Horizon Client includes a group policy ADMX template file that you can use to configure Horizon Client features and behavior. You can optimize and secure remote desktop and published application connections by adding the policy settings in the ADMX template file to a new or existing GPO in Active Directory.
The template file contains both Computer Configuration and User Configuration group policies.
- The Computer Configuration policies set policies that apply to Horizon Client, regardless of who is running the client on the host.
- The User Configuration policies set Horizon Client policies that apply to all users who are running Horizon Client, and to RDP connection settings. User Configuration policies override equivalent Computer Configuration policies.
Horizon Client applies policies when remote desktops and published applications start and when users log in.
The Horizon Client Configuration ADMX template file (vdm_client.admx), and all ADMX template files that provide group policy settings, are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyy.zip, where YYMM is the marketing version number, x.x.x is the internal version number, and yyyyyyy is the build number. You can download this ZIP file from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. You must copy the file to your Active Directory server and use the Group Policy Management Editor to add the administrative templates. For instructions, see the Configuring Remote Desktop Features in Horizon document.
Scripting Definition Settings for Client GPOs
You can set group policies for many of the same settings that you can configure when you run Horizon Client from the command line, including the remote desktop window size, login user name, and login domain name.
The following table describes the scripting definition settings in the VMware Horizon Client Configuration ADMX template file. This template file provides a Computer Configuration and a User Configuration version of each scripting definition setting. The User Configuration setting overrides the equivalent Computer Configuration setting. The settings appear in the folder in Group Policy Management Editor.
Setting | Description |
---|---|
Automatically connect if only one launch item is entitled | If a user is entitled to only one remote desktop, connect the user to that remote desktop. This setting prevents the user from having to select a remote desktop from a list that contains only one remote desktop. |
Connect all USB devices to the desktop or remote application on launch | Determines whether all the available USB devices on the client system are connected to the remote desktop or published application when the remote desktop or published application starts. |
Connect USB devices to the desktop or remote application when they are plugged in | Determines whether USB devices are connected to the remote desktop or published application when the devices are plugged in to the client system. |
DesktopLayout | Specifies the layout of the Horizon Client window that users see when they log into a remote desktop. The layout choices are as follows:
This setting is available only when the DesktopName to select setting is also set. |
DesktopName to select | Specifies the default remote desktop that Horizon Client uses during login. |
Disable 3rd-party Terminal Services plugins | Determines whether Horizon Client checks third-party Terminal Services plugins that are installed as normal RDP plugins. If you do not configure this setting, Horizon Client checks third-party plugins by default. This setting does not affect Horizon-specific plugins, such as USB redirection. |
Locked Guest Size | If the display is used on one monitor, specifies the screen resolution of the remote desktop. This setting does not work if you set the remote desktop display to All Monitors. After you enable this setting, remote desktop autofit functionality is disabled and the Allow Display Scaling option is hidden in the Horizon Client user interface. |
Logon DomainName | Specifies the NetBIOS domain that Horizon Client uses during login. |
Logon Password | Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory. For improved security, do not specify this setting. Users can enter the password interactively. |
Logon UserName | Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory. |
Server URL | Specifies the URL that Horizon Client uses during login, for example, https://view1.example.com. |
Suppress error messages (when fully scripted only) | Determines whether Horizon Client error messages are hidden during login. This setting applies only when the login process is fully scripted, for example, when all the required login information is prepopulated through group policy. If the login fails because of incorrect login information, users are not notified and the Horizon Client process is terminated. |
Disconnected application session resumption behavior | Determines how running published applications behave when users reconnect to a server. The choices are as follows:
When this setting is enabled, end users cannot configure the published application reconnection behavior in Horizon Client. When this setting is disabled, end users can configure published application reconnection behavior in Horizon Client. This setting is disabled by default. |
Enable Unauthenticated Access to the server | Determines whether users are required to enter credentials to access their published applications when they use Horizon Client. When this setting is enabled, the Unauthenticated Access setting in Horizon Client is visible, disabled, and selected. The client can fall back to another authentication method if Unauthenticated Access is not available. When this setting is disabled, users are always required to enter their credentials to log in and access their published applications. The Unauthenticated Access setting in Horizon Client is hidden and deselected. Users can enable Unauthenticated Access in Horizon Client by default. The Unauthenticated Access setting is visible, enabled, and deselected. |
Account to use for Unauthenticated Access | Specifies the Unauthenticated Access user account that Horizon Client uses to log in anonymously to the server if the Enable Unauthenticated Access to the server group policy setting is enabled, or if a user enables Unauthenticated Access by selecting Unauthenticated Access in Horizon Client. If Unauthenticated Access is not used for a specific connection to a server, this setting is ignored. Users can select an account by default. |
Use existing client instance when connect to same server | Determines whether a connection is added to the existing Horizon Client instance with which the user is already connected to the same server. This setting is disabled by default when not configured. |
Security Settings for Client GPOs
Security settings include group policies for certificates, login credentials, and the single sign-on feature.
The following table describes the security settings in the Horizon Client Configuration ADMX template file. This table shows whether the settings include both Computer Configuration and User Configuration settings, or only Computer Configuration settings. For the security settings that include both types of settings, the User Configuration setting overrides the equivalent Computer Configuration setting. These settings appear in the folder in the Group Policy Management Editor.
Setting | Computer | User | Description |
---|---|---|---|
Allow command line credentials | X | | Determines whether user credentials can be provided with Horizon Client command-line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line. This setting is enabled by default. The equivalent Windows Registry value is AllowCmdLineCredentials. |
Configures the SSL Proxy certificate checking behavior of the Horizon Client | X | | Determines whether to allow certificate checking for secondary connections through an SSL proxy server for Blast Secure Gateway and secure tunnel connections. When this setting is not configured (the default), users can change the SSL proxy setting in Horizon Client manually. See Setting the Certificate Checking Mode in Horizon Client. By default, Horizon Client blocks SSL proxy connections for Blast Secure Gateway and secure tunnel connections. |
Servers Trusted For Delegation | X | | Specifies the Connection Server instances that accept the user identity and credential information that is passed when a user selects Log in as current user in the Options menu on the Horizon Client menu bar. If you do not specify any Connection Server instances, all Connection Server instances accept this information, unless the Allow logon as current user authentication setting is disabled for the Connection Server instance in Horizon Console. To add a Connection Server instance, use one of the following formats:
The equivalent Windows Registry value is BrokersTrustedForDelegation. |
Certificate verification mode | X | | Configures the level of certificate checking that Horizon Client performs. You can select one of these modes:
When this setting is configured, users can view the selected certificate verification mode in Horizon Client, but cannot configure the setting. The certificate checking mode dialog box informs users that an administrator has locked the setting. When this setting is disabled, Horizon Client users can select a certificate checking mode. This setting is disabled by default. To allow a server to select certificates provided by Horizon Client, the client must make HTTPS connections to the Connection Server or security server host. Certificate checking is not supported if you off-load TLS to an intermediate device that makes HTTP connections to the Connection Server or security server host. If you do not want to configure this setting as a group policy, you can also enable certificate verification by adding the CertCheckMode value name to one of the following registry keys on the client computer:
Use the following values in the registry key:
If you configure both the group policy setting and the CertCheckMode setting in the Windows Registry key, the group policy setting takes precedence over the registry key value.
Note: In a future Horizon Client release, using the Windows registry to configure this setting might not be supported and the group policy setting must be used. |
Default value of the 'Log in as current user' checkbox | X | X | Specifies the default value of Log in as current user in the Options menu on the Horizon Client menu bar. This setting overrides the default value specified during Horizon Client installation. If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting. When Log in as current user is selected in the Options menu, the identity and credential information that the user provided when logging in to the client system is passed to the Connection Server instance and ultimately to the remote desktop or published application. When Log in as current user is deselected, users must provide identity and credential information multiple times before they can access a remote desktop or published application. This setting is disabled by default. The equivalent Windows Registry value is LogInAsCurrentUser. |
Display option to Log in as current user | X | X | Determines whether Log in as current user is visible in the Options menu on the Horizon Client menu bar. When Log in as current user is visible, users can select or deselect it and override its default value. When Log in as current user is hidden, users cannot override its default value from the Horizon Client Options menu. You can specify the default value for Log in as current user by using the policy setting Default value of the 'Log in as current user' checkbox. This setting is enabled by default. The equivalent Windows Registry value is LogInAsCurrentUser_Display. |
Enable jump list integration | X | | Determines whether a jump list appears in the Horizon Client icon on the taskbar of Windows 7 and later systems. The jump list enables users to connect to recent servers, remote desktops, and published applications. If Horizon Client is shared, you might not want users to see the names of recent desktops and published applications. You can disable the jump list by disabling this setting. This setting is enabled by default. The equivalent Windows Registry value is EnableJumplist. |
Enable SSL encrypted framework channel | X | X | Determines whether TLS is enabled for View 5.0 and earlier remote desktops. Before View 5.0, the data sent over port TCP 32111 to the remote desktop was not encrypted.
The equivalent Windows Registry value is EnableTicketSSLAuth. |
Configures SSL protocols and cryptographic algorithms | X | X | Configures the cipher list to restrict the use of certain cryptographic algorithms and protocols before establishing an encrypted TLS connection. The cipher list consists of one or more cipher strings separated by colons. The cipher string is case-sensitive. The default value is TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES, which means that TLS v1.1 and TLS v1.2 are enabled and SSL v2.0, SSL v3.0, and TLS v1.0 are disabled. SSL v2.0, SSL v3.0, and TLS v1.0 are no longer approved protocols and are permanently disabled. Cipher suites use ECDHE, ECDH, and RSA with 128-bit or 256-bit AES. GCM mode is preferred. For more information, see http://www.openssl.org/docs/apps/ciphers.html. The equivalent Windows Registry value is SSLCipherList. |
Enable Single Sign-On for smart card authentication | X | | Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog box. The equivalent Windows Registry value is EnableSmartCardSSO. |
Ignore certificate revocation problems | X | X | Determines whether to check certificate revocation status. When this GPO is enabled, Horizon Client treats the server's certificate as valid even if the certificate sent by the server has been revoked or certificate revocation checking is known to be impossible, for instance if the internet connection is limited. This setting is disabled by default. Note: When this setting is enabled, the client might only use a cached URL during server certificate verification. The types of cached URL information can be CRL Distribution Point (CDP) and Authority Information Access (OCSP and CA issuer access methods). |
Unlock remote sessions when the client machine is unlocked | X | X | Determines whether the Recursive Unlock feature is enabled. The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked. This feature applies only after a user logs in to the server with the Log in as current user feature. This setting is enabled by default. |
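
A pre-deployment check for a candidate SSLCipherList value, following the rules in the Configures SSL protocols and cryptographic algorithms row above. This is an added example, not VMware code. The spellings of the legacy protocol tokens and the weak-keyword list are assumptions taken from standard OpenSSL cipher-string keywords, and the bad sample value is constructed.

```python
import re

# Default value quoted on this page.
DEFAULT_CIPHER_LIST = (
    "TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:"
    "kECDH+AES:ECDH+AES:RSA+AES"
)

# Protocol tokens that appear in the page's default value.
ENABLED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
# Assumed spellings for the protocols the page says are permanently disabled.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
# Standard OpenSSL keywords that select weak or unauthenticated suites.
WEAK_KEYWORDS = {"aNULL", "eNULL", "NULL", "EXPORT", "LOW",
                 "RC4", "DES", "3DES", "MD5"}
KNOWN_KEYWORDS = (ENABLED_PROTOCOLS | LEGACY_PROTOCOLS | WEAK_KEYWORDS
                  | {"kECDH", "ECDH", "RSA", "AES", "AESGCM"})
CANONICAL = {k.lower(): k for k in KNOWN_KEYWORDS}
PROTOCOL_RE = re.compile(r"(ssl|tls)v[\d.]+", re.IGNORECASE)


def parse_cipher_list(value):
    """Split the colon-separated list into protocols, exclusions, selectors."""
    parsed = {"protocols": [], "exclusions": [], "selectors": [], "empty": 0}
    for token in value.split(":"):
        if not token.strip():
            parsed["empty"] += 1
        elif PROTOCOL_RE.fullmatch(token):
            parsed["protocols"].append(token)
        elif token[0] in "!-":
            parsed["exclusions"].append(token)
        else:
            parsed["selectors"].append(token)
    return parsed


def lint_cipher_list(value):
    """Return (code, detail) findings; an empty list means nothing to fix."""
    parsed = parse_cipher_list(value)
    findings = []
    if parsed["empty"]:
        findings.append(("EMPTY_SEGMENT", f"{parsed['empty']} empty segment(s)"))
    for proto in parsed["protocols"]:
        if proto in LEGACY_PROTOCOLS:
            findings.append(("LEGACY_PROTOCOL", proto))
    if not ENABLED_PROTOCOLS.intersection(parsed["protocols"]):
        findings.append(("NO_ENABLED_PROTOCOL", "expected TLSv1.1 and/or TLSv1.2"))
    if "!aNULL" not in parsed["exclusions"]:
        findings.append(("ANON_NOT_EXCLUDED", "!aNULL is missing"))

    # Order expresses preference: GCM selectors should precede non-GCM ones.
    seen_non_gcm = False
    for selector in parsed["selectors"]:
        parts = set(selector.split("+"))
        if parts & WEAK_KEYWORDS:
            findings.append(("WEAK_SELECTOR", selector))
        if "AESGCM" in parts and seen_non_gcm:
            findings.append(("GCM_NOT_PREFERRED", selector))
        elif "AESGCM" not in parts:
            seen_non_gcm = True

    # The list is case-sensitive: catch keywords that differ only by case.
    keywords = list(parsed["protocols"])
    for token in parsed["exclusions"] + parsed["selectors"]:
        keywords.extend(token.lstrip("!-").split("+"))
    for word in keywords:
        canonical = CANONICAL.get(word.lower())
        if canonical and word != canonical:
            findings.append(("CASE_MISMATCH", f"{word} should be {canonical}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: legacy protocol, CBC before GCM, RC4/MD5, wrong case.
    candidate = "SSLv3:TLSv1.2:RSA+AES:RSA+AESGCM:RC4+MD5:!anull"
    for label, value in (("default", DEFAULT_CIPHER_LIST), ("candidate", candidate)):
        print(label, lint_cipher_list(value) or "no findings")
```
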
The following settings appear in the folder in the Group Policy Management Editor.
Setting | Computer | User | Description |
---|---|---|---|
Allow NTLM Authentication | X | | When this setting is enabled, NTLM authentication is allowed with the Log in as current user feature. When this setting is disabled, NTLM authentication is not used for any servers. When this setting is enabled, you can select Yes or No from the Allow fallback from Kerberos to NTLM drop-down menu. When this setting is not configured, NTLM authentication is allowed for the servers listed in the Always use NTLM servers group policy setting. To use NTLM authentication, the server SSL certificate must be valid and Windows policies must not restrict the use of NTLM. For information about configuring fallback from Kerberos to NTLM in a Connection Server instance, see "Using the Log In as Current User Feature Available with Windows-Based Horizon Client" in the VMware Horizon Console Administration document. |
Always use NTLM for servers | X | | When this setting is enabled, the Log in as current user feature always uses NTLM authentication for the listed servers. To create the server list, click Show and enter the server name in the Value column. The naming format for servers is the fully qualified domain name (FQDN). |
RDP Settings for Client GPOs
You can configure group policy settings for options such as the redirection of audio, printers, ports, and other devices when you use the Microsoft RDP display protocol.
The following table describes the Remote Desktop Protocol (RDP) settings in the Horizon Client Configuration ADMX template file. All RDP settings are User Configuration settings. The settings appear in the folder in the Group Policy Management Editor.
Setting | Description |
---|---|
Audio redirection | Determines whether audio information played on the remote desktop is redirected. Select one of the following settings:
This setting applies only to RDP audio. Audio that is redirected through MMR plays in the client. |
Enable audio capture redirection | Determines whether the default audio input device is redirected from the client to the remote session. When this setting is enabled, the audio recording device on the client appears in the remote desktop and can record audio input. The default setting is disabled. |
Bitmap cache file size in unit for number bpp bitmaps | Specifies the size of the bitmap cache, in kilobytes or megabytes, to use for specific bits per pixel (bpp) bitmap color settings. Separate versions of this setting are provided for the following unit and bpp combinations:
|
In-memory bitmap cache size in KB for 8bpp bitmaps | Specifies the size, in kilobytes, of the RAM bitmap cache to use for the 8-bits-per-pixel color setting. If ScaleBitmapCachesByBPP is true (the default), this cache size is multiplied by the bytes per pixel to determine the actual RAM cache size. When this setting is enabled, enter a size in kilobytes. |
Bitmap caching/cache persistence active | Determines whether persistent bitmap caching is used (active). Persistent bitmap caching can improve performance, but it requires additional disk space. |
Color depth | Specifies the color depth of the remote desktop. Select one of the available settings:
|
Cursor shadow | Determines whether a shadow appears under the pointer on the remote desktop. |
Desktop background | Determines whether the desktop background appears when clients connect to a remote desktop. |
Desktop composition | Determines whether desktop composition is enabled on the remote desktop. When desktop composition is enabled, individual windows no longer draw directly to the screen or primary display device as they did in previous versions of Microsoft Windows. Instead, drawing is redirected to off-screen surfaces in video memory, which are then rendered into a desktop image and presented on the display. |
Enable compression | Determines whether RDP data is compressed. This setting is enabled by default. |
Enable RDP Auto-Reconnect | Determines whether the RDP client component attempts to reconnect to a remote desktop after an RDP protocol connection failure. This setting has no effect if the Use secure tunnel connection to desktop option is enabled in Horizon Console. This setting is disabled by default. |
Font smoothing | Determines whether anti-aliasing is applied to the fonts on the remote desktop. |
Menu and window animation | Determines whether animation for menus and windows is enabled when clients connect to a remote desktop. |
Redirect clipboard | Determines whether the local clipboard information is redirected when clients connect to the remote desktop. |
Redirect drives | Determines whether local disk drives are redirected when clients connect to the remote desktop. By default, local drives are redirected. Enabling this setting, or leaving it unconfigured, allows data on the redirected drive on the remote desktop to be copied to the drive on the client computer. Disable this setting if allowing data to pass from the remote desktop to users' client computers represents a potential security risk in your deployment. Another approach is to disable folder redirection in the remote desktop virtual machine by enabling the Microsoft Windows group policy setting, Do not allow drive redirection. The Redirect drives setting applies to RDP only. |
Redirect printers | Determines whether local printers are redirected when clients connect to the remote desktop. |
Redirect serial ports | Determines whether local COM ports are redirected when clients connect to the remote desktop. |
Redirect smart cards | Determines whether local smart cards are redirected when clients connect to the remote desktop. Note: This setting applies to both RDP and PCoIP connections. |
Redirect supported plug-and-play devices | Determines whether local plug-and-play and point-of-sale devices are redirected when clients connect to the remote desktop. This behavior is different from the redirection that the USB Redirection component of the agent manages. |
Shadow bitmaps | Determines whether bitmaps are shadowed. This setting has no effect in full-screen mode. |
Show contents of window while dragging | Determines whether the folder contents appear when users drag a folder to a new location. |
Themes | Determines whether themes appear when clients connect to a remote desktop. |
Windows key combination redirection | Determines where Windows key combinations are applied. This setting lets you send key combinations to the remote virtual machine or apply key combinations locally. Key combinations are applied locally by default. |
Enable Credential Security Service Provider | Specifies whether the remote desktop connection uses Network Level Authentication (NLA). If the guest operating system requires NLA for remote desktop connections, you must enable this setting or Horizon Client might not connect to the remote desktop. In addition to enabling this setting, you must also verify that the following conditions are met:
|
General Settings for Client GPOs
General settings include proxy options, time zone forwarding, multimedia acceleration, and other display settings.
The following table describes the general settings in the Horizon Client Configuration ADMX template file. General settings include both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting. The settings appear in the VMware Horizon Client Configuration folder in the Group Policy Management Editor.
Setting | Computer | User | Description |
---|---|---|---|
Allow Blast connections to use operating system proxy settings | X | | Configures proxy server use for VMware Blast connections. When this setting is enabled, VMware Blast can connect through a proxy server. When this setting is disabled, VMware Blast cannot use a proxy server. When this setting is not configured (the default), users can configure whether VMware Blast connections can use a proxy server in the Horizon Client user interface. See Configure VMware Blast Options. |
Allow data sharing | X | | When this setting is enabled, the data sharing mode setting in the Horizon Client user interface is set to On and end users cannot change the setting. When this setting is disabled, the data sharing mode setting in the Horizon Client user interface is set to Off and end users cannot change the setting. When this setting is not configured (the default), end users can change the data sharing mode setting in the Horizon Client user interface. |
Allow display scaling | X | X | When this setting is enabled, the display scaling feature is enabled for all remote desktops and published applications. When this setting is disabled, the display scaling feature is disabled for all remote desktops and published applications. If this setting is not configured (the default setting), end users can enable and disable display scaling in the Horizon Client user interface. You can also hide the display scaling preference in the Horizon Client user interface by enabling the Locked Guest Size group policy setting. |
Allow H.264 Decoding | X | | Configures H.264 decoding for the VMware Blast protocol. When this setting is enabled, H.264 decoding becomes the preferred option. When this setting is disabled, H.264 decoding is never used. When this setting is not configured, users can choose whether to enable H.264 decoding. See Configure VMware Blast Options. |
Allow H.264 high color accuracy | X | | Configures high-color accuracy mode for H.264. This setting takes effect only if H.264 decoding is enabled. When this setting is not configured, users can choose whether to enable high-color accuracy mode. See Configure VMware Blast Options. |
Allow HEVC Decoding | X | | Configures HEVC (also known as H.265) decoding for the VMware Blast protocol. When this setting is enabled, HEVC decoding becomes the preferred option. When this setting is disabled, HEVC decoding is never used. When this setting is not configured, users can choose whether to enable HEVC decoding. See Configure VMware Blast Options. |
Allow user to skip Horizon Client update | X | | Specifies whether users can click the Skip button in the Horizon Client update window. If users click Skip, they do not see another update notification until the next Horizon Client version is available. |
Always hide the remote floating language (IME) bar for Hosted Apps | X | X | Forces the floating language bar off for application sessions. When this setting is enabled, the floating language bar is never shown in a published application session, regardless of whether the local IME feature is enabled. When this setting is disabled, the floating language bar is shown only if the local IME feature is disabled. This setting is disabled by default. |
Always on top | X | | Determines whether the Horizon Client window is always the topmost window. Enabling this setting prevents the Windows taskbar from obscuring a full-screen Horizon Client window. This setting is disabled by default. |
Automatic input focus in a virtual desktop window | X | X | When this setting is enabled, Horizon Client sends input to the remote desktop automatically when a user brings the remote desktop to the front. In other words, focus is not in the frame of the window, and the user does not need to click inside the remote desktop window to move focus. |
Automatically check for updates | X | | Specifies whether to check for Horizon Client software updates automatically. This setting controls the Check for updates and show badge notification check box on the Horizon Client update window. This setting is enabled by default. |
Automatically install shortcuts when configured on the Horizon server | X | X | When published application and remote desktop shortcuts are configured on a Connection Server instance, this setting specifies how and whether the shortcuts are installed on client machines when users connect to the server. When this setting is enabled, shortcuts are installed on client machines. Users are not prompted to install the shortcuts. When this setting is disabled, shortcuts are never installed on client machines. Users are not prompted to install the shortcuts. Users are prompted to install the shortcuts by default. |
Automatically synchronize the keypad, scroll and caps lock keys | X | | When this setting is enabled, the toggle states of the Num Lock, Scroll Lock, and Caps Lock keys are synchronized from the client device to a remote desktop. In Horizon Client, the Automatically synchronize the keypad, scroll and cap lock keys setting check box is selected and the setting is dimmed. When this setting is disabled, the lock key toggle states are synchronized from the remote desktop to the client device. In Horizon Client, the Automatically synchronize the keypad, scroll and cap lock keys setting check box is deselected and the setting is dimmed. When this setting is either enabled or disabled, users cannot modify the Automatically synchronize the keypad, scroll and cap lock keys setting in Horizon Client. When this setting is not configured, a user can enable or disable lock key synchronization for a remote desktop by configuring the Automatically synchronize the keypad, scroll and cap lock keys setting in Horizon Client. See Configure Lock Key Synchronization. This setting is not configured by default. |
Block multiple Horizon Client instances per Windows session | X | | Prevents a user from starting multiple Horizon Client instances during a Windows session. When this setting is enabled, Horizon Client runs in single-instance mode and a user cannot start multiple Horizon Client instances in a Windows session. When this setting is disabled, a user can start multiple Horizon Client instances in a Windows session. This setting is disabled by default. |
Configure maximum latency for mouse coalescing | X | | Sets the maximum latency allowed, in milliseconds, when coalescing mouse movement events. Valid values are 0 through 50. A value of 0 disables the feature. Coalescing mouse movement events can reduce client-to-agent bandwidth use, but can potentially add minor latency to mouse movement. This setting is disabled by default. |
Custom error screen footer | X | | Enables you to add custom help text to the bottom of all Horizon Client error messages. You must provide the help text in a plain text (.txt) file on the local client system. The text file can contain up to 2048 characters, including control characters. Both ANSI and Unicode encoding are supported. When this setting is enabled, you specify the full path to the file that contains the custom help text in the text box provided, for example, C:\myDocs\errorFooter.txt. This setting is disabled by default. |
Default value of the "Hide the selector after launching an item" check box | X | X | Sets whether the Hide the selector after launching an item check box is selected by default. This setting is disabled by default. |
Disable desktop disconnect messages | X | X | Specifies whether messages that are normally shown upon remote desktop disconnection are disabled. These messages are shown by default. |
Disable sharing files and folders | X | | Specifies whether client drive redirection functionality is available in Horizon Client. When this setting is enabled, all client drive redirection functionality is disabled in Horizon Client, including the ability to open local files with published applications. In addition, the following elements are hidden in the Horizon Client user interface:
When this setting is disabled, the client drive redirection feature is fully functional. This setting is disabled by default. |
Disable time zone forwarding | X | | Determines whether time zone synchronization between the remote desktop and the connected client is disabled. |
Disable toast notifications | X | X | Determines whether to disable toast notifications from Horizon Client. Enable this setting if you do not want the user to see toast notifications in the corner of the screen. Note: If you enable this setting, the user does not see a five-minute warning when the Session Timeout function is active. |
Disallow passing through client information in a nested session | X | | Specifies whether Horizon Client is prevented from passing through client information in a nested session. When enabled, if Horizon Client is running inside a remote session, it sends the actual physical client information instead of the virtual machine device information. This setting applies to the following client information: device name and domain, client type, IP address, and MAC address. This setting is disabled by default, which means passing through client information in a nested session is allowed. |
Display modifier function key | X | X | Specifies the switch modifier and function key combination that a user can press that, when grabbed and injecting input into a PCoIP or VMware Blast remote desktop session, changes the display configuration on the client machine. When this setting is not configured (the default setting), the end user must use the mouse to ungrab the remote desktop and then press the Windows logo key + P to select a presentation display mode. This setting does not apply to published application sessions. |
Disable opening local files in hosted applications | X | Specifies whether Horizon Client registers local handlers for the file extensions that hosted applications support. When this setting is enabled, Horizon Client does not register any file extension handlers and does not allow the user to override the setting. When this setting is disabled, Horizon Client always registers file extension handlers. By default, file extension handlers are registered, but users can disable the feature in the Horizon Client user interface by using the Turn on the ability to open a local file with a remote application from the local file system setting on the Sharing panel in the Settings dialog box. For more information, see Share Local Folders and Drives. This setting is disabled by default. |
Don't check monitor alignment on spanning | X | By default, the client desktop does not span multiple monitors if the screens do not form an exact rectangle when they are combined. Enable this setting to override the default. This setting is disabled by default. | |
Enable multi-media acceleration | X | Determines whether multimedia redirection (MMR) is enabled on the client. MMR does not work correctly if the Horizon Client video display hardware does not have overlay support. |
Enable relative mouse | X | X | Enables the relative mouse when using the PCoIP display protocol. Relative mouse mode improves the mouse behavior for certain graphics applications and games. If the remote desktop does not support the relative mouse, this setting is not used. This setting is disabled by default. |
Enable the shade | X | Determines whether the shade menu bar at the top of the Horizon Client window is visible. This setting is enabled by default. Note: The shade menu bar is disabled by default for kiosk mode. |
Enable Horizon Client online update | X | Enables the online update feature. This setting is enabled by default. Note: You can also disable the online update feature by setting the AUTO_UPDATE_ENABLED property to 0 when you install Horizon Client from the command line. For more information, see Install Horizon Client From the Command Line. |
Enable Split Mks Window | X | This setting provides a temporary workaround for multi-monitor display problems encountered when using Horizon Client for Windows 2106 or later with unified communications (UC) applications such as Cisco WebEx and Zoom. This setting is enabled by default. If your UC vendor has not yet provided an application update that fixes the display problem, you can implement a temporary workaround by disabling this setting. Disabling this setting turns off the default windows hierarchy and causes windows to be displayed in relation to the bounding box of all monitors in a multi-monitor setup. For more information, see VMware Knowledge Base (KB) article 85400. Note: Use this workaround only as a temporary fix until you can install the updated version of the UC application that fixes the display problem permanently. After installing the updated UC application, turn on the default windows hierarchy again by enabling this setting from the GPO. |
Hide items in application context menu | X | X | Use this setting to hide items in the context menu that appears when you right-click a published application in the desktop and application selector window. When this setting is enabled, you can configure the following options:
This setting is disabled by default. |
Hide items in desktop context menu | X | X | Use this setting to hide items in the context menu that appears when you right-click a remote desktop in the desktop and application selector window. When this setting is enabled, you can configure the following options:
This setting is disabled by default. |
Hide items in desktop toolbar | X | X | Use this setting to hide items on the menu bar in a remote desktop window.
When this setting is enabled, you can configure the following options.
This setting is disabled by default. |
Hide items in system tray menu | X | X | Use this setting to hide items in the context menu that appears when you right-click the Horizon Client icon in the system tray on the local client system. When this setting is enabled, you can configure the following options.
This setting is disabled by default. |
Hide items in the client toolbar menu | X | X | Use this setting to hide items in the toolbar at the top of the desktop and application selector window. When this setting is enabled, you can configure the following options.
This setting is disabled by default. |
Hotkey combination to grab input focus | X | X | Configures a hot key combination to grab input focus for the last-used PCoIP or VMware Blast remote desktop session. The hot key consists of one or two modifier keys and one letter key. When this setting is disabled or not configured, the user can grab focus by clicking inside the remote desktop window. This setting is not configured by default. |
Hotkey combination to release input focus | X | X | Configures a hot key combination to release input focus from a PCoIP or VMware Blast remote desktop session. The hot key consists of one or two modifier keys and one function key. When the Minimize the fullscreen virtual desktop after release input focus check box is selected, users can press any hot key that is configured to release input focus (for example, Ctrl+Shift+F5) to minimize the remote desktop window when the remote desktop is in full-screen mode. By default, Ctrl+Shift+F5 minimizes the remote desktop window when the desktop is in full-screen mode without any configuration. When this setting is disabled or not configured, the user can release focus by pressing Ctrl+Alt or clicking outside the remote desktop window. This setting is not configured by default. |
Pin the shade | X | Determines whether the pin on the shade at the top of the Horizon Client window is enabled and auto-hiding of the menu bar does not occur. This setting has no effect if the shade is disabled. This setting is enabled by default. | |
Save resolution and DPI to server | X | Determines whether Horizon Client saves custom display resolution and display scaling settings on the server. For information about customizing the display resolution and display scaling settings for a remote desktop, see Customize the Display Resolution and Display Scaling for a Remote Desktop. When this setting is enabled, and the display resolution or display scaling has been customized for a remote desktop, each time a user opens the remote desktop, the custom settings are applied automatically, regardless of the client device that the user uses to log in to the remote desktop. This setting is disabled by default. |
Tunnel proxy bypass address list | X | Specifies a list of tunnel addresses. The proxy server is not used for these addresses. Use a semicolon (;) to separate multiple entries. | |
Update message pop-up | X | Specifies whether to show the update pop-up message to end users automatically when a new version of Horizon Client is available. This setting controls the Show pop-up message when there is an update check box on the Horizon Client update window. This setting is disabled by default. | |
URL for Horizon Client online help | X | Specifies an alternate URL from which Horizon Client can retrieve help pages. This setting is intended for use in environments that cannot retrieve the remotely hosted help system because they do not have Internet access. | |
URL for Horizon Client online update | X | Specifies an alternate URL from which Horizon Client can retrieve updates. This setting is intended for use in an environment that defines its own private/personal update center. If it is not enabled, the VMware official update server is used. |
USB Settings for Client GPOs
You can define USB policy settings for Horizon Agent and Horizon Client. On connection, Horizon Client downloads the USB policy settings from Horizon Agent and uses those settings, together with the Horizon Client USB policy settings, to determine which devices are available for redirection from the host machine.
The following table describes each policy setting for splitting composite USB devices in the Horizon Client Configuration ADMX template file. The settings apply at the computer level. The settings from the GPO at the computer level take precedence over the registry at HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\USB. The settings appear in the folder in the Group Policy Management Editor.
For more information about using policies to control USB redirection, see the Configuring Remote Desktop Features in Horizon document.
Setting | Description |
---|---|
Allow Auto Device Splitting | Allow the automatic splitting of composite USB devices. The default value is undefined, which equates to false. |
Exclude Vid/Pid Device From Split | Excludes a composite USB device specified by vendor and product IDs from splitting. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]... You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0781_pid-55** The default value is undefined. |
Split Vid/Pid Device | Treats the components of a composite USB device specified by vendor and product IDs as separate devices. The format of the setting is vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww ]) You can use the exintf keyword to exclude components from redirection by specifying their interface number. You must specify ID numbers in hexadecimal, and interface numbers in decimal including any leading zero. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0781_pid-554c(exintf:01;exintf:02) Note: Horizon does not automatically include the components that you have not explicitly excluded. You must specify a filter policy such as Include Vid/Pid Device to include those components. The default value is undefined. |
The following table describes the policy settings in the Horizon Client Configuration ADMX template file for filtering USB devices. The settings apply at the computer level. The settings from the GPO at the computer level take precedence over the registry at HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\USB.
For more information about configuring filter policy settings for USB redirection, see the Configuring Remote Desktop Features in Horizon document.
Setting | Description |
---|---|
Allow Audio Input Devices | Allows audio input devices to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. |
Allow Audio Output Devices | Allows audio output devices to be redirected. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. |
Allow HID-Bootable | Allows input devices other than keyboards or mice that are available at startup time (also known as hid-bootable devices) to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. |
Allow Device Descriptor Failsafe Behavior | Allows devices to be redirected even if the Horizon Client fails to get the config/device descriptors. To allow a device even if it fails the config/desc, include it in the Include filters, such as IncludeVidPid or IncludePath. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. |
Allow Other Input Devices | Allows input devices other than hid-bootable devices or keyboards with integrated pointing devices to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. |
Allow Keyboard and Mouse Devices | Allows keyboards with integrated pointing devices (such as a mouse, trackball, or touch pad) to be redirected. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. |
Allow Smart Cards | Allows smart-card devices to be redirected. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. |
Allow Video Devices | Allows video devices to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. |
Disable Remote Configuration | Disables the use of agent settings when performing USB device filtering. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. |
Exclude All Devices | Excludes all USB devices from being redirected. If set to true, you can use other policy settings to allow specific devices or families of devices to be redirected. If set to false, you can use other policy settings to prevent specific devices or families of devices from being redirected. If you set the value of Exclude All Devices to true on the agent, and this setting is passed to Horizon Client, the agent setting overrides the Horizon Client setting. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. |
Exclude Automatically Connection Device Family | Excludes families of devices from being forwarded automatically. Use the following syntax: family-name[;...] For example: storage;hid |
Exclude Automatically Connection Vid/Pid Device | Excludes devices that have specific vendor and product IDs from being forwarded automatically. Use the following syntax: vid-xxxx_pid-xxxx|*[;...] For example: vid-0781_pid-554c;vid-0781_pid-9999 |
Exclude Device Family | Excludes families of devices from being redirected. The format of the setting is family_name_1[;family_name_2]... For example: bluetooth;smart-card If you have enabled automatic device splitting, Horizon examines the device family of each interface of a composite USB device to decide which interfaces are excluded. If you have disabled automatic device splitting, Horizon examines the device family of the whole composite USB device. The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. |
Exclude Vid/Pid Device | Excludes devices that have specific vendor and product IDs from being redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]... You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0781_pid-****;vid-0561_pid-554c The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. |
Exclude Path | Exclude devices at specified hub or port paths from being redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]... You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths. For example: bus-1/2/3_port-02;bus-1/1/1/4_port-ff The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. |
Include Device Family | Includes families of devices that can be redirected. The format of the setting is family_name_1[;family_name_2]... For example: storage The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. |
Include Path | Include devices at a specified hub or port paths that can be redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]... You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths. For example: bus-1/2_port-02;bus-1/7/1/4_port-0f The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. |
Include Vid/Pid Device | Specifies USB devices that have a specified vendor and product ID that can be redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]... You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0561_pid-554c The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. |
In a nested mode or double-hop scenario, a user connects from the physical client system to a remote desktop, starts Horizon Client inside the remote desktop (the nested session), and connects to another remote desktop. To make the device work as expected in the nested session, you must configure the USB policy settings in the same way on both the physical client machine and in the nested session.
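The Vid/Pid filter strings and the Split Vid/Pid Device value described in the tables above can be checked before they go into a GPO. The following is an added example, not VMware code: it parses the documented formats, matches device IDs against the `*` wildcard, and reports how many concrete IDs a pattern covers. It assumes every ID is exactly four characters and every interface number exactly two decimal digits; all function names are hypothetical.

```python
import re

# Assumption of this example: an ID is exactly four characters, each a
# hexadecimal digit or the '*' wildcard that stands for one digit.
ID = r"[0-9a-fA-F*]{4}"
ENTRY_RE = re.compile(rf"vid-({ID})_pid-({ID})")
SPLIT_RE = re.compile(rf"vid-({ID})_pid-({ID})\(([^()]*)\)")
# Assumption: interface numbers are two decimal digits, leading zero included.
EXINTF_RE = re.compile(r"exintf:(\d{2})")


def parse_vidpid_list(value):
    """Parse 'vid-xxxx_pid-yyyy[;vid-...]' into a list of (vid, pid) patterns."""
    patterns = []
    for raw in value.split(";"):
        entry = raw.strip()
        match = ENTRY_RE.fullmatch(entry)
        if match is None:
            raise ValueError(f"malformed Vid/Pid entry: {entry!r}")
        patterns.append((match.group(1).lower(), match.group(2).lower()))
    return patterns


def is_valid_vidpid_list(value):
    """Return True when every entry of the list follows the documented format."""
    try:
        parse_vidpid_list(value)
    except ValueError:
        return False
    return True


def id_matches(pattern, value):
    """Compare a 16-bit ID with a pattern; '*' accepts any single hex digit."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("USB vendor and product IDs are 16-bit values")
    return all(p in ("*", d) for p, d in zip(pattern, f"{value:04x}"))


def device_matches(patterns, vid, pid):
    """Return True when (vid, pid) is matched by at least one pattern."""
    return any(id_matches(v, vid) and id_matches(p, pid) for v, p in patterns)


def covered_ids(pattern):
    """Number of concrete vid/pid pairs one pattern covers (16 per wildcard)."""
    vid, pid = pattern
    return 16 ** (vid.count("*") + pid.count("*"))


def parse_split(value):
    """Parse 'vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww])'.

    Returns ((vid, pid), [excluded interface numbers]).
    """
    match = SPLIT_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"malformed split entry: {value!r}")
    excluded = []
    for raw in match.group(3).split(";"):
        item = EXINTF_RE.fullmatch(raw.strip())
        if item is None:
            raise ValueError(f"malformed exintf item: {raw!r}")
        excluded.append(int(item.group(1)))
    return (match.group(1).lower(), match.group(2).lower()), excluded


if __name__ == "__main__":
    # Values taken from the examples in the tables above.
    exclude = parse_vidpid_list("vid-0781_pid-****;vid-0561_pid-554c")
    for pattern in exclude:
        print(pattern, "covers", covered_ids(pattern), "ID pairs")
    # Constructed device IDs, used only to exercise the matcher.
    print(device_matches(exclude, 0x0781, 0x1234))
    print(device_matches(exclude, 0x0561, 0x554D))
    print(parse_split("vid-0781_pid-554c(exintf:01;exintf:02)"))
```

Reviewing `covered_ids` for each Include Vid/Pid Device entry shows how much a wildcard widens the set of devices allowed for redirection.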
VMware Browser Redirection Settings for Client GPOs
You can configure group policy settings for the Browser Redirection feature.
The following table describes the Browser Redirection settings in the Horizon Client Configuration ADMX template file. All Browser Redirection settings are Computer Configuration settings. The settings appear in the folder in the Group Policy Management Editor.
For information about agent-side Browser Redirection settings, see the Configuring Remote Desktop Features in Horizon document.
Setting | Description |
---|---|
Enable WebRTC camera and microphone access for browser redirection | When this setting is enabled, redirected pages that use WebRTC have access to the client system's camera and microphone. This setting is enabled by default. |
Ignore certificate errors for browser redirection | When this setting is enabled, certificate errors that occur in the redirected page are ignored and browsing proceeds. This setting is disabled by default. |
Enable cache for browser redirection | When this setting is enabled, the browsing history, including cookies, is stored on the client system. Note: Disabling this setting does not clear the cache. If you disable and then re-enable this setting, the cache is reused. This setting is enabled by default. |
VMware Integrated Printing Settings for Client GPOs
You can configure group policy settings for the VMware Integrated Printing feature.
The following table describes the VMware Integrated Printing settings in the Horizon Client Configuration ADMX template file. The table shows whether the settings include both Computer Configuration and User Configuration settings, or only Computer Configuration settings. For the settings that include both types of settings, the User Configuration setting overrides the equivalent Computer Configuration setting. The settings appear in the folder in the Group Policy Management Editor.
For information about agent-side VMware Integrated Printing settings, see the Configuring Remote Desktop Features in Horizon document.
Setting | Computer | User | Description |
---|---|---|---|
Do not redirect client printer(s) | X | X | Determines whether client printers are redirected. When this setting is enabled, no client printers are redirected. When this setting is disabled or not configured, all client printers are redirected. This setting is not configured by default. |
Allow to redirect L1 local printers to inner session | X | X | Determines whether to redirect L1 local printers to the inner session. VMware supports running Horizon Client inside a remote desktop. This configuration, commonly called nested mode, involves three layers and two hops, as follows:
When this setting is enabled, the L1 local printers are redirected to the inner session. When this setting is not configured or disabled, the L1 local printers are not redirected to the inner session. This setting is not configured by default. |
PCoIP Client Session Variables ADMX Template Settings
The PCoIP Client Session Variables ADMX template file (pcoip.client.admx) contains policy settings related to the PCoIP display protocol. You can configure computer default values that an administrator can override, or you can configure user settings that an administrator cannot override. The settings that can be overridden appear in the folder in the Group Policy Management Editor. The settings that cannot be overridden appear in the folder in the Group Policy Management Editor.
The ADMX files are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip, which you can download from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon download, which includes the GPO Bundle containing the ZIP file.
Setting | Description |
---|---|
Configure PCoIP client image cache size policy | Controls the size of the PCoIP client image cache. The client uses image caching to store portions of the display that were previously transmitted. Image caching reduces the amount of data that is retransmitted. When this setting is disabled, PCoIP uses a default client image cache size of 250 MB. When you enable this setting, you can configure a client image cache size from a minimum of 50 MB to a maximum of 300 MB. The default value is 250 MB. This setting is disabled by default. |
Configure PCoIP event log cleanup by size in MB | Enables the configuration of the PCoIP event log cleanup by size in MB. When this setting is configured, it controls the log file cleanup by size in MB. For example, for a non-zero setting of m, log files larger than m MB are silently deleted. A setting of 0 indicates no file cleanup by size. When this setting is disabled, the default event log cleanup by size in MB setting is 100. This setting is disabled by default. |
Configure PCoIP event log cleanup by time in days | Enables the configuration of the PCoIP event log cleanup by time in days. When this setting is configured, it controls the log file cleanup by time in days. For example, for a non-zero setting of n, log files older than n days are silently deleted. A setting of 0 indicates no file cleanup by time. When this policy is disabled, the default event log cleanup by time in days setting is 7. This setting is disabled by default. The log file cleanup is performed once, when the session starts. Any change to the setting is not applied until the next session. |
Configure PCoIP event log verbosity | Sets the PCoIP event log verbosity. The values range from 0 (least verbose) to 3 (most verbose). When this setting is enabled, you can set the verbosity level from 0 to 3. When the setting is disabled, the default event log verbosity level is 2. This setting is disabled by default. When this setting is modified during an active PCoIP session, the new setting takes effect immediately. |
Configure PCoIP session encryption algorithms | Controls the encryption algorithms advertised by the PCoIP endpoint during session negotiation. Selecting one of the check boxes disables the associated encryption algorithm. You must enable at least one algorithm. This setting applies to both agent and client. The endpoints negotiate the actual session encryption algorithm that is used. If FIPS140-2 approved mode is enabled, the Disable AES-128-GCM encryption value is overridden if both AES-128-GCM encryption and AES-256-GCM encryption are disabled. If the Configure SSL Connections setting is disabled, both the Salsa20-256round12 and AES-128-GCM algorithms are available for negotiation by this endpoint. This setting is disabled by default. Supported encryption algorithms, in order of preference, are SALSA20/12-256, AES-GCM-128, and AES-GCM-256. By default, all supported encryption algorithms are available for negotiation by this endpoint. |
Configure PCoIP virtual channels | Specifies the virtual channels that can and cannot operate over PCoIP sessions. This setting also determines whether to disable clipboard processing on the PCoIP host. Virtual channels that are used in PCoIP sessions must appear on the virtual channel authorization list. Virtual channels that appear in the unauthorized virtual channel list cannot be used in PCoIP sessions. You can specify a maximum of 15 virtual channels for use in PCoIP sessions. Separate multiple channel names with the vertical bar (|) character. For example, the virtual channel authorization string to allow the mksvchan and vdp_rdpvcbridge virtual channels is mksvchan|vdp_rdpvcbridge. If a channel name contains the vertical bar or backslash (\) character, insert a backslash character before it. For example, type the channel name awk|ward\channel as awk\|ward\\channel. When the authorized virtual channel list is empty, all virtual channels are disallowed. When the unauthorized virtual channel list is empty, all virtual channels are allowed. The virtual channels setting applies to both agent and client. Virtual channels must be enabled on both agent and client for virtual channels to be used. The virtual channels setting provides a separate check box that allows you to disable remote clipboard processing on the PCoIP host. This value applies to the agent only. By default, all virtual channels are enabled, including clipboard processing. |
Configure SSL cipher list | Configures a TLS/SSL cipher list to restrict the use of cipher suites before establishing an encrypted TLS/SSL connection. The list consists of one or more cipher suite strings separated by colons. All cipher suite strings are case insensitive. The default value is ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:@STRENGTH. If this setting is configured, the Enforce AES-256 or stronger ciphers for SSL connection negotiation check box in the Configure SSL connections to satisfy Security Tools setting is ignored. This setting must be applied to both the PCoIP server and the PCoIP client. |
Configure SSL connections to satisfy Security Tools | Specifies how TLS session negotiation connections are established. To satisfy security tools, such as port scanners, enable this setting and do the following:
If this setting is disabled, the AES-128 cipher suite is not available and the endpoint uses Certification Authority certificates from the machine account's MY store and Certification Authority certificates from the ROOT store. This setting is disabled by default. |
Configure SSL protocols | Configures the OpenSSL protocol to restrict the use of certain protocols before establishing an encrypted TLS connection. The protocol list consists of one or more OpenSSL protocol strings separated by colons. All cipher strings are case insensitive. The default value is TLS1.1:TLS1.2, which means that TLS v1.1 and TLS v1.2 are enabled and SSL v2.0, SSLv3.0, and TLS v1.0 are disabled. If this setting is set in both the client and the agent, the OpenSSL protocol negotiation rule is followed. |
Configure the Client PCoIP UDP port | Specifies the UDP client port that is used by software PCoIP clients. The UDP port value specifies the base UDP port to use. If the base port is not available, the UDP port range value determines how many additional ports to try. The range spans from the base port to the sum of the base port and port range. For example, if the base port is 50002 and the port range is 64, the range spans from 50002 to 50066. This setting applies to the client only. By default, the base port is 50002 and the port range is 64. |
Configure the maximum PCoIP session bandwidth | Specifies the maximum bandwidth, in kilobits per second, in a PCoIP session. The bandwidth includes all imaging, audio, virtual channel, USB, and control PCoIP traffic. Set this value to the overall capacity of the link to which your endpoint is connected, considering the number of expected concurrent PCoIP sessions. For example, with a single-user VDI configuration (a single PCoIP session) that connects through a 4Mbit/s Internet connection, set this value to 4Mbit, or 10% less than this value to leave some allowance for other network traffic. When you expect multiple concurrent PCoIP sessions to share a link, comprising either multiple VDI users or an RDS configuration, you might want to adjust the setting accordingly. However, lowering this value will restrict the maximum bandwidth for each active session. Setting this value prevents the agent from attempting to transmit at a higher rate than the link capacity, which would cause excessive packet loss and a poorer user experience. This value is symmetric. It forces the client and agent to use the lower of the two values that are set on the client and agent side. For example, setting a 4 Mbit/s maximum bandwidth forces the agent to transmit at a lower rate, even though the setting is configured on the client. When this setting is disabled on an endpoint, the endpoint imposes no bandwidth constraints. When this setting is enabled, the setting is used as the endpoint's maximum bandwidth constraint in kilobits per second. The default value is 900000 kilobits per second. This setting applies to the agent and the client. If the two endpoints have different settings, the lower value is used. |
Configure the PCoIP session bandwidth floor | Specifies a lower limit, in kilobits per second, for the bandwidth that the PCoIP session reserves. This setting configures the minimum expected bandwidth transmission rate for the endpoint. When you use this setting to reserve bandwidth for an endpoint, the user does not have to wait for bandwidth to become available, which improves session responsiveness. Make sure that you do not over-subscribe the total reserved bandwidth for all endpoints. Make sure that the sum of bandwidth floors for all connections in your configuration does not exceed the network capability. The default value is 0, which means that no minimum bandwidth is reserved. When this setting is disabled, no minimum bandwidth is reserved. This setting is disabled by default. This setting applies to the agent and the client, but the setting only affects the endpoint on which it is configured. When this setting is modified during an active PCoIP session, the change takes effect immediately. |
Configure the PCoIP session MTU | Specifies the Maximum Transmission Unit (MTU) size for UDP packets for a PCoIP session. The MTU size includes IP and UDP packet headers. TCP uses the standard MTU discovery mechanism to set MTU and this setting does not affect it. The maximum MTU size is 1500 bytes. The minimum MTU size is 500 bytes. The default value is 1300 bytes. Typically, you do not have to change the MTU size. Change this value if you have an unusual network setup that causes PCoIP packet fragmentation. This setting applies to the agent and the client. If the two endpoints have different MTU size settings, the lowest size is used. If this setting is disabled or not configured, the client uses the default value in the negotiation with the agent. |
Configure the PCoIP transport header | Configures the PCoIP transport header and sets the transport session priority. The PCoIP transport header is a 32-bit header that is added to all PCoIP UDP packets (only if the transport header is enabled and both sides support it). The PCoIP transport header allows network devices to make better prioritization/QoS decisions when dealing with network congestion. The transport header is enabled by default. The transport session priority determines the PCoIP session priority reported in the PCoIP transport header. Network devices make better prioritization/QoS decisions based on the specified transport session priority. When the Configure the PCoIP transport header setting is enabled, the following transport session priorities are available:
The PCoIP agent and client negotiate the transport session priority value. If the PCoIP agent specifies a transport session priority value, the session uses the agent-specified session priority. If only the client has specified a transport session priority, the session uses the client-specified session priority. If neither agent nor client has specified a transport session priority, or Undefined Priority is specified, the session uses the default value, Medium priority. |
Enable/disable audio in the PCoIP session | Determines whether audio is enabled in PCoIP sessions. Both endpoints must have audio enabled. When this setting is enabled, PCoIP audio is allowed. When it is disabled, PCoIP audio is disabled. Audio is enabled by default. |
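The Configure PCoIP virtual channels setting uses the vertical bar as a separator and the backslash as an escape character, so splitting a policy value on `|` alone misreads any channel name that contains either character. The following is an added example, not VMware code: it encodes and decodes the list as the setting describes and enforces the 15-channel limit. The function names are hypothetical, and rejecting a backslash in front of any other character is a strictness choice of this example.

```python
MAX_CHANNELS = 15  # maximum number of virtual channels stated for the setting


def encode_channels(names):
    """Build the policy string from a list of channel names."""
    if len(names) > MAX_CHANNELS:
        raise ValueError(f"at most {MAX_CHANNELS} virtual channels are allowed")
    encoded = []
    for name in names:
        if not name:
            raise ValueError("empty channel name")
        # Escape backslashes first so the backslash added for '|' stays single.
        encoded.append(name.replace("\\", "\\\\").replace("|", "\\|"))
    return "|".join(encoded)


def decode_channels(value):
    """Split a policy string into channel names, honouring backslash escapes."""
    if value == "":
        return []  # an empty list is a valid value with its own meaning
    names, current, escaped = [], [], False
    for ch in value:
        if escaped:
            if ch not in ("|", "\\"):
                # Strictness choice of this example, not a documented rule.
                raise ValueError(f"unexpected escape sequence: \\{ch}")
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "|":
            names.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("value ends with a dangling backslash")
    names.append("".join(current))
    if any(not name for name in names):
        raise ValueError("empty channel name in list")
    if len(names) > MAX_CHANNELS:
        raise ValueError(f"at most {MAX_CHANNELS} virtual channels are allowed")
    return names


def naive_split(value):
    """What a plain split on '|' returns, shown for comparison only."""
    return value.split("|")


if __name__ == "__main__":
    # Both strings are the examples given in the setting description.
    print(decode_channels("mksvchan|vdp_rdpvcbridge"))
    tricky = r"awk\|ward\\channel"
    print(decode_channels(tricky))  # one channel name
    print(naive_split(tricky))      # two fragments, neither a real name
```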