Help Center/ Workspace/ User Guide (Administrators)/ Policy Management/ Protocol Policy Management/ Creating a Policy/ Creating an Advanced Policy
Updated on 2025-08-20 GMT+08:00
View PDF
Share

Creating an Advanced Policy

Scenarios

General policies can meet daily office requirements. You can customize advanced policies for special scenarios.

Prerequisites

You have purchased a desktop.

Procedure

  1. Log in to the console.
  2. Choose Policies > Protocol Policies. The Protocol Policies page is displayed.
  3. Click Create Policy.
  4. Enter the policy name and description.

    • The policy name can contain up to 55 characters in digits, letters, and underscores (_).
    • The description can contain up to 255 characters.

  5. Select a creation mode as required.

    • Create without template: Create a policy using the default blank template.
    • Create with template: Create a policy using an existing policy template, whose configuration items will be used by default.

      You can select an existing policy template or add a custom template.

      The system provides four policy templates to help you quickly configure desktop policies in four different scenarios.

      • In security scenarios, Huawei Delivery Protocol (HDP) prevents data in a desktop from being transferred to or even stored on personal storage devices and ensures that data is stored only in an on-premises data center.
      • In gaming scenarios, cursor follow-up and image display are optimized to ensure smoothness even in poor bandwidth conditions.
      • In graphics processing scenarios, the display frame rate can be adjusted to improve the display quality and the cursor follow-up mode can be adjusted to narrow the gap between the cursor and the image and reduce the visual difference.
      • In video editing scenarios, video acceleration is used to optimize video playback quality. The cursor closely follows user operations, improving user experience.
    • Use existing policy: If a policy group has been created, you can import a policy from the existing policy group. The configuration items of the selected policy will be used by default.

  1. Click Next: Configure Policy. The General Policy Configuration page is displayed.
  2. On the General Policy Configuration page, click Advanced Policies to go to the Advanced Policies page.
  1. Configure an advanced policy, as shown in Figure 1.

    For details about how to configure an advanced policy, see Table 1.
    Figure 1 Configuring an advanced policy
    Table 1 Advanced policy list

    Policy Name

    Description

    Peripherals

    You can configure policies for the redirection of USB ports, devices, printers, and cameras.

    Audio

    You can configure policies for the redirection of audio, audio playback, and audio recording.

    Clients

    You can configure policies for automatic reconnection interval, waiting time before automatic monitor shutdown after screen locking, screenshot prevention, and IP address access control.

    Display

    You can configure policies for the display level, display frame rate, and video frame rate.

    Files and Clipboards

    You can configure policies for file redirection and clipboard redirection.

    Sessions

    You can configure policies for automatic screen locking, self-service maintenance, and disconnection after screen locking.

    Watermarking

    You can configure policies for watermark content, display settings, and display mode.

    General Audio/Video Bypass

    You can configure policies for general audio/video bypass.

    Virtual Channels

    You can configure policies for virtual channel control.

    Keyboards and Mouse Devices

    You can configure policies related to computer mouse devices, such as feedback and simulation mode.

    Screen Recording Audit

    You can configure policies related to screen recording, such as screen recording type, frame rate, and resolution.

  2. Configure required policies and click Next: Select Target Object.
  3. Select an object type as required and then select an object.
  4. Click Next: Finish. The policy has been created and will take effect upon the next login to the desktop.
  • indicates that the policy is enabled.
  • indicates that the policy is disabled.

Peripherals

Configure peripheral application policies, as shown in Table 2.
  • A peripheral may support:
    • USB port redirection
    • Device redirection
    • Serial port redirection
  • USB devices: USB port redirection is recommended over device redirection.
    • Device redirection is recommended for cameras, and file redirection for storage devices (see Files and Clipboards). If a storage device has other functions, such as password- or fingerprint-based access, you must configure USB port redirection for the device.
    • For non-standard USB devices or policy priority conflicts, you are advised to customize policies for USB port redirection.
  • Serial port devices: Serial port redirection is preferred.
    • If serial port redirection fails to satisfy the redirection requirements of a serial port device, use a serial-to-USB cable so that the serial port device can use USB port redirection.
    • For serial port printers, you can use printer redirection.
Table 2 Peripheral policies

Type

Parameter

Description

Example Value

USB Port Redirection

USB port redirection switch
  • : End users can use USB devices connected to terminals by using USB port redirection.
  • : End users cannot use USB devices connected to terminals by using USB port redirection.
  • Default value:

Graphics devices (such as scanners)
  • : End users can use USB graphics devices connected to terminals through USB port redirection.
  • : End users cannot use USB graphics devices connected to terminals through USB port redirection.
  • Default value:

Printers
  • : End users can use USB print devices connected to terminals through USB port redirection.
  • : End users cannot use USB print devices connected to terminals through USB port redirection.
  • Default value:

Smart card devices (such as Ukeys)
  • : End users can use smart card devices on a computer through USB port redirection.
  • : End users cannot use smart card devices on a computer through USB port redirection.
  • Default value:

Video devices (such as cameras)
  • : End users can use USB video devices connected to terminals through USB port redirection.
  • : End users cannot use USB video devices connected to terminals through USB port redirection.
  • Default value:

Storage devices (such as USB flash drives)
  • : End users can use USB storage devices connected to terminals through USB port redirection.
  • : End users cannot use USB storage devices connected to terminals through USB port redirection.
  • Default value:

Network Device (such as wireless NIC)
  • : End users can use network devices on a computer through USB port redirection.
  • : End users cannot use network devices on a computer through USB port redirection.
  • Default value:

Wireless Device (such as bluetooth)
  • : End users can use wireless devices on a computer through USB port redirection.
  • : End users cannot use wireless devices on a computer through USB port redirection.
  • Default value:

Other USB Devices
  • : End users can use other USB devices (excluding graphics devices, video devices, printers, storage devices, and smart cards) connected to terminals through USB port redirection.
  • : End users cannot use other USB devices (excluding graphics devices, video devices, printers, storage devices, and smart cards) connected to terminals through USB port redirection.
  • Default value:

USB Port Redirection Customization Policy

Users can customize USB policies and ADV policies using the customized ID or class policy. Use vertical bars (|) to separate multiple policies and store them in a configuration file as a complete string. The string contains a maximum of 1024 characters and cannot contain spaces or any of the following special characters: "!@#$%^&*()>?. Format examples are as follows:

  • Customized ID policy format:

    ID:VID:PID:isShare:isCompress

    NOTE:

    PID fuzzy match format (for peripherals with the same VID): ID:VID:FFFF:isShare:isCompress

  • Customized class policy format:

    CLASS:DeviceClass:DeviceSubClass:DeviceProtocol:InterfaceClass:InterfaceSubClass:InterfaceProtocol: isShare:isCompress

  • USB key policy format:

    USBKEY:VID:PID

  • ADV policy format:

    ADV:VID:PID:isSelectConfig:isResetInterface:isSelectInterface:isRevert

    NOTE:
    • Priority: Customized ID policies > customized class policies > basic class policies.
    • PID fuzzy match: This policy is used to forbid or allow the redirection of peripherals with the same VID.
    • ADV: performs advanced debugging on non-standard devices
    • VID: specifies the vendor ID
    • PID: specifies the product ID
    • isShare: specifies whether to allow device redirection If yes, the value is 1. If no, the value is 0.
    • isCompress: specifies whether to allow camera compression, which is only available for cameras. If yes, the value is 1. If no, the value is 0.
    • DeviceClass: specifies the device descriptor class
    • DeviceSubClass: specifies the device descriptor subclass
    • DeviceProtocol: specifies the device descriptor protocol
    • InterfaceClass: specifies the interface descriptor class
    • InterfaceSubClass: specifies the interface descriptor subclass
    • InterfaceProtocol: specifies the interface descriptor protocol
    • The USB key is used together with the key lock function of Westone.
    • isSelectConfig: specifies whether to run the command of selecting configuration on the Linux client
    • isResetInterface: specifies whether to run the command of resetting an interface when selecting configuration on the Linux client
    • isSelectInterface: specifies whether to run the command of selecting an interface on the Linux client
    • isRevert: specifies whether to run the command of negating a device ID on the Linux client
    • Policies are configured for standard devices. If devices cannot be redirected due to custom classes, configure custom policies.

ID:147E:2016:1:0|CLASS:08:06:50:08:06:50:1:0|USBKEY:147E:2016|ADV:78e:79f:1:1:1:1

Linux TC USB Redirection Mode
  • This option is available only for setting the USB redirection mode of Linux TCs.
  • The common mode is recommended for Linux TCs. If a USB device is incompatible with the general mode, you can use the classic mode.

General mode

Printer Redirection

Printer redirection switch
  • : End users can use printers connected to TCs through printer redirection (a policy of device redirection).
  • : End users cannot use printers connected to TCs on a cloud desktop.
  • Default value:
    NOTICE:

    The printer driver must be installed on both the TC and computer.

Synchronize Client Default Printer
  • : The default printer of the client is synchronized.
  • : The default printer of the client is not synchronized.
  • Default value:

Universal Printer Driver
  • Default
  • HDP XPSDrv Driver
  • Universal Printing PCL 5
  • Universal Printing PCL 6
  • Universal Printing PS

If you select Default, the Universal Printing PS driver is loaded for Linux client printer redirection, and the HDP XPSDrv Driver driver is loaded for Windows client printer redirection.

NOTICE:

To simplify the printer service, ensure that all users use TCs or SCs running the same OS to log in to cloud desktops. For example, all TCs run Linux.

Default

Session Printer

Session printer switch
  • : After the session printer is enabled and a custom policy is configured, a network sharing printer is automatically created in the session.
  • : The session printer is disabled.
  • Default value:

Session Printer Customization Policy
  • Users can customize a session printer policy by configuring IP address;Printer name;Printer model;Default printer;Settings;Location. Configuration items are separated by semicolons (;), and multiple policies are separated by vertical bars (|) and form a string that is saved in the configuration file. The string contains a maximum of 1024 characters and cannot contain any of the following characters: "!@#$%^&*()>?.
    • IP address: IP address of the printer server, for example, 192.168.1.11. This parameter is mandatory.
    • Printer name: name of the printer, for example, EPSON TM-T88IV Receipt. This parameter is mandatory.
    • Printer model: printer driver model, for example, EPSON TM-T88IV ReceiptSC4. This parameter is mandatory.
    • Default printer: If the value is 0, the printer is not a default printer; if the value is 1, the printer is a default printer. This parameter is mandatory.
    • Settings: If the value is 0, the printer is a network sharing printer; if the value is 1, the printer is a network port printer. This parameter is mandatory.
    • Location: indicates the printer location matching. Partial matching and full matching of client IP addresses, MAC addresses, and TC host names are supported currently. For example, IP:192.168.1.12 indicates full match of IP addresses, IP:192.168 indicates partial match of IP addresses, MAC:00-ac indicates partial match of MAC addresses, and HOSTNAME:workspace-vdesktop indicates full match of host names. If location matching is not required, set the parameter to 0.

192.168.1.11;EPSON TM-T88IV Receipt;EPSON TM-T88IV ReceiptSC4;1;0;IP:192.168.1.12

Camera Redirection

Camera redirection switch
  • : End users can use cameras connected to terminals through camera redirection (a policy of device redirection).
  • : End users cannot use cameras connected to terminals through camera redirection.
  • Default value:
    NOTE:
    • The camera driver must be installed on the terminal.
    • Toggle on the USB Port Redirection switch () and select Video Device (such as cameras).

Camera Frame Rate (FPS)

The value ranges from 1 to 30.

15

Camera Max Width (Pixel)

The value ranges from 1 to 9,999.

3000

Camera Max Height (Pixel)

The value ranges from 1 to 9,999.

3000

Camera Data Compression Mode

H.264

H.264

TWAIN Redirection

TWAIN redirection switch
  • : End users can use TWAIN devices connected to terminals through TWAIN redirection (a policy of device redirection).
  • : End users cannot use TWAIN devices connected to terminals through TWAIN redirection.
  • Default value:
    NOTE:

    The TWAIN driver must be installed on the terminal.

Image Compression Level

Defines the compression level for TWAIN redirection.

  • None (no compression)
  • Low (highest speed)
  • Medium (medium speed)
  • Lossless
  • Low-loss
  • Medium-loss
  • High-loss

Medium (medium speed)

PC/SC Redirection

-
  • If you enable this option, you can use smart cards connected to terminals through PC/SC redirection (a policy of device redirection). Disconnecting user sessions when smart cards are being removed is available.
  • If you disable this option, PC/SC redirection is disabled, but the PC/SC driver is still loaded. If you enable this option again, you do not need to restart the desktop. Disconnecting user sessions when smart cards are being removed is available.
  • If you disable this option, PC/SC smart card redirection is disabled and the PC/SC driver is not loaded. If you enable this option again, you need to restart the desktop.
NOTE:

To configure PC/SC redirection, deselect Smart Card (such as Ukey) in the USB Port Redirection policy. In addition, you need to customize an ID policy in the format of ID:VID:PID:0:0. To enable PC/SC redirection, you need to install the PC/SC driver on the terminal and desktop.

Disabled

Serial Port Redirection

Serial port redirection switch
  • : End users can use serial port devices connected to terminals through serial port redirection.
  • : End users cannot use serial port devices connected to terminals through serial port redirection.
  • Default value:
    NOTE:

    The serial port device driver must be installed on the desktop.

Auto Connect Client Serial Ports
  • : When users log in to cloud desktops, client serial ports are automatically connected to prevent the serial ports from being used by other local programs. You are advised to enable this parameter.
  • : When users log in to cloud desktops, client serial ports are not automatically connected.
  • Default value:

Driver Interface Redirection

Customized Drivers

Drivers installed on terminals are simulated to provide interfaces for applications on the computer to call to control and use hardware devices. Currently, only Linux desktops and SKF interfaces of cryptographic algorithm are supported.

  • Enter one or more driver file names or full paths of driver files installed on terminals. If multiple ones are entered, separate them with semicolons (;)
  • You can enter driver file names or full paths of driver files on different types of terminals. The HDP client dynamically identifies them.
  • Full path of a driver file. If the path contains spaces, use double quotation marks ("") to quote the path.
  • A driver file name must not contain special characters such as ;*?<>|.
  • The string contains a maximum of 1,000 characters.
  • This parameter is left empty by default, indicating that the function is disabled.
    NOTE:

    Ensure that hardware devices are supported.

/sdcard/HdpClient/Api/libSKFAPI_arm.so;/sdcard/HdpClient/Api/libSKFAPI_arm64.so;SKFAPI.dll

Audio

Configure audio policies, as shown in Table 3.
Table 3 Audio policies

Type

Parameter

Description

Example Value

Audio Redirection

Audio redirection switch

Applications on user desktops can use audio devices on terminals to record and play audio.

Playback Redirection

Playback redirection switch

This parameter takes effect only after audio redirection is enabled. The playback switch is controlled separately.

  • : Playback redirection is enabled so that end users can play audios.
  • : Playback redirection is disabled so that end users cannot play audios.

Playback Scenario
  • Lossless: The voice quality is better, but the bandwidth usage is the highest.
  • Voice call: The best voice call processing capability can be provided and the bandwidth usage is the lowest, but the music processing capability is average.
  • Music playback: The best music processing capability can be provided and the bandwidth usage is medium, but the voice call processing capability is average.
  • Automatic identification: The user's behavior, such as voice call or music playback, can be identified. The accuracy rate exceeds 90%. The system automatically switches to a better algorithm based on user behavior.

Music playback

Recording Redirection

Recording redirection switch

This policy takes effect only after audio redirection is enabled. The recording switch is controlled separately.

  • : Recording redirection is enabled so that end users can record audios.
  • : Recording redirection is disabled so that end users cannot record audios.

Recording Scenario
  • Lossless: The voice quality is better, but the bandwidth usage is the highest. This level is recommended only when the network bandwidth is sufficient and the network is stable and reliable. Generally, this level is not recommended for audio recording.
  • Voice call: The best voice call processing capability can be provided and the bandwidth usage is the lowest, but the music processing capability is average. You are advised to select this level because audio recording is the most common scenario.
  • Music recording: This option is reserved because recording is rarely used for music playback. Therefore, this option is not recommended for audio recording.
  • Automatic Identification: This option is reserved and is equivalent to Voice call.

Voice call

Clients

Configure client policies, as shown in Table 4.
Table 4 Client policies

Parameter

Description

Example Value

Auto Reconnection Interval (s)

Specifies the interval at which the client attempts to connect to the server after the client is disconnected abnormally. The value ranges from 0 to 50.

5

Session Persistence Time (s)

Specifies the longest duration allowed for automatic reconnection attempts after the client is disconnected abnormally. The value ranges from 0 to 180.

180

Auto Monitor Shutdown After Screen Locking
  • : After the VM screen is locked, the monitor is automatically shut down if no keyboard or mouse operation is performed on the client after the waiting time.
    NOTE:

    This policy only applies to TCs and does not take effect for nested login.

  • : After the VM screen is locked, the monitor is not automatically shut down.

Auto Monitor Shutdown In (s)

This parameter is valid only when Auto Monitor Shutdown After Screen Locking is enabled. This parameter specifies the waiting time before the local monitor is automatically shut down after the VM screen is locked. The value range is 10–600,000 seconds.

300

Screenshot Prevention Policy

After the policy is enabled, users are prevented from saving and sharing screenshots captured on cloud desktops.

  • : This policy is enabled.
  • : This policy is disabled.
NOTE:
  • Only Windows clients, macOS clients (version 24.6.3 or later), and Linux TCs are supported. After this function is enabled, other terminals cannot access the system.
  • The screenshot prevention policy relies on the underlying capabilities of the on-premises OS of the terminal user, so the support for this function varies with the client type.
  • In response to the potential new methods for screen shooting, we will continuously update and optimize the policy, but cannot guarantee comprehensive protection in special cases.

IP Address Access Control

By default, this parameter is left blank, indicating that all clients can access the desktop. After the IP address of a client is specified, only the specified client can access the desktop.

You need to enter a valid IP address and subnet mask for IP address-based access control. The IP address and subnet mask are separated by a vertical bar (|). If there are multiple IP addresses and subnet masks, separate them with semicolons (;), for example, IP address|Mask;IP address|Mask;IP address|Mask.

192.168.0.1|255.255.255.255

Verification of Terminals Added to a Domain

You can configure a policy to control terminal access to desktops. After the policy is enabled, only terminals that are added to the company's domain can access desktops.

  • : verification enabled
  • : verification disabled
    NOTE:
    • This function is supported only when an AD domain is interconnected with.
    • This function applies only to Windows terminals. You must select Windows after enabling terminal login control.
    • The terminal device and the desktop project are in the same domain.
    • Clients of 24.6.2.5001 or later are supported.
    • Servers of 24.6.2.5001 or later are supported.

Terminal Login Control
You can configure a policy to control terminal access to desktops.
  • : Enable this function to select the terminal types that can access cloud desktops.
    • : Only the selected terminals are allowed to access desktops.
    • : Unselected terminals are not allowed to access desktops.
  • : Disable this function to all terminals to access desktops.
    NOTE:
    • Clients of 24.6.2.5001 or later are supported.
    • Servers of 24.6.2.5001 or later are supported.

Display

Configure display policies, as shown in Table 5.
Table 5 Display policies

Type

Parameter

Description

Example Value

Display

Display Policy Level
  • Level 1: applies to network bandwidth lower than 512 Kbit/s. It can be used only for light-load office scenarios, such as browsing text documents. The display quality of this level is low.
  • Level 2: applies to network bandwidth lower than 1 Mbit/s. It can be used only for light-load office scenarios, such as browsing text documents and static images. The display quality of this level is better than that of level 1.
  • Level 3: applies to network bandwidth lower than 4 Mbit/s. It can be used for medium-load office scenarios, such as browsing documents, images, and dynamic web pages.
  • Level 4 (recommended): applies to network bandwidth lower than 20 Mbit/s. It can be used to play standard definition (SD) and high definition (HD) videos. This level ensures the display quality at a proper bandwidth level.
  • Level 5: applies to network bandwidth higher than 20 Mbit/s. This level delivers good video playback.

Level 4 (recommended)

Display Frame Rate (FPS)

Indicates the image refresh rate in non-video scenarios. Increasing this value improves image and operation smoothness but consumes more network bandwidth and VM CPU resources. The value ranges from 1 to 60. The recommended value ranges from 15 to 25.

25

Video Frame Rate (FPS)

Indicates the image refresh rate of video. Increasing this value improves video playback smoothness but consumes more network bandwidth and VM CPU resources.

NOTE:

This parameter is unavailable after Rendering acceleration is enabled.

-

Bandwidth (kbit/s)

Limits the peak bandwidth of a user. The value ranges from 256 to 25,000.

20000

Image Compression Parameters

Min. Capacity for Image Cache (MB)

The minimum capacity for image cache, expressed in MB. Increasing this value reduces bandwidth usage but consumes more client memory resources. If the parameter is set to a value smaller than 50, the cache function is disabled. The value ranges from 0 to 300.

200

Lossy Compression Recognition Threshold

The threshold for recognizing image complexity. Decreasing this value increases image quality but consumes more network bandwidth resources. The value ranges from 0 to 255.

60

Lossless compression

Specifies the image compression algorithm. You can select Basic compression or Deep compression. When you compress the same picture, the compression ratio and CPU usage of basic compression are lower than those of deep compression.

Basic compression

Deep Compression Level

This parameter takes effect after Deep compression is selected. A higher compression level means a higher compression ratio and CPU usage but lower bandwidth usage. Level 0 indicates a copy operation and no compression is involved. This level consumes the fewest CPU resources but the most bandwidth resources.

Level 0

Lossy Compression Quality

This parameter is used to set the image quality after lossy compression. Increasing this value improves image quality. The value ranges from 20 to 100.

85

Color Enhancement for Office Work

This parameter is used for color enhancement in office scenarios.

  • : Color enhancement for office work is enabled.
  • : Color enhancement for office work is disabled.

Video Compression Parameters

Quality/Bandwidth First
  • Quality First: If this option is selected, video images are compressed at a fixed quality level. Average Video Bitrate (Kbit/s) takes effect only after Rendering acceleration is enabled.
  • Bandwidth First: If this option is selected, video images are compressed at a fixed bitrate.

    Average Video Quality, Lowest Video Quality, and Highest Video Quality take effect only after Rendering acceleration is enabled.

Quality

Average Video Bitrate (Kbit/s)

Video compression algorithm parameter. In the Bandwidth First mode, increasing this value improves video quality. The value ranges from 256 to 100,000.

18,000

Peak Video Bitrate (Kbit/s)

Video compression algorithm parameter. Increasing this value improves display quality. The value ranges from 256 to 100,000.

18,000

Average Video Quality

Average quality coefficient of video. In the Quality First mode, increasing this value compromises video quality. The value ranges from 5 to 59.

15

Lowest Video Quality

Lower limit of video quality. In the Quality First mode, increasing this value compromises video quality. The value ranges from 5 to 69.

25

Highest Video Quality

Upper limit of video quality. In the Quality First mode, increasing this value compromises video quality. The value ranges from 1 to 59.

7

GOP Size

Video compression algorithm parameter. Decreasing this value improves video quality but consumes more bandwidth resources. It is recommended that this value be 1 to 2 times the video frame rate. The value ranges from 0 to 65,535.

100

Encoding Preset

Video compression algorithm parameter. Decreasing this value means faster encoding and better smoothness but lower image quality and higher bandwidth usage.

Preset 1

Rendering Acceleration

Rendering Acceleration
  • : Rendering acceleration is enabled to improve smoothness.
  • : Rendering acceleration is disabled.

Video Acceleration Enhancement
  • : Video acceleration enhancement is enabled.
  • : Video acceleration enhancement is disabled.

Video Optimization
  • : Video optimization is enabled to improve smoothness.
  • : Video optimization is disabled.

Disabled

GPU Color Optimization
  • : GPU color optimization is enabled to improve color reproduction in video/office hybrid scenarios.
  • : GPU color optimization is disabled.
NOTE:

This parameter applies only to GPU desktops.

Video Recognition Threshold

Number of frames required when you open or exit a video. It is easier to open or exit a video as the value increases. The value ranges from 0 to 500.

10

Frame Rate Statistical Length

Number of statistical frames during video detection. It is easier to open a video as the value decreases. The value ranges from 2 to 100.

4

Image Quality Threshold

It is easier to open a video as the value decreases. The value ranges from 0 to 100.

0

Refresh Frequency Threshold

It is easier to open a video as the value decreases. The value ranges from 1 to 100.

3

Threshold of Exiting Video Area

It is easier to exit a video as the value decreases. The value ranges from 0 to 100.

8

Min Video Width

It is easier to open a video as the value decreases. The value ranges from 0 to 1,280.

191

Min Video Height

It is easier to open a video as the value decreases. The value ranges from 0 to 1,280.

191

Proportion Threshold of Single-Frame Natural Image Block

It is easier to open a video as the value decreases. The value ranges from 0.000001 to 1.

0.3

Number of Cyclical Natural Images

It is easier to open a video as the value decreases. The value ranges from 0 to 100.

2

Threshold of the Non-Natural Image Area Percentage

It is harder to exit a video as the value increases. The value ranges from 0.000001 to 1.

0.85

Number of Non-Natural Images

It is harder to exit a video as the value increases. The value ranges from 0 to 100.

25

Other Parameters

Graphics Card Memory (MB)

Device memory capacity. The value ranges from 0 to 64. This parameter affects the bandwidth in some scenarios. Increasing this value reduces the bandwidth usage.

64

Driver Delegation Mode
  • : The driver delegation mode is enabled.
  • : The driver delegation mode is disabled.

Driver Delegation Latency (*30ms)

The value ranges from 1 to 100.

80

Video Latency (*30ms)

The value ranges from 1 to 100.

80

Change Resolution in Computer
  • : After the computer resolution change policy is enabled, end users can change the desktop resolution in system settings on cloud desktops.
  • : After the computer resolution change policy is disabled, end users cannot change the desktop resolution in system settings.

Application Recognition

Configure display policies for specific applications. (Provided by Huawei engineers)

NOTE:

A Windows 10 computer supports up to 4 applications.

-

Files and Clipboards

Configure file & clipboard policies, as shown in Table 6.
Table 6 File & Clipboard policies

Type

Parameter

Description

Example Value

File Redirection

File redirection switch
  • Read-only: Files in drivers and storage devices can only be pre-viewed.
  • Read/write: Files in drivers and storage devices can be modified.

Users can use drivers in file redirection mode on cloud desktops.

Read-only

Fixed driver
  • : Users can use fixed drivers, such as local disks, on cloud desktops in the file redirection mode.
  • : Users cannot use fixed drivers, such as local disks, on cloud desktops in the file redirection mode.
NOTE:

When file redirection is disabled, this function is disabled.

Removable driver
  • : Users can use removable drivers, such as USB flash drives, on cloud desktops in the file redirection mode.
  • : Users cannot use removable drivers, such as USB flash drives, on cloud desktops in the file redirection mode.
NOTE:

When file redirection is disabled, this function is disabled.

CD/DVD-ROM driver
  • : Users can use CD-ROM drivers on cloud desktops in the file redirection mode.
  • : Users cannot use CD-ROM drivers on cloud desktops in the file redirection mode.

Network driver
  • : Users can use network drivers on cloud desktops in the file redirection mode.
  • : Users cannot use network drivers on cloud desktops in the file redirection mode.

Traffic Control
  • : Traffic control is enabled.
  • : Traffic control is disabled.

Good Network Latency Threshold (ms)

Latency threshold of good network. The value ranges from 1 to 1000.

30

Normal Network Latency Threshold (ms)

Latency threshold of normal network. The value ranges from 1 to 1000.

70

Poor Network Latency Threshold (ms)

Latency threshold of poor network. The value ranges from 1 to 1000.

100

Reducing Step (KB)

Step of reducing the transmission speed. The value ranges from 1 to 100.

20

Slow Increasing Step (KB)

Slow step of increasing the transmission speed. The value ranges from 1 to 100.

10

Quick Increasing Step (KB)

Quick step of increasing the transmission speed. The value ranges from 1 to 100.

20

Start Speed (KB/s)

Initial transmission speed. The value ranges from 1 to 10,240.

1024

Test Block Size (KB)

Block size of speed testing. The value ranges from 64 to 1024.

64

Test Time Gap (ms)

Gap of testing. The value ranges from 1,000 to 100,000.

10,000

Compression
  • : Compression is enabled.
  • : Compression is disabled.

Compression Threshold (Byte)

The value ranges from 0 to 10,240.

512

Min Compression Rate

The value ranges from 0 to 1,000.

900

File Size Supported by Linux
  • : File size can be set on Linux.
  • : File size cannot be set on Linux.

File Size Threshold for Linux (MB)

The value ranges from 0 to 4,096.

100

Mobile Client Redirection
  • : Mobile client redirection is enabled.
  • : Mobile client redirection is disabled.

Linux Root Directory Mounting
  • : Root directory mounting is enabled on Linux.
  • : Root directory mounting is disabled on Linux.

Linux Root Directory Mounting Path

If root directory mounting is enabled on Linux, you need to configure the mounting path. The value contains a maximum of 256 characters in UTF-8 format.

\var\log

Linux File System Mounting Path

The value contains a maximum of 256 characters in UTF-8 format.

\media|\Volumes|\swdb\mnt|\home|\storage|\tmp|\run\media

Linux Fixed Driver File System Format

The value contains a maximum of 256 characters in UTF-8 format.

-

Linux Removable Driver File System Format

The value contains a maximum of 256 characters in UTF-8 format.

vfat|ntfs|msdos|fuseblk|sdcardfs|exfat|fuse.fdredir

Linux CD-ROM Driver File System Format

The value contains a maximum of 256 characters in UTF-8 format.

cd9660|iso9660|udf

Linux Network Driver File System Format

The value contains a maximum of 256 characters in UTF-8 format.

smbfs|afpfs|cifs

Path Separator

A single ASCII character

|

Read/Write Speed (Kbit/s)

This option is disabled when File Redirection and Send File From VM to Client are disabled.

The value 0 indicates that the read/write speed is not limited. Other values indicate the configured read/write speed. The default minimum speed is 32 kbit/s. If the minimum speed is lower than 32 kbit/s, 32 kbit/s is used by default.

0

Send File

Send File from VM to Client
  • : Files on a VM can be sent to the client.
  • : Files on a VM cannot be sent to the client.

Clipboard Redirection

Clipboard Redirection
  • Bidirectional: End users can copy data on client cloud desktops and paste the data on on-premises desktops, or copy data on on-premises desktops and paste the data on client cloud desktops.
  • Server to client: After this function is enabled, end users can only copy data on client cloud desktops and paste the data on on-premises desktops.
  • Client to server: After this function is enabled, end users can only copy data on on-premises desktops and paste the data on client cloud desktops.
NOTE:
  • Rich text copy and file copy are supported only when both the client (TC/SC) and desktop run Windows. A maximum of 500 files can be copied at a time.
  • If the OS of a client (TC/SC or mobile client) or desktop is not Windows, only text can be copied.

Bidirectional

Clipboard Rich Text Redirection
  • : Clipboard rich text redirection is enabled.
  • : Clipboard rich text redirection is disabled.
    NOTE:

    Rich text contains format information, such as font style (bold, italic, etc.), color, hyperlink, image, and table.

Clipboard File Redirection
  • : Clipboard file redirection is enabled.
  • : Clipboard file redirection is disabled.

Sessions

Configure session policies, as shown in Table 7.
Table 7 Session policies

Parameter

Description

Recommended Value

Auto Screen Locking
  • : Automatic screen locking is enabled. If the desktop is idle for a period of time after login, screen locking is automatically triggered.
  • : Automatic screen locking is disabled.
    NOTE:

    For a Windows desktop of HDA 23.8.2 or later, when applications (such as video players and meeting software) on the desktop are set to the in-use status, the desktop is identified as being in use and does not trigger the corresponding automatic policy.

Disabled

Validity Period

Specifies the time when the policy takes effect. The time is the local time of the cloud desktop.

-

Screen Locking In (Minute)

Specifies the waiting time before the desktop screen is automatically locked. The value ranges from 3 to 86,400.

10

Auto Disconnect/Log Out/Restart/Stop/Hibernate After Auto Screen Locking

After the desktop is hibernated, the applications on the desktop are paused. After the desktop is woken up, the applications can be restored to the status when they were paused.

  • Disconnect: Auto Screen Locking is enabled and Disconnect is selected. If automatic screen locking is triggered and no keyboard or mouse device is available on the client and no application on the desktop is set to the in-use status after the waiting time, the VM is automatically disconnected.
  • Log out: Auto Screen Locking is enabled and Log out is selected. If automatic screen locking is triggered and no keyboard or mouse device is available on the client and no application on the desktop is set to the in-use status after the waiting time, the VM is automatically logged out of.
  • Restart: Auto Screen Locking is enabled and Restart is selected. If automatic screen locking is triggered and no keyboard or mouse device is available on the client and no application on the desktop is set to the in-use status after the waiting time, the VM is automatically restarted.
  • Stop: Auto Screen Locking is enabled and Stop is selected. If automatic screen locking is triggered and no keyboard or mouse device is available on the client and no application on the desktop is set to the in-use status after the waiting time, the VM is automatically stopped.
  • Hibernate: Auto Screen Locking is enabled and Hibernate is selected. If automatic screen locking is triggered and no keyboard or mouse device is available on the client and no application on the desktop is set to the in-use status after the waiting time, the VM is automatically hibernated.
  • Disabled: This parameter is disabled.

Disabled

Automatic Disconnection/Logout/Restart/Shutdown/Hibernation After Screen Lock In (Minute)

Specifies the waiting time before a desktop is automatically disconnected, logged out of, restarted, shut down, or hibernated. The value ranges from 1 to 86,400.

1440

Automatic Logout/Restart/Shutdown/Hibernation After Disconnection
  • Log out: If the client is disconnected from a VM for a period longer than the waiting time, the VM is automatically logged out of.
  • Restart: If the client is disconnected from a VM for a period longer than the waiting time, the VM is automatically restarted.
  • Shut down: If the client is disconnected from a VM for a period longer than the waiting time, the VM is automatically shut down.
  • Hibernate: If the client is disconnected from a VM for a period longer than the waiting time, the VM is automatically hibernated.
  • Disabled: This parameter is disabled.
    NOTE:
    • Automatic Logout/Restart/Shutdown/Hibernation After Disconnection is available only when Disabled or Disconnect is selected for Automatic Disconnection/Logout/Restart/Shutdown/Hibernation After Screen Lock.
    • If another logout, restart, or shutdown task is performed on the VM within the waiting time, the automatic logout, restart, shutdown, or hibernation operation will not be triggered.

Disabled

Automatic Logout/Restart/Shutdown/Hibernation After Disconnection In (Minute)

Specifies the waiting time before a desktop is automatically logged out of, restarted, shut down, or hibernated after disconnection. The value ranges from 10 to 86,400.

10

Self-help console login preemption

This configuration item is used to determine whether preemption login through the self-help console is allowed when a user desktop has been logged in to. indicates that preemption login is allowed and indicates that preemption login is not allowed. By default, preemption login is enabled. The configuration takes effect only after the cloud desktop is restarted.

Disconnection After Screen Locking

This parameter determines whether to disconnect from a desktop immediately when the desktop is locked. Screen locking may happen when the automatic session locking policy is triggered or the user locks the desktop screen. indicates that the cloud desktop is disconnected from immediately after the screen is locked. This parameter is not enabled by default.

NOTE:
  • This operation can be performed only on Windows desktops.
  • Servers of 24.6.0 or later are supported.

Watermarking

Configure watermark policies, as shown in Table 8.

Table 8 Watermark policies

Parameter

Description

Example Value

Watermarking
  • : After this function is enabled, watermarks are displayed on the screen after users access the cloud desktop.
  • : After this function is disabled, no watermark is displayed on the screen after users access the cloud desktop.
    NOTE:

    Displaying watermarks may compromise video playback on the cloud desktop.

Security First

After this function is enabled, if the client version is earlier than the server version, access is rejected.

Custom Content

The content contains only digits, uppercase letters, lowercase letters, and some special characters, and cannot exceed 45 characters. After you customize the content, the desktop screen displays the watermark in the format of Custom content Login username Time displayed on the desktop. For example, if the custom content is set to CopyRight, the watermark is CopyRight user 2022-01-08 01:01:01.

NOTE:
  • The following special characters are allowed:

    ~!@#$%^&*()-_=+|{};:',<.?

  • If line breaks or other special characters are used, the custom content may not take effect.

-

User Information

Terminal user information. If the user does not enter the mobile number or email address, the user information is not displayed.

  • Username
  • Mobile number
  • Email

Username

Date-Time Sequence

Sequence in which the date and time are displayed:

  • D (Date)
  • T (Time)
  • DT (date-time format)
  • TD (time-date format)

Example: 2020-01-01 16:40 for DT; 16:40 2020-01-01 for TD

DT (date-time format)

Display Mode
  • Fixed position: The watermark is displayed at a fixed position on the screen.
  • Random motion: The watermark moves randomly on the screen every 2 seconds.

Random motion

Alignment

Watermark alignment. Options:

Left alignment, Right alignment, and Center alignment

Left alignment

Quantity

Number of watermarks. This parameter is available when Display Mode is set to Fixed position. The value ranges from 1 to 17.

1

Repeated Watermarks

Number of repeated watermarks. This parameter is available when Display Mode is set to Fixed position. The value ranges from 1 to 17.

1

Repetition Interval

Interval of repeated watermarks. This parameter is available when Display Mode is set to Fixed position. The value ranges from 1 to 17.

10

Tilt

Specifies the tilt of the watermark displayed on the desktop. The value ranges from –90 to 90.

–45

Font Size

Watermark font size. The value ranges from 8 to 100.

30

Color

Watermark color

Opacity (%)

The value ranges from 0 to 100. 0% indicates completely transparent, and 100% indicates completely opaque.

87.5

Preview

You can click to preview the watermark in 16:9 or 4:3.

-

General Audio/Video Bypass

After installing applications and the Huawei Cloud Workspace client on a local terminal running Windows 10, you can configure the audio/video bypass policy to access a cloud desktop from the Huawei Cloud Workspace client and use the applications on the local terminal without installing the applications on the cloud desktop. Table 9 describes the general audio/video bypass policy.

The audio/video bypass function has the following restrictions:

  • This parameter is available only when the local terminal runs Windows 10 and the cloud desktop runs Windows.
  • Non-cloud desktop applications can be mapped to cloud desktops using the general audio/video bypass policy only when these applications work properly on local terminals.
  • Before logging in to a cloud desktop and using an application mapped to the cloud desktop through the audio/video bypass policy, you need to stop the applications that have been started on the local terminal. Otherwise, the application cannot be used on the cloud desktop.
  • Before using applications that are mapped to the cloud desktop through the audio/video bypass policy, ensure that the cloud desktop is in full screen mode.
  • When an application that is mapped to the cloud desktop through the audio/video bypass policy is used on the cloud desktop, other applications on the cloud desktop cannot be used to interact with the application. For example, you cannot use the screenshot software on the cloud desktop to capture the application GUI.
  • The input method used by the application is the terminal-side input method. If you want to switch the input method when using an application that is mapped to the cloud desktop through the audio/video bypass policy on the cloud desktop, you need to switch the input method of the local terminal. For example, an input method is switched by using a keyboard shortcut, or an input method is switched on a local desktop by minimizing a cloud desktop.
  • When an application that is mapped to the cloud desktop through the audio/video bypass policy is used on the cloud desktop, if you press Alt+Tab to switch between windows, the local terminal GUI is displayed.
  • If the Video devices (such as cameras) policy in USB Port Redirection is enabled on the current cloud desktop, the camera on the local terminal cannot be used when you perform video-related operations on the cloud desktop using applications mapped to the cloud desktop through the audio/video bypass policy.
  • If you want to copy text between a cloud desktop and an application mapped to the cloud desktop through the audio/video bypass policy, you need to enable the clipboard redirection policy on the cloud desktop. For details about policy configuration, see How Do I Copy Files Between a Desktop and a Local Storage Device?
  • After a local application is mapped to the cloud desktop through the audio/video bypass policy, you are not advised to use the software package to install the application on the cloud desktop. Otherwise, when you start the application on a web page, the application installed using the software package on the cloud desktop will be started.
Table 9 General audio/video bypass policies

Parameter

Description

Example Value

General Audio/Video Bypass
  • : The general audio/video bypass policy is enabled.
  • : The general audio/video bypass policy is disabled. By default, this parameter is disabled.

Software Path

Used to configure the software path and start parameters for the general audio/video bypass policy.

Separate multiple paths with semicolons (;). If an installation path contains spaces, use double quotation marks ("") to quote the path. Example:

"C:\Users\userName\AppData\Roaming\HuaweiMeeting\HuaweiMeeting\HuaweiMeeting.exe" --bypass; HuaweiMeeting.exe --bypass;

Currently, only Huawei Cloud Meeting is supported.

NOTE:
  • C:\Windows\System32\notepad.exe is the installation path of the corresponding software on the local PC. You can find the shortcut icon of the installed software on the local PC, right-click the shortcut icon, and choose Properties from the shortcut menu. On the Shortcut tab of the application properties, replace the address with that in Target.
  • hello.txt is the start parameter of the corresponding software on the local PC. You need to configure the start parameters only when the software has start parameters. For example, skip this operation for Huawei Cloud Meeting, which does not have start parameters.

C:\Users\Username\AppData\Roaming\HuaweiMeeting\HuaweiMeeting\HuaweiMeeting.exe

Virtual Channels

The administrator can configure a virtual channel policy so that users can access the cloud desktop through the Huawei Cloud Workspace client and download plug-ins. Table 10 describes virtual channel policies.

Table 10 Virtual channel policies

Parameter

Description

Example Value

Virtual Channel Control
  • : The virtual channel control policy is enabled.
  • : The virtual channel control policy is disabled. By default, this parameter is disabled.

Custom Virtual Channel Registered Name

Contact Huawei technical support to obtain it.

-

Configuration Information

Contact Huawei technical support to obtain it.

-

Third-Party Plug-in Name

Used by clients (Windows clients only) to load third-party plug-ins, for example, LyncVdiPluginLib. Multiple plug-in names can be entered and must be separated by spaces or commas (,).

LyncVdiPluginLib

Keyboards and Mouse Devices

Configure keyboard and mouse device policies, as shown in Table 11.
Table 11 Keyboard and mouse device policies

Parameter

Description

Recommended Value

Computer Mouse Device Feedback
  • Adaptive
  • Force
  • Disabled

Adaptive

Computer Mouse Device Simulation Mode

If you select Relative positioning, the value of Change the size of text, apps, and the other items on the display settings cannot be higher than 100% on the user VM.

  • Absolute positioning
  • Relative positioning

Absolute positioning

Self-help Console Login Preemption

This configuration item is used to determine whether preemption login through the self-help console is allowed when a user desktop has been logged in to.

Computer External Cursor Feedback
  • : Computer external cursor feedback is enabled.
  • : Computer external cursor feedback is disabled.

Screen Recording Audit

Configure screen recording audit policies, as shown in Table 12.

If you use screen recording audit for the first time, the OBS resources are required. You need to add access authorization. After the authorization is granted, an agency named workspace_trust_for_obs will be created for you in IAM. Do not delete or modify workspace_trust_for_obs.

Table 12 Screen recording audit policies

Parameter

Description

Recommended Value

Screen Recording Audit
  • : Enable screen recording audit, check the box I have read and agree to enable screen recording audit, and click OK.
  • : Disable screen recording audit.
    NOTE:
    • Screen recording audit might capture private data of end users, so make sure that related permissions are obtained from them. Audited end users will be notified when screen recording audit is enabled.
    • Enabling screen recording will consume a small number of CPU and memory resources on the desktop.
    • Screen recording audit is available only for Windows cloud desktops.
    • Only AccessAgent 24.6.4 and later versions support this function.
    • Screen recording audit is currently in open beta test (OBT) and is free of charge. After the OBT ends, you are charged for using the feature, and an announcement that includes the billing rules will be released in advance.
    • After the screen recording audit policy is enabled, the self-help console function of the client becomes unavailable.
    • After enabling the screen recording audit policy, you need to disable the remote login port of the desktop security group. For details, see How Do I Disable the Remote Login Port of a Desktop Security Group?

Screen Recording Type
  • Continuous: Screen recording happens from the time of connecting to the cloud desktop to the time of disconnection.
  • Interval-based: Screen recording happens within a specified period, covering the entire process from connecting to the cloud desktop until disconnection. The recording will end automatically if a user disconnects before the specified period is reached.

    You can customize the time period.

  • Operation-triggered: Screen recording starts once any of the following operations is detected:
    • Keyboard/Mouse operations: Screen recording starts when end users type or click using the keyboard or mouse device, and stops 10 minutes after they stop typing or clicking.
    • File transfer between cloud desktops and local PCs: Screen recording starts when end users transfer files between cloud desktops and local PCs, and stops 10 minutes after the file transfer is complete.
  • Entire session: Screen recording starts when a session is created and ends when the session is closed.

Continuous

Audio Recording

After the recording starts, determine whether to record the audio of the cloud desktop.

No

Frame Rate

2/5/10/15 FPS

5 FPS

Resolution

720p, 1080p, or original resolution

1080p

Recording File Segment

10/20/30/60 minutes

10 minutes

Save To
  • Auto create: An OBS bucket is automatically created to store the screen recording files of a desktop.
  • Select existing: Select an existing OBS bucket from the drop-down list.
    Retention Period (Days):
    • Temporarily: You can set the screen recording file retention period (range: 1 to 180 days). Screen recording files will be permanently deleted after the retention period expires.
    • Permanently: Screen recording files will be permanently stored in an OBS bucket, but the screen recording records will be stored for only 180 days. After more than 180 days, you need to view the recording files in the OBS bucket.
    NOTE:

    You need to authorize Workspace to store cloud desktop screen recording files in OBS in the current region. This will incur certain fees. For details, see OBS Billing.

Auto create

Key event audit

You can enable this function to collect key events of desktops. For details, see Event Audit.

-

Application monitoring: including application startup, termination, abnormal exit, installation, and uninstallation, and no application response

NOTE:
  • No key event will be reported if an application is opened and closed within 10 seconds.
  • Application installation time is the time that is written into the registry after the installation is complete.
  • Application uninstallation time is the time when the registry of the application is deleted during uninstallation.
  • Monitoring paths for application installation and uninstallation:
    • 64-bit: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
    • 32-bit: HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion

App Startup/Termination Monitoring

  • Whitelist: Only the startup and termination events of application processes in the whitelist are monitored.
  • Blacklist: The startup and termination events of application processes in the blacklist are not monitored.

File monitoring: file creation, deletion, and renaming

Monitored file extension: including .doc, .ppt, .xlsx, and .txt. A maximum of 1,000 characters are allowed. You can customize the file format. For details about more file name extensions, see Common File Name Extensions.

Protocol behavior monitoring: file redirection, USB insertion and removal, clipboard operations, idle (no operations), and file printing
Parent topic: Creating a Policy