cloudflare · deadlypants1973 · Feb 19, 2025 · Feb 20, 2025
@@ -27,13 +27,23 @@ WARP settings define the WARP client modes and permissions available to end user
 
 :::note
 
-In order to enable **Admin override**, [**Lock WARP switch**](#lock-warp-switch) must also be enabled.
+To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch).
 
 :::
 
-When `Enabled`, end users can turn off the WARP client using an override code provided by an admin. This feature allows users to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
+When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot turn the WARP client off on their device. Enabling **Admin override** gives users the ability to turn off the WARP client using an override code provided by an admin.
 
-You can set a **Timeout** to define how long a user can toggle on or off the WARP switch. The timer starts when the user first enters their code into the WARP client. The code remains valid and can be reused anytime during this time period. For example, if **Timeout** is 24 hours, the user can re-enter the code at 23:59:00 and continue to turn off WARP until 47:59:00 (up to 48 hours total).
+**Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
+
+As admin, you can set a **Timeout** to define how long a user can toggle the WARP switch on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user.
+
+:::caution[Troubleshooting]
+
+To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-entered-an-override-code-for-warp-that-was-supposed-to-be-valid-for-3-hours-but-the-override-code-expired-faster-than-i-expected).
+
+If [**Auto connect**](#auto-connect) is enabled, WARP will turn on even when using a **Admin override**. Refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-disabled-warp-using-an-override-code-but-warp-turned-on-by-itself-before-my-override-code-expired) for more details.
+
+:::
 
 #### Retrieve the override code
 
@@ -165,8 +175,8 @@ Allows the user to turn off the WARP switch and disconnect the client.
 
 **Value:**
 
-- `Disabled`: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
-- `Enabled`: The user is prevented from turning off the switch. The WARP client will always start in the connected state.
+- `Disabled`: (default) The user is able to turn the WARP switch on or off at their discretion. When the WARP switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
+- `Enabled`: The user is prevented from turning off the WARP switch. The WARP client will always start in the connected state.
 
 On MDM deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
 

@@ -267,3 +267,33 @@ Turning off TLS decryption should be a temporary measure. TLS decryption should
 ## I am getting an `Error 401: deleted_client - The OAuth Client was deleted` authorization error.
 
 <Render file="access/error-401" product="cloudflare-one" />
+
+## I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected.
+
+[Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) codes are time-sensitive and adhere to fixed-hour time blocks. An override code's validity is attached to the hour it was generated in. Override codes cannot be reused after their timeout has expired. When an override code timeout has expired, the user must receive a new override code from the admin. Refer to the following scenarios.
+
+### Scenario one: Admin generates an override code at 9:00 AM with a timeout of one hour.
+
+If admin generates an override code with a timeout of one hour at **9:00 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle WARP on and off until **10:59 AM** (a one hour duration.)
+
+However, if the user attempts to enter the override code at **10:00 AM**, the override code will not work. The override code will not work because the override code was generated at **9:00 AM** and its one hour validity was counted as used in the 9:00 AM to 10:00 AM hour.
+
+### Scenario two: Admin generates an override code at 9:30 AM with timeout of three hours.
+
+If admin generates an override code with a timeout of three hours at **9:30 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle WARP on and off until **12:59 PM** (a three hour duration.)
+
+However, if the user attempts to enter the override code at **10:00 AM**, the override code will only be valid until **12:00 PM** (a two hour duration). The override code was generated at **9:30 AM** and one hour of its total three hour validity was counted as used in the 9:00 AM to 10:00 AM hour.
+
+### Scenariot three: Admin generates an override code at 12:30 PM with a timeout of 24 hours.
+
+If admin generates an override code with a timeout of 24 hours at **12:00 PM** and the user inputs the override code in their device at **12:59 PM** the same day, the user will be able to toggle WARP on and off until **12:59 PM** the next day (a 24 hour duration.)
+
+However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:00 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour.
+
+If the user attempts to enter the override code at **12:59 PM** the next day, the override code will only be valid until **1:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration).
+
+## I disabled WARP using an override code but WARP turned on by itself before my override code expired.
+
+If you are using an [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code with [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) enabled, WARP will turn on automatically according to the Timeout set for **Auto connect** even when an override code has been entered by the user.
+
+To prevent WARP from auto connecting while using an admin override code, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**.