Enforcing Windows Lock Screen After Idle Time with GPO

It’s a best practice to lock your computer when you step away from your desk, even if it’s just for a short time. Unfortunately, not everyone follows this practice, which can leave your computer unprotected and vulnerable to data leaks.

To address this, you can create a Group Policy Object that automatically locks a workstation after a specified period of inactivity, anywhere from 1 second to a maximum of 86,400 seconds (24 hours). The steps below show how to configure it.

Create a Group Policy Object

To create a Group Policy object (GPO) and configure this setting, follow the steps below:

  1. Log in to a domain controller and open Server Manager.
  2. Click on “Tools” and then on Group Policy Management.
  3. Right-click on Group Policy Objects and click on New.
  4. Provide a name for the GPO, for example Workstation_AutoLock_Policy. Click on OK.
  5. Right-click on “Workstation_AutoLock_Policy” and click on Edit.
  6. Navigate to User Configuration > Policies > Administrative Templates > Control Panel > Personalization and enable the settings below:
    • Enable Screen Saver: Enabled
    • Password Protect the screen saver: Enabled
    • Screen Saver timeout: Enabled (provide the timeout value in seconds. For example, to activate the lock screen after 20 minutes of idle time, provide a value of 1200).
  7. The next step is to enable one more setting called “Loopback processing mode”. This is required when you create a GPO based on User Configuration and link that GPO to an OU containing workstations/computers.
    • Go to Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode: Enabled, Mode: Merge
  8. Once you have configured all settings in this GPO, link it to an OU containing computers. To link the GPO, right-click on the OU and select “Link an Existing GPO...”.
  9. Select the “Workstation_AutoLock_Policy” policy and click on OK.
  10. The Workstation_AutoLock_Policy policy is now linked to the Workstation OU.

End-user Experience

To apply this policy, a reboot of the target device is recommended. After successful implementation, users will see a lock screen when their idle time reaches the duration specified in the ‘Screen Saver timeout’ setting.

If the GPO does not apply to the device, open a command prompt with administrator privileges and run the ‘gpupdate /force’ command. This command retrieves the latest policies for the device and applies them.

To confirm that the Group Policy has been applied to the target workstation, follow these steps:

  1. Press Win + R keys to open the Run dialog box.
  2. In the ‘Run’ box, type ‘rsop.msc’ and press Enter.
  3. Navigate to the screen saver policy settings you configured in the GPO to see the values applied on your device.
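
The same confirmation can be scripted. The PowerShell check below is an added example, not part of the original article: it reads the policy registry values that the three Personalization settings and the loopback setting write, and flags any that are missing or weaker than configured. The function names Get-PolicyValue and Test-AutoLockPolicy are hypothetical, and the 1200-second ceiling is an assumption taken from the article's example value. Run it in the logged-on user's session, because the screen saver values live under HKCU.

```powershell
# Added example: audit the auto-lock policy in the current user's session.
$UserKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachineKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null) when the key or value is absent, i.e. policy not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-AutoLockPolicy {
    # Assumption: 1200 s (the article's 20-minute example) is the longest timeout allowed.
    param([int]$MaxTimeoutSeconds = 1200)

    $active  = Get-PolicyValue $UserKey 'ScreenSaveActive'      # "Enable Screen Saver"
    $secure  = Get-PolicyValue $UserKey 'ScreenSaverIsSecure'   # "Password Protect the screen saver"
    $timeout = Get-PolicyValue $UserKey 'ScreenSaveTimeOut'     # "Screen Saver timeout", in seconds
    $mode    = Get-PolicyValue $MachineKey 'UserPolicyMode'     # loopback: 1 = Merge, 2 = Replace

    # The timeout is stored as a string; missing or non-numeric data fails the check.
    $seconds   = 0
    $timeoutOk = [int]::TryParse([string]$timeout, [ref]$seconds) -and
                 $seconds -ge 1 -and $seconds -le $MaxTimeoutSeconds

    [pscustomobject]@{ Setting = 'Enable Screen Saver';       Value = $active;  Compliant = ($active -eq '1') }
    [pscustomobject]@{ Setting = 'Password protect';          Value = $secure;  Compliant = ($secure -eq '1') }
    [pscustomobject]@{ Setting = 'Screen Saver timeout (s)';  Value = $timeout; Compliant = $timeoutOk }
    [pscustomobject]@{ Setting = 'Loopback mode (1 = Merge)'; Value = $mode;    Compliant = ($mode -eq 1) }
}

$results = Test-AutoLockPolicy
$results | Format-Table -AutoSize

# Any failed row means the workstation will not lock as the GPO intends.
if ($results.Compliant -contains $false) {
    Write-Warning 'Auto-lock policy is missing or weaker than expected; run gpupdate /force and check again.'
}
```

An empty Value column means the policy has not reached that user or computer, which usually points at the GPO link or the loopback setting rather than at the timeout itself.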
