USB Filter Driver Exclusion List
Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
Description
This feature excludes USB devices that have compatibility issues with the App Protection feature. When the policy is:
Not Configured - None of the USB devices are part of the exclusion list. The USB Filter attaches to all USB devices if App Protection is active.
Enabled - Excludes the USB devices (pairs of vendor ID and product ID) mentioned in the exclusion list from App Protection.
Disabled - Clears the device exclusion list.
The USB Filter Driver Exclusion List field allows admins to add pairs of vendor ID and product ID information that can be excluded from App Protection. Sample format to add vendor IDs and product IDs to the exclusion list:
[
  { "deviceName": "Device1", "vendorID": "FFFF", "productID": "FFFF" },
  { "deviceName": "Device2", "vendorID": "FFFF", "productID": "FFFF" }
]
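An added example (not part of the exported scripts or of the policy's own files): a PowerShell check that parses exclusion-list lines in the sample format and reports malformed or duplicate vendor ID / product ID pairs, so that every device exempted from App Protection is one the admin meant to exempt. The function name, the 4-hex-digit rule (taken from the sample values) and the case-insensitive duplicate match are assumptions.

```powershell
# Added example, not part of the exported scripts.
function Test-UsbExclusionList {
    param([string[]]$Lines)   # one string per REG_MULTI_SZ entry

    $text = ($Lines -join "`n").Trim()
    if (-not $text) { return @() }   # empty list: no device is excluded

    try {
        $parsed = ConvertFrom-Json -InputObject $text -ErrorAction Stop
    } catch {
        return @("Not valid JSON: $($_.Exception.Message)")
    }

    $findings = @()
    $seen = @{}
    $hex4 = '^[0-9A-Fa-f]{4}$'   # assumption: 4 hex digits, as in the sample
    $i = 0
    foreach ($entry in @($parsed)) {
        $i++
        $vendId = [string]$entry.vendorID
        $prodId = [string]$entry.productID
        if (-not $entry.deviceName) { $findings += "Entry ${i}: deviceName is missing" }
        if ($vendId -notmatch $hex4) { $findings += "Entry ${i}: vendorID '$vendId' is not 4 hex digits" }
        if ($prodId -notmatch $hex4) { $findings += "Entry ${i}: productID '$prodId' is not 4 hex digits" }
        # Assumption: IDs compare case-insensitively, so ffff and FFFF collide.
        $key = ('{0}:{1}' -f $vendId, $prodId).ToUpperInvariant()
        if ($seen.ContainsKey($key)) {
            $findings += "Entry ${i}: duplicates entry $($seen[$key]) ($key)"
        } else {
            $seen[$key] = $i
        }
    }
    return $findings
}

# Constructed sample in the page's format, one string per input line.
$sample = @(
    '[',
    '  { "deviceName": "Device1", "vendorID": "FFFF", "productID": "FFFF" },',
    '  { "deviceName": "Device2", "vendorID": "0xFFFF", "productID": "FFF" },',
    '  { "deviceName": "Device3", "vendorID": "ffff", "productID": "FFFF" }',
    ']'
)
Test-UsbExclusionList -Lines $sample

# To audit a live endpoint, pass the stored value instead:
# $v = Get-ItemProperty -LiteralPath 'HKLM:\Software\Policies\Citrix\AppProtection' -Name 'USBFilterDriverExclusionList'
# Test-UsbExclusionList -Lines $v.USBFilterDriverExclusionList
```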
Registry
Software\Policies\Citrix\AppProtection
REG Builder (BETA)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: USB Filter Driver Exclusion List
; State: Enabled
; Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
[HKEY_LOCAL_MACHINE\Software\Policies\Citrix\AppProtection]
"USBFilterDriverExclusionList"=hex(7):00,00
; REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
PowerShell
# Exported from gporais.com
# Policy: USB Filter Driver Exclusion List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
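$path = 'HKLM:\Software\Policies\Citrix\AppProtection'
# Create the key only if it is missing: New-Item -Force on an existing key
# recreates it and discards the values already stored there.
if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
Set-ItemProperty -Path $path -Name 'USBFilterDriverExclusionList' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
Intune XML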
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: USB Filter Driver Exclusion List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\AppProtection' -Name 'USBFilterDriverExclusionList' -Expected @() -Kind MultiString)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: USB Filter Driver Exclusion List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
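$path = 'HKLM:\Software\Policies\Citrix\AppProtection'
# Create the key only if it is missing: New-Item -Force on an existing key
# recreates it and discards the values already stored there.
if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
Set-ItemProperty -Path $path -Name 'USBFilterDriverExclusionList' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
SCCM CI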
# Exported from gporais.com
# Policy: USB Filter Driver Exclusion List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: USB Filter Driver Exclusion List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\AppProtection' -Name 'USBFilterDriverExclusionList' -Expected @() -Kind MultiString)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: USB Filter Driver Exclusion List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
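$path = 'HKLM:\Software\Policies\Citrix\AppProtection'
# Create the key only if it is missing: New-Item -Force on an existing key
# recreates it and discards the values already stored there.
if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
Set-ItemProperty -Path $path -Name 'USBFilterDriverExclusionList' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.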