May 06, 2020

I recently ran into having to create a chunk of MCS dedicated machines for this COVID-19 situation the world is in. MCS Dedicated machines are very different from MCS Pooled machines. One of the HUGE differences is updating the machines’ images and updating the targets. As you’re aware, MCS Pooled is very similar to PVS, and it has a nice update feature for the PVS/MCS targets. But MCS dedicated machines are not the same.

This blog is about MCS dedicated full clones only, and updating the master image so that only newly created machines get the update.

Dedicated desktops are assigned to individual users and the data and settings will persist on the desktops. Optionally, the Citrix Profile Management solution can be used to store the user profile and data on central file servers. For dedicated desktops there is a new option available under Desktop OS Catalogs virtual machine copy mode, “Use full copy for better data recovery and migration support, with potentially reduced IOPS after the machines are created”.

“When you deploy the image, you will notice that MCS will do a full VMDK copy of your snapshot chain into a folder of every datastore that is defined in your hosted XenDesktop environment. This makes desktop creations extremely quick when scaling out additional VMs because it 1) negates the need to potentially copy VMDKs across datastores during desktop creation and 2) negates the need to consolidate snapshots during creation. The folder will typically be the machine catalog name + basedisk + random datastore identifier assigned by XenDesktop. This applies to all MCS images; static and pooled.”

You can see the base snapshot MCS created, called Citrix_XD_Name. This is the initial snapshot Studio-MCS makes. But ideally you can keep them all around. So my steps are as outlined below.

Deleting all Snapshots. (Deleted All Yes) I didn’t want any old stuff floating around.

Create new snapshot

Now I’ll update all tools, software and whatever I need to update.

Let’s check the provisioning scheme so I can get the provisioning scheme and the XDHyp information and display the list of snapshots on the virtual machine:

I copied it from PowerShell and put it in OneNote so I could see what I was looking for. As you can see here it still shows my old snapshots. We will update that.

Note: to find the ProvisioningSchemeName, look in the output of the Get-ProvScheme command. Keep this name for later.

  1. Now at this time, I need to run this:

a. Get-ChildItem -Recurse -Path 'XDHyp:\HostingUnits\%hostName%\%vmName%.vm'

b. This will list the snapshot that is associated with the VM itself.

c. For me it’s this:

d. Get-ChildItem -Recurse -Path "XDHyp:\HostingUnits\XA_XD Netwrk Connection VS1VC01_PROD_176\XD7MSTRHR.vm"

  2. Then my output is

*Note* you can see that it shows my snapshot listed

  3. I need to take the “Full Path” and note it for the next command.
  4. The second command is:

a. Publish-ProvMasterVmImage -ProvisioningSchemeName "%provisioningSchemeName%" -MasterImageVM "%templatePSPath%"

b. For me it’s:

c. Publish-ProvMasterVmImage -ProvisioningSchemeName "Citrix Human Resources Desktop" -MasterImageVM "XDHyp:\HostingUnits\XA_XD Netwrk Connection VS1VC01_PROD_176\XD7MSTRHR.vm\ImageUpdate.snapshot"

While this is running in my Hypervisor you will see this.

Once it’s completed you will see

Now Run Get-ProvScheme

These updates will only apply to new machines created from the MCS full Clones. It will not update previously created ones. That is the downfall of MCS Dedicated full clones. 


Mar 07, 2020

UDP over Audio for Citrix

Many people use Audio in Citrix VAD. It works well, but at times it can be choppy, jittery, and lagging.

I wouldn’t say it’s hard, but Citrix is kind of all over the place with the docs. The Tech Zone does a nice job on the material. One of the reasons I started blogging is I see all kinds of blogs, but I want to do something different. I want to share my settings and get feedback on your experience. Then update my blog with your professional experience. Of course with your approval and your credit for the work. This will allow each one to share different configurations and what works. My intention isn’t to redo blogs or Tech Zone but to show ALL configurations around a specific topic, like this one. I want more than just links; I want detailed setups from start to finish. So, let’s start.

  1. Studio default Citrix policies
  2. So, as you can see, 3 policies are set by default within Citrix Studio. The reason I am showing this is that I just wanted to assure people that no Studio policies need to be configured.

  3. Another thing I found is that if the audio is set to medium, the quality is better, and it helps for mics that use the optimized USB ICA virtual channel.

  4. These are set by default. You then need to tell the Workspace clients how to use this policy. If these are not set, UDP will not work over audio.
  • Enable audio
  • Sound quality medium
  • Enable Real-Time transport (16500 – 16509)
  • Allow Real-Time transport through Gateway

2. Client settings for UDP

Workspace GPO, setting that reflects the bullet points above.

  1. The next question will be, how does this work for non-domain, BYOD devices?
  2. For this to take effect, you must update the default.ica on your StoreFront servers.
  3. On the StoreFront machine, open C:\inetpub\wwwroot\Citrix\<Store Name>\App_Data\default.ica with an editor such as Notepad++.
  4. Some people may not like editing the default.ica file. I understand and get it. But after all, that is what really makes up the ICA packet from launching resources. It would be nice for Citrix to add a GUI option for this in StoreFront, such as a drop-down that says enable UDP for all Workspace clients. Checkbox = enable.
  5. Anyway, let’s continue. So, for me, it’s this: C:\inetpub\wwwroot\Citrix\MFA\App_Data
  6. Make the entries below under the [Application] section.

  1. Firewall requirements
  2. The Audio UDP port range specifies the range of port numbers that the Virtual Delivery Agent (VDA) uses to exchange audio packet data with the user device.
  1. By default, the range is 16500 – 16509
  2. Base Citrix Layout. I took this from the EDT CTX Article.
  3. Some people think that these ports need to be open externally as well. But in fact, it is from the SNIP to the VDA network. Then it’s wrapped up in the ICA packet.

  1. I have seen some documentation stating you need these ports open, however that is from the NSG gateway to the VDA backend. This isn’t what they mean.
  1. This is what it will look like in terms of an ICA packet.
  2. Internet Firewall: Additional rules must be added to your firewall(s) to allow the following UDP traffic.
  • Client/Citrix Receiver > NetScaler Gateway – UDP/443
  • NetScaler Gateway > XenDesktop VDA – UDP/16500-16509  

h. Ideally, if you could blow up the ICA packet and analyze the data inside it, it would look like this

  1. NetScaler Settings needed
  • Enable the DTLS flag on the NetScaler Gateway Virtual Server.


I didn’t have to do this, but based on my research people have done this and then it would work.

  • Unbind the SSL certificate pair from the NetScaler Gateway Virtual Server.
  • (Re)bind the SSL certificate pair to the NetScaler Virtual Server. (Note: when rebinding the SSL certificate I didn’t get any message saying, “No usable ciphers configured on the SSL vServer/service.” This is a known issue and can be ignored.) Some say they have, but I didn’t.
  1. Go to the Gateway settings, then click the desired Gateway and edit
  2. Go to the Gateway, and Edit the vServer

  1. After this select DTLS (checkbox), under Basic settings. This is right at the top after you are in the Gateway settings.
  1. Now go down to the SSL local and unbind the SSL cert. After you unbind it, go down and press Done so the NetScaler will commit the changes.
  1. Go back into the Gateway, and now bind again. After you bind it, go down and press Done so the NetScaler will commit the changes.

  1. Now at this point, you will see this in the DTLS setting 
  1. As you can see here, once the user starts connecting in, you will see the Client port and XenApp/XenDesktop port show the UDP audio port.

  1. Final results
  1. 2016 Windows Server / Windows 10 1608 LTSC
  2. VDA 1912 2016 Windows Server / VDA 1909 Windows 10 LTSC
  3. Logitech h570 headset (Optimized USB support)/ SONY PS3 Mic
  4. Citrix Workspace 1911
  5. FSLogix profiles (Just in case anyone asks)





*Update* For XenDesktop 3/7/2020

I needed to show XenDesktop settings based on a Slack conversation I had. My settings are the same; nothing changed other than that I had to enable USB support for this VDA, even though Citrix is picking it up as optimized. It’s not integrated, and it’s still a USB device. (Which reminds me, I need to update my USB blog.) Also make sure “Client USB Plug and Play device redirection” is enabled, or nothing will happen.

My only headset laying around was my old PS3 Mic. Dang Citrix picked it right up, and optimized it  but restricted it. I must be blocking it.

I am 🙂

Allowed now.

I have to restart my session, for the restriction to go away. The sound would go through to the mic.

Then check and see if optimized is right for this mic

Ok so it’s open now.

Still no Audio through Mic, as I am talking into it here.

Toggle it to Generic

Windows 10 will install a driver for me. 🙂

Generic it is… ( This is also how I test optimized and Generic) 

See more here

My testing was around XenApp (Virtual Apps) XenDesktop (VD), and this is for Avaya OneXcommunicator without VDI equinox communicator on the client.

Here are some blogs I picked through to get my information.

  • This was on Windows 8 and Citrix Receiver 4.2

As you can see, UDP is far more valuable and is a must. Seems like Citrix nailed this and did a wonderful Job from a bandwidth perspective. But is the audio really better?  

Some discussions around this.

This article states to use High

Avaya states UDP and medium

UDP with the multi-stream set, interesting Article talks about multi-stream and how it can help


References and data, I collected for this blog



But as you can see, the data is scattered and it’s tough to get it all. Well, in my opinion. If you have a different configuration and did something different, please share and, with your permission, I’ll update this with your steps outlined for your setup in your environment. I feel that a master blog would benefit everyone.

Feb 29, 2020

DPI scaling and Citrix workspace Client-side issues are such a pain

There are times a user will have 2, 3 or maybe 4 monitors.

  • At times, when they launch an application, you will see this.
  • You will also see the mouse cursor offset by a few millimeters on an external display
  • You will also see the display is really off and the users can’t do much
  • You will also go crazy!

Why is this? It’s the local clients’ DPI settings, that are passed from their client into the Citrix session. 

The application is cut off. Now the first thought is something is wrong with Citrix. Send it to Engineer. But in fact, it’s the local client screen resolution and DPI settings.

Example: Monitor 3

Example: Monitor 2

Example: Monitor 1

To address this, you have 2 options.

1. Make all DPI settings the same on the local client they are connecting from. But most users, complain about changing things, as they are not tech-savvy, and don’t like change. I get that as well, I don’t like change either ☺

2. Option 2, adjust the workspace to see this.

  • How do you ask? 

3. In the menu option right click on Citrix workspace and select Advanced.

Click High DPI 

4. Now select use High DPI or “YES”. You will have to log the user out of the Citrix session all the way; this is important. Or you can click “no, use my native resolution” as well.

Let’s try this method now! 😉

6. Now after we change it, we need to log the user out of the session. But the DPI setting is jacked up and we can’t from the client side. Or can we? Right-click on the Workspace and go to Connections. Select the server and log off. Simple as that. Of course, you can do it from Director, but this will allow you to do it faster.

7. Relaunch application now with it set to HIGH or “yes”

  • Hey look, it matched my DPI settings, and my Mouse is spot on.

Let’s face it, at times Citrix is confusing and can be a tech support nightmare. But it doesn’t have to be if you have the correct support and proper team.

Reading material to better understand this concept.

Check out CTX202319, it looks like DPI, not matching can cause this too.

Use case: Operating System Scaling (also known as DPI scaling)
OS scaling is the default and is identical in behavior to previous receiver versions. This corresponds to the UI setting “Let the operating system scale the resolution”, or the High DPI policy set to disabled. This lets Windows handle all DPI scaling. The resolution on the VDA will be scaled and based on the DPI, resulting in a smaller resolution than the client device. This works well for single monitor sessions, and is efficient when connecting to XenApp 6.5 hosts, or supported XenApp/XenDesktop VDAs configured for Legacy Graphics.

This method does not support Mixed DPI; all monitors must have the same DPI or the session will not work. Scaling can cause blurriness in the images, particularly in the case of the text. This setting is recommended for users on Windows 7 endpoints if DPI matching is not possible, or those connecting to Legacy VDAs. It can also be used on Windows 10 if there is no Mixed DPI. 

Problem Cause

The use of different DPIs between monitors is not supported in Citrix XenDesktop and XenApp environments for receiver versions older than 4.10, as documented in CTX201696 – Citrix XenDesktop and XenApp – Support for Monitors Including 4K Resolution and Multi-monitors.

You can verify the DPI (% scaling) by going to the Windows Control Panel > Display options.

Feb 29, 2020

How to send a group of users to a single desktop or a group of Desktops

This would come in handy if you have a piece of software that can only register on desktop “Name”, depending on the vendor licensing schemes.


On the right hand side click manage tags


Create a tag name


On the machines right-click the machine and click manage tags


Add the Tag for the machines you would like to send the users to.


Edit the Delivery Controller, and create a new Desktop, with the Tag


Add Desktop


Check “Restrict launches to machines with tag”, select the tag from the drop-down, and click OK.


Go to workspace and Refresh apps.





Launch it to make sure it is the number 10 server


The Tag took me to the desktop that I needed for special Software that has to do with machine licensing.


I am sure there are more ways to do this, but this helps me. Maybe it will help you.

Dec 15, 2019

First way
For Scanner settings, this is needed on the Local PC first.

  1. Go here
  2. Create the key for the VID and PID like this.
  3. Inside the registry key add a DWORD32 named AutoRedirect with the value 0x00000001 (on the same client).
  4. In Studio, you will need a USB policy like this….

Make sure this is checked.

Second way
Citrix Studio Policy

Go here and enable this registry Key (client PC)

When logging into windows

Dec 13, 2019

Base settings, No Policies set in Studio, or Receiver

No Registry hacks meaning nothing in….

This is normal meaning Stock

Nothing edited here

Let’s launch a XD session

So, as you can see the defaults are taken over based on this article

The Citrix USB settings are in depth at times and kind of all over the place in the docs. But I am sure there are reasons why.

HDX technology provides optimized support for most popular USB devices.  This includes:

  • Monitors
  • Mice
  • Keyboards
  • VoIP phones
  • Headsets
  • Webcams
  • Scanners
  • Cameras
  • Printers
  • Drives
  • Smart card readers

So, it redirected them as it should as Optimized. 

But if you read here…

Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.

HDX technology provides generic USB redirection when optimized support is not available or unsuitable, for example:

  • The USB device has additional advanced features that are not part of optimized support, such as a mouse or webcam with additional buttons.
  • Users need functions which are not part of optimized support, such as burning a CD.
  • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
  • An application requires direct access to the device as a USB device.
  • The USB device only has a Windows driver available. For example, a smart card reader may not have a driver available for Citrix Receiver for Android.
  • The version of Citrix Receiver does not provide optimized support for this type of USB device. 

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

So, optimized will not work for our scanners in the environment I am in.

Generic will have to be set here. The Policies Below can be done to achieve this.

Remember to note this (Will come back to it soon)

Another Leading Missed concept

This doesn’t apply to us as we enable USB support but more information for the future when re-reading this

USB devices are automatically redirected when USB support is enabled, and the USB user preference settings are set to automatically connect USB devices

So what I take from this is that if I have USB enabled, then it will redirect devices. If I don’t, then I can set these reg devices to only allow certain ones.

Note: In Receiver for Windows 4.2, USB devices are also automatically redirected when operating in Desktop Appliance mode, and the connection bar is not present. In earlier versions of Receiver for Windows, USB devices are also automatically redirected when operating in a desktop appliance mode or with Virtual Machine (VM) hosted applications.
However, it is not always best to redirect all USB devices, and this article describes how to configure whether a device must be automatically redirected or not.
Users can explicitly redirect devices from the USB device list that are not automatically redirected. To prevent USB devices from ever listed or redirected, you can use DeviceRules on either the client endpoint or the Virtual Desktop Agent (VDA). See Administration Guides for further details.

So in other words if I disable USB Device Redirection I can control it more?

Or does USB have to be enabled but I can stop the auto Redirection?

Let’s test this

So I disabled this

Now I will log in and it should not PASS anything.

Nothing passed

Now let’s enable 1 reg setting back on the CTX123015 article. So I want all Scanners to come through.

Now enable the (Connect USB Device)

Do a gpupdate /force on the machine you’re on.

Check the registry to make sure the GPO changed on the client the GPO is applied to.

Reg Setting Set, Receiver GPO Set, log out then back in and it should come through as generic according to Citrix

I couldn’t get this to work, I am uncertain at this time what Citrix means by this.

I will re-enable USB redirection back, and put things the way I had it.

Now back to the Generic USB Redirection pieces.


With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.


To enable a USB device to be redirected in as a generic driver within Receiver Preferences

The purpose of this is to allow it to be saved within the settings of receiver.

Generic Drivers Set by default

When it’s set to 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices

It comes in as Optimized.

Setting these registry settings

is supposed to use the generic driver inside the VDA for XenDesktop.

Desktop shows…..

But when this popped up

If I clicked on it and selected the devices, then they came through as Generic.

(Note: I need no user interaction, so I will set it to pass through and connect as default on the receiver_workspace GPO)

But continue with the method anyways.

Log out then back in and it should do it by itself now. It worked.

Way 2

This is intended to make it seamless for the end user and to make them like Citrix again.

  1. Please get the VID and the PID of the device.
  2. Plug in the device on the local workstation.

Open device manager

Find your device

Right click and go to properties

Click the details tab

Change the property to Hardware Ids

The format you need is this

VID0711 PID5200

Now take this VID0711 PID5200 and create a key in the local registry of the local desktop.


32 bit

Take out the WOW6432Node and it’s the same path

Create a key under Devices, named with the VID and PID number.

Now add a DWORD called AutoRedirect and set its value to 1.

Now when you sign in to the XenDesktop session you will need to open the Citrix Receiver Preferences and select the option to connect the device when a session starts. THIS IS A MUST for Generic to work (GPO is another option for this setting).

Not to get side tracked but For that setting you can do this

Now back to the session…

Log out and back in and you will now see your device redirected in as Generic 

Now if you don’t want connect device automatically you have this option. When you first login you will see this pop up. Click on it.

Now you get this.

If I select my Fujitsu device, I will still get the generic option, because I have the generic reg setting set to 1. Meaning this.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices

Issues I had because of GPO are scoped correctly

My USB mouse and Keyboard keep redirecting in. I couldn’t figure this out. Citrix seen that this policy.

Which applies to….

Then forcing this on my local Machine.

ALLOW:03 is a global HID for Mouse and Keyboards.

I created a Group and Put the XD7-BUS-### along with my machines and select deny.

Then I went through my machine and deleted the orphaned keys.

Now things work as normal on my machine.

Way 3

In Citrix Discussion 376957, a user had the same issue. He solved it by doing this.

The problem was that in “Client USB device redirection rule” I have manually inserted some rule like “Allow: class=08”; after I have enabled “Use default value” and with your suggestion the redirection works as I wanted.


 In this article it talks about adding the PID and VID in the Generic USB settings. It would appear that the Check box “Use default values” isn’t the only thing needed. By adding the PID and VID it will redirect it as Generic. But I want all scanners to be generic. How do I achieve this? Follow the screen shots below.

This will do it for all storage devices, or any device that is considered in the generic coding within these settings.

Then add the registry value AutoRedirectStorage=dword:1, and mass storage will behave as a generic device for redirection.

But for all generic device to be redirected you always have to select below options in cdviewer Preferences:

1. When session start connect device automatically

2. When new device attached connect device automatically

 So overall you have to add registry and set checkboxes in preference, connections tab for auto redirection to work smoothly

Way 4

Another Test I did, was I needed to Redirect Mass Storage, But Block my USB Video input for an extra monitor I had.

ALLOW: VID=ABCD PID=1234 #Mass Storage Device as Generic

(With this allow rule above I had to enable this as well)

DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

This is somewhat confusing, and Citrix E-docs aren’t the best for explaining all this. They have a lot of great information, but it runs together.

On the Windows 7 VDA you can see this. So it’s working as it should. ( Same on windows 10- validated up to 1809) 

Way 5

Another Test I would like to do is configure this on the receiver side.

I will remove my Studio USB ALLOW and DENY RULE.

Then apply it to my Citrix Receiver 4.5 ADMX in GPO.

Created the Citrix Receiver 4.5 Rule

Made sure the AutoRedirectStorage is still intact, and set to 1 which is redirect generic USB according to Citrix

Now on my Desktop (local Client)

Now let login to the VDA

This looked like it works as well.


One thing I noticed is that if you use the Citrix Receiver/Workspace ADMX for generic USB remoting and you don’t have an ALLOW rule for your devices, they will pass through but will be optimized by default. It’s like if you use the Receiver GPO, then use it all the way through.

Example I am denying USB Video, but my scanner is coming through as Optimized and policy is set and I cannot override it.

I added this rule

Now on my VDA you can see, the Scanner came in great.

As you can see, if I don’t have the USB allow rule for my mass storage device, it comes in as optimized and restricted.

Let’s update Citrix Receiver ADMX policy

Allow must be before DENY, like a firewall ACL.

Allow: VID=1DCC PID=482B #Ambir Scanner; Allow: class=08 subclass=06 prot=50 # Mass Storage; DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

Another off the note example of Rules. Not applied here though

Allow: VID=1DCC PID=482B #Ambir Scanner; DENY: Class=08 Subclass=06 # Mass Storage; DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

DENY: VID=0781 PID=5202

Now it is not restricted, but still not generic. I can enable generic, but I would rather force it. So the USB rule allows me to use it in my session as generic or optimized.

Set my registry key storage for

Log off and back on.

USB Rule Gotchas

One thing I had to figure out was the Optimize policy setting for USB device. This was geared around Client drive redirection.

I would apply a USB rule within the Receiver ADMX file to deny a USB device.

Example: DENY: VID=0781 PID=5202

It then would come in and say this.

The device would still come in.

But I found out that I have to disable this policy in studio.

I went ahead and added this too

Now it will show policy restricted and allow the user to redirect it, which is good. For approved thumb drive devices our company will allow them to use.

But let’s say a Vendor has a security flaw on a USB Thumb drive, and I had the VID and PID.

Yes, I have seen it where a thumb drive comes with a piece of software on the thumb drive, and it can be used as an entry point into your network. A lot of people I see don’t take this seriously. This won’t happen to me. But it can and it will one day. I understand we have to provide users a good experience, but I see where a lot of sloppy IT guys just make it work to get them off the phone, or are lazy and don’t want to deal with it. This isn’t good. So controlling it from a higher point will prevent this.

I can now apply the deny rule, and the Redirect option will be greyed out.

This will ensure the USB thumb drive (mass storage) device will not be used in the session, XA or XD.

Now at this point, you control what is inserted.
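
The ordering point made earlier (a specific Allow has to sit before a broader DENY, like a firewall ACL) can be checked offline before a rule list goes into the Receiver ADMX or a Studio policy. The Python sketch below is an added example, not code from this blog or from Citrix: it parses rules in the Allow:/DENY: form used in this post, evaluates a device against them first-match-wins, and reports rules whose tag names are not recognised (for example VIP= typed for VID=). The sample devices, the comment handling and the treatment of malformed rules are assumptions.

```python
import re

# Tag names a device rule may filter on (compared case-insensitively here).
KNOWN_TAGS = {"vid", "pid", "rel", "class", "subclass", "prot"}
RULE_RE = re.compile(r"^(allow|deny)\s*:\s*(.*)$", re.IGNORECASE)


def parse_rules(text):
    """Parse a rule list into (rules, problems).

    Rules may be one per line or semicolon-separated, as written in this post.
    Assumptions of this sketch: a '#' comment runs to the next ';' or
    newline, and a rule with an unrecognised tag is reported and left out.
    """
    rules, problems = [], []
    for raw in re.split(r"[;\r\n]+", text):
        raw = raw.strip()
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue  # blank or comment-only entry
        match = RULE_RE.match(body)
        if not match:
            problems.append((raw, "not an Allow:/Deny: rule"))
            continue
        criteria, bad = {}, []
        for token in match.group(2).split():
            name, sep, value = token.partition("=")
            if not sep or name.lower() not in KNOWN_TAGS:
                bad.append(f"unknown tag {token!r}")
                continue
            try:
                criteria[name.lower()] = int(value, 16)  # IDs are hexadecimal
            except ValueError:
                bad.append(f"non-hex value {token!r}")
        if bad:
            problems.append((raw, "; ".join(bad)))
        else:
            rules.append((match.group(1).lower(), criteria))
    return rules, problems


def evaluate(rules, device):
    """Return the action of the first rule that matches, or None."""
    for action, criteria in rules:
        if all(device.get(tag) == want for tag, want in criteria.items()):
            return action
    return None


# Constructed sample devices (USB descriptor values as integers).
THUMB_DRIVE = {"vid": 0x0781, "pid": 0x5202,
               "class": 0x08, "subclass": 0x06, "prot": 0x50}
OTHER_STORAGE = {"vid": 0xABCD, "pid": 0x1234,
                 "class": 0x08, "subclass": 0x06, "prot": 0x50}
USB_VIDEO = {"vid": 0x0711, "pid": 0x5200}

# Specific allow first, broad deny second: only the approved drive gets in.
ALLOW_FIRST = """
Allow: VID=0781 PID=5202   # approved thumb drive
DENY: Class=08 SubClass=06 # all other mass storage
"""
# Same two rules reversed: the broad deny matches first and shadows the allow.
DENY_FIRST = "DENY: Class=08 SubClass=06; Allow: VID=0781 PID=5202"
# In this sketch a deny rule with mistyped tag names is dropped, so the
# device it was meant to block falls through to the next rule.
TYPO_RULES = "DENY: VIP=0711 PIC=5200 # block USB video; Allow: # everything else"
FIXED_RULES = "DENY: VID=0711 PID=5200 # block USB video; Allow: # everything else"


def report(label, text, device):
    """Evaluate one constructed case, print it, and return the result."""
    rules, problems = parse_rules(text)
    verdict = evaluate(rules, device)
    print(f"{label:<32} -> {verdict}")
    for rule, reason in problems:
        print(f"    ignored rule {rule!r}: {reason}")
    return verdict, problems


if __name__ == "__main__":
    report("allow first, approved drive", ALLOW_FIRST, THUMB_DRIVE)
    report("allow first, other storage", ALLOW_FIRST, OTHER_STORAGE)
    report("deny first, approved drive", DENY_FIRST, THUMB_DRIVE)
    report("typo in deny, USB video", TYPO_RULES, USB_VIDEO)
    report("fixed deny, USB video", FIXED_RULES, USB_VIDEO)
```

A verdict of None means no rule matched; what the client does in that case is not modelled here.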

Generic USB reg settings

To use generic USB redirection rather than optimized support, you can either:

  • In Citrix Receiver, manually select the USB device to use generic USB redirection, choose Switch to generic from the Devices tab of the Preferences dialog box.
  • Automatically select the USB device to use generic USB redirection, by configuring auto-redirection for the USB device type (for example, AutoRedirectStorage=1) and set USB user preference settings to automatically connect USB devices. For more information, see CTX123015
  • This can bite you if you have USB video cards; just put a deny rule in so it will not try to double dip and redirect again.
  • Example: DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA


As you can see, there are a lot of USB settings. More than I would like to configure. But USB devices have come a long way. Users have many options now. This article was to help with the ease and confusion.

If you see something that doesn’t make sense or doesn’t work, please let me know. I may need to update the settings based on a new CR or LTSR release. But I follow this a lot when I forget.

Oct 18, 2019

Update 10/29/19: Added search (username/userfullname) to the Sessions tab.

Studio always seems extremely sluggish to me when trying to navigate between different areas. I’m always waiting a few seconds for the refresh circle to go away every single time I navigate somewhere new.

Most of the time I just need to put a machine in/out of maintenance, perform a power action, or logoff/disconnect a session. I found that PowerShell is MUCH faster, so I wrote a new little tool.

.NET 4.5
The broker admin PowerShell snap-in (available on the install media; alternatively you can run this on the delivery controller itself and use localhost as the connection string)

You can select each server/desktop/session individually, or select multiple. Then simply right click and select the operation to perform. I have tested this on versions 7.15 through 1906. Note: There is no warning! When you select the action to perform it will just do it.
Here is the download link

Operations allowed (depending on state):
Machines – turn on/off maintenance, shutdown, restart, reset, poweroff
Sessions – Disconnect, Log Off