Standard Operating Procedure (SOP)
Automated Enterprise Screensaver and Power Configuration Deployment
1. Title & Scope
Title: Automated Enterprise Screensaver and Power Configuration Deployment
Scope: Enforces standardized screensaver policies across all Windows workstation profiles.
Target:
- Local machine systems
- Currently logged-in users
- Offline user profiles
- Future user profile templates
2. Purpose
- Security: Automatically locks inactive workstations to protect sensitive corporate information.
- Compliance: Meets enterprise security requirements for workstation inactivity timeouts.
- Uniformity: Overrides monitor power settings to ensure the corporate screensaver is consistently displayed.
3. Prerequisites
- Administrator or SYSTEM privileges
- PowerShell Execution Policy: RemoteSigned or Bypass
- Screensaver file located at: C:\Windows\Branding\Screensaver\Yourfile.scr
4. Deployment Procedure
Step 4.1 – Standardize Power Configuration
Disable monitor power-off and lock settings across every Windows power plan so the corporate screensaver can deploy without interruption.
    # Remember the currently active plan so the loop below does not switch the workstation to another one.
    $ActiveGUID = ((powercfg /getactivescheme) -split ' ')[3]
    # Each matching line reads "Power Scheme GUID: <guid>  (<name>)"; the GUID is the fourth space-separated token.
    powercfg /list | Select-String "GUID" | ForEach-Object {
        $SchemeGUID = ($_ -split ' ')[3]
        powercfg /setacvalueindex $SchemeGUID SUB_VIDEO VIDEOIDLE 0       # display idle timeout, AC: never
        powercfg /setdcvalueindex $SchemeGUID SUB_VIDEO VIDEOIDLE 0       # display idle timeout, battery: never
        powercfg /setacvalueindex $SchemeGUID SUB_VIDEO VIDEOCONLOCK 0    # console-lock display-off timeout, AC
        powercfg /setdcvalueindex $SchemeGUID SUB_VIDEO VIDEOCONLOCK 0    # console-lock display-off timeout, battery
    }
    # Re-apply the original plan so the new values take effect (setactive on every scheme would leave the last one active).
    powercfg /setactive $ActiveGUID
Step 4.2 – Apply Machine-Level Policy Rules
Configure HKLM policy locations to enforce the screensaver executable, secure lock, and a four-minute timeout.
    # Personalization CSP (PolicyManager) keys: enable and force the screensaver with a 240-second timeout.
    $CSP_Personalization = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPanel_Personalization"
    $CSP_Payload = "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\Base\default\Device\ControlPanel_Personalization"
    # Machine-wide local policy key.
    $Local_Policies = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $ScrPath = "C:\Windows\Branding\Screensaver\Yourfile.scr"

    if (-not (Test-Path $CSP_Personalization)) { New-Item -Path $CSP_Personalization -Force | Out-Null }
    Set-ItemProperty -Path $CSP_Personalization -Name "EnableScreenSaver" -Value 1 -Type DWord -Force
    Set-ItemProperty -Path $CSP_Personalization -Name "ForceScreenSaver" -Value 1 -Type DWord -Force
    Set-ItemProperty -Path $CSP_Personalization -Name "ScreenSaverTimeout" -Value 240 -Type DWord -Force

    if (-not (Test-Path $CSP_Payload)) { New-Item -Path $CSP_Payload -Force | Out-Null }
    Set-ItemProperty -Path $CSP_Payload -Name "ConfigureScreenSaverName" -Value $ScrPath -Type String -Force

    # The classic policy values are REG_SZ, so the timeout is written as the string "240".
    if (-not (Test-Path $Local_Policies)) { New-Item -Path $Local_Policies -Force | Out-Null }
    Set-ItemProperty -Path $Local_Policies -Name "ScreenSaveActive" -Value "1" -Type String -Force
    Set-ItemProperty -Path $Local_Policies -Name "ScreenSaverIsSecure" -Value "1" -Type String -Force
    Set-ItemProperty -Path $Local_Policies -Name "ScreenSaveTimeOut" -Value "240" -Type String -Force
    Set-ItemProperty -Path $Local_Policies -Name "SCRNSAVE.EXE" -Value $ScrPath -Type String -Force
Step 4.3 – Update Active User Registry Hives
Apply screensaver settings to every currently loaded user profile.
    # Only real user hives (S-1-5-21-*), skipping the *_Classes hives that sit beside them.
    $LoadedSIDs = Get-ChildItem "Registry::HKEY_USERS" |
        Where-Object {
            $_.PSChildName -like "S-1-5-21-*" -and
            $_.PSChildName -notlike "*_Classes"
        }
    foreach ($SID in $LoadedSIDs.PSChildName) {
        $UserRegPath = "Registry::HKEY_USERS\$SID\Control Panel\Desktop"
        if (Test-Path $UserRegPath) {
            Set-ItemProperty -Path $UserRegPath -Name "ScreenSaveActive" -Value "1" -Type String -Force
            Set-ItemProperty -Path $UserRegPath -Name "ScreenSaverIsSecure" -Value "1" -Type String -Force
            Set-ItemProperty -Path $UserRegPath -Name "ScreenSaveTimeOut" -Value "240" -Type String -Force
            Set-ItemProperty -Path $UserRegPath -Name "SCRNSAVE.EXE" -Value "C:\Windows\Branding\Screensaver\Yourfile.scr" -Type String -Force
        }
    }
Step 4.4 – Update Offline and Default Profiles
Load offline NTUSER.DAT registry hives and the Default User profile so future and inactive accounts automatically inherit the required configuration.
    # Collect the Default profile hive plus the NTUSER.DAT of every local domain/SAM profile on disk.
    $ProfileList = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*"
    $DefaultProfilePath = "C:\Users\Default\NTUSER.DAT"
    $UserDats = @()
    if (Test-Path $DefaultProfilePath) {
        $UserDats += $DefaultProfilePath
    }
    foreach ($Profile in $ProfileList) {
        $PathValue = (Get-ItemProperty -Path $Profile.PSPath).ProfileImagePath
        $UserDatPath = "$PathValue\NTUSER.DAT"
        if (Test-Path $UserDatPath) {
            $UserDats += $UserDatPath
        }
    }

    foreach ($DatFile in $UserDats) {
        # Temporary hive name derived from the profile folder, e.g. TempHive_Default.
        $TempHiveName = "TempHive_" + (Split-Path (Split-Path $DatFile -Parent) -Leaf)
        try {
            # A hive that is already loaded (logged-in user) cannot be opened exclusively; skip it.
            $FileStream = [System.IO.File]::Open($DatFile, 'Open', 'ReadWrite', 'None')
            $FileStream.Close()
        }
        catch {
            Write-Verbose "Profile $DatFile is currently locked/active."
            continue
        }

        # reg.exe does not throw on failure, so check its exit code before touching the hive.
        reg load "HKU\$TempHiveName" "$DatFile" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg load failed for $DatFile (exit code $LASTEXITCODE)."
            continue
        }
        try {
            $TargetDesktopPath = "Registry::HKEY_USERS\$TempHiveName\Control Panel\Desktop"
            if (Test-Path $TargetDesktopPath) {
                Set-ItemProperty -Path $TargetDesktopPath -Name "ScreenSaveActive" -Value "1" -Type String -Force
                Set-ItemProperty -Path $TargetDesktopPath -Name "ScreenSaverIsSecure" -Value "1" -Type String -Force
                Set-ItemProperty -Path $TargetDesktopPath -Name "ScreenSaveTimeOut" -Value "240" -Type String -Force
                Set-ItemProperty -Path $TargetDesktopPath -Name "SCRNSAVE.EXE" -Value "C:\Windows\Branding\Screensaver\Yourfile.scr" -Type String -Force
            }
        }
        finally {
            # Always unload, even if a Set-ItemProperty failed; release PowerShell's handles first or
            # reg unload reports the hive as still in use.
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            reg unload "HKU\$TempHiveName" | Out-Null
        }
    }
5. Validation & Troubleshooting
- Restart the workstation.
- Log in using a test account.
- Confirm the screensaver activates after 240 seconds (4 minutes).
- Verify the screensaver executable is the corporate .scr file.
- If an NTUSER.DAT hive reports as locked, that profile is already active and was updated in Step 4.3.
Tip: Execute the script inside an elevated PowerShell console or deployment tool and monitor verbose output for successful registry updates.
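The following compliance check is an added example, not part of the SOP's own deployment script. It reads back the machine policy key, every loaded user hive and the active power plan, and compares them with the values written in Steps 4.1 to 4.3; the screensaver path and timeout are assumed to be the SOP's constants and can be changed at the top.

```powershell
# Added verification script (not part of the SOP); run it from an elevated PowerShell console.
# Assumed constants: the .scr path and 240-second timeout used throughout the SOP.
$ExpectedScr     = "C:\Windows\Branding\Screensaver\Yourfile.scr"
$ExpectedTimeout = "240"
$Expected = [ordered]@{
    "ScreenSaveActive"    = "1"
    "ScreenSaverIsSecure" = "1"
    "ScreenSaveTimeOut"   = $ExpectedTimeout
    "SCRNSAVE.EXE"        = $ExpectedScr
}

# Compare one registry key against the expected values and emit one row per setting.
function Test-ScreenSaverKey {
    param([string]$Path, [string]$Label)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Target = $Label; Setting = "(key)"; Expected = "present"; Actual = "missing"; Compliant = $false }
    }
    $Props = Get-ItemProperty -Path $Path
    foreach ($Name in $Expected.Keys) {
        $Actual = "$($Props.$Name)"
        [pscustomobject]@{ Target = $Label; Setting = $Name; Expected = $Expected[$Name]; Actual = $Actual; Compliant = ($Actual -eq $Expected[$Name]) }
    }
}

$Results = @()
# Machine-level policy key (Step 4.2) and every loaded user hive (Step 4.3).
$Results += Test-ScreenSaverKey "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" "HKLM policy"
$LoadedSIDs = Get-ChildItem "Registry::HKEY_USERS" |
    Where-Object { $_.PSChildName -like "S-1-5-21-*" -and $_.PSChildName -notlike "*_Classes" }
foreach ($SID in $LoadedSIDs.PSChildName) {
    $Results += Test-ScreenSaverKey "Registry::HKEY_USERS\$SID\Control Panel\Desktop" "User $SID"
}

# A policy that points at a missing .scr file will not lock the desktop, so check the file itself.
$ScrPresent = Test-Path $ExpectedScr
$Results += [pscustomobject]@{ Target = "File"; Setting = "SCRNSAVE.EXE on disk"; Expected = "present"; Actual = $(if ($ScrPresent) { "present" } else { "missing" }); Compliant = $ScrPresent }

# Display-idle timeout of the active plan (Step 4.1) must be 0 ("never") on both AC and DC.
$Query = powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE
foreach ($Src in "AC", "DC") {
    $Idx = ($Query | Select-String "Current $Src Power Setting Index: (0x[0-9A-Fa-f]+)").Matches[0].Groups[1].Value
    $Results += [pscustomobject]@{ Target = "Power ($Src)"; Setting = "VIDEOIDLE"; Expected = "0"; Actual = [int]$Idx; Compliant = ([int]$Idx -eq 0) }
}

$Results | Format-Table -AutoSize
if ($Results | Where-Object { -not $_.Compliant }) { Write-Warning "Screensaver configuration is NOT compliant."; exit 1 }
```

A non-zero exit code lets a deployment tool flag the workstation for the Tier 1 and Tier 2 checks in the escalation path.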
6. Escalation Path
- Tier 1: Verify administrator permissions and confirm the screensaver file exists.
- Tier 2: Review Active Directory Group Policy Objects (GPOs) for conflicting settings.
- Tier 3: Engage the Enterprise Endpoint Management team to review Intune or MDM policy enforcement.