{"id":288,"date":"2025-11-08T15:28:49","date_gmt":"2025-11-08T14:28:49","guid":{"rendered":"https:\/\/techbygiusi.com\/?p=288"},"modified":"2025-11-20T15:18:58","modified_gmt":"2025-11-20T14:18:58","slug":"fslogix-horizon-entra-hybrid-join-configuration","status":"publish","type":"post","link":"https:\/\/techbygiusi.com\/index.php\/guide\/fslogix-horizon-entra-hybrid-join-configuration\/","title":{"rendered":"FSLogix + Horizon + Entra Hybrid Join Configuration"},"content":{"rendered":"\n<p>Over time, I\u2019ve tested many different setups for VMware Horizon environments \u2014 some more successful than others. But after countless rebuilds, troubleshooting sessions, and user feedback, I finally landed on what I consider <em>my ideal configuration<\/em>: a Horizon environment powered by <strong>FSLogix profiles<\/strong> and <strong>Entra Hybrid Joined<\/strong> virtual machines.<\/p>\n\n\n\n<p>In this post, I\u2019ll walk through how I\u2019ve structured the configuration, step by step:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"#Building-the-Horizon-Master-Image\" data-type=\"internal\" data-id=\"#Building-the-Horizon-Master-Image\"><strong>Building the Horizon Master Image<\/strong><\/a> \u2013 the base OS, optimizations, and agents I include.<\/li>\n\n\n\n<li><a href=\"#Preparing-the-Horizon-Master-Image-for-Entra-Hybrid-Join\" data-type=\"internal\" data-id=\"#Preparing-the-Horizon-Master-Image-for-Entra-Hybrid-Join\"><strong>Joining to Entra Hybrid<\/strong><\/a> \u2013 the configuration details that ensure smooth sign-in and device registration.<\/li>\n\n\n\n<li><a href=\"#Configuring-the-Desktop-Pools\" data-type=\"internal\" data-id=\"#Configuring-the-Desktop-Pools\"><strong>Configuring the Desktop Pools<\/strong><\/a> \u2013 settings that keep login performance and flexibility balanced.<\/li>\n\n\n\n<li><a href=\"#Setting-Up-FSLogix-Profiles\" data-type=\"internal\" data-id=\"#Setting-Up-FSLogix-Profiles\"><strong>Setting Up FSLogix 
Profiles<\/strong><\/a> \u2013 how I handle profile containers, exclusions, and storage.<\/li>\n\n\n\n<li><a href=\"#Final-Tweaks-and-Recommendations\" data-type=\"internal\" data-id=\"#Final-Tweaks-and-Recommendations\"><strong>Final Tweaks and Recommendations<\/strong> <\/a>\u2013 small but impactful adjustments that make the whole environment stable and fast.<\/li>\n\n\n\n<li><a href=\"#Sources\" data-type=\"internal\" data-id=\"#Sources\"><strong>Sources<\/strong><\/a><\/li>\n<\/ol>\n\n\n\n<p>\u26a0\ufe0f <strong>Disclaimer:<\/strong><br>I\u2019m not a certified VMware professional. Everything described in this post is based on my own hands-on experience and the configuration that has proven reliable in my environment.<br>These recommendations come from extensive testing, trial and error, and real-world practice \u2014 not from official VMware training or certification materials.<br>Most of the configurations and procedures were developed by following tutorials, community discussions, and official guides or knowledge base articles from VMware, Microsoft, and other trusted sources.<br>All referenced sources can be found at the end of this post.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"Building-the-Horizon-Master-Image\">1. Building the Horizon Master Image<\/h6>\n\n\n\n<p>For the base image, we start with a clean, patched Windows 11 Enterprise image. After joining it to the domain, we install the following key components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Omnissa Horizon Agent (selecting only the features needed for my pools)<\/li>\n\n\n\n<li>FSLogix Apps<\/li>\n\n\n\n<li>Latest Windows Updates<\/li>\n\n\n\n<li>VMware Tools<\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udca1 <strong>Tip:<\/strong><br>Since the switch to <strong>Omnissa Horizon licensing<\/strong>, the <strong>Helpdesk Plugin<\/strong> is now included in the <strong>standard license package<\/strong>. 
That means you can enable it directly during the setup process without needing any additional licenses. Make sure to activate it in the Omnissa Horizon Agent configuration \u2014 it\u2019s a powerful tool for monitoring user sessions and troubleshooting performance issues.<\/p>\n\n\n\n<p>At the time of writing this post, our environment is running:<\/p>\n\n\n\n<p>VMware Tools: 12.5.3 (Build 24819442)<br>Omnissa Horizon Agent: Version 2506<\/p>\n\n\n\n<p>In previous years, we used the <strong>VMware OS Optimization Tool (OSOT)<\/strong> to remove unnecessary services and scheduled tasks from the master image. However, after experiencing a few stability issues with certain applications, we decided to move away from OSOT. Instead, we created a <strong>small custom cleanup script<\/strong> that we run right before shutting down the master image and taking a snapshot.<\/p>\n\n\n\n<p>Our current script contains the following tasks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delete temporary files<\/li>\n\n\n\n<li>Delete downloads of the currently logged-in user<\/li>\n\n\n\n<li>Empty Recycle Bin<\/li>\n\n\n\n<li>Start Disk Cleanup<\/li>\n\n\n\n<li>Reset network settings<\/li>\n\n\n\n<li>Optimize storage (optional, may take a while)<\/li>\n<\/ul>\n\n\n\n<p>start cleanup.ps1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@echo off\n:: Enable UTF-8 console output\nchcp 65001 &gt;nul\n\n:: Start cleanup.ps1 with PowerShell in bypass mode\nset SCRIPT=%~dp0cleanup.ps1\npowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -File \"%SCRIPT%\"\npause<\/code><\/pre>\n\n\n\n<p>cleanup.ps1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Console]::OutputEncoding = &#91;System.Text.Encoding]::UTF8\n$OutputEncoding = &#91;System.Text.Encoding]::UTF8\n\nWrite-Host \"Starting cleanup...\" -ForegroundColor Cyan\n\n# Delete temporary files\nWrite-Host \"Deleting temporary files...\" -ForegroundColor Yellow\nGet-ChildItem -Path \"C:\\Windows\\Temp\" -Recurse -Force -ErrorAction 
SilentlyContinue | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue\n\n# Delete downloads of the currently logged-in user\nWrite-Host \"Deleting Downloads folder of the logged-in user...\" -ForegroundColor Yellow\n$downloadPath = Join-Path $env:USERPROFILE \"Downloads\"\nif (Test-Path $downloadPath) {\n    Get-ChildItem -Path $downloadPath -Recurse -Force -ErrorAction SilentlyContinue | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue\n    Write-Host \"Downloads from $downloadPath have been cleaned.\" -ForegroundColor Green\n} else {\n    Write-Host \"No Downloads folder found.\" -ForegroundColor Red\n}\n\n# Empty Recycle Bin\nWrite-Host \"Emptying Recycle Bin...\" -ForegroundColor Yellow\nClear-RecycleBin -Force -ErrorAction SilentlyContinue\n\n# Start Disk Cleanup\nWrite-Host \"Starting automatic Disk Cleanup...\" -ForegroundColor Yellow\nStart-Process -FilePath \"cleanmgr.exe\" -ArgumentList \"\/sagerun:1\" -Wait\n\n# Reset network settings\nWrite-Host \"Network: Releasing IP addresses and flushing DNS cache...\" -ForegroundColor Yellow\nipconfig \/release\nipconfig \/flushdns\n\n# Optimize storage (optional, may take a while)\nWrite-Host \"Performing storage optimization...\" -ForegroundColor Yellow\ncompact.exe \/compactos:always\n\nWrite-Host \"Cleanup completed!\" -ForegroundColor Green<\/code><\/pre>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"Preparing-the-Horizon-Master-Image-for-Entra-Hybrid-Join\">2. Preparing the Horizon Master Image for Entra Hybrid Join<\/h6>\n\n\n\n<p>Before finalizing the master image, we ensured that our Horizon master image was prepared for all cloned desktops to correctly register with Microsoft Defender for Endpoint. 
This guarantees that every virtual desktop instance reports properly to the security portal once it is deployed.<\/p>\n\n\n\n<p>We followed Microsoft\u2019s official steps for onboarding non-persistent VDI environments, as described in their documentation:<br><br>\ud83d\udd17 <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/configure-endpoints-vdi?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noreferrer noopener\">Configure endpoints for VDI in Microsoft Defender for Endpoint<\/a><\/p>\n\n\n\n<p>In our case we followed the &#8220;Single Entry Path&#8221;. Here\u2019s a summary of the process we implemented:<\/p>\n\n\n\n<p><strong>Download the VDI onboarding package<\/strong><br><br>From the <strong>Microsoft Defender portal<\/strong>, navigate to<br><strong>Settings \u2192 Endpoints \u2192 Device Management \u2192 Onboarding<\/strong>.<br>Choose the correct <strong>operating system<\/strong>, select <strong>VDI onboarding scripts for non-persistent endpoints<\/strong>, and then download the <code>.zip<\/code> package.<\/p>\n\n\n\n<p><strong>Extract and copy the scripts<\/strong><br><br>Unzip the package and copy its contents to:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\Startup<\/code><\/pre>\n\n\n\n<p>If the folder isn\u2019t visible, make sure hidden files and folders are enabled in File Explorer.<\/p>\n\n\n\n<p><strong>Copy the extracted files<\/strong><br><br>Copy both Onboard-NonPersistentMachine and WindowsDefenderATPOnboardingScript.<\/p>\n\n\n\n<p><strong>Register the Startup Script via Group Policy<\/strong><br><br>Open the <strong>Group Policy Editor<\/strong> (<code>gpedit.msc<\/code>) and navigate to:<br><code>Computer Configuration \u2192 Windows Settings \u2192 Scripts \u2192 Startup<\/code><br>Then use the <strong>PowerShell Scripts<\/strong> tab and add <code>Onboard-NonPersistentMachine.ps1<\/code><br><em>(There\u2019s no need to specify the other file, as it\u2019s 
triggered automatically.)<\/em><br><br>\u2699\ufe0f <strong>Important:<\/strong><br>This Group Policy should be applied <strong>only to the Organizational Unit (OU)<\/strong> that contains your <strong>Instant Clone desktops<\/strong> \u2014 <strong>not<\/strong> to the master image or any template VM.<br>The master image must remain clean and unregistered so that every new clone performs its own onboarding during first boot.<br>Applying the policy to the master image could cause duplicate device entries or stale registrations in <strong>Microsoft Defender for Endpoint<\/strong> and <strong>Microsoft Entra ID<\/strong>.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"Configuring-the-Desktop-Pools\"><strong>3. Configuring the Desktop<\/strong> <strong>Pools<\/strong><\/h6>\n\n\n\n<p>For our deployment, we decided to use <strong>Instant Clones<\/strong> to ensure fast provisioning, easy updates, and minimal administrative overhead.<br>Below is a summary of the <strong>key pool settings<\/strong> we applied:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Setting<\/strong><\/th><th><strong>Value \/ Configuration<\/strong><\/th><th><strong>Description \/ Purpose<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>Guest Customization<\/strong><\/td><td>ClonePrep<\/td><td>Automates domain join and machine identity generation for each clone.<\/td><\/tr><tr><td><strong>View Storage Accelerator<\/strong><\/td><td>Enabled<\/td><td>Improves read performance and reduces I\/O load on the datastore.<\/td><\/tr><tr><td><strong>Allow reuse of existing computer accounts<\/strong><\/td><td>Enabled<\/td><td>Prevents unnecessary AD object recreation and supports stable hybrid join behavior.<\/td><\/tr><tr><td><strong>Snapshot Update Cycle<\/strong><\/td><td>Every 7 days<\/td><td>Ensures regular image refresh and deployment of updates.<\/td><\/tr><tr><td><strong>Cluster \/ Host<\/strong><\/td><td>vSAN-backed 
cluster<\/td><td>Dedicated to Horizon VDI workloads for optimized performance.<\/td><\/tr><tr><td><strong>Pool Type<\/strong><\/td><td>Instant Clone Desktop Pool<\/td><td>Provides fast, space-efficient, and easily managed VMs.<\/td><\/tr><tr><td><strong>vTPM<\/strong><\/td><td>Enabled<\/td><td>Required for Windows 11 compatibility and enhanced security.<\/td><\/tr><tr><td><strong>Action at Logoff<\/strong><\/td><td>Delete and recreate VM<\/td><td>Guarantees a clean non-persistent desktop for every session.<\/td><\/tr><tr><td><strong>Allow users to restart their desktops<\/strong><\/td><td>No<\/td><td>Prevents manual restarts that could interrupt provisioning cycles.<\/td><\/tr><tr><td><strong>Session Type<\/strong><\/td><td>Desktop<\/td><td>Standard virtual desktop deployment type.<\/td><\/tr><tr><td><strong>Display Protocol<\/strong><\/td><td>Horizon Blast (default)<\/td><td>Offers modern, high-performance graphics streaming.<\/td><\/tr><tr><td><strong>Session Collaboration<\/strong><\/td><td>Disabled<\/td><td>Restricts users from sharing desktop sessions.<\/td><\/tr><tr><td><strong>Allow multiple client sessions per user<\/strong><\/td><td>No<\/td><td>Each user receives a unique, isolated desktop.<\/td><\/tr><tr><td><strong>Allow PCoIP Ultra<\/strong><\/td><td>No<\/td><td>Environment standardized on Horizon Blast only.<\/td><\/tr><tr><td><strong>3D Renderer<\/strong><\/td><td>Managed via vSphere Client<\/td><td>Configured depending on workload and GPU availability.<\/td><\/tr><tr><td><strong>Remote Power Policy<\/strong><\/td><td>Always On<\/td><td>Keeps desktops ready for quick connection.<\/td><\/tr><tr><td><strong>Disconnect Session Timeout<\/strong><\/td><td>480 minutes<\/td><td>Controls session persistence for idle users.<\/td><\/tr><tr><td><strong>Computer Naming Pattern<\/strong><\/td><td><code>W11-vPC-xxx{n:fixed=3}<\/code><\/td><td>Ensures consistent and predictable computer naming.<\/td><\/tr><tr><td><strong>VM Access Policy<\/strong><\/td><td>Block 
direct vSphere access<\/td><td>Prevents administrators from connecting directly to the VM console, improving security.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"Setting-Up-FSLogix-Profiles\">4. Setting Up FSLogix Profiles<\/h6>\n\n\n\n<p>To handle user profile roaming in our Horizon environment, we use <strong>FSLogix Profile Containers<\/strong>. This provides a fast, reliable, and seamless profile experience for users logging into non-persistent Instant Clone desktops.<\/p>\n\n\n\n<p>The FSLogix profile containers are stored on a <strong>Windows file server<\/strong> located on the same <strong>vSAN storage<\/strong> as the Horizon virtual machines.<br>This ensures minimal latency between desktop sessions and the profile store, improving both login times and session responsiveness.<\/p>\n\n\n\n<p>Each user profile is mounted dynamically at logon as a <strong>VHDX container<\/strong>, giving the user a persistent experience while keeping the underlying desktop non-persistent.<\/p>\n\n\n\n<p>All FSLogix settings are applied through <strong>Group Policy Objects (GPOs)<\/strong> to guarantee consistent configuration across all virtual desktops.<br>Below is a summary of our applied policy configuration, based on the settings shown in the screenshot:<\/p>\n\n\n\n<p><strong>General FSLogix Policies<\/strong><\/p>\n\n\n\n<p><strong>GPO Path:<\/strong><br><code>Computer Configuration \u2192 Administrative Templates \u2192 FSLogix<\/code><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Policy Name<\/th><th>Setting<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>Cleanup Invalid Sessions<\/strong><\/td><td>Enabled<\/td><td>Ensures stale FSLogix sessions are cleaned up automatically.<\/td><\/tr><tr><td><strong>Roam Recycle Bin<\/strong><\/td><td>Disabled<\/td><td>Keeps the Recycle Bin local to reduce container size.<\/td><\/tr><tr><td><strong>VHD Compact 
Disk<\/strong><\/td><td>Enabled<\/td><td>Compacts profile containers automatically to reclaim disk space.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>FSLogix \/ ODFC Containers<\/strong><\/p>\n\n\n\n<p><strong>GPO Path:<\/strong><br><code>Computer Configuration \u2192 Administrative Templates \u2192 FSLogix \u2192 ODFC Containers<\/code><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Policy Name<\/th><th>Setting<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>Include Office Activation<\/strong><\/td><td>Disabled<\/td><td>Uses standard Microsoft 365 activation instead of FSLogix ODFC.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>FSLogix \/ Profile Containers<\/strong><\/p>\n\n\n\n<p><strong>GPO Path:<\/strong><br><code>Computer Configuration \u2192 Administrative Templates \u2192 FSLogix \u2192 Profile Containers<\/code><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Policy Name<\/th><th>Setting<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>Enabled<\/strong><\/td><td>Enabled<\/td><td>Activates FSLogix Profile Container functionality.<\/td><\/tr><tr><td><strong>Initial AppX Packages<\/strong><\/td><td>Enabled<\/td><td>Ensures modern Windows apps initialize correctly.<\/td><\/tr><tr><td><strong>Is Dynamic (VHD)<\/strong><\/td><td>Enabled<\/td><td>Creates containers with dynamic disk sizing.<\/td><\/tr><tr><td><strong>Keep Local Directory (after logoff)<\/strong><\/td><td>Disabled<\/td><td>Deletes local profile remnants after logoff.<\/td><\/tr><tr><td><strong>Outlook Cached Mode<\/strong><\/td><td>Enabled<\/td><td>Keeps Outlook in Cached Exchange Mode within the profile container.<\/td><\/tr><tr><td><strong>Redirect Type<\/strong><\/td><td>Enabled<\/td><td>Standard FSLogix redirection behavior.<\/td><\/tr><tr><td><strong>Remove Orphaned OST Files on Logoff<\/strong><\/td><td>Enabled<\/td><td>Deletes orphaned OST 
files to prevent corruption.<\/td><\/tr><tr><td><strong>Roam Identity<\/strong><\/td><td>Enabled<\/td><td>Roams user identity (SID consistency).<\/td><\/tr><tr><td><strong>Roam Search<\/strong><\/td><td>Disabled<\/td><td>Keeps Windows Search index local for better performance.<\/td><\/tr><tr><td><strong>Set Temp Folders to Local Path<\/strong><\/td><td>Enabled<\/td><td>Redirects TEMP, TMP, and INetCache folders to the local drive.<\/td><\/tr><tr><td><strong>Size in MBs<\/strong><\/td><td>Enabled \u2192 50,000 MB<\/td><td>Limits container size to 50 GB.<\/td><\/tr><tr><td><strong>VHD Locations<\/strong><\/td><td>Enabled \u2192 <code>\\\\&lt;fileserver&gt;\\dfs\\FSLogix<\/code><\/td><td>Defines the path where FSLogix VHD\/VHDX containers are stored.<\/td><\/tr><tr><td><strong>Redirection XML Source Folder<\/strong><\/td><td>Enabled \u2192 <code>\\\\&lt;fileserver&gt;\\software$\\FSLogix<\/code><\/td><td>Location of the XML redirection configuration.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>FSLogix \/ Profile Containers<\/strong> \/ <strong>Container and Directory Naming<\/strong><\/p>\n\n\n\n<p><strong>GPO Path:<\/strong><br><code>Computer Configuration \u2192 Administrative Templates \u2192 FSLogix \u2192 Profile Containers \u2192 Container and Directory Naming<\/code><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Policy Name<\/th><th>Setting<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>Volume Type (VHD or VHDX)<\/strong><\/td><td>Enabled \u2192 VHDX<\/td><td>Uses VHDX for better performance and resilience.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>To further refine our FSLogix configuration, we created a <strong>custom <code>redirections.xml<\/code> file<\/strong> that we linked through Group Policy (configured under<br><code>Computer Configuration \u2192 Administrative Templates \u2192 FSLogix \u2192 Profile Containers \u2192 Redirection XML Source 
Folder<\/code>).<\/p>\n\n\n\n<p>This XML file fine-tunes what parts of the user profile are <strong>excluded or included<\/strong> in the FSLogix container. The goal is to reduce container size, speed up logons, and avoid storing volatile authentication and cache data that should remain local.<\/p>\n\n\n\n<p>We built the XML based on Microsoft\u2019s official recommendations (<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/devices\/howto-device-identity-virtual-desktop-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">Device identity and desktop virtualization<\/a>) and several practical adjustments for hybrid-joined Horizon environments.<\/p>\n\n\n\n<p>Below is the version we currently use:<\/p>\n\n\n\n<pre class=\"wp-block-code has-tiny-font-size\"><code>&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n\n&lt;FrxProfileFolderRedirection ExcludeCommonFolders=\"0\"&gt;\n\n  &lt;Excludes&gt;\n    &lt;!-- Browser Cache --&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache&lt;\/Exclude&gt;\n\n    &lt;!-- Microsoft Identity + Token Broker (AAD + M365 Sign-in) --&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Microsoft\\OneAuth&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Microsoft\\TokenBroker&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Microsoft\\IdentityCache&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Microsoft\\Office\\16.0\\Identity&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy&lt;\/Exclude&gt;\n\n    &lt;!-- Office Authentication Caches --&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Local\\Microsoft\\CredentialManager&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;AppData\\Roaming\\Microsoft\\Credentials&lt;\/Exclude&gt;\n\n    &lt;!-- 
Registry Keys --&gt;\n    &lt;Exclude Copy=\"0\"&gt;HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\IdentityCRL&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AAD&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WorkplaceJoin&lt;\/Exclude&gt;\n    &lt;Exclude Copy=\"0\"&gt;HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\TokenBroker&lt;\/Exclude&gt;\n  &lt;\/Excludes&gt;\n\n  &lt;Includes&gt;\n    &lt;!-- Oracle\/Sun Java --&gt;\n    &lt;Include Copy=\"3\"&gt;AppData\\LocalLow\\Sun\\Java\\Deployment\\security&lt;\/Include&gt;\n\n    &lt;!-- Microsoft DPAPI Keys (important for password and M365 login persistence) --&gt;\n    &lt;Include Copy=\"3\"&gt;AppData\\Roaming\\Microsoft\\Protect&lt;\/Include&gt;\n\n    &lt;!-- Edge User Data: keeps login data and local state --&gt;\n    &lt;Include Copy=\"3\"&gt;AppData\\Local\\Microsoft\\Edge\\User Data&lt;\/Include&gt;\n  &lt;\/Includes&gt;\n\n&lt;\/FrxProfileFolderRedirection&gt;<\/code><\/pre>\n\n\n\n<p>After setting up FSLogix and completing the hybrid join preparation, we added a few final optimizations to make the entire setup more stable and reliable in production.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"Final-Tweaks-and-Recommendations\">5. 
Final Tweaks and Recommendations<\/h6>\n\n\n\n<p>To ensure that each Instant Clone correctly completes the <strong>Entra Hybrid Join<\/strong> process during its first startup, we created a <strong>dedicated GPO<\/strong> for the Horizon Agent.<\/p>\n\n\n\n<p>This policy enforces that the Horizon Agent <strong>waits for the hybrid join process to finish<\/strong> before fully initializing the desktop session.<br>Without this setting, some machines could register inconsistently or fail to appear correctly in Microsoft Entra ID, especially in fast-provisioning environments like Instant Clones.<\/p>\n\n\n\n<p><strong>GPO Path:<\/strong><\/p>\n\n\n\n<p><code>Computer Configuration \u2192 Administrative Templates \u2192 Omnissa Horizon Agent Configuration \u2192 Agent Configuration<\/code><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Policy Name<\/th><th>Setting<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>Configure Wait for Hybrid Join<\/strong><\/td><td>Enabled<\/td><td>Horizon Agent delays login until Entra Hybrid Join is successful.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>By enabling this option, the Horizon Agent delays the login readiness state until the <strong>Entra Hybrid Join<\/strong> has completed successfully. 
This ensures that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The machine is properly registered in <strong>Entra ID<\/strong> before user login.<\/li>\n\n\n\n<li><strong>Conditional Access<\/strong> and <strong>Defender onboarding<\/strong> policies are applied consistently.<\/li>\n\n\n\n<li><strong>FSLogix profile mounting<\/strong> occurs in a stable identity state.<\/li>\n<\/ul>\n\n\n\n<p>As described in the official Omnissa documentation (<a href=\"https:\/\/docs.omnissa.com\/de-DE\/bundle\/Horizon8InstallUpgrade\/page\/SupportforAzureActiveDirectory.html\" target=\"_blank\" rel=\"noreferrer noopener\">Support for Azure Active Directory<\/a>),<br><strong>Microsoft Entra Connect<\/strong> performs synchronization tasks on an <strong>hourly schedule<\/strong>.<br>Because of this, a freshly provisioned desktop can remain in a <em>\u201cPending\u201d<\/em> state for some time before it becomes fully available in Entra ID.<\/p>\n\n\n\n<p>In practice, this can result in <strong>longer startup times<\/strong> for new or refreshed desktops.<br>In our environment, the delay typically ranges between <strong>2 and 10 minutes<\/strong>, depending on synchronization timing and infrastructure load.<br>However, once the join is completed, the machine remains stable and consistently recognized across all connected Microsoft services.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"Sources\">Sources<\/h6>\n\n\n\n<p><strong>Blogs:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stephen Wagner: <a href=\"https:\/\/www.stephenwagner.com\/2023\/07\/23\/hybrid-azure-ad-join-azure-ad-connect-vdi\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hybrid Azure AD Join with Azure AD Connect for Non-Persistent VDI with VMware Horizon<\/a><\/li>\n\n\n\n<li>Borns IT- und Windows-Blog: <a href=\"https:\/\/www.borncity.com\/blog\/2025\/02\/01\/microsoft-365-outlook-fehler-58tm1\/\" target=\"_blank\" rel=\"noreferrer noopener\">Outlook Error 
[58tm1]<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Microsoft:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/configure-endpoints-vdi\" target=\"_blank\" rel=\"noreferrer noopener\">Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/devices\/howto-device-identity-virtual-desktop-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">Device identity and desktop virtualization<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/fslogix\/how-to-install-fslogix\" target=\"_blank\" rel=\"noreferrer noopener\">Install FSLogix applications<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Omnissa:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.omnissa.com\/bundle\/Horizon8InstallUpgrade\/page\/SupportforAzureActiveDirectory.html\" target=\"_blank\" rel=\"noreferrer noopener\">Support for Microsoft Entra (Azure Active Directory)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/kb.omnissa.com\/s\/article\/89127\" target=\"_blank\" rel=\"noreferrer noopener\">Hybrid Azure AD support in Omnissa Horizon View (89127)<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Over time, I\u2019ve tested many different setups for VMware Horizon environments \u2014 some more successful than others. But after countless rebuilds, troubleshooting sessions, and user feedback, I finally landed on what I consider my ideal configuration: a Horizon environment powered by FSLogix profiles and Entra Hybrid Joined virtual machines. 
In this post, I\u2019ll walk through [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[21,20,11],"class_list":["post-288","post","type-post","status-publish","format-standard","hentry","category-guide","tag-fslogix","tag-horizon","tag-windows"],"_links":{"self":[{"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/posts\/288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/comments?post=288"}],"version-history":[{"count":35,"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/posts\/288\/revisions"}],"predecessor-version":[{"id":361,"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/posts\/288\/revisions\/361"}],"wp:attachment":[{"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/media?parent=288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/categories?post=288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techbygiusi.com\/index.php\/wp-json\/wp\/v2\/tags?post=288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}