Changelog

Improved Check: Windows Screen Lock Disabled/Insecure

September 16th, 2020

This is a follow-up post to the announcement we made about the macOS Screen Lock Check. In that macOS Check we really dug deep into the spirit of what Screen Lock means beyond just ensuring the setting for the feature is enabled.

While we already had a Windows Screen Lock check, it wasn’t nearly as thoughtfully put together as the macOS one. To rectify this, we have shipped a new replacement check called Windows Screen Lock Disabled / Insecure.

Like its macOS sibling, a Windows device must meet both of the following conditions to pass.

  1. The “On resume, display logon screen” box is checked in the Screen Saver Settings control panel, OR “When PC wakes up from sleep” is selected under the “Require sign-in” header in the “Sign-in options” section of Windows Settings.
  2. The device must be configured to go to sleep or to start the screensaver after at most 15 minutes of idle time, whether it is running on battery or plugged into AC power.

This Check replaces the original check and has a new ID and URL. Don’t worry though, we have ported over your tags and notification options to the new Check.

We encourage you to take a look at the new Check and enable notifications so that your users can better secure their devices.

New Inventory - Screenlock Configs

In addition, we have also exposed data about Windows Screenlock configurations in Inventory. You can find this Inventory item at: https://k2.kolide.com/x/inventory/windows_screenlock_configs

In this Inventory Item we expose the following columns:

  • Screensaver Lock Enabled - True if the ‘On resume, display logon screen’ option is checked under the Screen Saver Settings control panel.
  • User Screensaver Idle - The amount of time in seconds before the Screen Saver is initiated. This is controlled by the dropdown labeled ‘Wait: … minutes’ on the Screen Saver Settings control panel.
  • Requires Password on Wake AC - True if the Require Sign-in dropdown is configured to ‘When PC wakes up from sleep’ in the Sign-In Options screen while the device is on AC power. By default this dropdown controls both the AC and Battery settings, but they can differ if configured manually via RegEdit or Group Policy.
  • Requires Password on Wake Battery - True if the Require Sign-in dropdown is configured to ‘When PC wakes up from sleep’ in the Sign-In Options screen while the device is on Battery power. By default this dropdown controls both the AC and Battery settings, but they can differ if configured manually via RegEdit or Group Policy.
  • Max Device Sleep Idle - The longer of the AC and Battery sleep idle values, i.e. the worst case for how long the device can be left idle before the configured Power Plan puts it to sleep, on either power source. “Never” if either value is “Never”.
  • Device Sleep Idle AC - The amount of time in seconds (or “Never”) the computer must be idle while connected to power before it goes to sleep. Controlled by Power Plan Settings.
  • Device Sleep Idle Battery - The amount of time in seconds (or “Never”) the computer must be idle while running on Battery power before it goes to sleep. Controlled by Power Plan Settings.
  • Lid Close Action AC - Describes the behavior of mobile devices (laptops) when the physical lid is closed on AC power. Controlled by the Control Panel: ‘Change what closing the lid does’. May be one of the following options: (Nothing, Sleep, Hibernate, Shutdown). 
  • Lid Close Action Battery - Describes the behavior of mobile devices (laptops) when the physical lid is closed on Battery power. Controlled by the Control Panel: ‘Change what closing the lid does’. May be one of the following options: (Nothing, Sleep, Hibernate, Shutdown) 
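If you want to see where these Inventory columns come from, or reproduce the two pass conditions of the check on a machine by hand, the following PowerShell script does both. It is an added example written for this post, not Kolide's agent code. It reads the screen saver values from the registry (ScreenSaverIsSecure, ScreenSaveActive and ScreenSaveTimeOut under HKCU, with the Group Policy copy taking precedence when present) and the power-plan values through powercfg using its setting aliases (CONSOLELOCK for “Require sign-in”, STANDBYIDLE for sleep idle, LIDACTION for the lid action, whose codes 0 to 3 map to Nothing, Sleep, Hibernate, Shutdown). Those names come from Windows, not from the post. The 15-minute threshold is the one stated above; the “locks within 15 minutes” result at the end is this example's own stricter pairing of the two conditions (the idle event that fires must also be the one that locks), not the check's exact logic.

```powershell
# Added example (not Kolide's code): collect the Windows Screenlock Configs
# inventory columns and evaluate the two pass conditions of the check.
# Assumes it runs in the session of the user being assessed (HKCU is per-user).

$MaxIdleSeconds = 15 * 60

# Screen saver values: a Group Policy value, when present, overrides the user's own.
function Get-DesktopSetting {
    param([string]$Name)
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# AC and DC (battery) index of one setting in the active power plan.
# Either value stays $null when the setting is absent (e.g. LIDACTION on a desktop).
function Get-PowerSettingIndex {
    param([string]$SubGroup, [string]$Setting)
    $result = @{ AC = $null; DC = $null }
    $out = & powercfg.exe /query SCHEME_CURRENT $SubGroup $Setting 2>$null
    foreach ($line in @($out)) {
        if ($line -match 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
            $result.AC = [Convert]::ToInt32($Matches[1], 16)
        } elseif ($line -match 'Current DC Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
            $result.DC = [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $result
}

# powercfg stores "Never" as 0; report it the way the inventory does.
function Format-Idle {
    param($Seconds)
    if ($null -eq $Seconds) { return 'N/A' }
    if ($Seconds -eq 0)     { return 'Never' }
    return $Seconds
}

$saverSecure  = (Get-DesktopSetting 'ScreenSaverIsSecure') -eq '1'  # "On resume, display logon screen"
$saverActive  = (Get-DesktopSetting 'ScreenSaveActive') -eq '1'
$saverTimeout = [int](Get-DesktopSetting 'ScreenSaveTimeOut')      # seconds; 0 when unset

$consoleLock = Get-PowerSettingIndex 'SUB_NONE'    'CONSOLELOCK'    # 1 = require sign-in on wake
$standby     = Get-PowerSettingIndex 'SUB_SLEEP'   'STANDBYIDLE'    # seconds, 0 = Never
$lid         = Get-PowerSettingIndex 'SUB_BUTTONS' 'LIDACTION'      # 0..3
$lidActions  = @{ 0 = 'Nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shutdown' }

$saverIdle = if ($saverActive -and $saverTimeout -gt 0) { $saverTimeout } else { 'Never' }
$maxSleep  = if ($standby.AC -gt 0 -and $standby.DC -gt 0) { [Math]::Max($standby.AC, $standby.DC) } else { 'Never' }
$lidAC     = if ($null -ne $lid.AC) { $lidActions[$lid.AC] } else { 'N/A' }
$lidDC     = if ($null -ne $lid.DC) { $lidActions[$lid.DC] } else { 'N/A' }

# The same columns the Screenlock Configs inventory item exposes.
[pscustomobject]([ordered]@{
    'Screensaver Lock Enabled'          = $saverSecure
    'User Screensaver Idle'             = $saverIdle
    'Requires Password on Wake AC'      = ($consoleLock.AC -eq 1)
    'Requires Password on Wake Battery' = ($consoleLock.DC -eq 1)
    'Max Device Sleep Idle'             = $maxSleep
    'Device Sleep Idle AC'              = Format-Idle $standby.AC
    'Device Sleep Idle Battery'         = Format-Idle $standby.DC
    'Lid Close Action AC'               = $lidAC
    'Lid Close Action Battery'          = $lidDC
}) | Format-List

# Condition 1: a lock-on-resume mechanism is enabled (sign-in on wake must hold on AC and on battery).
$cond1 = $saverSecure -or ($consoleLock.AC -eq 1 -and $consoleLock.DC -eq 1)
# Condition 2: the screen saver or device sleep starts within 15 minutes, on AC and on battery.
$saverWithin = $saverActive -and $saverTimeout -gt 0 -and $saverTimeout -le $MaxIdleSeconds
$sleepWithin = ($standby.AC -gt 0 -and $standby.AC -le $MaxIdleSeconds) -and
               ($standby.DC -gt 0 -and $standby.DC -le $MaxIdleSeconds)
$cond2 = $saverWithin -or $sleepWithin

# Stricter pairing (this example's own): the idle event that fires must be the one that locks.
function Test-LocksWithin {
    param([bool]$PasswordOnWake, $SleepIdle)
    $viaSaver = $saverSecure -and $saverWithin
    $viaSleep = $PasswordOnWake -and ($SleepIdle -gt 0) -and ($SleepIdle -le $MaxIdleSeconds)
    return ($viaSaver -or $viaSleep)
}

[pscustomobject]@{
    'Check passes (conditions as stated)' = ($cond1 -and $cond2)
    'Locks within 15 min on AC'           = (Test-LocksWithin ($consoleLock.AC -eq 1) $standby.AC)
    'Locks within 15 min on battery'      = (Test-LocksWithin ($consoleLock.DC -eq 1) $standby.DC)
} | Format-List
```

Run it as the user whose settings you care about; a Group Policy value in the Policies key wins over the user's own choice, which is why the script looks there first. The last two lines are the ones worth reading on a machine that passes: a secure screen saver set to 60 minutes combined with a 10-minute sleep that does not require sign-in satisfies the two conditions taken separately but never actually locks the screen, and that is what the stricter per-power-source result exposes.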

As always, let us know if you have any questions, concerns or feedback about this Check!
