2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

The recommended state for this setting is: 900 or fewer second(s), but not 0.

Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit.

Rationale:

If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack the unattended session.

Impact:

The screen saver will automatically activate when the computer has been unattended for the amount of time specified. The impact should be minimal since the screen saver is enabled by default.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to 900 or fewer second(s), but not 0:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Endpoint protection)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Endpoint protection/Local device security options/Interactive Logon
Setting Name: Minutes of lock screen inactivity until screen saver activates
Configuration: 15

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
Data type: Integer
Value: 900 or fewer, but not 0

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Default Value:

0 seconds. (There is no inactivity limit.)
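As an added local verification step (not part of the audit page or the CIS benchmark text), the following PowerShell reads the effective value on a Windows device and applies the benchmark rule "900 or fewer seconds, but not 0". It assumes the policy is applied to the device as the DWORD InactivityTimeoutSecs under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; an absent value is treated as the Windows default of 0 (no limit) and therefore non-compliant.

```powershell
# Added example: check the effective 'Interactive logon: Machine inactivity limit'.
# Assumption (not stated on the audit page): the applied policy lives in the
# DWORD InactivityTimeoutSecs under the Policies\System key below, in seconds.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'InactivityTimeoutSecs'
$MaxSecs   = 900   # benchmark ceiling: 900 or fewer, but not 0

function Test-InactivityLimitCompliance {
    param(
        [AllowNull()][Nullable[int]]$Seconds,   # effective limit; $null when the value is absent
        [int]$Maximum = 900
    )
    # Absent value means the Windows default of 0, i.e. no inactivity limit -> non-compliant.
    if ($null -eq $Seconds) { return $false }
    # 0 disables the limit entirely, so it fails even though it is "fewer than 900".
    if ($Seconds -eq 0) { return $false }
    return ($Seconds -gt 0 -and $Seconds -le $Maximum)
}

# Read the value without throwing when the key or value does not exist.
$item    = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($null -ne $item) { [int]$item.$ValueName } else { $null }

$compliant = Test-InactivityLimitCompliance -Seconds $current -Maximum $MaxSecs

[pscustomobject]@{
    Setting   = 'Interactive logon: Machine inactivity limit'
    Source    = "$RegPath\$ValueName"
    Current   = if ($null -eq $current) { 'not set (defaults to 0, no limit)' } else { "$current second(s)" }
    Expected  = "1 to $MaxSecs second(s)"
    Compliant = $compliant
}
```

Note that the Intune Endpoint protection profile expresses this setting in minutes (15 minutes in the steps above) while the OMA-URI and the value read here are in seconds, so 15 in the profile corresponds to 900 here.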

See Also

https://workbench.cisecurity.org/files/4161