Smart card authentication
Supported on: All Citrix Workspace supported platforms
Description
Use this policy to control how the client uses smart cards attached to the client device. When enabled, this policy allows the remote server to access smart cards attached to the client device for authentication and other purposes. When disabled, the server cannot access smart cards attached to the client device.
Troubleshooting: When using smart cards in a Citrix environment, the smart card device driver must be installed on the server. When using a different operating system on the client machine, it may be necessary to ensure that the smart card device drivers in use interoperate correctly.
Registry
Key: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard
Value name: SmartCardAllowed
Enabled: SmartCardAllowed = *
Disabled: SmartCardAllowed = false
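The detection scripts on this page only test for the Enabled state. As an added example (not part of the gporais.com export), this read-only audit classifies the value into the states listed above and flags a value stored with an unexpected registry type. The function name Get-SmartCardPolicyState is hypothetical; the HKCU hive and the string (REG_SZ) type are assumptions taken from the exports further down the page.

```powershell
# Added example: read-only audit of the SmartCardAllowed policy value.
# Assumptions: HKCU hive and REG_SZ type, as used by the exports on this page.
function Get-SmartCardPolicyState {
    param(
        [string]$Path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard',
        [string]$Name = 'SmartCardAllowed'
    )

    # A missing key or a missing value both mean the policy is not configured.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ State = 'NotConfigured'; Kind = $null; Raw = $null }
    }

    # Read the stored type as well as the data: a DWord written over the
    # string would otherwise be indistinguishable from a valid setting.
    $kind = $key.GetValueKind($Name)
    $raw  = $key.GetValue($Name)

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        $state = 'UnexpectedType'
    } elseif ($raw -eq '*') {
        $state = 'Enabled'       # server may access client smart cards
    } elseif ($raw -eq 'false') {
        $state = 'Disabled'      # server cannot access client smart cards
    } else {
        $state = 'UnexpectedValue'
    }

    [pscustomobject]@{ State = $state; Kind = $kind; Raw = $raw }
}

Get-SmartCardPolicyState
```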
REG Builder (BETA)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Smart card authentication
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard]
; SmartCardAllowed is a single string (REG_SZ) value; "*" is the Enabled state.
"SmartCardAllowed"="*"
"DisableCtrlAltDel"=dword:00000000
PowerShell
# Exported from gporais.com
# Policy: Smart card authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard'
# Create the key only if it is missing so existing values under it are left alone.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
# SmartCardAllowed is a single string value; '*' is the Enabled state.
Set-ItemProperty -Path $path -Name 'SmartCardAllowed' -Value '*' -Type String
Set-ItemProperty -Path $path -Name 'DisableCtrlAltDel' -Value 0 -Type DWord
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Smart card authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# Returns $true when the registry value matches the expected data
# (or, with -Absent, when the value does not exist).
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        # Key or value is missing: compliant only if absence was requested.
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard'
# SmartCardAllowed is a single string value; '*' is the Enabled state.
$checks = @(
    (Test-RegistryValue -Path $path -Name 'SmartCardAllowed' -Expected '*' -Kind String)
    (Test-RegistryValue -Path $path -Name 'DisableCtrlAltDel' -Expected 0 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Smart card authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard'
# Create the key only if it is missing so existing values under it are left alone.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'SmartCardAllowed' -Value '*' -Type String
Set-ItemProperty -Path $path -Name 'DisableCtrlAltDel' -Value 0 -Type DWord
SCCM CI
# Exported from gporais.com
# Policy: Smart card authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Smart card authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# Returns $true when the registry value matches the expected data
# (or, with -Absent, when the value does not exist).
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        # Key or value is missing: compliant only if absence was requested.
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard'
# SmartCardAllowed is a single string value; '*' is the Enabled state.
$checks = @(
    (Test-RegistryValue -Path $path -Name 'SmartCardAllowed' -Expected '*' -Kind String)
    (Test-RegistryValue -Path $path -Name 'DisableCtrlAltDel' -Expected 0 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Smart card authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Smartcard'
# Create the key only if it is missing so existing values under it are left alone.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'SmartCardAllowed' -Value '*' -Type String
Set-ItemProperty -Path $path -Name 'DisableCtrlAltDel' -Value 0 -Type DWord