines.

• Physical machines – Resource usage on a physical machine only impacts the user who is using that machine. The operating system on a physical machine determines whether or not resources are available. One-time actions impact the user only the first time they are performed because the machine is never refreshed. For example, a user typically gets a new user profile the first time they log on, and they continue to use that same profile with all subsequent logons.
• Virtual machines – In contrast, in a virtual environment, the guest operating system behaves as if it has exclusive access to the CPU cores, but in reality, the cores are shared between multiple virtual machines. When using nonpersistent Omnissa Horizon VMs or user profiles, the actions that are intended to run only once could run every time a user logs on.

Therefore, with virtual desktops, one-time system actions must be configured in the golden image, and one-time user actions must be configured in the default user profile. In addition, to reach a higher consolidation ratio, increasing the number of VMs hosted on a single hypervisor host, it is recommended to turn off Windows features that are not required.

Advantages of an optimized image

Optimizing the golden image is well worth the time and effort involved. Savings are returned on a variety of fronts.

 Initial deployment time savings

By trimming the image, you can reduce the amount of required disk space by up to 80 percent, which translates to a significant reduction in the time it takes to create desktop pools (up to 3 times faster).

By default, Windows generates native images and performs disk cleanup actions after being idle for 10 minutes, which can use a full core for up to an hour. When deploying a large pool, this means that the cluster might not be usable for up to an hour after deployment. With image optimization, however, this process could be reduced to 30 seconds.

 User logon time savings

When a user logs on, the portion of logon time devoted to creating a standard user profile can take up to 30 seconds, but when optimized, this portion of logon time could be reduced to 3.5–10.5 seconds.

 Host memory savings

A default deployment can use up to 2 GB of active memory, but with optimization, memory requirements can be reduced significantly (up to 50 percent).

 Host CPU savings

An optimized deployment can reduce CPU usage by up to 40 percent, allowing for up to a 40-percent increase in VM density on the physical hypervisor host.

 Storage and IOPS savings

Because of the earlier-mentioned disk-space savings, you realize cache-usage improvements as well. Deactivating unneeded features and compressing the OS files means a larger portion can fit in the cache, which can reduce the amount of IOPS required by up to 250 percent.

Windows OS Optimization Tool for Horizon

The Omnissa Windows OS Optimization Tool for Horizon (often referred to as OSOT) helps optimize Windows 10/11 and Windows Server systems for use as VDI or RDSH server VMs.

OSOT includes customizable templates to activate or deactivate Windows system services and features, according to recommendations and best practices, across multiple systems. Because most Windows system services are enabled by default, OSOT can be used to easily deactivate unnecessary services and features to improve performance. For more information on the Windows OS Optimization Tool for Horizon, see Optimizing Images for Horizon.

OSOT also includes the ability to run commonly used Windows tools for image creation and optimization, including the Native Image Generator (Ngen.exe), NTFS Compression (compact.exe), and Deployment Image Servicing Management (DISM.exe). These tools can be run from the Finalize tab of the OSOT.

Using automation

A recommended alternative to manually creating the VM image is to use automation, which is provided by Microsoft Deployment Toolkit (MDT). For step-by-step instructions, see the companion guide Using Automation to Create Optimized Windows Images for Horizon VMs.

Summary and additional resources

With the image optimization procedures in this guide, you are able to achieve a significant reduction in the amount disk space, CPU, and memory used by virtual desktop and RDSH server VMs and their vSphere hosts. The result is corresponding savings in initial deployment time, user logon times, and IOPS.

• Image optimization techniques included:
• Deleting unnecessary files and folders, such as event logs and temporary files
• Compressing OS files
• Zeroing out free disk space and shrinking the disk

Using the Windows OS Optimization Tool for Horizon greatly simplifies many of these tasks.

This guide also provided step-by-step instructions for configuring the Windows image to perform optimally in a virtual environment, where CPU cores are shared among many VMs, and where users might be accessing a new VM every time they log in, though they probably will not realize it.

The procedures in this guide help you create an optimized Windows image that you can use in a Horizon implementation or in other types of deployments.

Additional resources

For more information about the products mentioned in this guide, you can explore the following resources:

• Horizon 8 documentation
• Horizon Cloud documentation
• Dynamic Environment Manager documentation
• App Volumes documentation
• Omnissa Product Interoperability Matrix

Changelog

The following updates were made to this guide:

About the author and contributors

• Graeme Gordon, Senior Staff Architect, Omnissa
• Hilko Lantinga, Staff Engineer 2, Omnissa.

Feedback

Your feedback is valuable.

To comment on this paper, contact us at tech_content_feedback@omnissa.com.