Controlling hibernation of laptops within the user context


Controlling hibernation of laptops within the user context

This blog article will show you how to enable control of hibernation for users without administrative rights on their laptop.  It will show you that there is another method besides switching it off or on which allows users to control timing but not behavior. 

Why give user control?

I’m sure many of you will have that one question in mind, why give users control over hibernation settings when you can do that via a group policy? Recently I ran into a customer that had a policy that hibernation on-premises had to be disabled and when off-premises it had to be enabled. The reason behind this was that users working on-premises should not be bothered with hibernating laptops.
The reason they need hibernation instead of sleep mode is that with sleep mode the disk of the laptop comes back to life differently. When the laptop resumes after sleep mode the disks, encrypted with Checkpoint) are not encrypted anymore. The process of encryption is not started before anyone can access the laptop.

With hibernation this behavior is different, when the laptop comes out of hibernation before you can access the disk encryption is enabled. When the laptop comes out of hibernation, before you can logon to Windows, you first have to enter your credentials for encryption.

First the encryption then the Windows logon..

I can understand why they want this, so let’s figure it out.

Environment

With the requirement in place I went on a search, how hard can it be. The environment we were building was a Microsoft Windows 7 laptop environment with 2000 users. The environment is managed with RES Workspace Manager. 

Hibernation

Hibernation is a system setting, a user does not have the ability to change this. When you open a standard command prompt (so not elevated) you will get an access denied when trying to switch of or on hibernation.

Hibernation is switched off or on with the command C:WindowsSystem32PowerCFG.EXE -H {on/off}
So the ideal situation would be to switch it off when users are on-premises and switch it on when they are not.
With RES Workspace Manager it’s easy to determine if users are online, offline, on-premises or off-premises. So it’s easy to start a task at the change of those moments.
The problem I encountered here is that even though we can start any command at any time all commands we start are in the context of the user. RES Workspace Manager is a User Environment Management solution.
Of course there are ways of starting stuff in the context of the system, we tried Landesk to execute the command at logon that worked but that doesn’t solve or context issue, when the user goes offline the setting isn’t changed.
So we had to come up with something else..

Don’t disable it, change it

So we discovered we can’t disable hibernation from the user context but the user has the option to change the time before hibernation will take place. 
What if we change the timing of hibernation to e.g. 600 minutes when the user is on-premises and change it back to e.g. 2 minutes when they’re not? that would do the job, wouldn’t it? 
So the user is able to change it but not enable or disable it.
Changing the timing settings for hibernation will achieve the same effect as disabling.

Command

The command to change the hibernation settings from a user context is:
C:WindowsSystem32PowerCFG.EXE -change -hibernate-timeout-ac {minutes}
There are more option to configure like this, to be found with the /? command.
The options at hand are:
  • monitor-timeout-ac
  • monitor-timeout-dc
  • disk-timeout-ac
  • disk-timeout-dc
  • standby-timeout-ac
  • standby-timeout-dc
  • hibernate-timeout-ac
  • hibernate-timeout-dc
The command I’m using to control hibernation for on-premises users is C:WindowsSystem32PowerCFG.EXE -change -hibernate-timeout-ac 10 where 10 is 10 minutes.

RES Workspace Manager

With RES Workspace Manager I created two tasks, one for online connections and one for offline connections. I created a connection state detection to verify if a user is online e.g. on-premises. When network connectivity changes RES will detect that and verify.
 Depending on the connection status one of the scripts will run and hibernation will be set to a certain time.

Conclusion

Creating a task like described above gives control over the hibernation without requiring the user to have administrative rights. We’ve tested the environment and it worked flawless. One thing I might have to add is that you can’t use this before the laptop encryption (at least with Checkpoint) is finished indexing. Hibernation is not an option before that.

Leave a Reply

https://tracking.cirrusinsight.com/869c29e2-3a9b-48c5-9232-0b95e7993ae8/controlup-com-pixel-php