We stumbled upon an issue regarding the (modern) sleep function in Windows 10 and 11. What happens is this: after putting the device in sleep mode you would expect it to ask for credentials when it wakes up. Think again: the device came back without asking for a password. After some investigating we found out that the logon screen only appeared after 15 minutes, which is what we expected to happen immediately.
Is there a policy to lock the device in sleep mode?
What do we know about the set of policies we have been using for a while now? We want to follow Microsoft's best practices for securing our devices, so we use the Security Baselines under Endpoint Security in Endpoint Manager. We are using the Security Baseline for Windows 10 and later, version November 2021.
What are the settings for sleep in the Security Baseline policy?
We left the Power settings at their defaults, which look like the picture below:
Require password on wake while plugged in: This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
First conclusion?
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. This should do the trick, but on several tenants and devices it doesn't do anything: the prompt only appears 15 minutes after the sleep state. So we had to take this a step further to resolve it.
NOTE: you also need to ask yourself whether this setting is needed in your environment for the users or not. In our environments it is not up for discussion: it is needed.
How do we get the sleep settings working the way we want again?
Because we want the password prompt immediately after coming out of sleep mode, we had to find a solution for this issue. We did some searching and found the following setting:
If you've been away, when should Windows require you to sign in again? The options are Every time, 1 minute, 3 minutes, 5 minutes and 15 minutes.
This was not greyed out and was set to 15 minutes; in our opinion this is the setting we wanted to get to the Every time state. This can be done via a registry file we found, but that's not the way we want to set it: we prefer to do this via the Settings Catalog, so we went a few steps further. We used Regshot to get some more info about what's going on in the backend and came to the following settings.
Settings Catalog items
In the Settings Catalog we want to set the following:
Allow users to select when a password is required when resuming from connected standby
This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device’s screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. If you disable this policy setting, a user cannot change the amount of time after the device’s screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. If you don’t configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device’s screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. If you don’t configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device’s screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose.
Create the Settings Catalog profile
Go to the Endpoint Manager portal, click Devices, then Configuration profiles, and click the + sign to create a profile.
Set Platform to Windows 10 and later and Profile type to Settings Catalog (for now still in preview), then click Create.
Fill in a name and, if you want, a description, and click Next.
Click + Add settings; the settings picker will appear.
Search for Allow users to select when a password is required when resuming from connected standby and follow steps 1-4 below.
Click the X. The setting is now listed on the configuration tab where you set its value; leave it on Disabled.
Click Next, give it an assignment, review it and create the policy.
Conclusion
After applying the Settings Catalog policy, If you've been away, when should Windows require you to sign in again? was greyed out and set to Every time (with the message that security policies on this PC are preventing some options from being shown).
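To verify that a device actually ended up in this state (rather than trusting the Settings app screenshot), the following PowerShell audit script is an added example and is not part of the original post. It assumes that AllowDomainDelayLock under Policies\System is the registry value behind the "Allow users to select when a password is required when resuming from connected standby" policy (0 = Disabled) and that DelayLockInterval under HKCU\Control Panel\Desktop (seconds, 0 = Every time) is the per-user value behind "If you've been away, when should Windows require you to sign in again?"; the power-plan check uses powercfg's CONSOLELOCK alias for "Require a password on wakeup".

```powershell
# Added audit script (not from the original post). Reports the three values that
# decide whether Windows asks for a password after sleep / connected standby.
# Assumed mappings: AllowDomainDelayLock (0 = policy Disabled) and
# DelayLockInterval (seconds, 0 = "Every time"); CONSOLELOCK = require password on wake.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent => policy "not configured" / user never changed it
}

function Get-ConsoleLockIndex {
    # Reads the current "Require a password on wakeup" index (1 = yes) for AC or DC.
    param([ValidateSet('AC','DC')][string]$Power)
    $out  = powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK 2>$null
    $line = $out | Where-Object { $_ -match "Current $Power Power Setting Index" } |
            Select-Object -First 1
    if ($line -and $line -match '0x([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    return $null
}

function Test-SleepLockState {
    $allowDelay = Get-RegValue $PolicyKey 'AllowDomainDelayLock'
    $interval   = Get-RegValue $UserKey   'DelayLockInterval'
    $acLock     = Get-ConsoleLockIndex 'AC'
    $dcLock     = Get-ConsoleLockIndex 'DC'

    # Desired end state from the post: policy Disabled (0), user choice "Every time" (0),
    # and "Require password on wake" enabled (index 1) on both AC and DC.
    $findings = @()
    if ($allowDelay -ne 0) { $findings += "AllowDomainDelayLock is '$allowDelay' (expected 0 / Disabled)" }
    if ($null -ne $interval -and $interval -ne 0) { $findings += "DelayLockInterval is $interval s (expected 0 / Every time)" }
    if ($acLock -ne 1) { $findings += "Require password on wake (AC) index is '$acLock' (expected 1)" }
    if ($dcLock -ne 1) { $findings += "Require password on wake (DC) index is '$dcLock' (expected 1)" }

    [pscustomobject]@{
        AllowDomainDelayLock    = $allowDelay
        DelayLockIntervalSec    = $interval
        RequirePasswordOnWakeAC = $acLock
        RequirePasswordOnWakeDC = $dcLock
        Compliant               = ($findings.Count -eq 0)
        Findings                = $findings
    }
}

Test-SleepLockState | Format-List
```

Run it in the context of the signed-in user on a device that has synced the policy; a non-empty Findings list tells you which of the three layers (policy, user choice, power plan) still allows a wake without a password.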