Workfolder (W2019) and lock screen settings

Oliver Richter 11 Reputation points
2020-11-25T11:39:17.207+00:00

Hi We switched to Workfolder. The screen lock has been set (as a security function). Now the workstations (W10 Pro - B2004) lock automatically. That's OK so far. But I can't set the time it take to lock the screen anywhere!? That is very bad. We need different periods of time to lock down at different workplaces. How can I distribute this via GPO? Note: Setting the lockscreen timeout via GPO (User Configuration > Policies > Administrative Templates > Control Panel > Personalization) has no effect. Does anyone have an idea how to setup this? Thank for help.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,724 questions
Windows Server Storage
Windows Server Storage
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Storage: The hardware and software system used to retain data for subsequent retrieval.
629 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-11-26T03:18:03.917+00:00

    If you want to control the screen saver lockout time per computer, you can consider the following setting:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit”  set the value waht you want.
    If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy User Configuration\Administrative Templates\Control Panel\Personalization**Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy

    If you want to control the the screen saver lockout time per user
    The following policies should be considered:

    User configuration > Administrative templates\control panel\display\password protect the screen saver ,enable screen saver and screen saver timeout .
    42824-11261.jpg

    Best Regards,

    0 comments No comments

  2. Oliver Richter 11 Reputation points
    2020-11-26T07:30:02.953+00:00

    Hi @Fan Fan

    thank for your feedback. Unfortunately, it doesn't work the way you write.

    This setting: "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit”  is not possible via GPO. Works only locally - but there are too many workstations to do it anywhere by hand.
    Is there a way to do that via GPO?

    We have already made the second setting: Configuration\Administrative Templates\Control Panel\PersonalizationEnable screen saver.

    These settings are passed to the workstations, but this only seems to affect the screen saver. But that is of no use as a solution. There we have set up for the test for example 20 min. This is followed by the following: after approx. 10-15 min the workstation locks via workfolder setup and then after 20 min. the screen saver starts. However, it is not about the screen saver, but about automatic locking via the workfolder settings.

    The Workfolder setting to the workstation lock seems to work by other ways! The screen saver settings (Configuration\Administrative Templates\Control Panel\PersonalizationEnable screen saver) have no effect on it.

    That is our problem.


  3. Oliver Richter 11 Reputation points
    2020-11-27T08:20:37.23+00:00

    Hi,

    the GPO with the settings: configuration\Administrative Templates\Control Panel\PersonalizationEnable screen saver works perfectly! But the Workfolders setting (via server manager) change or set (I don't know how is works) in my option the "Interactive Logon: Machine inactivity limit”. So we have a fine Screensaver setting via GPO but the inactivity time limit break the rule anywhere.

    Can you tell exactly what the Workfolder settings (enable Lock Screen Timeout) for a registry parameter change?
    Could it possible to set this parameter via GPO -> computer->settings->windows-settings->registry?

    Thanks.


  4. Oliver Richter 11 Reputation points
    2020-11-30T09:21:35.467+00:00

    Hi,

    gpresult /h report.html is the first what I checked up.

    I said yes, the screensaver settings work, but that doesn't work if the workfolders blend it.

    Interactive Logon: Machine inactivity limit <-> Screensaver time limit.

    My comment said this:
    "These settings are passed to the workstations, but this only seems to affect the screen saver. But that is of no use as a solution. There we have set up for the test for example 20 min. This is followed by the following: after approx. 10-15 min the workstation locks via workfolder setup and then after 20 min. the screen saver starts. However, it is not about the screen saver, but about automatic locking via the workfolder settings."

    I think, what I need is a way the setup "Interactive Logon: Machine inactivity limit" via GPO registry key. Is this possible?


  5. Oliver Richter 11 Reputation points
    2020-12-09T13:17:04.79+00:00

    Hi,

    the problem is much more difficult than I thought!

    I have now done two things for testing:

    (1) Set this parameter via GPO - like above. -> No effect, even though the parameter has been correctly applied to the PC.

    (2) Set this parameter explicit locally on a PC: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options “Interactive Logon: Machine inactivity limit” 

    I set both settings to 30 min. (1800 sec.). Nevertheless, the PC locks after 15 min!
    What else can that be? Apparently, the workfolders used a whole different type of lock bypassing the usual paths.

    I despair at it. Any ideas again?