Can't enable Windows Lock Screen?
This guide is for you.
An important information security element is to lock the computer screen when not in use. Most often we forget to do that, leaving it vulnerable for anyone to access.
However, the auto-lock screen policy can fix this flaw.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows queries.
In this context, we shall look into how we can enable Windows Lock Screen on domain computers or servers using Group Policy.
To begin, we will create and configure a domain Group Policy to manage screen lock options:
1. Open the Group Policy Management console (gpmc.msc), create a new GPO object, and link it to the domain root.
2. Then edit the policy edit and go to the User Configuration -> Policies -> Administrative Templates -> Control Panel -> Personalization.
3. There are some options to manage screen saver and screen lock settings in the GPO section:
a. Enable screen saver
b. Password protect the screen saver
c. Screen saver timeout
d. Force specific screen saver
e. Prevent changing screen saver
4. Enable all policies and set a computer idle time in the Screen saver timeout policy.
5. Then wait for it to update on the clients or refresh them manually with the command:
$ gpupdate /force
Once done, screen saver and screen lock settings will be protected from editing in the Windows interface.
In Windows Server 2012/Windows 8 or newer, there is a separate computer security policy that sets a computer inactivity time.
The policy is called Interactive logon: Machine inactivity limit. We can find it in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
In some cases, we may need to configure different lock policies for different user groups.
For example, the screens of office workers should lock after 10 minutes and the screens of production or SCADA operators should never lock.
To implement such a strategy, we can use the GPO Security Filtering or Item Level Targeting in GPP.
We can configure computer lock settings using the registry instead of GPO and deploy the corresponding registry settings to users’ computers via GPO.
The following registry parameters match the policies above.
They are in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop:
1. Password protect the screen saver is a REG_SZ parameter with the name ScreenSaverIsSecure = 1.
2. Screen saver timeout is a REG_SZ parameter with the name ScreenSaveTimeout = 300.
3. Force specific screen saver is a REG_SZ parameter with the name ScreenSaveActive = 1 and SCRNSAVE.EXE = scrnsave.scr.
Create a domain security group (grp_not-lock-prod) for which we want to disable the screen lock policy and add users to it.
Then create the registry parameters described above in the corresponding GPO section.
Using Item Level Targeting, set for each parameter that the policy must not be applied for the specific security group.
In addition, we have to create 4 additional registry parameters with a value REG_SZ 0, that forcefully disable screen lock for the group grp_not-lock-prod.