Group Policy Object (GPO) template

GPO Editor

USB for Remote Desktop Server includes *.admx and *.adml administrative template files. These template files allow you to configure the product via a Local GPO and/or a Domain-Based GPO. Please refer to the Microsoft MSDN article on managing ADMX files.

The archive file containing the administrative templates can be found in the installation directory:

%ProgramFiles%\FabulaTech\USB for Remote Desktop (Server)\policies.zip

Additionally, the administrative template files are deployed to a local GPO during product installation and can be found here:

%WINDIR%\PolicyDefinitions\Fabulatech.admx
%WINDIR%\PolicyDefinitions\ftusbrdpsrv.admx
%WINDIR%\PolicyDefinitions\en-US\Fabulatech.adml
%WINDIR%\PolicyDefinitions\en-US\ftusbrdpsrv.adml

It's recommended to use the GPO template files provided with the latest product version of USB for Remote Desktop Server.

Some GPO policies can be set in different locations, depending on their target (Computer Configuration, User Configuration), or their level of applicability (FabulaTech, Product). If a policy is configured in multiple locations, the following priority order applies (from highest to lowest):

  1. Computer Configuration -> Administrative Templates -> FabulaTech
  2. User Configuration -> Administrative Templates -> FabulaTech
  3. Computer Configuration -> Administrative Templates -> FabulaTech -> USB for Remote Desktop (Server)
  4. User Configuration -> Administrative Templates -> FabulaTech -> USB for Remote Desktop (Server)
  5. Product settings (GUI, registry, etc.)

Policies defined at a higher level override those set at lower levels.

The GPO template can be used to configure the following settings:

Each setting is listed below with its Target and Level, followed by its Description.

Licensing (Target: Computer; Level: Product)

This policy setting is used for licensing management. The following licensing modes are used:

  • License key: use the specified license key for each product server;
  • License server: use a license server for centralized management of licensing.

For the "License key" licensing mode, you must specify the key string in the corresponding field.

For the "License server" licensing mode, you must specify the license server name in the name_or_ip:port format, where the port is an optional parameter.

If this policy setting is enabled, it overrides the licensing mode. For example, the license key from the GPO is used instead of the key set via the settings interface.

If this policy setting is disabled or not configured, the licensing mode is determined via the settings interface.

Log file rotation (Target: Computer; Level: Product)

This policy setting controls advanced log file rotation behavior. The product may create multiple logs for each user, depending on factors such as Session ID, Process ID (PID), and FabulaTech product module. Each log is stored on disk as a set of log file parts, which are created as the log is rotated. When the active log file part reaches the configured size limit, it is rotated: the current file part is renamed, and a new empty file part is created for the same log. If any of the configured limits are exceeded, the oldest log file parts are automatically removed according to the configured rules.

  • Maximum log file part size (per file), MB. Range: 50-1000. Specifies the maximum size, in megabytes, of a single log file part. When a log file part exceeds this value, the file is rotated and a new file part is created for the same log.
  • Maximum log file parts (per log). Range: 1-99. Specifies the maximum number of log file parts allowed for each individual log. If this limit is exceeded, the oldest file part belonging to that log is removed. If set to 1, only a single log file part is kept. When the maximum file size is reached, the file part is overwritten.
  • Maximum log file parts (global). Specifies the maximum total number of log file parts stored on disk across all logs and all users. If this limit is exceeded, the oldest log file parts are removed, regardless of which log they belong to. If 0, no global limit is applied; an unlimited number of log file parts is allowed.

If this policy is disabled or not configured, log file rotation behavior is controlled by the application’s internal log rotation settings.

Log level (Target: Computer; Level: Product)
Log Level
Range: 0–10
This policy setting configures the log level, which determines which events are written to the log files. This setting is intended for troubleshooting purposes and is typically enabled at the request of the FabulaTech technical support team.

The following values are supported:

  • 0 - Error
  • 1 - Warning
  • 2 - Information
  • 3 - Debug
  • 4 - Dump
  • 5–10 - Reserved

If this policy is disabled or not configured, the log level is controlled by the application’s internal logging settings.

Device connection policies (Target: User; Level: Product)

This policy setting allows you to configure USB device connection rights. For example, you can deny access to mass storage devices for all users except administrators, or allow access to a specific model of a signature pad for a specific user and automatically connect that device when the user logs on.

Each policy consists of two main components:

  • Device Group, which identifies the USB device or devices
  • Policy Action, which defines how the matching device is handled

1. Device Group

A Device Group is a set of properties used to identify one or more USB devices. A Device Group may represent a single USB device or a group of similar devices.

The following USB device properties can be used:

  • Vendor ID (VID)
  • Product ID (PID)
  • Serial number
  • Class
  • Subclass
  • Protocol

To identify a group of USB devices, specify only a subset of these properties.

Device Group Matching and Priority

If multiple Device Groups match a USB device, the group with the highest priority is selected. A Device Group has a higher priority when it specifies more identifying properties.

Each property has the following priority weight:

Property (Priority)

  • VID (32)
  • PID (16)
  • Serial number (8)
  • Class (4)
  • Subclass (2)
  • Protocol (1)

The total priority of a Device Group is calculated as the sum of the weights of all specified properties.

Example:

If one Device Group specifies VID + PID + Serial number and another specifies Class + Subclass, the first group has a higher priority.

Important:

If a USB device is a composite device, multiple Device Groups with the same priority may match the device (depending on the number of USB interfaces). In this case, the Policy Action with the highest priority is applied.

2. Policy Actions

A Policy Action defines how a matching USB device is handled for a specific user. The following actions are supported:

  • Exclude (exclude) — The USB device is blocked and hidden from the device list.
  • Deny (deny) — The USB device is blocked but remains visible in the device list.
  • Allow (allow) — The USB device is allowed to connect.
  • Auto-connect (auto) — The USB device is automatically connected at user logon.
  • Auto-connect, prevent disconnection (force) — The USB device is automatically connected at user logon and cannot be disconnected by the user.

Important:

If a USB device does not match any Device Group, it is allowed to connect (Allow action).

Policy Action Matching and Priority

When a USB device matches a Device Group, the system selects the appropriate Policy Action for the logged-on user. If multiple Policy Actions apply (for example, one for a user group and one for a specific user), the action with the highest priority is selected.

Policy Action (Priority)

  • Exclude (5)
  • Deny (4)
  • Auto-connect, prevent disconnection (3)
  • Auto-connect (2)
  • Allow (1)

If a USB device is a composite device and multiple Device Groups with the same priority match it, the Policy Action with the highest priority is applied.

Device Policies Format

The Device Policies setting is a multi-string value that represents a list of device policies. Each entry defines the action to be applied to a specific Device Group.

Syntax
"name" action [hwid vid[:pid]][class cls[:sub[:proto]]][serial "serial"]

Parameters

  • name — Policy name (for readability)
  • action — Policy action, how a matching USB device is handled (see below)
  • vid — USB Vendor ID
  • pid — USB Product ID (cannot be used without VID)
  • cls — USB device class
  • sub — USB device subclass (cannot be used without class)
  • proto — USB device protocol (cannot be used without subclass)
  • serial — USB device serial number

Supported Actions

allow | auto | force | deny | exclude

Device Policy Examples

It's a good practice to deny (prohibit from connecting) or exclude (hide and prohibit from connecting) all USB devices, and allow only specific devices or device groups.

Example 1 - allow only a specific signature pad model and any smart card USB devices

"Deny all" deny
"Sigpad" allow hwid 2133:000F
"Smartcards" allow class 0B

Example 2 - auto-connect the SpeechMike USB dictation microphone at log-on and prevent disconnection

"Exclude all" exclude
"Philips SpeechMike" force hwid 0911:0C1C

Example 3 - automatically connect a specific USB device instance when multiple devices of the same model are present. The target device is uniquely identified by its USB device serial number.

"Deny all" deny
"Gemalto eToken" allow hwid 08E6:34CF serial "66EABC8761C2"

If this policy setting is disabled or not configured, locally configured device policies are used.
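
To review a Device Policies list before deploying it, the syntax and the two priority tables above can be modeled offline. The Python below is an added example, not FabulaTech code: it parses entries, computes each Device Group's priority, and resolves the action for a single-interface device. Assumptions: hex fields use the digit widths shown in the page's examples, serial numbers compare exactly, ties between groups of equal priority go to the higher-priority action, and all function names are hypothetical.

```python
import re

# Weights and action priorities copied from the tables on this page.
WEIGHTS = {"vid": 32, "pid": 16, "serial": 8, "cls": 4, "sub": 2, "proto": 1}
ACTIONS = {"exclude": 5, "deny": 4, "force": 3, "auto": 2, "allow": 1}

# Assumption: hex fields are written as in the page's examples
# (4 hex digits for VID/PID, 2 for class/subclass/protocol).
ENTRY = re.compile(
    r'^"(?P<name>[^"]*)"\s+(?P<action>[a-z]+)'
    r'(?:\s+hwid\s+(?P<vid>[0-9A-Fa-f]{4})(?::(?P<pid>[0-9A-Fa-f]{4}))?)?'
    r'(?:\s+class\s+(?P<cls>[0-9A-Fa-f]{2})'
    r'(?::(?P<sub>[0-9A-Fa-f]{2})(?::(?P<proto>[0-9A-Fa-f]{2}))?)?)?'
    r'(?:\s+serial\s+"(?P<serial>[^"]*)")?\s*$')

def norm(key, value):
    # Hex fields compare case-insensitively; serials compare exactly (assumption).
    return value if key == "serial" else value.upper()

def parse_policy(line):
    """Parse one entry into (name, action, device_group_dict)."""
    m = ENTRY.match(line.strip())
    if not m or m["action"] not in ACTIONS:
        raise ValueError(f"malformed device policy: {line!r}")
    return m["name"], m["action"], {k: norm(k, m[k]) for k in WEIGHTS if m[k]}

def group_priority(group):
    """Sum of the weights of all properties the Device Group specifies."""
    return sum(WEIGHTS[k] for k in group)

def resolve(policies, device):
    """Return (policy_name, action) for a single-interface device."""
    matches = []
    for name, action, group in map(parse_policy, policies):
        if all(norm(k, device.get(k, "")) == v for k, v in group.items()):
            matches.append((group_priority(group), ACTIONS[action], name, action))
    if not matches:
        return None, "allow"  # no Device Group matches: the page's default
    return max(matches)[2:]   # highest group priority, then action priority

def has_baseline(policies):
    """True if a property-less deny/exclude entry catches unlisted devices."""
    return any(a in ("deny", "exclude") and not g
               for _, a, g in map(parse_policy, policies))

# Example 1 from the page; device dicts passed to resolve() are constructed.
EXAMPLE_1 = ['"Deny all" deny', '"Sigpad" allow hwid 2133:000F',
             '"Smartcards" allow class 0B']
```

Because a device that matches no Device Group is allowed, `has_baseline` is the check to run first on any list intended as an allow-list.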

Turn off "Check for updates" (Target: Computer; Level: FabulaTech, Product)

This policy setting determines whether the application is allowed to check for updates and notify the logged-on user.

Enabled:
Disables the "Check for updates" feature. The application will not check for updates and users will not receive update notifications.

Disabled:
Enables the "Check for updates" feature. The application can check for updates and notify users when updates are available.

Not Configured:
The application’s local settings determine whether it checks for updates and notifies the user.

Note: If this policy setting is applied at the FabulaTech level, it overrides the same policy setting applied at the product level for all installed FabulaTech products.

Audio device isolation mode (Target: Computer; Level: FabulaTech)

This setting is common for multiple FabulaTech products, including USB for Remote Desktop, Sound for Remote Desktop, and Webcam for Remote Desktop.

This policy setting defines how redirected audio devices are isolated across user sessions in a multi-user environment. This setting is relevant when multiple users are logged on to the same server simultaneously and multiple audio devices are present.

FabulaTech isolates audio devices within user sessions so that only the owning user can access the redirected device. To provide isolation, the program relies on a dedicated FabulaTech isolation driver. If the isolation driver is disabled or uninstalled (for example, by an administrator or security software), audio isolation may be affected. As a result, an audio device may become accessible from another user session.

Important: The audio device isolation mode is determined when a user session starts. If this policy setting is changed, existing user sessions are not affected. Users must sign out and sign in again for the new isolation mode to take effect.

To address such scenarios, the following isolation modes are available:

Strict

Provides the highest level of isolation. Audio devices are isolated and accessible only to their owner.

If the isolation driver is disabled or becomes inactive, the audio device immediately becomes unavailable to all users.

Important: Native Remote Desktop audio redirection is not supported in this mode.

This mode is recommended for environments that require maximum session separation and where native audio redirection is not required.

Session-isolated (compatible)

Provides session-based isolation with a compatibility fallback. By default, audio devices are isolated and accessible only to their owner. Native Remote Desktop audio redirection is supported in this mode.

If the isolation driver is disabled or becomes inactive, the audio devices remain accessible globally (without isolation).

This mode is the only option that allows native and FabulaTech audio redirection to be used together.

No isolation

No session isolation is applied. Audio devices are accessible to all logged-on users.

This mode is not recommended for multi-user environments.

It should only be used in special scenarios, such as single-user systems where concurrent sessions are not possible.

If this policy setting is Disabled or Not Configured

The audio isolation mode is controlled by the local settings of the corresponding FabulaTech device redirection software (Sound for Remote Desktop, Webcam for Remote Desktop, or USB for Remote Desktop).