Forum Discussion
Allow dynamic lock with FIDO key
Hi OliMue,
have you found a solution to this problem in the meantime?
I currently have 2 customers in the healthcare sector who need exactly this solution. Better than LOCK would be LOGOFF....
The staff uses shared computers, until now with a general account. Now everything is being changed to personal accounts and this is causing discontent among the staff. It is tedious and slow to log on, and logging off is not done either.
Therefore, the login is done via FIDO-Key, which caused positive reactions from the staff, but the logout is still the problem....
Regards
Marc
- OliMue, Oct 24, 2022, Copper Contributor
Hi Marc_Gehri,
unfortunately there is still nothing available from Microsoft. We wrote a little tool that runs as a tray icon. It watches for a FIDO key being removed and in that case it locks the screen.
I can't give you the tool, but the most interesting code parts for writing the tool yourself would be these:
// Fragments from a larger class; they need a reference to System.Management and these usings:
using System;
using System.Diagnostics;
using System.Linq;
using System.Management;

private ManagementEventWatcher _managementEventWatcher;

// True while at least one Plug and Play device reports "FIDO" as its manufacturer
private static bool GetIsFidoKeyAvailable()
{
    return new ManagementObjectSearcher("SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'")
        .Get().Cast<object>().Any<object>();
}

// Subscribe to WMI device-change events and lock the session once the key is gone
this._managementEventWatcher = new ManagementEventWatcher();
WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent");
this._managementEventWatcher.EventArrived += delegate(object s, EventArrivedEventArgs e)
{
    var isKeyAvailable = GetIsFidoKeyAvailable();
    if (!isKeyAvailable)
    {
        // ToDo: Lock or log off current user
        Process.Start("C:\\WINDOWS\\system32\\rundll32.exe", "user32.dll,LockWorkStation");
    }
};
this._managementEventWatcher.Query = query;
this._managementEventWatcher.Start();
Be aware that we have seen (especially when using USB hubs) that the key sometimes gets announced as removed, only to come back a few hundred milliseconds later. For this purpose we debounced the log off to wait for 1 sec before really doing so.
- evalguy, Oct 13, 2023, Copper Contributor
Can you please post the entire tool somewhere?
- MICOCVIKO, Jul 01, 2023, Copper Contributor
Could you please share the tool you created with us? Thank you!
- baukeokkema, Apr 06, 2023, Copper Contributor
- Vladislav_Shihov, Dec 05, 2023, Copper Contributor
# Expose LockWorkStation() from user32.dll to PowerShell
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvokeUser32 {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool LockWorkStation();
}
"@

while ($true) {
    # Look for the key by USB vendor/product ID (0x1050 is Yubico's vendor ID); adjust to your key model
    $fidoPresent = Get-PnpDevice | Where-Object { $_.HardwareId -match "USB\\VID_1050&PID_0407" -and $_.Status -eq "OK" }
    if (-not $fidoPresent) {
        [console]::beep(500, 500)            # Optional: Beep for debugging
        [PInvokeUser32]::LockWorkStation()   # Lock the workstation
        Start-Sleep -Seconds 10              # Wait for 10 seconds before checking again
    }
    Start-Sleep -Seconds 5                   # Check every 5 seconds
}
Or you can use the GPO setting "Interactive logon: Smart card removal behavior" and run the "Smart Card Removal Policy" service.
Good luck!
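As an added example (not code from OliMue or Vladislav_Shihov), here is a PowerShell variant that combines the WMI Win32_DeviceChangeEvent subscription from the C# snippet above with the Get-PnpDevice check and the 1 s debounce OliMue describes, so that a hub briefly re-enumerating the key does not lock the session. The hardware ID pattern and the event source identifier are assumptions; change the ID to match the key model in use.

```powershell
# Added example: event-driven, debounced FIDO-removal lock (not code from the thread authors).
Add-Type @"
using System.Runtime.InteropServices;
public class PInvokeUser32 {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool LockWorkStation();
}
"@

$keyHardwareId = 'USB\\VID_1050&PID_0407'   # assumption: regex for your key model (0x1050 = Yubico vendor ID)
$debounceMs    = 1000                        # the 1 s grace period described in the thread

function Test-FidoKeyPresent {
    # HardwareId is an array; -match filters it, so the result is truthy when any entry matches
    $found = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { ($_.HardwareId -match $keyHardwareId) -and $_.Status -eq 'OK' }
    return [bool]$found
}

# Subscribe to device-change events instead of polling every few seconds
$sourceId = 'FidoDeviceChange'   # assumption: any unique name works
Register-CimIndicationEvent -Query 'SELECT * FROM Win32_DeviceChangeEvent' -SourceIdentifier $sourceId

try {
    while ($true) {
        # Block until a device-change event arrives, then drop it from the queue
        $null = Wait-Event -SourceIdentifier $sourceId
        Remove-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue

        if (Test-FidoKeyPresent) { continue }   # key still enumerated: the change was some other device

        # Debounce: USB hubs can report a removal and a re-insert a few hundred ms apart
        Start-Sleep -Milliseconds $debounceMs
        if (-not (Test-FidoKeyPresent)) {
            Write-Host "$(Get-Date -Format o) FIDO key removed, locking workstation"
            [void][PInvokeUser32]::LockWorkStation()
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier $sourceId
}
```

LockWorkStation only affects the interactive session it is called from, so the script has to run in the logged-on user's context (for example as a scheduled task triggered at logon), not as a service.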