I think I've found a device configuration profiles bug.
Here's how to reproduce it:
- Create a new device configuration profile for Windows 10, profile type = Settings catalog
- In the Settings picker, search for "inactivity", and then select "Local Policies Security Options"
- Add, and then enable, the setting for "Interactive Logon Machine Inactivity Limit"
- Add this new configuration profile to some devices.
After one of my Windows 10 devices (a VM guest I use to test with) picked up this setting, it started locking the screen after just 1 second of inactivity. I had to continually wiggle the mouse to keep it from locking the screen while I debugged the problem.
I found the problematic setting:
- Run gpedit.msc
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Observe that "Interactive logon: Machine inactivity limit" is set to 1 second
I went back to Endpoint Manager and disabled "Interactive Logon Machine Inactivity Limit". After the device picked up the new setting, the problem went away, and in gpedit.msc I could see that "Interactive logon: Machine inactivity limit" was now set to 0 seconds.
Seems like Endpoint Manager thinks the setting is a boolean, but gpedit.msc thinks the setting is an integer with units of seconds. I wonder if Endpoint Manager set the boolean value to 1, meaning Enabled, but the policy on the client computer interpreted it as 1 second.
This documentation thinks the setting is a boolean:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit
But this documentation thinks the setting is integer seconds:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit
Curiously, a Dell laptop of mine also picked up this setting, but it did not start locking the screen after 1 second, even though in gpedit.msc I could see the setting was "1 second". Dunno why the problem wasn't happening on the Dell laptop. Maybe some other setting needs to be set a certain way to reproduce the bug. My Dell laptop is not configured exactly the same as the VM guest.
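
A check that could be run on a client to spot the condition described in the post, added here as an example and not part of the original post. It assumes the policy is stored as the `InactivityTimeoutSecs` DWORD under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; the function names and the 60-second baseline are hypothetical.

```powershell
# Added example. Assumption: the policy is stored as this DWORD registry value.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'InactivityTimeoutSecs'

# Classify a raw value. $null means the value is absent from the registry.
function Get-InactivityLimitFinding {
    param($Seconds, [int]$MinSaneSeconds = 60)   # threshold is a hypothetical baseline

    if ($null -eq $Seconds) {
        $status = 'NotConfigured'; $note = 'Value not present'
    } elseif ([int]$Seconds -eq 0) {
        $status = 'Disabled'; $note = 'Limit is 0 seconds'
    } elseif ([int]$Seconds -eq 1) {
        $status = 'SuspectBoolean'; $note = 'Looks like Enabled (1) applied as 1 second'
    } elseif ([int]$Seconds -lt $MinSaneSeconds) {
        $status = 'TooShort'; $note = "Below the $MinSaneSeconds second baseline"
    } else {
        $status = 'OK'; $note = 'Plausible limit in seconds'
    }
    [pscustomobject]@{ Seconds = $Seconds; Status = $status; Note = $note }
}

# Read the live value; returns $null if the key or value does not exist.
function Get-InactivityLimitFromRegistry {
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$PolicyName
}

# Constructed sample values, so the classification can be seen without a managed device.
foreach ($sample in @($null, 0, 1, 30, 900)) {
    Get-InactivityLimitFinding -Seconds $sample
}

# On a managed Windows client, check the value actually applied.
Get-InactivityLimitFinding -Seconds (Get-InactivityLimitFromRegistry)
```

A `SuspectBoolean` result on devices targeted by the profile points to the boolean-versus-seconds mismatch the post describes rather than a deliberately chosen timeout.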