Connection settings window

Connection settings for a Windows VM

The Connection settings window lets you customize how IAP Desktop connects to your VMs. You can configure connection settings for individual VMs or entire zones or projects.

Connection settings support inheritance: If you configure a connection setting for a project, this setting applies to all zones and VMs in the project. Similarly, if you configure a connection setting for a zone, it applies to all VMs in that zone:

Settings inheritance

You can override inherited settings at lower levels. Whenever a setting deviates from the (inherited) default, its value is shown in bold typeface.

Connection settings are stored on your local computer and don't affect the configuration of the remote VM.

Windows Credentials

These settings control which user account you log on with. If you don't configure Windows credentials, IAP Desktop might prompt you for credentials when you first try to connect.

You can use the following types of user accounts:

a local Windows user account
an Active Directory user account

The user account must have permission to use Remote Desktop. Typically, this requires that the user is either a member of the Administrators group or the Remote Desktop users group.

Setting	Description	Required
Username	Username or UPN, for example `bob` or `bob@example.com`.	No
Password	Account password	No
Domain	Leave blank if you're using an UPN as username Use the NetBIOS domain name if the username is a NetBIOS username Use `.` if you're using a local Windows user account	No

Remote Desktop Connection

These settings control how IAP Desktop connects to your VM. You can let IAP Desktop connect in one of two ways:

IAP Tunnel: By default, IAP Desktop connects to the internal IP address of your VM through an IAP-TCP forwarding tunnel .
VPN/Interconnect: Alternatively, you can let IAP Desktop connect to the VM's internal IP address through Cloud VPN or Interconnect. If you use this option, IAP Desktop doesn't use IAP-TCP forwarding.

Setting	Description	Default
Connect via	Controls how IAP Desktop connects to your VM, see description above.
Connection timeout	Timeout for connecting to the VM, in seconds.	30 seconds
Server port	Port to connect to.	`3389`

Remote Desktop Display

These settings control the display settings for Remote Desktop.

Setting	Description	Default
Color depth	Color depth to use.	True color (24-bit)
Connection bar	Controls the behavior of the connection bar that's shown when you set the Remote Desktop session to full-screen.	Auto hide
Display resolution	Controls the screen resolution and size of the remote desktop. Adjust automatically: Adjust the size and resolution to fit the IAP Desktop window. Same as this computer: Use the same size and resolution as the current monitor on your local computer.	Adjust automatically
Display scaling	Controls whether to scale the size of texts, fonts, and apps on the remote desktop. Same as this computer: Use the same scaling setting as your local computer. Disabled (100%): Disable scaling and show texts, fonts, and apps at their regular size.	Disabled (100%)

Remote Desktop Resources

These settings control which local and remote resources you want to share.

Setting	Description	Default
Audio playback	Controls where to play back audio.	Play on this computer
Microphone	Share default input device so that you can use it on the remote VM. This setting only applies if you've set Audio playback to Play on this computer. Sharing your microphone with a Windows 10/11 VM typically doesn't require any additional configuration on the VM. To share your microphone with a Windows Server VM, install the Remote Desktop Session Host role on the VM and ensure that the Windows Audio Service is running.	Don't share
Windows shortcuts	Controls whether IAP Desktop redirects Windows shortcuts (such as `Win+R`) to the VM: Don't redirect: Don't redirect shortcuts and handle them locally instead. Redirect to remote VM: Always redirect shortcuts and handle them remotely. Redirect in full-screen: Only redirect shortcuts when the Remote Desktop session is in full-screen mode.	Only in full-screen mode
Clipboard	Share clipboard contents between your local computer and the remote VM.	Share
Printers	Share local printers so that you can use them on the remote VM.	Don't share
Smart cards	Share smart cards so that you can use them on the remote VM.	Don't share
Local ports	Share local ports (COM, LPT) so that you can access them on the remote VM.	Don't share
Drives	Share local drives so that you can access them on the remote VM.	Don't share
Plug and Play devices	Share local Plug and Play devices so that you can use them on the remote VM.	Don't share
WebAuthn authenticators	Share WebAuthn authenticators and Windows Hello devices so that you can use WebAuthn on the remote VM.	Share

Remote Desktop Security Settings

These settings control which RDP security mechanism to apply.

Setting	Description	Default
Automatic logon	Controls how IAP Desktop behaves if you haven't configured any Windows credentials. When set to Enabled, IAP Desktop proactively shows a credential prompt that offers a Remember me option so that it can log you in automatically the next time. When set to Disabled, IAP Desktop won't offer a Remember me option, and won't try to log you in automatically unless you manually configure Windows credentials. Set this to Disabled for VMs that use the Always prompt for password upon connection group policy setting to prevent duplicate password prompts. The setting is automatically set to Disabled if your local computer is subject to the Do not allow passwords to be saved group policy.	See description
Network level authentication	Controls whether to secure connection using network level authentication (NLA). Leave NLA enabled unless you're connecting to a VM that uses a custom credential service provider such as the Google Credential Provider for Windows. Disabling NLA automatically enables server authentication.	Enabled
Restricted Admin mode	Controls whether to use Restricted Admin mode, which disables the transmission of reusable credentials to the VM. To use Restricted Admin mode, you must ensure that the following prerequisites are met: You're using a user account that has local administrator privileges on the VM. You've configured the VM to permit Restricted Admin mode. If you don't meet these prerequisites, connecting to the VM might fail with the error Account restrictions are preventing this user from signing in.	Disabled
Session type	Controls the type of RDP session to use: Normal user session: Establishes a normal user session. RDS admin-session: Establishes an administrative session, equivalent to running `mstsc /admin`. This setting only affects VMs that operate as RDS session hosts. For further details, see Changes to Remote Administration in Windows Server 2008.	Normal user session

SSH Connection

These settings control how IAP Desktop connects to your VM. The settings are analogous to the Remote Desktop Connection settings.

SSH Credentials

These settings control which user account you log on with, and which authentication method to use.

IAP Desktop supports the following SSH authentication methods:

publickey
password
keyboard-interactive

When you use publickey, IAP Desktop automatically publishes a public key to the VM, and uses the corresponding private key to authenticate. Depending on the VM's configuration, IAP Desktop uses either OS Login or metadata keys to publish the public key.

Setting	Description	Default
Public key authentication	Controls the authentication method to use: Enabled: Use `publickey` authentication and let IAP Desktop automatically create an SSH key and publish it using OS Login or metadata keys. Disabled: Use `password` or `keyboard-interactive`-based authentication.	Enabled
Username	Linux/Unix username. This setting is ignored when using OS Login because OS Login automatically determines your username.
Password	Linux/Unix password