Hello. Im doing this from memory, but the choices are this:
(1) Put a unique certificate on each desktop that has the IP address in it, which is assigned the generic name "Blast". Not sure if this can be done through a windows CA request auto-enrolment, but if so, it would probably occur after the blast service had started. So this option is probably not going to work.
(2) Get a wildcard digital certificate which is installed on each desktop. There is a group policy telling horizon to connect using DNS names instead of IP address (can't remember what it's called). The issue here is that it relies on the DNS being 100% accurate. In our case, using application layering and machine rebuilding, deleting all the time, it get's out of whack. So we cant.
Hope that helps.