Emergency Disable Mode

Emergency Disable Mode is a controlled, admin-only method for temporarily disabling Twosense behavioral authentication in rare and critical situations — such as troubleshooting, system recovery, or providing emergency access.

When enabled, Twosense behavioral authentication is fully disabled. Windows will fall back to its default authentication method or any other configured MFA (e.g., Duo).

ℹ️ Version Requirement

  • Introduced in endpoint agent v3.8.0

  • This feature will not work on earlier versions.

⚠️ Important Security Notice

  • While Emergency Disable Mode is active, Twosense behavioral authentication is not performed at Windows login.

  • Authentication will rely only on your default Windows or MFA configuration.

  • This significantly reduces your security posture.

  • Re-enable Twosense as soon as possible after resolving the issue.

When to Use

Use Emergency Disable Mode to:

  • Troubleshoot login or authentication issues

  • Perform network or system recovery

  • Regain access when Twosense service problems prevent login

When NOT to Use

Do not use Emergency Disable Mode to:

  • Bypass security policies

  • Perform routine administrative access

  • Make long-term configuration changes

Choosing the Right Method

Scenario
Recommended Method
Remote Access?

You have local admin access

Admin Access

No

You have remote PowerShell access

Remote PowerShell

Yes

Remote access unavailable; locked out

Safe Mode

No

Need to disable across multiple machines

Group Policy Object (GPO)

Yes

1. Admin Access

Disable Twosense locally via the Windows Registry.

Prerequisites

  • Local administrator rights

Steps

  1. Open Registry Editor.

  2. Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator

  3. Set DisableAtLogon to 1 (create if missing).

  4. Restart the machine or log off/on.

Re-enable Twosense

Set DisableAtLogon to 0, then restart or log back in.

2. Remote PowerShell

Disable Twosense on a remote machine by updating the registry.

Prerequisites

  • Administrative privileges

  • PowerShell Remoting enabled

  • Network connectivity to target

Steps

  1. In an elevated PowerShell session, run:

    Invoke-Command -ComputerName TARGET_COMPUTER_NAME -ScriptBlock {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator" -Name "DisableAtLogon" -Value 1 -Type DWord -Force
}

  2. Restart the target machine or log off/on.

Re-enable Twosense

Run the same command but set the value to 0.

3. Safe Mode

Use when normal or remote access is unavailable.

Prerequisites

  • Physical access

  • Administrative credentials

Steps

  1. Boot into Windows Safe Mode.

  2. Open Registry Editor.

  3. Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator

  4. Set DisableAtLogon to 1 (create if missing).

  5. Restart normally.

Re-enable Twosense

Log in as admin, set DisableAtLogon to 0, restart.

4. Group Policy Object (GPO)

Disable Twosense across multiple domain-joined machines.

Prerequisites

  • Access to Group Policy Management Console (GPMC)

  • Domain-joined machines receiving GPO updates

Steps

  1. Open GPMC and create or edit a GPO linked to the target OU.

  2. Go to:

    Computer Configuration > Preferences > Windows Settings > Registry

  3. Create a new Registry Item:

    • Action: Update

    • Hive: HKEY_LOCAL_MACHINE

    • Key Path: SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator

    • Value name: DisableAtLogon

    • Value type: REG_DWORD

    • Value data: 1

  4. Restart target machines.

Re-enable Twosense

Update the same GPO to set DisableAtLogon to 0 and apply again.

Last updated