Intune Compliance Policy Sets 1-Minute Lock: Why It Happens and How to Fix It
Intune Compliance Policy vs Configuration Policy: Why Your Windows Device Locks After 1 Minute
The issue you’re describing is common with Intune compliance policies. Here’s what’s happening and how to fix it.
The Root Problem
Compliance policies check settings but don’t usually set them. However, Windows compliance policies can sometimes enforce device lock settings through the DeviceLock CSP (Configuration Service Provider), especially when using Exchange Active Sync (EAS) protocols.
When you set a compliance policy with “Maximum minutes of inactivity before password is required” to 15 minutes, it’s meant to verify that devices meet this requirement. But in some cases, the policy actually enforces a 1-minute lock timeout instead of just checking for compliance.
Key Differences Between Policy Types
Compliance Policy:
- Checks if devices meet security requirements
- Reports compliance status
- Can be used with Conditional Access
- Sometimes enforces settings via EAS/DeviceLock CSP
Configuration Policy:
- Actually pushes and sets the configuration
- Uses Settings Catalog or Administrative Templates
- Controls the “Max Inactivity Time Device Lock” setting
Solutions to Try
1. Use Configuration Policy Instead
Create a configuration policy to properly set the lock timeout:
- Go to Devices > Windows > Configuration profiles > Create
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Search for “Max Inactivity Time Device Lock” under Device Lock
- Set your desired timeout (15 minutes = 900 seconds)
2. Check Local Security Policy
The 1-minute lock might come from the “Interactive logon: Machine inactivity limit” setting:
- Run secpol.msc
- Navigate to Local Policies > Security Options
- Check “Interactive logon: Machine inactivity limit”
- This can override other timeout settings
3. Look for Hardware Features
Some laptops have additional auto-lock features:
- Lenovo ThinkPads: Human Presence Detection sensors that lock after 1 minute when you step away
- HP laptops: “Presence Aware” technology
- Intel-based systems: Context Sensing Technology or “Lock on leave” features
To disable these:
- Check Lenovo Vantage app for “Smart Assist” settings
- Look in BIOS for “Intelligent Security” options
- Disable “Virtual Lock Sensor” service in Windows
- Check Device Manager for “Elliptic Virtual Lock Sensor”
4. Review Policy Conflicts
Check for overlapping policies:
- Look for multiple configuration profiles targeting the same devices
- Review security baselines that might include lock timeout settings
- Use MDM Diagnostic Reports to identify conflicting sources
5. Assignment Method Matters
Change policy assignment from device-based to user-based. Device-assigned compliance policies are more likely to enforce DeviceLock CSP settings immediately.
Why This Happens
The compliance policy uses the DeviceLock CSP under the hood, which was originally designed for Exchange Active Sync. This can cause unexpected enforcement behavior rather than just compliance checking.
Verification Steps
After making changes:
- Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock
- Look for MaxInactivityTimeDeviceLock value
- Sync devices and wait 15-30 minutes for policy application
- Test the actual lock behavior
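The registry, local security policy and service checks described above can be collected in one read-only pass. This is an added example, not part of the original article: the function name Get-LockTimeoutSource is hypothetical, and the InactivityTimeoutSecs registry location is the standard backing value for “Interactive logon: Machine inactivity limit”, which the article names only by its policy title.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Run in Windows PowerShell on the affected device.
function Get-LockTimeoutSource {
    # 1. MDM-delivered DeviceLock values (registry path given in the article).
    $mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    if (Test-Path -Path $mdmKey) {
        (Get-ItemProperty -Path $mdmKey).PSObject.Properties |
            Where-Object { $_.Name -like 'MaxInactivityTimeDeviceLock*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source = 'MDM PolicyManager DeviceLock'
                    Name   = $_.Name
                    Value  = $_.Value
                }
            }
    }

    # 2. "Interactive logon: Machine inactivity limit" is backed by the
    #    InactivityTimeoutSecs value (seconds). Absent means not configured.
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $sysKey -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{
            Source = 'Local security policy'
            Name   = 'InactivityTimeoutSecs'
            Value  = $item.InactivityTimeoutSecs
        }
    }

    # 3. Presence-detection service named in the article, matched by display name.
    Get-Service -DisplayName '*Virtual Lock Sensor*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'Presence-detection service'
                Name   = $_.DisplayName
                Value  = $_.Status
            }
        }
}

# Any row returned is a candidate source for the observed lock timeout.
Get-LockTimeoutSource | Format-Table -AutoSize
```

Running it before and after an Intune sync shows which source changed, which helps separate an MDM-delivered value from a local policy or a hardware presence sensor.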
The solution is typically to use a proper configuration policy instead of relying on compliance policy for setting lock timeouts, and to check for any hardware-based presence detection features that might be overriding your policy settings.
