Standard Operating Procedure - Corporate Screensaver Deployment

Standard Operating Procedure (SOP)

Automated Enterprise Screensaver and Power Configuration Deployment

1. Title & Scope

Title: Automated Enterprise Screensaver and Power Configuration Deployment

Scope: Enforces standardized screensaver policies across all Windows workstation profiles.

Target:

  • Local machine systems
  • Currently logged-in users
  • Offline user profiles
  • Future user profile templates

2. Purpose

  • Security: Automatically locks inactive workstations to protect sensitive corporate information.
  • Compliance: Meets enterprise security requirements for workstation inactivity timeouts.
  • Uniformity: Overrides monitor power settings to ensure the corporate screensaver is consistently displayed.

3. Prerequisites

  • Administrator or SYSTEM privileges
  • PowerShell Execution Policy: RemoteSigned or Bypass
  • Screensaver file located at: C:\Windows\Branding\Screensaver\Yourfile.scr

4. Deployment Procedure

Step 4.1 – Standardize Power Configuration

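Set the display-off timeout (VIDEOIDLE) and the console-lock display-off timeout (VIDEOCONLOCK) to 0 (never), on both AC and battery power, for every Windows power plan, so the monitor does not power off before the corporate screensaver is displayed.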

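# Remember the active plan; the loop below activates each plan in turn
$ActiveGUID = if ("$(powercfg /getactivescheme)" -match '[0-9a-fA-F-]{36}') { $Matches[0] }
powercfg /list | Select-String "GUID" | ForEach-Object {
    # Match the GUID by pattern rather than by word position in the line
    if ($_.Line -match '[0-9a-fA-F-]{36}') {
        $SchemeGUID = $Matches[0]
        powercfg /setacvalueindex $SchemeGUID SUB_VIDEO VIDEOIDLE 0
        powercfg /setdcvalueindex $SchemeGUID SUB_VIDEO VIDEOIDLE 0
        powercfg /setacvalueindex $SchemeGUID SUB_VIDEO VIDEOCONLOCK 0
        powercfg /setdcvalueindex $SchemeGUID SUB_VIDEO VIDEOCONLOCK 0
        powercfg /setactive $SchemeGUID
    }
}
# Restore the plan that was active before the loop
if ($ActiveGUID) { powercfg /setactive $ActiveGUID }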

Step 4.2 – Apply Machine-Level Policy Rules

Configure HKLM policy locations to enforce the screensaver executable, secure lock, and a four-minute timeout.

# Registry locations written in this step
$CSP_Personalization = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPanel_Personalization"
$CSP_Payload         = "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\Base\default\Device\ControlPanel_Personalization"
$Local_Policies      = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Enable and force the screensaver with a 240-second (four-minute) timeout
if (-not (Test-Path $CSP_Personalization)) { New-Item -Path $CSP_Personalization -Force | Out-Null }
Set-ItemProperty -Path $CSP_Personalization -Name "EnableScreenSaver" -Value 1 -Type DWord -Force
Set-ItemProperty -Path $CSP_Personalization -Name "ForceScreenSaver" -Value 1 -Type DWord -Force
Set-ItemProperty -Path $CSP_Personalization -Name "ScreenSaverTimeout" -Value 240 -Type DWord -Force

# Screensaver executable path
if (-not (Test-Path $CSP_Payload)) { New-Item -Path $CSP_Payload -Force | Out-Null }
Set-ItemProperty -Path $CSP_Payload -Name "ConfigureScreenSaverName" -Value "C:\Windows\Branding\Screensaver\Yourfile.scr" -Type String -Force

# Screensaver on, password-protected on resume (ScreenSaverIsSecure), 240-second timeout
if (-not (Test-Path $Local_Policies)) { New-Item -Path $Local_Policies -Force | Out-Null }
Set-ItemProperty -Path $Local_Policies -Name "ScreenSaveActive" -Value "1" -Type String -Force
Set-ItemProperty -Path $Local_Policies -Name "ScreenSaverIsSecure" -Value "1" -Type String -Force
Set-ItemProperty -Path $Local_Policies -Name "ScreenSaveTimeOut" -Value "240" -Type String -Force
Set-ItemProperty -Path $Local_Policies -Name "SCRNSAVE.EXE" -Value "C:\Windows\Branding\Screensaver\Yourfile.scr" -Type String -Force

Step 4.3 – Update Active User Registry Hives

Apply screensaver settings to every currently loaded user profile.

$LoadedSIDs = Get-ChildItem "Registry::HKEY_USERS" |
Where-Object {
    $_.PSChildName -like "S-1-5-21-*" -and
    $_.PSChildName -notlike "*_Classes"
}

foreach ($SID in $LoadedSIDs.PSChildName) {

    $UserRegPath = "Registry::HKEY_USERS\$SID\Control Panel\Desktop"

    if (Test-Path $UserRegPath) {

        Set-ItemProperty -Path $UserRegPath -Name "ScreenSaveActive" -Value "1" -Type String -Force
        Set-ItemProperty -Path $UserRegPath -Name "ScreenSaverIsSecure" -Value "1" -Type String -Force
        Set-ItemProperty -Path $UserRegPath -Name "ScreenSaveTimeOut" -Value "240" -Type String -Force
        Set-ItemProperty -Path $UserRegPath -Name "SCRNSAVE.EXE" -Value "C:\Windows\Branding\Screensaver\Yourfile.scr" -Type String -Force
    }
}

Step 4.4 – Update Offline and Default Profiles

Load offline NTUSER.DAT registry hives and the Default User profile so future and inactive accounts automatically inherit the required configuration.

$ProfileList = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*"
$DefaultProfilePath = "C:\Users\Default\NTUSER.DAT"

$UserDats = @()

# The Default profile hive is the template for future user profiles
if (Test-Path $DefaultProfilePath) {
    $UserDats += $DefaultProfilePath
}

# $ProfileKey, not $Profile: that name would overwrite PowerShell's automatic $PROFILE variable
foreach ($ProfileKey in $ProfileList) {

    $PathValue = (Get-ItemProperty -Path $ProfileKey.PSPath).ProfileImagePath
    $UserDatPath = "$PathValue\NTUSER.DAT"

    if (Test-Path $UserDatPath) {
        $UserDats += $UserDatPath
    }
}

foreach ($DatFile in $UserDats) {

    $TempHiveName = "TempHive_" + (Split-Path (Split-Path $DatFile -Parent) -Leaf)
    $HiveLoaded = $false

    try {

        # Exclusive open throws if the hive is in use (profile is loaded)
        $FileStream = [System.IO.File]::Open($DatFile,'Open','ReadWrite','None')
        $FileStream.Close()

        # reg.exe does not throw on failure, so check its exit code
        reg load "HKU\$TempHiveName" "$DatFile" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
        $HiveLoaded = $true

        $TargetDesktopPath = "Registry::HKEY_USERS\$TempHiveName\Control Panel\Desktop"

        if (Test-Path $TargetDesktopPath) {

            Set-ItemProperty -Path $TargetDesktopPath -Name "ScreenSaveActive" -Value "1" -Type String -Force
            Set-ItemProperty -Path $TargetDesktopPath -Name "ScreenSaverIsSecure" -Value "1" -Type String -Force
            Set-ItemProperty -Path $TargetDesktopPath -Name "ScreenSaveTimeOut" -Value "240" -Type String -Force
            Set-ItemProperty -Path $TargetDesktopPath -Name "SCRNSAVE.EXE" -Value "C:\Windows\Branding\Screensaver\Yourfile.scr" -Type String -Force
        }

    }
    catch {

        Write-Verbose "Profile $DatFile is currently locked/active. $($_.Exception.Message)"

    }
    finally {

        # Always unload a hive that was loaded, even if a write failed
        if ($HiveLoaded) {
            # Release registry provider handles so the unload can succeed
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()

            reg unload "HKU\$TempHiveName" | Out-Null
        }
    }
}

5. Validation & Troubleshooting

  • Restart the workstation.
  • Log in using a test account.
  • Confirm the screensaver activates after 240 seconds (4 minutes).
  • Verify the screensaver executable is the corporate .scr file.
  • If an NTUSER.DAT hive reports as locked, that profile is already active and was updated in Step 4.3.

Tip: Execute the script inside an elevated PowerShell console or deployment tool and monitor verbose output for successful registry updates.
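
A read-only check to accompany the validation steps above, added here as an example and not part of the original SOP: it reads back the registry values written in Steps 4.2 and 4.3, lists any that differ, and records the hash and signature status of the screensaver file. Test-RegistryBaseline is a hypothetical helper name; offline hives from Step 4.4 are not loaded, and the script is meant to be run as a file by the deployment tool.

```powershell
# Added example (not part of the SOP): read-only audit of Steps 4.2 and 4.3.
$ScrPath = 'C:\Windows\Branding\Screensaver\Yourfile.scr'   # path from Section 3
$PolicyManager = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
$Desktop = [ordered]@{                                       # values from Steps 4.2 / 4.3
    'ScreenSaveActive'    = '1'
    'ScreenSaverIsSecure' = '1'
    'ScreenSaveTimeOut'   = '240'
    'SCRNSAVE.EXE'        = $ScrPath
}

# Test-RegistryBaseline is a hypothetical helper name, not a built-in cmdlet.
function Test-RegistryBaseline {
    param([string]$KeyPath, [System.Collections.IDictionary]$Want)
    $Props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($Name in $Want.Keys) {
        $Actual = if ($Props) { $Props.$Name } else { $null }
        [pscustomobject]@{
            Key       = $KeyPath
            Name      = $Name
            Expected  = $Want[$Name]
            Actual    = $Actual
            Compliant = ("$Actual" -eq "$($Want[$Name])")   # missing value => not compliant
        }
    }
}

$Results = @(
    Test-RegistryBaseline "$PolicyManager\current\device\ControlPanel_Personalization" @{
        EnableScreenSaver = 1; ForceScreenSaver = 1; ScreenSaverTimeout = 240 }
    Test-RegistryBaseline "$PolicyManager\Providers\Base\default\Device\ControlPanel_Personalization" @{
        ConfigureScreenSaverName = $ScrPath }
    Test-RegistryBaseline 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' $Desktop
    # Same SID filter as Step 4.3: loaded user hives only, no *_Classes hives.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { Test-RegistryBaseline "Registry::HKEY_USERS\$($_.PSChildName)\Control Panel\Desktop" $Desktop }
)
# The .scr runs in every user's session, so record what is actually on disk.
if (Test-Path -LiteralPath $ScrPath -PathType Leaf) {
    $Sig = Get-AuthenticodeSignature -LiteralPath $ScrPath
    "Screensaver SHA256: $((Get-FileHash -LiteralPath $ScrPath -Algorithm SHA256).Hash)  Signature: $($Sig.Status)"
} else {
    "MISSING: $ScrPath"
}
# List every value that differs from the SOP; a non-zero exit code flags drift.
$Drift = @($Results | Where-Object { -not $_.Compliant })
$Drift | Format-Table Key, Name, Expected, Actual -AutoSize
if ($Drift.Count -gt 0) { exit 1 }
```

Compare the reported SHA256 against the hash of the approved screensaver build held by the team that packages it.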

6. Escalation Path

  1. Tier 1: Verify administrator permissions and confirm the screensaver file exists.
  2. Tier 2: Review Active Directory Group Policy Objects (GPOs) for conflicting settings.
  3. Tier 3: Engage the Enterprise Endpoint Management team to review Intune or MDM policy enforcement.