Product Documentation

Configure USB support

May 27, 2015

USB support enables users to interact with a wide range of USB devices when connected to a virtual desktop. Users can plug USB devices into their computers and the devices are redirected to their virtual desktop. USB devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets.

Isochronous features in USB devices such as webcams, microphones, speakers, and headsets are supported in typical low latency/high speed LAN environments. This allows these devices to interact with packages such as Microsoft Office Communicator and Skype.

The following types of device are supported directly in a XenDesktop session, and so do not use USB support:

  • Keyboards
  • Mice
  • Smart cards
  • Headsets
  • Webcams
Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can be configured to use USB support. For information on configuring policy rules for other specialist USB devices, see CTX 119722.

By default, certain types of USB devices are not supported for remoting through XenDesktop. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a XenDesktop session:

  • Bluetooth dongles
  • Integrated network interface cards
  • USB hubs

To update the default list of USB devices available for remoting, edit the usb.conf file, located in $ICAROOT/. For more information, see Update the list of USB devices available for remoting.

To allow the remoting of USB devices to virtual desktops, enable the USB policy rule. For more information, see the XenDesktop documentation.

How USB support works

When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, redirected to the virtual desktop. If the device is denied by the default policy, it is available only to the local desktop.

For desktops accessed through desktop appliance mode, when a user plugs in a USB device, that device is automatically redirected to the virtual desktop. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.

Mass storage devices

If a user disconnects from a virtual desktop when a USB mass storage device is still plugged in to the local desktop, that device is not redirected to the virtual desktop when the user reconnects. To ensure the mass storage device is redirected to the virtual desktop, the user must remove and re-insert the device after reconnecting.

Note: If you insert a mass storage device into a Linux workstation that has been configured to deny remote support for USB mass storage devices, the device will not be accepted by the Receiver software and a separate Linux file browser may open. Therefore, Citrix recommends that you pre-configure user devices with the Browse removable media when inserted setting cleared by default. On Debian-based devices, do this using the Debian menu bar by selecting Desktop > Preferences > Removable Drives and Media, and on the Storage tab, under Removable Storage, clear the Browse removable media when inserted check box.
Note: If the Client USB device redirection server policy is turned on, mass storage devices are always directed as USB devices even if client drive mapping is turned on.


By default, optimum webcam performance is provided by HDX RealTime Webcam Video Compression. In some circumstances, however, you may require users to connect webcams using USB support. To do this, you must disable HDX RealTime Webcam Video Compression. For more information see, Configure HDX RealTime webcam video compression

Configure start-up modes

Using desktop appliance mode, you can change how a virtual desktop handles previously attached USB devices. In the WfClient section in the file $ICAROOT/config/module.ini on each user device, set DesktopApplianceMode = Boolean as follows.

TRUE Any USB devices that are already plugged in start up provided the device is not disallowed with a Deny rule in the USB policies on either the server (registry entry) or the user device (policy rules configuration file).
FALSE No USB devices start up.

USB classes allowed by default

The following classes of USB device are allowed by the default USB policy rules:

Audio (Class 01)

Includes microphones, speakers, headsets, and MIDI controllers.

Physical Interface (Class 05)

These devices are similar to HIDs, but generally provide real-time input or feedback and include force feedback joysticks, motion platforms, and force feedback exoskeletons.

Still Imaging (Class 06)

Includes digital cameras and scanners. Digital cameras often support the still imaging class which uses the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP) to transfer images to a computer or other peripheral. Cameras may also appear as mass storage devices and it may be possible to configure a camera to use either class, through setup menus provided by the camera itself.

Note that if a camera appears as a mass storage device, client drive mapping is used and USB support is not required.

Printers (Class 07)

In general most printers are included in this class, although some use vendor-specific protocols (class ff). Multi-function printers may have an internal hub or be composite devices. In both cases the printing element generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.

Printers normally work appropriately without USB support.

Mass Storage (Class 08)

The most common mass storage devices are USB flash drives; others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers. There are a wide variety of devices having internal storage which also present a mass storage interface; these include media players, digital cameras, and mobile phones. Known subclasses include:

  • 01 Limited flash devices
  • 02 Typically CD/DVD devices (ATAPI/MMC-2)
  • 03 Typically tape devices (QIC-157)
  • 04 Typically floppy disk drives (UFI)
  • 05 Typically floppy disk drives (SFF-8070i)
  • 06 Most mass storage devices use this variant of SCSI

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Consider carefully whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping, or USB support.

Content Security (Class 0d)

Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.

Video (Class 0e)

The video class covers devices that are used to manipulate video or video-related material, such as webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support video streaming.

Personal Healthcare (Class 0f)

These devices include personal healthcare devices such as blood pressure sensors, heart rate monitors, pedometers, pill monitors, and spirometers.

Application and Vendor Specific (Classes fe and ff)

Many devices use vendor specific protocols or protocols not standardized by the USB consortium, and these usually appear as vendor-specific (class ff).

USB device classes denied by default

The following classes of USB device are denied by the default USB policy rules:

Communications and CDC Control (Classes 02 and 0a)

Includes modems, ISDN adapters, network adapters, and some telephones and fax machines.

The default USB policy does not allow these devices, because one of them may be providing the connection to the virtual desktop itself.

Human Interface Devices (Class 03)

Includes a wide variety of both input and output devices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control functions.

Subclass 01 is known as the boot interface class and is used for keyboards and mice.

The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards and mice are handled appropriately without USB support and it is normally necessary to use these devices locally as well remotely when connecting to a virtual desktop.

USB Hubs (Class 09)

USB Hubs allow extra devices to be connected to the local computer. It is not necessary to access these devices remotely.

Smart card (Class 0b)

Smart card readers include contactless and contact smart card readers, and also USB tokens with an embedded smart card equivalent chip.

Smart card readers are accessed using smart card remoting and do not require USB support.

Wireless Controllers (Class e0)

Includes a wide variety of wireless controllers, such as ultra wide band controllers and Bluetooth.

Some of these devices may be providing critical network access, or connecting critical peripherals such as Bluetooth keyboards or mice.

The default USB policy does not allow these devices. However, there may be particular devices it is appropriate to provide access to using USB support.

Update the list of USB devices available for remoting

You can update the range of USB devices available for remoting to desktops by editing the list of default rules contained in the usb.conf file located on the user device in $ICAROOT/.

You update the list by adding new policy rules to allow or deny USB devices not included in the default range. Rules created by an administrator in this way are applied before the default rules when a virtual desktop starts. This allows you to override the default rules provided by XenDesktop.

The default policy configuration for disallowed devices is:

DENY: class=09 # Hub devices

DENY: class=03 subclass=01 # HID Boot device (keyboards and mice)

DENY: class=0b # Smartcard

DENY: class=e0 # Wireless Controllers

DENY: class=02 # Communications and CDC Control

DENY: class=03 # UVC (webcam)

DENY: class=0a # CDC Data

ALLOW: # Ultimate fallback: allow everything else

Create USB policy rules

Tip: When creating new policy rules, refer to the USB Class Codes, available from the USB web site at

Policy rules in usb.conf on the user device take the format {ALLOW:|DENY:} followed by a set of expressions based on values for the following tags:

Tag Description
VID Vendor ID from the device descriptor
REL Release ID from the device descriptor
PID Product ID from the device descriptor
Class Class from either the device descriptor or an interface descriptor
SubClass SubClass from either the device descriptor or an interface descriptor
Prot Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, be aware of the following:

  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by "#". A delimiter is not required and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • Whitespace used as a separator is ignored, but cannot appear in the middle of a number or identifier. For example, Deny: Class=08 SubClass=05 is a valid rule; Deny: Class=0 8 Sub Class=05 is not.
  • Tags must use the matching operator "=". For example, VID=1230.


The following example shows a section of the usb.conf file on the user device. For these rules to be implemented, the same set of rules must exist on the server.

ALLOW: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive

DENY: Class=08 SubClass=05 # Mass Storage Devices

DENY: Class=0D # All Security Devices