These things are put in paragraphs inside bullet items so they are easier to see. You can then conref the paragraphs inside table cells if need be.

Windows virtual desktops are single-session virtual machines.

This version of Horizon Client works with Windows virtual desktops that have Horizon Agent 7.5 or later installed. Supported guest operating systems include Windows 7, Windows 8.x, Windows 10, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, with the following limitations:

Windows Server 2019 virtual desktops require Horizon Agent 7.7 or later.

Windows 7 and Windows 8.x virtual desktops are not supported with Horizon Agent 2006 and later.

RDS hosts are server computers that have Windows Remote Desktop Services and Horizon Agent installed. Multiple users can have published desktop sessions on an RDS host simultaneously. An RDS host can be either a physical machine or a virtual machine.

This version of Horizon Client works with RDS hosts that have Horizon Agent 7.5 or later installed. Supported guest operating systems include Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, with the following limitations:

Windows Server 2019 RDS hosts require Horizon Agent 7.7 or later.

Windows Server 2012 RDS hosts are not supported with Horizon Agent 2006 and later.

For a list of supported Linux guest operating systems and information about supported features, see the Setting Up Linux Desktops in Horizon document.

RDS hosts are server computers that have Windows Remote Desktop Services and Horizon Agent installed. Multiple users can have remote desktop sessions on an RDS host simultaneously. An RDS host can be either a physical machine or a virtual machine.

Table 1. Features Supported for RDS Hosts

| Feature | Windows Server 2012 and Windows Server 2012 R2 RDS Host | Windows Server 2016 RDS Host | Windows Server 2019 RDS Host |
| --- | --- | --- | --- |
| RSA SecurID or RADIUS | X | X | X |
| Smart cards | X | X | X |
| Single sign-on | X | X | X |
| PCoIP display protocol | X | X | X |
| VMware Blast display protocol | X | X | X |
| HTML Access | X | X | X |
| USB redirection | X | X | X |
| Client drive redirection | X | X | X |
| VMware Integrated Printing and location-based printing | X | X | X |
| Multiple monitors | X | X | X |
| Real-Time Audio-Video (RTAV) | X | X | X |

With the VMware Blast display protocol or the PCoIP display protocol, a remote desktop screen resolution of 4K (3840 x 2160) is supported. The number of 4K displays that are supported depends on the hardware version of the desktop virtual machine and the Windows version.

| Hardware Version | Windows Version | Number of 4K Displays Supported |
| --- | --- | --- |
| 10 (ESXi 5.5.x compatible) | 7, 8, 8.x, 10 | 1 |
| 11 (ESXi 6.0 compatible) | 7 (3D rendering feature disabled and Windows Aero disabled) | 3 |
| 11 | 7 (3D rendering feature enabled) | 1 |
| 11 | 8, 8.x, 10 | 1 |
| 13 or 14 | 7, 8, 8.x, 10 (3D rendering feature enabled) | 1 |
| 13 or 14 | 7, 8, 8.x, 10 | 4 |

Table 2. Horizon Client Configuration Template: Security Settings

Setting

Description

Allow command line credentials

(Computer Configuration setting)

Determines whether user credentials can be provided with Horizon Client command line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line.

This setting is enabled by default.

The equivalent Windows Registry value is AllowCmdLineCredentials.

Servers Trusted For Delegation

(Computer Configuration setting)

Specifies the Connection Server instances that accept the user identity and credential information that is passed when a user selects the Log in as current user check box. If you do not specify any Connection Server instances, all Connection Server instances accept this information.

To add a Connection Server instance, use one of the following formats:

domain\system$

system$@domain.com

The Service Principal Name (SPN) of the Connection Server service.

The equivalent Windows Registry value is BrokersTrustedForDelegation.

Certificate verification mode

(Computer Configuration setting)

Configures the level of certificate checking that is performed by Horizon Client. You can select one of these modes:

No Security. No certificate checking.

Warn But Allow. A warning appears if the Connection Server host presents a self-signed certificate, but the user can continue to connect to Connection Server. The certificate name does not need to match the Connection Server name provided by the user in Horizon Client. If any other certificate error condition occurs, an error dialog box appears and prevents the user from connecting to Connection Server. Warn But Allow is the default value.

Full Security. If any type of certificate error occurs, the user cannot connect to Connection Server. The user sees certificate errors.

When this group policy setting is configured, users can view the selected certificate verification mode in Horizon Client, but they cannot configure the setting. The SSL configuration dialog box informs users that the administrator has locked the setting.

When this setting is not configured or disabled, Horizon Client users can select a certificate verification mode.

If you do not want to configure the certificate verification setting as a group policy, you can also enable certificate verification by modifying Windows registry settings.

Default value of the 'Log in as current user' checkbox

(Computer and User Configuration setting)

Specifies the default value of the Log in as current user check box on the Horizon Client connection dialog box.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When the Log in as current user check box is selected, the identity and credential information that the user provided when logging in to the client system is passed to the Connection Server instance and ultimately to the remote desktop. When the check box is deselected, users must provide identity and credential information multiple times before they can access a remote desktop.

This setting is disabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser.

Display option to Log in as current user

(Computer and User Configuration setting)

Determines whether the Log in as current user check box is visible on the Horizon Client connection dialog box.

When the check box is visible, users can select or deselect it and override its default value. When the check box is hidden, users cannot override its default value from the Horizon Client connection dialog box.

You can specify the default value for the Log in as current user check box by using the policy setting Default value of the 'Log in as current user' checkbox.

This setting is enabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser_Display.

Enable jump list integration

(Computer Configuration setting)

Determines whether a jump list appears in the Horizon Client icon on the taskbar of Windows 7 and later systems. The jump list lets users connect to recent Connection Server instances and remote desktops.

If Horizon Client is shared, you might not want users to see the names of recent desktops. You can disable the jump list by disabling this setting.

This setting is enabled by default.

The equivalent Windows Registry value is EnableJumplist.

Enable SSL encrypted framework channel

(Computer and User Configuration setting)

Determines whether to enable the SSL encrypted framework channel.

Enable: Enables SSL, but allows fallback to the previous unencrypted connection if the remote desktop does not have SSL support.

Disable: Disables SSL. This setting is not recommended but might be useful for debugging or if the channel is not being tunneled and could potentially then be optimized by a WAN accelerator product.

Enforce: Enables SSL, and refuses to connect to desktops with no SSL support.

The equivalent Windows Registry value is EnableTicketSSLAuth.

Configures SSL protocols and cryptographic algorithms

(Computer and User Configuration setting)

Configures the cipher list to restrict the use of certain cryptographic algorithms and protocols before establishing an encrypted SSL connection. The cipher list consists of one or more cipher strings separated by colons.

The default value for Horizon Client is TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES.

Note

All cipher strings are case-sensitive.

Cipher suites use 128- or 256-bit AES, remove anonymous DH algorithms, and then sort the current cipher list in order of encryption algorithm key length.

You can search for openssl cipher string in a web browser and see the cipher list format.

The equivalent Windows Registry value is SSLCipherList.

If you do not want to configure this setting as a group policy, you can also enable it by adding the SSLCipherList value name to one of the following registry keys on the client computer:

For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware VDM\Client\Security

For 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware,Inc.\VMware VDM\Client\Security
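As an added example (not part of the original documentation or of Horizon itself), the following Python sketch compares a configured SSLCipherList value with the default quoted above and reports drift, including entries that differ only in case. The function names and severity labels are assumptions made for this example; the registry paths and the value name are the ones given on this page.

```python
# Documented default for Horizon Client, copied from this page.
DEFAULT_CIPHER_LIST = (
    "TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:"
    "kECDH+AES:ECDH+AES:RSA+AES"
)

# Registry locations quoted on this page (32-bit Windows, then 64-bit Windows).
SECURITY_KEYS = (
    r"Software\VMware,Inc.\VMware VDM\Client\Security",
    r"SOFTWARE\Wow6432Node\VMware,Inc.\VMware VDM\Client\Security",
)


def read_configured_value():
    """Return SSLCipherList from the first key that holds it, else None.

    Windows only: winreg is imported here so the audit logic runs anywhere.
    """
    import winreg
    for path in SECURITY_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, "SSLCipherList")[0]
        except OSError:
            continue  # key or value not present, try the next location
    return None


def audit_cipher_list(value, baseline=DEFAULT_CIPHER_LIST):
    """Return (severity, message) findings for a colon-separated cipher list."""
    base = baseline.split(":")
    folded = {tok.lower(): tok for tok in base}
    tokens = value.split(":")
    findings = []
    for tok in tokens:
        if tok == "" or tok != tok.strip():
            findings.append(("error", f"empty or space-padded entry {tok!r}"))
        elif tok in base:
            continue
        elif tok.lower() in folded:
            # Cipher strings are case-sensitive, so this is not the same entry.
            findings.append(
                ("error", f"{tok!r} differs only in case from {folded[tok.lower()]!r}"))
        else:
            findings.append(("review", f"{tok!r} is not in the documented default"))
    if "!aNULL" not in tokens:
        findings.append(
            ("error", "'!aNULL' is missing, so anonymous suites are no longer excluded"))
    for tok in base:
        if tok != "!aNULL" and tok not in tokens:
            findings.append(("info", f"default entry {tok!r} was removed"))
    return findings


if __name__ == "__main__":
    # Constructed value containing a case error and an entry outside the default.
    for severity, message in audit_cipher_list("TLSv1.2:!anull:ECDH+AESGCM:RC4-SHA"):
        print(f"{severity:6} {message}")
```

On a client, pass the result of read_configured_value() to audit_cipher_list() when it is not None.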

Enable Single Sign-On for smart card authentication

(Computer Configuration setting)

Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog.

The equivalent Windows Registry value is EnableSmartCardSSO.

This setting is enabled by default.

This setting is disabled by default.

AllowDirectRDP

Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is disabled, the agent permits only Horizon-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an Access is denied error.

Important

The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

AllowSingleSignon

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made.

No list is specified by default.

CommandsToRunOnConnect

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

CommandsToRunOnDisconnect

Specifies a list of commands or command scripts to be run when a session is disconnected.

CommandsToRunOnReconnect

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

ConnectionTicketTimeout

Specifies the amount of time in seconds that the Horizon connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

CredentialFilterExceptions

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

Connect all USB devices to the desktop on launch

Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched.

Connect all USB devices to the desktop when they are plugged in

Determines whether USB devices are connected to the desktop when they are plugged in to the client system.

Logon Password

Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory.

viewusb.AllowAutoDeviceSplitting

Allow Auto Device Splitting

Allow the automatic splitting of composite USB devices.

The default value is undefined, which equates to false.

viewusb.SplitExcludeVidPid

Exclude Vid/Pid Device From Split

Excludes a composite USB device specified by vendor and product IDs from splitting. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]...

You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0781_pid-55**

The default value is undefined.

viewusb.SplitVidPid

Split Vid/Pid Device

Treats the components of a composite USB device specified by vendor and product IDs as separate devices. The format of the setting is

vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww ])

You can use the exintf keyword to exclude components from redirection by specifying their interface number. You must specify ID numbers in hexadecimal, and interface numbers in decimal including any leading zero. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0781_pid-554c(exintf:01;exintf:02)

Note

Horizon does not automatically include the components that you have not explicitly excluded. You must specify a filter policy such as Include Vid/Pid Device to include those components.

The default value is undefined.

viewusb.AllowAudioIn

Allow Audio Input Devices

Allows audio input devices to be redirected.

The default value is undefined, which equates to true.

viewusb.AllowAudioOut

Allow Audio Output Devices

Allows audio output devices to be redirected.

The default value is undefined, which equates to false.

viewusb.AllowHID

Allows input devices other than keyboards or mice to be redirected.

The default value is undefined, which equates to true.

viewusb.AllowHIDBootable

Allow HIDBootable

Allows input devices other than keyboards or mice that are available at boot time (also known as hid-bootable devices) to be redirected.

The default value is undefined, which equates to true.

viewusb.AllowDevDescFailsafe

Allow Device Descriptor Failsafe

Allows devices to be redirected even if the Horizon client fails to get the config/device descriptors.

To allow a device even if it fails the config/desc, include it in the Include filters, such as IncludeVidPid or IncludePath.

The default value is undefined, which equates to false.

Allow Other Input Devices

Allows input devices other than hid-bootable devices or keyboards with integrated pointing devices to be redirected.

The default value is undefined, which equates to true.

viewusb.AllowKeyboardMouse

Allow Keyboard and Mouse Devices

Allows keyboards with integrated pointing devices (such as a mouse, trackball, or touch pad) to be redirected.

The default value is undefined, which equates to false.

viewusb.AllowSmartcard

Allow Smart Cards

Allows smart-card devices to be redirected.

The default value is undefined, which equates to false.

viewusb.AllowVideo

Allow Video Devices

Allows video devices to be redirected.

The default value is undefined, which equates to true.

viewusb.DisableRemoteConfig

Disable Remote Configuration Download

Disables the use of the agent settings when performing USB device filtering.

The default value is undefined, which equates to false.

viewusb.ExcludeAllDevices

Exclude All Devices

Excludes all USB devices from being redirected. If set to true, you can use other policy settings to allow specific devices or families of devices to be redirected. If set to false, you can use other policy settings to prevent specific devices or families of devices from being redirected.

If you set the value of Exclude All Devices to true on the agent, and this setting is passed to Horizon Client, the agent setting overrides the Horizon Client setting.

The default value is undefined, which equates to false.

viewusb.ExcludeFamily

Exclude Device Family

Excludes families of devices from being redirected. The format of the setting is family_name_1[;family_name_2]...

For example: bluetooth;smart-card

If you have enabled automatic device splitting, Horizon examines the device family of each interface of a composite USB device to decide which interfaces should be excluded. If you have disabled automatic device splitting, Horizon examines the device family of the whole composite USB device.

The default value is undefined.

viewusb.ExcludeVidPid

Exclude Vid/Pid Device

Excludes devices with specified vendor and product IDs from being redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]...

You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0781_pid-****;vid-0561_pid-554c

The default value is undefined.

viewusb.ExcludePath

Exclude Path

Exclude devices at specified hub or port paths from being redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]...

You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths.

For example: bus-1/2/3_port-02;bus-1/1/1/4_port-ff

The default value is undefined.

viewusb.IncludeFamily

Include Device Family

Includes families of devices that can be redirected. The format of the setting is family_name_1[;family_name_2]...

For example: storage

The default value is undefined.

viewusb.IncludePath

Include Path

Include devices at specified hub or port paths that can be redirected. The format of the setting is bus-x1[/y1].../port-z1[;bus-x2[/y2].../port-z2]...

You must specify bus and port numbers in hexadecimal. You cannot use the wildcard character in paths.

For example: bus-1/2_port-02;bus-1/7/1/4_port-0f

The default value is undefined.

viewusb.IncludeVidPid

Include Vid/Pid Device

Includes devices with specified vendor and product IDs that can be redirected. The format of the setting is vid-xxx1_pid-yyy2[;vid-xxx2_pid-yyy2]...

You must specify ID numbers in hexadecimal. You can use the wildcard character (*) in place of individual digits in an ID.

For example: vid-0561_pid-554c

The default value is undefined.
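As an added example (not part of the original documentation or of Horizon itself), the following Python sketch parses the Vid/Pid list format and the Split Vid/Pid format described above, rejects malformed entries, and shows which entries match a given device and how many ID pairs a wildcard entry covers. It mirrors the documented syntax only, not Horizon's own filter evaluation or precedence. All function names are hypothetical, and four-character IDs and two-digit interface numbers are assumptions taken from the page's examples.

```python
import re

# Assumption: each ID is four characters, a hex digit or '*' per position,
# as in the page's examples; hex digits are compared case-insensitively.
VIDPID_RE = re.compile(r"vid-([0-9A-Fa-f*]{4})_pid-([0-9A-Fa-f*]{4})")
SPLIT_RE = re.compile(r"(vid-[^();]+)\(([^()]*)\)")
EXINTF_RE = re.compile(r"exintf:(\d{2})")  # assumption: two decimal digits


class PolicyError(ValueError):
    """Raised when a policy string does not follow the documented format."""


def parse_vidpid_list(value):
    """Parse 'vid-xxxx_pid-yyyy[;vid-xxxx_pid-yyyy]...' into (vid, pid) patterns."""
    rules = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing semicolon
        m = VIDPID_RE.fullmatch(entry)
        if m is None:
            raise PolicyError(f"malformed Vid/Pid entry: {entry!r}")
        rules.append((m.group(1).lower(), m.group(2).lower()))
    return rules


def parse_split_vidpid(value):
    """Parse 'vid-xxxx_pid-yyyy(exintf:zz[;exintf:ww])' into (rule, [interfaces])."""
    m = SPLIT_RE.fullmatch(value.strip())
    if m is None:
        raise PolicyError(f"malformed Split Vid/Pid value: {value!r}")
    (rule,) = parse_vidpid_list(m.group(1))
    excluded = []
    for part in (p.strip() for p in m.group(2).split(";")):
        e = EXINTF_RE.fullmatch(part)
        if e is None:
            raise PolicyError(f"malformed exintf entry: {part!r}")
        excluded.append(int(e.group(1)))  # interface numbers are decimal
    return rule, excluded


def rule_matches(rule, vid, pid):
    """True if integer vid/pid match the rule; '*' matches any one hex digit."""
    device = f"{vid:04x}{pid:04x}"
    return all(p in ("*", d) for p, d in zip(rule[0] + rule[1], device))


def breadth(rule):
    """How many vid/pid pairs the rule covers: each '*' multiplies by 16."""
    return 16 ** (rule[0] + rule[1]).count("*")


def report(policy_value, devices):
    """For each (vid, pid) device, list the policy entries that match it."""
    rules = parse_vidpid_list(policy_value)
    return {dev: [f"vid-{r[0]}_pid-{r[1]}" for r in rules if rule_matches(r, *dev)]
            for dev in devices}


# Constructed inventory for illustration; the policy string is the page's example.
SAMPLE_DEVICES = [(0x0781, 0x5567), (0x0561, 0x554C), (0x046D, 0xC52B)]

if __name__ == "__main__":
    hits = report("vid-0781_pid-****;vid-0561_pid-554c", SAMPLE_DEVICES)
    for dev, entries in hits.items():
        print(f"{dev[0]:04x}:{dev[1]:04x}", entries or "no matching entry")
```

A large breadth() value on an include entry is worth a second look, because one entry such as vid-0781_pid-**** covers every product ID of that vendor.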

Important

If you enable the Hide domain list in client user interface setting and select two-factor authentication (RSA SecurID or RADIUS) for the Connection Server instance, do not enforce Windows user name matching. Enforcing Windows user name matching prevents users from entering domain information in the user name text box and login always fails.

| Send domain list setting | Hide domain list in client user interface setting | How users log in |
| --- | --- | --- |
| Disabled (default) | Enabled | The Domain drop-down menu is hidden. Users must enter one of the following values in the User name text box: User name (not allowed for multiple domains); domain\username; username@domain.com |
| Disabled (default) | Disabled | If a default domain is configured on the client, the default domain appears in the Domain drop-down menu. If the client does not know a default domain, *DefaultDomain* appears in the Domain drop-down menu. Users must enter one of the following values in the User name text box: User name (not allowed for multiple domains); domain\username; username@domain.com |
| Enabled | Enabled | The Domain drop-down menu is hidden. Users must enter one of the following values in the User name text box: User name (not allowed for multiple domains); domain\username; username@domain.com |
| Enabled | Disabled | Users can enter a user name in the User name text box and then select a domain from the Domain drop-down menu. Alternatively, users can enter one of the following values in the User name text box: domain\username; username@domain.com |

Determines the amount of time that an empty application session is kept open. An application session is empty when all the applications that run in the session are closed. While the session is open, users can open applications faster. You can save system resources if you disconnect or log off empty application sessions. Select Never, Immediate, or set the number of minutes as the timeout value. The default is After 1 minute. If you select Immediate, the session logs off or disconnects within 30 seconds.

You can further reduce the time before the session logs off or disconnects by editing a registry key on the RDS host on which Horizon Agent is installed. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Plugins\wssm\applaunchmgr\Params and set a value for WindowCheckInterval. The default value is 20000. This means that the poll for the empty session check is every 20 seconds, which sets the maximum time between the last application session close and session log off to 40 seconds. You can change this value to 2500. This means that the poll for the empty session check is every 2.5 seconds, which sets the maximum time between the last application close and session log off to 5 seconds.