Windows Hello in Windows 10 is a biometric means of recognizing a user and authenticating them to a device using a fingerprint, secure PIN, or face recognition. If a personal or corporate device is capable of face recognition, it can be turned on by going to Settings > Accounts > Sign-in options > Windows Hello Face.
By default, Windows 10 enables the option Automatically dismiss the lock screen if Windows recognizes your face, as shown in the below image.
This means that if the camera Windows 10 is using recognizes an enrolled face, Windows automatically unlocks the screen and logs the user in without any further user intervention. This also works well when switching between users on a device where more than one face is enrolled.
However, there are times when a user or an organization wants slightly more interaction from the user before unlock and login. This simply means that once a face is recognized, the user must also press a mouse button or a key on the keyboard. The switch in the image above can be toggled off, after which that user input is required to unlock and log in.
I’ve seen a use case for this multiple times on a certain Dell 2-in-1 laptop model sitting on a desk powered on, locked, and completely untouched, whereby the screen would flicker on, the camera would enable, and if I was sitting close by and somewhat facing the camera, it would unlock. Perhaps a piece of dust with enough charge encountered the touchpad, or perhaps something within the manufacturer’s drivers or implementation caused the device to look for a face out of the blue. It could be a security risk if the person were walking away and didn’t notice.
This same behavior was occurring with other users as well, so the customer asked me for a solution, and we deployed it with Intune’s PowerShell script capability.
This tutorial provided the initial solution on how to disable the automatic lock screen dismissal using registry keys. However, it was quickly apparent that the tutorial advises the reader to modify a registry key for a single user.
Managing at Scale
Going around to every device and toggling the switch or sending a communication to users to do the same would be inefficient. Therefore, I’ve created this PowerShell script that will automate the process. The script can be deployed with Intune, Configuration Manager, Desired State Configuration, or other tools that can run PowerShell scripts locally on devices. Simply deploy this script to a user or groups of users to disable the automatic lock screen dismissal behavior and force users to press a keyboard or mouse button to obtain access to their devices henceforth.
Hopefully, this helps enable a bit more security by preventing devices near a user from unlocking inadvertently, but at the slight cost of user convenience. Perhaps consider only deploying to those device models that actually need it (if users mention it) through deployment groups, or clone and modify the script to do device model logic within.
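As an added example (this is not the author's script, which is not reproduced on this page), here is one way to apply a per-user registry setting to every profile on a device from a script that Intune, Configuration Manager or DSC runs as SYSTEM, with the optional device-model filter the paragraph above suggests. The registry key path, value name and value data are placeholders, because the page does not give them; take them from the tutorial referenced above before deploying. If the script runs in the logged-on user's context instead, it falls back to setting only that user's hive. The Win32_ComputerSystem class, the ProfileList key and reg.exe are standard Windows components; the model name in the comment is a constructed example.

```powershell
# Added example, not the author's script. Applies a per-user registry value to
# every user profile on the device so that one deployment covers all users.
# PLACEHOLDERS: this page does not state the key path, value name or data;
# fill them in from the tutorial the post refers to.
$RelativeKeyPath = 'SOFTWARE\<PLACEHOLDER_KEY_PATH_FROM_TUTORIAL>'  # relative to each user hive
$ValueName       = '<PLACEHOLDER_VALUE_NAME>'
$ValueData       = 0   # assumed "off" value; confirm against the tutorial

# Optional: only apply to models that actually exhibit the behaviour.
# Empty list = apply everywhere. Example (constructed): @('Latitude 7390 2-in-1')
$TargetModels = @()
$model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
if ($TargetModels.Count -gt 0 -and $TargetModels -notcontains $model) {
    Write-Output "Model '$model' not in scope; nothing to do."
    exit 0
}

function Set-HiveValue {
    # Creates the key if missing and writes the DWORD under the given hive root.
    param([string]$HiveRoot)   # e.g. 'Registry::HKEY_USERS\S-1-5-21-...'
    $key = "$HiveRoot\$RelativeKeyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -Value $ValueData `
        -PropertyType DWord -Force | Out-Null
}

# Running as the logged-on user (Intune "logged-on credentials" option):
# only the current user's hive is writable, so set HKCU and stop.
$isSystem = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value -eq 'S-1-5-18'
if (-not $isSystem) {
    Set-HiveValue -HiveRoot 'Registry::HKEY_CURRENT_USER'
    Write-Output "Set $ValueName=$ValueData for the current user."
    exit 0
}

# Running as SYSTEM: enumerate real user profiles (SIDs starting S-1-5-21-)
# from ProfileList and write into each hive, loading it first if the user
# is not currently logged on.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ItemProperty "$profileList\*" |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.ProfileImagePath }

foreach ($p in $profiles) {
    $sid      = $p.PSChildName
    $hiveRoot = "Registry::HKEY_USERS\$sid"
    $loadedHere = $false
    if (-not (Test-Path $hiveRoot)) {
        $ntuser = Join-Path $p.ProfileImagePath 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }
        & reg.exe load "HKU\$sid" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid"; continue }
        $loadedHere = $true
    }
    try {
        Set-HiveValue -HiveRoot $hiveRoot
        Write-Output "Set $ValueName=$ValueData for $sid"
    } finally {
        if ($loadedHere) {
            [gc]::Collect()   # release registry handles before unloading
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}

# Seed the Default profile too, so users who first log on later inherit it.
$defaultDir = (Get-ItemProperty $profileList).Default
$defaultNtuser = Join-Path $defaultDir 'NTUSER.DAT'
if (Test-Path $defaultNtuser) {
    & reg.exe load 'HKU\DefaultProfileTemp' $defaultNtuser | Out-Null
    if ($LASTEXITCODE -eq 0) {
        try   { Set-HiveValue -HiveRoot 'Registry::HKEY_USERS\DefaultProfileTemp' }
        finally { [gc]::Collect(); & reg.exe unload 'HKU\DefaultProfileTemp' | Out-Null }
    }
}
```

The SYSTEM branch is what makes a device-targeted deployment cover every user rather than only whoever happens to be logged on, which is the gap the single-user tutorial leaves. Loading a hive that is not in use and unloading it afterwards is the standard way to reach those profiles; if a hive fails to unload, a later run will simply find it already loaded and write to it directly.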
Thanks for reading!
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.