The VMware View Agent Configuration ADMX template file (vdm_agent.admx) contains policy settings related to the authentication and environmental components of Horizon Agent.
The ADMX files are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip, which you can download from the VMware Downloads site. Go to https://my.vmware.com/web/vmware/downloads. Look for Desktop & End-User Computing and under this category, select Download Product under VMware Horizon. Then select the appropriate Horizon version and click Go To Downloads. From here you can find the Horizon GPO Bundle that includes the VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip file.
The following tables describe policy settings in the VMware View Agent Configuration ADMX template file. The template contains both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting.
The settings are located in the
folder.Agent Configuration
Agent configuration settings are in the
folder in the Group Policy Management Editor.Filter Microsoft Chart and Smart Art Setting |
Computer | User | Properties |
---|---|---|---|
AllowDirectRDP | X | Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is deactivated, the agent permits only Horizon-managed connections through Horizon Client. When connecting to a remote desktop from Horizon Client for Mac, do not deactivate the AllowDirectRDP setting. If this setting is deactivated, the connection fails with an Access is denied error. By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, deactivate the AllowDirectRDP setting.
Important: The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.
This setting is activated by default. |
|
AllowSingleSignon | X | Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is activated, users are required to enter their credentials only once, when they log in to the server. When this setting is deactivated, users must reauthenticate when the remote connection is made. This setting is activated by default. |
|
Audio option for single session Windows 10 physical Remote Desktop machine | X | Specifies the audio device to use on a Horizon Windows 10 physical machine hosting the remote desktop session. When activated, select from the following options:
|
|
CommandsToRunOnConnect | X | Specifies a list of commands or command scripts to be run when a session is connected for the first time. See Running Commands on Horizon Desktops for more information. |
|
CommandsToRunOnDisconnect | X | Specifies a list of commands or command scripts to be run when a session is disconnected. See Running Commands on Horizon Desktops for more information. |
|
CommandsToRunOnReconnect | X | Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect. See Running Commands on Horizon Desktops for more information. |
|
Connecting Session Threshold | X | Specifies the maximum number of sessions that can concurrently log onto the RDSH machine, exempting reconnecting sessions. If activated, the session threshold value is initially set to 20 but should be changed according to use case. If 0 is selected, then the connecting session threshold is deactivated. This policy is deactivated by default, so if the policy is not configured, then the connecting session threshold will be deactivated. | |
ConnectionTicketTimeout | X | Specifies the amount of time in seconds that the Horizon connection ticket is valid. Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds. |
|
CredentialFilterExceptions | X | Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames. |
|
Disable Time Zone Synchronization | X | X | Determines whether the time zone of the remote desktop is synchronized with the time zone of the connected client. An activated setting applies only if the Disable time zone forwarding setting of the Horizon Client Configuration policy is not set to deactivated. This setting is deactivated by default. |
Disconnect Session Time Limit (VDI) | X | Specifies the amount of time after which a disconnected desktop session logs out automatically.
You can also configure the time limit in the Automatically logoff after disconnect desktop pool setting in Horizon Console. If you configure this setting in both places, the group policy setting takes precedence. For example, selecting Never prevents a disconnected session on this machine from ever logging out, regardless of the setting in Horizon Console. |
|
DPI Synchronization | X | X | Adjusts the system-wide DPI setting for the remote session. When this setting is activated or not configured, the system-wide DPI setting for the remote session is set to match the corresponding DPI setting on the client operating system. When this setting is deactivated, the system-wide DPI setting for the remote session is never changed. For a list of the supported guest operating systems, see the "Using DPI Synchronization" topic in the Horizon Client for Windows Guide. This setting is activated by default. |
DPI Synchronization Per Monitor | X | X | Adjusts the DPI setting in multiple monitors during a remote session. When this setting is activated, the DPI setting in all monitors changes to match the client per-monitor DPI setting during a remote session. If the DPI setting is customized, the customized DPI setting is matched. The Allow Display Scaling option is dimmed in Horizon Client. When this setting is deactivated, users must log out and reconnect to the remote desktop to make DPI setting changes take effect in all monitors. For a list of the supported guest operating systems, see the "Using DPI Synchronization" topic in the Horizon Client for Windows Guide. This setting is activated by default. |
Enable Battery State Redirection | X | Determines whether battery state redirection is activated. This feature is supported with Windows and Linux client systems. When this setting is activated, information about the Windows or Linux client system's battery is redirected to a Windows remote desktop. The battery icon in the system tray on the remote desktop indicates the battery charge percentage. If the battery charge is less than or equal to 10 percent, a message pops up stating that the battery is low. This setting is activated by default. |
|
Enable multi-media acceleration | X | Determines whether multimedia redirection (MMR) is activated on the remote desktop. MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on the remote system directly through a TCP socket to the client. The data is decoded directly on the client, where it is played. You can deactivate MMR if the client has insufficient resources to handle local multimedia decoding. This setting is activated by default. |
|
Enable Unauthenticated Access | X | Activates or deactivates the unauthenticated access feature. When this setting is activated, unauthenticated access users can access published applications from Horizon Client without requiring Active Directory credentials. When this setting is deactivated, unauthenticated access users cannot access published applications from Horizon Client without requiring Active Directory credentials. You must reboot the RDS host for this setting to take effect. This setting is activated by default. |
|
Force MMR to use software overlay | X | MMR tries to use the hardware overlay to play back video for better performance. When working with multiple displays, the hardware overlay exists on only one of the displays, either the primary display or the display where WMP started. If a user drags WMP to another display, the video appears as a black rectangle. Use this option to force MMR to use a software overlay that works on all displays. This setting is activated by default. |
|
Idle Time Until Disconnect (VDI) | X | Specifies the amount of time after which a remote desktop session disconnects because of user inactivity. If deactivated, not configured, or activated with the Never setting, the remote desktop sessions are never disconnected. If the desktop pool or machine is configured to log out automatically after a disconnect, that setting is honored. |
|
Key Logger Blocking | X | Determines whether the end point encrypts the communication between the keyboard and the Horizon Client to avoid key-logging malware on the end point. When this setting is activated, all keystrokes are encrypted. When it is deactivated, keystrokes are communicated normally. This is deactivated by default.
Note the following:
|
|
Load Index Threshold | X | Specifies the minimum load index at which the RDSH machine will start denying session logons, exempting reconnecting sessions. If activated, the load threshold value is initially set to 90 but should be changed according to use case. If 0 is selected, then the load index threshold is deactivated. This policy is deactivated by default, so if the policy is not configured, then the load index threshold will be deactivated. | |
Prewarm Session Time Limit | X | Specifies the amount of time after which a prewarm session logs out automatically. This setting is not configured by default. | |
RDS Connection Time Until Disconnect | X | Specifies the maximum amount of time that a Remote Desktop Services session can be active before it is disconnected automatically. Timeout values range from Never to one week. Selecting Never will never disconnect Remote Desktop Services sessions on this machine. | |
RDS Disconnected Time Until Logoff | X | Specifies the amount of time after which a disconnected Remote Desktop Services session logs off automatically. Timeout values range from Never to one week. Selecting Never will never log off disconnected Remote Desktop Services sessions on this machine. | |
RDS End Session When Time Limit Reached | X | Specifies whether to end or disconnect a Remote Desktop Services session that has timed out. If this setting is activated, the Remote Desktop Services session is ended (user is logged off and the session is deleted from the server) after the time limit for active or idle sessions have been reached. By default, Remote Desktop Services sessions are disconnected after reaching their time limits. | |
RDS Idle Time Until Disconnect | X | Specifies the amount of time after which an idle Remote Desktop Services session disconnects automatically. Timeout values range from Never to one week. Selecting Never will never disconnect Remote Desktop Services sessions on this machine. | |
Screen-capture Blocking | X | X* |
Determines whether users can take screenshots of their virtual desktop or published application from their end point. If activated, users are blocked from taking screenshots of the virtual desktop or virtual applications using their Windows or macOS devices.
Note: For Browser Redirection and HTML5 Multimedia Redirection, the redirected content could be captured when Block Screenshot is activated.
This setting is deactivated by default; users are allowed to take screenshots using their devices. Requirements: Horizon Agent 2106 and later support this setting. This setting is enforceable on Horizon Client for Windows and Horizon Client for Mac 2106 and later. In most cases, you can configure this setting for the machine or per user. *However, If you deactivate SSO on the agent, you must configure this setting for the machine, not per user. If you set this feature for both machine and user, the setting for the user takes precedence. Nested mode is supported. To enforce this behavior on clients or under conditions that do not support the setting, use limits on the session connection. See Global Client Restriction Settings for Client Sessions in the Horizon 8 Administration document. Behavior notes: While activated, users cannot take screenshots of the virtual desktop or virtual application from supported clients. These notes detail the expected results. For VMware WebRTC/Media Optimization for Microsoft Teams:
For Optimized Zoom VDI
For VMware Virtualization for Skype for Business
Host's native applications such as Zoom and Microsoft Teams might not share content of the VMware remote desktop or published application that activates this feature.
With Multimedia Redirection and HTML5 Multimedia Redirection
|
ShowDiskActivityIcon | X | This setting is not supported in this release. | |
Single sign-on retry timeout | X | Specifies the time, in milliseconds, after which single sign-on is retried. Set the value to 0 to deactivate single sign-on retry. The default value is 5000 milliseconds. This setting is activated by default. |
|
Toggle Display Settings Control | X | Determines whether to deactivate the Settings tab in the Display control panel when a client session uses the PCoIP or Blast Extreme display protocols. This setting is activated by default. |
Agent Security
The Agent Security setting is in the
folder in the Group Policy Management Editor.Setting | Computer | User | Properties |
---|---|---|---|
Accept SSL encrypted framework channel | X | Activates the TLS encrypted framework channel. You can specify one of the following options:
This setting is activated by default. |
Authentication
Policy settings for Windows Hello for Business certificate redirection are in the ADMX template file vdm_agent.admx. Certificate redirection setting is in the folder in the Group Policy Management Editor.
Setting | Computer | User | Properties |
---|---|---|---|
List of allowed executables | X | List of executables that are allowed to use redirected Windows Hello for Business certificate. This setting is not activated by default. |
Clipboard Redirection
Policy settings for Clipboard Redirection are in the ADMX template file vdm_agent_clipboard.admx. The Clipboard Redirection settings are in the folder in the Group Policy Management Editor.
Setting | Computer | User | Description |
---|---|---|---|
Clipboard memory size on server | X | X | Specifies the server clipboard memory size value in bytes or kilobytes, as selected. If it is not configured, the memory size is in kilobytes. The client also has a value for the clipboard memory size, which is always in kilobytes. After the session is set up, the server sends its clipboard memory size value to the client. The effective clipboard memory size value is the lesser of the client and server clipboard memory size values. A large clipboard memory size can negatively affect performance, depending on your network. VMware recommends that you do not set the clipboard memory size to a value greater than 16 MB.
Note: To transfer larger amounts of data, use the client drive redirection feature.
|
Configure clipboard audit | X | X | Specifies whether the clipboard audit feature is activated on the agent machine. When this setting is activated, the options are as follows:
When this setting is deactivated or not configured, the default value is Disabled in both directions. You can use the Windows event viewer on the agent machine to view the event log. The log name is VMware Horizon RX Audit. To view the event log in a centralized location, you can configure VMware Log Insight or Windows Event Collector.
Note: Only the Windows client supports agent machine to client machine clipboard auditing.
|
Configure clipboard redirection | X | X | Determines the direction in which clipboard redirection is allowed. You can select one of the following values:
Clipboard redirection is implemented as a virtual channel. If virtual channels are deactivated, clipboard redirection does not function. This setting applies only to Horizon Agent. When this setting is deactivated or not configured, the default value is Enabled client to agent only. |
Configure clipboard redirection formats | X | X | Determines whether a filter is activated or deactivated on the agent machine for each data format.
When the setting is not configured or deactivated, the filters for clipboard redirection are deactivated for all formats. This setting not configured by default. |
Configure file transfer | X | Configures how the file transfer feature works between the remote desktop and HTML Access or Horizon Client for Chrome. Valid values are as follows. This setting applies only to remote desktops.
When this setting is deactivated or not configured, the default value is Enabled file upload only. |
|
Whether block clipboard redirection to client side when client doesn't support audit | X | X | Specifies whether to block clipboard redirection to clients that do not support the clipboard audit feature. When this setting is activated, you must select one of the following values.
When this setting is deactivated or not configured, the default value is Block. You must activate the Configure clipboard audit group policy setting for this setting to take effect. |
Collaboration
Collaboration settings are in the
folder in the Group Policy Management Editor.Setting | Description |
---|---|
Allow control passing to collaborators | When activated, users can pass input control to other collaborators during collaboration. When deactivated, the toggle switch does not appear in the collaboration window. This setting is activated by default. |
Allow inviting collaborators by e-mail | When activated, you can send collaboration invitations by using an installed email application. When deactivated, you cannot use email to invite collaborators, even if an email application is installed. This setting is activated by default. |
Allow inviting collaborators by IM | When activated, you can send collaboration invitations by using an installed Instant Message (IM) application. When deactivated, you cannot use IM to invite collaborators, even if an IM application is installed. This setting is activated by default. |
Include Outlook-formatted URL in clipboard text | When this setting is activated, a Microsoft Outlook-formatted invitation URL is included in the clipboard invitation text. Activate this setting if you expect end users to paste clipboard invitation text into an email message. This setting is deactivated by default. |
Separator used for multiple e-mail addresses in mailto: links | Configures the separator used for multiple email addresses in mailto: links to allow better compatibility with various email clients. When not configured, the default value is a semicolon without a space to separate email addresses. If your default email client does not allow a semicolon as a separator, try other combinations, such as a comma plus one space or semicolon plus one space. |
Server URLs to include in invitation message | Sets the server URLs to include in collaboration invitations. If this setting is not configured, a default URL is used, but it might be incorrect in all but the simplest deployments. |
Turn off collaboration | When activated, the Session Collaboration feature is turned off. When deactivated or not configured, you can control the feature at the farm or desktop pool level. This setting takes effect after you reboot the Horizon Agent machines. |
Maximum number of invited collaborators | Specifies the maximum number of collaborators that you can invite to join a session. The default maximum is 5. The limit is 20. |
Configures SSL protocols and cryptographic algorithms
SSL protocols and cryptographic algorithms settings are in the VMware View Agent Configuration folder in the Group Policy Management Editor.
Setting | Description |
---|---|
Configures SSL protocols and cipher suites | Allows you to specify the cryptographic algorithms and protocols before establishing an encrypted SSL connection. The cipher list consists of one or more cipher strings separated by colons. Note that all cipher strings are case sensitive. If the feature is enabled, the default value is: 'TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES' which means that TLS v1.1 and TLS v1.2 are enabled. Cipher suites will use ECDHE, ECDH and RSA with 128 or 256 bit AES, with a preference for GCM mode. SSL v2.0, SSL v3.0 and TLS v1.0 are not supported. |
Configures Signature Algorithms Extension | Specifies the signature algorithms for TLS v1.2. Enter a colon-separated list of signature algorithms in order of decreasing preference, in the form of algorithm+hash. Note that algorithm and hash names are case sensitive. For example: RSA+SHA256:ECDSA+SHA256 If this option is not set then the default value is all signature algorithms supported by the OpenSSL library. |
Configures Supported Groups Extension | Sets the supported elliptic curve groups. Enter a list of curves separated by colons. Note that curve names are case sensitive. For example: P-256:P-384 If this option is not set and ECDHE cipher suites are provided, then the default value is all signature algorithms supported by the OpenSSL library. |
Strict certification revocation check | When enabled, Horizon Client will refuse to connect to servers when it cannot verify the certificate revocation status. When this setting is disabled, the client will check revocation but it will not block a connection based on revocation status. The Ignore certificate revocation problems GPO takes precedence over this GPO, do not use them together. This setting is disabled by default. |
Drag and Drop
Policy settings for Drag and Drop are in the ADMX template file vdm_agent_dnd.admx. The Drag and Drop settings are in the folder in the Group Policy Management Editor.
Setting | Description |
---|---|
Configure drag and drop direction | Specifies the direction in which drag and drop is allowed. When activated, the options are as follows:
When this setting is deactivated or not configured, the default value is Enabled client to agent only. This setting applies to the agent only. |
Configure drag and drop formats | Determines which drag and drop direction (Disabled in both directions, Enabled agent to client only, Enabled client to agent only, or Enabled in both directions) is allowed for each data format. When this setting is activated, the options are as follows:
When this setting is deactivated or not configured, the default value for all formats is Enabled in both directions. This setting applies to the agent only. |
Configure drag and drop size threshold | Determines the size limit for dragging common data types other than files and folders. When this setting is activated, select the unit of the drag data size from the Choose the unit of the drag and drop size drop-down menu. You can select Bytes, Kilobytes, or Megabytes. Select or enter the drag data size in the Drag and drop size threshold text box. The effective data range for each unit is as follows:
When this setting is deactivated or not configured, a default threshold of 1 megabyte is set. This setting applies only to the agent. |
Performance Tracker
Setting | Description |
---|---|
Enable Horizon Performance Tracker auto start in remote desktop connection | When activated, Horizon Performance Tracker starts automatically when a user logs on to a remote desktop connection. To clear this preference GPO setting, select Disable. |
Enable Horizon Performance Tracker auto start in remote application connection | When activated, Horizon Performance Tracker starts automatically when a user logs on to a remote application connection. To clear this preference GPO setting, select Disable. |
Performance Tracker basic setting | When activated, you can set the frequency in seconds at which Horizon Performance Tracker collects data. |
Scanner Redirection
Policy settings for Scanner Redirection are in the ADMX template file vdm_agent_scanner.admx. Scanner Redirection settings are in the folder in the Group Policy Management Editor.
Setting | Computer | User | Description |
---|---|---|---|
BandwidthLimit | X | Specifies the maximum allowed bandwidth, in kilobytes per second, for transferring scanned data to a user session. If you specify 0 or no value, the bandwidth is unlimited. |
|
Compression | X | Specifies the image compression rate to use during the image transfer to a remote desktop or published application. You can select one of the following compression modes:
When you activate this setting, the selected compression mode is set for all users affected by this policy. Users can change the Compression option in the VMware Horizon Scanner Redirection Preferences dialog box, overriding the policy setting. When you deactivate this policy setting or do not configure it, JPEG compression mode is used. |
|
Default Color Mode | When this setting is activated, you can configure the default color mode: black and white, grayscale, or color. This setting is supported on Windows XP Professional or Windows Server 2003 or later. | ||
Default Duplex | When this setting is activated, you can configure the default scanning mode: simplex or duplex. In duplex mode, the scanning application must support duplex scanning and request two pages from the scanner. This setting is supported on Windows XP Professional or Windows Server 2003 or later. | ||
Default Scanner | X | X | Provides centralized management of scanner autoselection. You select scanner autoselection options separately for TWAIN and WIA scanners. You can select one of the following autoselection options:
When you activate this setting as a Computer Configuration policy, the setting determines the scanner autoselection mode for all users of the affected computers. Users cannot change the Default Scanner option in the VMware Horizon Scanner Redirection Preferences dialog box. When you activate this setting as a User Configuration policy, the setting determines the scanner autoselection mode for all affected users. However, users can change the Default Scanner option in the VMware Horizon Scanner Redirection Preferences dialog box. When you activate this setting in both Computer Configuration and User Configuration, the scanner autoselection mode in Computer Configuration overrides the corresponding policy setting in User Configuration for all users of the affected computers. When you deactivate this setting or do not configure it in either policy configuration, the scanner autoselection mode is determined by the corresponding policy setting (either User Configuration or Computer Configuration) or by user selection in the VMware Horizon Scanner Redirection Preferences dialog box. |
Disable functionality | X | Deactivates the scanner redirection feature. When you activate this setting, scanners cannot be redirected and do not appear in the scanner menu on users' desktops and applications. When you deactivate this setting or do not configure it, scanner redirection works and scanners appear in the scanner menu. |
|
Force the TWAIN Scanning Properties dialog | X | When this setting is activated, the TWAIN Scanning Properties dialog box is always displayed, even if a scanning application does not display the scanning dialog box. | |
Hide Webcam | X | X | Prevents webcams from appearing in the scanner selection menu in the VMware Horizon Scanner Redirection Preferences dialog box. By default, webcams can be redirected to desktops and applications. Users can select webcams and use them as virtual scanners to capture images. When you activate this setting as a Computer Configuration policy, webcams are hidden from all users of the affected computers. Users cannot change the Hide Webcam option in the VMware Horizon Scanner Redirection Preferences dialog box. When you activate this setting as a User Configuration policy, webcams are hidden from all affected users. However, users can change the Hide Webcam option in the VMware Horizon Scanner Redirection Preferences dialog box. When you activate this setting in both Computer Configuration and User Configuration, the Hide Webcam setting in Computer Configuration overrides the corresponding policy setting in User Configuration for all users of the affected computers. When you deactivate this setting or do not configure it in either policy configuration, the Hide Webcam setting is determined by the corresponding policy setting (either User Configuration or Computer Configuration) or by user selection in the VMware Horizon Scanner Redirection Preferences dialog box. |
Lock config | X | Locks the scanner redirection user interface and prevents users from changing configuration options on their desktops and applications. When you activate this setting, users cannot configure the options that are available from the tray menu on their desktops and applications. Users can display the VMware Horizon Scanner Redirection Preferences dialog box, but the options are inactive and cannot be changed. When you deactivate this setting or do not configure it, users can configure the options in the VMware Horizon Scanner Redirection Preferences dialog box. |
|
TWAIN Scanner Properties dialog location | X | Specifies where the TWAIN Scanning Properties dialog box appears. You can select one of the following options:
|
Serial COM
Setting | Computer | User | Description |
---|---|---|---|
PortSettings1 PortSettings2 PortSettings3 PortSettings4 PortSettings5 |
X | X | The port settings determine the mapping between the COM port on the client system and the redirected COM port on the remote desktop and determines other settings that affect the redirected COM port. You configure each redirected COM port individually. Five port settings policy settings are available, allowing up to five COM ports to be mapped from the client to the remote desktop. Select one port settings policy setting for each COM port that you intend to configure. When you activate the port settings policy setting, you can configure the following items that affect the redirected COM port:
When you activate the port settings policy setting for a particular COM port, users can connect and disconnect the redirected port, but users cannot configure properties of the port on the remote desktop. For example, users cannot set the port to be redirected automatically when they log on to the remote desktop, and they cannot ignore the DSR signal. These properties are controlled by the group policy setting.
Note: A redirected COM port is connected and active only if the physical COM port is connected locally to the client system. If you map a COM port that does not exist on the client, the redirected port appears as inactive and not available in the tool tray menu on the remote desktop.
When the port settings policy setting is deactivated or not configured, the redirected COM port uses the settings that users configure on the remote desktop. The Serial COM Redirection for VMware Horizon menu options are active and available to users. These settings are in the folder in the Group Policy Management Editor. |
Bandwidth limit | X | Sets a limit on the data transfer speed, in kilobytes per second, between the redirected serial port and client systems. When you activate this setting, you can set a value in the Bandwidth limit (in kilobytes per second) box that determines the maximum data transfer speed between the redirected serial port and the client. A value of 0 deactivates the bandwidth limit. When this setting is deactivated, no bandwidth limit is set. When this setting is not configured, local program settings on the remote desktop determine whether a bandwidth limit is set. This setting is in the folder in the Group Policy Management Editor. |
|
COM Port Isolation Mode | X | Specifies the isolation mode for COM ports. When you activate this setting, you can select one of the following isolation modes:
If this setting is not configured, serial port redirection operates in Full Isolation mode. |
|
Connect all ports automatically | X | When you activate this setting, all COM ports are connected automatically, even if no individual group policy settings are activated. If individual group policy settings are configured for specific ports, the individual group policy settings are used. If this setting is deactivated or not configured, the auto-connect functionality is determined by the individual port group policy settings or the local program settings. This setting is not configured by default. |
|
Disable functionality | X | Deactivates the serial port redirection feature. When you activate this setting, COM ports are not redirected to the remote desktop. The serial port tool tray icon on the remote desktop is not displayed. When this setting is deactivated, serial port redirection works, the serial port tool tray icon is displayed, and COM ports appear in the Serial COM Redirection for VMware Horizon menu. When this setting is not configured, settings that are local to the remote desktop determine whether serial port redirection is deactivated or activated. This setting is in the folder in the Group Policy Management Editor. |
|
Local settings priority | X | X | Gives priority to the settings that are configured on the remote desktop. When you activate this policy, the serial port redirection settings that a user configures on the remote desktop take precedence over the group policy settings. A group policy setting takes effect only if a setting is not configured on the remote desktop. When this setting is deactivated or not configured, group policy settings take precedence over the settings that are configured on the remote desktop. This setting is in the folder in the Group Policy Management Editor. |
Lock configuration | X | X | Locks the serial port redirection user interface and prevents users from changing configuration options on the remote desktop. When you activate this setting, users cannot configure the options that are available from the tool tray menu on their desktops. Users can display the Serial COM Redirection for VMware Horizon menu, but the options are inactive and cannot be changed. When this setting is deactivated, users can configure the options in the Serial COM Redirection for VMware Horizon menu. When this setting is not configured, local program settings on the remote desktop determine whether users can configure the COM port redirection settings. This setting is in the folder in the Group Policy Management Editor. |
Smart Card Redirection Settings
Smart card redirection settings are in the
folder in the Group Policy Management Editor.Setting | Computer | User | Properties |
---|---|---|---|
Allow applications access to Local Smart Card readers | X | If activated, applications can access all local smart card readers even when the smart card redirection feature is installed. When activated, the desktop is monitored for the presence of a local reader and when detected, the smart card redirection switches off, allowing access to the local readers. The redirection remains off until the next time the user connects to the session. When local access is activated, applications can no longer access remote readers present on the client. This setting does not apply to RDP or to RDS hosts when the Remote Desktop Services role is activated. This setting is deactivated by default. |
|
Local Reader Name | X | Specifies the name of a local reader to monitor to activate local access. By default, the reader must have a card inserted to activate local access. You can deactivate this requirement by using the Require an inserted Smart Card setting. This setting is activated by default. |
|
Require an inserted Smart Card | X | If activated, local reader access is activated if the local reader has a card inserted. If deactivated, local access is activated as long as a local reader is detected. This setting is activated by default. |
True SSO Configuration Settings
True SSO configuration settings are in the
folder in the Group Policy Management Editor. See the Horizon 8 Administration document.Unity Touch and Hosted Apps Settings
Unity Touch and Hosted Apps settings are in the
folder in the Group Policy Management Editor.Setting | Computer | User | Properties |
---|---|---|---|
Send updates for empty or offscreen windows | X | Specifies whether the client receives updates about empty or offscreen windows. When this setting is deactivated, information about windows that are smaller than 2x2 pixels, or that are located offscreen, are not sent to the client. This setting is deactivated by default. |
|
Enable UWP support on RDSH platforms | X | When activated, Universal Windows Platform (UWP) applications can run on Windows 10 virtual desktop (WVD) hosts on Horizon Cloud Service on Azure. When deactivated, the application status shows as unavailable in Horizon Agent and the user cannot access the application. Restart the agent VM for this setting to take effect. This setting is deactivated by default. |
|
Enable Unity Touch | X | Determines whether the Unity Touch functionality is activated on the remote desktop. Unity Touch supports the delivery of published applications in Horizon Client and allows mobile device users to access applications in the Unity Touch sidebar. This setting is activated by default. |
|
Enable system tray redirection for Hosted Apps | X | Determines whether system tray redirection is activated while a user is running published applications. This setting is activated by default. |
|
Enable user profile customization for Hosted Apps | X | X | Specifies whether to customize the user profile when published applications are used. If this setting is activated, a user profile is generated, the Windows theme is customized, and startup applications are registered. This setting is deactivated by default. |
Limit usage of Windows hooks | X | Deactivates most hooks when published applications or Unity Touch are used. This setting is intended for applications that have compatibility issues when OS-level hooks are set. For example, enabling this setting deactivates the use of most Windows active accessibility and in-process hooks. This setting is deactivated by default, which means that all preferred hooks are used. |
|
Only launch new instances of Hosted Apps if arguments are different | X | This policy controls the behavior when a published application starts, but an existing instance of the application is already running inside a disconnected protocol session. When deactivated, the existing instance of the application activates. When activated, the inside existing instance of the application activates only if the command-line parameters match. This setting is deactivated by default. |
|
Redirect legal notice messages as a window | X | When activated, this policy redirects legal notices to a custom-sized window in Horizon Client. Specify the width and height of the window in pixels. For high DPI monitors, the sizes will be multiplied based on the DPI. This functionality is only supported for published applications. Restart the RDSH server and Horizon Client for the setting to take effect. This setting is deactivated by default. |
|
Unity Filter rule list | X | Specifies filter rules for unity windows when using published applications. Horizon Agent uses these rules to support custom applications. For information about creating filter rules, see Managing Special Unity Windows. This setting is not configured by default. |
View Agent Direct-Connection Configuration
Policy settings for View Agent Direct-Connection Configuration are in the ADMX template file vdm_agent_direct_connection.admx. View Agent Direct-Connection configuration settings are in the folder in the Group Policy Management Editor. See the Horizon Agent Direct-Connection Plug-In document.
Real-Time Audio-Video Configuration
Policy settings for Real-Time Audio-Video Configuration are in the ADMX template file vdm_agent_rtav.admx. RTAV configuration settings are in the folder in the Group Policy Management Editor. See Real-Time Audio-Video Group Policy Settings.
USB Configuration
USB Configuration settings are in the Using Policies to Control USB Redirection .
folder in the Group Policy Management Editor. SeeVMware AppTap Configuration
The VMware AppTap configuration setting is in the
folder in the Group Policy Management Editor.Setting | Computer | User | Properties |
---|---|---|---|
Processes to ignore when detecting empty application sessions | X | Specifies the list of processes to ignore when detecting empty application sessions. You can specify either a process filename or a full path. Values are not case-sensitive . Do not use environment variables in paths. UNC network paths are allowed, example: \\vmware\temp\app.exe. This setting is not configured by default. |
Client Drive Redirection
Policy settings for Client Drive Redirection are in the ADMX template file vdm_agent_cdr.admx. Client Drive Redirection settings are in the folder in the Group Policy Management Editor. See Client Drive Redirection Policy Settings.
VMware HTML5 Features
VMware HTML5 features consist of Browser Redirection, Geolocation Redirection, HTML5 Multimedia Redirection, and WebRTC Redirection. Policy settings for these features are in the VMware HTML5 Feature Policy Settings.
folder in the Group Policy Management Editor. SeeVMware Integrated Printing
Policy settings for VMware Integrated Printing are in the ADMX template file printerRedirection.admx. VMware Integrated Printing settings are in the folder in the Group Policy Management Editor. See VMware Integrated Printing Policy Settings.
VMware Virtualization Pack for Skype for Business
VMware Virtualization Pack for Skype for Business settings are in the VMware Virtualization Pack for Skype for Business Policy Settings.
folder in the Group Policy Management Editor. SeeWatermark Configuration
The watermark configuration setting is in the User Configuration folder, located in folder in the Group Policy Management Editor.
Setting | Computer | User | Properties |
---|---|---|---|
Watermark Configuration | X | activate this setting to configure a watermark to appear on your virtual desktop. Enter information you want to display as the watermark in Text. Options are: %ViewClient_IP_Address% %ViewClient_Broker_UserName% %ViewClient_Broker_DomainName% %COMPUTERNAME% %USERDOMAIN% %USERNAME% %ViewClient_ConnectTime% The character limit is 256 characters and 1024 characters after expansion.
Image Layout: the watermark layout on the screen, which is divided into nine squares:
Text Rotation: a specific angle for the watermark text. Opacity: the transparency level of the text. The range is 0 through 255. The default value is 255. Margin: the space around the watermark for the Tile layout. If the watermark is scaled, the margin is also scaled. Text Color: specifies the color of the watermark text using space-separated RGB color values in decimal. The text outline is rendered in a contrasting color. The default is white text outlined in black. Font Size: specifies the size of the watermark text. If this value is 0, the default font size is used. Refresh Interval: specifies the interval, in seconds, that the watermark is refreshed. When 0 is specified, the watermark update is deactivated. The maximum value is 86400 seconds (24 hours). This setting is not configured by default. |