Citrix Virtual Apps and Desktops SDK


Creates a new desktop rule in the site’s assignment policy.


New-BrokerAssignmentPolicyRule [-ColorDepth <ColorDepth>] [-Description <String>] -DesktopGroupUid <Int32> [-Enabled <Boolean>] [-ExcludedUserFilterEnabled <Boolean>] [-ExcludedUsers <User[]>] [-IconUid <Int32>] [-IncludedUserFilterEnabled <Boolean>] [-IncludedUsers <User[]>] [-MaxDesktops <Int32>] [-Name] <String> [-PublishedName <String>] [-SecureIcaRequired <Boolean>] [-UUID <Guid>] [-LoggingId <Guid>] [<CitrixCommonParameters>] [<CommonParameters>]


The New-BrokerAssignmentPolicyRule cmdlet adds a new desktop rule to the site’s assignment policy.

A desktop rule in the assignment policy defines the users who are entitled to self-service persistent machine assignments from the rule’s desktop group. A rule defines how many machines a user is allowed from the group for delivery of full desktop sessions.

The following constraints apply when creating a desktop assignment rule for a desktop group:

  • The group’s desktop kind must be Private
  • The group’s delivery type must be DesktopsOnly
  • Only one desktop assignment rule can be created for RemotePC groups.

When a user selects a machine assignment entitlement from a private group, a currently unassigned machine is selected from the group and permanently assigned to the user to create an assigned desktop. A desktop session is then launched to the machine. Subsequent launches are routed directly to the now assigned machine.

Once a machine has been assigned in this way, the original assignment rule plays no further part in access to the new desktop.

Multiple desktop rules in the assignment policy can apply to the same desktop group. Where a user is granted entitlements by more than one rule for the same group, they can have as many machine assignments from the group as the total of their entitlements.



Creates a desktop rule in the assignment policy that grants all members of the SALES\uk-staff group an entitlement to a single machine from the Sales Support desktop group. The entitlement name seen by users is Sales Desktop.

$dg = Get-BrokerDesktopGroup 'Sales Support' New-BrokerAssignmentPolicyRule 'UK Office' -DesktopGroupUid $dg.Uid -IncludedUsers sales\uk-staff -PublishedName 'Sales Desktop'



Specifies the administrative name of the new desktop rule. Each rule in the site’s assignment policy must have a unique name (irrespective of whether they are desktop or application rules).

Type: String
Position: 2
Default value: None
Required: True
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: True
Length range: 1 to 64
Disallowed characters: /;:#.*?=<>\|[]()"'`\ and all ASCII control characters


Specifies the unique ID of the desktop group to which the new desktop rule applies.

Type: Int32
Position: Named
Default value: None
Required: True
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies the color depth of any desktop sessions to machines assigned by the new rule.

Valid values are $null, FourBit, EightBit, SixteenBit, and TwentyFourBit.

The default null value indicates that the equivalent setting from the rule’s desktop group is used.

Type: ColorDepth
Position: Named
Default value: Null (dynamically inherited from the desktop group)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies an optional description of the new desktop rule. The text may be visible to the end user, for example, as a tooltip associated with the desktop entitlement.

The default null value indicates that the equivalent setting from the rule’s desktop group is used.

Type: String
Position: Named
Default value: Null (dynamically inherited from the desktop group)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: True
Disallowed characters: All ASCII control characters


Specifies whether the new desktop rule is initially enabled. A disabled rule is ignored when evaluating the site’s assignment policy.

Type: Boolean
Position: Named
Default value: True
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies whether the excluded users filter is initially enabled. If the filter is disabled then any user entries in the filter are ignored when assignment policy rules are evaluated.

Type: Boolean
Position: Named
Default value: False
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies the excluded users filter of the new desktop rule, that is, the users and groups who are explicitly denied an entitlement to a machine assignment from the rule.

This can be used to exclude users or groups who would otherwise gain access by groups specified in the included users filter.

Type: User[]
Position: Named
Default value: (empty list)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies the unique ID of the icon used to display the machine assignment entitlement to the user, and of the assigned desktop itself following the assignment.

The default null value indicates that the equivalent setting from the rule’s desktop group is used.

Type: Int32
Position: Named
Default value: Null (dynamically inherited from the desktop group)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies whether the included users filter is initially enabled. If the filter is disabled then any user who satisfies the requirements of the access policy is implicitly granted an entitlement to a machine assignment by the new desktop rule.

Users who would be implicitly granted access when the filter is disabled can still be explicitly denied access using the excluded users filter.

For rules that relate to RemotePC desktop groups however, if the included user filter is disabled, the rule is effectively disabled.

Type: Boolean
Position: Named
Default value: True
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies the included users filter of the new desktop rule, that is, the users and groups who are granted an entitlement to a machine assignment by the rule.

If a user appears explicitly in the excluded users filter of the rule or is a member of a group that appears in the excluded users filter, no entitlement is granted whether or not the user appears in the included users filter.

Type: User[]
Position: Named
Default value: (empty list)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


The number of machines from the rule’s desktop group to which a user is entitled. Where an entitlement is granted to a user group rather than an individual, the number of machines applies to each member of the user group independently.

Type: Int32
Position: Named
Default value: 1
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


The name of the new machine assignment entitlement as seen by the user, and of the assigned desktop following its usage.

The default null value indicates that the equivalent setting from the rule’s desktop group is used.

Type: String
Position: Named
Default value: Null (dynamically inherited from the desktop group)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: True
Disallowed characters: /;:#.*?=<>\|[]()"'\ and all ASCII control characters


Specifies whether the new desktop rule requires the SecureICA protocol to be used for desktop sessions to machines assigned using the entitlement.

The default null value indicates that the equivalent setting from the rule’s desktop group is used.

Type: Boolean
Position: Named
Default value: Null (dynamically inherited from the desktop group)
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


An optional GUID for this rule.

Type: Guid
Position: Named
Default value: A new GUID is generated if none is supplied.
Required: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False


Specifies the identifier of the high level operation that this cmdlet call forms a part of. Desktop Studio and Desktop Director typically create High Level Operations. PowerShell scripts can also wrap a series of cmdlet calls in a High Level Operation by way of the Start-LogHighLevelOperation and Stop-LogHighLevelOperation cmdlets.

Type: Guid
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False


This cmdlet supports the common Citrix parameters: -AdminAddress, -AdminClientIP, -BearerToken, -TraceParent, -TraceState and -VirtualSiteId. For more information, see about_CitrixCommonParameters.


This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.



You cannot pipe input into this cmdlet.



New-BrokerAssignmentPolicyRule returns the newly created desktop rule in the assignment policy rule.
