Configure screensaver settings for all user profiles including activation, timeout, password protection, and screensaver selection
This Automox Worklet™ configures Windows screensaver settings for all user profiles on an endpoint. The Worklet modifies the Control Panel\Desktop registry keys for each user, setting the screensaver activation state, which screensaver file (.scr) to use, whether password protection is enabled, and the idle timeout before activation.
The Worklet handles both logged-in users (whose registry hives are already loaded) and logged-out users (whose ntuser.dat files must be loaded temporarily). This approach provides complete coverage for endpoints with multiple user accounts, including shared workstations or kiosk systems.
The Worklet examines registry keys including HKLM:\SOFTWARE\Microsoft\Windows. scr".
An important security behavior: setting ScreenSaveActive to 0 (disabled) while ScreenSaverIsSecure is set to 1 causes Windows to display the lock screen after the timeout period without showing a screensaver. This configuration is useful for organizations that want password-protected lock after idle without the visual distraction of a screensaver.
Security compliance frameworks often require endpoints to lock after a specified idle period. The PCI-DSS standard, for example, requires workstations to lock after 15 minutes of inactivity. Configuring screensaver settings with password protection provides this capability even on endpoints not managed by Group Policy.
Users can change screensaver settings through Windows preferences, potentially disabling required security controls. Running this Worklet on a schedule detects and remediates configuration drift, maintaining your security baseline even when users make changes. The Worklet reports per-user success or failure for troubleshooting.
Some organizations use screensavers for branding purposes, displaying company logos or information during idle periods. The Worklet supports deploying specific .scr files to standardize the visual experience across endpoints.
Evaluation phase: The Worklet enumerates user profiles from HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. For each user, it loads the ntuser.dat hive if not already loaded, reads the four screensaver registry values (ScreenSaveActive, SCRNSAVE.EXE, ScreenSaverIsSecure, ScreenSaveTimeOut), and compares them against the configured values. Any mismatch flags the endpoint for remediation.
Remediation phase: The Worklet iterates through each user profile, loading unloaded registry hives as needed. It uses Set-ItemProperty to write all four screensaver values to HKEY_USERS\{SID}\Control Panel\Desktop for each user. After writing, it verifies each value was set correctly and outputs per-user results. Registry hives are properly unloaded after modification.
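A read-only sketch of the evaluation phase described above, added here as an example and not the Worklet's own code. The desired values are the page's sample values; the SID filter and the exit-code convention (non-zero flags drift) are assumptions.

```powershell
# Added example: read-only evaluation sketch. Desired values are the page's samples.
$desired = @{
    'ScreenSaveActive'    = '1'
    'SCRNSAVE.EXE'        = 'C:\Windows\system32\Bubbles.scr'
    'ScreenSaverIsSecure' = '1'
    'ScreenSaveTimeOut'   = '600'
}
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$drift = @()

# Assumption: only local/domain account SIDs (S-1-5-21-...) are in scope.
$profiles = Get-ChildItem $profileList | Where-Object { $_.PSChildName -match '^S-1-5-21-' }

foreach ($p in $profiles) {
    $sid  = $p.PSChildName
    $hive = Join-Path (Get-ItemProperty $p.PSPath).ProfileImagePath 'ntuser.dat'
    $loadedHere = $false

    # Logged-out users: the hive is not under HKEY_USERS, so load ntuser.dat temporarily.
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        if (-not (Test-Path $hive)) { continue }
        & reg.exe load "HKU\$sid" $hive 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { $drift += "$sid : could not load hive"; continue }
        $loadedHere = $true
    }

    # Compare the four screensaver values against the desired state.
    $key    = "Registry::HKEY_USERS\$sid\Control Panel\Desktop"
    $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $desired.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        if ("$value" -ne $desired[$name]) {
            $drift += "$sid : $name expected '$($desired[$name])' actual '$value'"
        }
    }

    # Unload only hives this script loaded; release handles first or the unload fails.
    if ($loadedHere) {
        $actual = $null
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$sid" 2>&1 | Out-Null
    }
}

# Per-user mismatches go to output; a non-zero exit marks the endpoint as drifted.
$drift | ForEach-Object { Write-Output $_ }
if ($drift.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated session, since loading another user's ntuser.dat requires administrative rights.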
Windows 7, 8, 10, or 11
PowerShell 2.0 or later
Configure $screensaveActive: '1' to enable, '0' to disable
Configure $screensaveExe: full path to .scr file (e.g., 'C:\Windows\system32\Bubbles.scr')
Configure $screensaverIsSecure: '1' for password on wake, '0' for no password
Configure $screensaveTimeOut: idle seconds before activation (e.g., '600' for 10 minutes)
Variables must be identical in evaluation and remediation scripts
After successful remediation, all user profiles have screensaver settings configured as specified. Changes take effect immediately for currently logged-in users, though a reboot may be required for settings to fully reflect in some scenarios. New user sessions use the configured settings from first logon.
The Worklet outputs detailed per-user results showing which settings were successfully applied and any failures. If a setting fails to apply, the output shows both the expected and actual values for troubleshooting. Common issues include corrupted user profiles or permission problems accessing specific registry hives.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the screensaver settings.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state with checks that mirror the evaluation script logic, using cmdlets such as Get-ItemProperty, Where-Object, and Select-Object.
Validate the effects of remediation with the same cmdlets the script uses, such as Get-ItemProperty, Where-Object, and Select-Object, then rerun evaluation to confirm compliance.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
