Configuring the Transparent Screen Lock
The Transparent Screen Lock (TSL) blocks user interaction with applications and Microsoft Windows operating systems by intercepting the information from interface devices (such as the computer mouse and keyboard) until the user is authenticated.
As the computer screen stays visible, the user can observe all the information in real time but cannot interact until the screen is unlocked.
Activating the Transparent Screen Lock
After the user logs on to Microsoft Windows, DigitalPersona checks if the Enable transparent screen lock GPO setting is enabled.
If the Transparent Screen Lock is enabled and running, its initial state is 'passive' while it waits for an activation event to lock the screen. In the passive state, the Transparent Screen Lock monitors the user's input but does not block it.
The Transparent Screen Lock activates when the user either:
- Has been inactive for a certain period of time as defined by the Transparent screen lock timeout GPO setting
- Presses the Transparent Screen Lock hotkey combination as defined by the Transparent screen lock hotkey GPO setting
- Presents their enrolled contactless card or fingerprint credential if enabled by the Activate Transparent Screen Lock GPO setting
In the active state:
- The only keyboard combination available to the user is CTRL+ALT+DEL, allowing them to log off, restart or shut down the computer
- The Transparent Screen Lock blocks the Task Manager link in the CTRL+ALT+DEL screen for administrative users, making it impossible to use the Task Manager to stop the application and access the protected screen
When the Transparent Screen Lock is active, it prevents all user interaction with the computer screen until one of the unlocking events occurs.
- When the Transparent Screen Lock is running, a crossed red circle cursor is visible around the screen
- The Transparent Screen Lock is not visible in the system Task bar
- Provides protection against efforts to break in, such as a forced keystroke auto-repeat
- Generates Windows Event messages to track the screen locks/unlocks. It also reports efforts to break the protection.
- Does not allow running a second instance of the application for the same user, but it can be run separately for every logged-in user
Unlocking Transparent Screen Lock
To unlock the protected screen and allow user interaction, the Transparent Screen Lock supports DigitalPersona multi-factor authentication (using the Verify Your Identity dialog). The user can trigger the authentication process by:
- Pressing a non-system keyboard key
- Clicking the mouse
- Presenting their enrolled contactless card or fingerprint credential to the reader
The Transparent Screen Lock stays in the active state if:
- The authentication fails
- There is no user input in the Verify Your Identity dialog for two minutes, after which it will close
The user can manually close the dialog by pressing the Esc key or clicking the close button.
When a user locks the computer, or puts it to sleep/hibernate, the Transparent Screen Lock stops running and resumes when the computer is unlocked.
When a user logs off, or shuts down the computer, the Transparent Screen Lock closes securely.
Configuring the Transparent Screen Lock
By default, the feature is disabled. To enable it, use the Enable transparent screen lock GPO setting in Computer Configuration\Policies\Administrative Templates/HID DigitalPersona (AD)/Workstations/Transparent Screen Lock.
Once you have enabled the Transparent screen lock feature, you can configure the additional settings:
Setting | Description | Default value |
---|---|---|
Transparent screen lock timeout | Specifies the idle time after which the Transparent Screen Lock will be automatically activated. Set to Enabled to change the default timeout (10 minutes): | Not configured - the default timeout of 10 minutes is applied |
Transparent screen lock hotkey | Specifies the hotkey combination on the keyboard to activate the Transparent Screen Lock. If Enabled, you can also configure the hotkey combination (by default, CTRL+Z). The supported values are: | Disabled - the Transparent Screen Lock cannot be activated using the hotkey combination |
Quick Actions - Activate Transparent Screen Lock | Specifies if credentials (contactless card or fingerprint) can be used to activate the Transparent Screen Lock | Disabled - the Transparent Screen Lock cannot be activated using credentials |
After enabling/disabling the Transparent Screen Lock, you need to wait at least five seconds before you can change the mode again.
For the GPO setting changes to take effect, the user must log off and log on again.