In certain VMware Horizon environments, it is a priority to prohibit access to VMware Horizon desktops through the RDP display protocol. You can prevent users and administrators from using RDP to access VMware Horizon desktops by configuring pool settings and a group policy setting.

By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, deactivate the AllowDirectRDP setting.

Note: Remote Desktop Services must be started on the virtual machine that you use to create pools and on the virtual machines that are deployed in the pools. Remote Desktop Services are required for Horizon Agent installation, SSO, and other Horizon session-management operations.

Prerequisites

Verify that the Horizon Agent Configuration Administrative Template (ADMX) file is installed in Active Directory.

Procedure

  1. Select the display protocol that you want Horizon Connection Server to use to communicate with Horizon Client devices.
    Option Description
    Create a desktop pool
    1. In Horizon Console, start the Add Pool wizard.
    2. On the Remote Display Protocol page, select VMware Blast or PCoIP as the default display protocol.
    Edit an existing desktop pool
    1. In Horizon Console, select the desktop pool and click Edit.
    2. On the Desktop Pool Settings tab, select VMware Blast or PCoIP as the default display protocol.
  2. For the Allow users to choose protocol setting, select No.
  3. Prevent devices that are not running Horizon Client from connecting directly to Horizon desktops through RDP by disabling the AllowDirectRDP group policy setting.
    1. On your Active Directory server, open the Group Policy Management Console and select Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware Horizon Agent Configuration.
    2. Disable the AllowDirectRDP setting.