- March 12, 2019 at 5:27 pm
Weekend Wiki (Keymaster)
How to Configure Screen Lockout Time with Microsoft Intune Using Templates or Scripts
If you prefer to configure screen lockout time using Intune templates or scripts rather than the settings catalog, you can do so with PowerShell scripts or custom configuration profiles. This method offers flexibility and allows for more granular control of device settings.
Here’s how to configure the screen lockout time using both methods:
Option 1: Using Configuration Templates (Custom Device Configuration Profile)
You can create a Custom Configuration Profile with an OMA-URI setting to configure the screen lockout time for devices.
Step 1: Create a Custom Configuration Profile
- Log in to Microsoft Intune Admin Center at https://endpoint.microsoft.com.
- Navigate to Devices → Configuration Profiles → + Create Profile.
- Select Windows 10 and later (or the platform you are configuring).
- Under Profile Type, select Custom.
- Click Create.
Step 2: Configure the Screen Lockout Time (OMA-URI)
- In the Profile Name field, provide a name (e.g., “Configure Lockout Time”).
- Under Configuration Settings, click + Add.
- In the OMA-URI Settings section, configure the following:
- Name: Screen Lock Timeout (or a descriptive name of your choice).
- Description: Set a description (e.g., “Configures screen lockout time for idle devices”).
- OMA-URI: Use the OMA-URI for screen lock settings:
- For Windows: ./Device/Vendor/MSFT/Policy/Config/LockScreen/IdleTimeBeforeLock
- This OMA-URI is used to configure the lock screen timeout after inactivity.
- Data type: Integer
- Value: Enter the desired lockout time in seconds (e.g., 300 for 5 minutes).
- Example: If you want the lock screen to activate after 5 minutes, the value would be 300.
- Click Save to add the OMA-URI setting.
Step 3: Assign the Profile to Devices
- Assign the profile to your target device groups or user groups.
- Review and click Create to deploy the policy.
Option 2: Using PowerShell Script for Screen Lock Timeout
You can also configure the screen lock timeout using a PowerShell script and deploy it through Intune.
Step 1: Write the PowerShell Script
To configure the screen lockout time, write a PowerShell script to set the screen lock timeout. Here’s an example script that sets the lock screen timeout for 5 minutes (300 seconds):
```powershell
# Set the screen lock timeout for Windows
$lockTimeout = 300 # Lock screen timeout in seconds (300 = 5 minutes)

# Registry key for screen timeout
$regKey = "HKCU:\Control Panel\Desktop"
$regValue = "ScreenSaveTimeOut"

# Set the screen lock timeout in the registry (these values are stored as strings)
Set-ItemProperty -Path $regKey -Name $regValue -Value "$lockTimeout" -Type String

# Enforce the lock screen timeout policy
$lockScreenKey = "HKCU:\Control Panel\Desktop"
Set-ItemProperty -Path $lockScreenKey -Name "ScreenSaveActive" -Value "1" -Type String # Turn the screen saver idle timer on so the timeout takes effect
Set-ItemProperty -Path $lockScreenKey -Name "ScreenSaverIsSecure" -Value "1" -Type String # Enable secure screen lock after inactivity
```
This script modifies the registry to set the screen timeout and enforce screen lock after inactivity.
Step 2: Upload the PowerShell Script to Intune
- Go to Microsoft Intune Admin Center and navigate to Devices → Scripts.
- Click + Add and choose Windows 10 and later.
- Name the script (e.g., “Configure Screen Lock Timeout”).
- Upload the PowerShell script you created.
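- Set Run the script in 64-bit and choose User as the execution context. The script writes to HKCU, so it has to run as the signed-in user for the values to land in that user's registry hive.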
Step 3: Assign the Script to Devices
- Choose the device groups that should receive this script.
- Review and click Add to deploy the script.
Option 3: Using Device Configuration Templates (for Managed Android/iOS Devices)
If you need to configure screen lock settings for Android or iOS devices, Microsoft Intune offers templates that can be used to apply a lockout policy.
For Android:
- Navigate to Microsoft Intune Admin Center → Devices → Configuration Profiles → + Create Profile.
- Select Android Enterprise and then Device Restrictions.
- In the Device Restrictions settings, look for Screen Timeout or Lock Screen settings.
- Configure the screen lock timeout under Lock screen settings to automatically lock the device after a set period of inactivity.
For iOS/iPadOS:
- Navigate to Devices → Configuration Profiles → + Create Profile.
- Select iOS/iPadOS and choose Device Restrictions.
- Look for Lock Screen Settings and configure the Idle Time Before Lock setting.
- Assign the profile to the desired device groups.
Step 4: Monitor the Deployment
- After deploying the configuration profile or script, monitor the deployment status from the Monitor section.
- Check the Device Configuration and Script Deployment status to confirm if the policy is applied successfully to your devices.
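A device-side check for the values the Option 2 script writes, as an added example that is not part of the original post. It assumes a 300-second ceiling (`$maxTimeout`), uses the exit-code convention of Intune remediation detection scripts (0 = compliant, 1 = issue found), and also reads the Group Policy location under `HKCU:\Software\Policies`, which takes precedence over the user-writable key:

```powershell
# Added example: verify the per-user screen lock values from Option 2.
# Exit 0 = compliant, exit 1 = drift detected.
$maxTimeout = 300   # assumed ceiling in seconds (the 5-minute example)

# The Policies key (written by Group Policy) overrides the user-writable
# key that the Option 2 script sets, so it is checked first.
$paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

function Get-EffectiveValue {
    param([string]$Name)
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null   # not set in either location
}

$problems = @()

# The timeout is stored as a string; reject missing, non-numeric or zero values.
$timeout = Get-EffectiveValue -Name 'ScreenSaveTimeOut'
$seconds = 0
if (-not [int]::TryParse([string]$timeout, [ref]$seconds) -or $seconds -le 0) {
    $problems += "ScreenSaveTimeOut missing or invalid: '$timeout'"
} elseif ($seconds -gt $maxTimeout) {
    $problems += "ScreenSaveTimeOut is $seconds s, above $maxTimeout s"
}

if ((Get-EffectiveValue -Name 'ScreenSaverIsSecure') -ne '1') {
    $problems += 'ScreenSaverIsSecure is not 1: resume does not require sign-in'
}
if ((Get-EffectiveValue -Name 'ScreenSaveActive') -ne '1') {
    $problems += 'ScreenSaveActive is not 1: the screen saver is disabled'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Output "NON-COMPLIANT: $_" }
    exit 1
}
Write-Output "COMPLIANT: locks after $seconds s of inactivity"
exit 0
```

Run it in the user context, like the Option 2 script, because it reads HKCU. The values under `HKCU:\Control Panel\Desktop` can be changed by the signed-in user, so a recurring check like this is what catches a timeout that was raised or disabled after deployment.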
Conclusion
By using Custom Configuration Profiles (OMA-URI) or PowerShell scripts, you can configure the screen lockout time with Microsoft Intune. This gives you flexibility to manage device lock settings and enforce security policies across your organization’s devices.