New features in Horizon 2306 enhance security, flexibility, and manageability 

The latest release of Horizon 8, 2306, is available and it adds a host of new features. Each of these has been designed based on the feedback and requirements of our valuable customers. Let’s dive right in and see what’s new for servers and clients.

Horizon Server updates: simplifying management and bolstering security

Let’s get started with what is new on the Horizon Server side. These improvements are designed to streamline administrative tasks and enhance security. Here’s a breakdown of the features released in Horizon 2306.

Granular RBAC privileges for cloud-connected customers  

In Horizon 8 versions prior to 2306, super admins were required to activate their SaaS subscription via the Horizon Control Plane to gain access to management and monitoring services for Horizon deployments. Horizon 2306 introduces more granular role-based access control (RBAC) privileges: the super admin can now grant non-super admins specific privileges to activate and manage licenses and to monitor the Horizon environment. Applying specific privileges to admins eliminates the need for the super admin role for routine tasks, provides tighter security, and ensures that only authorized personnel can make significant changes.

Block end user connection if no certificate check  

Security is always top of mind in Horizon development. To that end, we’ve introduced a new mechanism that can enforce the server certificate check. Once the setting is configured, when an end user’s request to access a desktop or an app reaches the connection server, the request already has the client settings mapped against the admin-configured settings on the server, and the brokering behavior is determined based on that configuration. There are now three potential actions (“Enforce,” “Warn,” and “Ignore”) that admins can use to mandate stricter certificate verification policies:

  • Enforce: A mandatory certificate check. If invalid, the connection is dropped. 
  • Warn: The user gets a warning, is allowed to connect, and the event is logged. 
  • Ignore: The certificate check is executed, but only a log entry is made without any user notification.  

This feature ensures a balance between usability and security, giving admins the flexibility to determine the rigor of their authentication process.  

Fixed timer for discarding SSO credentials bolsters security  

Customers can set a fixed timer to discard single sign-on (SSO) credentials to ensure re-authentication is required after a set time, further bolstering security. Admins can set the session time for end users and ensure they re-authenticate when new virtual desktop sessions or published applications are launched.  

Configure certificate mappings from console  

For those customers using certificate-based authentication such as smart cards, the Microsoft security update (KB5014754) will disallow weak certificate mappings such as user principal name and email. Horizon 2306 allows you to configure certificate mappings from the Horizon console. This feature provides three options: 

  1. SID, which is considered the strongest and is the recommended option. 
  2. Custom alt security identity, such as x509serialnumber, x509SKI. 
  3. Legacy option, for customers who haven’t applied the security update and continue to use existing smart cards. 

Instant Clone Smart Provisioning default mode 

Instant Clone Smart Provisioning will now default to Mode B (VMs created without a parent VM). Mode B is compatible with all workflows, such as vTPM and vGPU. Mode A (VMs created with a parent VM) is selected only when using a vTPM device on an ESXi host version earlier than 7.0 update 3f. You can still change the provisioning mode as described in this KB (Knowledge Base) document, but it is not recommended.

Improve with auto debugging for instant clones  

Auto debug mode allows admins to preserve the internal template VMs for debugging in case of provisioning errors. Previously, admins would have to set the configuration parameter for the golden image in vCenter to enable this mode. With this feature, admins can enable debug mode from the console, which is applied to all the instant clone pools in the vCenter. When on, internal template VMs are preserved in a separate folder in the vCenter, and these VMs are automatically deleted when this mode is turned off. It is recommended to enable the “Stop Provisioning on Error” setting so that provisioning stops at the first error, and that specific error can be debugged. 

Figure 1. Admins can easily enable Instant Clone debugging via the console.  

Persistent disks for instant clones  

Horizon 2306 reintroduces persistent disks for dedicated instant clones, intended for customers who are still using persistent disks with dedicated linked clones in Horizon 7. This new feature provides a migration path for customers who cannot upgrade to Horizon 8 because of the persistent disks. For more information on migrating, read this document, “Migration Guidance to Move from Horizon 7.X to Horizon 8.” 

Cloud Pod Architecture session load distribution  

To assist Cloud Pod Architecture (CPA) in distributing user sessions evenly across resources within a global entitlement, 2306 introduces “Session Load Distribution Policy.” This new setting allows admins to select the session count policy as the session load distribution policy for an individual global entitlement. With this, CPA will equitably distribute incoming session requests across resources based on the session count in relation to the capacity, providing a more balanced distribution across available resources. For example, if a global entitlement has two desktop pools, each with a capacity of 100 desktops, sessions would be distributed evenly across the desktop pools for better desktop and app performance.

Now let’s move on to the newest updates for the Horizon Agent. We continue to strive for seamless compatibility and functionality across platforms, ensuring a smoother end-user experience for all. Read on to see what is new in experience features in 2306.  

Horizon Agent 2306: enhancing compatibility and user experience

Improvements for the Linux agent  

Building on our existing support for Rocky on vSphere, Horizon 2306 adds support for Rocky Linux. Additionally, Horizon Desktop Recording support was added for Linux VMs allowing admins to record and replay sessions to help troubleshoot issues, ensure compliance and security, and monitor activity. Lastly, for our virtual integrated printing feature, a watermark can be added to the opening page of a document set.  

Enhancements in remote experience and codec support via Blast   

Next up are the improvements made to our Blast display protocol that continue to ensure end users have a seamless experience in a virtual session. 

  • BSG RX feature allowance. With the Blast Secure Gateway Remote Experience, we introduce an “allow list” for specific features. Recognizing that some customers grant admin access to end users, the traditional GPOs and registry settings may fall short as they can be misused on the agent VM. For improved safeguarding, admins can now restrict certain features, such as USB redirection, at the UAG itself if they have security concerns about a specific feature, which prevents a bad actor from allowing unauthorized features at the agent level.  
  • AV1 codec enhancements. We’ve added hardware encode support for the AV1 codec on NVIDIA GPUs. Furthermore, we’ve extended support for Linux clients to use this codec. 
  • Audio-video sync improvements for Mac. After refining the synchronization of audio and video on Windows clients, we’re extending those enhancements to Mac clients. 
  • 3D hardware support for Linux VDI. For those running the Linux agent on physical desktops, it’s now possible to harness the power of 3D hardware within these desktops. 
  • Enhanced Mac and Linux supportability. We’ve incorporated comprehensive logging information to facilitate Blast troubleshooting and aim to reduce the occurrence of black screens. This enhancement in logging is available for both Mac and Linux clients. 
  • High definition and high dynamic range for HEVC codec. 2306 expands support to include high-definition color and high dynamic range for the HEVC codecs, available for Windows, Mac, and Linux clients. Additionally, it enables HEVC 4:4:4 encoding on Intel GPUs, providing higher color accuracy in image rendering.  
Figure 2. Blast supports high-definition color and high dynamic range (HCA) for HEVC codec (Windows, Linux, Mac clients). 

Unified communications optimizations  

Here’s a rundown of the latest updates from 2306 that will elevate your remote collaboration experience: 

  • Simulcast streaming for superior quality with Microsoft Teams. In the past, the overall video quality of a Teams group call was prone to degradation if one of the participants joined in from a poor network. Now, with the simulcast feature, each participant’s stream is independent of other user networks connected to the call. This means you’ll no longer have the entire group’s quality compromised, improving the overall user experience.  
  • Mac client gets the Teams background blur. Now end users joining a Teams video call on their Horizon desktops from a MacBook can blur their backgrounds, providing the desired functionality when using video on Teams.  
  • Screen snipping on Teams for Mac client. The Mac client now supports screen snipping or screenshots. If you’ve been in a scenario where your VDI runs in full screen with a Teams call on the endpoint, it might have created a black void while trying to screenshot in the VM. To combat this, the screenshot will be taken on the endpoint first and then saved to the VM. 
  • Breakout rooms in Teams. Now end users can create breakout rooms on Teams optimized for Horizon.  
  • Reactions in Teams. End users will now be able to send emojis and other reactions while on a Teams call. 

Finally, we will cover the features 2306 brings to each client. 

Horizon Client updates

Windows continues to advance, keeping in step with evolving user needs and technological shifts. Below, I’ll cover the latest features that are enhancing the Windows client experience in Horizon 2306: 

  • ARM device support with emulation mode: Windows now officially supports ARM devices that operate in emulation mode. This support is exclusive to Windows 11, as it’s the optimal OS for ARM devices because it enhances their performance and usability. 
  • Seamless Bluetooth pairing: Enhancing connectivity, users can now pair Bluetooth devices even after the VM is up and running. There’s no need to revert to the endpoint; devices can be located and paired directly within the remote desktop. 
  • Visible passwords through GPO. Horizon 2306 introduces a new GPO to address challenges with complex password requirements. This allows users to view their password as they type, which helps users who have extensive password criteria. 
  • WebAuthN (FIDO2) authentication for allowed applications. When discussing FIDO2, YubiKey is predominantly the focus for support. Users have been forwarding YubiKey as USB devices for authentication within the VM. However, forwarding YubiKey in this manner restricts its availability on the endpoint. Recognizing the need for a smoother user experience, especially for those using diverse apps, WebAuthN calls are now forwarded from the VM. WebAuthN is used by a broad range of websites and many Windows applications. Although not all apps are covered, this feature streamlines the process for the majority, limiting the need for full YubiKey forwarding via USB redirection. 
  • Limit size of dump files. Recognizing the need to manage storage, Windows now provides settings to limit the size of dump files, ensuring system efficiency.  
  • Drive redirection in nested mode: Windows now officially supports drive redirection in nested mode or double hop, enriching the user’s management capabilities. 

Linux client: advancements in management and feature integration  

Horizon 2306 provides new enhancements for the Linux client, ushering in greater flexibility and user-friendly features. Here’s a look into what’s new: 

  • Deb installation package integration with main RX features. 2306 introduces a Deb installation package option that facilitates easier Linux management, especially if you’re utilizing a management tool tailored for digging.  
  • Embracing AOMedia Video 1 (AV1) decoding. The Linux client now supports the AV1 codec, enhancing the decode capabilities for file type associations. 
  • File type association. Mirroring the feature available to Windows and Mac users, the Linux client now allows mapping of file types to remote apps. This ensures a more seamless user experience when accessing various file types remotely. 
  • TrueSSO unlocked for Linux client. For environments equipped with TrueSSO, when a VM has gone to sleep, a pop-up screen will ask if the VM requires unlocking, which kick-starts the TrueSSO authentication flow.  
  • Drive redirection in nested mode. The Linux client now supports drive redirection in nested mode for both Linux and Windows. In scenarios involving a double hop, starting from either Linux or Windows and transitioning to a Windows VM, users can forward their drive to the subsequent stop, most likely another Windows interface. 

Mac client: improved end-user features and workflows  

The latest release delivers features to improve the end-user experience and optimize workflows for end users using Mac clients in 2306. Here’s a snapshot of the newly introduced features: 

  • Streamlined screenshots with Teams. We’ve integrated a feature that simplifies the process of capturing screenshots within Teams. 
  • Seamless integration with Zoom and Cisco. Building on what we rolled out for Windows, Mac users can now host Zoom or Webex plugins on UAG. On the initial connection, the Mac client will download the plugin and receive a prompt for installation that will be available going forward.  
  • Installation file change from .dmg to .pkg. The installation process for Mac client has shifted from the .dmg file format to .pkg. This change introduces a comprehensive UI for installation, moving away from the previous drag install method. 
  • Advanced Wi-Fi Insights with DEEM. By incorporating the DEEM (Digital Employee Experience Management) module, Mac users can now collect data on Wi-Fi strength. This data integrates with Intelligence, marking a significant step for users who are utilizing Workspace ONE Intelligence for telemetry checks, and now provides the ability to remediate as needed.  
  • Vendor-specific features for scanners. Scanners connected to a Mac might offer features that are not present in TWAIN specifications. The 2306 update allows the VM to capture these settings and show them in the scanner UI in the virtual machine.  
  • True SSO unlocked for Mac client. Similar to the Windows client, Mac users can now reactivate the TrueSSO authentication whenever the VM enters sleep mode, ensuring uninterrupted access and operations. 

Chrome client: Improved end-user interactions  

Included in 2306 are features that enhance the end-user interactions using Chrome clients on a virtual desktop, while improving connectivity.  

  • Support for Horizon Cloud next-gen. Horizon Cloud one next-gen uses an updated, modern authentication flow. In this release, all Horizon clients are now fully integrated and supported on this platform, signifying a significant stride forward in our cloud capabilities. 
  • Bad connection warning. Following the success of the bad connection warning for Windows, we have extended this feature to both the Chrome client and HTML Access. Users can now be promptly notified of connectivity issues, ensuring smoother operations. 
  • Split composite USB devices for redirection. 2306 adds support for composite USB devices. This is particularly beneficial for multifunctional devices like the Nuance PowerMic or keyboards equipped with credit card readers. Such devices, although registering as a singular USB unit, possess multiple functional components. With an upgrade to 2306, users can fully utilize these composite devices with ease. 
  • Real-time audio-video performance enhancements. We have integrated performance enhancements for real-time audio and video interactions. Utilizing the H.264 codec, we are providing compression of both video and audio at the endpoint.  

Also of note is that VMware Horizon 8 is now certified for Common Criteria compliance by the National Information Assurance Partnership (NIAP). This NIAP certification means Horizon 8, recognized as a leader in VDI and apps, can be used in U.S. national security systems. Read the blog to learn more. Horizon is also Product Compliant List certified, which means it can be leveraged by other nations that follow the Common Criteria Recognition Arrangement (CCRA). This achievement is in addition to Horizon Cloud Service recently being authorized to operate in FedRAMP® and StateRAMP® High environments.

Well, that is a wrap for 2306! For more information on these features as well as others I did not cover, please review the Horizon 8 2306 release notes.

Taking advantage of new features as they are released is one benefit of upgrading to our Horizon subscription license. You can download version 2306 by visiting MyVMware.com.