Enforcing lock screen after idle time Windows Server 2016 RDS Session Host


Case

A customer had a XenApp environment based on Windows Server 2008 R2 which needed to be upgraded to all the latest versions. This included the server OS used in the XenApp workers.

One of the requirements this customer had was that the session was locked (lock screen) automatically after a certain period of time. For this customer it was not an option to handle this on the client device. They had a BYOD policy, no company managed devices, and they did not want to enforce policies in any way on those devices.

Problem

In Windows Server 2008 R2 you could use Group Policy Objects (GPOs) for this, specifically the settings found in User Configuration – Policies – Administrative Templates – Control Panel – Personalization.
Here you’ll find the settings related to the Screensaver options. Easypeasy, force the blank screensaver, set a timeout, require password.

In comes Windows Server 2016 and the related .admx files.
If you check the same settings in those GPOs, you’ll find them changed.

[Screenshots: sttl-01, sttl-02, sttl-03, sttl-04]

So, the settings are obsolete, in other words, do not use them.
The Notes on these settings suggest using the power options, but I didn’t have much luck configuring the individual user’s power settings in server based computing (virtual desktop) environments. Not so easypeasy anymore.

Solution

I grabbed Visual Studio and created a little program that will lock the user’s session screen after a certain amount of idle time.

It uses native Windows DLLs to query the user idle time and to lock the session screen.
It is a single executable file built on the .NET Framework, so it will work on any Windows Server operating system.

Usage:
In the user’s context, start the executable with a single command line argument (parameter) defining the maximum idle time in seconds before the user’s screen will be locked.

<path to>\SetIdleTimeToLock.exe [<idle time allowed in seconds>]

If you do not provide a maximum idle time in seconds, the executable defaults to 10 minutes (600 seconds).
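
The approach described above, as an added example: this is not the source of SetIdleTimeToLock.exe, which the author has not published. It assumes the two User32 functions involved are GetLastInputInfo and LockWorkStation; the class name IdleLock and the 5-second polling interval are choices made for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;

// Added example (not the author's code): locks the caller's session after N idle seconds.
static class IdleLock
{
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }

    // Session-specific: reports the last input tick for the calling session only,
    // which is what makes a per-user instance work on a multi-user session host.
    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool LockWorkStation();

    static uint LastInputTick()
    {
        var lii = new LASTINPUTINFO { cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO)) };
        if (!GetLastInputInfo(ref lii)) throw new InvalidOperationException("GetLastInputInfo failed");
        return lii.dwTime;
    }

    static int Main(string[] args)
    {
        uint maxIdleSeconds = 600; // same default as the tool described on this page
        if (args.Length > 0 && (!uint.TryParse(args[0], out maxIdleSeconds) || maxIdleSeconds == 0))
        {
            Console.Error.WriteLine("Usage: IdleLock.exe [<idle time allowed in seconds>]");
            return 1;
        }
        bool locked = false; uint lockedAtTick = 0;
        while (true)
        {
            uint last = LastInputTick();
            // Unsigned subtraction stays correct when the 32-bit tick counter wraps (about 49.7 days).
            uint idleMs = unchecked((uint)Environment.TickCount - last);
            if (locked && last != lockedAtTick) locked = false; // new input seen: re-arm
            if (!locked && idleMs >= (ulong)maxIdleSeconds * 1000)
            {
                if (!LockWorkStation()) throw new Win32Exception(Marshal.GetLastWin32Error());
                locked = true; lockedAtTick = last; // lock once per idle period, not every poll
            }
            Thread.Sleep(5000);
        }
    }
}
```

A process started in the user's context can be ended by that user, so confirm in a test session that the lock actually fires and that the process is still running when it should.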

Examples:
You can reference the executable in a user logon script and define the maximum idle time as a parameter:
[Screenshot: sttl-05]

In Citrix you can use WEM to create an external task, also defining the maximum allowed idle time as a parameter:
[Screenshot: sttl-06]
Or simply use whatever solution you have in place for this.

Here’s a screenshot of a demo environment with 5 users logged on:
[Screenshot: sttl-07]
User 1 has just unlocked his screen.
User 2 is in a screen locked state for about 30 minutes.
User 3 and User 4 have just entered the lock state.
User 5 just logged on.

Q&A

You say you grabbed Visual Studio to create the executable. What language was the executable programmed in?
I used a C# Windows Forms application template in Visual Studio 2017.

What DLLs do you reference in your code, since you mentioned you referenced native Windows DLLs?
I’m referencing User32.dll for the actual screen locking and for checking user idle time. I also reference Kernel32.dll to throw any errors caused by those two functions.

Have you tested this? In production environments?
Yes, but only with a maximum of 15 users so far. I’m running it in my own labs which I use with multiple users frequently and have not encountered any issues yet.

Can I have the source code?
No.
You can download the executable in the TechNet gallery.

Until next time,
Arjan Mensch

 


25+ years experience in Microsoft powered environments. Enjoy automating stuff using powershell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.

Posted in Remote Desktop, Tools, Windows 2016
6 comments on “Enforcing lock screen after idle time Windows Server 2016 RDS Session Host”
  1. Grant Jennings says:

    The easiest method is to use Group Policy. Starting with Windows Server 2012/Windows 8 and above you can enable the “Interactive logon: Machine inactivity limit” and set a time in seconds, I generally set this to 900 (15 minutes). This can be found under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options”.

  2. Denis says:

    Arjan – thank you, this worked very easily for us.
    2016 RDSH / Win10 look and feel.

    I deployed the Execute .exe via Appsense at login. (I did not have a “run hidden” field but nothing appears anyway.)

    thanks mate

  3. Hannes says:

    Hi

    It doesn’t seem to work for me. The executable is running in the background. But no lock after 10 min. (Default settings) I do this with GPO and user logon (same as your example)
    I have a Citrix XenApp 7.15 with Windows Server 2016.

    I don’t see what is going wrong.

    Any tips?

    Thanks

    • Arjan Mensch says:

      Hi Hannes.
      The executable reads the idle time using the system’s DLLs. I can only imagine that there’s another process in the user context that is preventing the session from being idle.

  4. maxpeen says:

    is it not so that in the (latest) updates it is ‘enabled’ again (I don’t see it is not active as shown in your screenshots).
