Smartcard Removal Policy for x86 machine
Supported on: Citrix Workspace app 4.5 and above
Description
Use this policy to control the Smart Card Removal Action when a user authenticates to a Citrix Web Interface 5.4 PNAgent site with a smart card through Citrix Workspace app for Windows. This option enables the user to set the session behaviour on removing the smart card from the client.
NOTE: This option is available only on 32-bit operating systems. To be able to enable this policy, ensure that the Smart Card Removal option is set on WI XenApp Services. Refer to the XenApp documentation for the procedure on setting Smart Card Removal on XenApp.
When the policy is Enabled, the user remains logged in to Citrix Workspace despite removing the smart card from the client. The user is, however, logged off from the XenApp session.
Registry
Key: SOFTWARE\Citrix\AuthManager
Value name: SmartCardRemovalAction
Enabled: SmartCardRemovalAction = ForceLogOff
Disabled: SmartCardRemovalAction =
REG Builder (beta)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Smartcard Removal Policy for x86 machine
; State: Enabled
; Supported on: Supported on Citrix Workspace app 4.5 and above
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\AuthManager]
"SmartCardRemovalAction"="ForceLogOff"
PowerShell
# Exported from gporais.com
# Policy: Smartcard Removal Policy for x86 machine
# State: Enabled
# Supported on: Supported on Citrix Workspace app 4.5 and above
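$path = 'HKLM:\SOFTWARE\Citrix\AuthManager'
# Create the key only if it is missing: New-Item -Force on an existing
# registry key recreates it and drops the other values stored under it.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'SmartCardRemovalAction' -Value 'ForceLogOff' -Type String
Intune XML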
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Smartcard Removal Policy for x86 machine
# State: Enabled
# Supported on: Supported on Citrix Workspace app 4.5 and above
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    # A missing key or value is compliant only when -Absent was requested.
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKLM:\SOFTWARE\Citrix\AuthManager' -Name 'SmartCardRemovalAction' -Expected 'ForceLogOff' -Kind String)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Smartcard Removal Policy for x86 machine
# State: Enabled
# Supported on: Supported on Citrix Workspace app 4.5 and above
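$path = 'HKLM:\SOFTWARE\Citrix\AuthManager'
# Create the key only if it is missing: New-Item -Force on an existing
# registry key recreates it and drops the other values stored under it.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'SmartCardRemovalAction' -Value 'ForceLogOff' -Type String
SCCM CI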
# Exported from gporais.com
# Policy: Smartcard Removal Policy for x86 machine
# State: Enabled
# Supported on: Supported on Citrix Workspace app 4.5 and above
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Smartcard Removal Policy for x86 machine
# State: Enabled
# Supported on: Supported on Citrix Workspace app 4.5 and above
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    # A missing key or value is compliant only when -Absent was requested.
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKLM:\SOFTWARE\Citrix\AuthManager' -Name 'SmartCardRemovalAction' -Expected 'ForceLogOff' -Kind String)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Smartcard Removal Policy for x86 machine
# State: Enabled
# Supported on: Supported on Citrix Workspace app 4.5 and above
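$path = 'HKLM:\SOFTWARE\Citrix\AuthManager'
# Create the key only if it is missing: New-Item -Force on an existing
# registry key recreates it and drops the other values stored under it.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'SmartCardRemovalAction' -Value 'ForceLogOff' -Type String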