Force screensaver with flexible lock time / time out value in PowerShell

Due to security compliance requirements, a customer recently asked me to apply a setting that would force a screensaver after an idle time of 20 minutes. At the same time, employees should be able to change the time out value to anything between 1 and 20 minutes.

Group Policies / GPOs do not provide this functionality, and since the customer does not use any additional tooling, it had to be done with some custom script (see below).

Screensaver settings are saved in the registry (HKEY_CURRENT_USER\Control Panel\Desktop). Changing values at logon therefore looked like the easiest solution. However, since changes to the registry are not applied in real time to the current user session, users had to log off and on again to activate the new settings.
To solve this, I had to use the following command: rundll32.exe user32.dll, UpdatePerUserSystemParameters
This command does the same as clicking the “OK” button in the Screensaver window. Changes made in the registry are then immediately applied in the same Windows session. Neat!

All but one of the desired functions were now accomplished. The last step was to force the timeout value to be between 1 and 20 minutes. With PowerShell, this can be done quite easily: check if the current timeout is between 1 and 20 minutes. If so, do nothing. If not, reset the value to 20. In this way, users who set their timeout value to 10 minutes will not be bothered.

One drawback is that users can still adjust the timeout value when they’re logged on to Windows. Screensaver settings are user settings after all. However, users will learn fast if you schedule the script for every hour. 🙂

Here’s the PowerShell script for anyone who’s interested. If you have comments or questions, feel free to reply!

#Values to customize
$ScreenSaveActive = 1 # set to 1 if you want the screensaver enabled, 0 to disable
$TimeOutValue = 1200 # maximum number of idle seconds before the screensaver becomes active
$ScreenSaverFile = "C:\Windows\system32\scrnsave.scr" # full path to screensaver file
$ScreenSaverIsSecure = 1 # set to 1 if you need a password to get out of the screensaver, a.k.a. unlocking the pc

$DesktopKey = "HKCU:\Control Panel\Desktop" # per-user key that holds the screensaver settings
# Read the key once; values that do not exist yet simply come back as $null
$Current = Get-ItemProperty -Path $DesktopKey
# These values are stored as strings (REG_SZ), so we write them with -Type String

#If the screensaver is not compliant with $ScreenSaveActive, we reset it to the preferred value
if($Current.ScreenSaveActive -ne $ScreenSaveActive)
    { Set-ItemProperty -Path $DesktopKey -Name "ScreenSaveActive" -Value $ScreenSaveActive -Type String }

#If the timeout is 0 (or missing) or larger than $TimeOutValue (1200 seconds = 20 minutes), we set it back to $TimeOutValue
[int]$Current_TimeOutValue = $Current.ScreenSaveTimeOut
if($Current_TimeOutValue -eq 0 -OR $Current_TimeOutValue -gt $TimeOutValue)
    { Set-ItemProperty -Path $DesktopKey -Name "ScreenSaveTimeOut" -Value $TimeOutValue -Type String }

#If no screensaver file is set or if the path doesn't exist anymore, we set it to the blank screensaver
$Current_ScreenSaverFile = $Current."SCRNSAVE.EXE"
if([string]::IsNullOrEmpty($Current_ScreenSaverFile) -OR (Test-Path $Current_ScreenSaverFile) -eq $false)
    { Set-ItemProperty -Path $DesktopKey -Name "SCRNSAVE.EXE" -Value $ScreenSaverFile -Type String }

#If the screensaver "lock" is not compliant with $ScreenSaverIsSecure, we reset it to the preferred value
if($Current.ScreenSaverIsSecure -ne $ScreenSaverIsSecure)
    { Set-ItemProperty -Path $DesktopKey -Name "ScreenSaverIsSecure" -Value $ScreenSaverIsSecure -Type String }

#Before our changes become active in the current Windows session, we need to run the following command more than 3 times
for ($i=1; $i -le 4; $i++)
    { rundll32.exe user32.dll, UpdatePerUserSystemParameters }
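
A read-only check of the same four values, useful for confirming after a run whether the registry actually holds compliant settings before looking at what the Settings window displays. This is an added example, not part of the original script; the function name Test-ScreenSaverCompliance, its parameters and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the original post): audit only, nothing is written.
# Function name, parameters and output shape are hypothetical.
function Test-ScreenSaverCompliance {
    param(
        # Object or hashtable holding the four values; defaults to the live per-user key
        $Settings = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'),
        # Upper bound in seconds (20 minutes), same limit as the script above
        [int]$MaxTimeOut = 1200
    )

    # The timeout is stored as text; a missing or non-numeric value must count as non-compliant
    $timeout  = 0
    $isNumber = [int]::TryParse([string]$Settings.ScreenSaveTimeOut, [ref]$timeout)
    $file     = [string]$Settings.'SCRNSAVE.EXE'

    $checks = [ordered]@{
        ScreenSaveActive    = ([string]$Settings.ScreenSaveActive -eq '1')
        ScreenSaveTimeOut   = ($isNumber -and $timeout -gt 0 -and $timeout -le $MaxTimeOut)
        'SCRNSAVE.EXE'      = ($file -ne '' -and (Test-Path -LiteralPath $file -PathType Leaf))
        ScreenSaverIsSecure = ([string]$Settings.ScreenSaverIsSecure -eq '1')
    }

    # One result row per setting, so non-compliant values can be filtered or logged
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Value     = $Settings.$name
            Compliant = $checks[$name]
        }
    }
}

# Constructed sample: a user who chose a one-hour timeout and disabled the password on resume
$sample = @{
    ScreenSaveActive    = '1'
    ScreenSaveTimeOut   = '3600'
    'SCRNSAVE.EXE'      = "$env:SystemRoot\System32\scrnsave.scr"
    ScreenSaverIsSecure = '0'
}
Test-ScreenSaverCompliance -Settings $sample | Format-Table -AutoSize

# Live check of the values in the current user's registry hive
Test-ScreenSaverCompliance | Format-Table -AutoSize
```

Run it in the user's own session, because HKCU always refers to the hive of the account that executes the check.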

 

8 Comments
Annie

This is a great script I was looking for. Thanks for sharing.
I have applied this script in two of my forests, however in one of my domains PowerShell is restricted from running due to security concerns, and I am unable to run this as I think that it will not work since PowerShell scripts are in restricted mode.
Do you have any script that works the same but in VB so that it can be applied through GPO?
Or please suggest if there is a workaround so that we can still run the PowerShell script without overriding security.

Radegonda

Nice code, but I feel there is a little error in the “1200 minutes”.
I think it’s in seconds, no?

cheers, E.R.

Dustin

Wow, amazing… thank you!

William

I’ve tried the script and it doesn’t seem to work. The script gets through all steps correctly, but then when I go into Settings, nothing has changed. If I set it to 1 hour in Settings and run the script (nothing changed, it will set it to 20 minutes), it will remain at 1 hour in Settings even if I close Settings and re-open it 5 minutes later.
