To support HIPAA workstation security, configure Microsoft Intune to lock Windows clinic computers after a short period of inactivity and require each workforce member to sign in again before accessing ePHI. An intune device lock auto-lock timer clinic pcs policy can enforce a five-minute inactivity limit on enrolled Windows devices, helping restrict unattended workstations to authorized users under 45 CFR § 164.310(c).
What does HIPAA require for an intune device lock auto-lock timer clinic pcs policy?
HIPAA does not prescribe an exact number of idle minutes. Instead, the Workstation Security standard at 45 CFR § 164.310(c) requires your practice to implement physical safeguards for workstations that access electronic protected health information (ePHI) so access is limited to authorized users.
For a dental or specialty practice, a five-minute lock period is generally a practical starting point for front-desk computers, treatment-room PCs, billing workstations, and provider laptops. It reduces the chance that a patient, visitor, vendor, or another employee can view a schedule, chart, image, insurance record, or open portal when a staff member steps away.
Microsoft Intune satisfies the technical portion of this safeguard for enrolled Windows devices by delivering a device configuration policy that automatically locks the screen after the defined inactivity period. The policy is especially useful for a BYOD program because it lets you enforce an auto-lock control on approved personal Windows devices without manually configuring every computer.
How do you configure the Intune auto-lock timer for Windows clinic PCs?
Use an Intune Windows device configuration profile for this setting. Before creating the policy, make sure each clinic-owned computer and each approved BYOD Windows computer is enrolled in Intune and assigned to a group that reflects its role. Do not assign a device-wide lock policy to every personal device unless your BYOD agreement clearly authorizes that level of management.
- Open the Microsoft Intune admin center. Sign in at
https://intune.microsoft.comusing an account with the Intune Administrator role or another role that can create device configuration policies. - Go to the Windows configuration policy area. Select
Devices, thenWindows, thenConfiguration. - Create a new policy. Select
Create, thenNew policy. - Select the platform and template. Under
Platform, chooseWindows 10 and later. UnderProfile type, chooseTemplates, then selectDevice restrictions, and chooseCreate. - Name the profile clearly. Use a name that an assessor and your IT provider can understand, such as
HIPAA - Windows - 5 Minute Auto-Lock. In the description, state that the policy supports HIPAA Workstation Security, 45 CFR § 164.310(c), by locking unattended Windows devices that can access ePHI. - Open the Device lock settings. On the
Configuration settingspage, expandDevice lock. - Set the inactivity limit. Locate
Maximum minutes of inactivity until screen locksand enter5. This is the setting that creates the Windows auto-lock policy for your enrolled clinic PCs. - Continue to assignments. Select
Nextuntil you reachAssignments. Assign the profile to a dedicated Microsoft Entra ID device group, such asHIPAA - Managed Windows Workstations. For BYOD, create a separate group such asHIPAA - Approved BYOD Windowsand assign the profile only after a user accepts your BYOD agreement and enrolls the device. - Review and create. Confirm that the intended groups are listed, then select
Create. Intune will apply the policy at the next device check-in; a user can also manually sync the device from Company Portal or from Windows Settings.
A five-minute setting is appropriate for many clinical areas, but your risk analysis may support a shorter interval for reception desks, shared charting stations, or computers positioned where patients can see the screen. If your clinicians have a documented workflow need for a longer interval, record the reason, compensating safeguards, and approval in your risk-management documentation rather than quietly creating an exception.
Which devices should receive the policy?
| Device type | Recommended assignment | Suggested inactivity limit |
|---|---|---|
| Front desk and billing Windows PCs | Required Intune enrollment; assign to managed workstation group | 5 minutes |
| Treatment-room shared Windows PCs | Required Intune enrollment; separate shared-device procedures | 3 to 5 minutes |
| Provider-owned Windows BYOD laptops | Assign only after BYOD agreement, enrollment, and approval | 5 minutes |
| Unenrolled personal computers | Do not permit ePHI access that requires device-level protection | Not applicable |
How can you verify that the auto-lock policy took effect?
Do not treat a successful policy creation message as proof that the setting reached your computers. Verify both Intune reporting and actual device behavior on at least one representative device from each assigned group, including an approved BYOD Windows device if your program permits those devices to access ePHI.
- In the Intune admin center, go to
Devices,Windows, thenConfiguration. - Select the
HIPAA - Windows - 5 Minute Auto-Lockprofile. - Open
Device and user check-in status. Confirm that the test computer reportsSucceeded, notPending,Error, orConflict. - On the Windows test device, open
Settings, selectAccounts, thenAccess work or school, select the connected work account, and chooseInfo, thenSyncif a fresh check-in is needed. - Leave the device untouched for five minutes. The screen should lock and display the Windows sign-in screen. Confirm that the user must authenticate before returning to the desktop or any ePHI application.
- For a technical spot check, run the following command in an elevated Command Prompt. A value of
5confirms the managed device-lock value is present.
reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock" /v MaxInactivityTimeDeviceLock
If the test device does not lock, first check for another Intune configuration profile, local policy, or security product that sets a conflicting inactivity value. Resolve the conflict rather than assuming the stricter setting will win. Keep one documented source of authority for the Windows idle-lock setting.
What evidence should you capture for a HIPAA assessor?
Your evidence should show the policy design, the scope of deployment, the successful technical result, and your process for handling exceptions. Screenshots are useful, but date them and store them with the policy export or change record so they are more than an isolated image.
- A screenshot of the Intune profile overview showing the policy name, description, platform, and creation date.
- A screenshot of
Configuration settingswithMaximum minutes of inactivity until screen locksset to5. - A screenshot or export of the
Assignmentspage showing the Microsoft Entra ID groups targeted by the policy. - A screenshot of
Device and user check-in statusshowing successful deployment to representative clinic-owned and approved BYOD Windows devices. - A dated screenshot or short test record showing a Windows device at the lock screen after five minutes and requiring sign-in to resume work.
- The output of the registry verification command for one representative device, saved with the test date and device asset identifier.
- Your BYOD agreement, device approval workflow, and list of approved personal devices that are allowed to access ePHI.
- Any documented exceptions, including the business reason, approving person, expiration date, and compensating controls.
Where does Intune fall short of the HIPAA workstation security control?
Intune can enforce the inactivity lock, but it does not by itself satisfy all of 45 CFR § 164.310(c). HIPAA Workstation Security is a physical safeguard: your practice must also control where devices are used, who can see their screens, and who is permitted to access ePHI after a workstation locks.
For example, the Intune policy cannot stop a receptionist from leaving a printed schedule on the counter, prevent a patient from viewing a monitor positioned toward the waiting room, or ensure that two staff members do not share one Windows sign-in. It also cannot protect an unenrolled personal computer that accesses ePHI outside your approved BYOD process.
Fill those gaps with written workstation-use rules, unique Entra ID accounts, strong sign-in methods such as Windows Hello for Business or multifactor authentication where appropriate, privacy screens in patient-facing areas, clean-desk procedures, secured treatment rooms, staff training, and a process to disable access when an employee or contractor leaves. For shared clinical computers, require each staff member to use an individual account and lock the device whenever they walk away, even if the Intune auto-lock timer has not yet expired.
Next, create your two Entra ID assignment groups—managed clinic workstations and approved BYOD Windows devices—then deploy and test the five-minute Intune policy on one device from each group before broad rollout.