- 05 Nov 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
AirLock Inadvertent Lockout Resolution
- Updated on 05 Nov 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
While Axiad recommends thorough testing of any enforcement policies prior to deployment in a production environment, mistakes do happen and can lead to inadvertent lockout. If this occurs in your environment, then you can regain access and roll back changes through one of the following four “break glass” methods.
Use a Local Account
AirLock will always exempt local account access. Using a local administrator/helpdesk account to log in will bypass AirLock and can be useful to uninstall or roll back AirLock policies if a small number of machines are affected.
Rollback Enforcement Policies through a Registry Change
AirLock relies on three registry gets to control enforcement. Rolling these back via GPO or scripted registry change will restore access to locked-out machines:
Registry Key | Corresponding ADMX Template Name | Value to be Set |
---|---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskRequireGroupSids | RequireSecurityIDs | Delete this key |
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskLogicPass | Logic to use after regular logon | ADMX: No enforcement Registry: |
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskLogicCard | Logic to use after PKI-based logon | ADMX: No enforcement Registry: |
Prevent AirLock from Loading at Startup
AirLock modifies the registry to launch its custom shell before explorer.exe
. Rolling back the registry key to explorer.exe
will prevent AirLock from launching on the next login. The change below can be pushed out via Intune, GPO, or a registry key deployed via a scheduled task:
Modify the registry key
Shell
inHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
The key will point to
<airlock install dir>\Axiad AirLock Custom Shell.exe
Change this back to
explorer.exe
(the default, before AirLock was installed)Set
Axiad AirLock Lockdown Service
todisabled
Remotely Remove AirLock
Another option is to uninstall AirLock remotely using msiexec.
First, you will need the MSI product code of the AirLock MSI package that is deployed in your environment. If you have access to a machine with AirLock deployed, then run the following PowerShell command:
Get-CimInstance -Filter 'NAME LIKE "%Airlock%"' -ClassName 'Win32_Product' |
>> Select Name, IdentifyingNumber, Version,
Name IdentifyingNumber Version
---- ----------------- -------
Axiad Airlock {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} 2.4
Use the value in IdentifyingNumber
to script the uninstall command:
msiexec /x "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" /qn
This script can be distributed via batch file, startup script, or as part of an immediate scheduled task on all affected machines.
Contact Axiad
As always, if you have any issues with Axiad products, feel free to contact Axiad Customer Success for additional assistance.