Jump to content
Welcome to our new Citrix community!
  • 0

Redirect USB Flash Drives with hardware encryption

Markus Fumasoli1709152661


Hi all


According the support article https://support.citrix.com/article/CTX123015 Virtuals Apps 1808 should support generic USB redirection for USB Flash Drives with hardware encryption. 

I tried this with an Ironkey from imation. This usb device has an encrypted Partition and cdrom drive with an helper app on it. When I redirect this device to the Virtual Apps Session on a Windows Server 2016, only the encrypted partition is visible in the explorer.

OS is Windows Server 2016 and the september patches from MIcrosoft are installed. Client OS is Windows 10 with Workspace App 1809


Did somebody manage to redirect an encrypted usb flashdrive?




Link to comment

10 answers to this question

Recommended Posts

  • 0

@Guang Liu

When I open the Device Manager in the user session, I see the CDRom drive in the list. Here I connected an external USB CDROM and the Encrypted USB Device. Both CDRoms are visible, but no drive letter was assigned?! The drive letter I:\ is the vmware cdrom.




How can I assign a drive letter to this drives?






UPDATE: When I gave the user admin rights on the server, the drive mapping works fine. This is a clean server from ISO with no GPO

Link to comment
  • 0

hi all, this is a how to fix FYI. try to contact software or driver vendor then add FILE_FLAG_SESSION_AWARE flag to CreateFile API. 

please also make sure the above microsoft update already installed. 

such issue should be also exist on microsoft REMOTEUSB Redirection solution 


below information also FYI. 




Although RemoteFX USB Redirection for Windows 7 SP1 was implemented for client SKUs with a single session, RemoteFX USB Redirection for Windows Server 2012 R2 supports redirection from multiple clients and provides session isolation for redirected devices. Therefore, users will see only USB devices that belong to them. When USB device redirection is enabled in RDS or MultiPoint, USB devices are assigned to the particular session into which they've been redirected. Only user-mode code that's running in that same session can access these devices.

The default behavior of the I/O Manager is to deny access when a service that's running in session 0 tries to open one of these devices unless the service does this by passing the c. The theory here is that when developers updated their services to use this flag to open devices, they also added new functionality to make sure that their services restricted access to those devices to any other apps from other sessions that might also be using the service (for example, if the service is a COM server).

Session 0 is the base session where services run and is typically also the console session.  In Windows Vista this has been changed to exclusively run services, and the console session is typically Session 1.  

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...