USB devices policy settings
The USB devices section includes policy settings for managing file redirection for USB devices.
Client USB device optimization rules
Client USB device optimization rules can be applied to devices to disable optimization, or to change the optimization mode.
When a user plugs in a USB input device, the host checks if the USB policy settings allow the device. If the device is allowed, the host then checks the Client USB device optimization rules for the device. If no rule is specified, then the device is not optimized. Capture mode (04) is the recommended mode for signature devices. For other devices which have degraded performance over higher latency, administrators can enable Interactive mode (02). See descriptions of the available modes in the table in this article.
Good to know
- For the use of Wacom signature pads and tablets, we recommend that you disable the screen saver. Steps on how to disable the screen saver are at the end of this section.
- Support for the optimization of Wacom STU signature pads and tablets series of products has been preconfigured in the installation of Citrix Virtual Apps and Desktops policies.
- Signature devices work across Citrix Virtual Apps and Desktops and do not require a driver to be used as a signature device. Wacom has more software that can be installed to customize the device further. See http://www.wacom.com/.
- Drawing tablets. Certain drawing input devices might present as an HID device on PCI/ACPI buses and are not supported. Attach these devices on a USB host controller on the client to be redirected inside a Citrix Virtual Desktops session.
Policy rules take the format of tag=value expressions separated by whitespace. The following tags are supported:
Tag Name | Description |
---|---|
Mode | The optimization mode is supported for input devices for class=03. Supported modes are: No optimization - value 01. Interactive mode - value 02. Recommended for devices such as pen tablets and 3D Pro mice. Capture mode - value 04. Preferred for devices such as signature pads. |
VID | Vendor ID from the device descriptor, as a four-digit hexadecimal number. |
PID | Product ID from the device descriptor, as a four-digit hexadecimal number. |
REV | Revision ID from the device descriptor, as a four-digit hexadecimal number. |
Class | Class from either the device descriptor or an interface descriptor. |
SubClass | Subclass from either the device descriptor or an interface descriptor. |
Prot | Protocol from either the device descriptor or an interface descriptor. |
Examples
Mode=00000004 VID=067B PID=1230 class=03 #Input device operating in capture mode
Mode=00000002 VID=067B PID=1230 class=03 #Input device operating in interactive mode (default)
Mode=00000001 VID=067B PID=1230 class=03 #Input device operating without any optimization
Mode=00000100 VID=067B PID=1230 # Device setup optimization disabled (default)
Mode=00000200 VID=067B PID=1230 # Device setup optimization enabled
Disabling the screen saver for Wacom signature pad devices
For the use of Wacom signature pads and tablets, Citrix recommends that you disable the screen saver as follows:
- Install the Wacom-STU-Driver after redirecting the device.
- Install Wacom-STU-Display MSI to gain access to the signature pad control panel.
- Go to Control Panel > Wacom STU Display > STU430 or STU530, and select the tab for your model.
- Choose Change, then select Yes when the UAC security window pops up.
- Select Disable slideshow, then Apply.
After the setting is set for one signature pad model, it is applied to all models.
Client USB device redirection
This setting allows or prevents redirection of USB devices to and from the user device.
By default, USB devices are not redirected.
Client USB device redirection rules
This setting specifies the redirection rules for USB devices.
By default, no rules are specified.
When a user plugs in a USB device, the host device checks it against each policy rule in turn until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is remoted to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop. If no match is found, default rules are used.
Policy rules take the format {Allow:|
Deny:} followed by a set of tag= value expressions separated by whitespace. The following tags are supported:
Tag Name | Description |
---|---|
VID | Vendor ID from the device descriptor |
PID | Product ID from the device descriptor |
REL | Release ID from the device descriptor |
Class | Class from either the device descriptor or an interface descriptor |
SubClass | Subclass from either the device descriptor or an interface descriptor |
Prot | Protocol from either the device descriptor or an interface descriptor |
When creating policy rules, remember:
- Rules are case-insensitive.
- Rules can have an optional comment at the end, introduced by #.
- Blank and pure comment lines are ignored.
- Tags must use the matching operator = (for example, VID=067B_.
- Each rule must start on a new line or form part of a semicolon-separated list.
- See the USB class codes available from the USB Implementers Forum, Inc. website.
Examples of administrator-defined USB policy rules:
- Allow: VID=067B PID=0007 # Another Industries, Another Flash Drive
- Deny: Class=08 subclass=05 # Mass Storage
- To create a rule that denies all USB devices, use “DENY:” without other tags.
Client USB plug and play device redirection
This setting allows or prevents plug-and-play devices such as cameras or point-of-sale (POS) devices to be used in a client session.
By default, plug-and-play device redirection is allowed. When set to Allowed, all plug-and-play devices for a specific user or group are redirected. When set to Prohibited, no devices are redirected.
Configure automatic redirection of USB devices
USB devices are automatically redirected when USB support is enabled. Also, the USB user preference settings are set to automatically connect USB devices.
Note:
In Receiver for Windows 4.2, USB devices are also automatically redirected when operating in Desktop Appliance mode. Also, the connection bar is not present. In earlier versions of Citrix Receiver for Windows, USB devices are also auto-redirected when operate in the following:
- Desktop appliance mode
- Virtual machine (VM) hosted applications
It is not always best to redirect all USB devices. Users can explicitly redirect devices from the USB device list that is not automatically redirected. To prevent USB devices from being listed or redirected, use DeviceRules on either the client endpoint or the DDC policy. See Administration Guides for further details.
Caution:
Using the Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure to back up the registry before you edit it.
User preferences settings for auto redirection of USB devices
Policy:
- Open Local Group Policy Editor and go to Administrative Templates > Citrix Components > Citrix Receiver > Remoting client devices > Generic USB Remoting.
- Open New USB Devices, select Enabled, and click OK.
- Open Existing USB Devices, select Enabled, and click OK.
Citrix Receiver:
- Go to Citrix Receiver Preferences > Connections.
- Ensure that the following options are selected:
- When a session starts, connect devices automatically
- When a new device is connected while a session is running, connect the device automatically.
- Click OK.
All the registry keys and the policy changes are applied to the Windows client device.
Plain USB printers redirection
The best solution for plain USB printers is to use the dedicated Universal Printer Driver and virtual channel to perform printing. By default, plain USB printers are not automatically redirected.
Plain printers are detected using heuristics. Also, it is expected that advanced printers with scanning functions for example, might need to be redirected using USB support to work completely.
Use this registry to configure whether plain printers are automatically redirected:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectPrinters
Type: DWORD
Data: 00000000
The default value is 0 (does not automatically redirect). Changing the value to any number greater than zero enables USB support to redirect plain USB printers.
You can also deploy Active Directory policies to this registry key and override the non-policy value if both are present:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectAudio
Type: DWORD
Data: 00000000
Plain audio devices redirection
Like plain printers, the best user experience is achieved using the dedicated audio virtual channel of ICA to send audio data from plain audio devices. However, you might need to redirect some specialty devices using USB support. Heuristics are used to determine which devices are plain audio devices.
Use this registry on client endpoint to configure whether plain audio devices are automatically redirected:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectAudio
Type: DWORD
Data: 00000000
The default is set to 0 (does not automatically redirect). Changing the value to non-zero, redirects plain USB audio devices with USB support.
You can use Active Directory policies to deploy this value to the registry key and override the non-policy value if both are present:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectVideo
Type: DWORD
Data: 00000000
Plain storage devices (mass storage device) redirection
For plain storage devices, you achieve the best user experience using the dedicated virtual channel, such as client drive mapping that also performs optimization. In addition to simple reading or writing files, to perform certain special tasks like burning a CD/DVD or accessing encrypted file systems devices, the device might still need to be redirected using generic USB support.
Heuristics are used to determine which devices are plain storage devices. Use this registry key to configure whether plain storage devices are automatically redirected:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectStorage
Type: DWORD
Data: 00000000
The default is set to 0 (does not automatically redirect). Changing the value to non-zero, redirects plain USB storage devices using generic USB support.
You can also use Active Directory policies to deploy this value to the following registry key and override the non-policy value if both are present:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectStorage
Type: DWORD
Data: 00000000
Note:
Read only access to the plain storage device is not configurable if you are using generic USB support, while it is configurable if using CDM.
USB flash drives with hardware encryption redirection
USB flash drives with hardware encryption typically consist of an encrypted storage partition and a second utility partition that contains a utility for unlocking the encrypted partition. For USB Flash Drive devices, achieve the best user experience using the dedicated client drive mapping/dynamic thumb drive mapping HDX virtual channel that also performs optimization.
Generic USB redirection is necessary for the following:
- Non-Windows clients (for example, Linux clients)
- Clients where the customer has restricted (locked down) user access to local functions on the client
Generic USB redirection can redirect any USB storage device without hardware encryption into both Single-session OS and Multi-session OS VDA sessions.
Before Citrix Virtual Apps and Desktops 7 1808, USB flash drives with hardware encryption could not be redirected in any useful way into Single-session OS or Multi-session OS VDA sessions. A new feature enhancement introduced in Citrix Virtual Apps and Desktops 7 1808 supports generic USB redirection of USB flash drives with hardware encryption into Single-session OS and Multi-session OS VDA sessions. After the device is redirected, none of its drives appear on the local client. So, if unlocking the drive is required, perform it in the session. This feature requires Windows update KB4074590.
Plain still image devices (scanners and digital cameras)
For plain still image devices, achieve the best user experience using the dedicated virtual channel (such as the TWAIN virtual channel) that also performs optimization. These devices must adhere to industry standards. Consider that a device is non-compliant or it is not used according to the original intentions. In this case, generic USB redirection might be the only way to use the device. Heuristics are used to determine which devices are plain still image devices.
Use this registry key to configure whether plain still image devices are automatically redirected:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectImage
Type: DWORD
Data: 00000000
The default is set to 0 (does not automatically redirect). Changing the value to non-zero, redirects plain USB still image devices with generic USB.
You can also use Active Directory policies to deploy this value to this registry key and override the non-policy value if both are present:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices
Name: AutoRedirectImage
Type: DWORD
Data: 00000000
Device specific settings
The heuristics used to select Citrix optimizable devices do not always match what you want. The examples for Citrix optimizable devices are printers, audio, video, storage, and still image devices. You might want to control automatic redirection of devices that are not listed above. You can control automatic redirection on a device specific basis.
As an example, the DemoTech 2,000 bar code reader doesn’t need to be redirected using USB support. It has a vendor identifier of 12AB and a product identifier of 5678. These hexadecimal numbers can be found in Device Manager.
To prevent this being automatically redirected, create this device specific registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices\VID12AB PID5678
Name: AutoRedirect
Type: DWORD
Data: 00000000
A value of 0 prevents the device from being automatically redirected. A non-zero value indicates that the device must be considered for automatic redirection (subject to user preferences). There is a single space character between the vendor and product identifiers.
You can also deploy this value using Active Directory policies to this registry key. It overrides the non-policy value if both are present:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices\VID12AB PID5678
Name: AutoRedirect
Type: DWORD
Data: 00000000
Device specific AutoRedirect settings take precedence over the more general AutoRedirectXXX values explained above. The default heuristics for Citrix optimized devices might misinterpret a device as generic. Therefore, set the device specific AutoRedirect value to 1 to redirect it automatically.