We're trying to disable the ability of users to just Lock the Computer... we want them to either shut down or hibernate.
I've created a simple script that does this on two Windows 7 machines:
Set Registry Path HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation of datatype REG_DWORD to value 1
This has worked on a Windows 7 VM machine and one other physical machine.
On all others I get this in the log:
ERROR: setRegistryValue() failed to write registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
Am I missing something obvious? The error does exactly tell me the "why".
You may get that error if you run a script without a user logged in.
IMO, the best way is to do this via GPO, not a registry hack.
EDIT: To add, hibernation is a POS - let them sleep the PC instead. We disable it so we don't have to worry about hiberfil.sys files eating hard drive space, plus that's another thing to worry about when backing up.
What's the benefit of this? Just curious.
Thanks Dan. Because of PHI and HIPAA regulations both Locking and Sleeping are not allowed: PGP won't activate for a login prompt except from Hibernation and boot up.
I wouldn't have a clue how to add this as a policy though I see the option in gpedit.msc. If anyone could shed light on this piece I'd be most grateful.
Maybe this site will help you.
Can you please let me know where you obtained the fact that PHI and HIPAA forbid workstation locking and sleeping? I deal a lot with HIPAA and don't recall ever seeing this as a "must" or as a recommendation.
Or are you saying that just because PGP won't work from a sleep state that it is not PHI/HIPAA compliant?
Hi, Dan. The latter.
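
An added example, not posted by anyone in this thread: a PowerShell sketch of the registry approach that accounts for the "no user logged in" case raised above. It writes DisableLockWorkstation into each loaded user hive under HKEY_USERS instead of HKEY_CURRENT_USER and reads the value back. The function name and output columns are illustrative, and it assumes the script runs elevated (administrator or SYSTEM, for example from a deployment agent).

```powershell
# Added example. Function name and output shape are illustrative, not from the thread.
# Assumes an elevated context (administrator or SYSTEM, e.g. a deployment agent).
function Set-DisableLockWorkstation {
    param([int]$Value = 1)   # 1 = lock disabled, 0 = lock allowed

    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $name   = 'DisableLockWorkstation'

    # Loaded per-user hives appear under HKEY_USERS as account SIDs (S-1-5-21-...).
    # The anchored pattern skips .DEFAULT, service accounts and the *_Classes hives.
    $sids = @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { $_.PSChildName })

    if ($sids.Count -eq 0) {
        # Nobody is logged on, so there is no user hive to write to.
        Write-Warning 'No interactive user hive is loaded; nothing was written.'
        return
    }

    foreach ($sid in $sids) {
        $key = "Registry::HKEY_USERS\$sid\$subKey"
        $result = New-Object PSObject -Property @{ Sid = $sid; Written = $false; Error = $null }
        try {
            # Create the key only when missing: New-Item -Force on an existing
            # registry key can recreate it and discard the values already there.
            if (-not (Test-Path -Path $key)) {
                New-Item -Path $key -Force -ErrorAction Stop | Out-Null
            }
            New-ItemProperty -Path $key -Name $name -Value $Value -PropertyType DWord -Force -ErrorAction Stop | Out-Null
            # Read the value back rather than trusting the write call.
            $read = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
            $result.Written = ($read -eq $Value)
        }
        catch {
            # Surfaces the reason (for example access denied) that a bare
            # "failed to write registry value" message hides.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

Set-DisableLockWorkstation | Format-Table Sid, Written, Error -AutoSize
```

Hives are only loaded for users with an active session, so accounts that log on later are not covered by a one-time run; a GPO, as suggested above, applies the setting at each logon.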