We ran into a situation where we wanted a computer to remain unlocked while still letting the screen turn off. This was surprisingly complicated.
First of all, a number of settings control when a Windows 10+ computer locks. First there is the “Machine inactivity limit”, which controls the absolute time a machine can be inactive before credentials are required. Then there is the screen saver, which needs to be both disabled and have its password protection turned off. Next, a hidden setting in the power profile controls whether a password is required when waking from sleep. Finally, once you have configured all of these, you also need to ENABLE the policy that allows users to choose whether a password is required when resuming from standby.
Let’s say you want a GPO that allows a 4-hour window before locking:
$DomainController = Get-ADDomainController -Discover | Select-Object -ExpandProperty HostName
$GPO = New-GPO -Name 'Screen Timeout' -Server $DomainController
$GPOSysvolPath = '\\{0}\sysvol\{1}\policies\{2}' -f $DomainController, $GPO.DomainName, ([guid]$GPO.Id).ToString('b')
$Timeout = [timespan]::FromHours(4).TotalSeconds
# this section sets the Inactivity Timeout security policy
# (single-quoted here-string, so $CHICAGO$ is literal; only {0} is substituted by -f)
$GptTmplInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,{0}
'@ -f $Timeout
$SecEditPath = Join-Path $GPOSysvolPath 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -Path $SecEditPath -ItemType Directory -Force > $null
$GptTmplInfPath = Join-Path $SecEditPath 'GptTmpl.inf'
$GptTmplInf | Out-File -FilePath $GptTmplInfPath -Encoding unicode
# this section bumps the GPO version and enables the SecEdit extension
$GptIni = @'
[General]
Version=1
'@
$GptIniPath = Join-Path $GPOSysvolPath 'GPT.INI'
$GptIni | Out-File -FilePath $GptIniPath -Encoding ascii
Set-ADObject -Identity $GPO.Path -Replace @{
    gPCMachineExtensionNames = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
    versionNumber = 1
} -Server $DomainController
# this section disables the screen saver and screen saver password
$GPO | Set-GPRegistryValue -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ValueName 'ScreenSaveActive' -Value '0' -Type String -Server $DomainController
$GPO | Set-GPRegistryValue -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ValueName 'ScreenSaverIsSecure' -Value '0' -Type String -Server $DomainController
# this section disables the wake password
$GPO | Set-GPRegistryValue -Key 'HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' -ValueName 'ACSettingIndex' -Value 0 -Type DWord -Server $DomainController
$GPO | Set-GPRegistryValue -Key 'HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' -ValueName 'DCSettingIndex' -Value 0 -Type DWord -Server $DomainController
# this section makes the screen turn off after 15 minutes
$GPO | Set-GPRegistryValue -Key 'HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E' -ValueName 'ACSettingIndex' -Value 900 -Type DWord -Server $DomainController
$GPO | Set-GPRegistryValue -Key 'HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E' -ValueName 'DCSettingIndex' -Value 900 -Type DWord -Server $DomainController
# finally we need to prevent the default for domain joined computers which is prompting
# for password immediately after waking
$GPO | Set-GPRegistryValue -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'AllowDomainDelayLock' -Value 1 -Type DWord -Server $DomainController
WARNING: This script is destructive: it overwrites GptTmpl.inf and GPT.INI in SYSVOL and replaces the GPO's gPCMachineExtensionNames and versionNumber outright, so it should only be used to create a new policy, never run against an existing one.
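Once the policy has applied (after a gpupdate /force on a client), it is worth confirming what the machine actually ended up with, because the four controls described above all have to line up for the screen to go dark without locking, and the combination also widens the window in which an unattended session stays open. The following audit script is an added example, not part of the original post: it reads the policy registry values that the GPO above writes and reports how long a session can remain unlocked after the display turns off. The $MaxUnlockedSeconds threshold is an assumption standing in for whatever limit your own policy allows; the HKCU keys reflect the currently logged-on user, since the screen-saver settings are user-scoped.

```powershell
# Added example (not from the original post): audit the local policy registry for
# the inactivity limit, screen saver, wake password, display timeout and
# AllowDomainDelayLock settings and report how long the session can stay unlocked
# with the display off. Run on a domain-joined client after 'gpupdate /force'.
param(
    [int]$MaxUnlockedSeconds = 900   # assumed site limit; anything longer is flagged
)

function Get-PolicyValue {
    # Returns the named value, or $null when policy has not set it.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Same keys the GPO above writes; HKCU reflects the logged-on user only.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$system  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$wake    = 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
$display = 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E'
$delay   = 'HKLM:\Software\Policies\Microsoft\Windows\System'

$settings = [ordered]@{
    InactivityTimeoutSecs = Get-PolicyValue $system  'InactivityTimeoutSecs'
    ScreenSaveActive      = Get-PolicyValue $desktop 'ScreenSaveActive'
    ScreenSaverIsSecure   = Get-PolicyValue $desktop 'ScreenSaverIsSecure'
    WakePasswordAC        = Get-PolicyValue $wake    'ACSettingIndex'
    WakePasswordDC        = Get-PolicyValue $wake    'DCSettingIndex'
    DisplayOffAC          = Get-PolicyValue $display 'ACSettingIndex'
    DisplayOffDC          = Get-PolicyValue $display 'DCSettingIndex'
    AllowDomainDelayLock  = Get-PolicyValue $delay   'AllowDomainDelayLock'
}

$issues = @()
if ($null -eq $settings.InactivityTimeoutSecs) {
    $issues += 'No machine inactivity limit is enforced by policy.'
} elseif ($settings.InactivityTimeoutSecs -gt $MaxUnlockedSeconds) {
    $issues += "Inactivity limit is $($settings.InactivityTimeoutSecs)s, above the ${MaxUnlockedSeconds}s threshold."
}
if ($settings.ScreenSaveActive -eq '0' -or $settings.ScreenSaverIsSecure -eq '0') {
    $issues += 'Screen saver lock is disabled; only the inactivity limit will lock the session.'
}
if ($settings.WakePasswordAC -eq 0 -or $settings.WakePasswordDC -eq 0) {
    $issues += 'Password on wake is disabled for at least one power source.'
}
if ($settings.AllowDomainDelayLock -eq 1) {
    $issues += 'Users may choose when a password is required after resume.'
}

# Worst case on AC power: the display is dark but the session stays unlocked
# until the inactivity limit expires.
$unlockedAfterDark = $null
if ($settings.InactivityTimeoutSecs -and $settings.DisplayOffAC) {
    $unlockedAfterDark = $settings.InactivityTimeoutSecs - $settings.DisplayOffAC
}

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    Settings                 = $settings
    UnlockedWithDisplayOffAC = $unlockedAfterDark
    Issues                   = $issues
}
```

With the GPO above applied, the report shows UnlockedWithDisplayOffAC = 13500 (a 4-hour inactivity limit minus the 15-minute display timeout), which is the figure to weigh against whatever your lock policy permits; an empty Issues list on a machine that should have received the policy usually means the GPO has not applied yet, or that the user-scoped screen saver values are missing because no user is logged on.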