Windows With regards to Windows, in order to check screenlock configurations you will need to determine whether a password is required when the device is woken from sleep, and then determine what the configured power settings are for the power plans that are currently active. You will also want to check whether the initiation of the screensaver results in a password prompt when resuming activity. macOS This is actually similar in concept to macOS where while there is a screenlock table, the story is actually significantly more complex than that table's boolean output. You need to reconcile its output against power settings, against managed policy settings, etc. For example: Let's say a user had the screenlock configured as demonstrated in the screenshot below. It shows that: • A password will be required when waking the computer after sleep or screensaver has started. • A grace period of 5 minutes (300s) will be permitted wherein a password will not be required after sleep/screensaver If power settings were configured such that the device never went to sleep and never initiated the screensaver, it really does not matter what the grace period, or require password values report back as, because they will never get an opportunity to be used.

Thanks a lot for the detailed answer @fritz! I will review some options with engineering and try to find a solution

@Grigory Emelianov Did your team ever come up with something?

@defensivedepth yes, we have a screenlock query for Windows in the Kolide product. It relies on custom launcher tables (eg.

kolide_wmi

) in order to work though.