Configuring USB support
USB support enables you to interact with a wide range of USB devices when connected to a virtual desktop. You can plug USB devices into their computers and the devices are remote to their virtual desktop. USB devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. Desktop Viewer users can control whether USB devices are available on the virtual desktop using a preference in the toolbar.
Isochronous features in USB devices, such as webcams, microphones, speakers, and headsets are supported in typical low latency/high-speed LAN environments. This allows these devices to interact with packages, such as Microsoft Office Communicator and Skype.
The following types of device are supported directly in a XenApp and XenDesktop session, and so does not use USB support:
- Smart cards
Specialist USB devices (for example, Bloomberg keyboards and 3-D mice) can be configured to use USB support. For information on configuring Bloomberg keyboards, see Configure Bloomberg keyboards. For information on configuring policy rules for other specialist USB devices, see Knowledge Center article CTX122615
By default, certain types of USB devices are not supported for remoting through XenDesktop and XenApp. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this device would not be appropriate. The following types of USB device are not supported by default for use in a XenDesktop session:
- Bluetooth dongles
- Integrated network interface cards
- USB hubs
- USB graphics adapters
USB devices connected to a hub can be remote, but the hub itself cannot be remote.
The following types of USB device are not supported by default for use in a XenApp session:
- Bluetooth dongles
- Integrated network interface cards
- USB hubs
- USB graphics adapters
- Audio devices
- Mass storage devices
For instructions on modifying the range of USB devices that are available to users, see Update the list of USB devices available for remoting.
For instructions on automatically redirecting specific USB devices, see Knowledge Center article CTX123015.
How USB support works
When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, remoted to the virtual desktop. If the device is denied by the default policy, it is available only to the local desktop.
When a user plugs in a USB device, a notification appears to inform the user about a new device. The user can decide which USB devices are remoted to the virtual desktop by selecting devices from the list each time they connect. Alternatively, the user can configure USB support so that all USB devices plugged in both before and/or during a session are automatically remoted to the virtual desktop that is in focus.
Mass storage devices
For mass storage devices only, in addition to USB support, remote access is available through client drive mapping, which you configure through the Citrix Receiver policy Remoting client devices > Client drive mapping. When this policy is applied, the drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters.
The main differences between the two types of remoting policy are:
|Feature||Client drive mapping||USB support|
|Enabled by default||Yes||No|
|Read-only access configurable||Yes||No|
|Safe to remove device during a session||No||Yes, if the user clicks Safely Remove Hardware in the notification area|
If both Generic USB and the Client drive mapping policies are enabled and a mass storage device is inserted before a session starts, it will be redirected using client drive mapping first, before being considered for redirection through USB support. If it is inserted after a session has started, it will be considered for redirection using USB support before client drive mapping.
USB device classes allowed by default
Different classes of USB device are allowed by the default USB policy rules.
Although they are on this list, some classes are only available for remoting in XenDesktop and XenApp sessions after additional configuration. These are noted below.
- Audio (Class 01). Includes audio input devices (microphones), audio output devices, and MIDI controllers. Modern audio devices generally use isochronous transfers, which is supported by XenDesktop 4 or later. Audio (Class01) is not applicable to XenApp because these devices are not available for remoting in XenApp using USB support.
Some specialty devices (for example, VOIP phones) require additional configuration. For more information, see Knowledge Center article CTX123015.
Physical Interface Devices (Class 05). These devices are similar to Human Interface Devices (HIDs), but generally provide “real-time” input or feedback and include force feedback joysticks, motion platforms, and force feedback exoskeletons.
Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras often support the still imaging class which uses the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP) to transfer images to a computer or other peripheral. Cameras may also appear as mass storage devices and it may be possible to configure a camera to use either class, through setup menus provided by the camera itself.
If a camera appears as a mass storage device, client drive mapping is used and USB support is not required.
Printers (Class 07). In general most printers are included in this class, although some use vendor-specific protocols (class ff). Multi-function printers may have an internal hub or be composite devices. In both cases the printing element generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.
Printers normally work appropriately without USB support.
This class of device (in particular printers with scanning functions) requires additional configuration. For instructions on this, see Knowledge Center article CTX123015.
Mass Storage (Class 08). The most common mass storage devices are USB flash drives; others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers. There are a wide variety of devices with internal storage that also present a mass storage interface; these include media players, digital cameras, and mobile phones. Mass Storage (Class 08) is not applicable to XenApp because these devices are not available for remoting in XenApp using USB support. Known subclasses include:
- 01 Limited flash devices
- 02 Typically CD/DVD devices (ATAPI/MMC-2)
- 03 Typically tape devices (QIC-157)
- 04 Typically floppy disk drives (UFI)
- 05 Typically floppy disk drives (SFF-8070i)
- 06 Most mass storage devices use this variant of SCSI
Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.
Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.
Content Security (Class 0d). Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.
Video (Class 0e). The video class covers devices that are used to manipulate video or video-related material, such as webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support video streaming.
Most video streaming devices use isochronous transfers, which is supported by XenDesktop 4 or later. Some video devices (for example webcams with motion detection) require additional configuration. For instructions on this, see Knowledge Center article CTX123015.
Personal Healthcare (Class 0f). These devices include personal healthcare devices such as blood pressure sensors, heart rate monitors, pedometers, pill monitors, and spirometers.
Application and Vendor Specific (Classes fe and ff). Many devices use vendor specific protocols or protocols not standardized by the USB consortium, and these usually appear as vendor-specific (class ff).
USB devices classes denied by default
The following different classes of USB device are denied by the default USB policy rules.
Communications and CDC Control (Classes 02 and 0a). The default USB policy does not allow these devices, because one of the devices may be providing the connection to the virtual desktop itself.
Human Interface Devices (Class 03). Includes a wide variety of both input and output devices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control functions.
Subclass 01 is known as the “boot interface” class and is used for keyboards and mice.
The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards and mice are handled appropriately without USB support and it is normally necessary to use these devices locally as well remotely when connecting to a virtual desktop.
USB Hubs (Class 09). USB hubs allow extra devices to be connected to the local computer. It is not necessary to access these devices remotely.
Smart Card (Class 0b). Smart card readers include contactless and contact smart card readers, and also USB tokens with an embedded smart card-equivalent chip.
Smart card readers are accessed using smart card remoting and do not require USB support.
Wireless Controller (Class e0). Some of these devices may be providing critical network access, or connecting critical peripherals, such as Bluetooth keyboards or mice.
The default USB policy does not allow these devices. However, there may be particular devices to which it is appropriate to provide access using USB support.
Miscellaneous network devices (Class ef, subclass 04). Some of these devices may be providing critical network access. The default USB policy does not allow these devices. However, there may be particular devices to which it is appropriate to provide access using USB support.
Update the list of USB devices available for remoting
You can update the range of USB devices available for remoting to desktops by editing the Citrix Receiver for Windows template file. This allows you to make changes to the Citrix Receiver for Windows using Group Policy. The file is located in the following installed folder:
<root drive>:\Program Files\Citrix\ICA Client\Configuration\en
Alternatively, you can edit the registry on each user device, adding the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name=”DeviceRules” Value=
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
The product default rules are stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name=“DeviceRules” Value=
Do not edit the product default rules.
For details of the rules and their syntax, see the Knowledge Center article CTX119722.
Configuring USB audio
- When you upgrade or install Citrix Receiver for Windows for the first time, you must add the latest template files to the local GPO. For more information on adding template files to the local GPO, see Configuring the Group Policy Object administrative template. In case of an upgrade, the existing settings are retained while importing the latest files.
- This feature is available only on XenApp server.
To configure USB audio devices
- Open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
- Under the Computer Configuration node, go to Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User experience, and select Audio through Generic USB Redirection.
- Edit the settings.
- Click Apply and OK.
- Open cmd prompt in administrator mode.
- Run the below command: