For ThreatLocker webinar series 100 days to secure your environment: Week 1

NOTE: Some Group Policy settings might require the necessary ADMX to appear in Group Policy Management Editor. You can download them here.

Here are three methods to configure a secure screensaver on a Windows workstation that requires a password upon return.

Group Policy (Windows Server Active Directory)

Steps for configuring a password protected screensaver via Group Policy:

1. Navigate to Group Policy Management, then Group Policy Management Editor.

2. On the lefthand navigation pane, select User configuration > Administrative Templates > Control Panel > Personalization.

3. Select the Password protect the screen saver and enable it.

PowerShell 

You can set a secure screensaver by updating the appropriate registry keys—either manually or via PowerShell. Below is a sample PowerShell script that you can customize for your environment.

Because these keys must be set for each user under HKEY_USERS, the script loops through all relevant user profiles to apply the settings.

cls
$users = Get-ChildItem "Registry::HKEY_USERS" | Where-Object { $_.Name -match "^HKEY_USERS\\S-1-5-21" -and $_.Name -notmatch "classes$"}

foreach ($user in $users) {
    $userSID = $user.PSChildName
    $regPath = "Registry::HKEY_USERS\$userSID\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
    Write-Output $regPath
    try {
               Set-ItemProperty -Path $regPath -Name "ScreenSaveTimeOut" -Value "600" -Type String
    Set-ItemProperty -Path $regPath -Name "ScreenSaveActive" -Value "1" -Type String
    Set-ItemProperty -Path $regPath -Name "ScreenSaveIsSecure" -Value "1" -Type String
        Write-Output "Successfully set ScreenSaveTimeOut for user: $userSID"
    }
    catch {
        Write-Output "Failed to set registry for user: $userSID - $_"
    }
}

Registry Value(s) 

Set the keys below for each user.
 
Registry Path: HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop 
ValueType: REG_SZ 
ValueName: ScreenSaveActive 
ValueData: 0 
DefaultValue: Remove Value 
 
Registry Path: HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop 
ValueType: REG_SZ 
ValueName: ScreenSaverIsSecure 
ValueData: 1 
DefaultValue: Remove Value 
 
Registry Path: HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop 
ValueType: REG_SZ 
ValueName: ScreenSaveTimeOut 
ValueData: 0 mins (not active) to 1440 mins (24 hrs) 
DefaultValue: Remove Value 
 

Additionally, the following key may need to be set.

Registry path: HKEY_USER\Control Panel\Desktop\ 
ValueName: SCRNSAVE.EXE 
ValueData: C:\Windows\system32\scrnsave.scr 
DefaultValue: Remove Value 

‍

ThreatLocker (Config Manager) 

Steps for configuring a password protected screensaver in ThreatLocker (Config Manager):

1. Sign in to the ThreatLocker portal and navigate to Config Manager module:

2. Password protection settings:
   a. Under the New Policy section, click on Drop down menu.
   b. On the drop down page, look for Set password protected screen saver.
   c. Once created, click Deploy Policies to apply the configuration to your endpoints.

Enforcing a password-protected screensaver helps prevent unauthorized access when devices are idle and can be applied through Group Policy or ThreatLocker Configuration Manager.

Like what you see? There's more.

Register for the no-cost ThreatLocker webinar series 100 days to secure your environment today.