MFA Guides

Disable Smartcard Reader

To disable smartcard readers in MFA using registry edits:

  1. Locate device name with the certutil -scinfo command.

  2. Take note of the smartcard reader name.

  3. Open RegEdit.

  4. Create a new MultiString record in the [HKEY_LOCAL_MACHINE\SOFTWARE\Foray] directory for 64-bit machines called SCIgnoreReaders and copy in the reader's name to be ignored.


    For 32-bit machines, this directory is [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foray].

  5. Restart the MFA RapidIdentity desktop client.

Second Way to Disable Smartcard Reader

When the Groups value under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers is updated to an unrecognized group name, the reader is also ignored. So far this has not impacted 4G SIM card connectivity for authentication to the cellular networks.


On Panasonic machines, leave the NXP leaders alone and disable the Microsoft UICC ISO Reader XXXXXXX 0 reader by altering their Groups' REG-MULTI_SZ value to be SCard$DefaultReaders_False. This disables the reader from showing up in the CertUtil -SCInfo command completely.



There may be a better value to place in the Groups value instead of an unrecognized one, perhaps SCARD_ALL_READERS, but this has not been thoroughly tested.


Script Examples

Use this one for most cases:

## Issue:
## Wrong card value being read into RapidIdentity
## Solution:
## Ignore SIM card ATR value through regEdits
## =====================================================================
$regkey = "Device"
$registryPath = Get-Item -path 'HKLM:\\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*' 
    If ($registryPath -eq $null) {    
        #Write-Output "Machine is not affected with SCIgnoreReaderIssue"  
    }  Else    {
        $reader = $registryPath.GetValue($regkey)    
        $newpath = "HKLM:\\SOFTWARE\Foray"
        New-ItemProperty -Path $newpath -PropertyType MultiString -Name "SCIgnoreReaders" -Value $reader -force | Out-Null     
         #\Microsoft\Cryptography\Calais\Readers       $otherpath = "HKLM:\\SOFTWARE\Microsoft\Cryptography\Calais\Readers\$reader"
        $groupvalue = "SCardDisabled"
        New-ItemProperty -Path $otherpath -PropertyType MultiString -Name "Groups" -Value $groupvalue -force | Out-Null
        $msg = "SCIgnoreReaders Registry Key Added: $reader"
        Write-Output $msg

The following two scripts disable Microsoft UICC named readers that often get in the way. The Microsoft UICC ISO Reader is often a SIM card being read in as a smartcard into RapidIdentity. This is technically correct, because SIM cards are smartcards, however this reader still needs to be ignored.

The first script disables the reader through a registry key specific to the RapidIdentity solution. The second script more forcefully disables the reader through updating the smartcard readers' Groups name, which disables the reader from being read into RapidIdentity. Both of these scripts have not impacted 4G connections of using this as a disable method. However, the first script is the safer and more correct script to leverage if you can.


Script to Ignore Readers by SCIgnoreReaders:

$regkey = "Device"
$registryPath = Get-Item -path 'HKLM:\\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*'
$reader = $registryPath.GetValue($regkey)$newpath = "HKLM:\\SOFTWARE\Foray"New-ItemProperty -Path 
$newpath -PropertyType MultiString -Name "SCIgnoreReaders" -Value $reader -force

Script to Ignore Readers by Group:

$regkey = "Device"
$registryPath = Get-Item -path 'HKLM:\\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*'
$reader = $registryPath.GetValue($regkey)
$otherpath = "HKLM:\\SOFTWARE\Microsoft\Cryptography\Calais\Readers\$reader"
$groupvalue = "SCardDisabled"
New-ItemProperty -Path $otherpath -PropertyType MultiString -Name "Groups" -Value $groupvalue -force