Horizon Client includes a group policy ADMX template file that you can use to configure Horizon Client features and behavior. You can optimize and secure remote desktop and published application connections by adding the policy settings in the ADMX template file to a new or existing GPO in Active Directory. The template file contains both Computer Configuration and User Configuration group policies. Horizon Client applies policies when remote desktops and published applications start and when users log in. The Horizon Client Configuration ADMX template file (vdm_client.admx), and all ADMX template files that provide group policy settings, are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyy.zip, where YYMM is the marketing version number, x.x.x is the internal version number, and yyyyyyy is the build number. You can download this ZIP file from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. You must copy the file to your Active Directory server and use the Group Policy Management Editor to add the administrative templates. For instructions, see the Horizon Remote Desktop Features and GPOs document. You can set group policies for many of the same settings that you can configure when you run Horizon Client from the command line, including the remote desktop window size, login user name, and login domain name. The following table describes the scripting definition settings in the VMware Horizon Client Configuration ADMX template file. This template file provides a Computer Configuration and a User Configuration version of each scripting definition setting. The User Configuration setting overrides the equivalent Computer Configuration setting. The settings appear in the folder in Group Policy Management Editor. Determines whether all the available USB devices on the client system are connected to the remote desktop or published application when the remote desktop or published application starts. 
Determines whether USB devices are connected to the remote desktop or published application when the devices are plugged in to the client system. Specifies the layout of the Horizon Client window that users see when they log into a remote desktop. The layout choices are as follows: This setting is available only when the DesktopName to select setting is also set. After you enable this setting, remote desktop autofit functionality is disabled and the Allow Display Scaling option is hidden in the Horizon Client user interface. Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory. Determines whether Horizon Client error messages are hidden during login. This setting applies only when the login process is fully scripted, for example, when all the required login information is prepopulated through group policy. If the login fails because of incorrect login information, users are not notified and the Horizon Client process is terminated. Determines how running published applications behave when users reconnect to a server. The choices are as follows: When this setting is enabled, end users cannot configure the published application reconnection behavior in Horizon Client. When this setting is disabled, end users can configure published application reconnection behavior in Horizon Client. This setting is disabled by default. When this setting is enabled, the Unauthenticated Access setting in Horizon Client is visible, disabled, and selected. The client can fall back to another authentication method if Unauthenticated Access is not available. When this setting is disabled, users are always required to enter their credentials to log in and access their published applications. The Unauthenticated Access setting in Horizon Client is hidden and deselected. Users can enable Unauthenticated Access in Horizon Client by default. The Unauthenticated Access setting is visible, enabled, and deselected. 
If Unauthenticated Access is not used for a specific connection to a server, this setting is ignored. Users can select an account by default. Determines whether a connection is added to the existing Horizon Client instance with which the user is already connected to the same server. This setting is disabled by default when not configured. Security settings include group policies for certificates, login credentials, and the single sign-on feature. The following table describes the security settings in the Horizon Client Configuration ADMX template file. This table shows whether the settings include both Computer Configuration and User Configuration settings, or only Computer Configuration settings. For the security settings that include both types of settings, the User Configuration setting overrides the equivalent Computer Configuration setting. These settings appear in the folder in the Group Policy Management Editor. This setting is enabled by default. The equivalent Windows Registry value is AllowCmdLineCredentials. When this setting is not configured (the default), users can change the SSL proxy setting in Horizon Client manually. See Setting the Certificate Checking Mode in Horizon Client. By default, Horizon Client blocks SSL proxy connections for Blast Secure Gateway and secure tunnel connections. Specifies the Connection Server instances that accept the user identity and credential information that is passed when a user selects Log in as current user in the Options menu on the Horizon Client menu bar. If you do not specify any Connection Server instances, all Connection Server instances accept this information, unless the Allow logon as current user authentication setting is disabled for the Connection Server instance in Horizon Console. To add a Connection Server instance, use one of the following formats: The equivalent Windows Registry value is BrokersTrustedForDelegation. 
If any other certificate error condition occurs, Horizon Client shows an error and prevents users from connecting to the server. Warn But Allow is the default value. When this setting is configured, users can view the selected certificate verification mode in Horizon Client, but cannot configure the setting. The certificate checking mode dialog box informs users that an administrator has locked the setting. When this setting is disabled, Horizon Client users can select a certificate checking mode. This setting is disabled by default. To allow a server to select certificates provided by Horizon Client, the client must make HTTPS connections to the Connection Server or security server host. Certificate checking is not supported if you off-load TLS to an intermediate device that makes HTTP connections to the Connection Server or security server host. If you do not want to configure this setting as a group policy, you can also enable certificate verification by adding the CertCheckMode value name to one of the following registry keys on the client computer: Use the following values in the registry key: If you configure both the group policy setting and the CertCheckMode setting in the Windows Registry key, the group policy setting takes precedence over the registry key value. Note: In a future Horizon Client release, using the Windows registry to configure this setting might not be supported and the group policy setting must be used. Specifies the default value of Log in as current user in the Options menu on the Horizon Client menu bar. This setting overrides the default value specified during Horizon Client installation. If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting. 
When Log in as current user is selected in the Options menu, the identity and credential information that the user provided when logging in to the client system is passed to the Connection Server instance and ultimately to the remote desktop or published application. When Log in as current user is deselected, users must provide identity and credential information multiple times before they can access a remote desktop or published application. This setting is disabled by default. The equivalent Windows Registry value is LogInAsCurrentUser. Determines whether Log in as current user is visible in the Options menu on the Horizon Client menu bar. When Log in as current user is visible, users can select or deselect it and override its default value. When Log in as current user is hidden, users cannot override its default value from the Horizon Client Options menu. You can specify the default value for Log in as current user by using the policy setting Default value of the 'Log in as current user' checkbox. This setting is enabled by default. The equivalent Windows Registry value is LogInAsCurrentUser_Display. If Horizon Client is shared, you might not want users to see the names of recent desktops and published applications. You can disable the jump list by disabling this setting. This setting is enabled by default. The equivalent Windows Registry value is EnableJumplist. The equivalent Windows Registry value is EnableTicketSSLAuth. The default value is TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES. This cipher string means that TLS v1.1 and TLS v1.2 are enabled and SSL v2.0, SSL v3.0, and TLS v1.0 are disabled. SSL v2.0, SSL v3.0, and TLS v1.0 are no longer approved protocols and are permanently disabled. Cipher suites use ECDHE, ECDH, and RSA with 128-bit or 256-bit AES. GCM mode is preferred. For more information, see http://www.openssl.org/docs/apps/ciphers.html. The equivalent Windows Registry value is SSLCipherList. 
The equivalent Windows Registry value is EnableSmartCardSSO. This setting is disabled by default. Note: When this setting is enabled, the client might only use a cached URL during server certificate verification. The types of cached URL information can be CRL Distribution Point (CDP) and Authority Information Access (OCSP and CA issuer access methods). This setting is enabled by default. The following settings appear in the folder in the Group Policy Management Editor. When this setting is enabled, you can select Yes or No from the Allow fallback from Kerberos to NTLM drop-down menu. When this setting is not configured, NTLM authentication is allowed for the servers listed in the Always use NTLM servers group policy setting. To use NTLM authentication, the server SSL certificate must be valid and Windows policies must not restrict the use of NTLM. For information about configuring fallback from Kerberos to NTLM in a Connection Server instance, see "Using the Log In as Current User Feature Available with Windows-Based Horizon Client" in the document. You can configure group policy settings for options such as the redirection of audio, printers, ports, and other devices when you use the Microsoft RDP display protocol. The following table describes the Remote Desktop Protocol (RDP) settings in the Horizon Client Configuration ADMX template file. All RDP settings are User Configuration settings. The settings appear in the folder in the Group Policy Management Editor. Determines whether audio information played on the remote desktop is redirected. Select one of the following settings: This setting applies only to RDP audio. Audio that is redirected through MMR plays in the client. Determines whether the default audio input device is redirected from the client to the remote session. When this setting is enabled, the audio recording device on the client appears in the remote desktop and can record audio input. The default setting is disabled. 
Separate versions of this setting are provided for the following unit and bpp combinations: When this setting is enabled, enter a size in kilobytes. Specifies the color depth of the remote desktop. Select one of the available settings: Determines whether desktop composition is enabled on the remote desktop. When desktop composition is enabled, individual windows no longer draw directly to the screen or primary display device as they did in previous versions of Microsoft Windows. Instead, drawing is redirected to off-screen surfaces in video memory, which are then rendered into a desktop image and presented on the display. Enabling this setting, or leaving it unconfigured, allows data on the redirected drive on the remote desktop to be copied to the drive on the client computer. Disable this setting if allowing data to pass from the remote desktop to users' client computers represents a potential security risk in your deployment. Another approach is to disable folder redirection in the remote desktop virtual machine by enabling the Microsoft Windows group policy setting, Do not allow drive redirection. The Redirect drives setting applies to RDP only. Note: This setting applies to both RDP and PCoIP connections. This setting lets you send key combinations to the remote virtual machine or apply key combinations locally. Key combinations are applied locally by default. General settings include proxy options, time zone forwarding, multimedia acceleration, and other display settings. The following table describes the general settings in the Horizon Client Configuration ADMX template file. General settings include both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting. The settings appear in the VMware Horizon Client Configuration folder in the Group Policy Management Editor. When this setting is enabled, VMware Blast can connect through a proxy server. 
When this setting is disabled, VMware Blast cannot use a proxy server. When this setting is not configured (the default), users can configure whether VMware Blast connections can use a proxy server in the Horizon Client user interface. See Configure VMware Blast Options. When this setting is disabled, the data sharing mode setting in the Horizon Client user interface is set to Off and end users cannot change the setting. When this setting is not configured (the default), end users can change the data sharing mode setting in the Horizon Client user interface. When this setting is enabled, the display scaling feature is enabled for all remote desktops and published applications. When this setting is disabled, the display scaling feature is disabled for all remote desktops and published applications. If this setting is not configured (the default setting), end users can enable and disable display scaling in the Horizon Client user interface. You can also hide the display scaling preference in the Horizon Client user interface by enabling the Locked Guest Size group policy setting. When this setting is enabled, H.264 decoding becomes the preferred option. When this setting is disabled, H.264 decoding is never used. When this setting is not configured, users can choose whether to enable H.264 decoding. See Configure VMware Blast Options. This setting takes effect only if H.264 decoding is enabled. When this setting is not configured, users can choose whether to enable high-color accuracy mode. See Configure VMware Blast Options. When this setting is enabled, HEVC decoding becomes the preferred option. When this setting is disabled, HEVC decoding is never used. When this setting is not configured, users can choose whether to enable HEVC decoding. See Configure VMware Blast Options. When this setting is enabled, shortcuts are installed on client machines. Users are not prompted to install the shortcuts. 
When this setting is disabled, shortcuts are never installed on client machines. Users are not prompted to install the shortcuts. Users are prompted to install the shortcuts by default. When this setting is disabled, the lock key toggle states are synchronized from the remote desktop to the client device. In Horizon Client, the Automatically synchronize the keypad, scroll and cap lock keys setting check box is deselected and the setting is dimmed. When this setting is either enabled or disabled, users cannot modify the Automatically synchronize the keypad, scroll and cap lock keys setting in Horizon Client. When this setting is not configured, a user can enable or disable lock key synchronization for a remote desktop by configuring the Automatically synchronize the keypad, scroll and cap lock keys setting in Horizon Client. See Configure Lock Key Synchronization. This setting is not configured by default. When this setting is enabled, Horizon Client runs in single-instance mode and a user cannot start multiple Horizon Client instances in a Windows session. When this setting is disabled, a user can start multiple Horizon Client instances in a Windows session. This setting is disabled by default. Coalescing mouse movement events can reduce client-to-agent bandwidth use, but can potentially add minor latency to mouse movement. This setting is disabled by default. When this setting is enabled, you specify the full path to the file that contains the custom help text in the text box provided, for example, C:\myDocs\errorFooter.txt. This setting is disabled by default. When this setting is enabled, all client drive redirection functionality is disabled in Horizon Client, including the ability to open local files with published applications. In addition, the following elements are hidden in the Horizon Client user interface: When this setting is disabled, the client drive redirection feature is fully functional. This setting is disabled by default. 
Enable this setting if you do not want the user to see toast notifications in the corner of the screen. Note: If you enable this setting, the user does not see a five-minute warning when the Session Timeout function is active. When this setting is not configured (the default setting), the end user must use the mouse to ungrab the remote desktop and then press the Windows logo key + P to select a presentation display mode. This setting does not apply to published application sessions. When this setting is enabled, Horizon Client does not register any file extension handlers and does not allow the user to override the setting. When this setting is disabled, Horizon Client always registers file extension handlers. By default, file extension handlers are registered, but users can disable the feature in the Horizon Client user interface by using the Turn on the ability to open a local file with a remote application from the local file system setting on the Sharing panel in the Settings dialog box. For more information, see Share Local Folders and Drives. This setting is disabled by default. Determines whether multimedia redirection (MMR) is enabled on the client. MMR does not work correctly if the Horizon Client video display hardware does not have overlay support. Note: The shade menu bar is disabled by default for kiosk mode. Note: You can also disable the online update feature by setting the AUTO_UPDATE_ENABLED property to 0 when you install Horizon Client from the command line. For more information, see Install Horizon Client From the Command Line. This setting provides a temporary workaround for multi-monitor display problems encountered when using Horizon Client for Windows 2106 or later with unified communications (UC) applications such as Cisco WebEx and Zoom. This setting is enabled by default. If your UC vendor has not yet provided an application update that fixes the display problem, you can implement a temporary workaround by disabling this setting. 
Disabling this setting turns off the default windows hierarchy and causes windows to be displayed in relation to the bounding box of all monitors in a multi-monitor setup. For more information, see VMware Knowledge Base (KB) article 85400. Note: Use this workaround only as a temporary fix until you can install the updated version of the UC application that fixes the display problem permanently. After installing the updated UC application, turn on the default windows hierarchy again by enabling this setting from the GPO. When this setting is enabled, you can configure the following options: This setting is disabled by default. When this setting is enabled, you can configure the following options: This setting is disabled by default. When this setting is enabled, you can configure the following options. This setting is disabled by default. When this setting is enabled, you can configure the following options. This setting is disabled by default. When this setting is enabled, you can configure the following options. This setting is disabled by default. When this setting is disabled or not configured, the user can grab focus by clicking inside the remote desktop window. This setting is not configured by default. Configures a hot key combination to release input focus from a PCoIP or VMware Blast remote desktop session. The hot key consists of one or two modifier keys and one function key. When the Minimize the fullscreen virtual desktop after release input focus check box is selected, users can press any hot key that is configured to release input focus (for example, Ctrl+Shift+F5) to minimize the remote desktop window when the remote desktop is in full-screen mode. By default, Ctrl+Shift+F5 minimizes the remote desktop window when the desktop is in full-screen mode without any configuration. When this setting is disabled or not configured, the user can release focus by pressing Ctrl+Alt or clicking outside the remote desktop window. 
This setting is not configured by default. When this setting is enabled, and the display resolution or display scaling has been customized for a remote desktop, each time a user opens the remote desktop, the custom settings are applied automatically, regardless of the client device that the user uses to log in to the remote desktop. This setting is disabled by default. You can define USB policy settings for Horizon Agent and Horizon Client. On connection, Horizon Client downloads the USB policy settings from Horizon Agent and uses those settings, together with the Horizon Client USB policy settings, to determine which devices are available for redirection from the host machine. The following table describes each policy setting for splitting composite USB devices in the Horizon Client Configuration ADMX template file. The settings apply at the computer level. The settings from the GPO at the computer level take precedence over the registry at HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\USB. The settings appear in the folder in the Group Policy Management Editor. For more information about using policies to control USB redirection, see the Horizon Remote Desktop Features and GPOs document. Allow the automatic splitting of composite USB devices. The default value is undefined, which equates to false. Excludes a composite USB device specified by vendor and product IDs from splitting. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]... You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0781_pid-55** The default value is undefined. Treats the components of a composite USB device specified by vendor and product IDs as separate devices. The format of the setting is vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww ]) You can use the exintf keyword to exclude components from redirection by specifying their interface number. 
You must specify ID numbers in hexadecimal, and interface numbers in decimal including any leading zero. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0781_pid-554c(exintf:01;exintf:02) Note: Horizon does not automatically include the components that you have not explicitly excluded. You must specify a filter policy such as Include Vid/Pid Device to include those components. The default value is undefined. The following table describes the policy settings in the Horizon Client Configuration ADMX template file for filtering USB devices. The settings apply at the computer level. The settings from the GPO at the computer level take precedence over the registry at HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\USB. For more information about configuring filter policy settings for USB redirection, see the Horizon Remote Desktop Features and GPOs document. Allows audio input devices to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. Allows audio output devices to be redirected. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. Allows input devices other than keyboards or mice that are available at startup time (also known as hid-bootable devices) to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. Allows devices to be redirected even if the Horizon Client fails to get the config/device descriptors. To allow a device even if it fails the config/desc, include it in the Include filters, such as IncludeVidPid or IncludePath. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. 
Allows input devices other than hid-bootable devices or keyboards with integrated pointing devices to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. Allows keyboards with integrated pointing devices (such as a mouse, trackball, or touch pad) to be redirected. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. Allows smart-card devices to be redirected. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. Allows video devices to be redirected. The default value is undefined, which equates to true. This setting appears in the folder in the Group Policy Management Editor. Disables the use of agent settings when performing USB device filtering. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. Excludes all USB devices from being redirected. If set to true, you can use other policy settings to allow specific devices or families of devices to be redirected. If set to false, you can use other policy settings to prevent specific devices or families of devices from being redirected. If you set the value of Exclude All Devices to true on the agent, and this setting is passed to Horizon Client, the agent setting overrides the Horizon Client setting. The default value is undefined, which equates to false. This setting appears in the folder in the Group Policy Management Editor. For example: For example: Excludes families of devices from being redirected. The format of the setting is family_name_1[;family_name_2]... For example: bluetooth;smart-card If you have enabled automatic device splitting, Horizon examines the device family of each interface of a composite USB device to decide which interfaces are excluded. 
If you have disabled automatic device splitting, Horizon examines the device family of the whole composite USB device. The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. Excludes devices that have specific vendor and product IDs from being redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]... You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID. For example: vid-0781_pid-****;vid-0561_pid-554c The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. Excludes devices at specified hub or port paths from being redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]... You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths. For example: bus-1/2/3_port-02;bus-1/1/1/4_port-ff The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. Includes families of devices that can be redirected. The format of the setting is family_name_1[;family_name_2]... For example: storage The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. Includes devices at specified hub or port paths that can be redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]... You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths. For example: bus-1/2_port-02;bus-1/7/1/4_port-0f The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. Specifies USB devices that have a specified vendor and product ID that can be redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]... You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID. 
For example: vid-0561_pid-554c The default value is undefined. This setting appears in the folder in the Group Policy Management Editor. In a nested mode or double-hop scenario, a user connects from the physical client system to a remote desktop, starts Horizon Client inside the remote desktop (the nested session), and connects to another remote desktop. To make the device work as expected in the nested session, you must configure the USB policy settings in the same way on both the physical client machine and in the nested session. You can configure group policy settings for the Browser Redirection feature. The following table describes the Browser Redirection settings in the Horizon Client Configuration ADMX template file. All Browser Redirection settings are Computer Configuration settings. The settings appear in the folder in the Group Policy Management Editor. For information about agent-side Browser Redirection settings, see the Horizon Remote Desktop Features and GPOs document. This setting is enabled by default. This setting is disabled by default. Note: Disabling this setting does not clear the cache. If you disable and then re-enable this setting, the cache is reused. This setting is enabled by default. You can configure group policy settings for the VMware Integrated Printing feature. The following table describes the VMware Integrated Printing settings in the Horizon Client Configuration ADMX template file. The table shows whether the settings include both Computer Configuration and User Configuration settings, or only Computer Configuration settings. For the settings that include both types of settings, the User Configuration setting overrides the equivalent Computer Configuration setting. The settings appear in the folder in the Group Policy Management Editor. For information about agent-side VMware Integrated Printing settings, see the Horizon Remote Desktop Features and GPOs document.
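The Vid/Pid value formats described in the USB sections above (the include and exclude filter lists, and the composite-device split entry with exintf) are easy to mistype, and a malformed or overlapping entry is hard to spot in the Group Policy Management Editor. The following Python linter is an added example, not VMware code: it assumes four-character IDs as in the page's examples, and its function names, the fully wildcarded vendor ID heuristic, and the sample inventory are constructed for illustration.

```python
"""Lint Horizon Client USB Vid/Pid filter values before they go into a GPO."""
import re
from dataclasses import dataclass

# Assumption: each ID is exactly four characters, a hex digit or '*', as in
# the page's examples (vid-0781_pid-55**).
_ID = r"[0-9a-fA-F*]{4}"
_VIDPID_RE = re.compile(rf"vid-({_ID})_pid-({_ID})")
_SPLIT_RE = re.compile(rf"vid-({_ID})_pid-({_ID})\(([^()]*)\)")
_EXINTF_RE = re.compile(r"exintf:(\d+)")


def _fits(pattern: str, value: str) -> bool:
    """Compare a four-character pattern with a concrete ID; '*' is any digit."""
    value = value.lower()
    return len(value) == 4 and all(p in ("*", v) for p, v in zip(pattern, value))


@dataclass(frozen=True)
class VidPid:
    vid: str
    pid: str

    def matches(self, vid: str, pid: str) -> bool:
        """True if a concrete device ID pair fits this pattern."""
        return _fits(self.vid, vid) and _fits(self.pid, pid)

    def __str__(self) -> str:
        return f"vid-{self.vid}_pid-{self.pid}"


def parse_vidpid_list(value: str):
    """Parse 'vid-xxxx_pid-yyyy[;vid-xxxx_pid-yyyy]...' into (entries, errors)."""
    entries, errors = [], []
    if not value.strip():          # an undefined setting has nothing to lint
        return entries, errors
    for raw in value.split(";"):
        item = raw.strip()
        match = _VIDPID_RE.fullmatch(item)
        if match:
            entries.append(VidPid(match.group(1).lower(), match.group(2).lower()))
        else:
            errors.append(f"malformed entry: {item!r}")
    return entries, errors


def parse_split_entry(value: str):
    """Parse 'vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww])' into (VidPid, [ints])."""
    match = _SPLIT_RE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"malformed split entry: {value!r}")
    interfaces = []
    for part in match.group(3).split(";"):
        exintf = _EXINTF_RE.fullmatch(part.strip())
        if not exintf:
            raise ValueError(f"malformed exintf clause: {part!r}")
        interfaces.append(int(exintf.group(1)))  # decimal, leading zero allowed
    return VidPid(match.group(1).lower(), match.group(2).lower()), interfaces


def review_filters(include_value: str, exclude_value: str, inventory):
    """Check an include/exclude Vid/Pid pair against a device inventory.

    Reports syntax errors, include entries whose vendor ID is fully wildcarded
    (a review heuristic added here, not a Horizon rule), and devices matched by
    both lists. Which list wins is not decided here; overlaps are reported for
    a human to resolve.
    """
    include, inc_errors = parse_vidpid_list(include_value)
    exclude, exc_errors = parse_vidpid_list(exclude_value)
    report = {
        "errors": [f"include: {e}" for e in inc_errors]
        + [f"exclude: {e}" for e in exc_errors],
        "broad_includes": [str(e) for e in include if e.vid == "****"],
        "overlaps": [],
    }
    for vid, pid, label in inventory:
        inc_hits = [str(e) for e in include if e.matches(vid, pid)]
        exc_hits = [str(e) for e in exclude if e.matches(vid, pid)]
        if inc_hits and exc_hits:
            report["overlaps"].append((label, inc_hits, exc_hits))
    return report


# Constructed inventory for the demonstration; the labels are made up.
SAMPLE_INVENTORY = [
    ("0781", "554C", "flash drive (constructed)"),
    ("0561", "554c", "scanner (constructed)"),
    ("046d", "c52b", "receiver (constructed)"),
]

if __name__ == "__main__":
    result = review_filters(
        include_value="vid-0561_pid-554c;vid-****_pid-c52b;vid-0781_pid-55*",
        exclude_value="vid-0781_pid-****;vid-0561_pid-554c",
        inventory=SAMPLE_INVENTORY,
    )
    for key, findings in result.items():
        print(key, findings)
```
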
The PCoIP Client Session Variables ADMX template file (pcoip.client.admx) contains policy settings related to the PCoIP display protocol. You can configure computer default values that an administrator can override, or you can configure user settings that an administrator cannot override. The settings that can be overridden appear in the folder in the Group Policy Management Editor. The settings that cannot be overridden appear in the folder in the Group Policy Management Editor. The ADMX files are available in VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip, which you can download from the VMware Downloads site. Go to https://my.vmware.com/web/vmware/downloads. Look for Desktop & End-User Computing and under this category, select Download Product under VMware Horizon. Then select the appropriate Horizon version and click Go To Downloads. From here you can find the Horizon GPO Bundle that includes the VMware-Horizon-Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip file.