Everyone who uses Citrix XenDesktop knows how much trouble it is to use USB devices with it to digitally sign documents.
For this reason, after the latest “nightmare” with my most recent USB key, the CNS, I decided to write down a simple guide to help people like me with these problems.
This is the latest key that I set up under XenDesktop. My environment was Citrix Virtual Apps and Desktops (formerly known as XenDesktop) 7.15 CU3, with Wyse 3040 Windows Embedded and Windows 7 Ent with PVD.
First, we have to enable the USB redirection policy under “Studio’s policy”.
Then we need to enable class 08 (Mass storage) and class 0b (Smart card); see the guide CTX137939.
At this point, just as a test, we need to change the local DeviceRules on the device where we’ve installed Citrix Workspace (formerly known as Citrix Receiver).
This is the key: HKLM\Software\WOW6432Node\Citrix\ICA Client\GenericUSB
Normally this is the “DeviceRules” setting:

    # Syntax is an ordered list of case insensitive rules where # is line comment
    # and each rule is (ALLOW | DENY) : ( match )*
    # and each match is (class|subclass|prot|vid|pid|rel) = hexnumber

    DENY: vid=17e9 # All DisplayLink USB displays
    DENY: class=02 # Communications and CDC-Control
    DENY: class=09 # Hub devices
    DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
    DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
    DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
    DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
    DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
    DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
    DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
    DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
    DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
    ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
    DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
    DENY: class=03 subclass=01 prot=02 # HID Boot mice
    DENY: class=0a # CDC-Data
    DENY: class=0b # Smartcard
    DENY: class=e0 # Wireless controller
    DENY: class=ef subclass=04 # Miscellaneous network devices
    ALLOW: # Otherwise allow everything else

And we need to change it to:

    # Syntax is an ordered list of case insensitive rules where # is line comment
    # and each rule is (ALLOW | DENY) : ( match )*
    # and each match is (class|subclass|prot|vid|pid|rel) = hexnumber

    DENY: vid=17e9 # All DisplayLink USB displays
    DENY: class=02 # Communications and CDC-Control
    DENY: class=09 # Hub devices
    DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
    DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
    DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
    DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
    DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
    DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
    DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
    DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
    DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
    ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
    ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
    DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
    DENY: class=03 subclass=01 prot=02 # HID Boot mice
    DENY: class=0a # CDC-Data
    #DENY: class=0b # Smartcard <=========== !!!!!!!!!!!
    DENY: class=e0 # Wireless controller
    DENY: class=ef subclass=04 # Miscellaneous network devices
    ALLOW: # Otherwise allow everything else
To help with this, we can use USBDeview to find the VendorID, ProductID and USB class.
This is before inserting the USB key
Then, after inserting it …
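The effect of the DeviceRules change above can be checked offline with a small rule evaluator. This is an added example, not Citrix code or part of the original guide: it assumes the "ordered list" is evaluated top-down with the first matching rule winning, uses an abridged copy of the list, and the vid/pid values are constructed placeholders for the ones USBDeview reports. It also evaluates a narrower variant that is not from the guide, which allows only the signing token by vid/pid and keeps the class 0b DENY for every other smart card device.

```python
import re

MATCH = re.compile(r"\b(class|subclass|prot|vid|pid|rel)\s*=\s*([0-9a-f]+)", re.I)

def parse_rules(text):
    """Return the ordered rule list as (action, {field: value}) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        action, _, matches = line.partition(":")
        action = action.strip().upper()            # rules are case insensitive
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        rules.append((action, {k.lower(): int(v, 16) for k, v in MATCH.findall(matches)}))
    return rules

def decide(rules, device):
    """Assumption: rules are tried top-down and the first full match wins."""
    for action, fields in rules:
        if all(device.get(k) == v for k, v in fields.items()):
            return action
    return "DENY"  # assumption for a list that has no catch-all rule

# Abridged from the DeviceRules listing in this guide.
DEFAULT = """\
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
ALLOW: # Otherwise allow everything else
"""
# The guide's change: the smart card DENY is commented out.
MODIFIED = DEFAULT.replace("DENY: class=0b", "#DENY: class=0b")
# Narrower variant (not from the guide): allow one token by its IDs, keep the DENY.
SCOPED = "ALLOW: vid=1234 pid=abcd # signing token, constructed IDs\n" + DEFAULT

# Constructed descriptors; take the real values from USBDeview.
TOKEN = {"vid": 0x1234, "pid": 0xABCD, "class": 0x0B}
OTHER_READER = {"vid": 0x5678, "pid": 0x0001, "class": 0x0B}

def compare():
    """Map each rule set to its decision for (TOKEN, OTHER_READER)."""
    sets = {"default": DEFAULT, "modified": MODIFIED, "scoped": SCOPED}
    return {name: (decide(parse_rules(t), TOKEN), decide(parse_rules(t), OTHER_READER))
            for name, t in sets.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, "token=%s other_reader=%s" % result)
```

With the smart card DENY commented out, every class 0b device falls through to the final ALLOW; the scoped list redirects only the token whose vid/pid it names.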
At this point, we need to modify the master image or the user’s session (if it’s a static desktop or has the PVD feature).
Delete these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\citrix\CtxHook\AppInit_Dlls\
Restart the terminal and connect to it again.
Connect your USB key and switch it to generic.
Now you can launch your key!
That’s it!