The ADM and ADMX template files for Horizon Agent, vdm_agent.adm and vdm_agent.admx, contain security-related settings for Horizon Agent. Unless otherwise noted, these files include only Computer Configuration settings.

Security settings are stored in the registry on the guest machine under HKLM\Software\VMware, Inc.\VMware VDM\Agent\Configuration.

Table 1. Horizon Agent Security-Related Settings
Setting Description
AllowDirectRDP

Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is disabled, the agent permits only Horizon-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an Access is denied error.

By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

Important: The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default.

The equivalent Windows Registry value is AllowDirectRDP.

AllowSingleSignon

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default.

The equivalent Windows Registry value is AllowSingleSignon.

CommandsToRunOnConnect

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnConnect.

CommandsToRunOnDisconnect

Specifies a list of commands or command scripts to be run when a session is disconnected.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnReconnect.

CommandsToRunOnReconnect

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnDisconnect.

ConnectionTicketTimeout

Specifies the amount of time in seconds that the Horizon connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

The equivalent Windows Registry value is VdmConnectionTicketTimeout.

CredentialFilterExceptions

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

No list is specified by default.

The equivalent Windows Registry value is CredentialFilterExceptions.

For more information about these settings and their security implications, see the Configuring Remote Desktop Features in Horizon document.
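
One way to audit a guest machine against the table above, as an added example (not VMware code): the PowerShell below reads the Configuration key and flags values that differ from the documented defaults or break the CredentialFilterExceptions format. It assumes every setting is stored as a plain value under that key and that booleans appear as true/false or 1/0; Test-HorizonAgentSettings is a hypothetical helper name, and the three command lists are reported under their registry value names.

```powershell
# Added example, not VMware code. Assumptions: every setting is a plain value under
# the Configuration key, and booleans are stored as "true"/"false" (1/0 also accepted).
$Key = 'HKLM:\Software\VMware, Inc.\VMware VDM\Agent\Configuration'

function Test-HorizonAgentSettings {
    param([hashtable]$Values)          # registry value name -> data
    $findings = @()

    # AllowDirectRDP is enabled by default, so a missing value means direct RDP is allowed.
    $rdp = "$($Values['AllowDirectRDP'])".Trim().ToLower()
    if ($rdp -notin 'false', '0') {
        $findings += 'AllowDirectRDP: direct RDP allowed (leave enabled only where Horizon Client for Mac is used)'
    }

    # Any configured command list runs on session events; surface it for review.
    foreach ($name in 'CommandsToRunOnConnect', 'CommandsToRunOnDisconnect', 'CommandsToRunOnReconnect') {
        if ("$($Values[$name])".Trim()) { $findings += "${name}: configured -> $($Values[$name])" }
    }

    # Connection ticket lifetime: 900 seconds when the setting is not configured.
    $raw = "$($Values['VdmConnectionTicketTimeout'])".Trim()
    $timeout = 0
    if ($raw -and -not [int]::TryParse($raw, [ref]$timeout)) {
        $findings += "VdmConnectionTicketTimeout: non-numeric data '$raw'"
    } elseif ($raw -and $timeout -gt 900) {
        $findings += "VdmConnectionTicketTimeout: $timeout s exceeds the 900 s default"
    }

    # Entries are semicolon-separated bare filenames: no path, no suffix.
    foreach ($entry in "$($Values['CredentialFilterExceptions'])".Split(';')) {
        $e = $entry.Trim()
        if (-not $e) { continue }
        if ($e -match '[\\/.]') { $findings += "CredentialFilterExceptions: '$e' contains a path or suffix" }
        else { $findings += "CredentialFilterExceptions: '$e' is listed, confirm the exception is intended" }
    }
    return $findings
}

# Collect the live values (run on the guest machine) and print the findings.
$values = @{}
if (Test-Path $Key) {
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }   # skip provider metadata
    }
}
Test-HorizonAgentSettings -Values $values
```

An empty result means no value deviates from the checks above; on a machine without the Configuration key, only the AllowDirectRDP default is reported.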