Configuring Citrix Virtual Channel Security

With Citrix Virtual Apps and Desktops CR 2109 or LTSR 1912 CU4 or later, the Virtual Channel Allow List must be configured to allow the deviceTRUST virtual channel.

Citrix Virtual Apps and Desktops contains a policy titled Virtual channel allow list which controls the processes which are able to open a virtual channel. When enabled, all processes except the Citrix internal virtual channels must be declared. Additional entries are required for the deviceTRUST Agent to be able to connect to the deviceTRUST Client Extension.

  • With Citrix Virtual Apps and Desktops CR 2109 or LTSR 1912 CU4 or later, the Virtual channel allow list is enabled by default.
  • With previous releases of Citrix Virtual Apps and Desktops, the Virtual channel allow list is disabled by default.


There are two options to configure the virtual channel allow list for enabling deviceTRUST in a Citrix Virtual Apps and Desktops environment:

The first is the recommended solution, as it complies with Citrix’s idea of virtual channel security. However both approaches are described here.

Both settings need to be set on the VDA level. The required configuration can be found in the Citrix farm policies. The setting’s name is Virtual channel allow list.



Allowing all Citrix virtual channels plus the deviceTRUST virtual channel

We recommend configuring the deviceTRUST virtual channel explicitly. Doing so will comply with Citrix’s concept of securing the virtual channel feature whilst allowing deviceTRUST to establish its connection between the deviceTRUST Agent and Client. Doing so requires the following steps:

  • Explicitly enable the Virtual channel allow list policy setting
  • Add the following deviceTRUST virtual channel and process names to the allow list
    • DEVTRST,C:\Program Files\deviceTRUST\Agent\Bin\dtagent.exe
    • DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe


  • If you use additional virtual channels for other functions, these need to be added explicitly as well.
  • If you are using only deviceTRUST 21.1 or later then you can remove the entry 'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe'.

Allowing all virtual channels

A fallback option would be to simply allow all virtual channels to be established. This will work from a technical perspective. It will however work around the security measures Citrix introduced with the 2109 release.