Login
      Contents x
      AirLock Inadvertent Lockout Resolution
      • 05 Nov 2024
      • 1 Minute to read
      • Print
      • Dark
        Light
      • PDF
      Contents

      AirLock Inadvertent Lockout Resolution

      • Updated on 05 Nov 2024
      • 1 Minute to read
      • Print
      • Dark
        Light
      • PDF
      Article summary

      While Axiad recommends thorough testing of any enforcement policies prior to deployment in a production environment, mistakes do happen and can lead to inadvertent lockout. If this occurs in your environment, then you can regain access and roll back changes through one of the following four “break glass” methods.

      Use a Local Account

      AirLock will always exempt local account access. Using a local administrator/helpdesk account to log in will bypass AirLock and can be useful to uninstall or roll back AirLock policies if a small number of machines are affected.

      Rollback Enforcement Policies through a Registry Change

      AirLock relies on three registry gets to control enforcement. Rolling these back via GPO or scripted registry change will restore access to locked-out machines:

      Registry Key

      Corresponding ADMX Template Name

      Value to be Set

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskRequireGroupSids

      RequireSecurityIDs

      Delete this key

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskLogicPass

      Logic to use after regular logon

      ADMX: No enforcement

      Registry: never

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskLogicCard

      Logic to use after PKI-based logon

      ADMX: No enforcement

      Registry: never

      Prevent AirLock from Loading at Startup

      AirLock modifies the registry to launch its custom shell before explorer.exe. Rolling back the registry key to explorer.exe will prevent AirLock from launching on the next login. The change below can be pushed out via Intune, GPO, or a registry key deployed via a scheduled task:

      1. Modify the registry key Shell in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

      2. The key will point to <airlock install dir>\Axiad AirLock Custom Shell.exe

      3. Change this back to explorer.exe (the default, before AirLock was installed)

      4. Set Axiad AirLock Lockdown Service to disabled

      Remotely Remove AirLock

      Another option is to uninstall AirLock remotely using msiexec.

      First, you will need the MSI product code of the AirLock MSI package that is deployed in your environment. If you have access to a machine with AirLock deployed, then run the following PowerShell command:

      Get-CimInstance -Filter 'NAME LIKE "%Airlock%"' -ClassName 'Win32_Product' |
>>     Select Name, IdentifyingNumber, Version,

Name          IdentifyingNumber                      Version
----          -----------------                      -------
Axiad Airlock {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} 2.4

      Use the value in IdentifyingNumber to script the uninstall command:

      msiexec /x "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" /qn

      This script can be distributed via batch file, startup script, or as part of an immediate scheduled task on all affected machines.

      Contact Axiad

      As always, if you have any issues with Axiad products, feel free to contact Axiad Customer Success for additional assistance.

      Was this article helpful?
      What's Next
      101 Metro Drive, Suite 560
      San Jose, CA 95110
      United States
      Social
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout