It’s a best practice to lock your computer when you step away from your desk, even if it’s just for a short time. Unfortunately, not everyone follows this practice, which can leave your computer unprotected and vulnerable to data leaks.
To address this, you can create a policy in Intune that will automatically lock your workstation after a specified period of inactivity.
In my other blog post, I discussed how to lock the Windows screen after a period of inactivity using Active Directory Group Policy (GPO). In this post, we will use Intune Admin center to create a policy and review the end-user experience.
Configuring MaxInactivityTimeDeviceLock Policy
- Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
- Platform: Windows 10 and later
- Profile type: Templates.
- Template name: Custom
- Basics tab – Provide a Name and Description of the policy and click Next.
- Configuration settings – Click on Add button to add OMA-URI Setting. Provide below values in the given fields:
- Name: LockScreen
- Description: Lock Windows Screen after 1 minute of Inactivity
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
- Data type: Integer
- Value: 1 (this value is in minutes)
- Click on Save to proceed to the next step.
MaxInactivityTimeDeviceLock OMA URI is applicable for Windows 10, version 1507 and later and OS Editions Pro, Enterprise, Education, Windows SE, IoT Enterprise/IoT Enterprise LTSC. For more details, please refer to the link: DeviceLock Policy CSP | Microsoft Learn
Note
- Assignments – Click on Add groups and add an Entra security group containing windows devices.
- Applicability Rules – Specify how to apply this profile within an assigned group. Intune will only apply the profile to devices that meet the combined criteria of these rules.
- Review + create – Click on Create.
Please note that a device restart is required for this policy to take effect.
Note
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Monitoring Lock Screen Intune Policy
To monitor the deployment progress of a Device configuration profile, follow below steps:
- Sign in to the Microsoft Intune admin center.
- Click on Devices > Windows > Configuration
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
End User Experience
After the device configuration profile has been deployed and system has been rebooted as well. The screen will lock automatically after the configured Idle time in the policy.
Once the user is on the lock screen, they can login again using their Entra ID credentials.
[Update] – I have been monitoring this policy for a day and can confirm it is functioning as expected. However, it locks the screen after just 1 minute of inactivity, as configured, which is rather inconvenient. As a result, I have adjusted the setting to a more reasonable duration of 15 or 30 minutes.
Screen Lock IME Event Logs
To find logs related to your deployment, open Event viewer> application and services logs> Microsoft > Windows > device management-enterprise-diagnostics-provider> Admin. Right-click on Admin folder > Filter Current log. Filter it using Event ID 813 or 814 and go through the logs to find logs related to a particular Intune deployment.
MDM PolicyManager: Set policy int, Policy: (MaxInactivityTimeDeviceLock), Area: (DeviceLock), EnrollmentID requesting merge: (ECF013C0-C688-44AF-A24D-00371433C793), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).
Event ID 813
Screen Lock Registry Entry
Once the Intune policy is applied, it will also update a registry entry at the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock.
Look for the MaxInactivityTimeDeviceLock registry entry on the right-hand side and confirm that its value matches the one you configured in the policy.
Troubleshooting
- If there are any issues, please check and confirm if the same policy is not getting applied via Active Directory GPO (For Entra Hybrid joined devices).
- Ensure the device is rebooted after the policy is applied.
Other related settings:
- Device configuration profile > Local device security options > Interactive Logon. You will find a setting called Minutes of lock screen inactivity until screen saver activates.
