Intro
Some time ago I was requested by a client to roll out a script so their computers are locked when left unattended, I can certainly understand the importance of this feature as having a computer used by an unauthorised third-party is potentially catastrophic!
The security risks are endless and imagine if there isn’t a timeout set at all; the window of opportunity for unauthorised access is also potentially endless.
This script is designed for a WorkGroup environment. If you have a domain environment, I suggest making these changes using GroupPolicy instead.
Method
We’re going to firstly going to make some changes via the registry; These are CMD commands to be executed with administrator privileges
Lock the computer when the screensaver is enabled:
REG ADD “HKLM\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop” /v ScreenSaverIsSecure /t REG_SZ /d 1
Turn on the screensaver after 600 seconds of idleness:
REG ADD “HKLM\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop” /v ScreenSaveTimeOut /t REG_SZ /d 600
Next, we are going to adjust the Windows power settings, so that the screen turns off shortly after the screensaver, to save power.
These commands are also to be ran in an administrative CMD prompt:
powercfg -change -monitor-timeout-ac 11
powercfg -change -monitor-timeout-dc 11
Thats it, now as long as all the computers have passwords set for their accounts, you’ve reduced the attack surface of idle computers in the organisation!