Disable Citrix Smart Card Hook for HYPR Virtual Smart Card on RDP
Purpose
This playbook describes how to disable the Citrix Smart Card Hook on Citrix Virtual Delivery Agents (VDAs) so that HYPR virtual smart card authentication can be used for RDP and Windows logon workflows inside Citrix sessions.
Background
Citrix installs API hook DLLs that intercept smart card calls in VDA processes. When HYPR virtual smart card support is configured alongside Citrix, those hooks intercept the smart card enumeration calls and prevent HYPR from presenting its virtual smart card to the Windows logon stack. Disabling the hook lets HYPR's virtual smart card function correctly inside the Citrix session.
Supported environments
- Windows-based Citrix VDAs
- HYPR Passwordless deployments using virtual smart card authentication for RDP / Windows logon
Prerequisites
- Administrative access to the VDA or its master image (golden image)
- A maintenance window scheduled if running in production
- A registry backup completed (see Back up the registry)
- HYPR Passwordless Client for Windows registration completed and verified on the VDA
Back up the registry
Take a backup of the affected registry keys before making any changes.
Option A — GUI
-
Open
regedit.exe. -
Navigate to:
HKLM\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook -
Right-click Smart Card Hook → Export → save as
SmartCardHook_Backup.reg. -
If present, also export the 32-bit-on-64-bit OS path:
HKLM\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
Option B — Command line
reg export "HKLM\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook" C:\SmartCardHook_Backup.reg
reg export "HKLM\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook" C:\SmartCardHook_Wow6432_Backup.reg
Disable the Smart Card Hook
Step 1 — Disable the 64-bit hook
Set the Flag DWORD value to 0 at:
HKLM\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
DWORD: Flag = 0
Step 2 — Disable the 32-bit hook (on 64-bit OS)
Set the Flag DWORD value to 0 at:
HKLM\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
DWORD: Flag = 0
Step 3 — Reboot the VDA
Reboot the Citrix VDA so the hook DLL is unloaded from running processes.
Validate
- Confirm both
Flagregistry values are set to0. - Initiate an RDP connection from a VDI session that has HYPR Passwordless installed and registered. The HYPR virtual smart card should be presented and authentication should complete.
Operational considerations
With the Citrix Smart Card Hook disabled, physical smart cards no longer redirect through Citrix on the affected VDA. HYPR becomes the sole smart card authority. Validate this is acceptable for your environment before applying to production.
- Re-validate after each Citrix upgrade — Citrix VDA upgrades may reset the hook configuration.
- If using a NetScaler / Citrix Gateway, smart card behavior can also be controlled via NetScaler policy.
Rollback
To restore the previous behavior:
-
Double-click the exported
.regbackup file(s), or run:reg import C:\SmartCardHook_Backup.reg
reg import C:\SmartCardHook_Wow6432_Backup.reg -
Reboot the VDA.
References
- Citrix CTX231743 — How to Disable Smart Card Hook For All Processes
- Citrix documentation for per-application Smart Card Hook disablement (Citrix Support).
- Configure SmartControl — Citrix NetScaler Gateway for NetScaler-side policy.
Related
- Windows Passwordless Login Using Smartcard — broader HYPR virtual smart card configuration playbook
- Playbooks overview