
We need to configure the screen lock timeout on our laptop machines so that the inactivity time dynamically changes according to the connection: if the laptop is directly connected to the corporate network through Ethernet, then the screen should lock after 15 min, but in any other circumstances (laptop either not connected to any network, or connected but through VPN) this time should be reduced (let's say, down to 5 minutes)...

All client machines run on Windows 7 or 10 Enterprise.

Please note that this has to be independent of the power options, and that the screen lock timeout could change several times during a single user session. For example, a user removes his/her laptop from its docking station (screen lock timeout gets changed from 15 min to 5 min), then later on shuts it down, boots it while disconnected from the network (still 5 min screen lock timeout), works a while through VPN (still 5 min), then puts it back on the docking station and the laptop reconnects to the corporate network through Ethernet (screen lock timeout back to 15 min)...

GPO administrative templates don't allow for configuring the screen lock based on the network connection. Any ideas of the best ways to implement this?

So far, I was thinking about using event-triggered scheduled tasks. But I do not know what events could be used to accurately link such task triggers...

Sam Erde
MXM

1 Answer


One way that you could accomplish this is by monitoring NetworkProfile event IDs 10000 and 10001, and running a script after each instance of these events.

To set a 5 minute screen saver timeout when a user has disconnected from the network, create a new scheduled task, give it a relevant name, and for the trigger, select "When an event is logged." Then specify on the next screen:

  • Log: Microsoft-Windows-NetworkProfile/Operational
  • Source: NetworkProfile
  • Event ID: 10001 (Network Disconnected)

For the action, use a PowerShell script (or whatever you're comfortable with) to set the screen saver timeout period.

To set a 15 minute timeout for trusted networks, you'll need to do a little more legwork to figure out if you have consistent enough network names or IP ranges to identify as your trusted networks for the purposes of this script. When this event is triggered, you can check the network name from the most recent event ID 10000, and reduce the screen saver timeout if the network name is trusted.

Of course, neither of these is foolproof. A network name could always be spoofed or incidentally match the name of your trusted network. One possible way that you could cover for this is to (1) check for a network name that matches the name of your internal domain, and then (2) use the Get-ADDomainController PowerShell cmdlet to see if you can reach a domain controller and confirm that you actually are connected to this network.

There may be other/better methods, including possibly Group Policy preferences with item level targeting. Again, there are challenges around timing (how often it re-evaluates and re-applies policies) and how you identify the current network state. ILT with WMI queries would probably be the closest, but this approach would not be as "real-time" as using tasks triggered on logged event IDs.

There's no script for you here, but hopefully this gets things going in the right direction if you (or anybody else) is still looking for a solution.

Sam Erde
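The approach the answer outlines, as an added example that is not part of the answer: a script a scheduled task (triggered on NetworkProfile events 10000/10001, running as the logged-on user) can call to read the network name from the latest event 10000, apply the domain-name and domain-controller checks, and set the timeout. It assumes the corporate LAN's connection profile is named after the AD domain, that the RSAT ActiveDirectory module is installed, and that the event's network name is carried in an EventData field called "Name".

```powershell
# Added example, not the answer's code. Runs in the logged-on user's context (writes HKCU).
$TrustedTimeout   = 15 * 60   # seconds on the corporate LAN
$UntrustedTimeout =  5 * 60   # seconds anywhere else (no network, VPN, unknown LAN)

# Apply the timeout immediately via SystemParametersInfo; writing only the registry
# value would not take effect until the next logon or policy refresh.
Add-Type -Namespace Win32 -Name Spi -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, IntPtr pvParam, uint fWinIni);
'@
function Set-ScreenSaverTimeout([int]$Seconds) {
    $SPI_SETSCREENSAVETIMEOUT = 0x000F
    $SPIF_UPDATEINIFILE = 0x01; $SPIF_SENDCHANGE = 0x02
    [Win32.Spi]::SystemParametersInfo($SPI_SETSCREENSAVETIMEOUT, $Seconds, [IntPtr]::Zero,
                                      ($SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE)) | Out-Null
    # Make sure the saver is enabled and actually locks the session when it kicks in.
    Set-ItemProperty 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty 'HKCU:\Control Panel\Desktop' -Name ScreenSaverIsSecure -Value '1'
}

# Network name from the most recent "Network Connected" (10000) event, as the answer suggests.
function Get-LastConnectedNetworkName {
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return $null }
    $xml = [xml]$evt.ToXml()
    # Assumption: the profile name is the EventData field named "Name".
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Name' }).'#text'
}

# Trusted only if (1) the profile name matches the AD domain AND (2) a DC answers.
function Test-TrustedNetwork {
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) { return $false }                 # not a domain-joined session
    if ((Get-LastConnectedNetworkName) -ne $domain) { return $false }
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $null = Get-ADDomainController -Discover -DomainName $domain -ErrorAction Stop
        return $true
    } catch { return $false }   # no DC reachable: off-site, unknown LAN, or a spoofed name
}

if (Test-TrustedNetwork) { Set-ScreenSaverTimeout $TrustedTimeout }
else                     { Set-ScreenSaverTimeout $UntrustedTimeout }
```

Note that a VPN session that both carries the domain's profile name and reaches a domain controller passes both checks, so enforcing the questioner's "Ethernet only" rule needs an extra adapter-type check beyond what the answer describes.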