question

OliverRichter-2592 avatar image
0 Votes"
OliverRichter-2592 asked FanFan-MSFT commented

Workfolder (W2019) and lock screen settings

Hi We switched to Workfolder. The screen lock has been set (as a security function). Now the workstations (W10 Pro - B2004) lock automatically. That's OK so far. But I can't set the time it take to lock the screen anywhere!? That is very bad. We need different periods of time to lock down at different workplaces. How can I distribute this via GPO? Note: Setting the lockscreen timeout via GPO (User Configuration > Policies > Administrative Templates > Control Panel > Personalization) has no effect. Does anyone have an idea how to setup this? Thank for help.

windows-group-policywindows-server-storage
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

If you want to control the screen saver lockout time per computer, you can consider the following setting:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit”  set the value waht you want.
If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy User Configuration\Administrative Templates\Control Panel\Personalization*Enable screen saver*. This policy setting allows you to control the locking time by using Group Policy

If you want to control the the screen saver lockout time per user
The following policies should be considered:

User configuration > Administrative templates\control panel\display\password protect the screen saver ,enable screen saver and screen saver timeout .
42824-11261.jpg

Best Regards,



11261.jpg (123.9 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

OliverRichter-2592 avatar image
0 Votes"
OliverRichter-2592 answered FanFan-MSFT commented

Hi @FanFan-MSFT

thank for your feedback. Unfortunately, it doesn't work the way you write.

This setting: "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit”  is not possible via GPO. Works only locally - but there are too many workstations to do it anywhere by hand.
Is there a way to do that via GPO?

We have already made the second setting: Configuration\Administrative Templates\Control Panel\Personalization*Enable screen saver*.

These settings are passed to the workstations, but this only seems to affect the screen saver. But that is of no use as a solution. There we have set up for the test for example 20 min. This is followed by the following: after approx. 10-15 min the workstation locks via workfolder setup and then after 20 min. the screen saver starts. However, it is not about the screen saver, but about automatic locking via the workfolder settings.

The Workfolder setting to the workstation lock seems to work by other ways! The screen saver settings (Configuration\Administrative Templates\Control Panel\Personalization*Enable screen saver*) have no effect on it.

That is our problem.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
This setting: "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit”  is not possible via GPO. Works only locally - but there are too many workstations to do it anywhere by hand.

Do you mean the GPO didn't work ?

0 Votes 0 ·
OliverRichter-2592 avatar image
0 Votes"
OliverRichter-2592 answered FanFan-MSFT commented

Hi,

the GPO with the settings: configuration\Administrative Templates\Control Panel\Personalization*Enable screen saver* works perfectly! But the Workfolders setting (via server manager) change or set (I don't know how is works) in my option the "Interactive Logon: Machine inactivity limit”. So we have a fine Screensaver setting via GPO but the inactivity time limit break the rule anywhere.

Can you tell exactly what the Workfolder settings (enable Lock Screen Timeout) for a registry parameter change?
Could it possible to set this parameter via GPO -> computer->settings->windows-settings->registry?

Thanks.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

If possible, would you please run gpresult /h report.html and check if there are any error messages for the user group policy User configuration > Administrative templates\control panel\display\password protect the screen saver ,enable screen saver and screen saver timeout .

It's not the good way to change the registry directly.(third-party link:https://www.ghacks.net/2018/06/02/configure-the-lockscreen-display-timeout-on-windows/)
Best Regards,

0 Votes 0 ·
OliverRichter-2592 avatar image
0 Votes"
OliverRichter-2592 answered FanFan-MSFT commented

Hi,

gpresult /h report.html is the first what I checked up.

I said yes, the screensaver settings work, but that doesn't work if the workfolders blend it.

Interactive Logon: Machine inactivity limit <-> Screensaver time limit.

My comment said this:
"These settings are passed to the workstations, but this only seems to affect the screen saver. But that is of no use as a solution. There we have set up for the test for example 20 min. This is followed by the following: after approx. 10-15 min the workstation locks via workfolder setup and then after 20 min. the screen saver starts. However, it is not about the screen saver, but about automatic locking via the workfolder settings."

I think, what I need is a way the setup "Interactive Logon: Machine inactivity limit" via GPO registry key. Is this possible?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

You may test it in a lab and confirm if it works.
The registry for the "Interactive Logon: Machine inactivity limit" is :
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Value Name: InactivityTimeoutSecs

Value Type: REG_DWORD
Value: 0x00000384 (900) (or less)

45141-12045.png
Best Regards,


0 Votes 0 ·
12045.png (53.0 KiB)
OliverRichter-2592 avatar image
0 Votes"
OliverRichter-2592 answered FanFan-MSFT commented

Hi,

the problem is much more difficult than I thought!

I have now done two things for testing:

(1) Set this parameter via GPO - like above. -> No effect, even though the parameter has been correctly applied to the PC.

(2) Set this parameter explicit locally on a PC: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit” 

I set both settings to 30 min. (1800 sec.). Nevertheless, the PC locks after 15 min!
What else can that be? Apparently, the workfolders used a whole different type of lock bypassing the usual paths.

I despair at it. Any ideas again?


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business
I would do more research about it also, if there are any updates , i would share here!
Best Regards,

0 Votes 0 ·