SCIgnoreReaders For Internal Readers

Computers with embedded readers will try to pass the SIM card as an RFID card. This happens because of their close proximity to each other within the device itself and can cause a number of odd, inappropriate behaviors by the MFA software. Some of these behaviors can look like:

• Computer beeping as if a card has been scanned at login
• The same username appears to attempt to "badge-in" every time
• Users frequently receive "This card is not registered" when that user is known to be enrolled
• The same username appears on multiple computers that they have never touched
• The computer beeps as if a card has been read then locks itself
• Being unable to enroll a contactless card; seeing a value appear in the card data during an enrollment before you even scan your card

The following instructions will demonstrate an example on how to confirm the behavior, followed by blocking the smart card reader through the registry editor. The steps cannot be generalized into a single .REG file as the values used will be unique to each computer.

Confirming The Reader & Behavior

1. Open the Rapid Identity MFA desktop application.

2. Once open, click on Enrollment Wizard at the bottom.

3. Select the Proximity Card option.

4. The "Serial Number" will quickly populate with a long, overflowing string of hexadecimal values.

   Do not finish the card enrollment process at this step.

   Be sure to take note of the user assigned to this value. They will need to re-enroll their proximity card after this fix because their card was assigned to the SIM card value. You will also need to be sure and clear the client computer's cached credentials (and any others that might have experienced this or been affected by) by following the manual removal instructions or downloading our User Removal Tool.

   

5. Open an elevated command prompt.

6. Run the command: certutil -scinfo
   

   You'll notice that the hex value from Step 3 will appear under one of your computer's readers - typically the Microsoft UICC ISO Reader. This reader is your computer's unique smart card reader value that our software will need instruction to ignore.

Ignoring The Reader

1. Copy the reader name (including the single number at the end of the string, in this example it's the zero).

2. Open your regedit and navigate to HKLM\Software\Foray.

3. Create a new multi-string sub-key:
   "SCIgnoreReaders" MULTI_SZ = <card reader name from Step 1>

   

4. Restart the computer.

Deployable PowerShell Script

The following PowerShell script can be run to automatically perform similar actions as the steps above, but it only accounts for a single UICC reader in the system. Copy/paste or download the code below and be sure to save it as a .ps1. If you receive any errors, be sure you are running this as Administrator.

scignorereaders.ps1

###########################
## SCIgnoreReaders Script #
###########################
clear
Start-Sleep -Seconds 2
Write-Output "Unrestricting ExecutionPolicy...`n"
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy unrestricted -Force

$regkey = "Device"
$registryPath = Get-Item -path 'HKLM:\\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*'

If ($registryPath -eq $null) {
	Start-Sleep -Seconds 2
	Write-Output "Checking for UICC reader...`n"
	Start-Sleep -Seconds 2
    Write-Output "No reader found. Machine is not affected by SCIgnoreReader Issue.`nExiting..."
	Start-Sleep -Seconds 3
	Exit
}
Else {
    Write-Output "Reader found. Adding SCIgnoreReaders key...`n"
	$reader = $registryPath.GetValue($regkey)
    $newpath = "HKLM:\\SOFTWARE\Foray"
    
    # Create SCIgnoreReaders reg key in HKLM\Software\Foray
    New-ItemProperty -Path $newpath -PropertyType MultiString -Name "SCIgnoreReaders" -Value $reader -force | Out-Null
    
    #\Microsoft\Cryptography\Calais\Readers
    $otherpath = "HKLM:\\SOFTWARE\Microsoft\Cryptography\Calais\Readers\$reader"
    $groupvalue = "SCardDisabled"
    New-ItemProperty -Path $otherpath -PropertyType MultiString -Name "Groups" -Value $groupvalue -force | Out-Null
    
	Start-Sleep -Seconds 2
    $msg = "SCIgnoreReaders Registry Key Added: $reader"
    Write-Output $msg
}

Write-Output "`nResetting ExecutionPolicy...`n"
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy restricted -Force
$ExPo = Get-ExecutionPolicy
Start-Sleep -Seconds 2

Write-Output "Checking the reset...`n"
Start-Sleep -Seconds 2

If ($ExPo -eq 'Restricted') {
	Write-Output "ExecutionPolicy: $ExPo.`n`nThe script ran successfully!`n"
	Start-Sleep -Seconds 2
	Write-Output "Closing PowerShell in 5 seconds..."
	Start-Sleep -Seconds 5
	Exit
}
Else {
	Write-Output "Something didn't work quite right. Please check the execution policy again.`n"
	Write-Output "Current ExecutionPolicy: $ExPo"
}

If your computers have more than one UICC reader, you can use the following alternative PowerShell script:

BlockSCReaders.ps1

## Disable all Microsoft UICC Readers by appending "_false" to their "Groups" key value
## If/Else checks that machine's ExecutionPolicy is returned to Restricted when complete
#########################################################################################

clear
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy unrestricted -Force
$ExPo = Get-ExecutionPolicy
Start-Sleep -Seconds 2

If ($ExPo -eq 'Unrestricted') {
	Write-Output "ExecutionPolicy is now: $ExPo`n"
	Set-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\Readers\Microsoft UICC ISO Reader*' -Name Groups -Value 'SCard$DefaultReaders_false'
	Start-Sleep -Seconds 2
	Write-Output "ALL UICC readers have been updated.`n"
}

Write-Output "Resetting ExecutionPolicy...`n"
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy restricted -Force
$ExPo = Get-ExecutionPolicy
Start-Sleep -Seconds 2

Write-Output "Checking the reset...`n"
Start-Sleep -Seconds 2
If ($ExPo -eq 'Restricted') {
	Write-Output "ExecutionPolicy: $ExPo.`n`nThe script ran successfully!`n"
	Start-Sleep -Seconds 2
	Write-Output "Closing PowerShell in 5 seconds..."
	Start-Sleep -Seconds 5
	Exit
}
Else {
	Write-Output "Something didn't work quite right. Please check the execution policy again.`n"
	Write-Output "Current ExecutionPolicy: $ExPo"
}