I thought that most people would lock their device when they move away from them for a short break, when they visit the toilet, grab some coffee or else. As a consultant I visit several customers in their own corporate offices, and I was pretty shocked how much devices where not locked while getting physical access to them was pretty easy.

This could be solved with the well-known idle session timers. When a user has no keyboard or mouse input for several minutes the devices locks. This would mean that a device is still accessible for unauthorized people within this time limit. Therefor I would not prefer this as solution, but it will still help a bit.

For my own device I use Dynamic Lock. This feature is not waterproof but can help with automatically locking devices as soon as the user leaves his workplace.

What is Dynamic Lock?

A short introduction to Dynamic Lock, this can be used to pair a device (e.g. notebook) with a secondary Bluetooth device like a smartphone or smartwatch. When these devices lose their pairing state from each other Windows will automatically lock your device (Windows + L).

Bluetooth has a short-range reach which normally means that your device will get locked if you move away a few meters from your notebook.

Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. Source: Microsoft.

What are custom compliance policies?

A few months ago, Microsoft released custom compliance policies. With this feature you can basically check for every requirement devices should meet. Think of BIOS versions, device manufacturer, required (custom) apps being installed, minimal disk space, minimal memory installed, etc. As long as PowerShell can be used it can be used as a custom compliance policy.

Custom compliance policies need a PowerShell script for a detection/query and a JSON file for reporting and/or to verify the setting. The JSON file is basically the required state and the PowerShell script output should match the JSON data.

Andrew Taylor and Rudy Ooms wrote great blogs with some examples. Take a look for some in depth knowledge about custom compliance. Official Microsoft documentation can be found here.

What if my device is not compliant?

Based on your Conditional Access policies, you could block access to Office 365 data or other cloud apps while devices are not compliant. It all depends on your compliance policy within conditional access. Some examples:

  • Dynamic lock is disabled -> Not compliant -> Prevent/Block access to Office 365.
  • Thirth party (SIEM?) application not installed -> Not compliant -> Prevent/Block access to “All cloud apps”.
  • Device manufacturer should be Lenovo -> Current device manufacturer is HP -> Not compliant -> Prevent/Block access to Office 365.

Implement Dynamic Lock Custom Compliance

First, I need to figure out how I could verify if Dynamic Lock was enabled. While using RegShot I found out that this registry setting is being modified from 0 (disabled) to 1 (enabled). This setting can now be used within the PowerShell script. This one is shown below and available for download in my Github repo.

#Determine the current state of EnableGoodby (Dynamic Lock)
    $Registry = Get-ItemPropertyValue -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name EnableGoodbye
    $Value = "1"

    If ($Registry -eq $Value){
    $Value = "1"
    $Value = "0"

$hash = @{ EnableGoodbye = $value}
return $hash | ConvertTo-Json -Compress

Once the PowerShell script is completed, we can implement this custom script into intune. Follow the next steps:

  • Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Device compliance > Scripts
  • On the Compliance policies | Scripts page,  click Add > Windows 10 and later
  • On the Basics page, specify a Name and optionally a DescriptionPublisher and click Next
  • On the Settings page, specify the following information and click Next. Note: This script can be found in my Github repo.
  • Make sure to select Run this script using the logged on credentials. The registry setting configured in the Powershell script lives in the user context (HKCU).
  • Enfore script signature check is not required.
  • Run script in 64 bit PowerShell Host is recommended.

Create the JSON file which is being used for reporting (and to verify). This can be done.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Endpoint security Device compliance
  2. On the Compliance policies | Policies page, click Create Policy
  3. select Windows 10 and later with Platform and click Create
  4. On the Basics page, fill in a name for the device compliance policy and click Next
  5. On the Compliance settings page, navigate to the Custom Compliance section, provide the following information and click Next
  • Custom compliance: Select Require
  • Select your discovery script: Select the just uploaded PowerShell script (policy)
  • Upload and validate the JSON file with your custom compliance settings: Select the required JSON file
             "Title":"Dynamic Lock state",
             "Description": "Our corporate compliance policy requires dynamic lock to be enabled."

Deploy the Custom Compliance policy and wait for the results. These results can take a while. Reboot your device to speed up the process. When lucky, you will see the results in a few minutes. In this case my device was marked as compliant.

When I disable dynamic lock, the device will be shown and marked as not complaint as soon as this is re-evaluated. This will happen a few times a day. Because of this delay, devices can be marked as compliant for a while after disabling the required dynamic lock. See more information on this part in Rudy Ooms his blog.

And last reminder. The PowerShell script and JSON file can be found here in my Github repo.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

16 − thirteen =