Configure trusted server configuration
Supported on: All Citrix Workspace supported platforms
Description
Use this policy to control how the client identifies the published application or desktop it is connecting to. The client will determine a trust level, called a ""trust region"" with a connection. The trust region will then determine how the client is configured for the connection. When this policy is enabled, the client can be forced to perform region identification using the "Enforce trusted server configuration" option. By default, region identification is based on the address of the server the client is connecting to. To be a member of the trusted region, the server must be a member of the Windows Trusted Sites zone. You can configure this using the "Windows Internet zone" setting. Alternatively, for compatibility with non-Windows clients, the server address can be specifically trusted using the "Address" setting. This is a comma-separated list of servers supporting the use of wildcards, for example, cps*.citrix.com. Troubleshooting: In the default configuration, when trusted server configuration prevents the client from connecting, the following error message is displayed: "<Server> ERROR: Cannot connect to the Citrix XenApp server. The server (xxx) is not trusted for ICA connections. Connections to the (Untrusted Region) Region are not allowed by lockdown settings. Please contact your administrator." The server identified in the "xxx" must be added to the Windows Trusted Sites zone (as either http:// or https:// for SSL connections) for the connection to succeed. Note that for SSL connections, the certificate common name must be trusted. For non-SSL connections all servers that are contacted must be individually trusted. This means that when using application browsing, both the XML service and the server this redirects to must be trusted.
Registry
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust REG Builder
BETAConfigure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Configure trusted server configuration
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust]
"EnableClientSelectiveTrust"=dword:00000001 PowerShell
# Exported from gporais.com
# Policy: Configure trusted server configuration
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'EnableClientSelectiveTrust' -Value 1 -Type DWord Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune. Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Configure trusted server configuration
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust' -Name 'EnableClientSelectiveTrust' -Expected 1 -Kind DWord)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Configure trusted server configuration
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'EnableClientSelectiveTrust' -Value 1 -Type DWord SCCM CI
# Exported from gporais.com
# Policy: Configure trusted server configuration
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Configure trusted server configuration
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust' -Name 'EnableClientSelectiveTrust' -Expected 1 -Kind DWord)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Configure trusted server configuration
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\ClientSelectiveTrust'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'EnableClientSelectiveTrust' -Value 1 -Type DWord