Dec 13 2019
 

Base settings, No Policies set in Studio, or Receiver

No Registry hacks meaning nothing in….

This is normal meaning Stock

Nothing edited here

Let’s launch an XD session

So, as you can see the defaults are taken over based on this article

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/general-content-redirection/usb.html

The Citrix USB settings are in depth at times and kind of all over the place in the docs. But I am sure there are reasons why.

HDX technology provides optimized support for most popular USB devices.  This includes:

  • Monitors
  • Mice
  • Keyboards
  • VoIP phones
  • Headsets
  • Webcams
  • Scanners
  • Cameras
  • Printers
  • Drives
  • Smart card readers

So, it redirected them as it should as Optimized. 

But if you read here…

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/general-content-redirection/usb.html

Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.

HDX technology provides generic USB redirection when optimized support is not available or unsuitable, for example:

  • The USB device has additional advanced features that are not part of optimized support, such as a mouse or webcam with additional buttons.
  • Users need functions which are not part of optimized support, such as burning a CD.
  • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
  • An application requires direct access to the device as a USB device.
  • The USB device only has a Windows driver available. For example, a smart card reader may not have a driver available for Citrix Receiver for Android.
  • The version of Citrix Receiver does not provide optimized support for this type of USB device. 

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

So, optimized will not work for our scanners in the environment I am in.

Generic will have to be set here. The policies below can be used to achieve this.

Remember to note this (Will come back to it soon)

Another Leading Missed concept

This doesn’t apply to us, as we enable USB support, but it is more information for the future when re-reading this.

https://support.citrix.com/article/CTX123015

USB devices are automatically redirected when USB support is enabled, and the USB user preference settings are set to automatically connect USB devices

So what I take from this: if I have USB enabled, then it will redirect devices. If I don’t, then I can set these registry device entries to only allow certain ones.

Note: In Receiver for Windows 4.2, USB devices are also automatically redirected when operating in Desktop Appliance mode, and the connection bar is not present. In earlier versions of Receiver for Windows, USB devices are also automatically redirected when operating in a desktop appliance mode or with Virtual Machine (VM) hosted applications.
However, it is not always best to redirect all USB devices, and this article describes how to configure whether a device must be automatically redirected or not.
Users can explicitly redirect devices from the USB device list that are not automatically redirected. To prevent USB devices from ever being listed or redirected, you can use DeviceRules on either the client endpoint or the Virtual Desktop Agent (VDA). See Administration Guides for further details.

So in other words if I disable USB Device Redirection I can control it more?

Or does USB have to be enabled but I can stop the auto Redirection?

Let’s test this

So I disabled this

Now I will log in and it should not PASS anything.

Nothing passed

Now let’s enable one registry setting from the CTX123015 article. I want all scanners to come through.

Now enable the (Connect USB Device)

Do a gpupdate /force on the machine you’re on.

Check the registry on the client the GPO is applied to, to make sure the GPO change arrived.

Reg Setting Set, Receiver GPO Set, log out then back in and it should come through as generic according to Citrix

I couldn’t get this to work; I am uncertain at this time what Citrix means by this.

I will re-enable USB redirection back, and put things the way I had it.

Now back to the Generic USB Redirection pieces.

https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/configure.html
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/general-content-redirection/usb.html
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/usb-devices-policy-settings.html#configure-automatic-redirection-of-usb-devices
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/usb-devices-policy-settings.html

Again

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

Way 1

To enable a USB device to be redirected in with the generic driver within the Receiver Preferences

The purpose of this is to allow it to be saved within the settings of receiver.

Generic Drivers Set by default

When it’s set to 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices

It comes in as Optimized.

By setting these Registry Settings

Is supposed to use the Generic Driver inside the VDA for XenDesktop.

Desktop shows…..

But when this popped up

If I clicked on it and selected the devices, then they came through as Generic.

(Note: I need no user interaction, so I will set it to pass through and connect as default on the receiver_workspace GPO)

But continue with the method anyways.

Log out then back in and it should do it by itself now. It worked.

Way 2

This is intended to make it seamless for the end user and to make them like Citrix again.

  1. Please get the VID and the PID of the device.
  2. Plug in the device on the local workstation.
  3. Open Device Manager.
  4. Find your device.
  5. Right-click it and go to Properties.
  6. Click the Details tab.
  7. Change the Property to Hardware Ids.

The format you need is this

VID0711 PID5200

Now take this VID0711 PID5200 and create a key in the local registry of the local desktop.

64bit

32 bit

Take out the WOW6432Node and it’s the same path

Create a key under Devices, named with the VID and PID number.

Now add a DWORD called AutoRedirect and set its value to 1
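The registry steps above can be scripted. This is an added example, not part of the original post: the function names are hypothetical, the registry path and the AutoRedirect value are the ones given in this article, and it assumes Windows PowerShell 5.1 or later running elevated on the client.

```powershell
# Added example, not from the original post. Run elevated on the client endpoint.
function ConvertTo-CitrixDeviceKey {
    # "USB\VID_0711&PID_5200&REV_0100" -> "VID0711 PID5200"; nothing if no VID/PID pair.
    param([Parameter(Mandatory)][string]$HardwareId)
    if ($HardwareId -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
        'VID{0} PID{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper()
    }
}

function Get-GenericUsbDevicesPath {
    # 64-bit Windows: path with WOW6432Node; 32-bit Windows: same path without it.
    if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices'
    } else {
        'HKLM:\SOFTWARE\Citrix\ICA Client\GenericUSB\Devices'
    }
}

function Set-GenericUsbAutoRedirect {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DeviceKey)    # e.g. "VID0711 PID5200"
    if ($DeviceKey -notmatch '^VID[0-9A-F]{4} PID[0-9A-F]{4}$') {
        throw "Unexpected device key format: '$DeviceKey'"
    }
    $path = Join-Path (Get-GenericUsbDevicesPath) $DeviceKey
    if ($PSCmdlet.ShouldProcess($path, 'Create key and set AutoRedirect=1')) {
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -LiteralPath $path -Name AutoRedirect -PropertyType DWord -Value 1 -Force | Out-Null
        Get-ItemProperty -LiteralPath $path | Select-Object PSPath, AutoRedirect   # read back to verify
    }
}

# 1) List plugged-in USB devices and the key name each one would need.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USB\VID_*' } |
    Select-Object FriendlyName, @{ Name = 'DeviceKey'; Expression = { ConvertTo-CitrixDeviceKey $_.InstanceId } } |
    Sort-Object DeviceKey -Unique

# 2) Preview the registry change for the chosen device, then rerun without -WhatIf.
Set-GenericUsbAutoRedirect -DeviceKey 'VID0711 PID5200' -WhatIf
```

Keeping the key name validation strict means only an exact VID/PID pair is ever written, so a mistyped name cannot silently create a key that matches nothing.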

Now when you sign in to the XenDesktop session you will need to open the Citrix Receiver Preferences and select "When a session starts, connect the device". THIS IS A MUST for Generic to work (GPO is another option for this setting)

Not to get sidetracked, but for that setting you can do this

Now back to the session…

Log out and back in and you will now see your device redirected in as Generic 

Now if you don’t want to connect the device automatically, you have this option. When you first log in you will see this pop up. Click on it.

Now you get this.

If I select my Fujitsu device, I will still get the generic option, because I have the Generic Reg setting set to 1. Meaning this.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\GenericUSB\Devices

Issues I had because of GPO are scoped correctly

My USB mouse and keyboard kept redirecting in. I couldn’t figure this out. Citrix saw this policy.

Which applies to….

Then forcing this on my local Machine.

ALLOW:03 is a global HID for Mouse and Keyboards.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff538820(v=vs.85).aspx

I created a group, put the XD7-BUS-### along with my machines in it, and selected deny.

Then I went through my machine and deleted the orphaned keys.

Now things work as normal on my machine.

Way 3

In Citrix Discussion 376957, a user had the same issue. He solved it by doing this.

http://discussions.citrix.com/topic/376957-usb-redirection-and-auto-switching-from-optimized-to-generic-mode/

The problem was that in “Client USB device redirection rule” I have manually inserted some rule like “Allow: class=08”; after I have enabled “Use default value” and with your suggestion the redirection works as I wanted.

NOTE: https://support.citrix.com/article/CTX137939

 In this article it talks about adding the PID and VID in the Generic USB settings. It would appear that the Check box “Use default values” isn’t the only thing needed. By adding the PID and VID it will redirect it as Generic. But I want all scanners to be generic. How do I achieve this? Follow the screen shots below.

This will do it for all Storage devices, or any device that is considered in the Generic Coding within these settings.

Then add the registry value AutoRedirectStorage=dword:1, and mass storage will behave as a generic device for redirection.

But for all generic devices to be redirected, you always have to select the options below in the cdviewer Preferences:

1. When session start connect device automatically

2. When new device attached connect device automatically

So overall you have to add the registry value and set the checkboxes in Preferences, Connections tab, for auto redirection to work smoothly.

Way 4

Another test I did: I needed to redirect Mass Storage, but block my USB Video input for an extra monitor I had.

ALLOW: VID=ABCD PID=1234 #Mass Storage Device as Generic

(With this allow rule above I had to enable this as well)

http://support.citrix.com/article/CTX123015?_ga=1.249948033.660250984.1475149031

DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

This is somewhat confusing, and Citrix E-docs aren’t the best for explaining all this. They have a lot of great information, but it runs together.

On the Windows 7 VDA you can see this. So it’s working as it should. ( Same on windows 10- validated up to 1809) 

Way 5

Another Test I would like to do is configure this on the receiver side.

I will remove my Studio USB ALLOW and DENY RULE.

Then apply it to my Citrix Receiver 4.5 ADMX in GPO.

Created the Citrix Receiver 4.5 Rule

Made sure the AutoRedirectStorage is still intact, and set to 1 which is redirect generic USB according to Citrix

Now on my Desktop (local Client)

Now let’s log in to the VDA

This looked like it works as well.

Little GOTCHA

One thing I noticed: if you use the Citrix Receiver/Workspace ADMX for Generic USB Remoting and you don’t have an ALLOW rule for your devices, they will pass through but will be optimized by default. It’s like, if you use the Receiver GPO, then use it all the way through.

Example: I am denying USB Video, but my scanner is coming through as Optimized; the policy is set and I cannot override it.

I added this rule

Now on my VDA you can see, the Scanner came in great.

As you can see, if I don’t have the USB allow rule for my Mass Storage device, it comes in as optimized and restricted.

Let’s update Citrix Receiver ADMX policy

Allow must be before DENY, like a firewall ACL

Allow: VID=1DCC PID=482B #Ambir Scanner; Allow: class=08 subclass=06 prot=50 # Mass Storage; DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA
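A rule string like this can be checked before it goes into a GPO. The following is an added example, not Citrix code and not from the original post: the function names are hypothetical, and it assumes rules are evaluated in order with the first match final and that the valid tags are VID, PID, REL, Class, SubClass and Prot, as described in the Citrix device-rule documentation.

```powershell
# Added example, not Citrix code. Assumes rules are checked in order with the first
# match final, and the tag names VID, PID, REL, Class, SubClass, Prot.
$KnownTags = 'VID', 'PID', 'REL', 'CLASS', 'SUBCLASS', 'PROT'

function ConvertFrom-UsbRuleString {
    param([Parameter(Mandatory)][string]$RuleString)
    $index = 0
    foreach ($raw in ($RuleString -split '[;\r\n]+')) {
        $text = ($raw -replace '#.*$', '').Trim()           # strip the trailing comment
        if (-not $text) { continue }
        $index++
        $rule = [pscustomobject]@{ Index = $index; Action = $null; Tags = @{}; Problems = @() }
        if ($text -match '^(allow|deny)\s*:\s*(.*)$') {
            $rule.Action = $Matches[1].ToUpper()
            foreach ($pair in ($Matches[2] -split '\s+' | Where-Object { $_ })) {
                $tag, $value = $pair -split '=', 2
                if ($KnownTags -notcontains $tag.ToUpper()) { $rule.Problems += "unknown tag '$tag'" }
                elseif ($value -notmatch '^[0-9A-Fa-f]{1,4}$') { $rule.Problems += "bad hex value in '$pair'" }
                else { $rule.Tags[$tag.ToUpper()] = [Convert]::ToInt32($value, 16) }
            }
        } else { $rule.Problems += "expected 'Allow:' or 'Deny:' in '$text'" }
        $rule
    }
}

function Get-UsbRuleVerdict {
    param([Parameter(Mandatory)][object[]]$Rules, [Parameter(Mandatory)][hashtable]$Device)
    if ($Rules | Where-Object { $_.Problems.Count }) { throw 'Fix the reported rule problems first.' }
    foreach ($rule in $Rules) {
        $mismatch = $rule.Tags.Keys | Where-Object { $Device[$_] -ne $rule.Tags[$_] }
        if (-not $mismatch) { return '{0} (rule {1})' -f $rule.Action, $rule.Index }
    }
    'NO MATCH'
}

# Constructed input modeled on the rule string above: rule 3 has a deliberate tag
# typo, and rule 4 is a specific deny placed after a broad class allow.
$typo = 'Allow: VID=1DCC PID=482B #Ambir Scanner; Allow: class=08 subclass=06 prot=50 # Mass Storage; ' +
        'DENY: VIP=0711 PID=5200 #USB video; DENY: VID=0781 PID=5202 #thumb drive'
ConvertFrom-UsbRuleString $typo | Where-Object { $_.Problems.Count } | Select-Object Index, Problems

$rules = ConvertFrom-UsbRuleString ($typo -replace 'VIP=', 'VID=')
$stick = @{ VID = 0x0781; PID = 0x5202; Class = 0x08; SubClass = 0x06; Prot = 0x50 }
Get-UsbRuleVerdict $rules @{ VID = 0x0711; PID = 0x5200 }   # USB video adapter
Get-UsbRuleVerdict $rules $stick                            # thumb drive: which rule wins?
```

Under the first-match assumption the thumb drive is allowed by the mass storage class rule before its own deny is reached, so a per-device deny has to sit above any broader allow that also covers that device.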

Another off the note example of Rules. Not applied here though

Allow: VID=1DCC PID=482B #Ambir Scanner; DENY: Class=08 Subclass=06 # Mass Storage; DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

DENY: VID=0781 PID=5202

Now it is not restricted, but still not generic. I can enable generic, but I would rather force it. So the USB rule allows me to use it in my session as generic or optimized.

Set my registry key storage for

Log off and back on.

USB Rule Gotchas

One thing I had to figure out was the Optimize policy setting for USB device. This was geared around Client drive redirection.

I would apply a USB rule within the Receiver ADMX file to deny a USB device.

Example: DENY: VID=0781 PID=5202

It then would come in and say this.

The device would still come in.

But I found out that I have to disable this policy in studio.

I went ahead and added this too

Now it will show policy restricted and allow the user to redirect it, which is good. For approved thumb drive devices our company will allow them to use.

But let’s say a Vendor has a security flaw on a USB Thumb drive, and I had the VID and PID.

Yes, I have seen it where a thumb drive comes with a piece of software on it, and it can be used as an entry point into your network. A lot of people I see don’t take this seriously: "This won’t happen to me." But it can, and it will one day. I understand we have to provide users a good experience, but I see where a lot of sloppy IT guys just make it work to get them off the phone, or are lazy and don’t want to deal with it. This isn’t good. So controlling it from a higher point will prevent this.

I can now apply the deny rule, and the Redirect option will be greyed out.

This will ensure the USB Thumb drive (Mass Storage) device will not be used in the session. XA or XD

Now at this point, you control what is inserted.

http://www.usb.org/developers/defined_class
https://support.citrix.com/article/CTX129558
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/hdx/usb.html

Generic USB reg settings

https://support.citrix.com/article/CTX123015?_ga=1.77053973.1604117216.1478717880

To use generic USB redirection rather than optimized support, you can either:

  • In Citrix Receiver, manually select the USB device to use generic USB redirection, choose Switch to generic from the Devices tab of the Preferences dialog box.
  • Automatically select the USB device to use generic USB redirection, by configuring auto-redirection for the USB device type (for example, AutoRedirectStorage=1) and set USB user preference settings to automatically connect USB devices. For more information, see CTX123015
  • This can bite you if you have USB video cards; just put a deny rule in, so it will not try to double dip and redirect again.
  • Example: DENY: VID=0711 PID=5200 #Block USB Video connection from Local PC to VDA

Summary:

As you can see, there are a lot of USB settings. More than I would like to configure. But USB devices have come a long way. Users have many options now. This article was meant to help ease the confusion.

If you see something that doesn’t make sense or doesn’t work, please let me know. I may need to update the settings based on a new CR or LTSR release. But I follow this a lot when I forget.

  4 Responses to “Citrix Virtual Apps and Desktop USB guidance”

  1. Wonderful article, just what I was looking for!
    Thanks for all the work you’ve put in.

  2. […] integrated, and it’s still a USB device. (Which Reminds me I need to update My USB Blog….http://www.citrixirc.com/?p=1070) Also make sure “Client USB Plug in Play device redirection is enabled, or nothing will not […]

  3. With my Windows 10 Audio over UDP worked like a charm. But in my Hosted Shared environment I’m not seeing the UDP Optimized when I check HDX monitor. I used to test same ADC’s and device as we used with Windows 10. Policies were applied as well! Any idea?

    Thank you!
