The PCoIP ADMX template file contains group policy settings that configure general settings such as PCoIP image quality, USB devices, and network ports.

All of these settings are in the Computer Configuration > Policies > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults folder in the Group Policy Management Editor.

All of these settings are also in the User Configuration > Policies > Administrative Templates > PCoIP Session Variables > Not Overridable Administrator Settings folder in the Group Policy Management Editor.

Table 1. PCoIP General Policy Settings

Setting

Description

Configure PCoIP event log cleanup by size in MB

Enables the configuration of the PCoIP event log cleanup by size in MB.

When this policy is configured, the setting controls how large a log file can grow before it is cleaned up. For a non-zero setting of m, log files larger than m MB are automatically and silently deleted. A setting of 0 indicates that no file cleanup by size takes place.

When this policy is disabled or not configured, the default event log cleanup by size is 100 MB.

The log file cleanup is performed once at session startup. A change to the setting is not applied until the next session.

Configure PCoIP event log cleanup by time in days

Enables the configuration of the PCoIP event log cleanup by time in days.

When this policy is configured, the setting controls how many days can pass before the log file is cleaned up. For a non-zero setting of n, log files older than n days are automatically and silently deleted. A setting of 0 indicates that no file cleanup by time takes place.

When this policy is disabled or not configured, the default event log cleanup is 7 days.

The log file cleanup is performed once at session startup. A change to the setting is not applied until the next session.

Configure PCoIP event log verbosity

Sets the PCoIP event log verbosity. The values range from 0 (least verbose) to 3 (most verbose).

When this setting is enabled, you can set the verbosity level from 0 to 3. When the setting is not configured or disabled, the default event log verbosity level is 2.

When this setting is modified during an active PCoIP session, the new setting takes effect immediately.

Configure PCoIP image quality levels

Controls how PCoIP renders images during periods of network congestion. The Minimum Image Quality, Maximum Initial Image Quality, and Maximum Frame Rate values interoperate to provide fine control in network-bandwidth constrained environments.

Use the Minimum Image Quality value to balance image quality and frame rate for limited-bandwidth scenarios. You can specify a value between 30 and 100. The default value is 40. A lower value allows higher frame-rates, but with a potentially lower quality display. A higher value provides higher image quality, but with potentially lower frame rates when network bandwidth is constrained. When network bandwidth is not constrained, PCoIP maintains maximum quality regardless of this value.

Use the Maximum Initial Image Quality value to reduce the network bandwidth peaks required by PCoIP by limiting the initial quality of the changed regions of the display image. You can specify a value between 30 and 100. The default value is 80. A lower value reduces the image quality of content changes and decreases peak bandwidth requirements. A higher value increases the image quality of content changes and increases peak bandwidth requirements. Unchanged regions of the image progressively build to a lossless (perfect) quality regardless of this value. A value of 80 or lower best utilizes the available bandwidth.

The Minimum Image Quality value cannot exceed the Maximum Initial Image Quality value.

Use the Maximum Frame Rate value to manage the average bandwidth consumed per user by limiting the number of screen updates per second. You can specify a value between 1 and 120 frames per second. The default value is 30. A higher value can use more bandwidth but provides less jitter, which allows smoother transitions in changing images such as video. A lower value uses less bandwidth but results in more jitter.

These image quality values apply to the soft host only and have no effect on a soft client.

When this setting is disabled or not configured, the default values are used.

When this setting is modified during an active PCoIP session, the new setting takes effect immediately.

Configure frame rate vs image quality preference

Configure the frame rate and image quality preference from 0 (highest frame rate) to 100 (highest image quality). If this policy is disabled or not configured, the default setting is 50.

Higher value (max: 100) means you prefer high image quality even if frame rate is choppy. Lower value (min: 0) means you prefer a fluent experience with aggressive image quality.

This setting could work with the Configure PCoIP image quality levels GPO, which determines the max initial image quality level and min image quality level. While the Frame rate and image quality preference can adjust the image quality level for each frame, it cannot exceed the max/min quality level threshold configured by Configure PCoIP image quality levels GPO.

When this policy is changed during run time, it could take effect immediately.

Configure PCoIP session encryption algorithms

Controls the encryption algorithms advertised by the PCoIP endpoint during session negotiation.

Checking one of the check boxes disables the associated encryption algorithm. You must enable at least one algorithm.

This setting applies to both agent and client. The endpoints negotiate the actual session encryption algorithm that is used. If FIPS140-2 approved mode is enabled, the Disable AES-128-GCM encryption value is always overridden so that AES-128-GCM encryption is enabled.

Supported encryption algorithms, in order of preference, are SALSA20/12-256, AES-GCM-128, and AES-GCM-256. By default, all supported encryption algorithms are available for negotiation by this endpoint.

If both endpoints are configured to support all three algorithms and the connection does not use a Security Gateway (SG), the SALSA20 algorithm will be negotiated and used. However, if the connection uses an SG, SALSA20 is automatically disabled and AES128 will be negotiated and used. If either endpoint or the SG disables SALSA20 and either endpoint disables AES128, then AES256 will be negotiated and used.

Configure PCoIP USB allowed and unallowed device rules

Specifies the USB devices that are authorized and not authorized for PCoIP sessions that use a zero client that runs Teradici firmware. USB devices that are used in PCoIP sessions must appear in the USB authorization table. USB devices that appear in the USB unauthorization table cannot be used in PCoIP sessions.

You can define a maximum of 10 USB authorization rules and a maximum of 10 USB unauthorization rules. Separate multiple rules with the vertical bar (|) character.

Each rule can be a combination of a Vendor ID (VID) and a Product ID (PID), or a rule can describe a class of USB devices. A class rule can allow or disallow an entire device class, a single subclass, or a protocol within a subclass.

The format of a combination VID/PID rule is 1xxxxyyyy, where xxxx is the VID in hexadecimal format and yyyy is the PID in hexadecimal format. For example, the rule to authorize or block a device with VID 0x1a2b and PID 0x3c4d is 11a2b3c4d.

For class rules, use one of the following formats:

Allow all USB devices

Format: 23XXXXXX

Example: 23XXXXXX

Allow USB devices with a specific class ID

Format: 22classXXXX

Example: 22aaXXXX

Allow a specific subclass

Format: 21class-subclassXX

Example: 21aabbXX

Allow a specific protocol

Format: 20class-subclass-protocol

Example: 20aabbcc

For example, the USB authorization string to allow USB HID (mouse and keyboard) devices (class ID 0x03) and webcams (class ID 0x0e) is 2203XXXX|220eXXXX. The USB unauthorization string to disallow USB Mass Storage devices (class ID 0x08) is 2208XXXX.

An empty USB authorization string means that no USB devices are authorized. An empty USB unauthorization string means that no USB devices are banned.

This setting applies to Horizon Agent only and only when the remote desktop is in a session with a zero client that runs Teradici firmware. Device use is negotiated between the endpoints.

By default, all devices are allowed and none are disallowed.

Configure PCoIP virtual channels

Specifies the virtual channels that can and cannot operate over PCoIP sessions. This setting also determines whether to disable clipboard processing on the PCoIP host.

Virtual channels that are used in PCoIP sessions must appear on the virtual channel authorization list. Virtual channels that appear in the unauthorized virtual channel list cannot be used in PCoIP sessions.

You can specify a maximum of 15 virtual channels for use in PCoIP sessions.

Separate multiple channel names with the vertical bar (|) character. For example, the virtual channel authorization string to allow the mksvchan and vdp_rdpvcbridge virtual channels is mksvchan|vdp_vdpvcbridge.

If a channel name contains the vertical bar or backslash (\) character, insert a backslash character before it. For example, type the channel name awk|ward\channel as awk\|ward\\channel.

When the authorized virtual channel list is empty, all virtual channels are disallowed. When the unauthorized virtual channel list is empty, all virtual channels are allowed.

The virtual channels setting applies to both agent and client. Virtual channels must be enabled on both agent and client for virtual channels to be used.

The virtual channels setting provides a separate check box that allows you to disable remote clipboard processing on the PCoIP host. This value applies to the agent only.

By default, all virtual channels are enabled, including clipboard processing.

Configure the PCoIP transport header

Configures the PCoIP transport header and sets the transport session priority.

The PCoIP transport header is a 32-bit header that is added to all PCoIP UDP packets (only if the transport header is enabled and supported by both sides). The PCoIP transport header allows network devices to make better prioritization/QoS decisions when dealing with network congestion. The transport header is enabled by default.

The transport session priority determines the PCoIP session priority reported in the PCoIP transport header. Network devices make better prioritization/QoS decisions based on the specified transport session priority.

When the Configure the PCoIP transport header setting is enabled, the following transport session priorities are available:

  • High

  • Medium (default value)

  • Low

  • Undefined

The transport session priority value is negotiated by the PCoIP agent and client. If the PCoIP agent specifies a transport session priority value, the session uses the agent-specified session priority. If only the client has specified a transport session priority, the session uses the client-specified session priority. If neither agent nor client has specified a transport session priority, or Undefined Priority is specified, the session uses the default value, Medium priority.

Configure the TCP port to which the PCoIP host binds and listens

Specifies the TCP agent port bound to by software PCoIP hosts.

The TCP port value specifies the base TCP port that the agent attempts to bind to. The TCP port range value determines how many additional ports to try if the base port is not available. The port range must be between 1 and 10.

The range spans from the base port to the sum of the base port and port range. For example, if the base port is 4172 and the port range is 10, the range spans from 4172 to 4182.

Do not set the size of the retry port range to 0. Setting this value to 0 causes a connection failure when users log in to the desktop with the PCoIP display protocol. Horizon Client returns the error message, The Display protocol for this desktop is currently not available. Please contact your system administrator.

This setting applies to Horizon Agent only.

On single-user machines, the default base TCP port is 4172 in View 4.5 and later. The default base port is 50002 in View 4.0.x and earlier. By default, the port range is 1.

On RDS hosts, the default base TCP port is 4173. When PCoIP is used with RDS hosts, a separate PCoIP port is used for each user connection. The default port range that is set by the Remote Desktop Service is large enough to accommodate the expected maximum of concurrent user connections.

Important:

As a best practice, do not use this policy setting to change the default port range on RDS hosts, or change the TCP port value from the default of 4173. Most important, do not set the TCP port value to 4172. Resetting this value to 4172 will adversely affect PCoIP performance in RDS sessions.

Configure the UDP port to which the PCoIP host binds and listens

Specifies the UDP agent port bound to by software PCoIP hosts.

The UDP port value specifies the base UDP port that the agent attempts to bind to. The UDP port range value determines how many additional ports to try if the base port is not available. The port range must be between 1 and 10.

Do not set the size of the retry port range to 0. Setting this value to 0 causes a connection failure when users log in to the desktop with the PCoIP display protocol. Horizon Client returns the error message, The Display protocol for this desktop is currently not available. Please contact your system administrator.

The range spans from the base port to the sum of the base port and port range. For example, if the base port is 4172 and the port range is 10, the range spans from 4172 to 4182.

This setting applies to Horizon Agent only.

On single-user machines, the default base UDP port is 4172 for View 4.5 and later and 50002 for View 4.0.x and earlier. By default, the port range is 10.

On RDS hosts, the default base UDP port is 4173. When PCoIP is used with RDS hosts, a separate PCoIP port is used for each user connection. The default port range that is set by the Remote Desktop Service is large enough to accommodate the expected maximum of concurrent user connections.

Important:

As a best practice, do not use this policy setting to change the default port range on RDS hosts, or change the UDP port value from the default of 4173. Most important, do not set the UDP port value to 4172. Resetting this value to 4172 will adversely affect PCoIP performance in RDS sessions.

Enable access to a PCoIP session from a vSphere console

Determines whether to allow a vSphere Client console to display an active PCoIP session and send input to the desktop.

By default, when a client is attached through PCoIP, the vSphere Client console screen is blank and the console cannot send input. The default setting ensures that a malicious user cannot view the user's desktop or provide input to the host locally when a PCoIP remote session is active.

This setting applies to Horizon Agent only.

When this setting is disabled or not configured, console access is not allowed. When this setting is enabled, the console displays the PCoIP session and console input is allowed.

When this setting is enabled, the console can display a PCoIP session that is running on a Windows 7 system only when the Windows 7 virtual machine is hardware v8. Hardware v8 is available only on ESXi 5.0 and later. By contrast, console input to a Windows 7 system is allowed when the virtual machine is any hardware version.

Enable/disable audio in the PCoIP session

Determines whether audio is enabled in PCoIP sessions. Both endpoints must have audio enabled. When this setting is enabled, PCoIP audio is allowed. When it is disabled, PCoIP audio is disabled. When this setting is not configured, audio is enabled by default.

Enable/disable microphone noise and DC offset filter in PCoIP session

Determines whether to enable the microphone noise and DC offset filter for microphone input during PCoIP sessions.

This setting applies to Horizon Agent and Teradici audio driver only.

When this setting is not configured, the Teradici audio driver uses the microphone noise and DC offset filter by default.

Turn on PCoIP user default input language synchronization

Determines whether the default input language for the user in the PCoIP session is synchronized with the default input language of the PCoIP client endpoint. When this setting is enabled, synchronization is allowed. When this setting is disabled or not configured, synchronization is disallowed.

This setting applies to Horizon Agent only.

Configure SSL Connections to satisfy Security Tools

Specifies how SSL session negotiation connections are established.

In order to satisfy port scanners, enable this 'Configure SSL connections' setting and on Horizon Agent, complete the following tasks:

  1. In Microsoft Management Console, store a correctly named and signed certificate into the Personal store for the Local Machine's computer account and mark it exportable.

  2. Store the certificate for the Certificate Authority that signed it in the Trusted Root certificate store.

  3. Disable connections to VMware View 5.1 and earlier.

  4. Configure Horizon Agent to load certificates only from the Certificate Store. If the Personal store for the Local Machine is used, leave the certificate store names unchanged as "MY" and "ROOT" (without the quotes), unless a different store location was used in steps 1 and 2.

The resulting PCoIP Server will satisfy Security Tools such as port scanners.

Configure SSL Protocols

Configures the OpenSSL protocol to restrict the use of certain protocols before establishing an encrypted SSL connection. The protocol list consists of one or more openssl protocol strings separated by colons. Note that all cipher strings are case insensitive.

The default value is: 'TLS1.1:TLS1.2"

This means that both TLS v1.1 and TLS v1.2 are enabled (SSL v2.0, SSLv3.0 and TLS v1.0 are disabled).

This setting applies to both Horizon Agent and Horizon Client.

If it is set on both sides, the OpenSSL protocol negotation rule will be followed.

Configure SSL cipher list

Configures an SSL cipher list to restrict the use of cipher suites before establishing an encrypted SSL connection. The list consists of one or more cipher suite strings separated by colons. All cipher suite strings are case insensitive.

The default value is ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:@STRENGTH.

If this setting is configured, the Enforce AES-256 or stronger ciphers for SSL connection negotiation check box in the Configure SSL connections to satisfy Security Tools setting is ignored.

This setting must be applied to both the PCoIP server and the PCoIP client.