...
When you change the Message Security Mode from "Enabled" or "Mixed" to "Enhanced" in Global Settings in Horizon Admin console and restart the VMware Horizon Message Bus Component service on all connection broker hosts in the pod, you will notice that Enhanced Security Status is stuck in PENDING ENHANCED.
This article assists in resolving the Enhanced Security Status from PENDING ENHANCED to ENHANCED by identifying the unreachable VMs and stale VMs in the inventory and clearing them.
Note: Mixed Mode is not designed to be a permanent option; it is designed to be a temporary setting. If your environment has been set to Mixed for over 24 hours, correct this as a discrete task prior to upgrading. See Failure to upgrade to Horizon 2209 or Later from 2206 or earlier when message security is MIXED (90251).
After all Horizon Message Bus Component services have been restarted, the system begins changing the message security mode to Enhanced for all desktops. When some of the desktops are in an unreachable state, or if there are any stale VMs in the database, the status is stuck in "PENDING ENHANCED" until the unreachable VMs and stale VMs are cleared from the database.
After restarting the Horizon Message Bus Component service on all Connection servers, the Agents are transitioned to Enhanced Security Mode for secured communication. The time taken to complete this process depends on the total number of Horizon-managed desktops in the environment. If there are VDIs in an "Agent Unreachable" state, the status gets stuck in PENDING ENHANCED.
Procedure:

1) Finding Problematic Machines

Log in to one of the Connection servers and open the Command prompt as an admin. Change the directory to C:\Program Files\VMware\VMware View\Server\tools\bin.

Run the command below to identify the total number of VDI desktops in transition to Enhanced Message Security Mode:

vdmutil --authAs username --authDomain domainname --authPassword "*" --countPendingMsgSecStatus

For additional details on vdmutil, see the following VMware Docs page: Using the vdmutil Command-Line Utility on a Connection Server Instance in Horizon 8

You will see the total number of VDIs that are in transition. Once all the available machines have transitioned to Enhanced mode, you will find this count stuck at some value without the transition completing. Run the command below to list the machines that are pending transition:

vdmutil.cmd --authAs username --authDomain domainname --authPassword "*" --listPendingMsgSecStatus

This lists all the machines that are stuck in pending transition. Copy the names of the pending VMs and check the state of those VMs in the Horizon Admin console under Machines. Most likely you will find these machines in the "Agent Unreachable" state; however, they may equally not be present in the inventory at all.

2) Unreachable Machine Cleanup

Desktop Type: Non-persistent Instant Clones
Action: Remove the VM (Delete Virtual-Machine Desktops in a Pool)

Desktop Type: Full Clone Persistent VDIs
Action: Remove the machines from the desktop pool and re-add them later

If the pending VMs are not found in the Horizon inventory, they are most likely stale VMs that should be cleared from the database. Manually removing problem desktops and pools from Horizon (2015112) walks through this process.

3) Verify the transition pending count after cleanup

vdmutil --authAs username --authDomain domainname --authPassword "*" --countPendingMsgSecStatus

What can I do if my count is not decreasing?
Arrange a period of time when provisioning can be halted in the environment. Disable provisioning on all pools. Allow any outstanding Enhanced Security tasks to complete; this can be monitored in the debug log. Reference: Collecting VMware Horizon View log bundles (1017939)

2023-11-18T08:04:19.545+01:00 DEBUG (1998-2578) <EnhancedSecurityManager$EnhancedSecurityTask-1694941434162> [EnhancedSecurityManager$EnhancedSecurityTask] Waiting for 2 out of 4 machines to enter MS mode

Run the countPendingMsgSecStatus command and confirm a decrease in the count. Once the count hits 0, the status is designed to move to ENHANCED. This can be confirmed in the UI.

What can I do if the security status is still stuck as Pending Enhanced and the above count is 0?

Review Registered Machines, look for the presence of Unreachable machines and RDS hosts, and remove them from the Registered Machines list. These can be checked in the Horizon Inventory under "Inventory -> Machines -> Others".

You can increase your log level to Level 3 / trace logging for a temporary period of time on the Connection Server that reports the "Waiting for X machine" log line. This task runs on one designated Connection Server. See Changing the log file behavior in the VMware Horizon components (1025887)

2023-11-18T08:04:19.545+01:00 TRACE (1998-2578) <EnhancedSecurityManager$EnhancedSecurityTask-1694123459962> [EnhancedSecurityManager$EnhancedSecurityTask] machine cn=X , ,dc=vdi,dc=vmware,dc=int is in mode ON

Using the CN name provided in the enhanced logs, you can conduct a targeted investigation into the specific machines halting the transition to Enhanced. Once they are removed, you will notice that Message Security Mode and Enhanced Security Status change to ENHANCED.

Important: There is an increased overhead in setting TRACE logging. Ideally, choose a quieter period when provisioning is disabled and there are no login peaks.

Once the machines are identified, turn off Level 3 logging by choosing a lower level with the commands provided in Changing the log file behavior in the VMware Horizon components (1025887)
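As an added offline check (example code, not part of the VMware article or the product), this Python script reads the DEBUG/TRACE lines quoted above from a collected log bundle, reports the latest "Waiting for X out of Y" count, extracts the CN of every machine the Enhanced Security task is still reporting, and flags CNs that are absent from a machine list exported from Horizon Admin as stale-VM candidates. The sample log lines, machine names, OU and inventory list are constructed; only the log line shape and the dc=vdi,dc=vmware,dc=int suffix come from the article.

```python
import re

# Patterns derived from the two log lines quoted in the article above.
WAITING_RE = re.compile(r"Waiting for (\d+) out of (\d+) machines to enter MS mode")
MACHINE_RE = re.compile(r"machine (cn=.+?) is in mode (\S+)")

# Constructed sample lines shaped like the article's DEBUG/TRACE examples (not real log data);
# machine names and the OU are made up, the dc=vdi,dc=vmware,dc=int suffix is from the article.
PFX = ("2023-11-18T08:04:19.545+01:00 {lvl} (1998-2578) "
       "<EnhancedSecurityManager$EnhancedSecurityTask-1694123459962> "
       "[EnhancedSecurityManager$EnhancedSecurityTask] ")
SAMPLE_LOG = "\n".join([
    PFX.format(lvl="DEBUG") + "Waiting for 3 out of 4 machines to enter MS mode",
    PFX.format(lvl="TRACE") + "machine cn=vdi-win10-01,ou=Servers,dc=vdi,dc=vmware,dc=int is in mode ON",
    PFX.format(lvl="TRACE") + "machine cn=vdi-win10-02,ou=Servers,dc=vdi,dc=vmware,dc=int is in mode ON",
    PFX.format(lvl="DEBUG") + "Waiting for 2 out of 4 machines to enter MS mode",
    PFX.format(lvl="TRACE") + "machine cn=vdi-win10-01 , ,dc=vdi,dc=vmware,dc=int is in mode ON",
    PFX.format(lvl="TRACE") + "machine cn=stale-vm-99,ou=Servers,dc=vdi,dc=vmware,dc=int is in mode ON",
])

# Constructed machine names as they would be exported from Horizon Admin > Inventory > Machines.
INVENTORY = ["VDI-WIN10-01", "VDI-WIN10-02", "VDI-WIN10-03", "VDI-WIN10-04"]


def analyse(log_text):
    """Return (latest (pending, total) pair or None, {machine CN: last mode seen})."""
    waiting, modes = None, {}
    for line in log_text.splitlines():
        m = WAITING_RE.search(line)
        if m:
            waiting = (int(m.group(1)), int(m.group(2)))  # keep the most recent progress line
            continue
        m = MACHINE_RE.search(line)
        if m:
            dn, mode = m.groups()
            cn = dn.split(",", 1)[0][len("cn="):].strip()  # first RDN value, e.g. vdi-win10-01
            modes[cn] = mode
    return waiting, modes


def missing_from_inventory(modes, inventory_names):
    """CNs the task is still waiting on that do not exist in the inventory: stale-VM candidates."""
    known = {n.lower() for n in inventory_names}
    return sorted(cn for cn in modes if cn.lower() not in known)


if __name__ == "__main__":
    waiting, modes = analyse(SAMPLE_LOG)
    print("latest progress (pending, total):", waiting)
    for cn, mode in sorted(modes.items()):
        print(f"  {cn:<16} mode={mode}")
    print("not in inventory (likely stale):", missing_from_inventory(modes, INVENTORY))
```

Point analyse() at the debug log of the Connection Server that owns the EnhancedSecurityTask and compare the CNs it returns against the Machines page before deciding which entries to remove via KB 2015112.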
Related information:
Manually removing problem desktops and pools from Horizon (2015112)
Using the vdmutil Command-Line Utility on a Connection Server Instance in Horizon 8
Ensuring a successful migration from Horizon 7 to Horizon 8 (89840)
Failure to upgrade to Horizon 2209 or Later from 2206 or earlier when message security is MIXED (90251)