Lock Windows PC Remotely: All Methods Explained

A laptop is missing. An employee just walked out with a company device. A PC is sitting unlocked on a conference room table two floors away. In each of those situationsyou need to know how to lock a PC remotelyand Windows doesn't give you one cleanuniversal answer. The right method depends entirely on the situation.

For a personal device signed into a Microsoft accountFind My Device handles this in under two minutes. For company devices on a domain or enrolled in an MDMthe options are different — and so are the surprises.

The biggest surprise: Microsoft Intune's Remote Lock button is greyed out for Windows 10 and 11 desktops. That's not a misconfiguration. This article explains exactly whyand what actually works instead.

What follows covers six methods organized by scenario — personal accounton-networkMDM workaroundsGPO-based auto-lockand fleet management — plus a section on when remote lock isn't enough on its own.

TL;DR

What "Remotely Locking a PC" Actually Means (and What It Doesn't)

If you already know the difference between a screen locka wipeand an account revocationskip to the methods section below.

Locking a Windows PC remotely means sending a signal to a device that forces the screen to lock — requiring a password or PIN before anyone can continue the session. It's not a shutdownnot a wipeand not the same as disabling a user account. Those are three different actionsand mixing them up leads to picking the wrong tool entirely.

Here's how they actually differ when you're deciding what to do with a lock Windows PC situation:

• Screen lock: the session stays activebut the screen requires credentials to unlock. If the disk isn't encryptedthe data is still physically accessible to someone with hardware access.
• Remote wipe: device data is erased. Destructiveirreversibleand not appropriate as a first step.
• Account disable: the user can't re-authenticate for new sessionsbut it does not end an active session already in progress.

Every remote lock method in this article also shares one hard requirement: the device must be online and reachable at the time the command is sent. If it's powered off or disconnectedthe lock either queues until reconnection or never arrives at all.

Screen lock also leaves the session activewhich means an unencrypted drive can still expose data even after the screen locks. BitLocker full-disk encryption is what closes that gap — someone who pulls the drive gets nothing readable without the recovery key. Lock and BitLocker together form a complete response. Neither one alone is the full answer.

6 Ways to Lock a Windows PC Remotely; Matched to Your Scenario

The right approach for how to lock a PC remotely comes down to three variables: whether the device has a Microsoft accountwhether it's on the company network or VPNand whether it's enrolled in an MDM. Pick the method that matches your current situation — you don't need to read all six.

Method 1: Windows Find My Device (Microsoft Account)

This is the fastest option for how to remotely lock a Windows 10 PC or Windows 11 machine that's signed into a personal or corporate Microsoft account and connected to the internet.

Setup (must be done before an incident):

• Windows 11: Settings → Privacy & security → Find my device → toggle On
• Windows 10: Settings → Update & Security → Find my device → toggle On

To lock remotely:

• Go to account.microsoft.com/devices in any browser
• Select the device → click Lock → click Next

The navigation path difference between Windows 10 (Update & Security) and Windows 11 (Privacy & security) is the most commonly missed setup stepadmins assume it's in the same place across both versions. It isn't.

Pros:

• Built into Windows 10 and 11no additional software
• Freeworks from any browser
• Fastunder two minutes when pre-configured

Cons/limits:

• Requires a Microsoft account (not a local account or domain-only account)
• Must be enabled before the incident — no retroactive activation
• Requires internet connectivity on the device
• Find My Device in Windows 11 24H2 still requires pre-configuration — nothing changed in the latest update

Method 2: Phone Link / Link to Windows (Android App)

As of December 2025Microsoft added a Lock PC feature to the Link to Windows Android app (v1.25071.165 and newer). 

Steps:

• Update the Link to Windows app to v1.25071.165 or newer
• On the PC: Settings → Bluetooth & devices → Mobile devices → Manage devices → enable Remote PC Controls
• Open Link to Windows on the Android phone → tap Lock PC

Pros:

• Free and Microsoft-native
• Works from anywhere the phone has mobile data
• One-tap action — fast for individual users

Cons/limits:

• Staged rollout — not all devices have it yet
• Requires pre-pairing between the phone and the PC
• Locks the Phone Link session too until the PC is unlocked locally
• Personal/user-facing toolnot an admin console action — not practical for fleet management

Method 3: PowerShell Remote Command (On Network or VPN)

When the target device is domain-joined or reachable via VPN and you have PS Remoting accessPowerShell via Invoke-Command is the most reliable script-based method.

Correct command (DllImport method):

Invoke-Command -ComputerName TARGETPC -ScriptBlock {
(Add-Type -memberDefinition '[DllImport("user32.dll"SetLastError = true)] public static extern bool LockWorkStation();' -name "Win32LockWorkStation" -namespace Win32Functions -passthru)::LockWorkStation() | Out-Null
}

Do NOT use rundll32.exe user32.dll,LockWorkStation via PsExec for remote execution. This command has a documented calling convention incompatibility per Raymond Chen's Microsoft developer documentation. Spiceworks admins consistently report it "runs successfully" but never locks the screen when executed remotely — it runs in the SYSTEM account contextnot the logged-on user's session. The DllImport method above runs correctly via Invoke-Command in the user's session.

Pros:

• Free (PowerShell is built inSysinternals is free)
• Works over VPN
• No third-party agent required

Cons/limits:

• Requires VPN or LAN access — won't work off-network
• PS Remoting must be enabled on the target machine beforehand
• Admin credentials required on the target

Troubleshooting: If the PowerShell command runs without error but the screen doesn't lockconfirm that Invoke-Command is executing in the logged-on user's session contextnot the SYSTEM account. That's the most common cause of silent failures.

Method 4: Intune — The Gap and the Workaround

If your devices are enrolled in Intune and you're expecting to trigger a remote lock on a Windows PC from the Intune consoleyou're going to hit a wall. Microsoft Intune's Remote Lock action does not support Windows 10 or Windows 11 desktop devices — confirmed in Microsoft's documentation and a recurring discovery shock across r/Intune threads and Experts Exchange. The button is greyed out. It works for AndroidiOS/iPadOSand macOS. Not Windows.

This is a platform limitationnot a permissions issue. Confirmed still unsupported per 2024–2025 documentation — no changelog entries indicate a change.

Workaround (community-sourced via r/Intune): An Intune Remediation script deploys registry values that disable all Windows Credential Providersforcing a logoff and displaying a custom legal notice on the sign-in screen. A second reversal script re-enables sign-in when you're ready. This is the closest Intune can get to a native remote lock for Windows desktops without adding third-party tooling.

Pros of workaround:

• Works entirely via Intune — no extra software
• Achieves a meaningful lockout effect

Cons/limits:

• Requires scripting — not a one-click action
• Community-supportednot an official Microsoft feature
• Device must check in with Intune to receive the script

If you need a supportedconsole-native remote lock action for Windows — not a scripted workaround — Method 6 covers what Intune's gap leaves behind.

Troubleshooting: If the Remote Lock button appears but is greyed out for a Windows device in Intunethat's expected behaviorit's a platform limitationnot a permissions configuration issue.

Method 5: BitLocker Recovery Mode (Terminated Employee Scenario)

A screen lock isn't the right tool when an employee has been let go and still has a company laptop. A determined user can reboot and re-authenticate with cached credentials. Triggering BitLocker recovery mode forces the device to reboot into a recovery screen requiring a 48-character key that only IT holds — there's no bypass through rebooting or waiting out a timeout.

Steps:

• Via PowerShell (run remotely via Invoke-Command): manage-bde -forcerecovery C:
• Via Intune or MDM: deploy a Remediation script containing the above command

A practitioner on r/Intune confirmed this approach directly: "We run a script to force BitLocker recovery and restart the device. Locks them completely out of the device."

Pros:

• Complete lockout — user cannot re-enter without the recovery key
• Far more effective than a session lock for termination scenarios
• Pair it with disabling the Entra ID account to block re-authentication from any device

Cons/limits:

• Requires a full reboot — disruptive by design
• BitLocker must have been enabled on the device before the incident
• Not reversible without IT providing the recovery key

The BitLocker pre-condition isn't a flaw in the methodit's an argument for enabling BitLocker at enrollment timenot after a device goes missing. Proactive policy enforcement at enrollment is what makes this method available when you need it.

Troubleshooting: If manage-bde -forcerecovery returns an access denied error when run remotelyconfirm the script is running with elevated privileges and that BitLocker was already enabled on that volume.

Method 6: MDM with Remote PowerShell Command Deployment (Fleet Scale)

Methods 3 and 5 workbut they don't scale. If you're managing a fleet of Windows devicesyou need remote lock available as a repeatableon-demand action from a central consolenot a script you manually trigger per device over VPN.

An MDM that supports PowerShell script deployment to Windows devices lets you run the DllImport lock command from Method 3 as an immediatescheduledor post-enrollment triggered actionwithout being on the same network as the device.

Trio MDM's remote commands feature supports PowerShell (.ps1) execution on enrolled Windows devices; admins can run commands on-the-goschedule them for a future timeor configure them to trigger automatically after enrollment.

Pros:

• Scales to any fleet size
• No VPN required — agent-basedworks while the device is online anywhere
• Reusable command templates save time across repeated incidents

Cons/limits:

• Requires device enrollment and agent installation beforehand
• Requires an MDM subscription

The organizational blocker here is usually not technical — it's getting device enrollment done before an incidentnot after.

When Remote Lock Isn't Enough: The Case for Proactive Policies

The 15-Minute Rule — Why Compliance Frameworks Agree on Inactivity Lock

Remote lock is always reactive — it only runs after you notice a problem. GPO-enforced inactivity lock runs automaticallyevery timewith no admin action required. It catches the unlocked PC in the conference room before you even realize it's unattended.

DISA STIG V-203599PCI DSS v4.0 Requirement 8.2.8 (in effect since March 312024)NIST SP 800-171 Rev2 Control 3.1.10and CMMC 2.0 AC.L2-3.1.10 (final rule effective December 162024) all require session lock after 15 minutes of inactivity. If your environment is subject to any of thesethis isn't optional.

To configure via GPO: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" → set to 900 seconds. The corresponding registry value is InactivityTimeoutSecs under the System policies key.

GPO covers on-premise and domain-joined environments. For off-network remote workersMDM policy management is how you extend the same inactivity lock enforcement to devices that never touch the corporate network.

One second-order consequence worth knowing: if your screensaver timeout is shorter than the GPO Machine Inactivity Limit valuethe screensaver wins. The screen will lock at the screensaver intervalnot the GPO interval. If screensaver is set to 2 minutes and the GPO is set to 15 minutesthe device locks at 2 minutes. That's fine from a security standpointjust don't assume GPO is the controlling value if both are set.

What to Do When the Device Is Already Offline

Every method in this article — without exception — requires the device to be reachable. If a laptop is stolenpowered offor connected to a network you can't reachthe lock command queues and may never execute.

The real protection for offline scenarios is BitLocker full-disk encryptionpre-enabled at enrollment. Even if the lock command never arrivesan encrypted drive is unreadable without the recovery key. The average cost of a data breach reached $4.88 million in 2024 (IBMall industries globally)a record high. Pre-encrypting every managed device is the control that protects data when the lock command can't get through.

Lock is the immediate response when a device goes missing. Encryption is the background protection that works regardless of whether that command ever arrives. For windows device management at scaleboth need to be in place before an incident — not configured in response to one.

Which Method Should You Use? A Scenario Guide

The comparison table above shows the specs. This section routes you directly to the right method for your specific situation right now.

If your fleet includes Android or iPhone devices alongside Windows machinesthe approach differs by platform. See remote lock android and remote lock iphone for platform-specific guides.

How Trio MDM Helps You Lock and Manage Windows Devices at Scale

When you're working out how to lock a PC remotely across a Windows fleet — not just one device — the manual methods in this article become difficult to repeat at scale. A script run over VPN works once. It doesn't work at 11pm when a device goes missing and you're not on the corporate network.

Trio MDM's remote commands feature supports PowerShell (.ps1) script execution on enrolled Windows devices. Admins can run the DllImport lock command from Method 3 as an on-the-go action from the consoleschedule it for a future timeor configure it to trigger automatically after a device completes enrollment. There's no VPN dependencythe agent handles delivery while the device is onlinewherever it is.

For the terminated employee scenario in Method 5Trio MDM stores BitLocker recovery keys securely on the backend. When you trigger BitLocker recovery mode remotelythe 48-character key is in your Trio MDM console — not in a spreadsheet or a departing admin's inbox.

For compliance-driven environmentsTrio MDM fully covers CIS Level 1 and Level 2 frameworksand covers the full technical implementation domain of HIPAA and GDPR — the non-technical requirements fall outside what any MDM tool can address.

The contrast with manual methods is real: with proper MDM tooling in placeyou can lock a device and push a BitLocker recovery trigger in seconds from a single consoleno VPNno running scripts by handno relying on pre-paired phones.

Start your free trial or Book a demo to see how Trio MDM handles Windows remote command deployment and BitLocker key escrow in practice.