How to List Screenlock Status Across All Windows Devices

Using Kolide, you can easily view and query Windows Screenlock Status across your fleet.

Introduction

Windows has a security feature which allows your device to lock and require a password after a period of inactivity. It consists of several interrelated toggles from separate control panels which together determine when an idle Windows device will require a password:

  • Power Options
  • Screen Saver Settings
  • Sign-in options

This inventory captures all of these controls to give a big-picture view of the screenlock settings on a device. The configuration of a safe screenlock policy helps prevent unauthorized access to your device if it is left unattended.

What Windows Screenlock Status Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Windows Screenlock Status from Windows devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Windows Screenlock Status Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

device_sleep_idle_ac Bigint

The amount of time in seconds the device must be idle while connected to power before the screen turns off based on the effective value after considering the GPO and user's settings

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never sleep when connected to A/C power

device_sleep_idle_battery Bigint

The amount of time in seconds the device must be idle while running on battery power before the screen turns off based on the effective value after considering the GPO and user's settings

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never sleep when running on battery power

device_user_id Foreign Key

The Device User associated with the entry

gpo_device_sleep_idle_ac Bigint

The amount of time in seconds the device must be idle while connected to power before the screen turns off based on Group Policy preferences

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never sleep when connected to A/C power

gpo_device_sleep_idle_battery Bigint

The amount of time in seconds the device must be idle while running on battery power before the screen turns off based on Group Policy preferences

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never sleep when running on battery power

gpo_requires_password_on_wake_ac Boolean

true if Group Policy requires the device to prompt for a password when it is woken up while connected to power.

false if Group Policy requires the device to NEVER prompt for a password when it is woken up while connected to power.

gpo_requires_password_on_wake_battery Boolean

true if Group Policy requires the device to prompt for a password when it is woken up while running on battery power.

false if Group Policy requires the device to NEVER prompt for a password when it is woken up while running on battery power.

gpo_screensaver_idle Bigint

The amount of time in seconds the device must be idle before it activates the screensaver based on Group Policy preferences.

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never activate the screensaver based on this user-based preference

gpo_screensaver_lock_enabled Boolean

true if Group Policy requires the screensaver to prompt for a password when the screensaver is dismissed; otherwise false.

lid_close_action_ac Enum::Text

Describes how a Windows laptop device behaves when the lid is closed and the device is connected to power.

Can be one of the following:

  • Nothing
  • Sleep
  • Hibernate
  • Shut Down

lid_close_action_battery Enum::Text

Describes how a Windows laptop device behaves when the lid is closed and the device is running on battery.

Can be one of the following:

  • Nothing
  • Sleep
  • Hibernate
  • Shut Down

max_device_sleep_idle Bigint

The amount of time in seconds the device must be idle before it sleeps.

The value here is the "worst case" scenario between the A/C and battery settings (if the device has a battery). For example, if a device is on A/C power and your device takes 900 seconds to sleep, but on battery power it only takes 300 seconds to sleep, the value in this column will be 900.

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never activate the screensaver or sleep

requires_password_on_wake_ac Boolean

true if the "When PC wakes up from sleep" option is selected under the "Require sign-in" header in "Sign-in options", or Group Policy requires the device to prompt for a password when it is woken up while connected to power.

false if the option is set to "Never" or this feature is disabled when the device is connected to power, or Group Policy requires the device to NEVER prompt for a password when it is woken up while connected to power.

requires_password_on_wake_battery Boolean

true if the "When PC wakes up from sleep" option is selected under the "Require sign-in" header in "Sign-in options", or Group Policy requires the device to prompt for a password when it is woken up while running on battery power.

false if the option is set to "Never" or this feature is disabled when the device is connected to power, or Group Policy requires the device to NEVER prompt for a password when it is woken up while running on battery power.

screensaver_idle Bigint

The amount of time in seconds the device must be idle before it activates the screensaver based on the effective value after considering the GPO and user's settings

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never activate the screensaver based on this user-based preference

screensaver_lock_enabled Boolean

true if the "On resume, display logon screen" setting is checked under the Security and Privacy pane in the Screen Saver Settings panel, or Group Policy requires the screensaver to prompt for a password when the screensaver is dismissed; otherwise false.

user_device_sleep_idle_ac Bigint

The amount of time in seconds the device must be idle while connected to power before the screen turns off based on the User's settings

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never sleep when connected to A/C power

user_device_sleep_idle_battery Bigint

The amount of time in seconds the device must be idle while running on battery power before the screen turns off based on the user's settings

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never sleep when running on battery power

user_requires_password_on_wake_ac Boolean

true if the "When PC wakes up from sleep" option is selected under the "Require sign-in" header in "Sign-in options".

false if the option is set to "Never" or this feature is disabled when the device is connected to power.

user_requires_password_on_wake_battery Boolean

true if the "When PC wakes up from sleep" option is selected under the "Require sign-in" header in "Sign-in options".

false if the option is set to "Never" or this feature is disabled when the device is running on battery power.

user_screensaver_idle Bigint

The amount of time in seconds the device must be idle before it activates the screensaver based on the user's preferences.

Special Values:

  • 9223372036854775807 - (MAX INT) - Device will never activate the screensaver based on this user-based preference

user_screensaver_lock_enabled Boolean

true if the "On resume, display logon screen" setting is checked under the Security and Privacy pane in the Screen Saver Settings panel; otherwise false.

username Text

The username of the user account with which the screenlock settings are associated.

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect Windows Screenlock Status?

Understanding the state and verifying the desired configuration of screenlock is a critical compliance requirement for many IT & Security teams.

A device with an insecure screenlock configuration is at higher risk of unauthorized access and compromise.
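The following is an added example, not Kolide's own code: it audits exported rows of this inventory using the effective columns from the schema above and treats the MAX INT sentinel as "never". The two-path lock model, the 900-second policy threshold, the sample rows, and the assumption that both password-on-wake columns are populated are all assumptions made for illustration.

```python
NEVER = 9223372036854775807  # MAX INT sentinel from the schema: setting never fires

def seconds_until_locked(row):
    """Idle seconds before a password is demanded, or None if that never happens.

    Assumed model (not Kolide's): the device locks through whichever of two
    paths fires first, the screensaver or sleep.
    """
    paths = []
    # Screensaver path: a finite timeout plus "On resume, display logon screen".
    if row["screensaver_lock_enabled"] and row["screensaver_idle"] != NEVER:
        paths.append(row["screensaver_idle"])
    # Sleep path: max_device_sleep_idle is the worst case of A/C and battery,
    # so a password must be required on wake in both power states.
    wake_locked = (row["requires_password_on_wake_ac"]
                   and row["requires_password_on_wake_battery"])
    if wake_locked and row["max_device_sleep_idle"] != NEVER:
        paths.append(row["max_device_sleep_idle"])
    return min(paths) if paths else None

def audit(rows, max_idle_seconds=900):
    """Return (device_name, username, reason) for rows that break the policy."""
    findings = []
    for row in rows:
        idle = seconds_until_locked(row)
        if idle is None:
            findings.append((row["device_name"], row["username"], "never locks"))
        elif idle > max_idle_seconds:
            findings.append((row["device_name"], row["username"], f"locks after {idle}s"))
    return findings

def _row(name, user, ss_idle, ss_lock, sleep_idle, pw_ac, pw_batt):
    return {"device_name": name, "username": user, "screensaver_idle": ss_idle,
            "screensaver_lock_enabled": ss_lock, "max_device_sleep_idle": sleep_idle,
            "requires_password_on_wake_ac": pw_ac,
            "requires_password_on_wake_battery": pw_batt}

# Constructed sample rows, shaped like an export of this inventory.
SAMPLE_ROWS = [
    _row("WS-001", "alice", 600, True, 900, True, True),
    _row("WS-002", "bob", NEVER, True, 1800, True, True),
    _row("WS-003", "carol", 300, False, NEVER, True, True),
    _row("WS-004", "dave", 300, False, 600, True, False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

Rows such as WS-004 show why a short idle timeout alone is not enough: the device sleeps after 600 seconds but wakes without a password on battery, so it is reported as never locking.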

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

No personally identifiable or sensitive data is collected or transmitted as part of this Inventory.

When you use Kolide to list Windows Screenlock Status data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
