
USB Redirection Restricted by Policy


Jason Ulloa

Question

Hello,

 

We have some plugable devices to connect VGA monitors through USB. When we start a desktop we can see the adapters listed, but all of them have a message "Restricted by Policy" and we cannot check the redirect button.

 

In Citrix Studio we have a policy with "Client USB device Redirection=allowed" and "Client USB plug and Play device redirection = allowed" but it is not working.

 

Can someone help me redirect these devices?

 

Thanks

Link to comment

6 answers to this question


Hello,

 

With the latest Receiver version 4.10.1.22 the registry key has changed to:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\GenericUSB (see also: https://support.citrix.com/article/CTX203592)

By default the DeviceRules value looks like:

 

# Syntax is an ordered list of case insensitive rules where # is line comment
#  and each rule is (ALLOW | DENY) : ( match )*
#  and each match is (class|subclass|prot|vid|pid|rel) = hex-number
# Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07e4 # Microsoft Surface Pro 3 Type Cover with fingerprint reader
DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else
 

For testing I simply deleted all rows with DENY, so it looks like this:

 

# Syntax is an ordered list of case insensitive rules where # is line comment
#  and each rule is (ALLOW | DENY) : ( match )*
#  and each match is (class|subclass|prot|vid|pid|rel) = hex-number
# Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
ALLOW: # Otherwise allow everything else


 

 

Additionally I created three USB Policies within Studio:

 

Client USB Device Redirection - Allowed

Client USB Device Redirection Rules - Allow: #all ok (Allows all Devices)

Client USB Plug and Play Device Redirection - Allowed

 


 

If you need the specific VIDs or PIDs you can simply connect via Receiver to your VDA, click on the Connection Bar - Preferences - Devices and move your mouse over the specific device.

 


 

After knowing the correct VID and PID you can create specific rules like Allow: VID=413C PID=2107 (example out of the screenshot)

 

Hope this helps

 

Regards

 

Dennis

 

For German googlers: Durch Richtlinie eingeschränkt

Link to comment
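
How an ordered DeviceRules list decides a device's fate, as an added example (not code from the posts or from Citrix): it assumes the first matching rule wins, which the "ordered list" comment and the final catch-all ALLOW imply, and that a device matching no rule is denied. The sample device values and the targeted rule's pid are constructed.

```python
import re

# Subset of the default DeviceRules quoted in the post above, same order.
DEFAULT_RULES = """\
DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=09 # Hub devices
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
ALLOW: # Otherwise allow everything else
"""
ALLOW_ALL = "ALLOW: # Otherwise allow everything else\n"  # the test configuration
# Constructed narrow rule (the pid is illustrative) placed ahead of the defaults.
TARGETED = "ALLOW: vid=17e9 pid=0001 # constructed adapter\n" + DEFAULT_RULES
LIMITS = {"class": 0xFF, "subclass": 0xFF, "prot": 0xFF,
          "vid": 0xFFFF, "pid": 0xFFFF, "rel": 0xFFFF}
# Constructed sample devices; every value except vid=17e9 is illustrative.
ADAPTER = {"vid": 0x17E9, "pid": 0x0001, "class": 0xFF, "subclass": 0, "prot": 0}
KEYBOARD = {"vid": 0x1234, "pid": 0x5678, "class": 0x03, "subclass": 1, "prot": 1}

def parse_rules(text):
    """Return [(action, {field: value}, source_line)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        action, sep, rest = line.partition(":")
        action = action.strip().upper()
        if not sep or action not in ("ALLOW", "DENY"):
            raise ValueError(f"bad rule: {raw!r}")
        matches = {}
        for token in rest.split():
            m = re.fullmatch(r"(\w+)=([0-9a-fA-F]+)", token)
            key = m.group(1).lower() if m else None
            # Reject rather than skip: a dropped match would widen the rule.
            if key not in LIMITS or int(m.group(2), 16) > LIMITS[key]:
                raise ValueError(f"bad match {token!r} in {raw!r}")
            matches[key] = int(m.group(2), 16)
        rules.append((action, matches, raw.strip()))
    return rules

def evaluate(rules, device):
    """First matching rule decides; no match at all is treated as DENY."""
    for action, matches, source in rules:
        if all(device.get(k) == v for k, v in matches.items()):
            return action, source
    return "DENY", "(no rule matched)"

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_RULES), ("allow-all", ALLOW_ALL), ("targeted", TARGETED)]:
        print(name, evaluate(parse_rules(text), ADAPTER)[0], evaluate(parse_rules(text), KEYBOARD)[0])
```

Against these sample devices the default list denies both, the allow-all list redirects both (the boot keyboard included), and the targeted list redirects only the adapter while the remaining DENY rules stay in force.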

Hubs are restricted by default.  You will have to make an explicit rule to allow them in policy, and also edit the local reg key.

 

 

 

HKEY\LocalMachine\wow64\citrix\portICA\GenericUSB     -  Device Rules 

 

WOW64 or not, depending on your OS; this is at the endpoint where Receiver is installed as well as on the virtual desktop.

Good luck, probably not supported.

Link to comment
On 2018-01-11 at 2:30 PM, Dennis Reimer1709157751 said:


Wow! Thanks Dennis, you just saved my life.

Works like a charm.
