How to Set an Intune Auto-Lock Timer for Clinic PCs

How to Set an Intune Auto-Lock Timer for Clinic PCs

Set a 5-minute intune device lock auto-lock timer clinic pcs policy in Microsoft Intune and document HIPAA-ready proof of enforcement.

LakeRidge Team
July 16, 2026
7 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

To support HIPAA workstation security, configure Microsoft Intune to lock Windows clinic computers after a short period of inactivity and require each workforce member to sign in again before accessing ePHI. An intune device lock auto-lock timer clinic pcs policy can enforce a five-minute inactivity limit on enrolled Windows devices, helping restrict unattended workstations to authorized users under 45 CFR § 164.310(c).

What does HIPAA require for an intune device lock auto-lock timer clinic pcs policy?

HIPAA does not prescribe an exact number of idle minutes. Instead, the Workstation Security standard at 45 CFR § 164.310(c) requires your practice to implement physical safeguards for workstations that access electronic protected health information (ePHI) so access is limited to authorized users.

For a dental or specialty practice, a five-minute lock period is generally a practical starting point for front-desk computers, treatment-room PCs, billing workstations, and provider laptops. It reduces the chance that a patient, visitor, vendor, or another employee can view a schedule, chart, image, insurance record, or open portal when a staff member steps away.

Microsoft Intune satisfies the technical portion of this safeguard for enrolled Windows devices by delivering a device configuration policy that automatically locks the screen after the defined inactivity period. The policy is especially useful for a BYOD program because it lets you enforce an auto-lock control on approved personal Windows devices without manually configuring every computer.

How do you configure the Intune auto-lock timer for Windows clinic PCs?

Use an Intune Windows device configuration profile for this setting. Before creating the policy, make sure each clinic-owned computer and each approved BYOD Windows computer is enrolled in Intune and assigned to a group that reflects its role. Do not assign a device-wide lock policy to every personal device unless your BYOD agreement clearly authorizes that level of management.

  1. Open the Microsoft Intune admin center. Sign in at https://intune.microsoft.com using an account with the Intune Administrator role or another role that can create device configuration policies.
  2. Go to the Windows configuration policy area. Select Devices, then Windows, then Configuration.
  3. Create a new policy. Select Create, then New policy.
  4. Select the platform and template. Under Platform, choose Windows 10 and later. Under Profile type, choose Templates, then select Device restrictions, and choose Create.
  5. Name the profile clearly. Use a name that an assessor and your IT provider can understand, such as HIPAA - Windows - 5 Minute Auto-Lock. In the description, state that the policy supports HIPAA Workstation Security, 45 CFR § 164.310(c), by locking unattended Windows devices that can access ePHI.
  6. Open the Device lock settings. On the Configuration settings page, expand Device lock.
  7. Set the inactivity limit. Locate Maximum minutes of inactivity until screen locks and enter 5. This is the setting that creates the Windows auto-lock policy for your enrolled clinic PCs.
  8. Continue to assignments. Select Next until you reach Assignments. Assign the profile to a dedicated Microsoft Entra ID device group, such as HIPAA - Managed Windows Workstations. For BYOD, create a separate group such as HIPAA - Approved BYOD Windows and assign the profile only after a user accepts your BYOD agreement and enrolls the device.
  9. Review and create. Confirm that the intended groups are listed, then select Create. Intune will apply the policy at the next device check-in; a user can also manually sync the device from Company Portal or from Windows Settings.

A five-minute setting is appropriate for many clinical areas, but your risk analysis may support a shorter interval for reception desks, shared charting stations, or computers positioned where patients can see the screen. If your clinicians have a documented workflow need for a longer interval, record the reason, compensating safeguards, and approval in your risk-management documentation rather than quietly creating an exception.

Which devices should receive the policy?

Device type Recommended assignment Suggested inactivity limit
Front desk and billing Windows PCs Required Intune enrollment; assign to managed workstation group 5 minutes
Treatment-room shared Windows PCs Required Intune enrollment; separate shared-device procedures 3 to 5 minutes
Provider-owned Windows BYOD laptops Assign only after BYOD agreement, enrollment, and approval 5 minutes
Unenrolled personal computers Do not permit ePHI access that requires device-level protection Not applicable

How can you verify that the auto-lock policy took effect?

Do not treat a successful policy creation message as proof that the setting reached your computers. Verify both Intune reporting and actual device behavior on at least one representative device from each assigned group, including an approved BYOD Windows device if your program permits those devices to access ePHI.

  1. In the Intune admin center, go to Devices, Windows, then Configuration.
  2. Select the HIPAA - Windows - 5 Minute Auto-Lock profile.
  3. Open Device and user check-in status. Confirm that the test computer reports Succeeded, not Pending, Error, or Conflict.
  4. On the Windows test device, open Settings, select Accounts, then Access work or school, select the connected work account, and choose Info, then Sync if a fresh check-in is needed.
  5. Leave the device untouched for five minutes. The screen should lock and display the Windows sign-in screen. Confirm that the user must authenticate before returning to the desktop or any ePHI application.
  6. For a technical spot check, run the following command in an elevated Command Prompt. A value of 5 confirms the managed device-lock value is present.
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock" /v MaxInactivityTimeDeviceLock

If the test device does not lock, first check for another Intune configuration profile, local policy, or security product that sets a conflicting inactivity value. Resolve the conflict rather than assuming the stricter setting will win. Keep one documented source of authority for the Windows idle-lock setting.

What evidence should you capture for a HIPAA assessor?

Your evidence should show the policy design, the scope of deployment, the successful technical result, and your process for handling exceptions. Screenshots are useful, but date them and store them with the policy export or change record so they are more than an isolated image.

  • A screenshot of the Intune profile overview showing the policy name, description, platform, and creation date.
  • A screenshot of Configuration settings with Maximum minutes of inactivity until screen locks set to 5.
  • A screenshot or export of the Assignments page showing the Microsoft Entra ID groups targeted by the policy.
  • A screenshot of Device and user check-in status showing successful deployment to representative clinic-owned and approved BYOD Windows devices.
  • A dated screenshot or short test record showing a Windows device at the lock screen after five minutes and requiring sign-in to resume work.
  • The output of the registry verification command for one representative device, saved with the test date and device asset identifier.
  • Your BYOD agreement, device approval workflow, and list of approved personal devices that are allowed to access ePHI.
  • Any documented exceptions, including the business reason, approving person, expiration date, and compensating controls.

Where does Intune fall short of the HIPAA workstation security control?

Intune can enforce the inactivity lock, but it does not by itself satisfy all of 45 CFR § 164.310(c). HIPAA Workstation Security is a physical safeguard: your practice must also control where devices are used, who can see their screens, and who is permitted to access ePHI after a workstation locks.

For example, the Intune policy cannot stop a receptionist from leaving a printed schedule on the counter, prevent a patient from viewing a monitor positioned toward the waiting room, or ensure that two staff members do not share one Windows sign-in. It also cannot protect an unenrolled personal computer that accesses ePHI outside your approved BYOD process.

Fill those gaps with written workstation-use rules, unique Entra ID accounts, strong sign-in methods such as Windows Hello for Business or multifactor authentication where appropriate, privacy screens in patient-facing areas, clean-desk procedures, secured treatment rooms, staff training, and a process to disable access when an employee or contractor leaves. For shared clinical computers, require each staff member to use an individual account and lock the device whenever they walk away, even if the Intune auto-lock timer has not yet expired.

Next, create your two Entra ID assignment groups—managed clinic workstations and approved BYOD Windows devices—then deploy and test the five-minute Intune policy on one device from each group before broad rollout.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.