What is the preferred method to configure clients to use work folders?

Determines whether all the available USB devices on the client system are connected to the remote desktop or published application when the remote desktop or published application starts.

Determines whether USB devices are connected to the remote desktop or published application when the devices are plugged in to the client system.

Specifies the layout of the Horizon Client window that users see when they log into a remote desktop. The layout choices are as follows:

• Full Screen
• Multimonitor
• Window - Large
• Window - Small

This setting is available only when the DesktopName to select setting is also set.

After you enable this setting, remote desktop autofit functionality is disabled and the Allow Display Scaling option is hidden in the Horizon Client user interface.

Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory.

Determines whether Horizon Client error messages are hidden during login.

This setting applies only when the login process is fully scripted, for example, when all the required login information is prepopulated through group policy.

If the login fails because of incorrect login information, users are not notified and the Horizon Client process is terminated.

Determines how running published applications behave when users reconnect to a server. The choices are as follows:

• Ask to reconnect to open applications
• Reconnect automatically to open applications
• Do not ask and do not automatically reconnect

When this setting is enabled, end users cannot configure the published application reconnection behavior in Horizon Client.

When this setting is disabled, end users can configure published application reconnection behavior in Horizon Client. This setting is disabled by default.

When this setting is enabled, the Unauthenticated Access setting in Horizon Client is visible, disabled, and selected. The client can fall back to another authentication method if Unauthenticated Access is not available.

When this setting is disabled, users are always required to enter their credentials to log in and access their published applications. The Unauthenticated Access setting in Horizon Client is hidden and deselected.

Users can enable Unauthenticated Access in Horizon Client by default. The Unauthenticated Access setting is visible, enabled, and deselected.

If Unauthenticated Access is not used for a specific connection to a server, this setting is ignored. Users can select an account by default.

Determines whether a connection is added to the existing Horizon Client instance with which the user is already connected to the same server.

This setting is disabled by default when not configured.

This setting is enabled by default.

The equivalent Windows Registry value is AllowCmdLineCredentials.

When this setting is not configured (the default), users can change the SSL proxy setting in Horizon Client manually. See Setting the Certificate Checking Mode in Horizon Client.

By default, Horizon Client blocks SSL proxy connections for Blast Secure Gateway and secure tunnel connections.

Specifies the Connection Server instances that accept the user identity and credential information that is passed when a user selects Log in as current user in the Options menu on the Horizon Client menu bar. If you do not specify any Connection Server instances, all Connection Server instances accept this information, unless the Allow logon as current user authentication setting is disabled for the Connection Server instance in Horizon Console.

To add a Connection Server instance, use one of the following formats:

• domain\system$
• [email protected]
• The Service Principal Name (SPN) of the Connection Server service.

The equivalent Windows Registry value is BrokersTrustedForDelegation.

• No Security. No certificate checking occurs.
• Warn But Allow. If a certificate check fails because the server uses a self-signed certificate, users see a warning, which they can ignore. For self-signed certificates, the certificate name is not required to match the server name that users enter in Horizon Client.

  If any other certificate error condition occurs, Horizon Client shows an error and prevents users from connecting to the server.

  Warn But Allow is the default value.

• Full Security. If any type of certificate error occurs, users cannot connect to the server. Horizon Client displays certificate errors to the user.

When this setting is configured, users can view the selected certificate verification mode in Horizon Client, but cannot configure the setting. The certificate checking mode dialog box informs users that an administrator has locked the setting.

When this setting is disabled, Horizon Client users can select a certificate checking mode. This setting is disabled by default.

To allow a server to perform selecting of certificates provided by Horizon Client, the client must make HTTPS connections to the Connection Server or security server host. Certificate checking is not supported if you off-load TLS to an intermediate device that makes HTTP connections to the Connection Server or security server host.

If you do not want to configure this setting as a group policy, you can also enable certificate verification by adding the CertCheckMode value name to one of the following registry keys on the client computer:

• For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security
• For 64-bit Windows: HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware VDM\Client\Security

Use the following values in the registry key:

• 0 implements No Security.
• 1 implements Warn But Allow.
• 2 implements Full Security.

If you configure both the group policy setting and the CertCheckMode setting in the Windows Registry key, the group policy setting takes precedence over the registry key value.

Note: In a future Horizon Client release, using the Windows registry to configure this setting might not be supported and the group policy setting must be used.

Specifies the default value of Log in as current user in the Options menu on the Horizon Client menu bar.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When Log in as current user is selected in the Options menu, the identity and credential information that the user provided when logging in to the client system is passed to the Connection Server instance and ultimately to the remote desktop or published application. When Log in as current user is deselected, users must provide identity and credential information multiple times before they can access a remote desktop or published application.

This setting is disabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser.

Determines whether Log in as current user is visible in the Options menu on the Horizon Client menu bar.

When Log in as current user is visible, users can select or deselect it and override its default value. When Log in as current user is hidden, users cannot override its default value from the Horizon Client Options menu.

You can specify the default value for Log in as current user by using the policy setting Default value of the 'Log in as current user' checkbox.

This setting is enabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser_Display.

If Horizon Client is shared, you might not want users to see the names of recent desktops and published applications. You can disable the jump list by disabling this setting.

This setting is enabled by default.

The equivalent Windows Registry value is EnableJumplist.

• Enable: Enables TLS, but allows fallback to the previous unencrypted connection if the remote desktop does not have TLS support. For example, View 5.0 and earlier remote desktops do not have TLS support. Enable is the default setting.
• Disable: Disables TLS. This setting might be useful for debugging, or if the channel is not being tunneled and might potentially be optimized by a WAN accelerator product.
• Enforce: Enables TLS and refuses to connect to remote desktops that do not have TLS support .

The equivalent Windows Registry value is EnableTicketSSLAuth.

The default value is TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

This cipher string means that TLS v1.1 and TLS v1.2 are enabled and SSL v.2.0, SSL v3.0, and TLS v1.0 are disabled. SSL v2.0, SSL v3.0, and TLS v1.0 are no longer the approved protocols and are permanently disabled.

Cipher suites use ECDHE, ECDH, and RSA with 128-bit or 256-bit AES. GCM mode is preferred.

For more information, see http://www.openssl.org/docs/apps/ciphers.html.

The equivalent Windows Registry value is SSLCipherList.

The equivalent Windows Registry value is EnableSmartCardSSO.

This setting is disabled by default.

Note: When this setting is enabled, the client might only use a cached URL during server certificate verification. The types of cached URL information can be CRL Distribution Point (CDP) and Authority Information Access (OCSP and CA issuer access methods).

This setting is enabled by default.

When this setting is enabled, you can select Yes or No from the Allow fallback from Kerberos to NTLM drop-down menu.

• If you select Yes, NTLM authentication may be used any time that the client is unable to retrieve a Kerberos ticket for the server.
• If you select No, NTLM authentication is allowed only for servers listed in the Always use NTLM servers group policy setting.

When this setting is not configured, NTLM authentication is allowed for the servers listed in the Always use NTLM servers group policy setting.

To use NTLM authentication, the server SSL certificate must be valid and Windows policies must not restrict the use of NTLM.

For information about configuring fallback from Kerberos to NTLM in a Connection Server instance, see "Using the Log In as Current User Feature Available with Windows-Based Horizon Client" in the document.

Determines whether audio information played on the remote desktop is redirected. Select one of the following settings:

• Disable Audio: Audio is disabled.
• Play in VM (needed for VoIP USB Support): Audio plays within the remote desktop. This setting requires a shared USB audio device to provide sound on the client.
• Redirect to client: Audio is redirected to the client. This setting is the default mode.

This setting applies only to RDP audio. Audio that is redirected through MMR plays in the client.

Determines whether the default audio input device is redirected from the client to the remote session. When this setting is enabled, the audio recording device on the client appears in the remote desktop and can record audio input.

The default setting is disabled.

Separate versions of this setting are provided for the following unit and bpp combinations:

• MB/8bpp
• MB/16bpp
• MB/24bpp
• MB/32bpp

When this setting is enabled, enter a size in kilobytes.

Specifies the color depth of the remote desktop. Select one of the available settings:

• 8 bit
• 15 bit
• 16 bit
• 24 bit
• 32 bit

Determines whether desktop composition is enabled on the remote desktop.

When desktop composition is enabled, individual windows no longer draw directly to the screen or primary display device as they did in previous versions of Microsoft Windows. Instead, drawing is redirected to off-screen surfaces in video memory, which are then rendered into a desktop image and presented on the display.

Enabling this setting, or leaving it unconfigured, allows data on the redirected drive on the remote desktop to be copied to the drive on the client computer. Disable this setting if allowing data to pass from the remote desktop to users' client computers represents a potential security risk in your deployment. Another approach is to disable folder redirection in the remote desktop virtual machine by enabling the Microsoft Windows group policy setting, Do not allow drive redirection.

The Redirect drives setting applies to RDP only.

Note: This setting applies to both RDP and PCoIP connections.

This setting lets you send key combinations to the remote virtual machine or apply key combinations locally.

Key combinations are applied locally by default.

• Both the client and guest operating systems support NLA.
• Direct client connections are enabled for the Connection Server instance. Tunneled connections are not supported with NLA.

When this setting enabled, VMware Blast can connect through a proxy server.

When this setting is disabled, VMware Blast cannot use a proxy server.

When this setting is not configured (the default), users can configure whether VMware Blast connections can use a proxy server in the Horizon Client user interface. See Configure VMware Blast Options.

When this setting is disabled, the data sharing mode setting in the Horizon Client user interface is set to Off and end users cannot change the setting.

When this setting is not configured (the default), end users can change the data sharing mode setting in the Horizon Client user interface.

When this setting is enabled, the display scaling feature is enabled for all remote desktops and published applications.

When this setting is disabled, the display scaling feature is disabled for all remote desktops and published applications.

If this setting is not configured (the default setting), end users can enable and disable display scaling in the Horizon Client user interface.

You can also hide the display scaling preference in the Horizon Client user interface by enabling the Locked Guest Size group policy setting.

When this setting is enabled, H.264 decoding becomes the preferred option.

When this setting is disabled, H.264 decoding is never used.

When this setting is not configured, users can choose whether to enable H.264 decoding. See Configure VMware Blast Options.

This setting takes effect only if H.264 decoding is enabled.

When this setting is not configured, users can choose whether to enable high-color accuracy mode. See Configure VMware Blast Options.

When this setting is enabled, HEVC decoding becomes the preferred option.

When this setting is disabled, HEVC decoding is never used.

When this setting is not configured, users can choose whether to enable HEVC decoding. See Configure VMware Blast Options.

When this setting is enabled, shortcuts are installed on client machines. Users are not prompted to install the shortcuts.

When this setting is disabled, shortcuts are never installed on client machines. Users are not prompted to install the shortcuts.

Users are prompted to install the shortcuts by default.

When this setting is disabled, the lock key toggle states are synchronized from the remote desktop to the client device. In Horizon Client, the Automatically synchronize the keypad, scroll and cap lock keys setting check box is deselected and the setting is dimmed.

When this setting is either enabled or disabled, users cannot modify the Automatically synchronize the keypad, scroll and cap lock keys setting in Horizon Client.

When this setting is not configured, a user can enable or disable lock key synchronization for a remote desktop by configuring the Automatically synchronize the keypad, scroll and cap lock keys setting in Horizon Client. See Configure Lock Key Synchronization.

This setting is not configured by default.

When this setting is enabled, Horizon Client runs in single-instance mode and a user cannot start multiple Horizon Client instances in a Windows session.

When this setting is disabled, a user can start multiple Horizon Client instances in a Windows session. This setting is disabled by default.

Coalescing mouse movement events can reduce client-to-agent bandwidth use, but can potentially add minor latency to mouse movement.

This setting is disabled by default.

When this setting is enabled, you specify the full path to the file that contains the custom help text in the text box provided, for example, C:\myDocs\errorFooter.txt.

This setting is disabled by default.

When this setting is enabled, all client drive redirection functionality is disabled in Horizon Client, including the ability to open local files with published applications. In addition, the following elements are hidden in the Horizon Client user interface:

• Sharing panel in the Settings dialog box.
• Share Folders item in the Option menu in a remote desktop.
• Sharing item for Horizon Client in the system tray.
• Sharing dialog box that appears the first time you connect to a remote desktop or application after you connect to a server.

When this setting is disabled, the client drive redirection feature is fully functional. This setting is disabled by default.

Enable this setting if you do not want the user to see toast notifications in the corner of the screen.

Note: If you enable this setting, the user does not see a five-minute warning when the Session Timeout function is active.

When this setting is not configured (the default setting), the end user must use the mouse to ungrab the remote desktop and then press the Windows logo key + P to select a presentation display mode.

This setting does not apply to published application sessions.

When this setting is enabled, Horizon Client does not register any file extension handlers and does not allow the user to override the setting.

When this setting is disabled, Horizon Client always registers file extension handlers. By default, file extension handlers are registered, but users can disable the feature in the Horizon Client user interface by using the Turn on the ability to open a local file with a remote application from the local file system setting on the Sharing panel in the Settings dialog box. For more information, see Share Local Folders and Drives.

This setting is disabled by default.

Determines whether multimedia redirection (MMR) is enabled on the client.

MMR does not work correctly if the Horizon Client video display hardware does not have overlay support.

Note: The shade menu bar is disabled by default for kiosk mode.

Note: You can also disable the online update feature by setting the AUTO_UPDATE_ENABLED property to 0 when you install Horizon Client from the command line. For more information, see Install Horizon Client From the Command Line.

This setting provides a temporary workaround for multi-monitor display problems encountered when using Horizon Client for Windows 2106 or later with unified communications (UC) applications such as Cisco WebEx and Zoom. This setting is enabled by default.

If your UC vendor has not yet provided an application update that fixes the display problem, you can implement a temporary workaround by disabling this setting. Disabling this setting turns off the default windows hierarchy and causes windows to be displayed in relation to the bounding box of all monitors in a multi-monitor setup. For more information, see VMware Knowledge Base (KB) article 85400.

Note: Use this workaround only as a temporary fix until you can install the updated version of the UC application that fixes the display problem permanently. After installing the updated UC application, turn on the default windows hierarchy again by enabling this setting from the GPO.

When this setting is enabled, you can configure the following options:

• Hide Settings -- Select Yes to hide the Settings item in the context menu.
• Hide Create Shortcut to Desktop -- Select Yes to hide the Create Shortcut to Desktop item in the context menu.
• Hide Add to Start Menu -- Select Yes to hide the Add to Start Menu item in the context menu.
• Hide Mark as Favorite -- Select Yes to hide the Mark as Favorite item in the context menu.

This setting is disabled by default.

When this setting is enabled, you can configure the following options:

• Hide Reset Desktop -- Select Yes to hide the Reset Desktop item in the context menu.
• Hide Restart Desktop -- Select Yes to hide the Restart Desktop item in the context menu.
• Hide Display -- Select Yes to hide the Display item in the context menu.
• Hide Settings -- Select Yes to hide the Settings item in the context menu.
• Hide Create Shortcut to Desktop -- Select Yes to hide the Create Shortcut to Desktop item in the context menu.
• Hide Add to Start Menu -- Select Yes to hide the Add to Start Menu item in the context menu.
• Hide Mark as Favorite -- Select Yes to hide the Mark as Favorite item in the context menu.

This setting is disabled by default.

When this setting is enabled, you can configure the following options.

• Hide Help -- Select Yes to hide the Help item in the Options menu.
• Hide Reset Desktop -- Select Yes to hide the Reset Desktop item from the Options menu.
• Hide Restart Desktop -- Select Yes to hide the Restart Desktop item from the Options menu.
• Hide Connect USB Device -- Select Yes to hide the Connect USB Device menu on the menu bar.

This setting is disabled by default.

When this setting is enabled, you can configure the following options.

• Hide Settings -- Select Yes to hide the Horizon Client Settings item.

This setting is disabled by default.

When this setting is enabled, you can configure the following options.

• Hide Favorites Toggle -- Select Yes to hide the Show Favorites (star) icon.
• Hide Settings Gear -- Select Yes to hide the Settings (gear) icon.

This setting is disabled by default.

When this setting is disabled or not configured, the user can grab focus by clicking inside the remote desktop window. This setting is not configured by default.

Configures a hot key combination to release input focus from a PCoIP or VMware Blast remote desktop session. The hot key consists of one or two modifier keys and one function key.

When the Minimize the fullscreen virtual desktop after release input focus check box is selected, users can press any hot key that is configured to release input focus (for example, Ctrl+Shift+F5) to minimize the remote desktop window when the remote desktop is in full-screen mode. By default, Ctrl+Shift+F5 minimizes the remote desktop window when the desktop is in full-screen mode without any configuration.

When this setting is disabled or not configured, the user can release focus by pressing Ctrl+Alt or clicking outside the remote desktop window.

This setting is not configured by default.

When this setting is enabled, and the display resolution or display scaling has been customized for a remote desktop, each time a user opens the remote desktop, the custom settings are applied automatically, regardless of the client device that the user uses to log in to the remote desktop.

This setting is disabled by default.

Allow the automatic splitting of composite USB devices.

The default value is undefined, which equates to false.

Excludes a composite USB device specified by vendor and product IDs from splitting. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]...

You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0781_pid-55**

The default value is undefined.

Treats the components of a composite USB device specified by vendor and product IDs as separate devices. The format of the setting is

vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww ])

You can use the exintf keyword to exclude components from redirection by specifying their interface number. You must specify ID numbers in hexadecimal, and interface numbers in decimal including any leading zero. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0781_pid-554c(exintf:01;exintf:02)

Note: Horizon does not automatically include the components that you have not explicitly excluded. You must specify a filter policy such as Include Vid/Pid Device to include those components.

The default value is undefined.

Allows audio input devices to be redirected.

The default value is undefined, which equates to true.

This setting appears in the folder in the Group Policy Management Editor.

Allows audio output devices to be redirected.

The default value is undefined, which equates to false.

This setting appears in the folder in the Group Policy Management Editor.

Allows input devices other than keyboards or mice that are available at startup time (also known as hid-bootable devices) to be redirected.

The default value is undefined, which equates to true.

This setting appears in the folder in the Group Policy Management Editor.

Allows devices to be redirected even if the Horizon Client fails to get the config/device descriptors.

To allow a device even if it fails the config/desc, include it in the Include filters, such IncludeVidPid or IncludePath.

The default value is undefined, which equates to false.

This setting appears in the folder in the Group Policy Management Editor.

Allows input devices other than hid-bootable devices or keyboards with integrated pointing devices to be redirected.

The default value is undefined, which equates to true.

This setting appears in the folder in the Group Policy Management Editor.

Allows keyboards with integrated pointing devices (such as a mouse, trackball, or touch pad) to be redirected.

The default value is undefined, which equates to false.

This setting appears in the folder in the Group Policy Management Editor.

Allows smart-card devices to be redirected.

The default value is undefined, which equates to false.

This setting appears in the folder in the Group Policy Management Editor.

Allows video devices to be redirected.

The default value is undefined, which equates to true.

This setting appears in the folder in the Group Policy Management Editor.

Disables the use of agent settings when performing USB device filtering.

The default value is undefined, which equates to false.

This setting appears in the folder in the Group Policy Management Editor.

Excludes all USB devices from being redirected. If set to true, you can use other policy settings to allow specific devices or families of devices to be redirected. If set to false, you can use other policy settings to prevent specific devices or families of devices from being redirected.

If you set the value of Exclude All Devices to true on the agent, and this setting is passed to Horizon Client, the agent setting overrides the Horizon Client setting.

The default value is undefined, which equates to false.

This setting appears in the folder in the Group Policy Management Editor.

For example:

For example:

Excludes families of devices from being redirected. The format of the setting is family_name_1[;family_name_2]...

For example: bluetooth;smart-card

If you have enabled automatic device splitting, Horizon examines the device family of each interface of a composite USB device to decide which interfaces are excluded. If you have disabled automatic device splitting, Horizon examines the device family of the whole composite USB device.

The default value is undefined.

This setting appears in the folder in the Group Policy Management Editor.

Excludes devices that have specific vendor and product IDs from being redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]...

You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0781_pid-****;vid-0561_pid-554c

The default value is undefined.

This setting appears in the folder in the Group Policy Management Editor.

Exclude devices at specified hub or port paths from being redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]...

You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths.

For example: bus-1/2/3_port-02;bus-1/1/1/4_port-ff

The default value is undefined.

This setting appears in the folder in the Group Policy Management Editor.

Includes families of devices that can be redirected. The format of the setting is family_name_1[;family_name_2]...

For example: storage

The default value is undefined.

This setting appears in the folder in the Group Policy Management Editor.

Include devices at a specified hub or port paths that can be redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]...

You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths.

For example: bus-1/2_port-02;bus-1/7/1/4_port-0f

The default value is undefined.

This setting appears in the folder in the Group Policy Management Editor.

Specifies USB devices that have a specified vendor and product ID that can be redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]...

You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0561_pid-554c

The default value is undefined.

This setting appears in the folder in the Group Policy Management Editor.

This setting is enabled by default.

This setting is disabled by default.

Note: Disabling this setting does not clear the cache. If you disable and then re-enable this setting, the cache is reused.

This setting is enabled by default.

When this setting is enabled, no client printers are redirected. When this setting is disabled or not configured, all client printers are redirected.

This setting is not configured by default.

VMware supports running Horizon Client inside a remote desktop. This configuration, commonly called nested mode, involves three layers and two hops, as follows:

• L0 (endpoint) - physical machine where Horizon Client is installed.
• L1 (first-hop remote desktop) - the remote desktop where both Horizon Client and Horizon Agent are installed.
• L2 (second-hop published desktop or published application) - the published desktop or published application to which the second-hop client connects.

When this setting is enabled, the L1 local printers are redirected to the inner session. When this setting is not configured or disabled, the L1 local printers are not redirected to the inner session.

This setting is not configured by default.

When this setting is disabled, PCoIP uses a default client image cache size of 250 MB.

When you enable this setting, you can configure a client image cache size from a minimum of 50 MB to a maximum of 300 MB. The default value is 250 MB.

This setting is disabled by default.

The log file cleanup is performed once, when the session starts. Any change to the setting is not applied until the next session.

Sets the PCoIP event log verbosity. The values range from 0 (least verbose) to 3 (most verbose).

When this setting is enabled, you can set the verbosity level from 0 to 3. When the setting is disabled, the default event log verbosity level is 2. This setting is disabled by default.

When this setting is modified during an active PCoIP session, the new setting takes effect immediately.

Selecting one of the check boxes disables the associated encryption algorithm. You must enable at least one algorithm.

This setting applies to both agent and client. The endpoints negotiate the actual session encryption algorithm that is used. If FIPS140-2 approved mode is enabled, the Disable AES-128-GCM encryption value is overridden if both AES-128-GCM encryption and AES-256-GCM encryption are disabled.

If the Configure SSL Connections setting is disabled, both the Salsa20-256round12 and AES-128-GCM algorithms are available for negotiation by this endpoint. This setting is disabled by default.

Supported encryption algorithms, in order of preference, are SALSA20/12-256, AES-GCM-128, and AES-GCM-256. By default, all supported encryption algorithms are available for negotiation by this endpoint.

Virtual channels that are used in PCoIP sessions must appear on the virtual channel authorization list. Virtual channels that appear in the unauthorized virtual channel list cannot be used in PCoIP sessions.

You can specify a maximum of 15 virtual channels for use in PCoIP sessions.

Separate multiple channel names with the vertical bar (|) character. For example, the virtual channel authorization string to allow the mksvchan and vdp_rdpvcbridge virtual channels is mksvchan|vdp_rdpvcbridge.

If a channel name contains the vertical bar or backslash (\) character, insert a backslash character before it. For example, type the channel name awk|ward\channel as awk\|ward\\channel.

When the authorized virtual channel list is empty, all virtual channels are disallowed. When the unauthorized virtual channel list is empty, all virtual channels are allowed.

The virtual channels setting applies to both agent and client. Virtual channels must be enabled on both agent and client for virtual channels to be used.

The virtual channels setting provides a separate check box that allows you to disable remote clipboard processing on the PCoIP host. This value applies to the agent only.

By default, all virtual channels are enabled, including clipboard processing.

Configures a TLS/SSL cipher list to restrict the use of cipher suites before establishing an encrypted TLS/SSL connection. The list consists of one or more cipher suite strings separated by colons. All cipher suite strings are case insensitive.

The default value is ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:@STRENGTH.

If this setting is configured, the Enforce AES-256 or stronger ciphers for SSL connection negotiation check box in the Configure SSL connections to satisfy Security Tools setting is ignored.

This setting must be applied to both the PCoIP server and the PCoIP client.

1. Store the certificate for the Certificate Authority that signed any Server certificate to be used with PCoIP in the Trusted Root certificate store.
2. Configure the agent to load certificates only from the Certificate Store. If the Personal store for the Local Machine is used, leave the CA Certificate store name unchanged with the value ROOT, unless a different store location was used in step 1.

If this setting is disabled, the AES-128 cipher suite is not available and the endpoint uses Certification Authority certificates from the machine account's MY store and Certification Authority certificates from the ROOT store. This setting is disabled by default.

The default value is TLS1.1:TLS1.2, which means that TLS v1.1 and TLS v1.2 are enabled and SSL v2.0, SSLv3.0, and TLS v1.0 are disabled.

If this setting is set in both the client and the agent, the OpenSSL protocol negotiation rule is followed.

The range spans from the base port to the sum of the base port and port range. For example, if the base port is 50002 and the port range is 64, the range spans from 50002 to 50066.

This setting applies to the client only.

By default, the base port is 50002 and the port range is 64.

Set this value to the overall capacity of the link to which your endpoint is connected, considering the number of expected concurrent PCoIP sessions. For example, with a single-user VDI configuration (a single PCoIP session) that connects through a 4Mbit/s Internet connection, set this value to 4Mbit, or 10% less than this value to leave some allowance for other network traffic. When you expect multiple concurrent PCoIP sessions to share a link, comprising either multiple VDI users or an RDS configuration, you might want to adjust the setting accordingly. However, lowering this value will restrict the maximum bandwidth for each active session.

Setting this value prevents the agent from attempting to transmit at a higher rate than the link capacity, which would cause excessive packet loss and a poorer user experience. This value is symmetric. It forces the client and agent to use the lower of the two values that are set on the client and agent side. For example, setting a 4 Mbit/s maximum bandwidth forces the agent to transmit at a lower rate, even though the setting is configured on the client.

When this setting is disabled on an endpoint, the endpoint imposes no bandwidth constraints. When this setting is enabled, the setting is used as the endpoint's maximum bandwidth constraint in kilobits per second.

The default value is 900000 kilobits per second.

This setting applies to the agent and the client. If the two endpoints have different settings, the lower value is used.

This setting configures the minimum expected bandwidth transmission rate for the endpoint. When you use this setting to reserve bandwidth for an endpoint, the user does not have to wait for bandwidth to become available, which improves session responsiveness.

Make sure that you do not over-subscribe the total reserved bandwidth for all endpoints. Make sure that the sum of bandwidth floors for all connections in your configuration does not exceed the network capability.

The default value is 0, which means that no minimum bandwidth is reserved. When this setting is disabled, no minimum bandwidth is reserved. This setting is disabled by default.

This setting applies to the agent and the client, but the setting only affects the endpoint on which it is configured.

When this setting is modified during an active PCoIP session, the change takes effect immediately.

The MTU size includes IP and UDP packet headers. TCP uses the standard MTU discovery mechanism to set MTU and this setting does not affect it.

The maximum MTU size is 1500 bytes. The minimum MTU size is 500 bytes. The default value is 1300 bytes.

Typically, you do not have to change the MTU size. Change this value if you have an unusual network setup that causes PCoIP packet fragmentation.

This setting applies to the agent and the client. If the two endpoints have different MTU size settings, the lowest size is used.

If this setting is disabled or not configured, the client uses the default value in the negotiation with the agent.

The PCoIP transport header is a 32-bit header that is added to all PCoIP UDP packets (only if the transport header is enabled and both side support it). The PCoIP transport header allows network devices to make better prioritization/QoS decisions when dealing with network congestion. The transport header is enabled by default.

The transport session priority determines the PCoIP session priority reported in the PCoIP transport header. Network devices make better prioritization/QoS decisions based on the specified transport session priority.

When the Configure the PCoIP transport header setting is enabled, the following transport session priorities are available:

• High
• Medium (default value)
• Low
• Undefined

The PCoIP agent and client negotiate the transport session priority value. If the PCoIP agent specifies a transport session priority value, the session uses the agent-specified session priority. If only the client has specified a transport session priority, the session uses the client-specified session priority. If neither agent nor client has specified a transport session priority, or Undefined Priority is specified, the session uses the default value, Medium priority.