The PCoIP Client Session Variables ADMX template file (pcoip.client.admx) contains policy settings related to the PCoIP display protocol. You can configure computer default values that an administrator can override, or you can configure user settings that an administrator cannot override. The settings that can be overridden appear in the PCoIP Client Session Variables > Overridable Administrator Defaults folder in the Group Policy Management Editor. The settings that cannot be overridden appear in the PCoIP Client Session Variables > Not Overridable Settings folder in the Group Policy Management Editor.

The ADMX files are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip, which you can download from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon download, which includes the ZIP file.

Table 1. PCoIP Client Session Variables
Setting Description
Configure PCoIP client image cache size policy Controls the size of the PCoIP client image cache. The client uses image caching to store portions of the display that were previously transmitted. Image caching reduces the amount of data that is retransmitted.

When this setting is disabled, PCoIP uses a default client image cache size of 250 MB.

When you enable this setting, you can configure a client image cache size from a minimum of 50 MB to a maximum of 300 MB. The default value is 250 MB.

This setting is disabled by default.

Configure PCoIP event log cleanup by size in MB Enables the configuration of the PCoIP event log cleanup by size in MB. When this setting is configured, it controls the log file cleanup by size in MB. For example, for a non-zero setting of m, log files larger than m MB are silently deleted. A setting of 0 indicates no file cleanup by size. When this setting is disabled, the default event log cleanup by size in MB setting is 100. This setting is disabled by default.
Configure PCoIP event log cleanup by time in days Enables the configuration of the PCoIP event log cleanup by time in days. When this setting is configured, it controls the log file cleanup by time in days. For example, for a non-zero setting of n, log files older than n days are silently deleted. A setting of 0 indicates no file cleanup by time. When this policy is disabled, the default event log cleanup by time in days setting is 7. This setting is disabled by default.

The log file cleanup is performed once, when the session starts. Any change to the setting is not applied until the next session.

Configure PCoIP event log verbosity

Sets the PCoIP event log verbosity. The values range from 0 (least verbose) to 3 (most verbose).

When this setting is enabled, you can set the verbosity level from 0 to 3. When the setting is disabled, the default event log verbosity level is 2. This setting is disabled by default.

When this setting is modified during an active PCoIP session, the new setting takes effect immediately.

Configure PCoIP session encryption algorithms Controls the encryption algorithms advertised by the PCoIP endpoint during session negotiation.

Selecting one of the check boxes disables the associated encryption algorithm. You must enable at least one algorithm.

This setting applies to both agent and client. The endpoints negotiate the actual session encryption algorithm that is used. If FIPS140-2 approved mode is enabled, the Disable AES-128-GCM encryption value is overridden if both AES-128-GCM encryption and AES-256-GCM encryption are disabled.

If the Configure SSL Connections setting is disabled, both the Salsa20-256round12 and AES-128-GCM algorithms are available for negotiation by this endpoint. This setting is disabled by default.

Supported encryption algorithms, in order of preference, are SALSA20/12-256, AES-GCM-128, and AES-GCM-256. By default, all supported encryption algorithms are available for negotiation by this endpoint.

Configure PCoIP virtual channels Specifies the virtual channels that can and cannot operate over PCoIP sessions. This setting also determines whether to disable clipboard processing on the PCoIP host.

Virtual channels that are used in PCoIP sessions must appear on the virtual channel authorization list. Virtual channels that appear in the unauthorized virtual channel list cannot be used in PCoIP sessions.

You can specify a maximum of 15 virtual channels for use in PCoIP sessions.

Separate multiple channel names with the vertical bar (|) character. For example, the virtual channel authorization string to allow the mksvchan and vdp_rdpvcbridge virtual channels is mksvchan|vdp_rdpvcbridge.

If a channel name contains the vertical bar or backslash (\) character, insert a backslash character before it. For example, type the channel name awk|ward\channel as awk\|ward\\channel.

When the authorized virtual channel list is empty, all virtual channels are disallowed. When the unauthorized virtual channel list is empty, all virtual channels are allowed.

The virtual channels setting applies to both agent and client. Virtual channels must be enabled on both agent and client for virtual channels to be used.

The virtual channels setting provides a separate check box that allows you to disable remote clipboard processing on the PCoIP host. This value applies to the agent only.

By default, all virtual channels are enabled, including clipboard processing.

Configure SSL cipher list

Configures a TLS/SSL cipher list to restrict the use of cipher suites before establishing an encrypted TLS/SSL connection. The list consists of one or more cipher suite strings separated by colons. All cipher suite strings are case insensitive.

The default value is ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:@STRENGTH.

If this setting is configured, the Enforce AES-256 or stronger ciphers for SSL connection negotiation check box in the Configure SSL connections to satisfy Security Tools setting is ignored.

This setting must be applied to both the PCoIP server and the PCoIP client.

Configure SSL connections to satisfy Security Tools Specifies how TLS session negotiation connections are established. To satisfy security tools, such as port scanners, enable this setting and do the following:
  1. Store the certificate for the Certificate Authority that signed any Server certificate to be used with PCoIP in the Trusted Root certificate store.
  2. Configure the agent to load certificates only from the Certificate Store. If the Personal store for the Local Machine is used, leave the CA Certificate store name unchanged with the value ROOT, unless a different store location was used in step 1.

If this setting is disabled, the AES-128 cipher suite is not available and the endpoint uses Certification Authority certificates from the machine account's MY store and Certification Authority certificates from the ROOT store. This setting is disabled by default.

Configure SSL protocols Configures the OpenSSL protocol to restrict the use of certain protocols before establishing an encrypted TLS connection. The protocol list consists of one or more OpenSSL protocol strings separated by colons. All cipher strings are case insensitive.

The default value is TLS1.1:TLS1.2, which means that TLS v1.1 and TLS v1.2 are enabled and SSL v2.0, SSLv3.0, and TLS v1.0 are disabled.

If this setting is set in both the client and the agent, the OpenSSL protocol negotiation rule is followed.

Configure the Client PCoIP UDP port Specifies the UDP client port that is used by software PCoIP clients. The UDP port value specifies the base UDP port to use. If the base port is not available, the UDP port range value determines how many additional ports to try.

The range spans from the base port to the sum of the base port and port range. For example, if the base port is 50002 and the port range is 64, the range spans from 50002 to 50066.

This setting applies to the client only.

By default, the base port is 50002 and the port range is 64.

Configure the maximum PCoIP session bandwidth Specifies the maximum bandwidth, in kilobits per second, in a PCoIP session. The bandwidth includes all imaging, audio, virtual channel, USB, and control PCoIP traffic.

Set this value to the overall capacity of the link to which your endpoint is connected, considering the number of expected concurrent PCoIP sessions. For example, with a single-user VDI configuration (a single PCoIP session) that connects through a 4Mbit/s Internet connection, set this value to 4Mbit, or 10% less than this value to leave some allowance for other network traffic. When you expect multiple concurrent PCoIP sessions to share a link, comprising either multiple VDI users or an RDS configuration, you might want to adjust the setting accordingly. However, lowering this value will restrict the maximum bandwidth for each active session.

Setting this value prevents the agent from attempting to transmit at a higher rate than the link capacity, which would cause excessive packet loss and a poorer user experience. This value is symmetric. It forces the client and agent to use the lower of the two values that are set on the client and agent side. For example, setting a 4 Mbit/s maximum bandwidth forces the agent to transmit at a lower rate, even though the setting is configured on the client.

When this setting is disabled on an endpoint, the endpoint imposes no bandwidth constraints. When this setting is enabled, the setting is used as the endpoint's maximum bandwidth constraint in kilobits per second.

The default value is 900000 kilobits per second.

This setting applies to the agent and the client. If the two endpoints have different settings, the lower value is used.

Configure the PCoIP session bandwidth floor Specifies a lower limit, in kilobits per second, for the bandwidth that the PCoIP session reserves.

This setting configures the minimum expected bandwidth transmission rate for the endpoint. When you use this setting to reserve bandwidth for an endpoint, the user does not have to wait for bandwidth to become available, which improves session responsiveness.

Make sure that you do not over-subscribe the total reserved bandwidth for all endpoints. Make sure that the sum of bandwidth floors for all connections in your configuration does not exceed the network capability.

The default value is 0, which means that no minimum bandwidth is reserved. When this setting is disabled, no minimum bandwidth is reserved. This setting is disabled by default.

This setting applies to the agent and the client, but the setting only affects the endpoint on which it is configured.

When this setting is modified during an active PCoIP session, the change takes effect immediately.

Configure the PCoIP session MTU Specifies the Maximum Transmission Unit (MTU) size for UDP packets for a PCoIP session.

The MTU size includes IP and UDP packet headers. TCP uses the standard MTU discovery mechanism to set MTU and this setting does not affect it.

The maximum MTU size is 1500 bytes. The minimum MTU size is 500 bytes. The default value is 1300 bytes.

Typically, you do not have to change the MTU size. Change this value if you have an unusual network setup that causes PCoIP packet fragmentation.

This setting applies to the agent and the client. If the two endpoints have different MTU size settings, the lowest size is used.

If this setting is disabled or not configured, the client uses the default value in the negotiation with the agent.

Configure the PCoIP transport header Configures the PCoIP transport header and sets the transport session priority.

The PCoIP transport header is a 32-bit header that is added to all PCoIP UDP packets (only if the transport header is enabled and both side support it). The PCoIP transport header allows network devices to make better prioritization/QoS decisions when dealing with network congestion. The transport header is enabled by default.

The transport session priority determines the PCoIP session priority reported in the PCoIP transport header. Network devices make better prioritization/QoS decisions based on the specified transport session priority.

When the Configure the PCoIP transport header setting is enabled, the following transport session priorities are available:

  • High
  • Medium (default value)
  • Low
  • Undefined

The PCoIP agent and client negotiate the transport session priority value. If the PCoIP agent specifies a transport session priority value, the session uses the agent-specified session priority. If only the client has specified a transport session priority, the session uses the client-specified session priority. If neither agent nor client has specified a transport session priority, or Undefined Priority is specified, the session uses the default value, Medium priority.

Enable/disable audio in the PCoIP session Determines whether audio is enabled in PCoIP sessions. Both endpoints must have audio enabled. When this setting is enabled, PCoIP audio is allowed. When it is disabled, PCoIP audio is disabled. Audio is enabled by default.