Enhanced Domain passthrough for single sign-on
Supported on: All Citrix Workspace supported platforms
Description
This policy allows Citrix Workspace app to use Enhanced Domain passthrough for single sign-on. When this policy is enabled, the sign-in credentials (pass-through authentication) from the local machine are used to authenticate to the remote server without exchanging the actual username and password. This policy requires VDA version 2308 or later.
Registry
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials Value name: EnableEnhancedDomainPassthrough
Enabled: EnableEnhancedDomainPassthrough = true
Disabled: EnableEnhancedDomainPassthrough = false
REG Builder
BETAConfigure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Enhanced Domain passthrough for single sign-on
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_LOCAL_MACHINE\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials]
"EnableEnhancedDomainPassthrough"="true" PowerShell
# Exported from gporais.com
# Policy: Enhanced Domain passthrough for single sign-on
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'EnableEnhancedDomainPassthrough' -Value 'true' -Type String Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune. Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Enhanced Domain passthrough for single sign-on
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials' -Name 'EnableEnhancedDomainPassthrough' -Expected 'true' -Kind String)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Enhanced Domain passthrough for single sign-on
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'EnableEnhancedDomainPassthrough' -Value 'true' -Type String SCCM CI
# Exported from gporais.com
# Policy: Enhanced Domain passthrough for single sign-on
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Enhanced Domain passthrough for single sign-on
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials' -Name 'EnableEnhancedDomainPassthrough' -Expected 'true' -Kind String)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Enhanced Domain passthrough for single sign-on
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'EnableEnhancedDomainPassthrough' -Value 'true' -Type String