Let’s learn to configure automatic lock screen for inactive device Using Intune. You can protect your device from an unauthorized use by lock a computer when idle for some time. The device lock feature allows you to screen lock out option after a period of inactivity.
When you lock the computer, you will be taken to the lock screen by default to unlock and sign in when ready to continue where you left off. However the other users can still sign in to their accounts from the sign-in screen.
If the Machine inactivity limitsecurity policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
The device lock feature provides protection for lost or stolen devices and provides a means for legitimate users who accidentally enter the device lock state to recover their device and continue using it.
Interactive logon messages may also helpful to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. You can configure this setting in a manner consistent with the security and operational requirements of your organization.
- Enable Interactive Logon CTRL ALT DEL Using Intune
- Collect Intune Logs from MEM Portal Diagnostic Data
- Intune Logs Event IDs IME Logs Details For Windows Client Side Troubleshooting
Set Automatic Lock Screen for Inactive Device Using Intune
Let’s follow the step below to manage device lock inactivity usingIntune–
- Sign in to theEndpoint Manager Intune portalhttps://endpoint.microsoft.com/
- SelectDevices>Windows >Configuration profiles>Create profile.
In Create Profile, SelectPlatform,Windows 10, and laterandProfile, SelectProfile TypeasSettings catalog. Click onCreatebutton.
On theBasicstab, enter a descriptivename, such asAutomatic Lock Screen for Inactive Device or Automic Lock for Inactive Windows Device. Optionally, enter aDescriptionfor the policy, then selectNext.
InConfiguration settings, clickAdd settingsto browse or search the catalog for the settings you want to configure.
On the Settings Picker windows, SelectDevice Lockto see all the settings in this category. Selectthe below settings, Max Inactivity Time Device Lock.
After adding your settings,clickthecross markat the right-hand corner toclose the settings picker.
Note –In policy, usethe searchbox to find specific settings. You can search by category or a keyword, such asMax Inactivity Time Device Lock/Inactivity Time It will display all the related settings available.
The setting is shown and configured with a default value Disabled. SetDevice Password EnabledtoEnabledand configure Max Inactivity Time Device Lock with value . And ClickNext.
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
UnderAssignments, InIncluded groups,clickAdd groupsand then chooseSelect groups to includeone or more groups. ClickNextto continue.
InScope tags, you can assign a tag to filter the profile to specific IT groups. Addscope tags (if required)and clickNext.
InReview + create, review your settings. When you selectCreate, your changes are saved, and the profile is assigned.
A notification will appear automatically in the top right-hand corner with a message. Here you can see thatPolicy “Automatic Lock for Inactive Windows Device” created successfully.The policy is also shown in the Configuration profiles list.
Your groups will receive your profile settings when the devices check-in with the Intune service. Once the policy applies to the devices, you may required to log out and back in before the policy takes effect.
Reporting – Configure Automatic Lock for Inactive Windows Device
You can checkIntune settings catalog profile reportfromIntunePortal, which provides an overall view of device configuration policies deployment status.
To monitor the policy assignment, from the list of Configuration Profiles, select the policy, and here you can check the device and user check-in status. If you clickView Report,additional details are displayed.
Intune MDM Event Log
The Intune event ID indicates a string policy is applied on the Windows 10 or 11 devices. You can also see the exact value of the policy being applied on those devices.
In the target device, You can check theEvent log pathto confirm –Applications and Services Logs–Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.
you can look at theEvent ID 813generated for the configured policies for managing apps, Here are the highlights from the Event logs.
MDM PolicyManager: Set policy int, Policy: (MaxInactivityTimeDeviceLock), Area: (DeviceLock), EnrollmentID requesting merge: (78BF73E9-4EBB-4575-9EF5-21B30DB3FD4E), Current User: (Device), Int: (0xF), Enrollment Type: (0x6), Scope: (0x0).
Validate Registry
Here you can validate whether the registry values are changed or not. You can see the registry entries related to the Device Lock Inactivity Time in the followingregistry path–
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock MaxInactivityTImeDeviceLock (Data should be visible as the value you defined in the policy)
