Enforcing lock screen after idle time Windows Server 2016 RDS Session Host


Case

A customer had a XenApp environment based on Windows Server 2008 R2 which needed to be upgraded to all the latest versions. This included the server OS used in the XenApp workers.

One of the requirements this customer had was that the session was locked (lock screen) automatically after a certain period of time. For this customer it was not an option to handle this on the client device. They had a BYOD policy, no company managed devices, and they did not want to enforce policies in any way on those devices.

Problem

In Windows Server 2008 R2 you could use the Group Policy Objects (GPOs) for this, and more specifically, in the settings found in User Configuration – Policies – Administrative Templates – Control Panel – Personalization.
Here you’ll find the settings related to the Screensaver options. Easypeasy, force the blank screensaver, set a timeout, require password.

In comes Windows Server 2016 and the related .admx files.
If you check the same settings in those GPOs, you’ll find them changed.

[Screenshots sttl-01 to sttl-04: the screensaver settings under Control Panel – Personalization in the Windows Server 2016 .admx templates, each marked as obsolete.]
So, the settings are obsolete, in other words, do not use them.
The Notes on these settings suggest using the power options instead, but I didn’t have much luck configuring the individual user’s power settings in server-based computing (virtual desktop) environments. Not so easypeasy anymore.

Solution

I grabbed Visual Studio and created a little program that will lock the user’s session screen after a certain amount of idle time.

It uses native Windows DLLs to query the user’s idle time and to lock the session screen.
It is a single executable file built on the .NET Framework, so it will work on any Windows Server operating system.

Usage:
In the user’s context, start the executable with a single command line argument (parameter) defining the maximum idle time in seconds before the user’s screen will be locked.

<path to>\SetIdleTimeToLock.exe [<idle time allowed in seconds>]

If you do not provide a maximum idle time in seconds, the executable defaults to 10 minutes (600 seconds).
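As an added example, and not the source of the author’s SetIdleTimeToLock.exe (which was not published), here is a minimal C# console program that does what the post describes: it reads the session’s idle time through User32.dll, locks the session through User32.dll, and surfaces Win32 error codes as exceptions. The class name IdleLocker, the usage string and the one-day upper bound on the argument are my assumptions; the Win32 calls (GetLastInputInfo, LockWorkStation, GetTickCount) are the documented APIs.

```csharp
// Added example, not the author's tool. Locks the current interactive session once no
// keyboard or mouse input has been seen for N seconds (default 600, as in the post).
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;

static class IdleLocker
{
    [StructLayout(LayoutKind.Sequential)]
    private struct LASTINPUTINFO
    {
        public uint cbSize;
        public uint dwTime;   // tick count (ms) of the last input event in this session
    }

    // User32: idle-time query and session lock. SetLastError=true lets the CLR capture
    // the Kernel32 GetLastError value for Marshal.GetLastWin32Error().
    [DllImport("user32.dll", SetLastError = true)]
    private static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

    [DllImport("user32.dll", SetLastError = true)]
    private static extern bool LockWorkStation();

    // Kernel32: current tick count, same clock base as LASTINPUTINFO.dwTime.
    [DllImport("kernel32.dll")]
    private static extern uint GetTickCount();

    // Milliseconds since the last input in the calling user's session (per-session, not
    // system-wide). Unsigned subtraction stays correct after the 49.7-day tick wrap.
    public static uint IdleMilliseconds()
    {
        var info = new LASTINPUTINFO { cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO)) };
        if (!GetLastInputInfo(ref info))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return unchecked(GetTickCount() - info.dwTime);
    }

    // Locks the session; throws with the Win32 error code when the call is refused
    // (for example because the session is already locked).
    public static void Lock()
    {
        if (!LockWorkStation())
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    static int Main(string[] args)
    {
        int idleSeconds = 600;  // default from the post: 10 minutes
        if (args.Length > 0 &&
            (!int.TryParse(args[0], out idleSeconds) || idleSeconds <= 0 || idleSeconds > 86400))
        {
            Console.Error.WriteLine("usage: IdleLocker.exe [<idle time allowed in seconds>]");
            return 2;
        }
        uint limitMs = (uint)idleSeconds * 1000u;

        // Poll once per second. After locking, stay disarmed until fresh input is seen, so an
        // already-locked session is not hit with repeated (failing) LockWorkStation calls.
        bool armed = true;
        while (true)
        {
            uint idle = IdleMilliseconds();
            if (armed && idle >= limitMs)
            {
                try { Lock(); }
                catch (Win32Exception e) { Console.Error.WriteLine("LockWorkStation failed: " + e.Message); }
                armed = false;
            }
            else if (!armed && idle < limitMs)
            {
                armed = true;   // the user produced input again (typically after unlocking)
            }
            Thread.Sleep(1000);
        }
    }
}
```

Two design points worth knowing before deploying something like this: GetLastInputInfo only reports input for the session that calls it, so the program must run inside each user’s session (a logon script or a WEM external task, as the post suggests), and LockWorkStation is refused when the session is already locked, which is why the loop re-arms only after new input rather than calling it every second. Build it with the Windows Application output type if you do not want a console window to appear at logon.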

Examples:
You can reference the executable in a user logon script and define the maximum idle time as a parameter:
[Screenshot sttl-05: a user logon script calling the executable with the maximum idle time as its parameter.]

In Citrix you can use WEM to create an external task, also defining the maximum allowed idle time as a parameter:
[Screenshot sttl-06: a WEM external task starting the executable with the maximum idle time as its parameter.]
Or simply use whatever solution you have in place for this.

Here’s a screenshot of a demo environment with 5 users logged on:
[Screenshot sttl-07: demo environment with 5 users logged on.]
User 1 has just unlocked his screen.
User 2 is in a screen locked state for about 30 minutes.
User 3 and User 4 have just entered the lock state.
User 5 just logged on.

Q&A

You say you grabbed Visual Studio to create the executable. What language was the executable programmed in?
I used a C# Windows Forms application template in Visual Studio 2017.

What DLLs do you reference in your code, since you mentioned you referenced native Windows DLLs?
I’m referencing User32.dll for the actual screen locking and for checking the user’s idle time. I also reference Kernel32.dll to retrieve and throw any errors raised by those two functions.

Have you tested this? In production environments?
Yes, but only with a maximum of 15 users so far. I’m running it in my own labs which I use with multiple users frequently and have not encountered any issues yet.

Can I have the source code?
No.
You can download the executable in the TechNet gallery.
Update (March 17th 2021): TechNet gallery, r.i.p. For now you can find the download in my personal OneDrive here.

Until next time,
Arjan Mensch

https://paypal.me/ArjanMensch
BTC: 1AiAL6QDbfNPiduYYEoy3iNS2m6UKJW2He
LTC: Lf52uAJiCRQtiegJyKqVvoh4FuvwMkHPae
DSH: XnRGpf2v36F5iDT5uFaq7DsHPFF435EPmT
ETH: 0x096a12424e991696ad21cfc0e0f3749ab4f8ce1b
XMR: 49UCmvAYNxB3voEVbfL8KDENwcg9SE9PeY5jU8YCaHMuLXHapRmfhgHWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3xumqCq

30+ years experience in Microsoft powered environments. Enjoy automating stuff using powershell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.

Posted in Remote Desktop, Tools, Windows 2016
12 comments on “Enforcing lock screen after idle time Windows Server 2016 RDS Session Host”
  1. Grant Jennings says:

    The easiest method is to use Group Policy. Starting with Windows Server 2012/Windows 8 and above you can enable the “Interactive logon: Machine inactivity limit” and set a time in seconds, I generally set this to 900 (15 minutes). This can be found under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options”.

  2. Denis says:

    Arjan – thank you, this worked very easily for us.
    2016 RDSH / Win10 look and feel.

    I deployed the Execute .exe via AppSense at login. (I did not have a “run hidden” field but nothing appears anyway.)

    thanks mate

  3. Hannes says:

    Hi

    It doesn’t seem to work for me. The executable is running in the background, but no lock after 10 min (default settings). I do this with GPO and user logon (same as your example).
    I have Citrix XenApp 7.15 with Windows Server 2016.

    I don’t see what is going wrong.

    Any tips?

    Thanks

    • Arjan Mensch says:

      Hi Hannes.
      The executable reads the idle time using the system’s DLLs. I can only imagine that there’s another process in the user context that is preventing the session from being idle.

  4. maxpeen says:

    Is it not so that in the (latest) updates it is ‘enabled’ again? (I don’t see it as not active, as shown in your screenshots.)

  5. loran2013 says:

    Microsoft made an aggregation / confusion between the lock screen and the power-off screen. Powering off the screen is nonsense in an RDSH environment, screen power being driven on the client side.

    The result of that bad design is that the user setting for the lock screen is governed by the computer setting and can’t be changed by regular users for their own preferences.

    My workaround is to come back to the good old “screen-saver” although stamped as deprecated.

    – Lock screen :

    Computer/Security settings/Local Policy / security options /interactive logon machine activity limit : 0.

    – Screen Saver :

    Users/Administrative Templates/Ctrl Panel/Personalization/Enable screen saver : enabled

    Users/Administrative Templates/Ctrl Panel/Personalization/Force specific screen saver : scrnsave.scr (This is the blank screen saver. You don’t want “bubbles” or alike eating your bandwidth and CPU / GPU)

    Users/Administrative Templates/Ctrl Panel/Personalization/Password protect the screen saver : enabled

    To configure a new default “Wait” time

    Users/Preferences/Windows settings/registry/ Add

    HKEY_CURRENT_USER\Control Panel\Desktop

    Reg_SZ : ScreenSaveActive

    You may set “Apply once and do not re-apply” to allow users to change it.

  6. RickR says:

    We have tried both options above, but we get inconsistent behavior. We see a screen flash but the screen does not lock. We believe there is some process active not allowing the setidlelock.exe to work consistently. And the deprecated policies from Microsoft still produce a flash and not a lock… if anyone has come up with a solution for this we are all ears. Thanks

  7. Steph Simpson says:

    Any chance you still have this tool? Doesn’t seem to be on the TechNet Gallery anymore and I have all sorts of issues configuring idle session timeouts for users that have session roaming from internal to external and vice versa.

  8. Steph Simpson says:

    Arjan, nice little tool you built. One question… would you be able to change the lock to a disconnect instead? That would be extremely helpful!!
    thanks,
    Steph
