Configure Windows screen to lock automatically after period of user inactivity
This Automox Worklet™ enforces automatic screen locking on Windows endpoints by configuring the InactivityTimeoutSecs registry value. The Worklet defines a configurable inactivity timeout period (default 15 minutes) and keeps all target endpoints compliant with this security policy.
The Worklet sets the registry key at HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ and converts your defined timeout from minutes to seconds (for example, 15 minutes becomes 900 seconds). After the Worklet completes remediation, a system reboot is required for the changes to take effect.
Unattended workstations in offices, shared workspaces, or remote locations provide direct access to authenticated sessions, open applications, and sensitive data. An attacker who finds an unlocked endpoint can access email, internal systems, file shares, and cloud services using the legitimate user's credentials without triggering any authentication alerts or access logs. This represents one of the easiest and most common attack vectors in physical workspace environments.
Users frequently step away from their endpoints without locking the screen, despite security training and policies. They walk to meetings, take lunch breaks, or leave for the day while remaining logged in. This behavior exposes your organization to data theft, malicious actions performed under legitimate user identities, and compliance violations that auditors cite as evidence of inadequate access controls.
Regulatory frameworks including HIPAA, PCI-DSS, GDPR, and SOC 2 require automatic session timeouts and screen lock policies to prevent unauthorized access to sensitive data. Auditors specifically check for technical controls that enforce these policies, not just written procedures that rely on user compliance. Failing to implement automatic screen lock generates audit findings and puts certifications at risk.
Insider threats and social engineering attacks exploit unlocked endpoints as opportunities to install malware, copy data to USB drives, or access systems that the absent user has permission to use but the attacker does not. These attacks leave minimal forensic evidence because they occur within legitimate user sessions.
Evaluation phase: The Worklet checks whether the InactivityTimeoutSecs registry value exists at HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ and whether its value matches the configured timeout in seconds. If the value does not exist or does not match the required setting, the endpoint is flagged for remediation.
Remediation phase: The Worklet sets or overwrites the InactivityTimeoutSecs registry value with the calculated timeout in seconds. If the registry key or value does not exist, it creates them. The Worklet then notifies administrators that a system reboot is required for the policy to take effect.
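The two phases above can be sketched as a single PowerShell script. This is an added example, not the Worklet's own source; the function names Test-InactivityTimeout and Set-InactivityTimeout are hypothetical, and the REG_DWORD value type is an assumption based on how Windows stores this setting.

```powershell
# Added illustration of the evaluation/remediation logic; not Automox's Worklet code.
$minutes = 15    # inactivity timeout in minutes (the page's default)
$path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name    = 'InactivityTimeoutSecs'
$desired = $minutes * 60    # 15 minutes -> 900 seconds

function Test-InactivityTimeout {
    # Evaluation: compliant only if the value exists and equals the desired seconds.
    $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = $item.$name
    return ($null -ne $current -and [int]$current -eq $desired)
}

function Set-InactivityTimeout {
    # Remediation: create the key if it is missing, then create or overwrite the value.
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # -Type is supplied by the registry provider; DWord is assumed here.
    Set-ItemProperty -Path $path -Name $name -Value $desired -Type DWord
}

if (Test-InactivityTimeout) {
    Write-Output "Compliant: $name is already $desired seconds."
    exit 0
}

Write-Output "Not compliant: setting $name to $desired seconds."
Set-InactivityTimeout

# Re-run the evaluation so the exit code reflects the actual endpoint state.
if (Test-InactivityTimeout) {
    Write-Output "Remediated. A system reboot is required for the policy to take effect."
    exit 0
}

Write-Output "Remediation failed. Confirm the script runs as Administrator or SYSTEM."
exit 1
```

Run it from an elevated session; a non-elevated run fails at the write to HKLM and exits with code 1.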
Windows 10, Windows 11, Windows Server 2016, or later versions
Administrator or SYSTEM privileges to modify Group Policy registry settings
System reboot required after remediation to activate the new policy
Configurable timeout variable (default 15 minutes, modify the $minutes parameter as needed)
Registry access to HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
The endpoint automatically locks the screen after 15 minutes of inactivity. The Windows lock screen appears, requiring the user to authenticate with their password, PIN, or biometric credential before accessing the desktop. This happens consistently regardless of user behavior or whether users remember to manually lock their screens.
The Group Policy setting Screen saver timeout is configured and enforced on the endpoint. You can verify the setting by checking the registry key HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System or by reviewing the Local Group Policy Editor under Computer Configuration > Administrative Templates > Control Panel > Personalization.
Users who leave their endpoints unattended for more than 15 minutes return to find their screens locked. They must re-authenticate to continue working. This prevents unauthorized access during short absences like restroom breaks, coffee runs, or impromptu conversations in hallways.
The timeout setting persists across reboots and user logins. It applies to all users on the endpoint, including administrators and service accounts. Users cannot override this setting through Control Panel or personalization options because it is enforced by Group Policy.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the lock-screen-on-inactivity check.
Confirm Automox activity logs show successful completion and exit code 0.
Verify the endpoint state using checks aligned to the evaluation script logic, such as Get-ItemProperty and Write-Output.
Validate the remediation effects of script operations such as Set-ItemProperty and Write-Output, then rerun the evaluation to confirm compliance.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
