12 MAY 2020|Security

How to force Windows 10 to lock itself after inactivity, for all users


One aspect of securing your computers is ensuring that each one locks itself after a period of inactivity. If the PC is idle, which means the user has likely left it unattended for a while, we want the screen saver to kick in, and resuming the user session should require entering the password at the logon screen. Even the most security-conscious users can forget to lock the screen when leaving. For example, if the user is at their desk but not working on their computer, the screen may power off after a while. When the user then leaves, they may not realize the screen is still unlocked. So, it is best to automate the screen lockout.

To force the computer screen to lock itself after, say 10 minutes (or a specified time) of inactivity, we need to configure the screen saver settings.

For one user: The user can do this under their Lock Screen settings by clicking on the option to adjust screen saver settings. Here is how to do this in Windows 10:

  1. Get to the desktop. For instance, you could right click the taskbar at the bottom of your screen and select “Show the Desktop.”
  2. Right-click and select “Personalize.”
  3. In the Settings window that opens, select “Lock Screen” (near the left side).
  4. Click “Screen saver settings” near the bottom.
  5. In the popup window that opens, in the box marked “Screen saver”:
    • Set the Wait entry in minutes, to say 10 or 15.
    • Make sure that you check the box for “On resume, display logon screen.”
    • You may optionally use the drop-down option (before the settings button) to select a screen saver. We recommend selecting Blank.
    • Click OK to apply these settings and close the popup window.

You may now also close the settings window. If you leave your computer unattended, it will lock itself after the number of minutes you selected above.

For all users: To force this across all users on a particular computer, one can use the local group policy editor, as explained below.

Relevant Settings

We need to configure the following settings:

  • enable screen saver
  • screen saver timeout
  • force specific screen saver
  • password protect the screen saver.
  • (Optionally, to prevent users from overriding the above settings) prevent changing screen saver

The following explains how to do this in detail, with screenshots.

On Windows 10, press the Windows key and “R” key simultaneously. In the small window that opens on the bottom left, type “gpedit.msc” (without quotes) and press OK.

gpedit.msc options to reach the screen saver related settings

In the window that opens, in the left pane, under User Configuration, double click Administrative Templates, then double click Control Panel and then Personalization (shown as steps 1, 2, and 3 in the picture). This reveals a bunch of settings in the right pane.

We will adjust settings marked 4a through 4d, and optionally, # 5. Let’s take them up one by one below.

Setting 1: Enable Screen Saver

Then on the right, double click Enable Screen Saver. In the window that opens, select “Enabled” and click OK.

enable screen saver

Setting 2: Screen Saver Timeout

Now in the right pane of the local group policy editor, double click Screen saver timeout. Select “Enabled” and set the setting showing “Number of seconds to enable the screen saver” to the number of seconds of inactivity after which you want the screen to lock. For instance, for 15 minutes set it to 900, or for 10 minutes, set it to 600. Click OK.

screen saver timeout

Setting 3: Force Specific Screen Saver

Now, in the right pane, double click Force specific screen saver. Here you need to specify the name of the screen saver to be used. There is no default here, so if this setting is not configured, the screen lock will not take place.

To find the name of available screen saver programs, open File Explorer and browse to folder “C:\Windows\System32” (the path may be different if your Windows installation uses another drive instead of C-drive). Here, click on Type just above the list of files/folders. This sorts the files by file-type, so that all files of a type appear together. Scroll down until you see files of type “.scr” (Screen Saver). Note one of the file names of type screen saver, such as “scrnsave” or “Bubbles.”

find the available screen savers

Now we need to type the complete path along with the extension “.scr” in the “Force Specific screen saver” settings window. The complete path to be entered is “C:\Windows\System32\scrnsave.scr” if we want to use “scrnsave” as our specific screen saver. This is the “blank screen” screen saver.

specify a screen saver

Click OK to close this setting window.

Setting 4: Password Protect the Screen Saver

The above settings just cause the screen saver to kick in. To require the user to provide a password when they return after the screen saver started, we need to configure this fourth setting.

In the right pane, double click Password protect the screen saver.

password protect the screen saver

In the window that opens, select “Enabled” and click OK.

Your changes will take effect after you restart the computer.

Prevent Changing Screen Saver

The above settings are sufficient to activate the screen lock for all users after the machine is idle. However, some users may inadvertently change these settings from their individual Personalization settings, such as under Lock Screen settings. They may not intend to bypass security but simply want a different screen saver, and in the process accidentally remove the password requirement. Users may not be aware, or may not remember, that the password requirement is part of your firm’s security policy.

To prevent, or at least make it harder to, accidentally remove the screen saver and login requirements, a fifth setting may be configured. In the right pane of the Local Group Policy Editor window opened above, double-click “Prevent changing screen saver” and set it to enabled.

prevent changing screen saver

All users who you do not trust to correctly configure security settings, either due to their role in your organization or due to their security expertise, should not be given an administrator account. Set their account type to standard user. Administrator permissions allow changing all the above settings following the above steps.
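To confirm that the five settings above are actually in force for a user, the following added example (not part of the original article) reads the values the policies store in the registry and reports each one. The registry paths and value names are the ones these policies are known to write to and do not appear in the article; the function name and the 900-second ceiling are assumptions.

```powershell
# Added example: audit the current user's screen saver lock policy.
# The 900-second ceiling is an assumed organisational limit, not from the article.
function Test-ScreenLockPolicy {
    param([int]$MaxTimeoutSeconds = 900)

    # Registry locations where the User Configuration policies store their values.
    $desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $system  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

    # Return a value, or nothing when the key or value is absent (not configured).
    function Get-PolicyValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $active  = Get-PolicyValue $desktop 'ScreenSaveActive'
    $timeout = Get-PolicyValue $desktop 'ScreenSaveTimeOut'
    $scr     = Get-PolicyValue $desktop 'SCRNSAVE.EXE'
    $secure  = Get-PolicyValue $desktop 'ScreenSaverIsSecure'
    $noPage  = Get-PolicyValue $system  'NoDispScrSavPage'

    # The timeout is stored as a string of seconds; it must parse and be in range.
    $seconds = 0
    $timeoutOk = [int]::TryParse([string]$timeout, [ref]$seconds) -and
                 ($seconds -gt 0) -and ($seconds -le $MaxTimeoutSeconds)

    # The article notes no lock happens without a forced screen saver,
    # so require that the configured .scr file exists on disk.
    $scrOk = $false
    if ($scr) {
        $path = [Environment]::ExpandEnvironmentVariables($scr)
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"  # bare names: System32
        }
        $scrOk = Test-Path -LiteralPath $path -PathType Leaf
    }

    $rows = @(
        @('Enable screen saver',               $active,  ($active -eq '1'), $true),
        @('Screen saver timeout',              $timeout, $timeoutOk,        $true),
        @('Force specific screen saver',       $scr,     $scrOk,            $true),
        @('Password protect the screen saver', $secure,  ($secure -eq '1'), $true),
        @('Prevent changing screen saver',     $noPage,  ($noPage -eq 1),   $false)
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Setting = $r[0]; Value = $r[1]; Compliant = $r[2]; Required = $r[3] }
    }
}

Test-ScreenLockPolicy | Format-Table -AutoSize
```

These values live under HKCU, so run the check inside each user's own session; an empty Value column means that policy has not been applied to that user.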

The above steps show how to manually configure each computer. Alternatively, if all your computers are domain joined, you can use a domain policy to configure the security settings on all computers, as explained here. You may want the help of an IT professional in this case.
