Citrix Virtual Apps and Desktops

Generic USB redirection and client drive considerations

HDX technology provides optimized support for most popular USB devices. Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.

HDX technology provides generic USB redirection for specialty devices that don’t have optimized support or where it is unsuitable, for example:

  • The USB device has features beyond those covered by optimized support, such as a mouse with extra buttons or a webcam with additional controls.
  • Users need functions which are not part of optimized support.
  • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
  • An application requires direct access to the device as a USB device.
  • The USB device only has a Windows driver available. For example, a smart card reader might not have a driver available for the Citrix Workspace app for Android.
  • The version of the Citrix Workspace app does not provide any optimized support for this type of USB device.

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

Important:

  • Generic USB redirection can be used together with optimized support. If you enable generic USB redirection, configure Citrix USB devices policy settings for both generic USB redirection and optimized support.
  • The Client USB device optimization rules policy setting applies only to generic USB redirection of a particular USB device. It does not apply to optimized support as described here.

Performance considerations for USB devices

Network latency and bandwidth can affect user experience and USB device operation when using generic USB redirection for some types of USB devices. For example, timing-sensitive devices might not operate correctly over high-latency low-bandwidth links. Use optimized support instead where possible.

Some USB devices require high bandwidth to be usable, for example a 3D mouse (used with 3D apps that also typically require high bandwidth). If bandwidth cannot be increased, you might be able to mitigate the issue by tuning bandwidth usage of other components using the bandwidth policy settings. For more information, see Bandwidth policy settings for Client USB device redirection, and Multi-stream connection policy settings.

Security considerations for USB devices

Some USB devices are security-sensitive by nature, for example, smart card readers, fingerprint readers, and signature pads. Other USB devices such as USB storage devices can be used to transmit data that might be sensitive.

USB devices are often used to distribute malware. Configuration of Citrix Workspace app and Citrix Virtual Apps and Desktops can reduce, but not eliminate, risk from these USB devices. This situation applies whether generic USB redirection or optimized support is used.

Important:

For security-sensitive devices and data, always secure the HDX connection using either TLS or IPsec.

Only enable support for the USB devices that you need. Configure both generic USB redirection and optimized support to meet this need.

Provide guidance to users for safe use of USB devices:

  • Use only USB devices that have been obtained from a trustworthy source.
  • Don’t leave USB devices unattended in open environments - for example, a flash drive in an internet cafe.
  • Explain the risks of using a USB device on more than one computer.

Compatibility with generic USB redirection

Generic USB redirection is supported for USB 2.0 and earlier devices, and for USB 3.0 devices connected to a USB 2.0 or USB 3.0 port. It does not support features introduced with USB 3.0, such as SuperSpeed transfers.

For the Citrix Workspace apps and versions that support generic USB redirection, see the Citrix Workspace app feature matrix.

If you are using earlier versions of the Citrix Workspace app, see the Citrix Workspace app documentation to confirm that generic USB redirection is supported. See Citrix Workspace app documentation for any restrictions on USB device types that are supported.

Generic USB redirection is supported for desktop sessions from VDA for Single-session OS version 7.6 through current.

Generic USB redirection is supported for desktop sessions from VDA for Multi-session OS version 7.6 through current, with these restrictions:

  • The VDA must be running Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022.
  • The USB device drivers must be fully compatible with the Remote Desktop Session Host (RDSH) role of the VDA operating system in use (for example, Windows Server 2012 R2), including full virtualization support.

Some types of USB devices are not supported for generic USB redirection because it would not be useful to redirect them:

  • USB modems.
  • USB network adapters.
  • USB hubs. The USB devices connected to USB hubs are handled individually.
  • USB virtual COM ports. Use COM port redirection rather than generic USB redirection.

For information on USB devices that have been tested with generic USB redirection, see Citrix Ready Marketplace. Some USB devices do not operate correctly with generic USB redirection.

Configure generic USB redirection

You can control, and separately configure, which types of USB devices use generic USB redirection:

  • On the VDA, using Citrix policy settings. For more information, see Redirection of client drives and user devices and USB devices policy settings in the Policy settings reference.
  • In Citrix Workspace app, using Citrix Workspace app-dependent mechanisms. For example, an Administrative Template controls registry settings that configure Citrix Workspace app for Windows. By default, USB redirection is allowed for certain classes of USB devices and denied for others. For more information, see Configure in the Citrix Workspace app for Windows documentation.

This separate configuration provides flexibility. For example:

  • If two different organizations or departments are responsible for the Citrix Workspace app and VDA, they can enforce control separately. This configuration applies when a user in one organization accesses an application in another organization.
  • Citrix policy settings can control USB devices that are allowed only for certain users or for users connecting only over a LAN (rather than by using Citrix Gateway).

Enable generic USB redirection

To enable generic USB redirection without requiring users to redirect devices manually, configure both Citrix policy settings and Citrix Workspace app connection preferences.

In Citrix policy settings:

  1. Add the Client USB device redirection setting to a policy and set its value to Allowed.

  2. (Optional) To change the list of USB devices available for redirection, add the Client USB device redirection rules setting to the policy and specify the USB policy rules.

Once the policy settings are complete, in Citrix Workspace app:

  3. Specify that devices are connected automatically, without manual redirection. You can do this using an Administrative template or in Citrix Workspace app for Windows > Preferences > Connections.

If you specified USB policy rules for the VDA in step 2, specify the same policy rules for the Citrix Workspace app.

For thin clients, consult the manufacturer for details of USB support and any required configuration.

Configuring the types of USB devices available for generic USB redirection

USB devices are automatically redirected when USB support is enabled and the USB user preference settings are set to connect USB devices automatically. USB devices are also automatically redirected when the connection bar is not present.

Users can explicitly redirect devices that are not automatically redirected by selecting them from the USB device list. For more information, see the Citrix Workspace app for Windows user help article, Display your devices in the Desktop Viewer.


To use generic USB redirection rather than optimized support for a device, either:

  • Manually: in Citrix Workspace app, select the USB device on the Devices tab of the Preferences dialog box and choose Switch to generic.
  • Automatically: configure auto-redirection for the USB device type (for example, AutoRedirectStorage=1) and set the USB user preference settings to connect USB devices automatically. For more information, see Configure automatic redirection of USB devices.

Note:

Only configure generic USB redirection for use with a webcam if the webcam is found to be incompatible with HDX multimedia redirection.

To prevent USB devices from ever being listed or redirected, you can specify device rules for the Citrix Workspace app and the VDA.

For generic USB redirection, you need to know at least the USB device class and subclass. Not all USB devices use the class and subclass you would expect. For example:

  • Pens use the mouse device class.
  • Smart card readers can use the vendor-defined or HID device class.

For more precise control, you also need the Vendor ID, Product ID, and Release ID. You can get these from the device vendor, or read them from the device's hardware IDs in Windows Device Manager (Details > Hardware Ids), where they appear as VID_, PID_, and REV_ values.
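The following script is an added example (not code from the original page or from Citrix) that turns a device's Windows hardware IDs and compatible IDs into the tags used in the rules described on this page and formats a rule line from them. The ID strings are constructed to look like what Device Manager shows under Details > Hardware Ids / Compatible Ids (the same values are returned by Get-PnpDeviceProperty -KeyName DEVPKEY_Device_HardwareIds and DEVPKEY_Device_CompatibleIds); only VID 046D / PID C626, which appears in the rule examples below, is a real device, and the REV value, the second device, and its identifiers are made up.

```python
"""Derive Citrix generic USB rule tags from a device's Windows hardware IDs.

Added example, not Citrix code. The ID strings below are constructed to look
like what Windows reports under Device Manager > Details > "Hardware Ids" and
"Compatible Ids" (the same values come back from Get-PnpDeviceProperty with
-KeyName DEVPKEY_Device_HardwareIds / DEVPKEY_Device_CompatibleIds).
"""
import re

# USB\VID_046D&PID_C626&REV_0100[&MI_00]: Windows calls the Release ID "REV",
# and &MI_xx marks one interface of a composite device.
_HW_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&REV_([0-9A-F]{4}))?(?:&MI_([0-9A-F]{2}))?$", re.I)
# USB\Class_03&SubClass_01&Prot_02: class codes from the device or interface descriptor.
_COMPAT_RE = re.compile(
    r"^USB\\Class_([0-9A-F]{2})(?:&SubClass_([0-9A-F]{2}))?(?:&Prot_([0-9A-F]{2}))?$", re.I)


def parse_device_ids(hardware_ids, compatible_ids):
    """Return the Citrix rule tags (VID, PID, REL, Class, SubClass, Prot) found in the IDs.
    Also returns "MI" (interface number) when present; it is not a rule tag, but it tells
    you the class codes belong to one interface of a composite device."""
    tags = {}
    for hid in hardware_ids:
        m = _HW_RE.match(hid)
        if not m:
            continue
        vid, pid, rel, mi = m.groups()
        tags["VID"], tags["PID"] = vid.upper(), pid.upper()
        if rel:
            tags["REL"] = rel.upper()
        if mi:
            tags["MI"] = mi.upper()
    for cid in compatible_ids:
        m = _COMPAT_RE.match(cid)
        if not m:
            continue
        for tag, value in zip(("Class", "SubClass", "Prot"), m.groups()):
            if value and tag not in tags:
                tags[tag] = value.upper()
    return tags


def make_rule(action, tags, comment="", by_identity=True):
    """Format one rule line. by_identity pins VID/PID/REL (precise control);
    otherwise the rule matches on Class/SubClass/Prot (a whole device type)."""
    if action not in ("Allow", "Deny"):
        raise ValueError("action must be Allow or Deny")
    keys = ("VID", "PID", "REL") if by_identity else ("Class", "SubClass", "Prot")
    pairs = [f"{k}={tags[k]}" for k in keys if k in tags]
    if not pairs:
        raise ValueError("no usable tags for a rule")
    line = f"{action}: " + " ".join(pairs)
    return f"{line} # {comment}" if comment else line


# Constructed sample data. VID 046D / PID C626 is the SpaceNavigator from the
# rule examples on this page; the REV value, the second device and its IDs are made up.
SPACENAV_HW = ["USB\\VID_046D&PID_C626&REV_0100", "USB\\VID_046D&PID_C626"]
SPACENAV_COMPAT = ["USB\\Class_03&SubClass_00&Prot_00", "USB\\Class_03&SubClass_00", "USB\\Class_03"]
# A smart card interface (USB class 0B) inside a composite device, exposed as interface 01.
READER_HW = ["USB\\VID_1234&PID_ABCD&REV_0200&MI_01", "USB\\VID_1234&PID_ABCD&MI_01"]
READER_COMPAT = ["USB\\Class_0B&SubClass_00&Prot_00", "USB\\Class_0B&SubClass_00", "USB\\Class_0B"]


def example_rules():
    """Rules derived from the sample devices, as text you could paste into the policy."""
    nav = parse_device_ids(SPACENAV_HW, SPACENAV_COMPAT)
    rdr = parse_device_ids(READER_HW, READER_COMPAT)
    return [
        make_rule("Allow", nav, "SpaceNavigator, pinned to vendor/product/release"),
        make_rule("Deny", rdr, "all smart card class interfaces", by_identity=False),
    ]


if __name__ == "__main__":
    print("\n".join(example_rules()))
```

The MI_ suffix matters in practice: a composite device's parent node reports class 00 and the real class codes sit on its interface children, which is why the Class tag may come from an interface descriptor rather than the device descriptor.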

Important:

Malicious USB devices might present USB device characteristics that do not match their intended usage. Device rules match only the characteristics a device reports and cannot detect a device that misreports them.

You control the USB devices available for generic USB redirection by specifying USB device redirection rules, to override the default USB policy rules.

Citrix Virtual Apps and Desktops service:

  • In most cases, download the Citrix Group Policy Management Console MSI (CitrixGroupPolicyManagement_x64.msi) and install it in your Active Directory system, and then manage AD group policies. (Do not install the MSI on a VDA.)

  • For Citrix Workspace app for Windows, edit the user device registry. An Administrative template (ADM file) is included on the installation media so you can change the user device through the Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm

On-premises Citrix Virtual Apps and Desktops:

  • For the VDA, edit the administrator override rules for the Multi-session OS machines through group policy rules. The Group Policy Management Console is included on the installation media:
    • x64: dvd root \os\lang\x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi
    • x86: dvd root \os\lang\x86\Citrix Policy\CitrixGroupPolicyManagement_x86.msi
  • For Citrix Workspace app for Windows, edit the user device registry. An Administrative template (ADM file) is included on the installation media so you can change the user device through the Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm

Warning:

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB. Do not edit these product default rules. Instead, use them as a guide for creating administrator override rules, which is explained below. The GPO override rules are evaluated before the product default rules, so an override rule that matches a device takes precedence over the defaults.

The administrator override rules are stored in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\PortICA\GenericUSB\DeviceRules. GPO policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space.

The following tags are supported:

Tag        Description
VID        Vendor ID from the device descriptor
PID        Product ID from the device descriptor
REL        Release ID (bcdDevice) from the device descriptor
Class      Class from either the device descriptor or an interface descriptor; see the USB website at http://www.usb.org/ for available USB class codes
SubClass   Subclass from either the device descriptor or an interface descriptor
Prot       Protocol from either the device descriptor or an interface descriptor

When creating policy rules, note the following:

  • Rules are case-insensitive.
  • Rules can have an optional comment at the end, introduced by #. No delimiter is required before the #, and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule, but Deny: Class=0 Sub Class=05 is not, because the tag name SubClass has been split in two.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.

Note:

If you are using the ADM template file, you must create rules on a single line, as a semicolon-separated list.

Examples:

  • An administrator-defined USB policy rule set that matches on vendor and product identifiers:

    Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
    Deny: VID=046D # Deny all Logitech products

  • An administrator-defined USB policy rule set that matches on class, subclass, and protocol:

    Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
    Allow: Class=EF SubClass=01 # Allow Sync devices
    Allow: Class=EF # Allow all USB-Miscellaneous devices

List the more specific rule before the broader one, as in these examples, so that it is matched first.
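To check a rule set before deploying it through Group Policy, the following added example (not code from the original page or from Citrix) parses rules written in the syntax described above and evaluates constructed device records against them, trying the administrator override rules before a stand-in for the product default rules. Two points are this example's assumptions rather than statements from the page: rules are tried in order and the first match decides, and a rule with no tag=value pairs (for example a bare Allow:) matches every device. The default rules and all devices except VID 046D / PID C626 are constructed for the example and are not the rules Citrix ships.

```python
"""Parse and evaluate Citrix generic USB device rules.

Added example, not Citrix code. The grammar follows the tags and syntax rules
described on this page (Allow:/Deny:, tag=value pairs, '#' comments, ';' lists,
case-insensitive). ASSUMPTIONS of this example, not quoted from the page: rules
are tried in order and the first match wins; a rule with no tag=value pairs
(e.g. "Allow:") matches every device.
"""
import re
from dataclasses import dataclass

TAGS = ("VID", "PID", "REL", "CLASS", "SUBCLASS", "PROT")
_HEAD_RE = re.compile(r"^(allow|deny)\s*:\s*(.*)$", re.I)
_PAIR_RE = re.compile(r"^([A-Za-z]+)=([0-9A-Fa-f]+)$")


@dataclass(frozen=True)
class Rule:
    action: str   # "Allow" or "Deny"
    match: dict   # canonical tag -> integer value parsed from hex
    text: str     # rule as written (comment stripped), for reporting


def parse_rules(text):
    """Parse rule text: one rule per line, or ';'-separated on one line as the ADM template requires."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for chunk in line.split(";"):
            body = chunk.split("#", 1)[0].strip()   # everything after '#' is a comment
            if not body:                             # blank or comment-only
                continue
            head = _HEAD_RE.match(body)
            if not head:
                raise ValueError(f"line {lineno}: rule must start with Allow: or Deny: ({body!r})")
            # 'Class = 08' is valid, so collapse whitespace around '=' before splitting on spaces;
            # 'Sub Class=05' still fails because 'Sub' is not a tag=value token.
            spec = re.sub(r"\s*=\s*", "=", head.group(2))
            match = {}
            for token in spec.split():
                pair = _PAIR_RE.match(token)
                if not pair or pair.group(1).upper() not in TAGS:
                    raise ValueError(f"line {lineno}: bad tag=value token {token!r} in {body!r}")
                match[pair.group(1).upper()] = int(pair.group(2), 16)
            rules.append(Rule(head.group(1).capitalize(), match, body))
    return rules


def make_device(**tags):
    """Build a device record from hex strings, e.g. make_device(VID="046D", PID="C626", Class="03")."""
    out = {}
    for name, value in tags.items():
        if name.upper() not in TAGS:
            raise ValueError(f"unknown tag {name}")
        out[name.upper()] = int(value, 16)
    return out


def matches(rule, device):
    """A rule matches when every tag it specifies equals the device's value (no tags: matches all)."""
    return all(device.get(tag) == value for tag, value in rule.match.items())


def decide(device, override_rules, default_rules):
    """Return (action, rule) for the first matching rule, checking the administrator
    override (GPO) rules before the product default rules; (None, None) if nothing matched."""
    for rule in (*override_rules, *default_rules):
        if matches(rule, device):
            return rule.action, rule
    return None, None


# Administrator override rules: the two rule sets shown in the examples on this page.
OVERRIDE_RULES = parse_rules("""
Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
Deny: VID=046D # Deny all Logitech products
Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
Allow: Class=EF SubClass=01 # Allow Sync devices
Allow: Class=EF # Allow all USB-Miscellaneous devices
""")

# Constructed stand-in for the product default rules (NOT the rules Citrix ships),
# written in the single-line ';'-separated form the ADM template requires.
DEFAULT_RULES = parse_rules("Deny: Class=08 # mass storage; Allow: # everything else")

# Constructed devices; only VID 046D / PID C626 comes from the page.
DEVICES = {
    "spacenavigator": make_device(VID="046D", PID="C626", Class="03"),
    "other_logitech": make_device(VID="046D", PID="0001", Class="03"),
    "flash_drive":    make_device(VID="ABCD", PID="0001", Class="08", SubClass="06", Prot="50"),
    # A storage device that reports HID class 03: the rules only see what it claims.
    "spoofed_drive":  make_device(VID="ABCD", PID="0002", Class="03"),
}


def evaluate_all(devices=DEVICES):
    """Map device name -> (action, text of the deciding rule, or None)."""
    result = {}
    for name, dev in devices.items():
        action, rule = decide(dev, OVERRIDE_RULES, DEFAULT_RULES)
        result[name] = (action, rule.text if rule else None)
    return result


if __name__ == "__main__":
    for name, (action, text) in evaluate_all().items():
        print(f"{name:15s} -> {action} ({text})")
```

The spoofed_drive entry shows the point made in the Important note above: a device that reports a harmless class is allowed by a class-based rule set, so device rules limit exposure but do not authenticate hardware.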

Use and remove USB devices

Users can connect a USB device before or after starting a virtual session.

When using Citrix Workspace app for Windows, the following apply:

  • Devices connected after a session begins appear immediately in the USB menu of the Desktop Viewer.
  • If a USB device is not redirecting properly, you can try to resolve the problem by waiting to connect the device until after the virtual session starts.
  • To avoid data loss, use the Windows “Safely Remove Hardware” icon before removing the USB device.

Security controls for USB mass storage devices

Optimized support is provided for USB mass storage devices. This support is part of Citrix Virtual Apps and Desktops client drive mapping. Drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders that have mapped drive letters. To configure client drive mapping, use the Client removable drives setting. This setting is in the File Redirection policy settings section of the ICA policy settings.

With USB mass storage devices you can use either Client drive mapping or generic USB redirection, or both. Control them using Citrix policies. The main differences are:

Feature                                   Client drive mapping                                             Generic USB redirection
Enabled by default                        Yes                                                              No
Read-only access configurable             Yes                                                              No
Encrypted device access                   Yes, if encryption is unlocked before the device is accessed     Yes
BitLocker To Go devices                   No                                                               No
Safe to remove device during a session    No                                                               Yes, provided users follow operating system recommendations for safe removal

If both the generic USB redirection and client drive mapping policies are enabled, a mass storage device inserted either before or after a session starts is redirected using client drive mapping. If, in addition, the device type is configured for automatic generic redirection (for example, AutoRedirectStorage=1), the device is redirected using generic USB redirection instead. For more information, see Knowledge Center article CTX123015.

Note:

USB redirection is supported over lower bandwidth connections, for example 50 Kbps. However, copying large files doesn’t work.

Control file access with client drive mapping

You can control whether users can copy files from their virtual environments to their user devices. By default, files and folders on mapped client-drives are available in read/write mode from within the session.

To prevent users from adding or changing files and folders on mapped client drives, enable the Read-only client drive access policy setting. When adding this setting to a policy, ensure that the Client drive redirection setting is also added to the policy and set to Allowed.