![](https://marcoschiavon.net/wp-content/uploads/2019/05/Citrix_nightmare.jpg)
Everyone who uses Citrix XenDesktop knows the great problem of using it with USB devices to digitally sign documents.
For this reason, after the latest “nightmare” with the latest USB key, the CNS, I’ve decided to write down a simple guide to help people like me with these problems.
This is the latest key that I set up under XenDesktop; my environment was Citrix Virtual Apps and Desktops (formerly known as XenDesktop) 7.15 CU3 with Wyse 3040 Windows Embedded and Windows 7 Ent with PVD.
![The smart cards nightmare with Citrix Xendesktop / Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/CNS_01-1.jpg)
First, we have to enable the USB redirection policy under “Studio’s policy”.
![The smart cards nightmare with Citrix Xendesktop / Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/studio_1.jpg)
Then we need to enable class 08 (Mass storage) and class 0b (Smart card); see this guide: CTX137939.
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/Studio_2.jpg)
At this point, just to do a test, we need to change the local DeviceRules on the device where we’ve installed Citrix Workspace (formerly known as Citrix Receiver).
This is the key: HKLM\Software\WOW6432Node\Citrix\ICA Client\GenericUSB
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/Device_rule.jpg)
**Normally this is the “DeviceRules” setting:**

```
# Syntax is an ordered list of case insensitive rules where # is line comment
# and each rule is (ALLOW | DENY) : ( match )*
# and each match is (class|subclass|prot|vid|pid|rel) = hexnumber

DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else
```

**And we need to change to:**

```
# Syntax is an ordered list of case insensitive rules where # is line comment
# and each rule is (ALLOW | DENY) : ( match )*
# and each match is (class|subclass|prot|vid|pid|rel) = hexnumber

DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
#DENY: class=0b # Smartcard <=========== !!!!!!!!!!!
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else
```
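The effect of that one-line change can be checked offline with a small evaluator for the DeviceRules syntax; this is an added example, not code from the original post or from Citrix. It assumes rules are evaluated top-down with the first match deciding (the "ordered list" of the header comment), treats each device as having a single class, and uses constructed placeholder vid/pid values; the `NARROW` variant is an alternative that is not in the post.

```python
import re

FIELDS = {"class", "subclass", "prot", "vid", "pid", "rel"}

# Abbreviated copy of the page's default DeviceRules, order preserved.
DEFAULT_RULES = """\
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
ALLOW: # Otherwise allow everything else
"""
# The page's change: comment out the Smartcard DENY.
PAGE_EDIT = DEFAULT_RULES.replace("DENY: class=0b", "#DENY: class=0b")
# Narrower variant (assumption, not from the page): allow one vid/pid first.
NARROW = DEFAULT_RULES.replace(
    "DENY: class=0b", "ALLOW: vid=ffff pid=0001 class=0b\nDENY: class=0b")

# Constructed devices; vid/pid are placeholders, read the real ones in USBDeview.
SIGNING_KEY = {"vid": 0xFFFF, "pid": 0x0001, "class": 0x0B}
OTHER_READER = {"vid": 0xFFFE, "pid": 0x0002, "class": 0x0B}

def parse_rules(text):
    """Parse the rule text into an ordered list of (action, {field: value})."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a line comment
        if not line:
            continue
        action, sep, matches = line.partition(":")
        action = action.strip().upper()
        if not sep or action not in ("ALLOW", "DENY"):
            raise ValueError(f"not a rule: {raw!r}")
        fields = {}
        for key, val in re.findall(r"(\w+)\s*=\s*([0-9a-fA-F]+)", matches):
            if key.lower() not in FIELDS:
                raise ValueError(f"unknown match {key!r} in {raw!r}")
            fields[key.lower()] = int(val, 16)
        rules.append((action, fields))
    return rules

def verdict(text, device):
    """Return the action of the first rule whose matches all equal the device's."""
    for action, fields in parse_rules(text):
        if all(device.get(k) == v for k, v in fields.items()):
            return action
    return None  # no rule matched

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_RULES), ("page edit", PAGE_EDIT), ("narrow", NARROW)]:
        print(name, verdict(rules, SIGNING_KEY), verdict(rules, OTHER_READER))
```

With the Smartcard DENY commented out, every class 0b device falls through to the final `ALLOW:`; the narrower rule redirects only the listed key and leaves other smart card readers denied.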
To help, we can use USBDeview to find the VendorID, ProductID and USB Class.
This is before inserting the USB key:
![](https://marcoschiavon.net/wp-content/uploads/2019/02/usb_first.jpg)
Then, after it is inserted …
![](https://marcoschiavon.net/wp-content/uploads/2019/02/usb_after2.jpg)
At this point, we need to modify the master image or the user's session (if it’s a static desktop or has the PVD feature).
Delete this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/user_ses.jpg)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\citrix\CtxHook\AppInit_Dlls\
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/User_ses_2.jpg)
Restart the terminal and connect to it again.
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/Workspace.jpg)
Connect your USB key and switch it to generic.
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/connect_the_card.jpg)
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/Switch_to_gen1.jpg)
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/Switch_to_gen2.jpg)
Now you can launch your key!
![smart cards Citrix Xendesktop Virtual Apps and Desktops](https://marcoschiavon.net/wp-content/uploads/2019/02/Thatsit2.jpg)
That’s it!