Require Password After Sleep on Windows Machines: PowerShell Script

Key Takeaways

• Ensuring a password requirement upon waking from sleep is a frontline defense against unauthorized access.
• The provided PowerShell script automates the process of enabling this security feature.
• The script is especially useful for IT professionals and MSPs managing multiple devices.
• Running the script as an Administrator is a necessity.
• Traditional manual methods are less efficient for larger deployments compared to the script.
• Testing in controlled environments and regular registry backups are recommended best practices.
• NinjaOne can complement such scripts, offering a centralized IT management solution.

In today’s security-conscious environment, protecting user data has become paramount. One of the common vulnerabilities arises when a computer is left unattended after waking from sleep or hibernation. Ensuring that Windows requires a password after sleep mode is not only a best practice but also a frontline defense against unauthorized access.

Background

This script is designed to modify specific Windows settings related to power management, particularly when waking from sleep or hibernation. The ability to automate this process is invaluable for IT professionals and Managed Service Providers (MSPs) who manage multiple machines. Without automation, setting up this feature across numerous devices would be tedious, prone to errors, and time-consuming.

The Script

#Requires -Version 2.0

<#
.SYNOPSIS
    Enables password on wake from sleep/hibernation.
.DESCRIPTION
    Enables password on wake from sleep/hibernation.
.EXAMPLE
    No parameters needed.
    Enables password on wake from sleep/hibernation.
.EXAMPLE
    PS C:> Set-RequirePasswordOnWake.ps1
    Enables password on wake from sleep/hibernation.
.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 7, Windows Server 2012
    Release Notes:
    Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    LocalUserAccountManagement
#>

[CmdletBinding()]
param ()

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
        { Write-Output $true }
        else
        { Write-Output $false }
    }
    function Set-ItemProp {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
            Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false | Out-Null
        }
        else {
            New-Item -Path $Path -ItemType Directory -Force -Confirm:$false | Out-Null
            New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false | Out-Null
        }
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    # Require a password when a computer wakes
    $Path = "HKLM:SoftwarePoliciesMicrosoftPowerPowerSettings�e796bdb-100d-47d6-a2d5-f7d2daa51f51"
    $ACName = "ACSettingIndex"
    $DCName = "DCSettingIndex"
    $Enable = "1"

    # Plugged In
    try {
        Set-ItemProp -Path $Path -Name $ACName -Value $Enable
    }
    catch {
        Write-Error $_
        exit 1
    }
    
    # On Battery
    try {
        Set-ItemProp -Path $Path -Name $DCName -Value $Enable
    }
    catch {
        Write-Error $_
        exit 1
    }
}
end {}

 

Detailed Breakdown

The script provided is a PowerShell script, meant to enable password requirement upon wake:

• Preliminary Configuration: The script starts by providing some meta-information, such as its synopsis, description, outputs, notes, and component.
• Function Definitions:
• Test-IsElevated: Checks if the script is being run with Administrator rights, essential for modifying registry keys.
• Set-ItemProp: A utility function to set or create a property in the Windows registry.
• Process Block: If the script isn’t run as an Administrator, it immediately throws an error. It then sets the path to the Windows registry key responsible for the password-on-wake setting and modifies it for both ‘Plugged In’ and ‘On Battery’ scenarios.

Potential Use Cases

Case Study: Sarah, an IT administrator at a mid-sized company, was tasked with ensuring all company laptops require a password after sleep. Instead of manually configuring each device, she used this script, saving hours of work and guaranteeing consistency across devices.

Comparisons

The traditional method of setting this feature involves navigating the Control Panel or Windows Settings and manually changing power options. While feasible for single machines, it becomes impractical for larger deployments. This script offers a scalable, efficient, and error-free method to achieve the same result.

FAQs

• Do I need special permissions to run this script?
  Yes, it must be run as an Administrator.
• Is the script compatible with all versions of Windows?
  The script supports Windows 7, Windows Server 2012, and newer versions.
• Can I modify the script for other power settings?
  Yes, with proper knowledge of the Windows registry and PowerShell.

Implications

Requiring a password after sleep adds a layer of security, reducing risks associated with unauthorized access. This measure ensures that temporary absences, like a coffee break, don’t turn into potential data breaches.

Recommendations

• Always test scripts in a controlled environment before broad deployment.
• Maintain regular backups of your Windows registry.
• Ensure that users are educated about the importance of strong passwords.

Final Thoughts

NinjaOne, a comprehensive IT monitoring and management platform, can further complement such scripts. It provides a centralized approach to IT management, ensuring systems are secure, compliant, and efficient. Incorporating scripts like the one discussed can bolster the platform’s effectiveness, ensuring a more secure IT environment.