# Emergency Disable Mode **Emergency Disable Mode** is a controlled, admin-only method for temporarily disabling Twosense behavioral authentication in rare and critical situations — such as troubleshooting, system recovery, or providing emergency access. When enabled, Twosense behavioral authentication is fully disabled. Windows will fall back to its default authentication method or any other configured MFA (e.g., Duo). *** ## ℹ️ Version Requirement * **Introduced in endpoint agent v3.8.0** * This feature will **not work** on earlier versions. *** ## ⚠️ Important Security Notice * While Emergency Disable Mode is active, **Twosense behavioral authentication is not performed at Windows login**. * Authentication will rely only on your default Windows or MFA configuration. * This significantly reduces your security posture. * **Re-enable Twosense as soon as possible after resolving the issue.** *** ## When to Use Use Emergency Disable Mode to: * Troubleshoot login or authentication issues * Perform network or system recovery * Regain access when Twosense service problems prevent login ## When *NOT* to Use Do **not** use Emergency Disable Mode to: * Bypass security policies * Perform routine administrative access * Make long-term configuration changes *** ## Choosing the Right Method | Scenario | Recommended Method | Remote Access? | | ---------------------------------------- | ----------------------------------------------------------- | -------------- | | You have local admin access | [Admin Access](#id-1.-admin-access) | No | | You have remote PowerShell access | [Remote PowerShell](#id-2.-remote-powershell) | Yes | | Remote access unavailable; locked out | [Safe Mode](#id-3.-safe-mode) | No | | Need to disable across multiple machines | [Group Policy Object (GPO)](#id-4.-group-policy-object-gpo) | Yes | *** ## 1. Admin Access Disable Twosense locally via the Windows Registry. ### Prerequisites * Local administrator rights ### Steps 1. Open Registry Editor. 2. Navigate to: ``` HKEY_LOCAL_MACHINE\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator ``` 3. Create a DWORD named `DisableAtLogon` if it doesn't exist, and set its value to 1. 4. Restart the machine or log off/on. ### Re-enable Twosense Set `DisableAtLogon` to `0`, then restart or log back in. *** ## 2. Remote PowerShell Disable Twosense on a remote machine by updating the registry. ### Prerequisites * Administrative privileges * PowerShell Remoting enabled * Network connectivity to target ### Steps 1. In an elevated PowerShell session, run: ```powershell Invoke-Command -ComputerName TARGET_COMPUTER_NAME -ScriptBlock { Set-ItemProperty -Path "HKLM:\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator" -Name "DisableAtLogon" -Value 1 -Type DWord -Force } ``` 2. Restart the target machine or log off/on. ### Re-enable Twosense Run the same command but set the value to `0`. *** ## 3. Safe Mode Use when normal or remote access is unavailable. ### Prerequisites * Physical access * Administrative credentials ### Steps 1. Boot into Windows Safe Mode. 2. Open Registry Editor. 3. Navigate to: ``` HKEY_LOCAL_MACHINE\SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator ``` 4. Create a DWORD named `DisableAtLogon` if it doesn't exist, and set its value to 1. 5. Restart normally. ### Re-enable Twosense Log in as admin, set `DisableAtLogon` to `0`, restart. *** ## 4. Group Policy Object (GPO) Disable Twosense across multiple domain-joined machines. ### Prerequisites * Access to Group Policy Management Console (GPMC) * Domain-joined machines receiving GPO updates ### Steps 1. Open GPMC and create or edit a GPO linked to the target OU. 2. Go to: ``` Computer Configuration > Preferences > Windows Settings > Registry ``` 3. Create a new Registry Item: * **Action:** Update * **Hive:** HKEY\_LOCAL\_MACHINE * **Key Path:** SOFTWARE\TWOSENSE.AI\TwosenseAuthenticator * **Value name:** DisableAtLogon * **Value type:** REG\_DWORD * **Value data:** 1 4. Restart target machines. ### Re-enable Twosense Update the same GPO to set `DisableAtLogon` to `0` and apply again.