question

3 Votes
MattDay asked · forwardobservationsgroup-6717 commented

Is this a bug with Intune configuration profiles and the "Interactive Logon Machine Inactivity Limit" setting?

I think I've found a device configuration profiles bug.

Here's how to reproduce it:

  1. Create a new device configuration profile for Windows 10, profile type = Settings catalog.

  2. In the Settings picker, search for "inactivity", and then select "Local Policies Security Options"

  3. Add, and then enable, the setting for "Interactive Logon Machine Inactivity Limit"

  4. Add this new configuration profile to some devices.

After one of my Windows 10 devices (a VM guest I use to test with) picked up this setting, it started locking the screen after just 1 second of inactivity. I had to continually wiggle the mouse to keep it from locking the screen while I debugged the problem.

I found the problematic setting:

  1. Run gpedit.msc

  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  3. Observe that "Interactive logon: Machine inactivity limit" is set to 1 second

I went back to Endpoint Manager and disabled "Interactive Logon Machine Inactivity Limit". After the device picked up the new setting, the problem went away, and in gpedit.msc I could see that "Interactive logon: Machine inactivity limit" was now set to 0 seconds.

Seems like Endpoint Manager thinks the setting is a boolean, but gpedit.msc thinks the setting is an integer with units of seconds. I wonder if Endpoint Manager set the boolean value to 1, meaning Enabled, but the policy on the client computer interpreted it as 1 second.

This documentation thinks the setting is a boolean:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit

But this documentation thinks the setting is integer seconds:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit

Curiously, a Dell laptop of mine also picked up this setting, but it did not start locking the screen after 1 second, even though in gpedit.msc I could see the setting was "1 second". Dunno why the problem wasn't happening on the Dell laptop. Maybe some other setting needs to be set a certain way to reproduce the bug. My Dell laptop is not configured exactly the same as the VM guest.
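A way to run the check described in the question without opening gpedit.msc on each device, as an added example that is not part of the original post. It reads the registry value behind "Interactive logon: Machine inactivity limit" and flags very short non-zero limits such as the 1 second reported above. The `$MinSaneSeconds` threshold and the function names are hypothetical, and the PolicyManager path for the MDM-delivered value is an assumption.

```powershell
# Added example (not from the thread): report the machine inactivity limit and flag
# values that look like a boolean "enabled" (1) written into a field measured in seconds.
# $MinSaneSeconds is a hypothetical threshold; choose one that matches your lock policy.
param([int]$MinSaneSeconds = 30)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-InactivityLimitFinding {
    param($Seconds, [int]$MinSane)
    if ($null -eq $Seconds)    { return 'NotConfigured' }
    if ($Seconds -eq 0)        { return 'Disabled' }           # 0 seconds = no inactivity lock
    if ($Seconds -lt $MinSane) { return 'SuspiciouslyShort' }  # e.g. the 1 second in the question
    return 'OK'
}

# Registry value that gpedit.msc shows as "Interactive logon: Machine inactivity limit".
$systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$effective = Get-PolicyValue -Path $systemKey -Name 'InactivityTimeoutSecs'

# Assumption: the value as delivered by MDM is stored under the PolicyManager hive
# with this area and policy name. If it is absent, MdmValue is simply empty.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalPoliciesSecurityOptions'
$mdm    = Get-PolicyValue -Path $mdmKey -Name 'InteractiveLogon_MachineInactivityLimit'

# One object per device, so results from several machines can be collected and compared.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    EffectiveSeconds = $effective
    MdmValue         = $mdm
    Finding          = Get-InactivityLimitFinding -Seconds $effective -MinSane $MinSaneSeconds
    MdmMatches       = ($null -ne $mdm) -and ($mdm -eq $effective)
}
```

Comparing the output from a device that locks immediately with one that does not (like the Dell laptop above) shows whether both actually hold the same effective value.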






Confirmed. I'm seeing this same issue in my own environment. I'd like to implement this, but if I can't reliably apply it against my workstations, it's going to hinder my ability to recommend placing all of these GPOs in a configuration profile. Can we get more attention on this to get these GPO items fixed? I have a number of policies I want to migrate over.

1 Vote
Crystal-MSFT answered · Crystal-MSFT edited

@MattDay, thanks for posting in our Q&A. Based on my test on the VM in the lab, I get the same phenomenon as yours. I noticed you have reported this issue in UserVoice as well:
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/42775955-bug-with-configuration-profile-that-sets-interacti

We can wait to see if we can get any update here. Meanwhile, I will try my best to give feedback. If I can get any update on this, I will post back.

As this is a feature in preview, which means it is still in the testing phase, as another option we can consider another setting, "Minutes of lock screen inactivity until screen saver activates", under Endpoint protection device configuration, to set the maximum minutes of inactivity on the interactive desktop. In my test, I set it to 1 minute, which means it will lock after 1 minute without any user activity.


Hope it can help.



0 Votes
CorySeaman-8550 answered

We're experiencing the same issue - one HP Spectre x360 is experiencing immediate logoffs, but other laptops are not.
Please escalate the fix to make the Interactive Logon Machine Inactivity Limit setting an integer value rather than boolean!
