> For the complete documentation index, see [llms.txt](https://docs.twosense.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.twosense.ai/windows-authenticator/guides/emergency-disable-mode.md). # Emergency Disable Mode **Emergency Disable Mode** is a controlled, admin-only method for temporarily disabling Twosense behavioral authentication in rare and critical situations — such as troubleshooting, system recovery, or providing emergency access. When enabled, Twosense behavioral authentication is fully disabled. Windows will fall back to its default authentication method or any other configured MFA (e.g., Duo). *** ## ℹ️ Version Requirement * **Introduced in endpoint agent v3.8.0** * This feature will **not work** on earlier versions. *** ## ⚠️ Important Security Notice * While Emergency Disable Mode is active, **Twosense behavioral authentication is not performed at Windows login**. * Authentication will rely only on your default Windows or MFA configuration. * This significantly reduces your security posture. * **Re-enable Twosense as soon as possible after resolving the issue.** *** ## When to Use Use Emergency Disable Mode to: * Troubleshoot login or authentication issues * Perform network or system recovery * Regain access when Twosense service problems prevent login ## When *NOT* to Use Do **not** use Emergency Disable Mode to: * Bypass security policies * Perform routine administrative access * Make long-term configuration changes *** ## Choosing the Right Method | Scenario | Recommended Method | Remote Access? | | ---------------------------------------- | ----------------------------------------------------------- | -------------- | | You have local admin access | [Admin Access](#id-1.-admin-access) | No | | You have remote PowerShell access | [Remote PowerShell](#id-2.-remote-powershell) | Yes | | Remote access unavailable; locked out | [Safe Mode](#id-3.-safe-mode) | No | | Need to disable across multiple machines | [Group Policy Object (GPO)](#id-4.-group-policy-object-gpo) | Yes | *** ## 1. Admin Access Disable Twosense locally via the Windows Registry. ### Prerequisites * Local administrator rights ### Steps 1. Open Registry Editor. 2. Navigate to: ``` HKEY_LOCAL_MACHINE\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator ``` 3. Create a DWORD named `DisableAtLogon` if it doesn't exist, and set its value to 1. 4. Restart the machine or log off/on. ### Re-enable Twosense Set `DisableAtLogon` to `0`, then restart or log back in. *** ## 2. Remote PowerShell Disable Twosense on a remote machine by updating the registry. ### Prerequisites * Administrative privileges * PowerShell Remoting enabled * Network connectivity to target ### Steps 1. In an elevated PowerShell session, run: ```powershell Invoke-Command -ComputerName TARGET_COMPUTER_NAME -ScriptBlock { Set-ItemProperty -Path "HKLM:\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator" -Name "DisableAtLogon" -Value 1 -Type DWord -Force } ``` 2. Restart the target machine or log off/on. ### Re-enable Twosense Run the same command but set the value to `0`. *** ## 3. Safe Mode Use when normal or remote access is unavailable. ### Prerequisites * Physical access * Administrative credentials ### Steps 1. Boot into Windows Safe Mode. 2. Open Registry Editor. 3. Navigate to: ``` HKEY_LOCAL_MACHINE\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator ``` 4. Create a DWORD named `DisableAtLogon` if it doesn't exist, and set its value to 1. 5. Restart normally. ### Re-enable Twosense Log in as admin, set `DisableAtLogon` to `0`, restart. *** ## 4. Group Policy Object (GPO) Disable Twosense across multiple domain-joined machines. ### Prerequisites * Access to Group Policy Management Console (GPMC) * Domain-joined machines receiving GPO updates ### Steps 1. Open GPMC and create or edit a GPO linked to the target OU. 2. Go to: ``` Computer Configuration > Preferences > Windows Settings > Registry ``` 3. Create a new Registry Item: * **Action:** Update * **Hive:** HKEY\_LOCAL\_MACHINE * **Key Path:** SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator * **Value name:** DisableAtLogon * **Value type:** REG\_DWORD * **Value data:** 1 4. Restart target machines. ### Re-enable Twosense Update the same GPO to set `DisableAtLogon` to `0` and apply again. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.twosense.ai/windows-authenticator/guides/emergency-disable-mode.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.