Inconsistent InteractiveLogon_MachineInactivityLimit in Intune Security Baseline and configuration profile

Guillaume Bossiroy 25 Reputation points
2023-05-05T06:24:16.8033333+00:00

Hi,

I have been implementing security baselines for Windows devices (MDM Security Baseline for Windows 10 and later for November 2021 template) in Microsoft Intune. However, there seems to be an issue with the InteractiveLogon_MachineInactivityLimit policy.

Indeed, I have a custom profile that enforces a Machine Inactivity Limit of 900 seconds on devices. When I configure the Security Baseline, the "Minutes of lock screen inactivity until screen saver activates" policy (equivalent to InteractiveLogon_MachineInactivityLimit which cannot be set to Not configured) with 15 minutes (description mentions that it should be set in minutes and not in seconds), I have a conflict for this policy between my profile and Security Baseline. I have tried adapting the Security Baseline by entering 900 seconds, but the conflict remains.

Is there anything that I would be missing here?

I am also aware that having two profiles for one policy is not recommended but in my case, the same value is enforced so there should be no conflict. I would therefore like to understand what is the difference between the two and how they are working.

Thank you in advance for the help.

Guillaume


Accepted answer
  1. Crystal-MSFT 44,931 Reputation points Microsoft Vendor
    2023-05-08T02:02:04.9566667+00:00

    @Guillaume Bossiroy, Thanks for posting in Q&A. For your request, we have duplicated the link you mentioned. We will follow in this link.

    For your issue, based on my checking, I find that the setting "Minutes of lock screen inactivity until screen saver activates:" uses the CSP "./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit" to deploy the value, which is the amount of inactivity time (in seconds).

    https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-november-2021#local-policies-security-options

    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_machineinactivitylimit

    And I notice you have configured a custom policy with the same CSP with the same seconds value.

    Then I tested in my environment and found the same issue as yours. It seems we can't configure the same setting in two different policies. It will cause a conflict.


    I think we need to unassign one policy from the user group or device group to avoid the conflict issue.

    Hope the above information can help.


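The accepted answer reports that two assigned policies setting the same CSP conflict even when both carry the same value. As an added example (not from the thread and not Microsoft tooling), this Python script checks a set of profiles for that overlap before assignment. The profile names, group names and dict layout are constructed, the case-insensitive path comparison is an assumption of this example, and nothing here calls Intune.

```python
from collections import defaultdict
from itertools import combinations

# CSP path quoted in the accepted answer.
CSP = ("./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/"
       "InteractiveLogon_MachineInactivityLimit")

# Constructed sample data: profile names, group names and layout are hypothetical.
PROFILES = [
    {"name": "Custom - Machine inactivity", "groups": {"All-Windows"},
     "settings": {CSP: 900}},
    {"name": "MDM Security Baseline (Nov 2021)", "groups": {"All-Windows", "Pilot"},
     "settings": {CSP.lower() + "/": 900}},  # same path, different spelling
    {"name": "Kiosk lock", "groups": {"Kiosks"}, "settings": {CSP: 300}},
]


def normalize(uri):
    """Assumption of this example: compare CSP paths case-insensitively
    and ignore surrounding whitespace and a trailing slash."""
    return uri.strip().rstrip("/").lower()


def find_overlaps(profiles):
    """Return one record per pair of profiles that set the same CSP path and
    share an assignment group, whether or not the configured values match."""
    by_uri = defaultdict(list)
    for profile in profiles:
        for uri, value in profile["settings"].items():
            by_uri[normalize(uri)].append((profile["name"], profile["groups"], value))

    overlaps = []
    for uri, entries in by_uri.items():
        for (n1, g1, v1), (n2, g2, v2) in combinations(entries, 2):
            shared = g1 & g2
            # Only shared groups are flagged; devices that belong to several
            # groups at once are not modelled here.
            if shared:
                overlaps.append({"csp": uri, "profiles": (n1, n2),
                                 "groups": sorted(shared), "same_value": v1 == v2})
    return overlaps


if __name__ == "__main__":
    for overlap in find_overlaps(PROFILES):
        print(overlap)
```

A record with `same_value` set to true corresponds to the case in this thread: identical values, but still two policies targeting one setting for the same group.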

