Sometimes your security team will be your best friend. They will be the “bad guy” in your IT organization and prevent certain applications from being installed or they will require that remote users have reduced access. Recently, I was approached by my security team to prevent access to the clipboard, local printers, and local drives for a certain group of users. This better secures our environment and reduces ICA bandwidth and speeds up login times. When I created a new Citrix policy to put these restrictions in place, I found that USB hard-drives were still being mapped.
Searching the Citrix eDocs site, I came across the following detail at the bottom of the Drives Folder section in the Policy Rules Reference:
Enabling or Disabling HDX Plug-n-Play for USB Storage Devices
HDX Plug-n-Play for USB storage devices is enabled by default. To change the settings for HDX Plug-n-Play for USB storage devices, manually change the key specified below on the XenApp server. Changes apply to all users.
Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
Toggle USB drive redirection on and off using the following registry key on the server:
On XenApp 32-bit edition
On XenApp 64-bit edition
1 = redirection disabled
0 = redirection enabled
Note: HDX Plug-n-Play for USB storage devices is enabled when the registry key is not present.
Once I added the registry setting (and logged back in), I was no longer able to see any mapped USB hard drives. This is also referenced in the following CTX articles: How to Prevent Manual Mapping of Client Connected USB Drives and How to Disable USB Drive Redirection