AirLock Inadvertent Lockout Resolution
  • 05 Nov 2024
  • 1 Minute to read
  • Dark
    Light
  • PDF

AirLock Inadvertent Lockout Resolution

  • Dark
    Light
  • PDF

Article summary

While Axiad recommends thorough testing of any enforcement policies prior to deployment in a production environment, mistakes do happen and can lead to inadvertent lockout. If this occurs in your environment, then you can regain access and roll back changes through one of the following four “break glass” methods.

Use a Local Account

AirLock will always exempt local account access. Using a local administrator/helpdesk account to log in will bypass AirLock and can be useful to uninstall or roll back AirLock policies if a small number of machines are affected.

Rollback Enforcement Policies through a Registry Change

AirLock relies on three registry gets to control enforcement. Rolling these back via GPO or scripted registry change will restore access to locked-out machines:

Registry Key

Corresponding ADMX Template Name

Value to be Set

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskRequireGroupSids

RequireSecurityIDs

Delete this key

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskLogicPass

Logic to use after regular logon

ADMX: No enforcement

Registry: never

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Axiad\Airlock\KioskLogicCard

Logic to use after PKI-based logon

ADMX: No enforcement

Registry: never

Prevent AirLock from Loading at Startup

AirLock modifies the registry to launch its custom shell before explorer.exe. Rolling back the registry key to explorer.exe will prevent AirLock from launching on the next login. The change below can be pushed out via Intune, GPO, or a registry key deployed via a scheduled task:

  1. Modify the registry key Shell in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

  2. The key will point to <airlock install dir>\Axiad AirLock Custom Shell.exe

  3. Change this back to explorer.exe (the default, before AirLock was installed)

  4. Set Axiad AirLock Lockdown Service to disabled

Remotely Remove AirLock

Another option is to uninstall AirLock remotely using msiexec.

First, you will need the MSI product code of the AirLock MSI package that is deployed in your environment. If you have access to a machine with AirLock deployed, then run the following PowerShell command:

Get-CimInstance -Filter 'NAME LIKE "%Airlock%"' -ClassName 'Win32_Product' |
>>     Select Name, IdentifyingNumber, Version,

Name          IdentifyingNumber                      Version
----          -----------------                      -------
Axiad Airlock {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} 2.4

Use the value in IdentifyingNumber to script the uninstall command:

msiexec /x "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" /qn

This script can be distributed via batch file, startup script, or as part of an immediate scheduled task on all affected machines.

Contact Axiad

As always, if you have any issues with Axiad products, feel free to contact Axiad Customer Success for additional assistance.


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.