Configure AirLock for Your Organization
  • 13 Sep 2023

Article Summary

This section details the registry keys and GPO settings that control AirLock. We recommend setting them via GPO using the provided administrative templates, so that every AirLock-enabled workstation receives a consistent configuration.

  • All manual configurations are in HKLM:\SOFTWARE\Axiad\AirLock.
  • All policy configurations are in HKLM:\SOFTWARE\Policies\Axiad\AirLock, and override manual configurations.

Kiosk Settings

The kiosk is the Unified Portal.

Each entry below lists: Registry and GPO Keys, Key Type, Description, Value.

reg: KioskAlwaysLogout

GPO: Always Logout After AirLock

REG_SZ

If enabled, when a user completes a process in AirLock and would otherwise be sent to their desktop, they will instead be logged out of Windows. (This does not affect cases where the user does not need to enter AirLock.)

Default: “true” - meaning enabled.

When “false”, AirLock will determine whether to allow desktop access or log the user out based on whether they have met the enforcement rules.

reg: KioskAutoLogonDomains

GPO: Authorized domains for Kerberos SSO

REG_SZ

A comma-separated list of domain names that should be authorized to use Kerberos SSO to automatically log into AirLock.

No default. Mandatory for leveraging Windows domain logon for the AirLock kiosk.

reg: KioskImmuneGroupSids

GPO: Immune Security IDs

REG_MULTI_SZ

A list of Security IDs (SIDs) corresponding to roles for a user that should be immune to AirLock enforcement.

Default: S-1-5-32-544

This is the built-in Windows administrator SID for local and domain administrators.

Any value (including an empty list) will override the default.

Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use.

reg: KioskLogicCard

GPO: Logic to use after PKI-based logon

REG_SZ

The "logic module" used to determine whether the user must go to the kiosk, which will be used only when the user logged in with a smart card.

One of: "never" or "validity" (case-sensitive)

Default: "never"

reg: KioskLogicConnectivityTest

GPO: Logic to use for testing network connectivity

REG_SZ

The method that should be used to determine whether or not the user is online (and therefore whether or not they should be eligible for the AirLock).

Active Directory: Test whether the computer's Active Directory network is available. (Default)

Direct: Test whether the Axiad Unified Portal server is accessible.

One of “direct” or “ad”.

Default: “ad”

reg: KioskLogicPass

GPO: Logic to use after regular logon

REG_SZ

The "logic module" used to determine whether the user must go to the kiosk, which will be used only when the user did NOT log in with a smart card.

One of:

"slb-securityFlag" - See “Module: slb-securityFlag” for additional configuration.

“always” to always enforce on use of password

“when-online” to enforce when online

or “never” to never enforce on use of password

Values are case-sensitive.

Default: "never"

reg: KioskOfflinePolicy

GPO: Policy for offline users

REG_SZ

The desired action to take when the AirLock detects that a user is offline.

Defer: Let the other configured policies ("logic modules") decide what happens. (Default)

Bypass: All users are allowed to use their desktop while offline.

Admins Only: Admins are allowed to use their desktop while offline. All other users are logged out.

Require Certificate: Users that have logged in with a certificate are allowed to use their desktop while offline. All other users are logged out.

One of “defer”, “bypass”, “admins-only”, or “require-certificate”.

Default: “defer”

reg: KioskRequireGroupSids

GPO: Require Security IDs

REG_MULTI_SZ

A list of Security IDs (SIDs) corresponding to roles of users that should be AirLock enforced.

Only users with these roles will be enforced (the opposite effect of KioskImmuneGroupSids).

No default.

Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use.

reg: KioskSilenceErrors

GPO: Silence Standard Error Dialogues

REG_SZ

Whether or not standard error dialogues should be suppressed.

These dialogues appear when a malfunction has been detected in the AirLock.

Default: “false”

reg: KioskSplashColor

GPO: Splash screen background color

REG_SZ

Kiosk splash screen background color. Must be formatted as 6-character RRGGBB.

Default: "0067A8"

reg: KioskSplashLevel

GPO: Splash screen display level

REG_DWORD

Level for configuring splash screen display.

Default: 3

0: No logo or progress bar

1: Show logo but not progress bar

2: Show logo and progress bar

3: Show logo, progress bar, and status updates

reg: KioskUrl

GPO: Base URL for the kiosk

REG_SZ

The URL which AirLock will start the kiosk with.

This value will follow the pattern: https://portal-<customer>.cloud.axiadids.net/user/

Required

reg: RenewFullscreen

GPO: Force optional renewal to become maximized

REG_SZ

Whether or not the optional renewal browser window should be opened in full-screen mode, or as a regular window.

One of “true” or “false”.

Default: “false”

reg: KioskIdleExitSeconds

GPO: Amount of time a user might be idle

REG_DWORD

The number of seconds that users can be idle while viewing the AirLock kiosk before AirLock automatically exits.

Default: 60
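
The following PowerShell script is an added example, not Axiad's code. It resolves each kiosk setting the way the page describes (the Policies key overrides the manual key) and checks the effective values against the constraints listed above: KioskUrl is required, the enumerated values are case-sensitive, KioskSplashColor must be six hex digits, and every entry in the SID lists must be a valid SID. The key paths are the ones given on this page; the function names and the validation rules are this example's own, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not Axiad's code): read the effective AirLock kiosk settings
# and check them against the constraints documented on this page.
$ManualKey = 'HKLM:\SOFTWARE\Axiad\AirLock'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock'

# Policy values override manual values, so the policy key is consulted first.
function Get-AirLockSetting {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in @($PolicyKey, $ManualKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $key }
        }
    }
    return $null   # not configured anywhere: AirLock applies its documented default
}

# Allowed values for the enumerated keys. They are case-sensitive, hence -cnotin below.
$Enumerations = @{
    KioskAlwaysLogout          = @('true', 'false')
    KioskLogicCard             = @('never', 'validity')
    KioskLogicConnectivityTest = @('direct', 'ad')
    KioskLogicPass             = @('slb-securityFlag', 'always', 'when-online', 'never')
    KioskOfflinePolicy         = @('defer', 'bypass', 'admins-only', 'require-certificate')
    KioskSilenceErrors         = @('true', 'false')
    RenewFullscreen            = @('true', 'false')
}

function Test-AirLockKioskConfig {
    $findings = New-Object System.Collections.Generic.List[string]

    # KioskUrl is the one unconditionally required key.
    $url = Get-AirLockSetting 'KioskUrl'
    if (-not $url) {
        $findings.Add('KioskUrl is required but is not set in either key')
    } elseif ($url.Value -notmatch '^https://') {
        $findings.Add("KioskUrl '$($url.Value)' is not an https:// URL")
    }

    foreach ($name in $Enumerations.Keys) {
        $s = Get-AirLockSetting $name
        if ($s -and ($s.Value -cnotin $Enumerations[$name])) {
            $findings.Add("$name='$($s.Value)' from $($s.Source) is not one of: $($Enumerations[$name] -join ', ')")
        }
    }

    # Kerberos SSO into the kiosk needs the authorised domain list.
    if (-not (Get-AirLockSetting 'KioskAutoLogonDomains')) {
        $findings.Add('KioskAutoLogonDomains is not set; Windows domain logon to the kiosk will not work')
    }

    # Splash colour must be exactly six hex digits (RRGGBB).
    $color = Get-AirLockSetting 'KioskSplashColor'
    if ($color -and $color.Value -notmatch '^[0-9A-Fa-f]{6}$') {
        $findings.Add("KioskSplashColor '$($color.Value)' is not a 6-character RRGGBB value")
    }

    # Every entry of the two SID lists must parse as a SID; a typo here silently
    # changes who is immune to (or required to pass) enforcement.
    foreach ($listName in 'KioskImmuneGroupSids', 'KioskRequireGroupSids') {
        $list = Get-AirLockSetting $listName
        if (-not $list) { continue }
        foreach ($sid in @($list.Value)) {
            try { [void][System.Security.Principal.SecurityIdentifier]::new($sid) }
            catch { $findings.Add("$listName contains an invalid SID '$sid'") }
        }
    }
    return $findings
}

$problems = Test-AirLockKioskConfig
if ($problems.Count -eq 0) { Write-Host 'AirLock kiosk configuration looks consistent' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Reading HKLM does not require elevation, so the script can be run as a normal user on a workstation to confirm what the GPO actually delivered; the Source field in each finding tells you whether the offending value came from the policy key or from a leftover manual setting.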

Enforcement Logic

slb-securityFlag

NOTE: The required keys below apply only when KioskLogicPass = "slb-securityFlag".

Each entry below lists: Registry and GPO Keys, Key Type, Description, Value.

reg: SlbAction* (where “*” is a number)

GPO: Helpdesk Enforcement

REG_SZ

The action which should be appended to the existing KioskUrl when the user's slb-securityFlag AD attribute equals a given value.

If a value is supplied that does not match a configured SlbAction* key, enforcement will be bypassed.

E.g.: Defining SlbAction3 as “xyz” would append ?action=xyz to the value of KioskUrl.

Valid options are:

  • credentialing for issuance
  • resetPin for PIN reset
  • update for device cert renewal
  • updateQA for resetting the question and answer credentials

The following defaults apply when no value is supplied for the corresponding SlbAction* key:

  • "SlbAction3"="credentialing"
  • "SlbAction10"="credentialing"
  • "SlbAction12"="credentialing"
  • "SlbAction24"="resetPin"
  • "SlbAction73"="update"
  • "SlbAction81"="updateQA"
To override one of the above defaults, either supply a new action value or:
  • to bypass enforcement, use a value of “internal.bypass”
  • to go to the kiosk without a specific action, use a value of “internal.none”
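
The following PowerShell is an added example, not Axiad's code, that walks through the SlbAction* rules above: the built-in defaults, a configured SlbAction<N> taking precedence over the default for the same N, internal.bypass and internal.none, and the bypass that applies when no key matches the attribute value. The default table and the action names are the page's; the function names, the registry-reading helper and the constructed overrides table used in the walk-through are this example's own.

```powershell
# Added example (not Axiad's code): model how a slb-securityFlag value maps to
# a kiosk action. $Configured stands in for the SlbAction* registry values so
# the walk-through runs offline; Get-ConfiguredSlbActions reads the real ones.
$DefaultSlbActions = @{ 3 = 'credentialing'; 10 = 'credentialing'; 12 = 'credentialing'
                        24 = 'resetPin'; 73 = 'update'; 81 = 'updateQA' }
$KnownActions = @('credentialing', 'resetPin', 'update', 'updateQA')

# Collect SlbAction<N> values from the manual key, then let the policy key
# override them, mirroring the precedence described on this page.
function Get-ConfiguredSlbActions {
    $actions = @{}
    foreach ($key in 'HKLM:\SOFTWARE\Axiad\AirLock', 'HKLM:\SOFTWARE\Policies\Axiad\AirLock') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^SlbAction(\d+)$') { $actions[[int]$Matches[1]] = [string]$p.Value }
        }
    }
    return $actions
}

function Resolve-SlbEnforcement {
    param(
        [Parameter(Mandatory)][string]$KioskUrl,
        [string]$FlagValue,              # the user's slb-securityFlag AD attribute
        [hashtable]$Configured = @{}     # SlbAction* values, keyed by the number N
    )
    $n = 0
    if (-not [int]::TryParse($FlagValue, [ref]$n)) {
        return [pscustomobject]@{ Enforce = $false; Url = $null; Reason = 'flag is empty or non-numeric: bypass' }
    }
    # A configured SlbAction<N> wins over the built-in default for the same N.
    $action = if ($Configured.ContainsKey($n)) { $Configured[$n] }
              elseif ($DefaultSlbActions.ContainsKey($n)) { $DefaultSlbActions[$n] }
              else { $null }

    if ($null -eq $action) {
        return [pscustomobject]@{ Enforce = $false; Url = $null; Reason = "no SlbAction$n defined: bypass" }
    }
    if ($action -ceq 'internal.bypass') {
        return [pscustomobject]@{ Enforce = $false; Url = $null; Reason = "SlbAction$n = internal.bypass" }
    }
    if ($action -ceq 'internal.none') {
        return [pscustomobject]@{ Enforce = $true; Url = $KioskUrl; Reason = "SlbAction$n = internal.none: kiosk without action" }
    }
    if ($action -cnotin $KnownActions) {
        Write-Warning "SlbAction$n='$action' is not a documented action; the portal may not understand it"
    }
    return [pscustomobject]@{ Enforce = $true; Url = "${KioskUrl}?action=$action"; Reason = "SlbAction$n = $action" }
}

# Constructed walk-through with a hypothetical overrides table instead of the registry.
$overrides = @{ 10 = 'internal.bypass'; 24 = 'internal.none'; 99 = 'update' }
$portal = 'https://portal-<customer>.cloud.axiadids.net/user/'
foreach ($flag in '3', '10', '24', '73', '99', '42', '') {
    $r = Resolve-SlbEnforcement -KioskUrl $portal -FlagValue $flag -Configured $overrides
    '{0,-4} enforce={1,-5} url={2} ({3})' -f "'$flag'", $r.Enforce, $r.Url, $r.Reason
}
# Replace $overrides with (Get-ConfiguredSlbActions) to evaluate the live configuration.
```

In the walk-through, 3 and 73 fall through to the defaults (credentialing and update), 10 is bypassed by the override, 24 opens the kiosk with no action, 99 uses the override that has no default, and 42 and the empty value are bypassed because nothing matches; the last case is the one worth noticing operationally, since a user whose attribute is unset or mistyped is not enforced at all.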

Validity

NOTE: The required keys below apply only when KioskLogicCard = "validity".

Each entry below lists: Registry and GPO Keys, Key Type, Description, Value.

reg: RenewOptionalPeriod

GPO: Days before expiration to offer device renewal

REG_DWORD

The number of days before certificate expiration where the user should be asked if they wish to renew their logon cert.

Required

reg: RenewRequiredPeriod

GPO: Days before expiration to require device renewal

REG_DWORD

The number of days before certificate expiration where the user is forced to renew their logon cert.

Required

reg: RenewAction

GPO: Action to take when nearing expiration

REG_SZ

The action which should be appended to the existing KioskUrl when X509 cert renewal is either required or requested.

E.g.: Defining RenewAction as issue would append ?action=issue to the value of KioskUrl.

Default is no action

reg: RenewSilenceAmbiguousCerts

GPO: Silence Ambiguous Certificate Renewal Message

REG_SZ

Whether the MsgRenewAmbiguous prompt should be hidden when the user's certificate could not be identified among the other logon certificates on currently available devices.

Default: "false"
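
The following PowerShell is an added example, not Axiad's code, showing how the three validity keys combine: the days left on a logon certificate are compared against RenewRequiredPeriod and RenewOptionalPeriod, and when renewal is offered or forced the kiosk URL gets ?action=<RenewAction> appended (the page's own example value, issue, is used). The state names, the function names, the fixed dates in the walk-through and the Smart Card Logon EKU heuristic for picking the logon certificate are this example's assumptions; it also assumes RenewOptionalPeriod is not smaller than RenewRequiredPeriod, which is what the optional/required ordering on this page implies.

```powershell
# Added example (not Axiad's code): evaluate the "validity" rule for a logon
# certificate using RenewOptionalPeriod, RenewRequiredPeriod and RenewAction.
function Get-RenewalState {
    param(
        [Parameter(Mandatory)][datetime]$NotAfter,        # certificate expiry
        [Parameter(Mandatory)][int]$RenewOptionalPeriod,  # days: start offering renewal
        [Parameter(Mandatory)][int]$RenewRequiredPeriod,  # days: force renewal
        [Parameter(Mandatory)][string]$KioskUrl,
        [string]$RenewAction = '',                        # empty = the "no action" default
        [datetime]$Now = (Get-Date)
    )
    # Assumption: the optional window must start before (or with) the required one.
    if ($RenewRequiredPeriod -gt $RenewOptionalPeriod) {
        throw "RenewRequiredPeriod ($RenewRequiredPeriod) must not exceed RenewOptionalPeriod ($RenewOptionalPeriod)"
    }
    $daysLeft = [int][math]::Floor(($NotAfter - $Now).TotalDays)
    $state = if ($daysLeft -le $RenewRequiredPeriod) { 'required' }
             elseif ($daysLeft -le $RenewOptionalPeriod) { 'optional' }
             else { 'none' }
    # When renewal is offered or forced, the kiosk opens with ?action=<RenewAction>.
    $url = if ($state -eq 'none') { $null }
           elseif ($RenewAction) { "${KioskUrl}?action=$RenewAction" }
           else { $KioskUrl }
    [pscustomobject]@{ DaysLeft = $daysLeft; State = $state; KioskUrl = $url }
}

# Heuristic (this example's assumption): the logon certificate is the one in the
# user's store carrying the Smart Card Logon EKU. More than one match is the sort
# of situation the MsgRenewAmbiguous prompt exists for.
function Get-LogonCertificates {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Smart Card Logon' }
}

# Constructed walk-through with fixed dates so the result is reproducible:
# 30-day optional window, 7-day required window, evaluated on 13 Sep 2023.
$now = Get-Date '2023-09-13'
$portal = 'https://portal-<customer>.cloud.axiadids.net/user/'
foreach ($expiry in '2023-12-01', '2023-09-30', '2023-09-15') {
    $r = Get-RenewalState -NotAfter (Get-Date $expiry) -RenewOptionalPeriod 30 -RenewRequiredPeriod 7 -KioskUrl $portal -RenewAction 'issue' -Now $now
    '{0}: {1,3} days left -> {2,-8} {3}' -f $expiry, $r.DaysLeft, $r.State, $r.KioskUrl
}

# Against the live store: evaluate every logon certificate found.
$certs = @(Get-LogonCertificates)
if ($certs.Count -gt 1) { Write-Warning "$($certs.Count) logon certificates found; AirLock may report an ambiguous certificate" }
foreach ($c in $certs) {
    Get-RenewalState -NotAfter $c.NotAfter -RenewOptionalPeriod 30 -RenewRequiredPeriod 7 -KioskUrl $portal -RenewAction 'issue'
}
```

With those inputs the December certificate (79 days) yields none, the 30 September one (17 days) yields optional with the issue URL, and the 15 September one (2 days) yields required with the same URL; which message the user sees (MsgRenewOptional versus MsgEnforcementReasonCertificateExpiration) follows from that state.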

Branding and User Messaging

NOTE:
  • The Registry and GPO key values are under the Customize sub-key.
  • All manual configurations go in HKLM:\SOFTWARE\Axiad\AirLock\Customize.
  • All policy configurations go in HKLM:\SOFTWARE\Policies\Axiad\AirLock\Customize and override manual configurations.

Each entry below lists: Registry and GPO Keys, Key Type, Description, Value.

reg: MsgDisallowedByPolicy

GPO: Offline user logout warning

REG_SZ

The message shown to warn the user that they're being logged out due to the AirLock offline policy.

Default: “Your administrator has configured Axiad AirLock to deny this logon; you will be logged out after this prompt.”

reg: MsgEnforcementReasonCertificateExpiration

GPO: Mandatory Enforcement: Certificate Expiration

REG_SZ

The message shown when the user must renew their expiring logon certificate immediately.

Default: “The certificate issued to %s must be renewed immediately.”

reg: MsgRenewOffline

GPO: Offline Certificate Renewal Message

REG_SZ

A customized message that displays when a user's certificate is about to expire and the user is offline.

Provide one instance of %s in the string to insert the number of days remaining until the certificate expires.

Default:

"Your certificate will expire in %s days.
Renew it now?"

reg: MsgRenewOptional

GPO: Optional Certificate Renewal Message

REG_SZ

The message that displays when the user's certificate will expire before RenewRequiredPeriod but after RenewOptionalPeriod.

Provide one instance of %s in the string to insert the number of days remaining until the certificate must be renewed.

Default:

“Your logon certificate will expire in %s days.

Renew it now?”

reg: BmpSplashLogo

GPO: Splash Screen BMP File

REG_SZ

The fully qualified filename of the logo image to display during enforcement processing.

Default: Empty string which defaults to Axiad’s logo.

This must be an absolute filesystem path to a 256x256px .bmp image accessible by any user.

reg: MsgErrorShellMinor

GPO: Minor Error Message

REG_SZ

The message displayed when an unexpected but recoverable error has occurred during enforcement.

These errors should only occur when AirLock is misconfigured or there is a runtime issue with

Default:

“An error occurred; please notify your administrator or support team.

Your regular desktop will open after this message.”

reg: MsgErrorShellMajor

GPO: Major Error Message

REG_SZ

The message displayed when an unexpected and unrecoverable error has occurred during enforcement.

These errors should only occur when AirLock is misconfigured or there is a runtime issue with

Default:

“A critical error occurred; you will be logged out after this prompt.

Please notify your administrator or support team for assistance.”

reg: MsgErrorValidity

GPO: Validity Error message

REG_SZ

The message displayed when the kiosk is launched but fails.

These errors should only occur when AirLock is misconfigured or there is a runtime issue.

Default:

Your logon certificate may be expiring soon, but an error occurred while trying to offer you a solution.\n\nPlease visit the User Portal in order to renew your certificate.

reg: MsgRenewAmbiguous

GPO: Ambiguous Certificate Renewal Message

REG_SZ

Prompt shown when the user's certificate could not be identified among the other logon certificates on currently available devices.

Default:

“The Axiad AirLock could not discern which certificate was used to log in. Your certificate might require renewal.”
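
The following PowerShell is an added example, not Axiad's code, that checks the Customize values against the constraints stated in this section: the renewal and expiration messages should contain exactly one %s placeholder, and BmpSplashLogo must be an absolute path to a 256x256 .bmp that any user can read. The key paths and value names are the page's; the function names, the choice of which messages to check and the ACL-based read-access heuristic are this example's own.

```powershell
# Added example (not Axiad's code): validate the Customize sub-key values.
# Policy key first, then manual, matching the precedence on this page.
$CustomizeKeys = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock\Customize', 'HKLM:\SOFTWARE\Axiad\AirLock\Customize'

function Get-CustomizeValue {
    param([string]$Name)
    foreach ($key in $CustomizeKeys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return [string]$item.$Name }
    }
    return $null   # not set: AirLock uses its documented default text
}

function Test-MessageTemplate {
    # Messages that embed a value (days left, certificate subject) need exactly one %s.
    param([string]$Name, [string]$Text)
    $count = ([regex]::Matches($Text, '%s')).Count
    if ($count -ne 1) { "$Name contains $count '%s' placeholders; exactly one is expected" }
}

function Test-SplashLogo {
    param([string]$Path)
    if (-not $Path) { return }   # empty string = Axiad's built-in logo, nothing to check
    if (-not [System.IO.Path]::IsPathRooted($Path)) { return "BmpSplashLogo '$Path' is not an absolute path" }
    if ([System.IO.Path]::GetExtension($Path) -ne '.bmp') { return "BmpSplashLogo '$Path' is not a .bmp file" }
    if (-not (Test-Path -LiteralPath $Path)) { return "BmpSplashLogo '$Path' does not exist" }
    Add-Type -AssemblyName System.Drawing
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        if ($img.Width -ne 256 -or $img.Height -ne 256) { "BmpSplashLogo is $($img.Width)x$($img.Height), expected 256x256" }
    } finally { $img.Dispose() }
    # Heuristic: the logo is displayed for every user, so a broad read-allow ACE
    # (Users, Authenticated Users or Everyone) should be present on the file.
    $readers = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0) -and
        $_.IdentityReference.Value -in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    }
    if (-not $readers) { "BmpSplashLogo '$Path' has no read ACE for Users, Authenticated Users or Everyone" }
}

$findings = @()
foreach ($name in 'MsgRenewOffline', 'MsgRenewOptional', 'MsgEnforcementReasonCertificateExpiration') {
    $text = Get-CustomizeValue $name
    if ($null -ne $text) { $findings += Test-MessageTemplate -Name $name -Text $text }
}
$findings += Test-SplashLogo -Path (Get-CustomizeValue 'BmpSplashLogo')
$findings = @($findings | Where-Object { $_ })
if ($findings.Count -eq 0) { 'Customize values pass the documented constraints' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The ACL check is deliberately conservative: a file readable only through group membership that is not one of the three listed identities will be flagged even though it may work, which is preferable to a splash screen that silently falls back or fails for a subset of users.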

Troubleshooting

Each entry below lists: Registry and GPO Keys, Key Type, Description, Value.

reg: DebugLogFileService

GPO: Log file for the Lockdown Service

REG_SZ

Where debug logs for the Lockdown Service go.

Default: "C:\\Program Files\\Axiad\\AirLock\\Service.log"

Note the doubled “\” path separators.

reg: DebugLogFileShell

GPO: Log file for the Custom Shell

REG_SZ

Where debug logs for the Custom Shell go.

Default: "%LocalAppData%\\Axiad\\AirLock\\Shell.log"

Note the doubled “\” path separators.

reg: DebugLogLevel

GPO: Log level

REG_DWORD

The debug log detail level.

Default: 5

The range is 1 to 6; 5 is recommended for effective bug reports.

reg: DebugSafeMode

GPO: Safe Mode

REG_SZ

If enabled, AirLock will be started in safe mode without fullscreen mode and without the keyboard lockdown. In addition, the debug flags will be enabled in AirLock.

Default: “false” (disabled); set to “true” to enable.

reg: DebugSafeModeDumpFile

GPO: Network dump file for Safe Mode

REG_SZ

The path to save a network dump when DebugSafeMode is enabled. This file will be overwritten on each launch of AirLock.

Default: “%LocalAppData%\\Axiad\\AirLock\\Network Dump.json”
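
The following PowerShell is an added example, not Axiad's code, that assembles a support bundle using the troubleshooting keys above: it resolves DebugLogFileService, DebugLogFileShell and DebugSafeModeDumpFile (policy over manual, falling back to the documented defaults), expands %LocalAppData%, warns if DebugLogLevel is below the recommended 5, and zips the files together with a JSON dump of the four AirLock registry keys. The key paths and defaults are the page's; the function names, output location and bundle layout are this example's own.

```powershell
# Added example (not Axiad's code): collect AirLock logs and configuration for a bug report.
$Keys = 'HKLM:\SOFTWARE\Axiad\AirLock', 'HKLM:\SOFTWARE\Policies\Axiad\AirLock',
        'HKLM:\SOFTWARE\Axiad\AirLock\Customize', 'HKLM:\SOFTWARE\Policies\Axiad\AirLock\Customize'

# Documented defaults, used when neither the policy nor the manual key sets the value.
$Defaults = @{
    DebugLogFileService   = 'C:\Program Files\Axiad\AirLock\Service.log'
    DebugLogFileShell     = '%LocalAppData%\Axiad\AirLock\Shell.log'
    DebugSafeModeDumpFile = '%LocalAppData%\Axiad\AirLock\Network Dump.json'
    DebugLogLevel         = 5
}

function Get-AirLockValue {
    param([string]$Name)
    foreach ($key in $Keys[1], $Keys[0]) {   # policy overrides manual
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name }
    }
    return $Defaults[$Name]
}

function New-AirLockSupportBundle {
    param([string]$Destination = (Join-Path $env:TEMP ('AirLock-support-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))))
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    if ([int](Get-AirLockValue 'DebugLogLevel') -lt 5) {
        Write-Warning 'DebugLogLevel is below 5; logs may be too sparse for an effective bug report'
    }

    # Effective configuration from all four keys, with the PS* provider metadata stripped.
    $config = foreach ($k in $Keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p) { [pscustomobject]@{ Key = $k; Values = ($p | Select-Object -Property * -ExcludeProperty PS*) } }
    }
    $config | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $Destination 'registry.json')

    foreach ($name in 'DebugLogFileService', 'DebugLogFileShell', 'DebugSafeModeDumpFile') {
        # %LocalAppData% expands to the *current* user's profile; Shell.log and the
        # network dump for another user live under that user's profile instead.
        $path = [Environment]::ExpandEnvironmentVariables([string](Get-AirLockValue $name))
        if (Test-Path -LiteralPath $path) { Copy-Item -LiteralPath $path -Destination $Destination }
        else { Write-Warning "$name -> '$path' not found or not readable from this account" }
    }

    $zip = "$Destination.zip"
    Compress-Archive -Path (Join-Path $Destination '*') -DestinationPath $zip -Force
    return $zip
}

New-AirLockSupportBundle
```

The doubled “\” separators shown in the defaults above are .reg-file escaping; when you set these paths with Set-ItemProperty or read them back as this script does, the registry holds single backslashes, which is what the $Defaults table uses.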

