Lock Screen

Lock Screen | Harden System Security

• Automatically locks device after X seconds of inactivity (just like mobile phones), which is set to 120 seconds (2 minutes) in this app, you can change that to any value you like. CSP

• Requires CTRL+ALT+DEL on the lock screen, kernel protected set of key strokes. The reason and logic behind it is: CSP

  • A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. The attacker can then sign into the compromised account with whatever level of user rights that user has.

• Enables a security anti-hammering feature that sets a threshold of 5 for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. Sign-in attempts include Windows password or Windows Hello authentication methods. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.

  • The Harden System Security App automatically saves the 48-digit recovery password of each drive in itself, the location of it will also be visible on the PowerShell console when you run it. It is very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault

• Configures account lockout policy: Account lockout threshold, Sets the number of allowed failed sign-in attempts to 5. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. This policy greatly prevents brute force attempts. CSP

• Configures account lockout policy: Sets Account lockout duration to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. CSP

• Configures account lockout policy: Sets Reset account lockout counter to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. CSP

• Hides email address of the Microsoft account on lock screen, if your device is in a trusted place like at home then this isn't necessary.

• Don't display username at sign-in; If a user signs in as Other user, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press Enter, the displayed text "Other user" remains unchanged, and is no longer replaced by the user's first and last name, as in previous versions of Windows 10. Additionally, if users enter their domain user name and password and click Submit, their full name isn't shown until the Start screen displays. CSP

  • Useful If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user's full names or domain account names

• Don't display last signed-in; This security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop. If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user's sign-in tile displayed. Additionally, if the Switch user feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests both Username + Windows Hello credentials. CSP

  • This feature can be useful to enable if you live in High-Risk Environments and you don't want anyone to get any information about your accounts when you aren't logged-in.

  • This policy will prevent you from using "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.

  • If you use Windows Hello Face or Fingerprint, you can easily login using those credential providers without the need to supply username first.

• Don't Display Network Selection UI on Lock Screen (like WIFI Icon); This setting allows you to control whether anyone can interact with available networks UI on the logon screen. Once enabled, the device's network connectivity state cannot be changed without signing into Windows. Suitable for High-Risk Environments. CSP

• Applies the following PIN Complexity rules to Windows Hello CSP. Please note that, by default, any character can be set as a PIN. However, the following policies ensure that certain characters are always included as a minimum requirement.

  • Must include digits CSP

  • Expires every 180 days (default behavior is to never expire) CSP

    • Setting an expiration date ensures that, in the event of theft, a threat actor cannot indefinitely attempt to guess the PIN. After 180 days, the PIN expires, rendering it unusable even if guessed correctly. To reset the PIN, authentication via a Microsoft account or EntraID—likely inaccessible to the attacker—will be required. Combined with anti-hammering and BitLocker policies, this expiration guarantees that a threat actor cannot endlessly persist in guessing the PIN.

  • History of the 1 most recent selected PIN is preserved to prevent the user from reusing it CSP

  • Must include lower-case letters CSP