Configure AirLock for Your Organization

reg: KioskAlwaysLogout

GPO: Always Logout After AirLock

REG_SZ

If enabled, when a user completes a process in AirLock and would otherwise be sent to their desktop, they will instead be logged out of Windows. (This does not affect cases where the user does not need to enter AirLock.)

Most situations lead to a logout; however, if the user employs a valid authenticator and the process completed in AirLock does not affect that authenticator, then they can proceed to their Windows session without logging back in.

Default: “true” - meaning enabled.

When “false”, AirLock will determine whether to allow desktop access or log the user out based on whether they have met the enforcement rules.

reg: KioskAutoLogonDomains

GPO: Authorized domains for Kerberos SSO

REG_SZ

A comma-separated list of domain names that should be authorized to use Kerberos SSO to automatically log into AirLock.

No default. Mandatory for leveraging Windows domain logon for the AirLock kiosk.

reg: KioskImmuneGroupSids

GPO: Immune Security IDs

REG_MULTI_SZ

A list of Security IDs (SIDs) corresponding to roles for a user that should be immune to AirLock enforcement.

Default: S-1-5-32-544

This is the built-in Windows administrator SID for local and domain administrators.

Any value (including an empty list) will override the default.

Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use.

reg: KioskLogicCard

GPO: Logic to use after PKI-based logon

REG_SZ

The "logic module" used to determine whether the user must go to the kiosk due to an expired or almost expired certificate on an inserted smartcard (any smartcard that is inserted, not only the one being used for authentication).

validity: User is redirected to AirLock when a certificate is about to expire

when-online: User is redirected to AirLock when a certificate is within renewal window AND Axiad can establish connectivity with the Unified Portal

Never (default): Axiad does not check the certificates of the inserted smartcards

reg: KioskLogicConnectivityTest

GPO: Logic to use for testing network connectivity

REG_SZ

The method that should be used to determine whether or not the user is online (and therefore whether or not they should be eligible for the AirLock).

Active Directory: Test whether the computer's Active Directory network is available. (Default)

Direct: Test whether the Axiad Unified Portal server is accessible.

One of “direct” or “ad”.

Default: “ad”

reg: KioskLogicPass

GPO: Logic to use after regular logon

REG_SZ

The "logic module" used to determine whether the user must go to the kiosk, which will be used only when the user did NOT log in with a smart card.

One of:

"slb-securityFlag" - See “Module: slb-securityFlag” for additional configuration.

“always” to always enforce on use of password

“when-online” to enforce when online

or “never” to never enforcement on use of password

Values are case-sensitive.

Default: "never"

reg: KioskOfflinePolicy

GPO: Policy for offline users

REG_SZ

The desired action to take when the AirLock detects that a user is offline.

Defer: Let the other configured policies ("logic modules") decide what happens. (Default)

Bypass: All users are allowed to use their desktop while offline.

Admins Only: Admins are allowed to use their desktop while offline. All other users are logged out.

Require Certificate: Users that have logged in with a certificate are allowed to use their desktop while offline. All other users are logged out.

One of “defer”, “bypass”, “admins-only”, or “require-certificate”.

Default: “defer”

reg: KioskRequireGroupSids

GPO: Require Security IDs

REG_MULTI_SZ

A list of Security IDs (SIDs) corresponding to roles of users that should be AirLock enforced.

Only users with these roles will be enforced - The opposite effect of KioskImmuneGroupSids.

Registry Deprecation

This registry setting is deprecated in AirLock 2.4+

No default.

Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use.

reg:KioskSilenceErrors

GPO: Silence Standard Error Dialogues

REG_SZ

Whether or not standard error dialogues should be suppressed.

These dialogues appear when a malfunction has been detected in the AirLock.

Default: “false”

reg:

KioskSplashColor

GPO: Splash screen background color

REG_SZ

Kiosk splash screen background color. Must be formatted as 6-character RRGGBB.

Default: "0067A8"

reg: KioskSplashLevel

GPO: Splash screen display level

REG_DWORD

Level for configuring splash screen display.

Default: 3

0: No logo or progress bar

1: Show logo but not progress bar

2: Show logo and progress bar

3: Show logo, progress bar, and status updates

reg: KioskUrl

GPO: Base URL for the kiosk

REG_SZ

The URL which AirLock will start the kiosk with.

This value will follow the pattern: https://portal-<customer>.cloud.axiadids.net/user/

Required

reg: RenewFullscreen

GPO: Force optional renewal to become maximized

REG_SZ

Whether or not the optional renewal browser window should be opened in full-screen mode, or as a regular window.

One of “true” or “false”.

Default: “false”

reg: KioskIdleExitSeconds
GPO: Amount of time a user might be idle

REG_WORD

The number of seconds that users can be idle while viewing the Airlock kiosk, before Airlock will automatically exit.

Default: 60

reg:

KioskImmuneUserSids

GPO: SIDs of the users immune to AirLock enforcement

REG_MULTI_SZ

A list of Security IDs (SIDs) corresponding to users immune from AirLock enforcement.

By default, this list is empty. Providing any entries will enable this feature.

This is an optional configuration.

reg:

KioskAuthBypass

GPO: Authentication providers that bypass AirLock

REG_MULTI_SZ

A list of GUIDs corresponding to the authentication providers that are exempt from AirLock enforcement.

Exception

If KioskLogicCard is set to validity and the user has a smartcard inserted that has an expired certificate, then they will still be redirected to the AirLock workflow even if they use a bypass authenticator.

This applies to any smartcard inserted, not only the one used for authentication.

By default, this list contains the Axiad ID Winlogon provider and the Microsoft Hello authentication providers.

This is an optional configuration.

SlbAction*

(where “*” is a number) / Helpdesk Enforcement

REG_SZ

The action which should be appended to the existing KioskUrl when the user's slb-securityFlag AD attribute equals a given value.

If a value is supplied that does not match a configured SlbAction* key, enforcement will be bypassed.

E.g.: Defining SlbAction3 as “xyz” would append ?action=xyz to the value of KioskUrl.

Valid options are:

• credentialing for issuance

• resetPin for PIN reset

• update for device cert renewal

• updateQA for resetting the question and answer credentials

Default definitions are as follows when no value is supplied for each of the following:

• "SlbAction3"="credentialing"

• "SlbAction10"="credentialing"

• "SlbAction12"="credentialing"

• "SlbAction24"="resetPin"

• "SlbAction73"="update"

• "SlbAction81"="updateQA"

To override one of the above defaults, either supply a new action value or:

• to bypass enforcement, use a value of “internal.bypass”

• to go to the kiosk without a specific action, use a value of “internal.none”

reg: RenewOptionalPeriod

GPO: Days before expiration to offer device renewal

REG_DWORD

The number of days before certificate expiration where the user should be asked if they wish to renew their logon cert.

Required

reg: RenewRequiredPeriod

GPO: Days before expiration to require device renewal

REG_DWORD

The number of days before certificate expiration where the user is forced to renew their logon cert.

Required

reg: RenewAction

GPO: Action to take when nearing expiration

REG_SZ

The action which should be appended to the existing KioskUrl when X509 cert renewal is either required or requested.

E.g.: Defining RenewAction as issue would append ?action=issue to the value of KioskUrl.

Default is no action

reg: RenewSilenceAmbiguousCerts

GPO: Silence Ambiguous Certificate Renewal Message

REG_SZ

Whether or not display MsgRenewAmbiguous should be hidden when the user's certificate could not be identified amongst other logon certificates currently available devices

Registry Deprecation

This registry setting is deprecated in AirLock 2.4+

Default: "false"

reg: MsgDisallowedByPolicy

GPO: Offline user logout warning

REG_SZ

The message shown to warn the user that they're being logged out due to the AirLock offline policy.

Default:

“Your administrator has configured Axiad AirLock to deny this logon; you will be logged out after this prompt.”

reg: MsgEnforcementReasonCertificateExpiration

GPO: Mandatory Enforcement: Certificate Expiration

REG_SZ

The message shown when the user must renew their expiring logon certificate immediately.

Default:

“The certificate issued to %s must be renewed immediately.”

reg: MsgRenewOffline

GPO: Offline Certificate Renewal Message

REG_SZ

A customized message that displays when a user's certificate is about to expire, and the user is offline.

Provide one instance of %s in the string to insert the number of days remaining until the certificate expires.

Default:

"Your certificate will expire in %s days.
Renew it now?"

reg: MsgRenewOptional

GPO: Optional Certificate Renewal Message

REG_SZ

The message that displays when the user's certificate will expire before RenewRequiredPeriod but after RenewOptionalPeriod.

Provide one instance of %s in the string to insert the number of days remaining until the certificate must be renewed.

Default:

“Your logon certificate will expire in %s days.

Renew it now?”

reg: BmpSplashLogo

GPO: Splash Screen BMP File

REG_SZ

The fully qualified filename of the logo image to display during enforcement processing.

Default: Empty string which defaults to Axiad’s logo.

This must be an absolute filesystem path to a 256x256px .bmp image accessible by any user.

reg: MsgErrorShellMinor

GPO: Minor Error Message

REG_SZ

The message displayed when an unexpected but recoverable error has occurred during enforcement.

These errors should only occur when AirLock is misconfigured or there is a runtime issue with

Default:

“An error occurred; please notify your administrator or support team.

Your regular desktop will open after this message.”

reg: MsgErrorShellMajor

GPO: Major Error Message

REG_SZ

The message displayed when an unexpected and unrecoverable error has occurred during enforcement.

These errors should only occur when AirLock is misconfigured or there is a runtime issue with

Default:

“A critical error occurred; you will be logged out after this prompt.

Please notify your administrator or support team for assistance.”

reg: MsgErrorValidity

GPO: Validity Error message

REG_SZ

The message displayed when the kiosk is launched but fails.

These errors should only occur when AirLock is misconfigured or there is a runtime issue.

Default:

Your logon certificate may be expiring soon, but an error occurred while trying to offer you a solution.\n\nPlease visit the User Portal in order to renew your certificate.

reg: MsgRenewAmbiguous

GPO: Ambiguous Certificate Renewal Message

REG_SZ

Prompt shown when the user's certificate could not be identified amongst other logon certificates currently available devices.

Default:

“The Axiad AirLock could not discern which certificate was used to log in. Your certificate might require renewal.”

reg: DebugLogFileService

GPO: Log file for the Lockdown Service

REG_SZ

Where debug logs for the Lockdown Service go.

Default: "C:\\Program Files\\Axiad\\AirLock\\Service.log"

Note the doubled “\” path separators.

reg: DebugLogFileShell

GPO: Log file for the Custom Shell

REG_SZ

Where debug logs for the Custom Shell go.

Default: "%LocalAppData%\\Axiad\\AirLock\\Shell.log"

Note the doubled “\” path separators.

reg: DebugLogLevel

GPO: Log level

REG_DWORD

The debug log detail level.

Default: 5

The range is from 1-6; 5 is recommended for effective bug reports.

reg: DebugSafeMode

GPO: Safe Mode

REG_SZ

If enabled, AirLock will be started in safe mode without fullscreen mode and without the keyboard lockdown. In addition, the debug flags will be enabled in AirLock.

Default: “false” for disabled

“true” to enable

reg: DebugSafeModeDumpFile

GPO: Network dump file for Safe Mode

REG_SZ

The path to save a network dump when DebugSafeMode is enabled. This file will be overwritten on each launch of AirLock.

Default: “%LocalAppData%\\Axiad\\AirLock\\Network Dump.json”