Windows 10 hides the system lock timeout from the ordinary Settings UI, but you can control it precisely — safely and permanently — by using the registry, Group Policy (Pro/Enterprise), or built-in command‑line tools such as PowerShell and powercfg; this feature is known as the Interactive logon: Machine inactivity limit and is implemented by the registry value InactivityTimeoutSecs under the System policies key.
Background / Overview
Windows historically keeps several overlapping mechanisms for protecting an idle session: the screensaver on resume lock, the sign‑in requirement after sleep, Dynamic Lock (Bluetooth‑based), and a less-visible machine inactivity limit that enforces a lock after a configurable elapsed time of no input. The visible Settings controls (Accounts → Sign‑in options → If you’ve been away…) cover many use cases, but they don’t expose the per‑machine inactivity timeout that some administrators and power‑users need. The same setting is accessible to Pro and Enterprise through Local Security Policy / Group Policy as Interactive logon: Machine inactivity limit, and the underlying value written for both GPO and registry edits is InactivityTimeoutSecs.Why this matters in practice:
- Some workflows require the system to lock after pure inactivity (no key or mouse input) even if the display is still on or power settings differ.
- Screensavers and sleep-based locks don't always align with advanced scripts, power plans, or kiosk/shared device requirements.
- Enterprise security baselines and STIGs often mandate a concrete value (for example, 900 seconds / 15 minutes) and check for the registry value directly.
How the Windows lock timeout works (technical summary)
What the policy does
- Interactive logon: Machine inactivity limit is a security policy that instructs Windows to lock the current interactive session after X seconds of user‑input inactivity. It is measured in elapsed seconds and is independent of display power off or sleep timers. If configured, it can also act when a screensaver triggers or the display turns off.
Where the value lives
- Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Value name: InactivityTimeoutSecs (DWORD, seconds)
When Group Policy sets the Machine inactivity limit, it writes the same registry value. If the value is missing, the default behavior is that no automatic inactivity lock is enforced by this policy (though screensaver or sign‑in after sleep might still lock).
Supported range and limits
- Microsoft documents the valid range as 0 through 599,940 seconds (≈166.65 hours). A value of 0 disables the policy (no inactivity locking). Use sensible values; extremely large values are technically allowed but often undesirable.
Methods to change the system lock timeout
Below are three practical methods: Registry (Windows 10 Home / any edition), Group Policy (Pro / Enterprise), and PowerShell/powercfg (scriptable / admin). Use the one appropriate to your edition and environment.Method A — Registry edit (All editions; manual)
This is the direct method that writes the same value the GPO uses.- Press Win + R, type regedit, and press Enter to open Registry Editor with administrative rights.
- Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - If a DWORD named InactivityTimeoutSecs exists, double‑click it and choose Decimal. Enter the number of seconds for the timeout (for example, 300 for 5 minutes). If it does not exist, create it:
- Right‑click System → New → DWORD (32‑bit) Value
- Name it: InactivityTimeoutSecs
- Double‑click it → Base: Decimal → Value data: (seconds)
- Click OK. Sign out and back in (or restart) for the change to fully take effect.
- InactivityTimeoutSecs = 600 (Decimal)
- Back up the registry key or create a System Restore point before editing.
- If your device is domain‑joined or managed by Intune, a domain policy may overwrite local registry changes.
Method B — Group Policy (Windows 10 Pro / Enterprise)
If your PC includes the Local Group Policy Editor, use it to set the value through the GUI, which writes the same registry entry.- Press Win + R, type gpedit.msc, press Enter.
- Navigate to:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options - Find Interactive logon: Machine inactivity limit and set the value (seconds).
- Apply and run gpupdate /force or reboot.
Method C — One‑line PowerShell (scriptable, admin)
Use an elevated PowerShell window to create or set the registry value in one command:PowerShell (run as Administrator)
Code:
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "InactivityTimeoutSecs" -Value 300 -PropertyType DWord -ForceRelated power and display settings you should understand
- Display vs. lock timeout: Windows has separate timing for display turn‑off and session lock. The machine inactivity policy specifically locks the session independent of sleep/display timers; conversely, display‑off or sleep settings do not necessarily lock the session unless “Require sign‑in on wake” is enabled.
- Console Lock Display Off Timeout: Windows has an advanced power setting called Console lock display off timeout (GUID SUB_VIDEO / VIDEOCONLOCK) that controls how quickly the display is turned off while the console is locked. It is hidden by default in the Advanced Power Options, but you can expose and change it via powercfg. Microsoft documents the exact powercfg commands to set VIDEOIDLE (unlocked), VIDEOCONLOCK (locked), and to expose the hidden control. This is important when your goal is to control the lock behavior versus the display power behavior.
- Expose the Console Lock Display Off Timeout option in Advanced Settings:
powercfg.exe -attributes SUB_VIDEO 8EC4B3A5-6868-48c2-BE75-4F3044BE88A7 -ATTRIB_HIDE - Set console lock display off timeout (seconds) for current scheme on AC:
Code:powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK 600 powercfg.exe /setactive SCHEME_CURRENT
Practical examples and recommended values
- Personal laptop, home use: 300–900 seconds (5–15 minutes) balances convenience and security.
- Shared kiosk or public workstation: 60–300 seconds (1–5 minutes) to reduce exposure.
- Enterprise devices (STIG or baseline): many guidance documents mandate 900 seconds (15 minutes) or less; consult your security baseline. The STIG checks explicitly look for InactivityTimeoutSecs and often require 900 seconds or lower.
Troubleshooting: when changes don’t stick
- Settings are greyed out or revert:
- Often a domain GPO or MDM policy controls this. Confirm with gpresult /h report.html or check with IT. Managed policies trump local edits.
- The system still doesn’t lock after setting InactivityTimeoutSecs:
- Sign out/sign in or restart. Some changes require a user session restart to apply. If using gpedit, run gpupdate /force to refresh policies.
- Display turns off but session doesn’t lock:
- Verify “Require sign‑in on wake” in Settings → Accounts → Sign‑in options or confirm your screensaver settings include “On resume, display logon screen.” The inactivity policy is separate from display power settings.
- Devices waking unexpectedly:
- Check powercfg -devicequery wake_armed and device power management settings (Device Manager → device → Power Management → Allow this device to wake the computer). Use powercfg /requests to see processes preventing sleep. These checks help diagnose spurious wakes that interfere with expected lock behavior.
- Advanced power settings not visible:
- Use the powercfg -attributes command above to unhide the Console lock display off timeout. Then set VIDEOCONLOCK as needed.
Security, compliance, and operational considerations
- Group Policy and MDM precedence: On corporate or managed devices, local registry edits can be overwritten. Always validate the effective policy using gpresult or RSOP (Resultant Set of Policy). If you’re an end user on a managed machine, coordinate with IT before changing these settings.
- Compliance baselines: Military and government baselines (e.g., STIG) often require explicit registry values and may flag devices where InactivityTimeoutSecs is missing or set too high. If a machine falls under such baselines, follow the documented values.
- Risk of disabling: Setting 0 or a very high timeout reduces security. Avoid disabling inactivity lock on devices handling sensitive data or on machines in semi‑public spaces.
- Interactions with Dynamic Lock: Dynamic Lock supplements but does not replace inactivity or GPO controls. It depends on Bluetooth RSSI and idle state. Don’t rely on it as a primary policy for security‑critical systems.
Strengths and weaknesses of each method (quick comparison)
- Registry edit
- Strengths: Works on every edition, immediate and direct.
- Weaknesses: Manual, risk of typing errors, overwritten by higher‑order policies.
- Group Policy (gpedit)
- Strengths: Managed, auditable, preferred in enterprise.
- Weaknesses: Not available on Home edition; GPOs may be overridden by domain policies.
- PowerShell / Script
- Strengths: Scriptable for automation; ideal for managed rollouts where direct registry write is acceptable.
- Weaknesses: Still subject to policy overrides; requires admin elevation.
- powercfg
- Strengths: Controls display off behavior on locked/unlocked screens; exposes hidden power options.
- Weaknesses: Focused on display timeout rather than the session lock policy itself.
Step‑by‑step checklist for safe rollout (single machine)
- Decide target timeout (seconds) based on security needs (e.g., 600 for 10 minutes).
- If using a corporate device, confirm there is no conflicting domain GPO or MDM policy.
- Back up registry or create a System Restore point.
- Apply the change via Group Policy (preferred) or PowerShell/Registry.
- If you alter power behavior too, unhide VIDEOCONLOCK and set the lock display timeout to match expectations.
- Sign out and sign back in, or reboot, then test by leaving the machine idle.
- Run monitoring commands (powercfg /requests and powercfg -devicequery wake_armed) if behavior diverges from expectations.
Final analysis and recommendations
Windows exposes multiple overlapping lock and power timing mechanisms, and the hidden InactivityTimeoutSecs registry value (or the Interactive logon: Machine inactivity limit policy) is the most reliable way to enforce a lock after pure inactivity. For personal users on Windows 10 Home, editing the registry (or using the PowerShell one‑liner) is the practical route. For Pro and Enterprise, always prefer Group Policy so the change is consistent with other security settings and auditable. Microsoft documents both the policy and the powercfg methods for handling display timeouts on locked screens, and compliance frameworks like STIG specifically check for the InactivityTimeoutSecs presence and value.Key takeaways:
- Use InactivityTimeoutSecs to enforce idle lock independent of screensaver or sleep.
- Use gpedit where available for manageability; use PowerShell or registry when gpedit isn’t available.
- Expose and use VIDEOCONLOCK via powercfg to control the lock‑screen display timeout, not just the session lock.
- Watch for domain/Intune policies that can override local changes and for compliance baselines that require specific values.
Source: AddictiveTips How to Change the Windows 10 System Lock Timeout
