USB devices policy settings

The USB devices section contains policy settings for managing file redirection for USB devices.

Client USB device optimization rules

Client USB device optimization rules can be applied to devices to disable optimization, or to change the optimization mode.

When a user plugs in a USB input device, the host checks if the USB policy settings allow the device. If the device is allowed, the host then checks the Client USB device optimization rules for the device. If no rule is specified, then the device is not optimized. Capture mode (04) is the recommended mode for signature devices. For other devices which have degraded performance over higher latency, administrators can enable Interactive mode (02). See descriptions of the available modes in the table in this article.

Good to know

  • For the use of Wacom signature pads and tablets, we recommend that you disable the screen saver. Steps on how to disable the screen saver are at the end of this section.
  • Support for the optimization of Wacom STU signature pads and tablets series of products has been preconfigured in the installation of Citrix Virtual Apps and Desktops policies.
  • Signature devices work across Citrix Virtual Apps and Desktops and do not require a driver to be used as a signature device. Wacom has more software that can be installed to customize the device further. See http://www.wacom.com/.
  • Drawing tablets. Certain drawing input devices might present as an HID device on PCI/ACPI buses and are not supported. Attach these devices on a USB host controller on the client to be redirected inside a Citrix Virtual Desktops session.

Policy rules take the format of tag=value expressions separated by whitespace. The following tags are supported:

Tag Name Description
Mode The optimization mode is supported for input devices for class=03. Supported modes are: No optimization - value 01. Interactive mode - value 02. Recommended for devices such as pen tablets and 3D Pro mice. Capture mode - value 04. Preferred for devices such as signature pads.
VID Vendor ID from the device descriptor, as a four digit hexadecimal number.
PID Product ID from the device descriptor, as a four digit hexadecimal number.
REV Revision ID from the device descriptor, as a four digit hexadecimal number.
Class Class from either the device descriptor or an interface descriptor.
SubClass Subclass from either the device descriptor or an interface descriptor.
Prot Protocol from either the device descriptor or an interface descriptor.

Examples

Mode=00000004 VID=067B PID=1230 class=03 #Input device operating in capture mode

Mode=00000002 VID=067B PID=1230 class=03 #Input device operating in interactive mode (default)

Mode=00000001 VID=067B PID=1230 class=03 #Input device operating without any optimization

Mode=00000100 VID=067B PID=1230 # Device setup optimization disabled (default)

Mode=00000200 VID=067B PID=1230 # Device setup optimization enabled

Disabling the screen saver for Wacom signature pad devices

For the use of Wacom signature pads and tablets, Citrix recommends that you disable the screen saver as follows:

  1. Install the Wacom-STU-Driver after redirecting the device.
  2. Install Wacom-STU-Display MSI to gain access to the signature pad control panel.
  3. Go to Control Panel > Wacom STU Display > STU430 or STU530, and select the tab for your model.
  4. Choose Change, then select Yes when the UAC security window pops up.
  5. Select Disable slideshow, then Apply.

After the setting is set for one signature pad model, it is applied to all models.

Client USB device redirection

This setting allows or prevents redirection of USB devices to and from the user device.

By default, USB devices are not redirected.

Client USB device redirection rules

This setting specifies redirection rules for USB devices.

By default, no rules are specified.

When a user plugs in a USB device, the host device checks it against each policy rule in turn until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is remoted to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop. If no match is found, default rules are used.

Policy rules take the format {Allow:|Deny:} followed by a set of tag= value expressions separated by whitespace. The following tags are supported:

Tag Name Description
VID Vendor ID from the device descriptor
PID Product ID from the device descriptor
REL Release ID from the device descriptor
Class Class from either the device descriptor or an interface descriptor
SubClass Subclass from either the device descriptor or an interface descriptor
Prot Protocol from either the device descriptor or an interface descriptor

When creating policy rules, remember:

  • Rules are case-insensitive.
  • Rules can have an optional comment at the end, introduced by #.
  • Blank and pure comment lines are ignored.
  • Tags must use the matching operator = (for example, VID=067B_.
  • Each rule must start on a new line or form part of a semicolon-separated list.
  • See the USB class codes available from the USB Implementers Forum, Inc. website.

Examples of administrator-defined USB policy rules:

  • Allow: VID=067B PID=0007 # Another Industries, Another Flash Drive
  • Deny: Class=08 subclass=05 # Mass Storage
  • To create a rule that denies all USB devices, use “DENY:” without other tags.

Client USB plug and play device redirection

This setting allows or prevents plug-and-play devices such as cameras or point-of-sale (POS) devices to be used in a client session.

By default, plug-and-play device redirection is allowed. When set to Allowed, all plug-and-play devices for a specific user or group are redirected. When set to Prohibited, no devices are redirected.

Configure automatic redirection of USB devices

USB devices are automatically redirected when USB support is enabled, and the USB user preference settings are set to automatically connect USB devices.

Note:

In Receiver for Windows 4.2, USB devices are also automatically redirected when operating in Desktop Appliance mode, and the connection bar is not present. In earlier versions of Citrix Receiver for Windows, USB devices are also automatically redirected when operating in a desktop appliance mode or with virtual machine (VM) hosted applications.

It is not always best to redirect all USB devices. Users can explicitly redirect devices from the USB device list that is not automatically redirected. To prevent USB devices from being listed or redirected, use DeviceRules on either the client endpoint or the Virtual Desktop Agent (VDA). See Administration Guides for further details.

Caution

Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

User preferences settings for auto redirection of USB devices

Policy:

  1. Open Local Group Policy Editor and go to Administrative Templates > Citrix Components > Citrix Receiver > Remoting client devices > Generic USB Remoting.
  2. Open New USB Devices, select Enabled, and click OK.
  3. Open Existing USB Devices, select Enabled, and click OK.

Citrix Receiver:

  1. Go to Citrix Receiver Preferences > Connections.
  2. Ensure that the following options are selected:
    • When a session starts, connect devices automatically
    • When a new device is connected while a session is running, connect the device automatically.
  3. Click OK.

All the registry keys and the policy changes are applied to the Windows client device.

Plain USB printers redirection

The best solution for plain USB printers is to use the dedicated Universal Printer Driver and virtual channel to perform printing. By default, plain USB printers are not automatically redirected.

Plain printers are detected using heuristics, and it is expected that advanced printers with scanning functions for example, might need to be redirected using USB support to work completely.

Use this registry to configure whether plain printers are automatically redirected:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectPrinters

Type: DWORD

Data: 00000000

The default is set to 0 (does not automatically redirect). Changing the value to non-zero enables USB support to redirect plain USB printers.

You can also deploy Active Directory policies to this registry key, and overrides the non-policy value if both are present:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectAudio

Type: DWORD

Data: 00000000

Plain audio devices redirection

Like plain printers, the best user experience is achieved using the dedicated audio virtual channel of ICA to send audio data from plain audio devices. However, you might need to redirect some specialty devices using USB support. Heuristics are used to determine which devices are plain audio devices.

Use this registry to configure whether plain audio devices are automatically redirected:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectAudio

Type: DWORD

Data: 00000000

The default is set to 0 (does not automatically redirect). Changing the value to non-zero, redirects plain USB audio devices with USB support.

You can use Active Directory policies to deploy this value to the registry key and override the non-policy value if both are present:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectVideo

Type: DWORD

Data: 00000000

Plain storage devices (mass storage device) redirection

For plain storage devices, you achieve the best user experience using the dedicated virtual channel, such as client drive mapping that also performs optimization. In addition to simple reading or writing files, to perform certain special tasks like burning a CD/DVD or accessing encrypted file systems devices, the device might still need to be redirected using generic USB support.

Heuristics are used to determine which devices are plain storage devices. Use this registry key to configure whether plain storage devices are automatically redirected:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectStorage

Type: DWORD

Data: 00000000

The default is set to 0 (does not automatically redirect). Changing the value to non-zero, redirects plain USB storage devices using generic USB support.

You can also use Active Directory policies to deploy this value to the following registry key and override the non-policy value if both are present:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectStorage

Type: DWORD

Data: 00000000

Note:

Read only access to the plain storage device is not configurable if you are using generic USB support, while it is configurable if using CDM.

USB flash drives with hardware encryption redirection

USB flash drives with hardware encryption typically consist of an encrypted storage partition and a second utility partition that contains a utility for unlocking the encrypted partition. For USB Flash Drive devices, achieve the best user experience using the dedicated client drive mapping/dynamic thumbdrive mapping HDX virtual channel that also performs optimization.

Generic USB redirection is necessary for non-Windows clients (for example, Linux clients) and clients where the customer has restricted (locked down) user access to local functions on the client. Generic USB redirection can redirect any USB storage device without hardware encryption into both Desktop OS and Server OS VDA sessions.

Before Citrix Virtual Apps and Desktop 7 1808, USB flash drives with hardware encryption could not be redirected in any useful way into Desktop OS or Server OS VDA sessions. A new feature enhancement introduced in Citrix Virtual Apps and Desktop 7 1808 supports generic USB redirection of USB flash drives with hardware encryption into Desktop OS and Server OS VDA sessions. After the device is redirected, none of its drives appear on the local client. So, if unlocking the drive is required, perform it in the session. This feature requires Windows update KB4074590.

Plain still image devices (scanners and digital cameras)

For plain still image devices, achieve the best user experience using the dedicated virtual channel (such as the TWAIN virtual channel) that also performs optimization. These devices must adhere to industry standards. If a device is non-compliant or if it is not used according to the original intentions, generic USB redirection might be the only way to use the device. Heuristics are used to determine which devices are plain still image devices.

Use this registry key to configure whether plain still image devices are automatically redirected:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectImage

Type: DWORD

Data: 00000000

The default is set to 0 (does not automatically redirect). Changing the value to non-zero, redirects plain USB still image devices with generic USB.

You can also use Active Directory policies to deploy this value to this registry key and override the non-policy value if both are present:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices

Name: AutoRedirectImage

Type: DWORD

Data: 00000000

Device specific settings

The heuristics used to select Citrix optimizable devices (such as printers, audio, video, storage, and still image devices) do not always match what you want. You might want to control automatic redirection of devices that are not listed above. You can control automatic redirection on a device specific basis.

As an example, the DemoTech 2,000 bar code reader doesn’t need to be redirected using USB support. It has a vendor identifier of 12AB and a product identifier of 5678. These hexadecimal numbers can be found in Device Manager.

To prevent this being automatically redirected, create this device specific registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices\VID12AB PID5678

Name: AutoRedirect

Type: DWORD

Data: 00000000

A value of 0 prevents the device from being automatically redirected. A non-zero value indicates that the device must be considered for automatic redirection (subject to user preferences). There is a single space character between the vendor and product identifiers.

You can also deploy this value using Active Directory policies to this registry key. It overrides the non-policy value if both are present:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB\Devices\VID12AB PID5678

Name: AutoRedirect

Type: DWORD

Data: 00000000

Device specific AutoRedirect settings take precedence over the more general AutoRedirectXXX values explained above. The default heuristics for Citrix optimized devices might misinterpret a device as generic. Therefore, set the device specific AutoRedirect value to 1 to redirect it automatically.