Force Lock Screen After User Inactivity using Intune

It’s a best practice to lock your computer when you step away from your desk, even if it’s just for a short time. Unfortunately, not everyone follows this practice, which can leave your computer unprotected and vulnerable to data leaks.

To address this, you can create a policy in Intune that automatically locks the workstation after a specified period of inactivity, anywhere from 1 second to a maximum of 86,400 seconds (24 hours). Let’s walk through the steps to configure this.

In my other blog post, I discussed how to lock the Windows screen after a period of inactivity using Active Directory Group Policy. In this post, we will use the Intune Admin Center to create a policy and review the end-user experience.

Steps to Configure a Lock Screen Policy using Intune

We will create a device configuration profile that locks the Windows screen and assign it to Windows devices. Here are the steps:

  • Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
  • Platform: Windows 10 and later
  • Profile type: Templates.
  • Template name: Custom

Basics tab

  • On the Basics tab, provide a Name and Description of the policy and click Next.

Configuration settings

Click the Add button to add an OMA-URI setting, and enter the following values in the given fields:

  • Name: LockScreen
  • Description: Lock Windows Screen after 1 minute of Inactivity
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
  • Data type: Integer
  • Value: 1 (this value is in minutes)
  • Click on Save to proceed to the next step.

Note: The MaxInactivityTimeDeviceLock OMA-URI applies to Windows 10, version 1507 and later, on the Pro, Enterprise, Education, Windows SE, IoT Enterprise and IoT Enterprise LTSC editions. For more details, refer to DeviceLock Policy CSP | Microsoft Learn.

Lock Screen OMA-URI
  • Assignments – Click on Add groups and add an Entra security group containing the Windows devices.
  • Applicability Rules – Specify how to apply this profile within an assigned group. Intune will only apply the profile to devices that meet the combined criteria of these rules.
  • Review + create – Click on Create.

Note: A device restart is required for this policy to take effect.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
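The PowerShell route mentioned above, as an added example that is not part of the original post: the MDM enrollment client registers scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\, and starting the PushLaunch task kicks off the same OMA-DM check-in that the Sync button does. The task names and path are an assumption about a standard Intune-enrolled device; run this in an elevated session on the device itself.

```powershell
# Added example (not from the original post): trigger an Intune device check-in
# from an elevated PowerShell session on the enrolled Windows device.
# Assumption: the device is MDM-enrolled and has the scheduled tasks the
# enrollment client creates under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.

# 1. Find the enrollment task folder(s); there is one per enrollment GUID.
$enrollmentTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
if (-not $enrollmentTasks) {
    Write-Warning 'No EnterpriseMgmt scheduled tasks found. Is the device MDM-enrolled?'
    return
}

# 2. "PushLaunch" starts the OMA-DM session that pulls policy from Intune.
$pushLaunch = $enrollmentTasks | Where-Object TaskName -eq 'PushLaunch'
if ($pushLaunch) {
    $pushLaunch | Start-ScheduledTask
    Write-Host "Started PushLaunch under $($pushLaunch.TaskPath)"
} else {
    # Fallback: the periodic "Schedule #3 created by enrollment client" task also syncs.
    $enrollmentTasks | Where-Object TaskName -like 'Schedule #3*' | Start-ScheduledTask
}

# 3. Give the task a moment, then report when it last ran and its result code
#    (LastTaskResult 0 means the task itself completed; policy delivery is
#    confirmed separately via the event log or registry).
Start-Sleep -Seconds 10
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' |
    Where-Object { $_.TaskName -eq 'PushLaunch' -or $_.TaskName -like 'Schedule #3*' } |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult
```

A successful task start does not by itself prove the policy landed; follow it with the event log and registry checks later in this post.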

Monitoring Lock Screen Intune Policy

To monitor the deployment progress of a device configuration profile, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Click on Devices > Windows > Configuration
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.

End-user Experience

After the device configuration profile has been deployed and the system has been rebooted, the screen locks automatically once the idle time configured in the policy is reached.

Once the user is on the lock screen, they can log in again using their Entra ID credentials.

[Update] – I have been monitoring this policy for a day and can confirm it is functioning as expected. However, it locks the screen after just 1 minute of inactivity, as configured, which is rather inconvenient. As a result, I may adjust the setting to a more reasonable duration of 15 or 30 minutes.

Screen Lock IME Event Logs

To find logs related to your deployment, open Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Right-click the Admin folder > Filter Current Log, filter on Event ID 813 or 814, and go through the results to find the entries for a particular Intune deployment.

MDM PolicyManager: Set policy int, Policy: (MaxInactivityTimeDeviceLock), Area: (DeviceLock), EnrollmentID requesting merge: (ECF013C0-C688-44AF-A24D-00371433C793), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).

Event ID 813 for the MaxInactivityTimeDeviceLock setting
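The same Event Viewer filter can be scripted. The following is an added example, not code from the original post: it reads events 813 and 814 from the DeviceManagement-Enterprise-Diagnostics-Provider Admin channel, keeps only those mentioning MaxInactivityTimeDeviceLock, and parses the Int: (0x1) field seen in the sample message above into a decimal minute value. The one-day look-back window and the regexes are assumptions based on the message format shown in this post.

```powershell
# Added example (not from the original post): list the MDM PolicyManager events
# that record the DeviceLock setting being applied, and decode the value.
# Run on the enrolled device with local administrator rights.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 813, 814                    # 813 = Set policy int, 814 = Set policy string
    StartTime = (Get-Date).AddDays(-1)      # assumption: look back one day
} -ErrorAction SilentlyContinue

# Keep only the events for the policy deployed in this post.
$lockEvents = $events | Where-Object { $_.Message -match 'MaxInactivityTimeDeviceLock' }

if (-not $lockEvents) {
    Write-Warning 'No 813/814 events for MaxInactivityTimeDeviceLock in the last day. Force a sync, reboot, and re-check.'
    return
}

# Parse the "Int: (0x1)" and "EnrollmentID requesting merge: (...)" fields out of the message text.
$lockEvents | ForEach-Object {
    $minutes = if ($_.Message -match 'Int:\s*\((0x[0-9A-Fa-f]+)\)') { [int]$Matches[1] } else { $null }
    $enrollId = if ($_.Message -match 'EnrollmentID requesting merge:\s*\(([^)]+)\)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TimeCreated  = $_.TimeCreated
        EventId      = $_.Id
        EnrollmentId = $enrollId
        Minutes      = $minutes        # the CSP value is in minutes, so 0x1 = 1 minute
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Seeing the expected Minutes value here confirms that the policy reached the device; if the most recent event shows a different value, a later policy (or a conflicting one) has overwritten it.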

Screen Lock Registry Entry

Once the Intune policy is applied, it will also update a registry entry at the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock.

Look for the MaxInactivityTimeDeviceLock registry entry on the right-hand side and confirm that its value matches the one you configured in the policy.

MaxInactivityTimeDeviceLock registry entry

Troubleshooting

  • If there are any issues, confirm that the same setting is not also being applied by an Active Directory GPO (on Entra hybrid joined devices).
  • Ensure the device is rebooted after the policy is applied.
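The registry check from the previous section and the GPO-conflict check in the first troubleshooting item can be done together. The following is an added example, not code from the original post: it reads the MaxInactivityTimeDeviceLock value under the PolicyManager key this post names, and also reads InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is where the Group Policy setting "Interactive logon: Machine inactivity limit" stores its value (in seconds). The $ExpectedMinutes value is an assumption; set it to what you configured in the profile.

```powershell
# Added example (not from the original post): verify the Intune-applied lock
# timeout in the registry and check for a competing GPO value on hybrid-joined devices.
$ExpectedMinutes = 1   # assumption: the value configured in the profile (minutes)

# 1. Value written by the Intune policy DeviceLock/MaxInactivityTimeDeviceLock (minutes).
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
$mdmVal = (Get-ItemProperty -Path $mdmKey -Name MaxInactivityTimeDeviceLock -ErrorAction SilentlyContinue).MaxInactivityTimeDeviceLock

# 2. Value written by the GPO "Interactive logon: Machine inactivity limit" (seconds).
$gpoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$gpoVal = (Get-ItemProperty -Path $gpoKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# Summary of what the device currently holds.
[pscustomobject]@{
    IntuneMinutes  = $mdmVal
    IntuneMatches  = ($null -ne $mdmVal -and $mdmVal -eq $ExpectedMinutes)
    GpoSeconds     = $gpoVal
    GpoAlsoPresent = ($null -ne $gpoVal)
}

# Explain the two common failure cases from the troubleshooting list.
if ($null -eq $mdmVal) {
    Write-Warning 'MaxInactivityTimeDeviceLock is not present: the policy has not applied yet. Force a sync, reboot, and check events 813/814.'
} elseif ($mdmVal -ne $ExpectedMinutes) {
    Write-Warning "Registry value ($mdmVal min) differs from the profile ($ExpectedMinutes min)."
}
if ($null -ne $gpoVal -and $gpoVal -ne ($ExpectedMinutes * 60)) {
    Write-Warning "A GPO also sets InactivityTimeoutSecs=$gpoVal seconds. Remove the GPO setting or decide which source should win before relying on the Intune value."
}
```

When both values are present on a hybrid-joined device, the effective timeout is whichever source is allowed to win on that device; the cleanest fix is to configure the setting from only one of the two.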

Other related settings:

  • Device configuration profile > Local device security options > Interactive Logon. You will find a setting called Minutes of lock screen inactivity until screen saver activates.
