The VMware View Agent Configuration ADMX template file (vdm_agent.admx) contains policy settings related to the authentication and environmental components of Horizon Agent.

The ADMX files are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip, which you can download from the VMware Downloads site. Go to https://my.vmware.com/web/vmware/downloads. Look for Desktop & End-User Computing and under this category, select Download Product under VMware Horizon. Then select the appropriate Horizon version and click Go To Downloads. From here you can find the Horizon GPO Bundle that includes the VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip file.

The following tables describe policy settings in the VMware View Agent Configuration ADMX template file. The template contains both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting.

The settings are located in the Computer Configuration > Policies > Administrative Templates > VMware View Agent Configuration folder.

Agent Configuration

Agent configuration settings are in the VMware View Agent Configuration > Agent Configuration folder in the Group Policy Management Editor.

Table 1. Agent Configuration Policy Settings

Setting Computer User Properties
AllowDirectRDP X

Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is deactivated, the agent permits only Horizon-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac, do not deactivate the AllowDirectRDP setting. If this setting is deactivated, the connection fails with an Access is denied error.

By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, deactivate the AllowDirectRDP setting.

Important: The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is activated by default.

AllowSingleSignon X

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is activated, users are required to enter their credentials only once, when they log in to the server. When this setting is deactivated, users must reauthenticate when the remote connection is made.

This setting is activated by default.

Audio option for single session Windows 10 physical Remote Desktop machine X

Specifies the audio device to use on a Horizon Windows 10 physical machine hosting the remote desktop session. When activated, select from the following options:
  • Use audio device attached to the Horizon Client endpoint. This is the default setting.
  • Use audio device attached to Horizon Windows 10 physical remote desktop endpoint.

This setting is not configured by default.

CommandsToRunOnConnect X

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

See Running Commands on Horizon Desktops for more information.

CommandsToRunOnDisconnect X

Specifies a list of commands or command scripts to be run when a session is disconnected.

See Running Commands on Horizon Desktops for more information.

CommandsToRunOnReconnect X

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

See Running Commands on Horizon Desktops for more information.

Connecting Session Threshold X

Specifies the maximum number of sessions that can concurrently log onto the RDSH machine, exempting reconnecting sessions. If activated, the session threshold value is initially set to 20 but should be changed according to use case. If 0 is selected, then the connecting session threshold is deactivated. This policy is deactivated by default, so if the policy is not configured, then the connecting session threshold will be deactivated.

ConnectionTicketTimeout X

Specifies the amount of time in seconds that the Horizon connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

CredentialFilterExceptions X

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

Disable Time Zone Synchronization X X

Determines whether the time zone of the remote desktop is synchronized with the time zone of the connected client. An activated setting applies only if the Disable time zone forwarding setting of the Horizon Client Configuration policy is not set to deactivated.

This setting is deactivated by default.

Disconnect Session Time Limit (VDI) X

Specifies the amount of time after which a disconnected desktop session logs out automatically.
  • Never: disconnected sessions on this machine never log out.
  • Immediately: disconnected sessions log out immediately.

You can also configure the time limit in the Automatically logoff after disconnect desktop pool setting in Horizon Console. If you configure this setting in both places, the group policy setting takes precedence.

For example, selecting Never prevents a disconnected session on this machine from ever logging out, regardless of the setting in Horizon Console.

DPI Synchronization X X

Adjusts the system-wide DPI setting for the remote session. When this setting is activated or not configured, the system-wide DPI setting for the remote session is set to match the corresponding DPI setting on the client operating system. When this setting is deactivated, the system-wide DPI setting for the remote session is never changed.

For a list of the supported guest operating systems, see the "Using DPI Synchronization" topic in the Horizon Client for Windows Guide.

This setting is activated by default.

DPI Synchronization Per Monitor X X

Adjusts the DPI setting in multiple monitors during a remote session.

When this setting is activated, the DPI setting in all monitors changes to match the client per-monitor DPI setting during a remote session. If the DPI setting is customized, the customized DPI setting is matched. The Allow Display Scaling option is dimmed in Horizon Client.

When this setting is deactivated, users must log out and reconnect to the remote desktop to make DPI setting changes take effect in all monitors.

For a list of the supported guest operating systems, see the "Using DPI Synchronization" topic in the Horizon Client for Windows Guide.

This setting is activated by default.

Enable Battery State Redirection X

Determines whether battery state redirection is activated. This feature is supported with Windows and Linux client systems.

When this setting is activated, information about the Windows or Linux client system's battery is redirected to a Windows remote desktop. The battery icon in the system tray on the remote desktop indicates the battery charge percentage. If the battery charge is less than or equal to 10 percent, a message pops up stating that the battery is low.

This setting is activated by default.

Enable multi-media acceleration X

Determines whether multimedia redirection (MMR) is activated on the remote desktop.

MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on the remote system directly through a TCP socket to the client. The data is decoded directly on the client, where it is played. You can deactivate MMR if the client has insufficient resources to handle local multimedia decoding.

This setting is activated by default.

Enable Unauthenticated Access X

Activates or deactivates the unauthenticated access feature. When this setting is activated, unauthenticated access users can access published applications from Horizon Client without requiring Active Directory credentials. When this setting is deactivated, unauthenticated access users cannot access published applications from Horizon Client without Active Directory credentials.

You must reboot the RDS host for this setting to take effect.

This setting is activated by default.

Force MMR to use software overlay X

MMR tries to use the hardware overlay to play back video for better performance. When working with multiple displays, the hardware overlay exists on only one of the displays, either the primary display or the display where WMP started. If a user drags WMP to another display, the video appears as a black rectangle. Use this option to force MMR to use a software overlay that works on all displays.

This setting is activated by default.

Idle Time Until Disconnect (VDI) X

Specifies the amount of time after which a remote desktop session disconnects because of user inactivity.

If deactivated, not configured, or activated with the Never setting, the remote desktop sessions are never disconnected.

If the desktop pool or machine is configured to log out automatically after a disconnect, that setting is honored.

Key Logger Blocking X

Determines whether the end point encrypts the communication between the keyboard and the Horizon Client to avoid key-logging malware on the end point.

When this setting is activated, all keystrokes are encrypted. When it is deactivated, keystrokes are communicated normally. This is deactivated by default.

Note the following:
  • To use this setting with Horizon Client for Mac, you must have Horizon Client for Mac 2111 or later.
  • You can configure this setting for the machine or per user. If you deactivate SSO on the agent, you must configure this setting for the machine, not per user. If both machine and user are configured, the GPO setting for the user takes effect.
  • To prevent a user from connecting to the agent using clients that do not support key logger blocking, limit the session connection. See "Global Client Restriction Settings for Client Sessions" in the Horizon 8 Administration document.
Load Index Threshold X

Specifies the minimum load index at which the RDSH machine will start denying session logons, exempting reconnecting sessions. If activated, the load threshold value is initially set to 90 but should be changed according to use case. If 0 is selected, then the load index threshold is deactivated. This policy is deactivated by default, so if the policy is not configured, then the load index threshold will be deactivated.

Prewarm Session Time Limit X

Specifies the amount of time after which a prewarm session logs out automatically. This setting is not configured by default.

RDS Connection Time Until Disconnect X

Specifies the maximum amount of time that a Remote Desktop Services session can be active before it is disconnected automatically. Timeout values range from Never to one week. Selecting Never will never disconnect Remote Desktop Services sessions on this machine.

RDS Disconnected Time Until Logoff X

Specifies the amount of time after which a disconnected Remote Desktop Services session logs off automatically. Timeout values range from Never to one week. Selecting Never will never log off disconnected Remote Desktop Services sessions on this machine.

RDS End Session When Time Limit Reached X

Specifies whether to end or disconnect a Remote Desktop Services session that has timed out. If this setting is activated, the Remote Desktop Services session is ended (user is logged off and the session is deleted from the server) after the time limit for active or idle sessions has been reached. By default, Remote Desktop Services sessions are disconnected after reaching their time limits.

RDS Idle Time Until Disconnect X

Specifies the amount of time after which an idle Remote Desktop Services session disconnects automatically. Timeout values range from Never to one week. Selecting Never will never disconnect Remote Desktop Services sessions on this machine.

Screen-capture Blocking X X*
Determines whether users can take screenshots of their virtual desktop or published application from their end point. If activated, users are blocked from taking screenshots of the virtual desktop or virtual applications using their Windows or macOS devices.
Note: For Browser Redirection and HTML5 Multimedia Redirection, the redirected content could be captured when Block Screenshot is activated.

This setting is deactivated by default; users are allowed to take screenshots using their devices.

Requirements:

Horizon Agent 2106 and later support this setting. This setting is enforceable on Horizon Client for Windows and Horizon Client for Mac 2106 and later.

In most cases, you can configure this setting for the machine or per user. *However, if you deactivate SSO on the agent, you must configure this setting for the machine, not per user. If you set this feature for both machine and user, the setting for the user takes precedence.

Nested mode is supported.

To enforce this behavior on clients or under conditions that do not support the setting, use limits on the session connection. See Global Client Restriction Settings for Client Sessions in the Horizon 8 Administration document.

Behavior notes:

While activated, users cannot take screenshots of the virtual desktop or virtual application from supported clients. These notes detail the expected results.

For VMware WebRTC/Media Optimization for Microsoft Teams:

  • In VMware Horizon Windows VDI or Teams remote app sessions, sharing is normal.
  • In VMware Horizon Mac VDI sessions, sharing is normal.
  • In VMware Horizon Mac app sessions, VMware Horizon Mac Teams remote app session sharing will show blocked Teams windows, but the Mac client screen can be shared.
For Webex VDI
  • In Horizon Client for Windows and Horizon Client for Mac, audio/visual content is normal for the camera and for screen sharing.

For Optimized Zoom VDI

  • In Horizon Client for Windows sharing is normal; audio/visual content is normal for Zoom VDI 5.9.0. For earlier releases, visual content is black if using a camera.
  • In Horizon Client for Mac, sharing is normal and audio/visual content is normal, but the sharing window and audio/visual content window will not respect this GPO because these windows are owned by the vendor.

For VMware Virtualization for Skype for Business
  • In both supported clients, sharing and audio/visual content are normal.
Host's native applications such as Zoom and Microsoft Teams might not share content of the VMware remote desktop or published application that activates this feature.

With Multimedia Redirection and HTML5 Multimedia Redirection

  • In Horizon Client for Windows client, redirection is normal.
  • In Horizon Client for Mac client, redirection is not supported.
ShowDiskActivityIcon X

This setting is not supported in this release.

Single sign-on retry timeout X

Specifies the time, in milliseconds, after which single sign-on is retried. Set the value to 0 to deactivate single sign-on retry. The default value is 5000 milliseconds.

This setting is activated by default.

Toggle Display Settings Control X

Determines whether to deactivate the Settings tab in the Display control panel when a client session uses the PCoIP or Blast Extreme display protocols.

This setting is activated by default.

Note: The Connect using DNS Name setting was removed in the Horizon 6 version 6.1 release. You can set the Horizon 8 LDAP attribute, pae-PreferDNS, to tell Connection Server to give preference to DNS names when sending the addresses of desktop machines and RDS hosts to clients and gateways. See "Give Preference to DNS Names When Horizon Connection Server Returns Address Information" in the Horizon 8 Installation and Upgrade document.

Agent Security

The Agent Security setting is in the VMware View Agent Configuration > Agent Security folder in the Group Policy Management Editor.

Table 2. Agent Security Policy Setting
Setting Computer User Properties
Accept SSL encrypted framework channel X

Activates the TLS encrypted framework channel. You can specify one of the following options:
  • Disable - Deactivate TLS.
  • Enable - Activate TLS. Allow legacy clients to connect without TLS.
  • Enforce - Activate TLS. Refuse legacy client connections.

This setting is activated by default.

Authentication

Policy settings for Windows Hello for Business certificate redirection are in the ADMX template file vdm_agent.admx. The certificate redirection setting is in the VMware View Agent Configuration > Whfb Certificate Redirection folder in the Group Policy Management Editor.

Table 3. Windows Hello for Business Certificate Redirection
Setting Computer User Properties
List of allowed executables X

List of executables that are allowed to use the redirected Windows Hello for Business certificate.

This setting is not activated by default.

Clipboard Redirection

Policy settings for Clipboard Redirection are in the ADMX template file vdm_agent_clipboard.admx. The Clipboard Redirection settings are in the VMware View Agent Configuration > Clipboard Redirection folder in the Group Policy Management Editor.

Table 4. Clipboard Redirection Policy Settings
Setting Computer User Description
Clipboard memory size on server X X

Specifies the server clipboard memory size value in bytes or kilobytes, as selected. If it is not configured, the memory size is in kilobytes.

The client also has a value for the clipboard memory size, which is always in kilobytes. After the session is set up, the server sends its clipboard memory size value to the client. The effective clipboard memory size value is the lesser of the client and server clipboard memory size values.

A large clipboard memory size can negatively affect performance, depending on your network. VMware recommends that you do not set the clipboard memory size to a value greater than 16 MB.

Note: To transfer larger amounts of data, use the client drive redirection feature.

Configure clipboard audit X X

Specifies whether the clipboard audit feature is activated on the agent machine. When this setting is activated, the options are as follows:
  • Disabled in both directions. Information about clipboard data is not recorded.
  • Enabled client to server only. Information about clipboard data that is copied from the client machine to the agent machine is recorded in an event log on the agent machine.
  • Enabled in both directions. Information about clipboard data that is copied from the client machine to the agent machine, and from the agent machine to the client machine, is recorded in an event log on the agent machine.
  • Enabled server to client only. Information about clipboard data that is copied from the agent machine to the client machine is recorded in an event log on the agent machine.

When this setting is deactivated or not configured, the default value is Disabled in both directions.

You can use the Windows event viewer on the agent machine to view the event log. The log name is VMware Horizon RX Audit. To view the event log in a centralized location, you can configure VMware Log Insight or Windows Event Collector.

Note: Only the Windows client supports agent machine to client machine clipboard auditing.

Configure clipboard redirection X X

Determines the direction in which clipboard redirection is allowed. You can select one of the following values:
  • Enabled client to agent only
  • Disabled in both directions
  • Enabled in both directions
  • Enabled agent to client only

Clipboard redirection is implemented as a virtual channel. If virtual channels are deactivated, clipboard redirection does not function.

This setting applies only to Horizon Agent.

When this setting is deactivated or not configured, the default value is Enabled client to agent only.

Configure clipboard redirection formats X X

Determines whether a filter is activated or deactivated on the agent machine for each data format.
  • Filter files folders from incoming clipboard data: Specifies whether selected files or folders can be copied to the clipboard from the client machine to the agent machine. If activated, copying files and folders from the client machine is blocked. If deactivated, copying and pasting files and folders from the client machine is allowed.
  • Filter files and folders from outgoing clipboard data: Specifies whether selected files or folders can be copied to the clipboard from the agent machine to the client machine. If activated, copying files and folders from the agent machine is blocked. If deactivated, copying and pasting files and folders from the agent machine is allowed.
  • Filter text out of the incoming clipboard data: Specifies whether textual data is filtered out of the clipboard data coming from the client machine to the agent machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter text out of the outgoing clipboard data: Specifies whether textual data is filtered out of the clipboard data sent from the agent machine to the client machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Rich Text Format data out of the incoming clipboard data: Specifies whether Rich Text Format data is filtered out of the clipboard data coming from the client machine to the agent machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Rich Text Format data out of the outgoing clipboard data: Specifies whether Rich Text Format data is filtered out of the clipboard data sent from the agent machine to the client machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter images out of the incoming clipboard data: Specifies whether image data is filtered out of the clipboard data coming from the client machine to the agent machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter images out of the outgoing clipboard data: Specifies whether image data is filtered out of the clipboard data sent from the agent machine to the client machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Microsoft Office text data out of the incoming clipboard data: Specifies whether Microsoft Office text format data (BIFF12 format) is filtered out of the clipboard data coming from the client machine to the agent machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Microsoft Office text data out of the outgoing clipboard data: Specifies whether Microsoft Office text format data (BIFF12 format) is filtered out of the clipboard data sent from the agent machine to the client machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Microsoft Chart and Smart Art data out of the incoming clipboard data: Specifies whether Microsoft Office Chart and Smart Art data (Art::GVML ClipFormat) is filtered out of the clipboard data sent from the client machine to the agent machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Microsoft Chart and Smart Art data out of the outgoing clipboard data: Specifies whether Microsoft Office Chart and Smart Art data (Art::GVML ClipFormat) is filtered out of the clipboard data sent from the agent machine to the client machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Microsoft Text Effects data out of the incoming clipboard data: Specifies whether Microsoft Office text effects data (HTML Format) is filtered out of the clipboard data coming from the client machine to the agent machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.
  • Filter Microsoft Text Effects data out of the outgoing clipboard data: Specifies whether Microsoft Office text effects data (HTML Format) is filtered out of the clipboard data sent from the agent machine to the client machine. When this setting is activated, the data is filtered out. When this setting is deactivated, the data is allowed.

When the setting is not configured or deactivated, the filters for clipboard redirection are deactivated for all formats.

This setting is not configured by default.

Configure file transfer X

Configures how the file transfer feature works between the remote desktop and HTML Access or Horizon Client for Chrome. Valid values are as follows.

This setting applies only to remote desktops.

  • Disabled both upload and download
  • Enabled both upload and download
  • Enabled file upload only. Users can upload files from the client system to the remote desktop.
  • Enabled file download only. Users can download files from the remote desktop to the client system.

When this setting is deactivated or not configured, the default value is Enabled file upload only.

Whether block clipboard redirection to client side when client doesn't support audit X X

Specifies whether to block clipboard redirection to clients that do not support the clipboard audit feature.

When this setting is activated, you must select one of the following values.

  • Block blocks agent-to-client clipboard redirection if the clipboard audit feature is supported on the agent machine, but is not supported on the client machine.
  • Passthrough allows agent-to-client clipboard redirection if the clipboard audit feature is supported on the agent machine, but is not supported on the client machine.

When this setting is deactivated or not configured, the default value is Block.

You must activate the Configure clipboard audit group policy setting for this setting to take effect.

Collaboration

Collaboration settings are in the VMware View Agent Configuration > Collaboration folder in the Group Policy Management Editor.

Table 5. Collaboration Policy Settings
Setting Description
Allow control passing to collaborators

When activated, users can pass input control to other collaborators during collaboration. When deactivated, the toggle switch does not appear in the collaboration window. This setting is activated by default.

Allow inviting collaborators by e-mail

When activated, you can send collaboration invitations by using an installed email application. When deactivated, you cannot use email to invite collaborators, even if an email application is installed. This setting is activated by default.

Allow inviting collaborators by IM

When activated, you can send collaboration invitations by using an installed Instant Message (IM) application. When deactivated, you cannot use IM to invite collaborators, even if an IM application is installed. This setting is activated by default.

Include Outlook-formatted URL in clipboard text

When this setting is activated, a Microsoft Outlook-formatted invitation URL is included in the clipboard invitation text. Activate this setting if you expect end users to paste clipboard invitation text into an email message. This setting is deactivated by default.

Separator used for multiple e-mail addresses in mailto: links

Configures the separator used for multiple email addresses in mailto: links to allow better compatibility with various email clients. When not configured, the default value is a semicolon without a space to separate email addresses.

If your default email client does not allow a semicolon as a separator, try other combinations, such as a comma plus one space or semicolon plus one space.

Server URLs to include in invitation message

Sets the server URLs to include in collaboration invitations. If this setting is not configured, a default URL is used, but it might be incorrect in all but the simplest deployments.

Turn off collaboration

When activated, the Session Collaboration feature is turned off. When deactivated or not configured, you can control the feature at the farm or desktop pool level. This setting takes effect after you reboot the Horizon Agent machines.

Maximum number of invited collaborators

Specifies the maximum number of collaborators that you can invite to join a session. The default maximum is 5. The limit is 20.

Configures SSL protocols and cryptographic algorithms

SSL protocols and cryptographic algorithms settings are in the VMware View Agent Configuration folder in the Group Policy Management Editor.

Table 6. Configures SSL protocols and cryptographic algorithms Settings
Setting Description
Configures SSL protocols and cipher suites

Allows you to specify the cryptographic algorithms and protocols before establishing an encrypted SSL connection. The cipher list consists of one or more cipher strings separated by colons. Note that all cipher strings are case sensitive.

If the feature is enabled, the default value is: 'TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES' which means that TLS v1.1 and TLS v1.2 are enabled. Cipher suites will use ECDHE, ECDH and RSA with 128 or 256 bit AES, with a preference for GCM mode. SSL v2.0, SSL v3.0 and TLS v1.0 are not supported.

Configures Signature Algorithms Extension

Specifies the signature algorithms for TLS v1.2. Enter a colon-separated list of signature algorithms in order of decreasing preference, in the form of algorithm+hash. Note that algorithm and hash names are case sensitive. For example: RSA+SHA256:ECDSA+SHA256

If this option is not set then the default value is all signature algorithms supported by the OpenSSL library.

Configures Supported Groups Extension

Sets the supported elliptic curve groups. Enter a list of curves separated by colons. Note that curve names are case sensitive. For example: P-256:P-384

If this option is not set and ECDHE cipher suites are provided, then the default value is all signature algorithms supported by the OpenSSL library.

Strict certification revocation check

When enabled, Horizon Client will refuse to connect to servers when it cannot verify the certificate revocation status. When this setting is disabled, the client will check revocation but it will not block a connection based on revocation status. The Ignore certificate revocation problems GPO takes precedence over this GPO; do not use them together.

This setting is disabled by default.
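
A pre-deployment check for the cipher, signature algorithm and supported group strings in Table 6, given as an added example rather than VMware code. It applies the syntax rules stated in the table and flags TLSv1.1, weak cipher keywords, SHA-1 signatures and a missing !aNULL entry; the function names and token lists are assumptions, and the agent's own parser may accept more than this linter knows.

```python
"""Lint Horizon Agent TLS policy strings before they go into the GPO.

Added example, not VMware code. It applies only the syntax rules quoted in
Table 6; the agent's own parser may accept more than this linter knows.
"""

# Protocol tokens that appear in the documented default value.
KNOWN_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
# OpenSSL cipher-string keywords that select weak or unauthenticated suites.
WEAK_KEYWORDS = {"aNULL", "eNULL", "NULL", "RC4", "MD5", "DES", "3DES"}
# OpenSSL signature-algorithm and hash names (case sensitive).
SIG_ALGS = {"RSA", "RSA-PSS", "DSA", "ECDSA"}
HASHES = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
# Group names: the page's two examples plus two more OpenSSL names (assumption).
KNOWN_GROUPS = {"P-256", "P-384", "P-521", "X25519"}


def _entries(value, findings):
    """Yield non-empty colon-separated entries, reporting blanks and padding."""
    for entry in value.split(":"):
        if not entry or entry != entry.strip():
            findings.append(f"{entry!r}: empty or padded entry")
        else:
            yield entry


def lint_cipher_list(value):
    """Return findings for a 'Configures SSL protocols and cipher suites' value."""
    findings, protocols, entries = [], [], []
    for tok in _entries(value, findings):
        entries.append(tok)
        if tok.lower().startswith(("tlsv", "sslv")):
            if tok in KNOWN_PROTOCOLS:
                protocols.append(tok)
            elif tok.lower() in {p.lower() for p in KNOWN_PROTOCOLS}:
                findings.append(f"{tok!r}: wrong case, cipher strings are case sensitive")
            else:
                findings.append(f"{tok!r}: protocol token not in the documented default")
        elif tok[0] not in "!-":  # "!" and "-" entries remove suites, so skip them
            weak = WEAK_KEYWORDS.intersection(tok.lstrip("+").split("+"))
            for word in sorted(weak):
                findings.append(f"{tok!r}: selects weak keyword {word}")
    if "TLSv1.1" in protocols:
        findings.append("TLSv1.1 enabled: deprecated by RFC 8996")
    if "!aNULL" not in entries:
        findings.append("no !aNULL entry: anonymous suites are not explicitly excluded")
    return findings


def lint_signature_algorithms(value):
    """Return findings for a 'Configures Signature Algorithms Extension' value."""
    findings = []
    for entry in _entries(value, findings):
        alg, plus, digest = entry.partition("+")
        if not plus or not alg or not digest or "+" in digest:
            findings.append(f"{entry!r}: not in algorithm+hash form")
        elif alg not in SIG_ALGS or digest not in HASHES:
            findings.append(f"{entry!r}: unknown name (names are case sensitive)")
        elif digest == "SHA1":
            findings.append(f"{entry!r}: SHA-1 signatures are weak")
    return findings


def lint_groups(value):
    """Return findings for a 'Configures Supported Groups Extension' value."""
    findings = []
    by_upper = {g.upper(): g for g in KNOWN_GROUPS}
    for entry in _entries(value, findings):
        fixed = by_upper.get(entry.upper())
        if fixed and fixed != entry:
            findings.append(f"{entry!r}: wrong case, did you mean {fixed}?")
    return findings


if __name__ == "__main__":
    default = ("TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:"
               "kECDH+AES:ECDH+AES:RSA+AES")  # default value quoted in Table 6
    for finding in lint_cipher_list(default):
        print(finding)
```
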

Drag and Drop

Policy settings for Drag and Drop are in the ADMX template file vdm_agent_dnd.admx. The Drag and Drop settings are in the VMware View Agent Configuration > Drag and Drop folder in the Group Policy Management Editor.

Table 7. Drag and Drop Policy Settings
Setting Description
Configure drag and drop direction

Specifies the direction in which drag and drop is allowed. When activated, the options are as follows:

  • Disabled in both directions
  • Enabled client to agent only. Allows drag and drop only from the client system to the agent.
  • Enabled agent to client only. Allows drag and drop only from the agent to the client system.
  • Enabled in both directions

When this setting is deactivated or not configured, the default value is Enabled client to agent only.

This setting applies to the agent only.

Configure drag and drop formats Determines which drag and drop direction (Disabled in both directions, Enabled agent to client only, Enabled client to agent only, or Enabled in both directions) is allowed for each data format. When this setting is activated, the options are as follows:
  • Option for file format
  • Option for text format
  • Option for Rich Text format
  • Option for Image format
  • Option for HTML format
  • Option for File Content format

When this setting is deactivated or not configured, the default value for all formats is Enabled in both directions.

This setting applies to the agent only.

Configure drag and drop size threshold Determines the size limit for dragging common data types other than files and folders.

When this setting is activated, select the unit of the drag data size from the Choose the unit of the drag and drop size drop-down menu. You can select Bytes, Kilobytes, or Megabytes. Select or enter the drag data size in the Drag and drop size threshold text box. The effective data range for each unit is as follows:

  • Bytes: 1 through 1023
  • Kilobytes: 1 through 1023
  • Megabytes: 1 through 16 (the maximum data size to drag and drop is 16 megabytes)

When this setting is deactivated or not configured, a default threshold of 1 megabyte is set.

This setting applies only to the agent.

Performance Tracker

Policy settings for Performance Tracker are in the ADMX template file vdm_agent_perfTracker.admx. Performance Tracker settings are in the VMware View Agent Configuration > Performance Tracker folder in the Group Policy Management Editor.
Table 8. Performance Tracker Policy Settings
Setting Description
Enable Horizon Performance Tracker auto start in remote desktop connection When activated, Horizon Performance Tracker starts automatically when a user logs on to a remote desktop connection. To clear this preference GPO setting, select Disable.
Enable Horizon Performance Tracker auto start in remote application connection When activated, Horizon Performance Tracker starts automatically when a user logs on to a remote application connection. To clear this preference GPO setting, select Disable.
Performance Tracker basic setting When activated, you can set the frequency in seconds at which Horizon Performance Tracker collects data.

Scanner Redirection

Policy settings for Scanner Redirection are in the ADMX template file vdm_agent_scanner.admx. Scanner Redirection settings are in the VMware View Agent Configuration > Scanner Redirection folder in the Group Policy Management Editor.

Table 9. Scanner Redirection Group Policy Settings
Setting Computer User Description
BandwidthLimit X Specifies the maximum allowed bandwidth, in kilobytes per second, for transferring scanned data to a user session.

If you specify 0 or no value, the bandwidth is unlimited.

Compression X Specifies the image compression rate to use during the image transfer to a remote desktop or published application.

You can select one of the following compression modes:

  • Disable – Image compression is deactivated.
  • Lossless – Lossless (zlib) compression is used without loss of image quality.
  • JPEG – JPEG compression is used with loss of quality. You select the level of image quality from the JPEG compression quality drop-down menu. JPEG compression quality must be a value between 0 and 100.

When you activate this setting, the selected compression mode is set for all users affected by this policy. Users can change the Compression option in the VMware Horizon Scanner Redirection Preferences dialog box, overriding the policy setting.

When you deactivate this policy setting or do not configure it, JPEG compression mode is used.

Default Color Mode When this setting is activated, you can configure the default color mode: black and white, grayscale, or color. This setting is supported on Windows XP Professional or Windows Server 2003 or later.
Default Duplex When this setting is activated, you can configure the default scanning mode: simplex or duplex. In duplex mode, the scanning application must support duplex scanning and request two pages from the scanner. This setting is supported on Windows XP Professional or Windows Server 2003 or later.
Default Scanner X X Provides centralized management of scanner autoselection.

You select scanner autoselection options separately for TWAIN and WIA scanners. You can select one of the following autoselection options:

  • None. Do not select scanners automatically.
  • Autoselect. Automatically select the locally connected scanner.
  • Last used. Automatically select the last-used scanner.
  • Specified. Select the scanner name that you type in the Specified scanner text box.

When you activate this setting as a Computer Configuration policy, the setting determines the scanner autoselection mode for all users of the affected computers. Users cannot change the Default Scanner option in the VMware Horizon Scanner Redirection Preferences dialog box.

When you activate this setting as a User Configuration policy, the setting determines the scanner autoselection mode for all affected users. However, users can change the Default Scanner option in the VMware Horizon Scanner Redirection Preferences dialog box.

When you activate this setting in both Computer Configuration and User Configuration, the scanner autoselection mode in Computer Configuration overrides the corresponding policy setting in User Configuration for all users of the affected computers.

When you deactivate this setting or do not configure it in either policy configuration, the scanner autoselection mode is determined by the corresponding policy setting (either User Configuration or Computer Configuration) or by user selection in the VMware Horizon Scanner Redirection Preferences dialog box.

Disable functionality X Deactivates the scanner redirection feature.

When you activate this setting, scanners cannot be redirected and do not appear in the scanner menu on users' desktops and applications.

When you deactivate this setting or do not configure it, scanner redirection works and scanners appear in the scanner menu.

Force the TWAIN Scanning Properties dialog X When this setting is activated, the TWAIN Scanning Properties dialog box is always displayed, even if a scanning application does not display the scanning dialog box.
Hide Webcam X X

Prevents webcams from appearing in the scanner selection menu in the VMware Horizon Scanner Redirection Preferences dialog box.

By default, webcams can be redirected to desktops and applications. Users can select webcams and use them as virtual scanners to capture images.

When you activate this setting as a Computer Configuration policy, webcams are hidden from all users of the affected computers. Users cannot change the Hide Webcam option in the VMware Horizon Scanner Redirection Preferences dialog box.

When you activate this setting as a User Configuration policy, webcams are hidden from all affected users. However, users can change the Hide Webcam option in the VMware Horizon Scanner Redirection Preferences dialog box.

When you activate this setting in both Computer Configuration and User Configuration, the Hide Webcam setting in Computer Configuration overrides the corresponding policy setting in User Configuration for all users of the affected computers.

When you deactivate this setting or do not configure it in either policy configuration, the Hide Webcam setting is determined by the corresponding policy setting (either User Configuration or Computer Configuration) or by user selection in the VMware Horizon Scanner Redirection Preferences dialog box.

Lock config X Locks the scanner redirection user interface and prevents users from changing configuration options on their desktops and applications.

When you activate this setting, users cannot configure the options that are available from the tray menu on their desktops and applications. Users can display the VMware Horizon Scanner Redirection Preferences dialog box, but the options are inactive and cannot be changed.

When you deactivate this setting or do not configure it, users can configure the options in the VMware Horizon Scanner Redirection Preferences dialog box.

TWAIN Scanner Properties dialog location X Specifies where the TWAIN Scanning Properties dialog box appears. You can select one of the following options:
  • Agent – the VMware Scanner Properties dialog box appears on the agent side.
  • Client – the native vendor scanner TWAIN dialog box appears on the client side. (This option is not supported for the Linux client.)

Serial COM

Policy settings for Serial COM are in the ADMX template file vdm_agent_serialport.admx. Serial COM settings are in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor.
Table 10. Serial COM Policy Settings
Setting Computer User Description
PortSettings1, PortSettings2, PortSettings3, PortSettings4, PortSettings5 X X

The port settings determine the mapping between the COM port on the client system and the redirected COM port on the remote desktop, and determine other settings that affect the redirected COM port. You configure each redirected COM port individually.

Five port settings policy settings are available, allowing up to five COM ports to be mapped from the client to the remote desktop. Select one port settings policy setting for each COM port that you intend to configure. When you activate the port settings policy setting, you can configure the following items that affect the redirected COM port:

  • The Source port number setting specifies the number of the physical COM port that is connected to the client system.
  • The Destination virtual port number setting specifies the number of the redirected virtual COM port on the remote desktop.
  • The Autoconnect setting automatically connects the COM port to the redirected COM port at the start of each desktop session.
  • With the IgnoreDSR setting, the redirected COM port device ignores the Data Set Ready (DSR) signal.
  • The Pause before close port (in milliseconds) setting specifies the time to wait (in milliseconds) after a user closes the redirected port and before the port is actually closed. Certain USB to Serial adapters require this delay to preserve transmitted data. This setting is intended for troubleshooting purposes.
  • The Serial2USBModeChangeEnabled setting resolves problems that apply to USB to Serial adapters that use the Prolific chipset, including the GlobalSat BU353 GPS adapter. If you do not activate this setting for Prolific chipset adapters, connected devices can transmit data, but cannot receive data.
  • The Disable errors in wait mask setting deactivates the error value in the COM port mask. This troubleshooting setting is required for certain applications. For more information, see the Microsoft documentation for the WaitCommEvent function at http://msdn.microsoft.com/en-us/library/windows/desktop/aa363479(v=vs.85).aspx.
  • The HandleBtDisappear setting supports Bluetooth COM port behavior. This setting is intended for troubleshooting purposes.
  • The UsbToComTroubleShooting setting resolves some issues that apply to USB to Serial port adapters. This setting is intended for troubleshooting purposes.
  • The Permanent setting keeps the redirected COM port status in the remote session even if the client disconnects.

When you activate the port settings policy setting for a particular COM port, users can connect and disconnect the redirected port, but users cannot configure properties of the port on the remote desktop. For example, users cannot set the port to be redirected automatically when they log on to the remote desktop, and they cannot ignore the DSR signal. These properties are controlled by the group policy setting.

Note: A redirected COM port is connected and active only if the physical COM port is connected locally to the client system. If you map a COM port that does not exist on the client, the redirected port appears as inactive and not available in the tool tray menu on the remote desktop.

When the port settings policy setting is deactivated or not configured, the redirected COM port uses the settings that users configure on the remote desktop. The Serial COM Redirection for VMware Horizon menu options are active and available to users.

These settings are in the VMware View Agent Configuration > Serial COM > PortSettings folder in the Group Policy Management Editor.

Bandwidth limit X Sets a limit on the data transfer speed, in kilobytes per second, between the redirected serial port and client systems.

When you activate this setting, you can set a value in the Bandwidth limit (in kilobytes per second) box that determines the maximum data transfer speed between the redirected serial port and the client. A value of 0 deactivates the bandwidth limit.

When this setting is deactivated, no bandwidth limit is set.

When this setting is not configured, local program settings on the remote desktop determine whether a bandwidth limit is set.

This setting is in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor.

COM Port Isolation Mode X Specifies the isolation mode for COM ports. When you activate this setting, you can select one of the following isolation modes:
  • Full Isolation – virtual serial ports are visible and accessible only within user sessions. COM port names can have the same names in different user sessions. System services, such as spoolsrv.exe, cannot access isolated serial ports in this mode.
  • Isolation Disabled – virtual serial ports are visible globally. Any port can be accessed from any session. Because ports cannot have the same name in different user sessions, port names must be unique for each user. System services, such as spoolsrv.exe, can access any serial port.

If this setting is not configured, serial port redirection operates in Full Isolation mode.

Connect all ports automatically X When you activate this setting, all COM ports are connected automatically, even if no individual group policy settings are activated. If individual group policy settings are configured for specific ports, the individual group policy settings are used.

If this setting is deactivated or not configured, the auto-connect functionality is determined by the individual port group policy settings or the local program settings.

This setting is not configured by default.

Disable functionality X Deactivates the serial port redirection feature.

When you activate this setting, COM ports are not redirected to the remote desktop. The serial port tool tray icon on the remote desktop is not displayed.

When this setting is deactivated, serial port redirection works, the serial port tool tray icon is displayed, and COM ports appear in the Serial COM Redirection for VMware Horizon menu.

When this setting is not configured, settings that are local to the remote desktop determine whether serial port redirection is deactivated or activated.

This setting is in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor.

Local settings priority X X Gives priority to the settings that are configured on the remote desktop.

When you activate this policy, the serial port redirection settings that a user configures on the remote desktop take precedence over the group policy settings. A group policy setting takes effect only if a setting is not configured on the remote desktop.

When this setting is deactivated or not configured, group policy settings take precedence over the settings that are configured on the remote desktop.

This setting is in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor.

Lock configuration X X Locks the serial port redirection user interface and prevents users from changing configuration options on the remote desktop.

When you activate this setting, users cannot configure the options that are available from the tool tray menu on their desktops. Users can display the Serial COM Redirection for VMware Horizon menu, but the options are inactive and cannot be changed.

When this setting is deactivated, users can configure the options in the Serial COM Redirection for VMware Horizon menu.

When this setting is not configured, local program settings on the remote desktop determine whether users can configure the COM port redirection settings.

This setting is in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor.

Smart Card Redirection Settings

Smart card redirection settings are in the VMware View Agent Configuration > Smartcard Redirection > Local Reader Access folder in the Group Policy Management Editor.

Table 11. Smart Card Redirection Policy Settings
Setting Computer User Properties
Allow applications access to Local Smart Card readers X

If activated, applications can access all local smart card readers even when the smart card redirection feature is installed. When activated, the desktop is monitored for the presence of a local reader and when detected, the smart card redirection switches off, allowing access to the local readers. The redirection remains off until the next time the user connects to the session. When local access is activated, applications can no longer access remote readers present on the client.

This setting does not apply to RDP or to RDS hosts when the Remote Desktop Services role is activated.

This setting is deactivated by default.

Local Reader Name X Specifies the name of a local reader to monitor to activate local access. By default, the reader must have a card inserted to activate local access. You can deactivate this requirement by using the Require an inserted Smart Card setting.

This setting is activated by default.

Require an inserted Smart Card X If activated, local reader access is activated if the local reader has a card inserted. If deactivated, local access is activated as long as a local reader is detected.

This setting is activated by default.

True SSO Configuration Settings

True SSO configuration settings are in the VMware View Agent Configuration > True SSO Configuration folder in the Group Policy Management Editor. See the Horizon 8 Administration document.

Unity Touch and Hosted Apps Settings

Unity Touch and Hosted Apps settings are in the VMware View Agent Configuration > Unity Touch and Hosted Apps folder in the Group Policy Management Editor.

Table 12. Unity Touch and Hosted Apps Policy Settings
Setting Computer User Properties
Send updates for empty or offscreen windows X Specifies whether the client receives updates about empty or offscreen windows. When this setting is deactivated, information about windows that are smaller than 2x2 pixels, or that are located offscreen, is not sent to the client.

This setting is deactivated by default.

Enable UWP support on RDSH platforms X When activated, Universal Windows Platform (UWP) applications can run on Windows 10 virtual desktop (WVD) hosts on Horizon Cloud Service on Azure. When deactivated, the application status shows as unavailable in Horizon Agent and the user cannot access the application. Restart the agent VM for this setting to take effect.

This setting is deactivated by default.

Enable Unity Touch X Determines whether the Unity Touch functionality is activated on the remote desktop. Unity Touch supports the delivery of published applications in Horizon Client and allows mobile device users to access applications in the Unity Touch sidebar.

This setting is activated by default.

Enable system tray redirection for Hosted Apps X Determines whether system tray redirection is activated while a user is running published applications.

This setting is activated by default.

Enable user profile customization for Hosted Apps X X Specifies whether to customize the user profile when published applications are used. If this setting is activated, a user profile is generated, the Windows theme is customized, and startup applications are registered.

This setting is deactivated by default.

Limit usage of Windows hooks X Deactivates most hooks when published applications or Unity Touch are used. This setting is intended for applications that have compatibility issues when OS-level hooks are set. For example, enabling this setting deactivates the use of most Windows active accessibility and in-process hooks.

This setting is deactivated by default, which means that all preferred hooks are used.

Only launch new instances of Hosted Apps if arguments are different X This policy controls the behavior when a published application starts, but an existing instance of the application is already running inside a disconnected protocol session. When deactivated, the existing instance of the application activates. When activated, the existing instance of the application activates only if the command-line parameters match.

This setting is deactivated by default.

Redirect legal notice messages as a window X When activated, this policy redirects legal notices to a custom-sized window in Horizon Client. Specify the width and height of the window in pixels. For high DPI monitors, the sizes will be multiplied based on the DPI. This functionality is only supported for published applications.

Restart the RDSH server and Horizon Client for the setting to take effect.

This setting is deactivated by default.

Unity Filter rule list X Specifies filter rules for unity windows when using published applications. Horizon Agent uses these rules to support custom applications. For information about creating filter rules, see Managing Special Unity Windows.

This setting is not configured by default.

View Agent Direct-Connection Configuration

Policy settings for View Agent Direct-Connection Configuration are in the ADMX template file vdm_agent_direct_connection.admx. View Agent Direct-Connection configuration settings are in the VMware View Agent Configuration > View Agent Direct-Connection Configuration folder in the Group Policy Management Editor. See the Horizon Agent Direct-Connection Plug-In document.

Real-Time Audio-Video Configuration

Policy settings for Real-Time Audio-Video Configuration are in the ADMX template file vdm_agent_rtav.admx. RTAV configuration settings are in the VMware View Agent Configuration > View RTAV Configuration folder in the Group Policy Management Editor. See Real-Time Audio-Video Group Policy Settings.

USB Configuration

USB Configuration settings are in the VMware View Agent Configuration > View USB Configuration folder in the Group Policy Management Editor. See Using Policies to Control USB Redirection.

VMware AppTap Configuration

The VMware AppTap configuration setting is in the VMware View Agent Configuration > VMware AppTap Configuration folder in the Group Policy Management Editor.

Table 13. VMware AppTap Configuration Setting
Setting Computer User Properties
Processes to ignore when detecting empty application sessions X Specifies the list of processes to ignore when detecting empty application sessions. You can specify either a process filename or a full path. Values are not case-sensitive. Do not use environment variables in paths. UNC network paths are allowed, for example: \\vmware\temp\app.exe.

This setting is not configured by default.

Client Drive Redirection

Policy settings for Client Drive Redirection are in the ADMX template file vdm_agent_cdr.admx. Client Drive Redirection settings are in the VMware View Agent Configuration > VMware Horizon Client Drive Redirection folder in the Group Policy Management Editor. See Client Drive Redirection Policy Settings.

VMware HTML5 Features

VMware HTML5 features consist of Browser Redirection, Geolocation Redirection, HTML5 Multimedia Redirection, and WebRTC Redirection. Policy settings for these features are in the VMware View Agent Configuration > VMware HTML5 Features folder in the Group Policy Management Editor. See VMware HTML5 Feature Policy Settings.

VMware Integrated Printing

Policy settings for VMware Integrated Printing are in the ADMX template file printerRedirection.admx. VMware Integrated Printing settings are in the VMware View Agent Configuration > VMware Integrated Printing folder in the Group Policy Management Editor. See VMware Integrated Printing Policy Settings.

VMware Virtualization Pack for Skype for Business

VMware Virtualization Pack for Skype for Business settings are in the VMware View Agent Configuration > VMware Virtualization Pack for Skype for Business folder in the Group Policy Management Editor. See VMware Virtualization Pack for Skype for Business Policy Settings.

Watermark Configuration

The watermark configuration setting is a User Configuration setting. It is located in the User Configuration > Policies > Administrative Templates > VMware View Agent Configuration > Watermark folder in the Group Policy Management Editor.

Table 14. Watermark Configuration Setting
Setting Computer User Properties
Watermark Configuration X Activate this setting to configure a watermark to appear on your virtual desktop. Enter the information you want to display as the watermark in Text. Options are:
%ViewClient_IP_Address%
%ViewClient_Broker_UserName%
%ViewClient_Broker_DomainName%
%COMPUTERNAME%
%USERDOMAIN%
%USERNAME%
%ViewClient_ConnectTime%

The character limit is 256 characters and 1024 characters after expansion.

Image Layout: the watermark layout on the screen, which is divided into nine squares:
  • Tile: watermark is positioned in all 9 squares. This layout is always used for application sessions.
  • Multiple: watermark is positioned in the center and four corner squares. If the watermark size exceeds the box size, it is scaled to maintain the aspect ratio.
  • Center: watermark is positioned in the center square.

Text Rotation: a specific angle for the watermark text.

Opacity: the transparency level of the text. The range is 0 through 255. The default value is 255.

Margin: the space around the watermark for the Tile layout. If the watermark is scaled, the margin is also scaled.

Text Color: specifies the color of the watermark text using space-separated RGB color values in decimal. The text outline is rendered in a contrasting color. The default is white text outlined in black.

Font Size: specifies the size of the watermark text. If this value is 0, the default font size is used.

Refresh Interval: specifies the interval, in seconds, that the watermark is refreshed. When 0 is specified, the watermark update is deactivated. The maximum value is 86400 seconds (24 hours).

This setting is not configured by default.
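The limits in the Watermark Configuration row above (256 characters before expansion, 1024 after, opacity 0 through 255, refresh interval 0 through 86400 seconds) can be checked before the policy is rolled out. The following Python is an added example, not VMware code; the dictionary keys are hypothetical names for the fields described above, the 0 through 255 range per RGB component is an assumption, and the session values are constructed.

```python
"""Pre-deployment check for a Watermark Configuration policy value.

Added example, not VMware code. The dictionary keys (text, layout, opacity,
color, refresh) are hypothetical names for the fields the page describes.
"""
import re

# Variables the page lists as options for the watermark text.
LISTED_VARS = {
    "ViewClient_IP_Address", "ViewClient_Broker_UserName",
    "ViewClient_Broker_DomainName", "COMPUTERNAME", "USERDOMAIN",
    "USERNAME", "ViewClient_ConnectTime",
}
LAYOUTS = {"Tile", "Multiple", "Center"}
VAR_RE = re.compile(r"%([^%\s]+)%")

# Constructed sample session values, used only to estimate the expanded length.
SAMPLE_VALUES = {
    "ViewClient_IP_Address": "203.0.113.7",
    "ViewClient_Broker_UserName": "jdoe",
    "ViewClient_Broker_DomainName": "CORP",
    "COMPUTERNAME": "VDI-0042",
    "USERDOMAIN": "CORP",
    "USERNAME": "jdoe",
    "ViewClient_ConnectTime": "2024-01-01 09:00:00",
}


def expand(text, values):
    """Replace each %NAME% with values[NAME]; unknown names stay unexpanded."""
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)


def _in_range(value, low, high):
    """True only for an integer inside [low, high]; a missing field fails."""
    return isinstance(value, int) and low <= value <= high


def check_watermark(cfg, values=SAMPLE_VALUES):
    """Return (problems, expanded_text) for one watermark configuration."""
    problems = []
    text = cfg.get("text", "")
    if len(text) > 256:
        problems.append(f"text is {len(text)} characters; the limit is 256")
    for name in sorted(set(VAR_RE.findall(text)) - LISTED_VARS):
        problems.append(f"%{name}% is not one of the listed variables")
    expanded = expand(text, values)
    if len(expanded) > 1024:
        problems.append(f"expanded text is {len(expanded)} characters; the limit is 1024")
    if cfg.get("layout") not in LAYOUTS:
        problems.append("layout must be Tile, Multiple, or Center")
    if not _in_range(cfg.get("opacity"), 0, 255):
        problems.append("opacity must be 0 through 255")
    # Assumption: each RGB component is a decimal value from 0 through 255.
    rgb = str(cfg.get("color", "")).split()
    if len(rgb) != 3 or not all(c.isascii() and c.isdigit() and int(c) <= 255 for c in rgb):
        problems.append("color must be three space-separated decimal RGB values")
    if not _in_range(cfg.get("refresh"), 0, 86400):
        problems.append("refresh interval must be 0 through 86400 seconds")
    return problems, expanded


if __name__ == "__main__":
    # Constructed configuration that identifies the user and client address.
    cfg = {"text": "%USERDOMAIN%\\%USERNAME% from %ViewClient_IP_Address%",
           "layout": "Tile", "opacity": 128, "color": "255 255 255", "refresh": 60}
    issues, shown = check_watermark(cfg)
    print(shown)
    print(issues or "OK")
```

Pass the longest user, domain, and computer names in your environment as `values` to test the 1024-character limit against a worst case.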