Client hardware access
Supported on: All Citrix Workspace supported platforms
Description
Use this policy to specify the maximum number of serial ports supported by the client platform. Also, use this policy to enable and restrict the remote application or desktop's access to the client’s serial, USB, and parallel ports. This allows the server to use locally attached hardware.
Troubleshooting: Remote PDA synchronization uses "virtual COM ports", which are serial port connections routed through USB connections. For this reason, serial port access must be enabled to use PDA synchronization.
Registry
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port
This policy sets several registry values:
COMAllowed
COMAllowed = (not defined)
COMAllowed = false
VirtualCOMPortEmulation
VirtualCOMPortEmulation = (not defined)
VirtualCOMPortEmulation = false
CPMAllowed
CPMAllowed = (not defined)
CPMAllowed = false
REG Builder (BETA)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Client hardware access
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port]
; "COMAllowed" = (not defined)
; "VirtualCOMPortEmulation" = (not defined)
; "CPMAllowed" = (not defined)
"MaxPort"=""
"COMAllowed"=dword:00000001
"VirtualCOMPortEmulation"=dword:00000001
"CPMAllowed"=dword:00000001
PowerShell
# Exported from gporais.com
# Policy: Client hardware access
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port'
New-Item -Path $path -Force | Out-Null
# COMAllowed = (not defined)
# VirtualCOMPortEmulation = (not defined)
# CPMAllowed = (not defined)
Set-ItemProperty -Path $path -Name 'MaxPort' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'COMAllowed' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'VirtualCOMPortEmulation' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'CPMAllowed' -Value 1 -Type DWord
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Client hardware access
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
# HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port\COMAllowed: COMAllowed= is not representable as a registry value.
# HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port\VirtualCOMPortEmulation: VirtualCOMPortEmulation= is not representable as a registry value.
# HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port\CPMAllowed: CPMAllowed= is not representable as a registry value.
$checks = @(
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'MaxPort' -Expected '' -Kind String)
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'COMAllowed' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'VirtualCOMPortEmulation' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'CPMAllowed' -Expected 1 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Client hardware access
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port'
New-Item -Path $path -Force | Out-Null
# COMAllowed = (not defined)
# VirtualCOMPortEmulation = (not defined)
# CPMAllowed = (not defined)
Set-ItemProperty -Path $path -Name 'MaxPort' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'COMAllowed' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'VirtualCOMPortEmulation' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'CPMAllowed' -Value 1 -Type DWord
SCCM CI
# Exported from gporais.com
# Policy: Client hardware access
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Client hardware access
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
# HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port\COMAllowed: COMAllowed= is not representable as a registry value.
# HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port\VirtualCOMPortEmulation: VirtualCOMPortEmulation= is not representable as a registry value.
# HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port\CPMAllowed: CPMAllowed= is not representable as a registry value.
$checks = @(
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'MaxPort' -Expected '' -Kind String)
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'COMAllowed' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'VirtualCOMPortEmulation' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port' -Name 'CPMAllowed' -Expected 1 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Client hardware access
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Serial Port'
New-Item -Path $path -Force | Out-Null
# COMAllowed = (not defined)
# VirtualCOMPortEmulation = (not defined)
# CPMAllowed = (not defined)
Set-ItemProperty -Path $path -Name 'MaxPort' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'COMAllowed' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'VirtualCOMPortEmulation' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'CPMAllowed' -Value 1 -Type DWord