Posey's Tips & Tricks
How To Dynamically Lock Down an Unattended Windows 10 PC
One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).
One of the biggest security risks in nearly any organization happens when a user walks away from their PC without either locking the console or logging out.
Of course, there are any number of mechanisms that exist for automatically locking a PC. One of the earliest examples was the password-protected screensaver. Unfortunately, most of the automatic locking mechanisms are time-based: They automatically engage after a period of inactivity.
There are a couple of problems with this. First, if a user does walk away from their PC, it may be several minutes before the console is locked, giving others ample opportunity to access the machine before the lock engages. The other problem is that the locks can engage while the user is still sitting at their desk. There are few things more infuriating than having a PC automatically lock while you are in the middle of reading a long document.
Windows 10's dynamic lock feature solves both of these problems. Rather than engaging the lock screen after a period of inactivity, it taps a user's mobile device as a proximity sensor. The PC is tied to the user's device via Bluetooth. Whenever the user steps out of range, the PC detects the absence of the device and locks the console.
Obviously, this method isn't perfect. A user might step away but not go far enough to be out of Bluetooth range, for instance. Even so, I consider dynamic lock to be a far more appealing option than conventional locking mechanisms.
To enable Windows 10's dynamic lock feature, click on the Start button, followed by the Settings button. Once you arrive at the Settings screen, click on Devices. The Devices screen shows you a list of all of the Bluetooth devices that are paired to the PC. You can see what this looks like in Figure 1.
Before you can enable the dynamic lock feature, you will need to pair a phone to the PC (assuming that it has not already been paired). To do so, click on the Add Bluetooth or Other Devices link, shown at the top of Figure 1 above. At this point, you will see a prompt asking what type of device you want to add. Click on the Bluetooth option, shown in Figure 2.
This will put the PC into Bluetooth pairing mode. Now, put your phone into Bluetooth pairing mode and allow it to detect your Windows 10 PC. Complete the Bluetooth pairing process and your phone should be displayed on the PC's list of Bluetooth devices.
Once the pairing process is complete, you can go ahead and enable the dynamic lock feature. To do so, go back to the Windows Settings screen and then click on Accounts, followed by Sign in Options. You can see what the Sign in Options screen looks like in Figure 3.
As you can see in Figure 3 above, Windows 10 provides a wide variety of sign-in options. Assuming that your PC has the necessary hardware, you can log in using facial recognition, a fingerprint or even a picture password.
If you look at the very bottom of the screen capture above, you can see that this same screen also displays a dynamic lock option. To enable dynamic lock, simply click on the checkbox labeled "Allow Windows to automatically lock your device when you're away."
Once you have selected this checkbox, the dynamic lock feature is enabled. Now, if you step away from your PC (and take your phone with you), Windows will lock the PC as soon as you are out of Bluetooth range.
In the interest of full disclosure, I work out of my home, so I don't use the dynamic lock feature in my production environment. There is nobody around who would bother my PC, so there is no need for me to lock it while I am at home. Even so, I have worked with dynamic lock in other environments.
My experience has always been that dynamic lock is really responsive. The feature seems to lock Windows as soon as the user gets out of Bluetooth range. According to the Microsoft documentation, however, it can take a minute or more for the lock to actually engage. Even so, I have never actually seen the locking process take that long.
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.