You can use Windows Registry settings on the enrollment server OS to configure which domains to connect to, various timeout periods, polling periods, and retries, and whether to prefer using the certificate authority that is installed on the same local server (recommended).

To change the advanced configuration settings, you can open the Windows Registry Editor (regedit.exe) on the enrollment server machine and create the following registry key:

HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service

Before making any registry modifications, make sure you have a current and valid backup of the registry. For more information on backing up the registry, see the Microsoft Knowledge Base article 136393.

Table 1. Registry Keys for Configuring True SSO on the Enrollment Server

Each entry lists the registry value name, its Min & Max range (N/A where the value is not numeric), its registry type, and a description.

AllowIssuancePolicyInCerts
  Min & Max: N/A
  Type: REG_SZ
  Description: Specifies whether the Enrollment Server allows certificates with Issuance policies. The default is FALSE.
  Use one of the following values:
    • 0 means false; the Enrollment Server rejects certificates with Issuance policies.
    • !=0 means true.

ConnectToDomains
  Min & Max: N/A
  Type: REG_MULTI_SZ
  Description: List of domains the enrollment server attempts to connect to automatically. For this multi-string registry type, the DNS fully qualified domain name (FQDN) of each domain is listed on its own line. The default is to trust all domains.

ExcludeDomains
  Min & Max: N/A
  Type: REG_MULTI_SZ
  Description: List of domains the enrollment server does not connect to automatically. If the connection server provides a configuration set that includes any of these domains, the enrollment server will still attempt to connect to that domain or domains. For this multi-string registry type, the DNS FQDN of each domain is listed on its own line. The default is to exclude no domains.

ConnectToDomainsInForest
  Min & Max: N/A
  Type: REG_SZ
  Description: Specifies whether to connect to and use all domains in the forest that the enrollment server is a member of. The default is TRUE.
  Use one of the following values:
    • 0 means false; do not connect to the domains of the forest being used.
    • !=0 means true.

ConnectToTrustingDomains
  Min & Max: N/A
  Type: REG_SZ
  Description: Specifies whether to connect to explicitly trusting (incoming-trust) domains. The default is TRUE.
  Use one of the following values:
    • 0 means false; do not connect to explicitly trusting (incoming-trust) domains.
    • !=0 means true.

PreferLocalCa
  Min & Max: N/A
  Type: REG_SZ
  Description: Specifies whether to prefer the locally installed CA, if available, for performance benefits. If set to TRUE, the enrollment server sends requests to the local CA. If the connection to the local CA fails, the enrollment server tries to send certificate requests to alternate CAs. The default is FALSE.
  Use one of the following values:
    • 0 means false.
    • !=0 means true.

MaxSubmitRetryTime
  Min & Max: 9500 - 59000
  Type: DWORD
  Description: Amount of time, in milliseconds, to wait before retrying to submit a certificate signing request. The default is 25000.

SubmitLatencyWarningTime
  Min & Max: 500 - 5000
  Type: DWORD
  Description: Submit latency threshold, in milliseconds, above which the CA interface is marked "Degraded". The default is 1500.
  The enrollment server uses this setting to determine whether a CA should be considered to be in a degraded state. If each of the last three certificate requests took more milliseconds to complete than this setting specifies, the CA is considered degraded, and this status appears in the Horizon Console dashboard.
  A CA usually issues a certificate within 20 ms, but if the CA has been idle for a few hours, the initial request might take longer to complete. This setting allows an administrator to find out that a CA is slow without necessarily having the CA marked as slow. Use this setting to configure the threshold for marking the CA as slow.

WarnForLonglivedCert
  Min & Max: N/A
  Type: REG_SZ
  Description: Disables the warning for long-lived True SSO certificate templates. The default is True.
  The enrollment server displays a warning status in the Horizon Console dashboard by reporting True SSO templates as being in a degraded or non-optimal state if the certificate lifetime is set to greater than 14 days. The enrollment server uses this setting to disable the warning.
  The enrollment server must be restarted for this setting to take effect.
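The following PowerShell script is an added example, not part of the VMware documentation, showing how the settings in Table 1 can be applied and then audited from an elevated prompt on the enrollment server. It writes the boolean flags as REG_SZ strings and the domain lists as REG_MULTI_SZ, rejects any DWORD outside the documented Min & Max range, and reads the key back so that an out-of-range value set by hand stands out. The domain names are constructed placeholders; the Windows service name for restarting the enrollment server is not given on this page, so the script only reminds you to restart.

```powershell
# Added example (not from the VMware documentation). Run elevated on the
# enrollment server. Domain names below are constructed placeholders.

$KeyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'

# Documented Min & Max ranges (milliseconds) for the DWORD values in Table 1.
$DwordRanges = @{
    MaxSubmitRetryTime       = @{ Min = 9500; Max = 59000 }
    SubmitLatencyWarningTime = @{ Min = 500;  Max = 5000  }
}

function Set-TrueSsoDword {
    param([string]$Name, [int]$Value)
    $range = $DwordRanges[$Name]
    if ($Value -lt $range.Min -or $Value -gt $range.Max) {
        throw "$Name=$Value is outside the documented range $($range.Min)-$($range.Max) ms"
    }
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $Value -Type DWord
}

function Set-TrueSsoFlag {
    # Boolean settings are REG_SZ strings: "0" is false, anything else is true.
    param([string]$Name, [bool]$Enabled)
    $text = if ($Enabled) { '1' } else { '0' }
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $text -Type String
}

# Create the key if it does not exist yet (the page has you create it in regedit).
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Domain scoping: one FQDN per entry in the multi-string value.
Set-ItemProperty -Path $KeyPath -Name ConnectToDomains `
    -Value @('corp.example.com', 'lab.example.com') -Type MultiString
Set-ItemProperty -Path $KeyPath -Name ExcludeDomains `
    -Value @('legacy.example.com') -Type MultiString

# Prefer the co-located CA (recommended by the page) and keep issuance-policy
# certificates rejected (the documented default).
Set-TrueSsoFlag  -Name PreferLocalCa              -Enabled $true
Set-TrueSsoFlag  -Name AllowIssuancePolicyInCerts -Enabled $false
Set-TrueSsoDword -Name MaxSubmitRetryTime         -Value 25000
Set-TrueSsoDword -Name SubmitLatencyWarningTime   -Value 1500

# Audit: read the key back and flag any DWORD outside its documented range.
$props = Get-ItemProperty -Path $KeyPath
$names = 'ConnectToDomains', 'ExcludeDomains', 'PreferLocalCa',
         'AllowIssuancePolicyInCerts', 'MaxSubmitRetryTime', 'SubmitLatencyWarningTime'
foreach ($name in $names) {
    $value = $props.$name
    $note  = ''
    if ($DwordRanges.ContainsKey($name) -and
        ($value -lt $DwordRanges[$name].Min -or $value -gt $DwordRanges[$name].Max)) {
        $note = '   <-- outside documented range'
    }
    '{0,-28} {1}{2}' -f $name, ($value -join ', '), $note
}

Write-Host 'Restart the enrollment server service for WarnForLonglivedCert changes to take effect.'
```

Because the boolean settings are REG_SZ rather than REG_DWORD, the script deliberately writes the strings "0" and "1"; writing a DWORD of the same name would create a value of the wrong type, which is the kind of mistake the read-back loop is meant to catch during a change review.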