Windows 10 Machines do not auto-lock after timeout is hit.

    Question

  • Issue: all the Windows 7 machines in our domain will time out and lock the machine at a set interval, but none of the Windows 10 machines do this.

    I have a mixed environment of Windows 7 and Windows 10 desktops. We have Windows Server 2008R2 as the DC serving the GPOs and they are properly linked, and all the PCs are in the linked OU. All the screen saver settings on all the machines in our domain are locked from changing at the workstation - however I cannot find any applied GPO that explicitly states that the screen saver settings are locked out like this. In fact every setting I can find related to screen savers, lock screens, password protection of the screen savers are all Not Configured - so I am at a total loss as to how any of the machines are locking at all.
    So, first question - where is the GPO that is automatically disabling all the screen saver settings? (it does this for everyone, even those with local and domain admin rights).

    Second question: Why doesn't the lock out occur on the Windows 10 machines like they do on the Win7 machines?!

    Lastly: How do I get both Win 10 and Win 7 to play nice with these settings with GPO?

    *I find a lot of conflicting info on these questions - a lot of info written for other server types - and I don't see the group policy objects in the places I'm seeing to look.. most of what I find points to very specific GPOs needing to be enabled for any of this to work - but when I look at mine, none of these policy objects are actually configured.

    ~Thank You in advance for the assistance.

    Wednesday, November 30, 2016 9:23 PM

Answers

  • Hi,
    First of all, please run the gpresult /h command to view the report and see if the GPO which is working on Windows 7 is applied to Windows 10. And is the screensaver the same picture as the wallpaper?
    If both are the same picture and the GPO is applied, but the settings are not working on Windows 10, you could try deleting the following file on a problematic client and logging off/logging on to see if it is automatically changed then:
    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
    If it works, it might be caused by the cached wallpaper on the Windows 10 client.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 1, 2016 3:32 AM
    Moderator

All replies

  • Wendy, Thank You for the reply. 

    EDIT#2:  The "answer" was to run the Gpresult - this showed me where the other policy was coming from so I could remove it and enforce the correct policy. - Thank You Wendy!  /EDIT#2



    I did run the gpresult, and finally found the GPO object controlling this.. it was not in the default domain policy as I originally thought, but a User defined policy applied only to our Employees OU.  (I didn't set up this domain / AD and needless to say, it's a mess)

    It looks to be working and applying properly now... now I'm just awaiting a time out to see what happens.

    One quick follow up question: The GPO says that a screen saver will run if: "A valid screen saver is specified through control panel"

    What happens if on the client side this is set to "None"  - will it just go to the lock screen instead, or will nothing happen?  (no time out, no lock screen?)

    EDIT: So - to answer my own question - If your Workstation shows "none" as the screen saver - the screen saver never runs and never locks the workstation. /EDIT

    More replies to come with testing.

    • Edited by tcarterACD Friday, December 16, 2016 1:32 PM
    Thursday, December 1, 2016 1:25 PM
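
    A check for the condition described in the post above (a screen saver of "None" means the workstation never locks), as an added example that is not part of the original thread. It assumes the screen saver GPO settings are written to the standard per-user policy registry key and fall back to the user's own Control Panel values; the function name Get-EffectiveValue is hypothetical.

```powershell
# Added example: report the effective screen saver lock settings for the
# logged-on user and flag the combinations that prevent the auto-lock.
# Assumption: values set by GPO live under the Policies key and take
# precedence over the user's own Control Panel values.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
$names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Get-EffectiveValue {
    param([string]$Name)
    foreach ($key in $policyKey, $userKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # Index by name because 'SCRNSAVE.EXE' contains a dot.
            $value = $item.PSObject.Properties[$Name].Value
            return [pscustomobject]@{ Name = $Name; Value = $value; Source = $key }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'not set' }
}

$effective = @{}
foreach ($n in $names) { $effective[$n] = Get-EffectiveValue -Name $n }
$effective.Values | Sort-Object Name | Format-Table -AutoSize

$problems = @()
if ($effective['ScreenSaveActive'].Value -ne '1') {
    $problems += 'Screen saver is not enabled.'
}
if ([string]::IsNullOrWhiteSpace($effective['SCRNSAVE.EXE'].Value)) {
    $problems += 'No screen saver is selected ("None"): it never runs, so the workstation never locks.'
}
if ($effective['ScreenSaverIsSecure'].Value -ne '1') {
    $problems += 'Screen saver is not password protected: it runs but does not lock.'
}
if ([int]($effective['ScreenSaveTimeOut'].Value) -le 0) {
    $problems += 'No screen saver timeout is set.'
}

if ($problems.Count -eq 0) {
    "OK: locks after $($effective['ScreenSaveTimeOut'].Value) seconds of inactivity."
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

    A Source column pointing at the Policies key confirms the value came from a GPO; gpresult /h then shows which GPO won.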
  • Okay ... so I've "not configured" access to the screen saver - allowing the screen saver to be selected on the workstations (all other settings are greyed out appropriately). 

    Now my only question is thus : I have a screen saver I'd like to use via the GPO to specify the screen saver.
    The screen saver I want to use is not native to any of the clients I have.

    If I toss this .scr on my file server in a share; all I have to do is put the path in the GPO? (does it have to be in a share, does the scr itself have to be shared?? what about permissions?!)

    How exactly does that work? Does it run it from the server or does windows import the .scr to the local machines sys32 folder?

    Other questions : What if I want My Windows 10 machines to just lock to the lock screen at the time out as if you do the Win+L key press?  Is that the Photos Screensaver object?! Is that even possible or must it go to a screen saver first?



    • Edited by tcarterACD Thursday, December 1, 2016 2:27 PM additional ?'s
    Thursday, December 1, 2016 2:24 PM
  • ..more fun..

    Settings didn't work seemingly at all - looked at the GPO again - and decided to "enforce" it (oddly most of our policies are enabled - but not enforced...)  This allowed my own Win10 machine to finally go to the SS as desired - however other Win10 workstations still don't go to the SS at the interval (5min).

    When I gpresult on this other machine - it firstly tells me that the policy being "enforced" is a "special condition"



    When I scroll down to the area where the Screen saver info should be there is the cryptic error we've been seeing in Windows 10 when trying to edit GPOs - that the file name it's referencing is not correct, and I see no info on the screen saver settings.


    Not really sure where to go at this point...

    • Edited by tcarterACD Thursday, December 1, 2016 4:53 PM
    Thursday, December 1, 2016 4:51 PM
  • > Not really sure where to go at this point...
     
    Delete the file that the error mentions.
     
    Friday, December 2, 2016 9:25 AM
  • > Not really sure where to go at this point...
     
    Delete the file that the error mentions.

    Thank You Martin ...  but Actually... 

    To fix this error, the files ‘LocationProviderADM.admx’ and ‘LocationProviderADM.adml’ must be deleted, and the files ‘Microsoft-Windows-Geolocation-WLPAdm.admx’ & ‘Microsoft-Windows-Geolocation-WLPAdm.adml’ must be renamed ‘LocationProviderADM.admx’ and ‘LocationProviderADM.adml’ respectively.

    What they don't bother saying is that these files are completely locked away from every account but the "Trusted Installer" - I can't just delete and rename them.

    Friday, December 2, 2016 4:56 PM
  • Hi,
    ADMX and ADML files are system-protected. To rename or delete these files, you must add NTFS permissions to the files. To do this, use the following commands:
    1. Open an elevated command prompt, and then use takeown.exe to grant ownership to local administrators:
    takeown /F "C:\Windows\PolicyDefinitions\Microsoft-Windows-Geolocation-WLPAdm.admx" /A
    takeown /F "C:\Windows\PolicyDefinitions\en-US\Microsoft-Windows-Geolocation-WLPAdm.adml" /A
    2. Grant administrators Full Control permissions to both files.
    3. Rename both files with an extension of .old, and you will no longer receive the Geolocation pop-ups when you open GPEDIT.MSC.
    Please see details from: https://support.microsoft.com/en-sg/kb/3077013
    Best regards,
    Wendy


    Monday, December 5, 2016 5:34 AM
    Moderator
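
    The three steps from the reply above as one script, as an added example that is not part of the original thread or the linked KB article. It assumes an elevated PowerShell session and the two file paths given in the reply; the SID S-1-5-32-544 is the built-in Administrators group, used so the grant also works on non-English installs.

```powershell
# Added example: take ownership, grant Full Control, and rename the two
# Geolocation policy definition files to .old (steps 1-3 of the reply).
$files = @(
    'C:\Windows\PolicyDefinitions\Microsoft-Windows-Geolocation-WLPAdm.admx',
    'C:\Windows\PolicyDefinitions\en-US\Microsoft-Windows-Geolocation-WLPAdm.adml'
)

# takeown and icacls fail on system-protected files without elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

foreach ($file in $files) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Not present, skipping: $file"
        continue
    }

    # Step 1: /A assigns ownership to the Administrators group rather
    # than to the current user.
    takeown.exe /F $file /A | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $file" }

    # Step 2: grant the built-in Administrators group (by SID) Full Control.
    icacls.exe $file /grant '*S-1-5-32-544:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $file" }

    # Step 3: keep the original next to the renamed copy's name so the
    # change is easy to reverse.
    $newName = (Split-Path -Leaf $file) + '.old'
    Rename-Item -LiteralPath $file -NewName $newName

    $renamed = Join-Path (Split-Path -Parent $file) $newName
    "Renamed: $renamed (owner: $((Get-Acl -LiteralPath $renamed).Owner))"
}
```

    The script changes only the local C:\Windows\PolicyDefinitions copies named in the reply; run gpedit.msc or gpresult /h afterwards to confirm the error is gone.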
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best regards,

    Wendy



    Friday, December 9, 2016 6:07 AM
    Moderator
  • Thank You Wendy.

    We have actually resolved this - first issue was that we actually had screen saver settings enabled and linked in a higher level GPO overriding where I was setting it. Set the higher level GPO as enforced for now - since we're in the midst of re-doing our GPO / AD structure anyway.

    Thank You everyone for the ideas and assistance!

    Friday, December 16, 2016 1:30 PM
  • Hi,
    Thank you for sharing; it will be greatly helpful to others who have the same question.
    Best regards,
    Wendy


    Monday, December 19, 2016 1:34 AM
    Moderator