Forum Discussion
Allow dynamic lock with FIDO key
Hi Marc_Gehri,
Unfortunately there is still nothing available from Microsoft. We wrote a little tool that runs as a tray icon. It watches for a FIDO key being removed and in that case locks the screen.
I can't give you the tool, but the most interesting code parts for writing the tool yourself would be these:
```csharp
using System.Diagnostics;
using System.Linq;
using System.Management;

// Returns true if at least one present PnP device reports the manufacturer "FIDO"
private static bool GetIsFidoKeyAvailable()
{
    return new ManagementObjectSearcher("SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'")
        .Get()
        .Cast<object>()
        .Any();
}
```

```csharp
private ManagementEventWatcher _managementEventWatcher;

// Subscribe to device change notifications and re-check the key on every change
this._managementEventWatcher = new ManagementEventWatcher();
WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent");
this._managementEventWatcher.EventArrived += delegate (object s, EventArrivedEventArgs e)
{
    var isKeyAvailable = GetIsFidoKeyAvailable();
    if (!isKeyAvailable)
    {
        // ToDo: Lock or log off current user
        Process.Start("C:\\WINDOWS\\system32\\rundll32.exe", "user32.dll,LockWorkStation");
    }
};
this._managementEventWatcher.Query = query;
this._managementEventWatcher.Start();
```
Be aware that we have seen (especially when using USB hubs) that the key sometimes gets announced as removed, only to come back a few hundred milliseconds later. For this reason we debounced the log-off to wait 1 second before really doing so.
- Dec 04, 2023
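The design described in the post above (Win32_DeviceChangeEvent notification, re-check the key, 1 second debounce), written out as an added PowerShell example; this is not the poster's tool and not code from the thread. It assumes the key enumerates as a Win32_PnPEntity with Manufacturer 'FIDO', which is the WQL filter the C# snippet uses; the function and parameter names are my own.

```powershell
# Added example (not from the original posts): event-driven lock on FIDO key removal with a debounce.
# Assumption: the key shows up as a Win32_PnPEntity whose Manufacturer is 'FIDO' (same filter as the
# C# snippet in the post). If your key enumerates differently, change the filter in Test-FidoKeyPresent.

# P/Invoke user32!LockWorkStation once per session (Add-Type errors if the type already exists)
if (-not ('Win32.User32' -as [type])) {
    Add-Type -Namespace Win32 -Name User32 -MemberDefinition @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
}

function Test-FidoKeyPresent {
    # True if at least one present PnP device reports manufacturer 'FIDO'
    $keys = Get-CimInstance -ClassName Win32_PnPEntity -Filter "Manufacturer='FIDO'" -ErrorAction SilentlyContinue
    return [bool]$keys
}

function Invoke-FidoRemovalLock {
    param(
        # Wait this long after a removal notification before trusting it: flapping USB hubs
        # re-announce the key a few hundred milliseconds after reporting it removed
        [int]$DebounceMs = 1000
    )

    if (-not (Test-FidoKeyPresent)) {
        Write-Warning 'No FIDO key detected; insert it before starting the watcher.'
    }

    # Win32_DeviceChangeEvent EventType 3 = device removal (2 would be arrival)
    $query = 'SELECT * FROM Win32_DeviceChangeEvent WHERE EventType = 3'
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'FidoDeviceChange'
    try {
        while ($true) {
            # Block until any device is removed; we re-query the key instead of parsing the event
            $null = Wait-Event -SourceIdentifier 'FidoDeviceChange'

            # Debounce, then drain the queue so a burst of hub events does not re-trigger the loop
            Start-Sleep -Milliseconds $DebounceMs
            Get-Event -SourceIdentifier 'FidoDeviceChange' | Remove-Event

            # Lock only if the key is still gone after the debounce window
            if (-not (Test-FidoKeyPresent)) {
                [void][Win32.User32]::LockWorkStation()
            }
        }
    }
    finally {
        Unregister-Event -SourceIdentifier 'FidoDeviceChange'
    }
}

Invoke-FidoRemovalLock
```

Wait-Event leaves the event in the session queue, so the drain step after the sleep is what keeps the loop from spinning on the same notification; it also collapses the remove/arrive pairs a bad hub generates into a single re-check.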
```powershell
# P/Invoke user32!LockWorkStation so the script can lock the session directly
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvokeUser32 {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool LockWorkStation();
}
"@

while ($true) {
    # USB\VID_1050&PID_0407 is a YubiKey hardware ID (vendor 1050 is Yubico); use the ID of your own key
    $fidoPresent = Get-PnpDevice | Where-Object { $_.HardwareId -match "USB\\VID_1050&PID_0407" -and $_.Status -eq "OK" }
    if (-not $fidoPresent) {
        [console]::beep(500, 500)                    # Optional: beep for debugging
        [PInvokeUser32]::LockWorkStation() | Out-Null # Lock the workstation
        Start-Sleep -Seconds 10                      # Wait 10 seconds before checking again
    }
    Start-Sleep -Seconds 5                           # Check every 5 seconds
}
```
Or you can use the GPO setting "Interactive logon: Smart card removal behavior" and run the "Smart Card Removal Policy" service.
Good luck!
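For the GPO route mentioned in the post above, here is an added PowerShell example (not code from the thread) that configures the same setting locally: it writes the ScRemoveOption value the policy controls and enables the Smart Card Removal Policy service (SCPolicySvc) that enforces it. It must run elevated. One caveat a reader should know: the service reacts to smart card removal as seen by the smart card resource manager, so it only helps if the key also exposes a smart card (CCID/PIV) interface, not for a FIDO-only device. Function names and the state helper are my own.

```powershell
# Added example (not from the original posts): local equivalent of the
# "Interactive logon: Smart card removal behavior" policy. Run as administrator.
# Assumption: the key presents a smart card interface; SCPolicySvc does not watch FIDO-only devices.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# ScRemoveOption values used by the policy (stored as REG_SZ):
# 0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect Remote Desktop session
$RemoveOptionNames = @{
    '0' = 'No action'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect RDS session'
}

function Get-SmartCardRemovalState {
    # Report the configured behavior and whether the enforcing service is actually running
    $opt = (Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    $behavior = 'Not configured'
    if ($null -ne $opt -and $RemoveOptionNames.ContainsKey([string]$opt)) {
        $behavior = $RemoveOptionNames[[string]$opt]
    }
    $status  = 'Missing'
    $startup = 'Missing'
    if ($svc) {
        $status  = $svc.Status
        $startup = $svc.StartType
    }

    [pscustomobject]@{
        ScRemoveOption = $opt
        Behavior       = $behavior
        ServiceStatus  = $status
        ServiceStartup = $startup
    }
}

function Set-SmartCardRemovalLock {
    param(
        [ValidateSet('0', '1', '2', '3')]
        [string]$Option = '1'   # default: lock the workstation on removal
    )

    # The policy stores the option as a string, so write REG_SZ rather than a DWORD
    Set-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -Value $Option -Type String

    # The registry value does nothing by itself; SCPolicySvc must be running to enforce it
    Set-Service -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc

    Get-SmartCardRemovalState
}

Set-SmartCardRemovalLock -Option '1'
```

Run Get-SmartCardRemovalState on its own to audit a machine: a ScRemoveOption of 1 with the service stopped is the common misconfiguration, because the GPO sets the value but does not start the service.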