IT administrators can now enhance endpoint security by configuring screensaver settings on Windows devices managed through SureMDM. Enforcing a locked screensaver ensures unattended devices remain protected, helping organizations meet compliance standards and reduce the risk of unauthorized access. This article explains how to enable screensaver lock and screensaver active unless interrupted by user intervention.
Purpose
This functionality ensures continuous device protection and enhances visibility into security compliance by enforcing locked screensavers on enrolled Windows devices. It helps organizations monitor and maintain adherence to company policies by preventing unauthorized access during periods of inactivity.
Prerequisites
- Access to the SureMDM account.
- Permission to create jobs and apply to devices
- Windows devices enrolled and managed through SureMDM should be online.
- A Windows profile configured with branding, including a specified screensaver image and activation time.
Steps
- Log in to the SureMDM Console.
- Navigate to the Jobs → New Job → Windows → Run scripts.
Step 1: Prevent Screen Timeout to Keep Screensaver Active
To ensure the screensaver remains active unless interrupted by user interaction, configure the screen and sleep settings for both battery and plugged-in modes to Never under power and battery settings.
Script to set screen and sleep timeout to Never:
New-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\29f6c1db-86da-48c5-9fdb-f2b67b1f44da” -Force | Out-Null
Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\29f6c1db-86da-48c5-9fdb-f2b67b1f44da” -Name “ACSettingIndex” -Value 0 -Type DWord
Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\29f6c1db-86da-48c5-9fdb-f2b67b1f44da” -Name “DCSettingIndex” -Value 0 -Type DWord
Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\29f6c1db-86da-48c5-9fdb-f2b67b1f44da” -Name “Attributes” -Value 0 -Type DWord
New-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e” -Force | Out-Null
Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e” -Name “ACSettingIndex” -Value 0 -Type DWord
Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e” -Name “DCSettingIndex” -Value 0 -Type DWord
gpupdate /force
Step 2: Enable Lock Screen on Screensaver Resume
To secure the device when the screensaver resumes, configure the system to require a logon screen upon resume from the screensaver.
Script to enable “On resume, display logon screen”:
Set-ItemProperty -Path “HKCU:\Control Panel\Desktop” -Name “ScreenSaverIsSecure” -Value “1”
Note: Ensure “Execute in the currently logged-in user account” is enabled when running the above script, as screensaver settings are user-specific.
For the changes to take effect, a system restart is required.
Shutdown script: shutdown /r /t 120 /f
To automate the entire process, create a Composite Job in SureMDM by sequencing the screen timeout script, a 10-second delay, the screensaver lock script (set to run under the logged-in user), another 10-second delay, and finally the shutdown script.
Need more help? Here’s how to get help from our experts.