Disable Smartcard Reader
To disable smartcard readers in MFA using registry edits:
1. Locate the device name with the certutil -scinfo command. Take note of the smartcard reader name.
2. Open RegEdit.
3. Create a new MultiString record called SCIgnoreReaders in the [HKEY_LOCAL_MACHINE\SOFTWARE\Foray] directory (for 64-bit machines) and copy in the name of the reader to be ignored.
   Note: For 32-bit machines, this directory is [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foray].
4. Restart the MFA RapidIdentity desktop client.
Second Way to Disable Smartcard Reader
When the Groups value under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers is updated to an unrecognized group name, the reader is also ignored. So far this has not impacted 4G SIM card connectivity for authentication to the cellular networks.
https://docs.microsoft.com/en-us/windows/win32/api/winscard/nf-winscard-scardlistreadersa
On Panasonic machines, leave the NXP readers alone and disable the Microsoft UICC ISO Reader XXXXXXX 0 reader by altering its Groups REG_MULTI_SZ value to be SCard$DefaultReaders_False. This stops the reader from showing up in the CertUtil -SCInfo command output completely.
Note
There may be a better value to place in the Groups value instead of an unrecognized one, perhaps SCARD_ALL_READERS, but this has not been thoroughly tested.
https://docs.microsoft.com/en-us/windows/win32/api/winscard/nf-winscard-scardlistreadergroupsa
Script Examples
SCIgnoreReaders
Use this one for most cases:
    ## Issue:
    ##   Wrong card value being read into RapidIdentity
    ##
    ## Solution:
    ##   Ignore SIM card ATR value through regEdits
    ## =====================================================================
    $regkey = "Device"
    $registryPath = Get-Item -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*'

    If ($null -eq $registryPath) {
        #Write-Output "Machine is not affected with SCIgnoreReaderIssue"
    }
    Else {
        # Reader name as stored in the key's Device value
        $reader = $registryPath.GetValue($regkey)

        #\Foray
        # RapidIdentity-specific ignore list
        $newpath = "HKLM:\SOFTWARE\Foray"
        New-ItemProperty -Path $newpath -PropertyType MultiString -Name "SCIgnoreReaders" -Value $reader -Force | Out-Null

        #\Microsoft\Cryptography\Calais\Readers
        # Move the reader into an unrecognized group so it is no longer listed
        $otherpath = "HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\Readers\$reader"
        $groupvalue = "SCardDisabled"
        New-ItemProperty -Path $otherpath -PropertyType MultiString -Name "Groups" -Value $groupvalue -Force | Out-Null

        $msg = "SCIgnoreReaders Registry Key Added: $reader"
        Write-Output $msg
    }
The following two scripts disable Microsoft UICC named readers that often get in the way. The Microsoft UICC ISO Reader is often a SIM card being read in as a smartcard into RapidIdentity. This is technically correct, because SIM cards are smartcards. However, this reader still needs to be ignored.
The first script disables the reader through a registry key specific to the RapidIdentity solution. The second script disables the reader more forcefully by updating the smartcard reader's Groups name, which stops the reader from being read into RapidIdentity. Neither of these scripts has impacted 4G connections when used as a disable method. However, the first script is the safer and more correct script to leverage if you can.
SCIgnoreReaders
Script to Ignore Readers by SCIgnoreReaders:
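    $regkey = "Device"
    $registryPath = Get-Item -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*'

    # Only act when a Microsoft UICC ISO Reader key exists on this machine
    If ($null -ne $registryPath) {
        # Reader name as stored in the key's Device value
        $reader = $registryPath.GetValue($regkey)
        # Add the reader to the RapidIdentity-specific ignore list
        $newpath = "HKLM:\SOFTWARE\Foray"
        New-ItemProperty -Path $newpath -PropertyType MultiString -Name "SCIgnoreReaders" -Value $reader -Force
    }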
SCIgnoreReaders-Force
Script to Ignore Readers by Group:
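    $regkey = "Device"
    $registryPath = Get-Item -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*'

    # Only act when a Microsoft UICC ISO Reader key exists on this machine
    If ($null -ne $registryPath) {
        # Reader name as stored in the key's Device value
        $reader = $registryPath.GetValue($regkey)
        # Replace the reader's Groups value with an unrecognized group name
        $otherpath = "HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\Readers\$reader"
        $groupvalue = "SCardDisabled"
        New-ItemProperty -Path $otherpath -PropertyType MultiString -Name "Groups" -Value $groupvalue -Force
    }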
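The scripts above overwrite SCIgnoreReaders and Groups outright. As an added example (not RapidIdentity or vendor code), the variant below merges the reader into any existing SCIgnoreReaders list and saves the original Groups value before replacing it. The registry paths and the SCardDisabled value are the page's; the function names, the $useGroupMethod switch and the backup file location are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Paths and the SCardDisabled group name come from the page;
# function names, $useGroupMethod and the backup file location are hypothetical.
$readersRoot    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\Readers'
$forayPath      = 'HKLM:\SOFTWARE\Foray'   # HKLM:\SOFTWARE\Wow6432Node\Foray on 32-bit, per the page
$disabledGrp    = 'SCardDisabled'
$backupFile     = Join-Path $env:ProgramData 'reader-groups-backup.json'
$useGroupMethod = $false                   # $true also applies the more forceful Groups change

function Get-MultiString([string]$KeyPath, [string]$Name) {
    # Returns the multi-string value as an array, or an empty array when it is absent.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Name | Where-Object { $_ })
}

function Add-IgnoredReader([string]$Reader) {
    # Merge into SCIgnoreReaders so readers that were ignored earlier are kept.
    if (-not (Test-Path -LiteralPath $forayPath)) { New-Item -Path $forayPath -Force | Out-Null }
    $merged = @(Get-MultiString $forayPath 'SCIgnoreReaders') + $Reader | Select-Object -Unique
    New-ItemProperty -LiteralPath $forayPath -Name 'SCIgnoreReaders' -PropertyType MultiString `
        -Value ([string[]]$merged) -Force | Out-Null
}

function Disable-ReaderGroup($Key) {
    # Record the current Groups value in the backup file, then set the unrecognized group name.
    $current = @(Get-MultiString $Key.PSPath 'Groups')
    if ($current -contains $disabledGrp) { return }    # already disabled; keep the earlier backup
    $backup = @{}
    if (Test-Path -LiteralPath $backupFile) {
        (Get-Content -LiteralPath $backupFile -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $backup[$_.Name] = $_.Value }
    }
    $backup[$Key.PSChildName] = $current
    $backup | ConvertTo-Json | Set-Content -LiteralPath $backupFile
    New-ItemProperty -LiteralPath $Key.PSPath -Name 'Groups' -PropertyType MultiString `
        -Value $disabledGrp -Force | Out-Null
}

$found = @(Get-ChildItem -LiteralPath $readersRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Microsoft UICC ISO Reader*' })
foreach ($key in $found) {                             # handles more than one matching reader
    $reader = $key.GetValue('Device')                  # reader name, as in the page's scripts
    if (-not $reader) { continue }
    Add-IgnoredReader $reader
    if ($useGroupMethod) { Disable-ReaderGroup $key }
    Write-Output "SCIgnoreReaders now includes: $reader"
}
```

To undo the Groups change, write the value recorded for that reader in the backup file back into its Groups entry, then restart the MFA RapidIdentity desktop client.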