When you build a reference machine, choose the core software to include in the base layer carefully, as this software is distributed with the base layer to all end users.

Software considerations apply for image management and special instructions for specific software categories. See Reference Machine Software and Settings.

See also Reference Machine Software and Settings.

For best results, include the following applications in the base layer:

Antivirus and security products such as anti-malware

VPN or other connectivity software, such as iPass


Windows components and frameworks, for example, .NET, Java

Global Windowa configuration and settings changes

System-level software is sensitive to conflicting software, so it is important that endpoints do not receive conflicting software through other distribution methods. If a certain type of system-level software, for example, antivirus is distributed with a base layer, do not distribute different versions of the same software or conflicting software through other software distribution mechanisms, and the reverse.

Include the organization VPN, antivirus, firewall applications, and the driver store in the minimal restore set.

The base layer generally includes core applications that an organization uses, while more specialized applications are typically distributed with app layers. Verify that the software is suitable for mass distribution and uses a volume license that does not require machine-specific identification or individual manual activation.

Certain applications are protected by hardware-based identification methods or a unique license key that resides on the endpoint, for example, in a license file, and must not be distributed with the base or app layer or installed on the reference machine. The user can still install these applications on the endpoint or through software distribution solutions that target individual endpoints.

Most enterprise software is protected by a floating, or volume, license, which eliminates this problem.

On the reference machine, install software as administrator, and if the option exists, install for All Users. Exclude user profiles on the reference machine from the base layer so that you do not distribute them. Do not distribute software installed exclusively for a specific user, because it might not function properly.

Example: The Google Chrome default installation is to the current user profile. Make sure to install it for All Users if it is to be included in the base layer.

To ensure the presence of an application shortcut on the end user’s desktop or Programs menu, verify that the shortcut is correctly created when the application is installed on the reference machine. If it is not, create the shortcut manually in the All Users profile.

Applications that set up and use local user accounts or local groups, or both, might not function well on endpoints when the base layer is applied to them. Consequently, you must exclude definitions of local user accounts and local groups from the base layer.

Many hardware vendors include special software to enhance the user experience of their platforms. These applications can support specific hardware buttons, connection management and power management capabilities, and so on.

To include special software as part of the base layer, use the base layer only for compatible hardware. Do not preinstall hardware-specific software on a single base layer that you want to use for multiple incompatible hardware platforms.

Use App layering for OEM software.

Horizon Mirage does not distribute software that changes the Master Boot Record (MBR). Full Disk Encryption software usually modifies the MBR, so this type of software cannot be delivered with a base layer. Such software can still be installed on individual endpoints through an external delivery mechanism or during first-time provisioning.

Examples of Disk Encryption software that use preboot authentication are Checkpoint Full Disk Encryption, PGPDisk, Sophos SafeGuard, and McAfee Endpoint Encryption.


Mirage requires certain Full Disk Encryption applications to be pre-configured before performing a Windows 7 migration. For more information about supported Full Disk Encryption software, contact VMware technical support.

Certain security software products take measures to protect their software and do not allow other processes to modify their files. Software of this type cannot be updated through Horizon Mirage. Instead, use the security vendor-recommended update process to implement central control and management of that software. Horizon Mirage does not interfere with or manipulate the operation of these security products, and does not override the security measures they provide.

Microsoft BitLocker, in Windows 7, performs full-disk encryption and is fully compatible with Horizon Mirage. The state of BitLocker is maintained and managed on each endpoint and does not propagate to the Horizon Mirage CVD in the data center.

After you use BootUSB to do bare metal restore, the BitLocker state is not preserved and the machine is not encrypted.

The following BitLocker scenarios apply:

If BitLocker is enabled on the target endpoint, it remains enabled after Horizon Mirage restore, base layer update, or rebase operations, regardless of the BitLocker configuration in the original endpoint on which the CVD was running, or on the reference machine from which the base layer was captured.

Similarly, if BitLocker is disabled on the target endpoint, it remains disabled after Horizon Mirage restore, base layer update, or rebase operations.


When you build a Windows 7 base layer for migration purposes, verify that BitLocker is disabled on the reference machine. Otherwise the migration operations cannot be completed.