Can’t enable Windows Lock Screen After Inactivity via GPO? As part of our Windows Hosting Support, we assist our customers with several Windows queries.

How To Enable Windows Lock Screen?

Initially, we will create and configure a domain Group Policy to manage screen lock options:

1. Initially, open the Group Policy Management console (gpmc.msc), create a new GPO object, and link it to the domain root.
2. Then edit the policy edit and go to the User Configuration -> Policies -> Administrative Templates -> Control Panel -> Personalization
3. There are some options to manage screen saver and screen lock settings in the GPO section:
   a) Enable screen saver
   b) Password protect the screen saver
   c) Screen saver timeout
   d) Force specific screen saver
   e) Prevent changing screen saver
4. Now, enable all policies and set a computer idle time in the Screen saver timeout policy.
5. Then wait for it to update on the clients or refresh them manually with the command:
   

Once done, screen saver and screen lock settings will be protected from editing in the Windows interface. In Windows Server 2012/Windows 8 or newer, there is a separate computer security policy that sets a computer inactivity time. The policy is called Interactive logon: Machine inactivity limit. We can find it in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

In some cases, we may need to configure different lock policies for different user groups. For example, the screens of office workers should lock after 10 minutes and the screens of production or SCADA operators should never lock. To implement such a strategy, we can use the GPO Security Filtering or Item Level Targeting in GPP.

We can configure computer lock settings using the registry instead of GPO and deploy the corresponding registry settings to users’ computers via GPO. The following registry parameters match the policies above. They are in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop:

• Password protect the screen saver is a REG_SZ parameter with the name ScreenSaverIsSecure = 1
• Screen saver timeout is a REG_SZ parameter with the name ScreenSaveTimeout = 300
• Force specific screen saver is a REG_SZ parameter with the name ScreenSaveActive = 1 and SCRNSAVE.EXE = scrnsave.scr

Create a domain security group (grp_not-lock-prod) for which we want to disable the screen lock policy and add users to it. Then create the registry parameters described above in the corresponding GPO section. Using Item Level Targeting, set for each parameter that the policy must not be applied for the specific security group.

In addition, we also have to create 4 additional registry parameters with a value REG_SZ 0, that forcefully disable screen lock for the group grp_not-lock-prod.

Conclusion

To conclude, we saw how to Enable Windows Lock Screen on domain computers or servers using Group Policy from our Experts.