The VMware View Agent Configuration ADMX template file (vdm_agent.admx) contains policy settings related to the authentication and environmental components of Horizon Agent.

The ADMX files are available in VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, which you can download from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the ZIP file.

The following tables describe policy settings in the VMware View Agent Configuration ADMX template file. The template contains both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting.

Agent Configuration Settings

Agent configuration settings are in the VMware View Agent Configuration > Agent Configuration folder in the Group Policy Management Editor.

Table 1. Agent Configuration Policy Settings

Setting

Computer

User

Properties

AllowDirectRDP

X

Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is disabled, the agent permits only Horizon-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an Access is denied error.

By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

Important:

The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default.

AllowSingleSignon

X

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default.

CommandsToRunOnConnect

X

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

See Running Commands on Horizon Desktops for more information.

CommandsToRunOnDisconnect

X

Specifies a list of commands or command scripts to be run when a session is disconnected.

See Running Commands on Horizon Desktops for more information.

CommandsToRunOnReconnect

X

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

See Running Commands on Horizon Desktops for more information.

ConnectionTicketTimeout

X

Specifies the amount of time in seconds that the Horizon connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

CredentialFilterExceptions

X

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

Disable Time Zone Synchronization

X

X

Determines whether the time zone of the Horizon desktop is synchronized with the time zone of the connected client. An enabled setting applies only if the Disable time zone forwarding setting of the Horizon Client Configuration policy is not set to disabled.

This setting is disabled by default.

DPI Synchronization

X

X

Adjusts the system-wide DPI setting for the remote session. When this setting is enabled or not configured, the system-wide DPI setting for the remote session is set to match the corresponding DPI setting on the client operating system. When this setting is disabled, the system-wide DPI setting for the remote session is never changed.

This setting is enabled by default.

Note:

This setting applies only to Windows clients on which Horizon Client 4.2 or later is installed.

Enable multi-media acceleration

X

Determines whether multimedia redirection (MMR) is enabled on the remote desktop.

MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on the remote system directly through a TCP socket to the client. The data is then decoded directly on the client, where it is played. You can disable MMR if the client has insufficient resources to handle local multimedia decoding.

This setting is enabled by default.

Enable Unauthenticated Access

X

Enables or disables the unauthenticated access feature. When this setting is enabled, unauthenticated access users can access published applications from a Horizon Client without AD credentials. When this setting is disabled, unauthenticated access users cannot access published applications from a Horizon Client without AD credentials.

You must reboot the RDS host for this setting to take effect.

This setting is enabled by default.

Force MMR to use software overlay

X

MMR tries to use the hardware overlay to play back video for better performance. When working with multiple displays, the hardware overlay exists only on one of the displays, either the primary display or the display where WMP was started. If WMP is dragged to another display, the video appears as a black rectangle. Use this option to force MMR to use a software overlay that works on all displays.

This setting is enabled by default.

ShowDiskActivityIcon

X

This setting is not supported in this release.

Single sign-on retry timeout

X

Specifies the time, in milliseconds, after which single sign-on is retried. Set the value to 0 to disable single sign-on retry. The default value is 5000 milliseconds.

This setting is enabled by default.

Toggle Display Settings Control

X

Determines whether to disable the Settings tab in the Display control panel when a client session uses the PCoIP display protocol.

This setting is enabled by default.

Note:

The Connect using DNS Name setting was removed in the Horizon 6 version 6.1 release. You can set the Horizon 7 LDAP attribute, pae-PreferDNS, to tell Horizon Connection Server to give preference to DNS names when sending the addresses of desktop machines and RDS hosts to clients and gateways. See "Give Preference to DNS Names When Horizon Connection Server Returns Address Information" in the Horizon 7 Installation document.
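The CredentialFilterExceptions value format described in Table 1 (filenames only, no path, no suffix, semicolon-separated) is easy to get wrong when entries are pasted from a file listing. The following check is an added example, not VMware code. The function name, the list of suffixes it treats as executable suffixes, and the sample value are assumptions made for illustration.

```python
import re

# Assumption: suffixes treated as "executable file suffix" for this check.
EXEC_SUFFIXES = (".exe", ".com", ".scr")
# A backslash, slash or drive colon means the entry carries a path.
PATH_CHARS = re.compile(r"[\\/:]")


def check_credential_filter_exceptions(value):
    """Validate a CredentialFilterExceptions policy value.

    Returns (normalized_value, problems): the entries that passed, joined
    with semicolons, and one message per rejected entry.
    """
    good, problems, seen = [], [], set()
    for raw in value.split(";"):
        name = raw.strip()
        if not name:
            problems.append("empty entry (stray semicolon)")
            continue
        if PATH_CHARS.search(name):
            problems.append(f"{name!r}: includes a path, use the bare filename")
            continue
        if name.lower().endswith(EXEC_SUFFIXES):
            stem = name[: name.rfind(".")]
            problems.append(f"{name!r}: includes a suffix, use {stem!r}")
            continue
        key = name.lower()  # Windows filenames compare case-insensitively
        if key in seen:
            problems.append(f"{name!r}: duplicate entry")
            continue
        seen.add(key)
        good.append(name)
    return ";".join(good), problems


# Constructed sample value, not taken from any real deployment.
SAMPLE = r"legacyapp; C:\Tools\scanner ;report.exe;LegacyApp;;vendor.agent"

if __name__ == "__main__":
    normalized, issues = check_credential_filter_exceptions(SAMPLE)
    print("normalized:", normalized)
    for issue in issues:
        print("problem:", issue)
```

An entry such as vendor.agent passes because the dot is part of the filename rather than an executable suffix. Rejected entries are reported instead of being silently rewritten, so the administrator decides what the policy value should contain.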

Agent Security Setting

The Agent Security setting is in the VMware View Agent Configuration > Agent Security folder in the Group Policy Management Editor.

Table 2. Agent Security Policy Setting

Setting

Computer

User

Properties

Accept SSL encrypted framework channel

X

Enables the SSL encrypted framework channel. The following options are available:

  • Disable - Disable SSL.

  • Enable - Enable SSL. Allow legacy clients to connect without SSL.

  • Enforce - Enable SSL. Refuse legacy client connections.

This setting is enabled by default.

Session Collaboration Settings

Session Collaboration settings are in the VMware View Agent Configuration > Collaboration folder in the Group Policy Management Editor. See Session Collaboration Policy Settings.

Persona Management Settings

Persona Management settings are in the VMware View Agent Configuration > Persona Management folder in the Group Policy Management Editor. See the Setting Up Virtual Desktops in Horizon 7 document.

Scanner Redirection Settings

Scanner Redirection settings are in the VMware View Agent Configuration > Scanner Redirection folder in the Group Policy Management Editor. See Scanner Redirection Group Policy Settings.

Serial COM Settings

Serial COM settings are in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor. See Serial Port Redirection Group Policy Settings.

Smart Card Redirection Settings

Smart card redirection settings are in the VMware View Agent Configuration > Smartcard Redirection > Local Reader Access folder in the Group Policy Management Editor.

Table 3. Smart Card Redirection Policy Settings

Setting

Computer

User

Properties

Allow applications access to Local Smart Card readers

X

If enabled, applications can access all local smart card readers even when the Smart Card Redirection feature is installed. When this setting is enabled, the desktop is monitored for the presence of a local reader. When a local reader is detected, smart card redirection switches off, which allows access to the local readers. Redirection remains off until the next time the user connects to the session. When local access is enabled, applications can no longer access remote readers present on the client.

This setting does not apply to RDP or to RDSH hosts when the Remote Desktop Services role is enabled.

This setting is disabled by default.

Local Reader Name

X

Specifies the name of a local reader to monitor to enable local access. By default, the reader must have a card inserted to enable local access. You can disable this requirement by using the Require an inserted Smart Card setting.

This setting is enabled by default.

Require an inserted Smart Card

X

If enabled, local reader access is enabled if the local reader has a card inserted. If disabled, local access is enabled as long as a local reader is detected.

This setting is enabled by default.

True SSO Configuration Settings

True SSO configuration settings are in the VMware View Agent Configuration > True SSO Configuration folder in the Group Policy Management Editor. See the Horizon 7 Administration document.

Unity Touch and Hosted Apps Settings

Unity Touch and Hosted Apps settings are in the VMware View Agent Configuration > Unity Touch and Hosted Apps folder in the Group Policy Management Editor.

Table 4. Unity Touch and Hosted Apps Policy Settings

Setting

Computer

User

Properties

Send updates for empty or offscreen windows

X

Specifies whether the client receives updates about empty or offscreen windows. When this setting is disabled, information about windows that are smaller than 2x2 pixels, or that are located entirely offscreen, is not sent to the client.

This setting is disabled by default.

Enable Unity Touch

X

Determines whether the Unity Touch functionality is enabled on the remote desktop. Unity Touch supports the delivery of remote applications in Horizon and allows mobile device users to access applications in the Unity Touch sidebar.

This setting is enabled by default.

Enable system tray redirection for Hosted Apps

X

Determines whether system tray redirection is enabled while a user is running remote applications.

This setting is enabled by default.

Enable user profile customization for Hosted Apps

X

X

Specifies whether to customize the user profile when remote applications are used. If this setting is enabled, a user profile is generated, the Windows theme is customized, and startup applications are registered.

This setting is disabled by default.

Only launch new instances of Hosted Apps if arguments are different

X

This policy controls the behavior when a Hosted App is launched but an existing instance of the application is already running inside of a disconnected protocol session. When disabled, the existing instance of the application is activated. When enabled, the existing instance of the application is activated only if the command-line parameters match.

This setting is disabled by default.

Limit usage of Windows hooks

X

Disables most hooks when remote applications or Unity Touch are used. This setting is intended for applications that have compatibility issues when OS-level hooks are set. For example, enabling this setting disables the use of most Windows active accessibility and in-process hooks.

This setting is disabled by default, which means that all preferred hooks are used.

Horizon Agent Direct-Connection Configuration Settings

Horizon Agent Direct-Connection configuration settings are in the VMware View Agent Configuration > View Agent Direct-Connection Configuration folder in the Group Policy Management Editor. See the View Agent Direct-Connection Plug-In Administration document.

Real-Time Audio-Video Configuration Settings

RTAV configuration settings are in the VMware View Agent Configuration > View RTAV Configuration folder in the Group Policy Management Editor. See Real-Time Audio-Video Group Policy Settings.

USB Configuration Settings for Horizon Agent

See USB Settings in the Horizon Agent Configuration ADMX Template.

VMware Client IP Transparency Settings

VMware Client IP transparency settings are in the VMware View Agent Configuration > VMware Client IP Transparency folder in the Group Policy Management Editor.

Table 5. VMware Client IP Transparency Policy Settings

Setting

Computer

User

Properties

Default auto detect proxy

X

Default Internet Explorer connection setting. Turns on Automatically detect settings in Internet Options > Local Area Network (LAN) Settings.

This setting is not enabled by default.

Default Proxy Server

X

Default Internet Explorer connection setting for the proxy server. Specifies the proxy server to use in Internet Options > Local Area Network (LAN) Settings.

This setting is not enabled by default.

Enable

X

Enables VMware Client IP Transparency. Remote connections to Internet Explorer use the client's IP address instead of the IP address of the remote desktop machine. This setting takes effect at the next login.

If the VMware Client IP Transparency custom setup option is selected in the Horizon Agent installer, this setting is enabled by default.

Set proxy for Java applet

X

Sets the proxy for Java applets. The following options are available:

  • Use client ip transparency for Java proxy - directs a remote connection to use the client's IP address instead of the IP address of the remote desktop machine for Java applets.

  • Use direct connection for Java proxy - uses a direct connection to bypass the browser setting for Java applets.

  • Use the default value for Java proxy - restores the original Java proxy settings.

This setting is not enabled by default.

Device Bridge Settings

Device bridge settings are in the VMware View Agent Configuration > VMware Device Bridge folder in the Group Policy Management Editor. See Device Bridge BAS Plugin Policy Settings.

Flash Redirection Settings

Flash redirection settings are in the VMware View Agent Configuration > VMware FlashMMR folder in the Group Policy Management Editor.

Table 6. FlashMMR Policy Settings

Setting

Computer

User

Properties

Enable flash multi-media redirection

X

Specifies whether Flash Redirection is enabled on the agent.

Minimum rect size to enable FlashMMR

X

Specifies the minimum rect size to enable Flash Redirection.

The default width is 320 pixels and the default height is 200 pixels.

HTML5 Multimedia Redirection Settings

HTML5 multimedia redirection settings are in the VMware View Agent Configuration > VMware HTML5 Multimedia Redirection folder in the Group Policy Management Editor. See VMware HTML5 Multimedia Redirection Policy Settings.

VMware Virtualization Pack for Skype for Business Settings

VMware Virtualization Pack for Skype for Business settings are in the VMware View Agent Configuration > VMware Virtualization Pack for Skype for Business folder in the Group Policy Management Editor. See VMware Virtualization Pack for Skype for Business Policy Settings.