Dec 23, 2019
 

This is an older upgrade, but you can still use it as a reference point.

There are a lot of guides out there, and this isn't meant to repeat any of them; it's just how I did it.

Great blogs

https://www.carlstalhood.com/workspace-environment-management/

https://www.mycugc.org/blogs/cugc-blogs/2018/07/20/how-to-update-citrix-workspace-environment-managem

WEM Upgrade Process

*NOTE* I use BISF for all my images. In this post, you will see I don't run these commands; BISF will do it for me when I seal up my image.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe eqi 3

WEM Upgrade layout

Infrastructure Services

  1. Run the installer of the Infrastructure Services version you want to upgrade to. 
    1. This may not be needed, but I do it as a safety net.
  2. You should manually stop the Norskale Infrastructure Services service before upgrading to ensure the upgrade is successful.
[Screenshots: stopping the Norskale Infrastructure Service in the Services console; running "Citrix Workspace Environment Management Infrastructure Services Setup.exe" with "Run as administrator"; the InstallShield wizard (Welcome, License Agreement, Customer Information, Setup Type: Complete, Ready to Install, Completed with the "Start the Database Management utility" option).]
  1. Now start the Database Management Utility which will lead in 5b.

Upgrade Database

[Screenshot: WEM Database Management Utility with the Create and Upgrade database options.]
  1. Now launch the Infrastructure Services Configuration Utility again:
     "C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Norskale Broker Service Configuration Utility.exe"
  2. Repopulate with all the values that you took note of in the initial tests and allow the services to restart.

Service account used here.

[Screenshot: WEM Infrastructure Service Configuration, Database Maintenance tab (scheduled database maintenance enabled, execution time 02:00).]
[Screenshot: WEM Infrastructure Service Configuration, Network Settings tab (administration port, agent service port, cache synchronization port, WEM monitoring port).]
[Screenshot: prompt stating that the Broker Service will be restarted to apply settings.]
[Screenshot: About Citrix Workspace Environment Management Console, Version 1808.0.1.1.]

Upgrade Admin Console

[Screenshots: "Citrix Workspace Environment Management Console Setup.exe" in the Workspace-Environment-Management 1808 installer folder; the InstallShield wizard preparing to install the console.]

Upgrade Agent host

I just do the basic install. I used to tell it to install the cache on the D drive, but that's really not needed anymore. I use BISF and tell it to move the cache for me. I like to have a D drive on my machines (PVS).

You can read here in the comments

https://www.mycugc.org/blogs/cugc-blogs/2017/11/30/wem-advanced-guidance-part-1

[Screenshots: the agent installer in the Workspace-Environment-Management 1808 installer folder; the Citrix Workspace Environment Management Agent InstallShield wizard welcome page.]

Then just follow the basic prompts

Update new ADMX and ADML Files

For me, it’s this

\\Domain.org\SYSVOL\Domain.org\Policies\PolicyDefinitions

Changes In 1903 and up

Keep this in mind

Now, if you're upgrading beyond 1903, remember the paths have changed.

Reference

James Kindon has done the work for you. Use his scripts.

The following changes are going to occur so be ready:

  1. A new clean installation of the WEM Agent will result in a complete change of Service Names and Folder Structures as below:
     • The new Service name is: Citrix WEM Agent Host Service
     • The new process name is: Wem.Agent.Service.exe
     • The new path structure is: %ProgramFiles%\Citrix\Workspace Environment Management Agent
  2. An upgraded installation of the WEM agent will result in partial changes to your environment:
     • The new Service name is: Citrix WEM Agent Host Service
     • The new process name is: Wem.Agent.Service.exe
     • The path on the file system will not be altered and will remain as it was: %ProgramFiles%\Norskale\Norskale Agent Host

Be aware also that in both clean and upgraded deployments, the Windows Event logs will change from Norskale Agent Service to WEM Agent Service


| | Old (Pre Cloud Service 1903 and On-Prem 1909) | New (Post Cloud Service 1903 and On-Prem 1909) |
|---|---|---|
| Installation path | %ProgramFiles%\Norskale\Norskale Agent Host | %ProgramFiles%\Citrix\Workspace Environment Management Agent |
| Service name | Norskale Agent Host Service | Citrix WEM Agent Host Service (WemAgentSvc) |
| Process name | Norskale Agent Host Service.exe | Citrix.Wem.Agent.Service.exe |
| Event Logs | Norskale Agent Service | WEM Agent Service |




1912 has introduced some new changes as well.

https://docs.citrix.com/en-us/workspace-environment-management/current-release/whats-new.html

*One thing to note on Port*

Cache synchronization port. (Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cache synchronization port must be the same as the port you configured for the cache synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8285 and corresponds to the AgentCacheSyncPort command-line argument.

Cached data synchronization port. (Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cached data synchronization port must be the same as the port you configured for the cached data synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8288 and corresponds to the CachedDataSyncPort command-line argument. Alternatively, you can specify the port using a command-line option in the silent installation of the WEM agent

Wayne Lui states it's backward compatible and still listens, but I would add this port to your firewall ruleset.
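One way to act on that firewall advice, as an added example (not from the original post or from Citrix): PowerShell that checks the infrastructure server for an inbound allow rule on each synchronization port named above and adds one scoped to the agent subnets when it is missing, plus a reachability check to run from an agent. The subnet, the host name, the rule names and the function names are placeholders or hypothetical.

```powershell
# Added example. Ports are the two defaults quoted above; everything else is a placeholder.
$SyncPorts = @(
    [pscustomobject]@{ Port = 8285; Name = 'WEM cache synchronization (1909 and earlier)' }
    [pscustomobject]@{ Port = 8288; Name = 'WEM cached data synchronization (1912 and later)' }
)

function Test-InboundTcpAllowed {
    # True when an enabled inbound allow rule lists this exact TCP port.
    # Rules that use a port range or 'Any' are deliberately not counted.
    param([Parameter(Mandatory)][int]$Port)
    $hit = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$Port") }
    return [bool]$hit
}

function Add-WemSyncPortRule {
    # Run elevated on the WEM infrastructure server.
    param(
        # Placeholder: the subnets your WEM agents connect from.
        [Parameter(Mandatory)][string[]]$AgentSubnet
    )
    foreach ($p in $SyncPorts) {
        if (Test-InboundTcpAllowed -Port $p.Port) {
            "TCP $($p.Port): inbound allow rule already present"
            continue
        }
        # Scope the rule to the agent subnets instead of opening the port to everyone.
        New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Protocol TCP `
            -LocalPort $p.Port -RemoteAddress $AgentSubnet -Profile Domain -Action Allow |
            Out-Null
        "TCP $($p.Port): rule '$($p.Name)' created for $($AgentSubnet -join ', ')"
    }
}

function Test-WemSyncPort {
    # Run on an agent machine: confirms both ports answer on the infrastructure server.
    param([Parameter(Mandatory)][string]$InfrastructureServer)
    foreach ($p in $SyncPorts) {
        $result = Test-NetConnection -ComputerName $InfrastructureServer -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p.Port; Reachable = $result.TcpTestSucceeded }
    }
}

# Usage (placeholders):
#   Add-WemSyncPortRule -AgentSubnet '192.0.2.0/24'
#   Test-WemSyncPort -InfrastructureServer 'wem-infra.example.org'
```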

Port information

https://docs.citrix.com/en-us/workspace-environment-management/current-release/reference/ports.html

Dec 15, 2019
 

First way
For Scanner settings, this is needed on the Local PC first.

  1. Go here
  2. Create the Key for the VID and PID like this.
  3. Inside the Registry Key add a DWORD32 with AutoRedirect 0x0000001 (On the same Client)
  4. In Studio, you will need a USB Policy like this.

Make sure this is checked.

Second way
Citrix Studio Policy
https://support.citrix.com/article/CTX123015
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/general-content-redirection/usb.html

Go here and enable this registry Key (client PC)

When logging into windows

Dec 13, 2019
 


Generic VS Optimized USB Support.

This is one of those deals that can drive you mad: USB devices in Citrix. In my experience, this is big in health care and banks. Typically, users that interact with users a lot! I must admit, the USB docs are here, there, sideways, upside, and backward. The docs point everywhere, and Citrix has done a great job providing all the information. But at times, I find it hard to put it all together. I am going to try to put this all in one place, as I know I struggle with this at times.

Optimized vs. generic USB device

Citrix does a good job on this, touching on the difference at a high level.

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/devices.html

Optimized USB ICA Channel

An optimized USB device is one for which Citrix Workspace app has specific support. For example, the ability to redirect webcams using the HDX Multimedia virtual channel.

This means Citrix has worked with the vendors to build the hardware classes inside the Virtual channels to provide superior low bandwidth support. This is geared around Citrix workspace and VDA Virtual Channels.

HDX technology

“HDX technology provides optimized support for most popular USB devices. Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.”

This link talks about Optimized for 3 sentences only. Then goes straight to Generic.

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/general-content-redirection/usb.html

This link is labeled as Generic USB devices but mostly talks about Optimized.

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/devices/generic-usb-devices.html

Generic USB ICA Channels

 A generic device is a USB device for which there is no specific support in Citrix Workspace app.

This doesn’t mean it will not work; it just means it’s not optimized, and the USB device might not be as fast and will take more bandwidth. Such devices still work, just not as well, especially over WAN connections with remote offices.

“HDX technology provides generic USB redirection for specialty devices that don’t have optimized support or where it is unsuitable”

Examples

  • The USB device has more advanced features that are not part of optimized support, such as a mouse or webcam having more buttons.
  • Users need functions that are not part of optimized support, such as burning a CD.
  • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
  • An application requires direct access to the device as a USB device.
  • The USB device only has a Windows driver available. For example, a smart card reader might not have a driver available for Citrix Workspace app for Android.
  • The version of Citrix Workspace app does not provide any optimized support for this type of USB device.
  1. This link talks about Generic USB but is listed under General Content redirection, which makes sense. It goes into good detail on Generic USB support.
     https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/general-content-redirection/usb.html
  2. Here is another link, “Citrix Generic USB Redirection Configuration Guide”.
     https://support.citrix.com/article/CTX137939
  3. Here is another spin-off for Generic USB. It has some Optimized, but it is mainly about enabling the auto-redirect setting so users don’t have to do it inside Desktop Viewer.
     https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/usb-devices-policy-settings.html

There is a lot of information out there, which is where TechZone is going to make this all good. Who knows maybe this will come in handy for them? 

Desktop Viewer legends

https://help-docs.citrix.com/en-us/citrix-workspace-for-windows/display-view-desktops-in-desktop-viewer.html

USB Classes

Another good link is the USB classes and such. This helps me when I am configuring for generic as well.

https://www.usb.org/defined-class-codes

USB device rules

USB device rules use one or more of six identifiers for USB devices. For specific rules, refer to www.usb.org. This website has the identifiers to use with XenDesktop.


At times when I need deep information about a USB device, I use a tool called USBDeview. As you can see here it gives some handy information. http://www.nirsoft.net/ is my source for this.

All these settings come from about 6-7 years’ worth of USB situations I have been in.

I break down many options around Generic USB settings. The reason is that it seems to be what a lot of users use due to older devices. But when optimized devices are used, it’s GOOD! I prefer using the optimized USB virtual channel when I can, as the experience is the best for me.

Working Actions and testing

Base settings: no policies set in Studio or Receiver/Workspace.

No registry hacks, meaning nothing inserted for the client (local clients).

This is a normal, meaning stock, client (local clients) within Citrix Workspace.

Nothing edited here (local clients). You will often see that this location has default device rules for what is allowed or blocked by default.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB

From my experience, I have seen this stop USB devices, even when Studio policies are in place.

# Syntax is an ordered list of case insensitive rules where # is line comment
#  and each rule is (ALLOW | DENY) : ( match )*
#  and each match is (class|subclass|prot|vid|pid|rel) = hex-number
# Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else

This is an article Citrix has that will explain it better

HID and some other type of USB device fail to redirect

https://support.citrix.com/article/CTX234916

Let’s launch a Citrix ICA session

So, as you can see the defaults are taken over based on this article

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/general-content-redirection/usb.html

HDX technology provides optimized support for most popular USB devices.  This includes:

  • Monitors
  • Mice
  • Keyboards
  • VoIP phones
  • Headsets
  • Webcams
  • Scanners
  • Cameras
  • Printers
  • Drives
  • Smart card readers

So, it redirected them as it should as Optimized. 

But if you read here…

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/general-content-redirection/usb.html

Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.

  1. HDX technology provides generic USB redirection when optimized support is not available or unsuitable (some devices just will not work with Optimized enabled), for example:
     • The USB device has additional advanced features that are not part of optimized support, such as a mouse or webcam with additional buttons.
     • Users need functions which are not part of optimized support, such as burning a CD.
     • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
     • An application requires direct access to the device as a USB device.
     • The USB device only has a Windows driver available. For example, a smart card reader may not have a driver available for Citrix Receiver for Android.
     • The version of Citrix Receiver does not provide optimized support for this type of USB device.
  2. With generic USB redirection:
     • Users do not need to install device drivers on the user device.
     • USB client drivers are installed on the VDA machine.

At the time I wrote the article, optimized would not work for the scanners in the environment I was in. Generic had to be set here. The policies below can be used to achieve this.

Remember to note this (Will come back to it soon)

Another Leading Missed concept

This doesn’t apply to us as we enable USB support but more information for the future when re-reading this

https://support.citrix.com/article/CTX123015

(Link was moved to here below)

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/usb-devices-policy-settings.html#configure-automatic-redirection-of-usb-devices

USB devices are automatically redirected when USB support is enabled, and the USB user preference settings are set to automatically connect USB devices

So, what I take from this is that if I have USB enabled, then it will redirect devices. If I don’t, then I can set these reg devices to only allow certain ones.

Note: In Receiver for Windows 4.2, USB devices are also automatically redirected when operating in Desktop Appliance mode, and the connection bar is not present. In earlier versions of Receiver for Windows, USB devices are also automatically redirected when operating in a desktop appliance mode or with Virtual Machine (VM) hosted applications.
However, it is not always best to redirect all USB devices, and this article describes how to configure whether a device must be automatically redirected or not.
Users can explicitly redirect devices from the USB device list that are not automatically redirected. To prevent USB devices from ever being listed or redirected, you can use Device Rules on either the client endpoint or the Virtual Desktop Agent (VDA). See Administration Guides for further details.

So, in other words, if I disable USB Device Redirection, I can control it more?

Or does USB have to be enabled, but I can stop the auto redirection? At the time of writing this article, I didn’t fully understand what this means. Optimized USB settings don’t rely on the “USB Enabled” setting. If Citrix Workspace has an optimized ICA channel, it will redirect and appear in the device viewer.

Let’s test this

Testing…..So, I disabled this

Now I will log in and it should not PASS anything.

Nothing passed as expected

Now let’s enable 1 reg setting back on the CTX123015 article. So, I want all Scanners to come through.

Now enable the (Connect USB Device)

Do a gpupdate /force on the machine you’re on.

Check the registry to make sure the GPO changed on the client the GPO is applied to.

Reg Setting Set, Receiver GPO Set, log out then back in and it should come through as generic according to Citrix

I couldn’t get this to work, I am uncertain at this time what Citrix means by this.

(Updated as of 3/2020) The reason that didn’t work was that I disabled USB redirection (screenshot above), and at the time I thought that by setting the device redirection in the client-side registry it would come through. But that’s not what those settings were for. They are for when USB is enabled: they set the devices up as Generic without the user having to click it every time they log in under Desktop Viewer.

I will re-enable USB redirection back and put things the way I had it.

Generic USB Redirection pieces.

https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/configure.html

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/general-content-redirection/usb.html

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/usb-devices-policy-settings.html#configure-automatic-redirection-of-usb-devices

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/usb-devices-policy-settings.html

Again

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

Generic USB Way 1

To Enable a USB device to be redirected in as a Generic Driver within receiver Preference

The purpose of this is to allow it to be saved within the settings of receiver/Workspace.

Generic Drivers Set by default when it’s set to the location here on the local Client

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices

The default key is 0, meaning all optimized is my assumption.

Then it comes in as optimized.

Setting these registry settings with a DWORD of 1 is supposed to use the Generic Driver inside the VDA for XenDesktop.

Desktop Viewer Shows.

But when this popped up

If I clicked on it and selected the devices, then they came through as Generic.

(Note I need no user’s interaction so I will set it to pass through and connection as default on the receiver_workspace GPO)

But continue with the method anyways.

Log out then back in and it should do it by itself now. It worked.

Generic USB Way 2

This is intended to make it seamless for the end-user and to make them like Citrix again.

  1. Please get the VID and the PID of the device.
  2. Plug in the device on the local workstation.

Open device manager

Find your device

Right click and go to properties

Click the details tab

Change the property to Hardware Ids

The format you need is this

VID0711 PID5200

Now take this VID0711 PID5200 and create a key in the local registry of the local desktop.

64bit

32 bit

Take out the wow6432Node and it’s the same path

Create a key under Devices. With the VID and PID number

Now add a DWORD called AutoRedirect with a value of 1

Now when you sign in to the XenDesktop session, you will need to open the Citrix Receiver Preferences and select the option to connect the device when a session starts. THIS IS A MUST for Generic to work (GPO is another option for this setting)

Not to get sidetracked but For that setting, you can do this

Now back to the session…

Log out and back in and you will now see your device redirected in as Generic 
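The registry part of Way 2 as an added example (not from the original post or from Citrix): a PowerShell function that turns the Hardware Ids string from Device Manager into the "VIDxxxx PIDxxxx" key name and writes the AutoRedirect value under the GenericUSB\Devices key named in this article. The function name is hypothetical, and the sample hardware ID is built from the VID and PID used above.

```powershell
# Added example. Run elevated on the local (client) PC, not on the VDA.
function Set-GenericUsbAutoRedirect {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # String copied from Device Manager > Properties > Details > Hardware Ids
        [Parameter(Mandatory)][string]$HardwareId,
        # 1 = redirect as generic, 0 = the default value discussed above
        [ValidateSet(0, 1)][int]$AutoRedirect = 1
    )

    # Pull the four-hex-digit vendor and product IDs out of the hardware ID.
    if ($HardwareId -notmatch 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
        throw "No VID_xxxx&PID_xxxx pair found in '$HardwareId'"
    }
    $keyName = 'VID{0} PID{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper()

    # On 64-bit Windows the path contains WOW6432Node; on 32-bit it does not.
    $software = if ([Environment]::Is64BitOperatingSystem) { 'SOFTWARE\WOW6432Node' } else { 'SOFTWARE' }
    $devicesKey = "HKLM:\$software\Citrix\ICA Client\GenericUSB\Devices"
    if (-not (Test-Path -LiteralPath $devicesKey)) {
        throw "Key not found: $devicesKey (is Citrix Receiver/Workspace app installed?)"
    }

    $deviceKey = Join-Path $devicesKey $keyName
    if ($PSCmdlet.ShouldProcess($deviceKey, "Set AutoRedirect=$AutoRedirect")) {
        if (-not (Test-Path -LiteralPath $deviceKey)) {
            New-Item -Path $deviceKey | Out-Null
        }
        New-ItemProperty -Path $deviceKey -Name 'AutoRedirect' -PropertyType DWord `
            -Value $AutoRedirect -Force | Out-Null
    }

    # Show what is in the registry now (nothing is returned under -WhatIf for a new key).
    Get-ItemProperty -LiteralPath $deviceKey -ErrorAction SilentlyContinue |
        Select-Object PSChildName, AutoRedirect
}

# Dry run first; drop -WhatIf to write the value.
Set-GenericUsbAutoRedirect -HardwareId 'USB\VID_0711&PID_5200' -WhatIf
```

The "When a session starts, connect devices automatically" preference (or its GPO equivalent) still has to be set, as described above.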

Now if you don’t want to connect the device automatically you have this option. When you first log in you will see this pop-up. Click on it.

Now you get this.

If I select my Fujitsu device, I will still get the generic option. Because I have the Generic Reg setting to 1. Meaning this.   

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices

Issues I had because of GPO are scoped correctly

My USB mouse and keyboard kept redirecting in. I couldn’t figure this out. Citrix saw this policy.

Which applies to….

Then forcing this on my Local Machine.

ALLOW:03 is a global HID for Mouse and Keyboards.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff538820(v=vs.85).aspx

I created a group, put the XD7-BUS-### in it along with my machines, and selected deny.

Then I went through my machine and deleted the orphaned keys.

Now things work as normal on my machine.

Generic USB Way 3

In Citrix Discussion 376957, a user had the same issue. He solved it by doing this.

http://discussions.citrix.com/topic/376957-usb-redirection-and-auto-switching-from-optimized-to-generic-mode/

The problem was that in “Client USB device redirection rule” I have manually inserted some rules like “Allow: class=08”; after I have enabled “Use default value” and with your suggestion, the redirection works as I wanted.

NOTE: https://support.citrix.com/article/CTX137939

 In this article, it talks about adding the PID and VID in the Generic USB settings. It would appear that the Checkbox “Use default values” isn’t the only thing needed. By adding the PID and VID will redirect it as Generic. But I want all scanners to be generic. How do I achieve this? Follow the screenshots below.

This will do it for all Storage devices, or any device that is considered in the Generic Coding within these settings.

Then add registry AutoRedirectStorage=dword:1 ,  mass storage will behave as generic device for redirection 

But for all generic device to be redirected you always have to select below options in cdviewer Preferences:

1. When session start connect device automatically

2. When new device attached connect device automatically

 So overall you have to add registry and set checkboxes in preference, connections tab for auto redirection to work smoothly

Generic USB Way 4

Another Test I did, was I needed to Redirect Mass Storage, But Block my USB Video input for an extra monitor I had.

ALLOW: VID=ABCD PID=1234 #Mass Storage Device as Generic

(With this allow rule above I had to enable this as well)

http://support.citrix.com/article/CTX123015?_ga=1.249948033.660250984.1475149031

DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

This is somewhat confusing, and Citrix E-docs aren’t the best for explaining all this. They have a lot of great information, but it runs together.

On the Windows 7 VDA you can see this, so it’s working as it should. (Same on Windows 10, validated up to 1809.)

Generic USB Way 5

Another Test I would like to do is configure this on the receiver side.

I will remove my Studio USB ALLOW and DENY RULE.

Then apply it to my Citrix Receiver 4.5 ADMX in GPO.

Created the Citrix Receiver 4.5 Rule

Made sure the AutoRedirectStorage is still intact and set to 1 which redirects generic USB according to Citrix

Now on my Desktop (local Client)

Now let’s log in to the VDA.

This looked like it works as well.

Little GOTCHA

One thing I noticed: if you use the Citrix Receiver/Workspace ADMX for generic USB remoting and you don’t have an ALLOW rule for your devices, they will pass through but will be optimized by default. In other words, if you use the Receiver GPO, use it all the way through.

For example, I am denying USB video, but my scanner is coming through as optimized, the policy is set, and I cannot override it.

I added this rule

Now on my VDA you can see, the Scanner came in great.

As you can see, if I don’t have the USB allow rule for my mass storage device, it comes in as optimized and restricted.

Let’s update Citrix Receiver ADMX policy

Allow must come before Deny, like a firewall ACL.

Allow: VID=1DCC PID=482B #Ambir Scanner; Allow: class=08 subclass=06 prot=50 # Mass Storage; DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

Another example of the rules, though not applied here:

Allow: VID=1DCC PID=482B #Ambir Scanner; DENY: Class=08 Subclass=06 # Mass Storage; DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

DENY: VID=0781 PID=5202

Now the device is not restricted, but it is still not generic. I can enable generic manually, but I would rather force it. So the USB rule allows me to use the device in my session as generic or optimized.

Set my registry key storage for

Log off and back on.

USB Rule Gotchas

One thing I had to figure out was the Optimize policy setting for the USB device. This was geared around the Client drive redirection.

I would apply a USB rule within the Receiver ADMX file to deny a USB device.

Example: DENY: VID=0781 PID=5202

It then would redirect in and say this.

The device would still come in.

But I found out that I have to disable this policy in Studio.

I went ahead and added this too.

Now it shows as policy restricted and allows the user to redirect it, which is good for approved thumb drives that our company allows them to use.

But let’s say a Vendor has a security flaw on a USB Thumb drive, and I had the VID and PID.

Yes, I have seen cases where a thumb drive ships with a piece of software on it that can be used as an entry point into your network. A lot of people I see don’t take this seriously: “This won’t happen to me.” But it can, and it will one day. I understand we have to provide users a good experience, but I see a lot of sloppy IT guys who just make it work to get users off the phone, or who are lazy and don’t want to deal with it. This isn’t good. Controlling it from a higher point will prevent this.

I can now apply the deny rule, and the Redirect option will be greyed out.

This will ensure the USB thumb drive (mass storage) device will not be used in the session, XA or XD.

Now at this point, you control what is inserted.

http://www.usb.org/developers/defined_class
https://support.citrix.com/article/CTX129558
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/hdx/usb.html

Generic USB reg settings

https://support.citrix.com/article/CTX123015?_ga=1.77053973.1604117216.1478717880

To use generic USB redirection rather than optimized support, you can either:

  • In Citrix Receiver, manually select the USB device to use generic USB redirection, choose Switch to generic from the Devices tab of the Preferences dialog box.
  • Automatically select the USB device to use generic USB redirection, by configuring auto-redirection for the USB device type (for example, AutoRedirectStorage=1) and set USB user preference settings to automatically connect USB devices. For more information, see CTX123015
  • This can bite you if you have USB video cards; just put a deny rule in so it will not try to double-dip and redirect again.
  • Example: DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

USB split devices.

There are times where you will need to split the composite USB device. A USB Composite Device is a peripheral device that supports more than one device class. Many different devices are implemented as composite devices. An example of this would be a Jabra or Plantronics headset.

How It Works

“When a user plugs in a simple USB device, the host device checks it against each policy rule consecutively until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is redirected to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop (that is, it’s not redirected). If no match is found, default rules are used.”

“When a user plugs in a composite USB device (a device with multiple functions (interfaces) for example audio headset with speaker, mic and HID button) the host device checks for all functions (interfaces) against each policy rule. If the first match for any function(interface) is a Deny rule, the rule is considered definitive for the composite device and device is denied. If the first match for a function (interface) is an Allow rule, the host device continues to match the rules against next function (interface). The composite device is allowed if no function (interface) is denied by a policy rule. If definitive match for composite device is a Deny Rule, the device is available only to the local desktop otherwise the device is remoted to the virtual desktop. If no match is found, default rules are used.”
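The first-match behaviour quoted above, applied to the kind of Allow/Deny rule strings used earlier for the Receiver ADMX policy, as an added Python example (not Citrix code and not from the original post). The tag list, the device descriptors and the handling of a composite device with some unmatched functions are assumptions; it shows that a Deny placed after a broader Allow that matches the same device never fires, and that a mistyped tag is rejected instead of silently ignored.

```python
import re

# Tags that appear in this page's rules; anything else is treated as a typo.
KNOWN_TAGS = {"VID", "PID", "CLASS", "SUBCLASS", "PROT"}

def parse_rules(text):
    """Turn 'Allow: VID=1DCC PID=482B #note; Deny: class=08' into ordered (action, tags)."""
    rules = []
    for raw in re.split(r"[;\n]", text):
        raw = raw.split("#", 1)[0].strip()          # drop the trailing comment
        if not raw:
            continue
        action, _, body = raw.partition(":")
        action = action.strip().upper()
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"unknown action in rule {raw!r}")
        tags = {}
        for token in body.split():
            key, sep, value = token.partition("=")
            if not sep or key.upper() not in KNOWN_TAGS:
                raise ValueError(f"unrecognised tag {token!r} in rule {raw!r}")
            tags[key.upper()] = value.upper()
        rules.append((action, tags))
    return rules

def first_match(rules, iface):
    """Return the action of the first rule whose tags all match, or None."""
    for action, tags in rules:
        if all(iface.get(k) == v for k, v in tags.items()):
            return action
    return None

def decide(rules, interfaces):
    """One descriptor dict for a simple device, one per function for a composite."""
    verdicts = [first_match(rules, i) for i in interfaces]
    if "DENY" in verdicts:
        return "DENY"       # any denied function denies the whole device
    if "ALLOW" in verdicts:
        return "ALLOW"      # assumption: unmatched functions do not veto an allow
    return "DEFAULT"        # no rule matched, default rules apply

# Constructed sample descriptors (not captured from real hardware).
THUMB = [{"VID": "0781", "PID": "5202", "CLASS": "08", "SUBCLASS": "06", "PROT": "50"}]
HEADSET = [{"VID": "AAAA", "PID": "0001", "CLASS": "01"},   # audio function
           {"VID": "AAAA", "PID": "0001", "CLASS": "03"}]   # HID button function

if __name__ == "__main__":
    late = parse_rules("Allow: class=08 subclass=06 prot=50; DENY: VID=0781 PID=5202")
    early = parse_rules("DENY: VID=0781 PID=5202; Allow: class=08 subclass=06 prot=50")
    print(decide(late, THUMB), decide(early, THUMB))
    print(decide(parse_rules("Allow: class=01; DENY: class=03"), HEADSET))
```

Running a planned rule string through `parse_rules` before pasting it into the policy catches misspelled tags, and `decide` shows which rule actually wins for a given device.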

Citrix CVAD Troubleshooting.

  • Review the device on the client computer. Record the class, subclass, VID and PID settings. This setting will block USB devices no matter what you have applied in a policy.
  • If USB devices prompt to connect on each session, enable “Connect automatically” and “When a device is plugged in, connect it” (you can configure this with the GPO/Workspace GPO).

Summary and conclusion

As you can see, there are a lot of USB settings, more than I would like to configure. But USB devices have come a long way, and users have many options now. This blog is, and was, meant to help ease the confusion. If you see something that doesn’t make sense or doesn’t work, please let me know. I may need to update it based on the settings in a new CR or LTSR release. But I follow this a lot when I forget how to do certain USB options. My experience is around Windows 10 devices or Windows 10 IoT.