Intune: Interactive Logon Machine Inactivity Limit (15 Minutes)

💼 Management Summary

Machine inactivity limit = automatic screen lock after a period of idle time. Recommendation: at most 900 seconds (15 minutes), and never 0 (0 disables the lock).

Recommendation: IMPLEMENT
Risk without this control: Medium
Risk score: 6/10
Implementation effort: 2 h (technical: 1 h)
Applies to:
✓ Windows 10
✓ Windows 11

The inactivity timeout is a physical-security control. Attack: a user steps away from the desk leaving the PC unlocked → an attacker walks up → full access under the user's identity (read e-mail, steal files, install malware). Defense: auto-lock after 15 minutes of inactivity → the attacker finds a locked screen → no access. Balance: too short (5 min) causes user frustration (constant re-authentication); too long (30+ min) leaves a large window for physical-access attacks. CIS requires 900 seconds (15 min) or fewer, but not 0, which is a reasonable balance.

Required PowerShell Modules
Primary API: Microsoft Graph API (Settings Catalog policies live under the beta endpoint, /beta/deviceManagement/configurationPolicies)
Connection: Connect-MgGraph (Microsoft.Graph.Authentication) with the DeviceManagementConfiguration.Read.All scope for monitoring and DeviceManagementConfiguration.ReadWrite.All for remediation
Required Modules: Microsoft.Graph.Authentication; Microsoft.Graph.Beta.DeviceManagement if you use the Settings Catalog cmdlets instead of Invoke-MgGraphRequest

How it works

Inactivity limit: 900 seconds (15 min). After 900 seconds without mouse or keyboard input the device locks the screen, and the user must re-authenticate (password, PIN or biometric). The setting is applied through the Policy CSP (LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit) and is stored on the device as the InactivityTimeoutSecs registry value. It is traditionally combined with a password-protected screensaver (legacy); the modern complement is Dynamic Lock (locks when the paired Bluetooth phone goes out of range).

Requirements

  1. Intune subscription
  2. Windows 10/11

Implementation

Intune Settings Catalog (Windows 10 and later, MDM): Local Policies Security Options → Interactive logon: Machine inactivity limit → 900 seconds (15 minutes). Do not set 0: that disables the inactivity lock entirely. Assign the policy to a device group; it has no effect until it is assigned.
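The Settings Catalog step above can be automated with a Graph call. The script below is an added example, not the baseline's own script: it builds the Settings Catalog policy body and POSTs it to the beta configurationPolicies endpoint with Invoke-MgGraphRequest. The setting definition ID ($SettingDefinitionId), the policy name and the assumption that the caller holds the DeviceManagementConfiguration.ReadWrite.All scope are assumptions and should be confirmed in your tenant; the ID can be looked up via /beta/deviceManagement/configurationSettings before running the POST for real.

```powershell
# Added example (not the baseline's script): create the Settings Catalog policy for
# 'Interactive logon: Machine inactivity limit' via the Graph beta endpoint.
#Requires -Modules Microsoft.Graph.Authentication

# ASSUMED settings catalog ID for the CSP
# ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit.
# Confirm it with GET https://graph.microsoft.com/beta/deviceManagement/configurationSettings before use.
$SettingDefinitionId = 'device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_machineinactivitylimit'

function New-InactivityLimitPolicyBody {
    param(
        [Parameter(Mandatory)][string]$Name,
        # CIS: 900 or fewer seconds, but never 0 (0 disables the lock), so the range excludes 0.
        [ValidateRange(1, 900)][int]$Seconds = 900
    )
    # Settings Catalog policy shape: one simple setting instance carrying an integer value.
    return @{
        name         = $Name
        description  = "CIS L1: Interactive logon: Machine inactivity limit = $Seconds seconds"
        platforms    = 'windows10'
        technologies = 'mdm'
        settings     = @(
            @{
                '@odata.type'   = '#microsoft.graph.deviceManagementConfigurationSetting'
                settingInstance = @{
                    '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
                    settingDefinitionId = $SettingDefinitionId
                    simpleSettingValue  = @{
                        '@odata.type' = '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue'
                        value         = $Seconds
                    }
                }
            }
        )
    }
}

function New-InactivityLimitPolicy {
    param(
        [string]$Name = 'Win - Interactive logon: Machine inactivity limit (900s)',  # assumed name
        [int]$Seconds = 900,
        [switch]$WhatIf
    )
    $body = New-InactivityLimitPolicyBody -Name $Name -Seconds $Seconds
    if ($WhatIf) {
        Write-Host 'WhatIf: would POST the following policy body:' -ForegroundColor Yellow
        return ($body | ConvertTo-Json -Depth 10)
    }
    if (-not (Get-MgContext)) {
        Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome | Out-Null
    }
    # Invoke-MgGraphRequest serialises the hashtable to JSON; beta is required for configurationPolicies.
    $policy = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' `
        -Body $body -ContentType 'application/json'
    Write-Host "Created policy $($policy.id). Assign it to a device group; unassigned policies do nothing." -ForegroundColor Green
    return $policy
}

# Dry run: print the JSON that would be sent. Drop -WhatIf to create the policy.
New-InactivityLimitPolicy -WhatIf
```

Run it once with -WhatIf and compare the JSON against a policy exported from a tenant where the setting was configured by hand; if the settingDefinitionId differs, replace the assumed value. Assignment is a separate POST to .../configurationPolicies/{id}/assign and is deliberately left out here.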

Compliance

CIS Microsoft Windows 10/11 Enterprise Benchmark, Level 1 (900 or fewer seconds, but not 0); BIO 11.01 (Physical security); ISO/IEC 27001 A.11.2.8 (Unattended user equipment).

Monitoring

Use the PowerShell script interactive-logon-machine-inactivity-limit-is-set-to-900-or-fewer-second-s-but-not-0.ps1 (function Invoke-Monitoring) to check the control.
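Tenant-side monitoring tells you the policy exists; it does not tell you the device actually enforces it. The following added example (not the baseline's script) checks the effective value on a Windows device: the policy lands in the registry as the InactivityTimeoutSecs DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the pure function Test-InactivityLimitValue implements the CIS rule "900 or fewer seconds, but not 0" including the two failure modes (value absent, value 0). The function names and the sample values are constructed for this example.

```powershell
# Added example (not the baseline's script): verify the effective inactivity limit on a Windows device.

function Test-InactivityLimitValue {
    # Pure evaluation of the CIS rule so it can be tested without touching the registry.
    # $Seconds = $null means the value is absent on the device (no auto-lock is enforced by policy).
    param($Seconds)
    if ($null -eq $Seconds) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'Not configured: no inactivity lock enforced' }
    }
    $s = [int]$Seconds
    if ($s -eq 0) {
        return [pscustomobject]@{ Compliant = $false; Reason = '0 disables the inactivity lock' }
    }
    if ($s -gt 900) {
        return [pscustomobject]@{ Compliant = $false; Reason = "$s s exceeds the 900 s maximum" }
    }
    return [pscustomobject]@{ Compliant = $true; Reason = "$s s is within 1..900" }
}

function Get-LocalInactivityLimit {
    # Where the Policy CSP / GPO writes 'Interactive logon: Machine inactivity limit'.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value missing: policy has not applied
    return [int]$item.InactivityTimeoutSecs
}

# Constructed sample inputs covering the edge cases (not read from a real device).
foreach ($sample in @($null, 0, 300, 900, 1800)) {
    $r = Test-InactivityLimitValue -Seconds $sample
    $label = if ($null -eq $sample) { '<absent>' } else { $sample }
    '{0,-8} -> compliant={1,-5} {2}' -f $label, $r.Compliant, $r.Reason
}

# Live check on this device. HKLM policy keys are readable without elevation.
$live = Test-InactivityLimitValue -Seconds (Get-LocalInactivityLimit)
"Local device: compliant=$($live.Compliant) ($($live.Reason))"
```

Because the check is expressed as a function that returns an object, the same logic can be dropped into an Intune remediation-script detection step (exit 0 when Compliant is $true, 1 otherwise) to report per-device compliance rather than only per-policy existence.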

Remediatie

Use the PowerShell script interactive-logon-machine-inactivity-limit-is-set-to-900-or-fewer-second-s-but-not-0.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation). Note that in this version both Test-Compliance and Invoke-Remediation are placeholders: the compliance check always reports one non-compliant resource and the remediation only prints a message, so the tenant-side logic still has to be filled in.

PowerShell

```powershell
<#
.SYNOPSIS
    Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
.DESCRIPTION
    Implementation for Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
.NOTES
    Filename: interactive-logon-machine-inactivity-limit-is-set-to-900-or-fewer-second-s-but-not-0.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph.Authentication

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "Interactive logon: Machine inactivity limit 900s"

function Connect-RequiredServices {
    # Intune configuration policies are covered by the DeviceManagementConfiguration scopes;
    # Policy.Read.All only covers Entra ID policies. Remediation needs the ReadWrite scope.
    $scope = if ($Remediation) { 'DeviceManagementConfiguration.ReadWrite.All' } else { 'DeviceManagementConfiguration.Read.All' }
    if (-not (Get-MgContext)) {
        Connect-MgGraph -Scopes $scope -NoWelcome | Out-Null
    }
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "machine-inactivity-limit"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Placeholder: the tenant-side check is not implemented yet, so the result is always non-compliant.
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    # Placeholder: no Intune policy is created or changed here yet; only a message is printed.
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    Write-Host " Configuration applied" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n$PolicyName" -ForegroundColor Cyan
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor Red
    return $result
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) { Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow }
        else { Invoke-Remediation }
    } elseif ($Revert) {
        Write-Host "Revert: not yet implemented" -ForegroundColor Yellow
    } else {
        $result = Test-Compliance
        if ($result.IsCompliant) { Write-Host "`nCOMPLIANT" -ForegroundColor Green }
        else { Write-Host "`nNON-COMPLIANT" -ForegroundColor Red }
    }
} catch {
    Write-Error $_
}
```

Risk without implementation

Medium: an unlocked PC at an unattended desk is an open door for a physical-access attack.

Management Summary

Inactivity limit: 900 seconds (15 min), never 0. Idle PCs lock automatically. Physical security. Implementation: 1 to 2 hours.