Lock Windows PC Remotely: All Methods Explained

A laptop is missing. An employee just walked out with a company device. A PC is sitting unlocked on a conference room table two floors away. In each of those situations, you need to know how to lock a PC remotely, and Windows doesn't give you one clean, universal answer. The right method depends entirely on the situation.

For a personal device signed into a Microsoft account, Find My Device handles this in under two minutes. For company devices on a domain or enrolled in an MDM, the options are different — and so are the surprises.

The biggest surprise: Microsoft Intune's Remote Lock button is greyed out for Windows 10 and 11 desktops. That's not a misconfiguration. This article explains exactly why, and what actually works instead.

What follows covers six methods organized by scenario — personal account, on-network, MDM workarounds, GPO-based auto-lock, and fleet management — plus a section on when remote lock isn't enough on its own.

TL;DR

Windows Find My Device works for personal Microsoft accounts — go to account.microsoft.com/devices to lock in a few clicks, but the PC must be online and pre-configured.
Microsoft Intune's Remote Lock does NOT work for Windows 10/11 desktops — the button is greyed out. This is a confirmed platform limitation, not a misconfiguration.
On a company network or VPN, a PowerShell remote command is the most reliable script-based method — not rundll32, which has a known bug when run remotely.
Group Policy inactivity timeout (15 minutes) is your proactive baseline — configure it once and it catches what reactive remote lock misses.
For terminated employees, triggering BitLocker recovery mode is more effective than a session lock — the user cannot re-enter without the recovery key that only IT holds.
A dedicated MDM tool with PowerShell script deployment gives you remote lock on demand, across your whole fleet, without being on the same network.

What "Remotely Locking a PC" Actually Means (and What It Doesn't)

If you already know the difference between a screen lock, a wipe, and an account revocation, skip to the methods section below.

Locking a Windows PC remotely means sending a signal to a device that forces the screen to lock — requiring a password or PIN before anyone can continue the session. It's not a shutdown, not a wipe, and not the same as disabling a user account. Those are three different actions, and mixing them up leads to picking the wrong tool entirely.

Here's how they actually differ when you're deciding what to do with a lock Windows PC situation:

Screen lock: the session stays active, but the screen requires credentials to unlock. If the disk isn't encrypted, the data is still physically accessible to someone with hardware access.
Remote wipe: device data is erased. Destructive, irreversible, and not appropriate as a first step.
Account disable: the user can't re-authenticate for new sessions, but it does not end an active session already in progress.

Every remote lock method in this article also shares one hard requirement: the device must be online and reachable at the time the command is sent. If it's powered off or disconnected, the lock either queues until reconnection or never arrives at all.

Screen lock also leaves the session active, which means an unencrypted drive can still expose data even after the screen locks. BitLocker full-disk encryption is what closes that gap — someone who pulls the drive gets nothing readable without the recovery key. Lock and BitLocker together form a complete response. Neither one alone is the full answer.

6 Ways to Lock a Windows PC Remotely; Matched to Your Scenario

The right approach for how to lock a PC remotely comes down to three variables: whether the device has a Microsoft account, whether it's on the company network or VPN, and whether it's enrolled in an MDM. Pick the method that matches your current situation — you don't need to read all six.

Method 1: Windows Find My Device (Microsoft Account)

This is the fastest option for how to remotely lock a Windows 10 PC or Windows 11 machine that's signed into a personal or corporate Microsoft account and connected to the internet.

Setup (must be done before an incident):

Windows 11: Settings → Privacy & security → Find my device → toggle On
Windows 10: Settings → Update & Security → Find my device → toggle On

To lock remotely:

Go to account.microsoft.com/devices in any browser
Select the device → click Lock → click Next

The navigation path difference between Windows 10 (Update & Security) and Windows 11 (Privacy & security) is the most commonly missed setup step, admins assume it's in the same place across both versions. It isn't.

Pros:

Built into Windows 10 and 11, no additional software
Free, works from any browser
Fast, under two minutes when pre-configured

Cons/limits:

Requires a Microsoft account (not a local account or domain-only account)
Must be enabled before the incident — no retroactive activation
Requires internet connectivity on the device
Find My Device in Windows 11 24H2 still requires pre-configuration — nothing changed in the latest update

Method 2: Phone Link / Link to Windows (Android App)

As of December 2025, Microsoft added a Lock PC feature to the Link to Windows Android app (v1.25071.165 and newer).

Steps:

Update the Link to Windows app to v1.25071.165 or newer
On the PC: Settings → Bluetooth & devices → Mobile devices → Manage devices → enable Remote PC Controls
Open Link to Windows on the Android phone → tap Lock PC

Pros:

Free and Microsoft-native
Works from anywhere the phone has mobile data
One-tap action — fast for individual users

Cons/limits:

Staged rollout — not all devices have it yet
Requires pre-pairing between the phone and the PC
Locks the Phone Link session too until the PC is unlocked locally
Personal/user-facing tool, not an admin console action — not practical for fleet management

Method 3: PowerShell Remote Command (On Network or VPN)

When the target device is domain-joined or reachable via VPN and you have PS Remoting access, PowerShell via Invoke-Command is the most reliable script-based method.

Correct command (DllImport method):

Invoke-Command -ComputerName TARGETPC -ScriptBlock {
(Add-Type -memberDefinition '[DllImport("user32.dll", SetLastError = true)] public static extern bool LockWorkStation();' -name "Win32LockWorkStation" -namespace Win32Functions -passthru)::LockWorkStation() | Out-Null
}

Do NOT use rundll32.exe user32.dll,LockWorkStation via PsExec for remote execution. This command has a documented calling convention incompatibility per Raymond Chen's Microsoft developer documentation. Spiceworks admins consistently report it "runs successfully" but never locks the screen when executed remotely — it runs in the SYSTEM account context, not the logged-on user's session. The DllImport method above runs correctly via Invoke-Command in the user's session.

Pros:

Free (PowerShell is built in, Sysinternals is free)
Works over VPN
No third-party agent required

Cons/limits:

Requires VPN or LAN access — won't work off-network
PS Remoting must be enabled on the target machine beforehand
Admin credentials required on the target

Troubleshooting: If the PowerShell command runs without error but the screen doesn't lock, confirm that Invoke-Command is executing in the logged-on user's session context, not the SYSTEM account. That's the most common cause of silent failures.

Method 4: Intune — The Gap and the Workaround

If your devices are enrolled in Intune and you're expecting to trigger a remote lock on a Windows PC from the Intune console, you're going to hit a wall. Microsoft Intune's Remote Lock action does not support Windows 10 or Windows 11 desktop devices — confirmed in Microsoft's documentation and a recurring discovery shock across r/Intune threads and Experts Exchange. The button is greyed out. It works for Android, iOS/iPadOS, and macOS. Not Windows.

This is a platform limitation, not a permissions issue. Confirmed still unsupported per 2024–2025 documentation — no changelog entries indicate a change.

Workaround (community-sourced via r/Intune): An Intune Remediation script deploys registry values that disable all Windows Credential Providers, forcing a logoff and displaying a custom legal notice on the sign-in screen. A second reversal script re-enables sign-in when you're ready. This is the closest Intune can get to a native remote lock for Windows desktops without adding third-party tooling.

Pros of workaround:

Works entirely via Intune — no extra software
Achieves a meaningful lockout effect

Cons/limits:

Requires scripting — not a one-click action
Community-supported, not an official Microsoft feature
Device must check in with Intune to receive the script

If you need a supported, console-native remote lock action for Windows — not a scripted workaround — Method 6 covers what Intune's gap leaves behind.

Troubleshooting: If the Remote Lock button appears but is greyed out for a Windows device in Intune, that's expected behavior, it's a platform limitation, not a permissions configuration issue.

Method 5: BitLocker Recovery Mode (Terminated Employee Scenario)

A screen lock isn't the right tool when an employee has been let go and still has a company laptop. A determined user can reboot and re-authenticate with cached credentials. Triggering BitLocker recovery mode forces the device to reboot into a recovery screen requiring a 48-character key that only IT holds — there's no bypass through rebooting or waiting out a timeout.

Steps:

Via PowerShell (run remotely via Invoke-Command): manage-bde -forcerecovery C:
Via Intune or MDM: deploy a Remediation script containing the above command

A practitioner on r/Intune confirmed this approach directly: "We run a script to force BitLocker recovery and restart the device. Locks them completely out of the device."

Pros:

Complete lockout — user cannot re-enter without the recovery key
Far more effective than a session lock for termination scenarios
Pair it with disabling the Entra ID account to block re-authentication from any device

Cons/limits:

Requires a full reboot — disruptive by design
BitLocker must have been enabled on the device before the incident
Not reversible without IT providing the recovery key

The BitLocker pre-condition isn't a flaw in the method, it's an argument for enabling BitLocker at enrollment time, not after a device goes missing. Proactive policy enforcement at enrollment is what makes this method available when you need it.

Troubleshooting: If manage-bde -forcerecovery returns an access denied error when run remotely, confirm the script is running with elevated privileges and that BitLocker was already enabled on that volume.

Method 6: MDM with Remote PowerShell Command Deployment (Fleet Scale)

Methods 3 and 5 work, but they don't scale. If you're managing a fleet of Windows devices, you need remote lock available as a repeatable, on-demand action from a central console, not a script you manually trigger per device over VPN.

An MDM that supports PowerShell script deployment to Windows devices lets you run the DllImport lock command from Method 3 as an immediate, scheduled, or post-enrollment triggered action, without being on the same network as the device.

Trio MDM's remote commands feature supports PowerShell (.ps1) execution on enrolled Windows devices; admins can run commands on-the-go, schedule them for a future time, or configure them to trigger automatically after enrollment.

Pros:

Scales to any fleet size
No VPN required — agent-based, works while the device is online anywhere
Reusable command templates save time across repeated incidents

Cons/limits:

Requires device enrollment and agent installation beforehand
Requires an MDM subscription

The organizational blocker here is usually not technical — it's getting device enrollment done before an incident, not after.

6 Remote PC Lock Methods Compared

Method	Works Off-Network?	Requires Pre-Setup?	Free / Paid	Best For
Find My Device (Microsoft Account)	No	Yes (must enable before incident)	Free	Personal or single corporate device with MS account
Phone Link Lock PC (Android)	Yes (phone data)	Yes (pairing + Remote PC Controls enabled)	Free	User who has an Android phone paired to their own PC
PowerShell via Invoke-Command	No (needs VPN/LAN)	Yes (PS Remoting enabled)	Free	On-network admin managing domain-joined devices
Intune Credential Provider Script	Yes (Intune MDM)	Yes (script must be pre-deployed)	Paid (Intune subscription required)	Intune-managed fleets (workaround for Intune's gap)
BitLocker Recovery Trigger	Yes (MDM or script)	Yes (BitLocker pre-enabled)	Free	Terminated employee lockout — no re-entry without IT-held recovery key
MDM Remote Command (PowerShell)	Yes	Yes (device enrolled, agent installed)	Paid (MDM subscription)	IT admin managing a fleet of Windows devices at scale

When Remote Lock Isn't Enough: The Case for Proactive Policies

The 15-Minute Rule — Why Compliance Frameworks Agree on Inactivity Lock

Remote lock is always reactive — it only runs after you notice a problem. GPO-enforced inactivity lock runs automatically, every time, with no admin action required. It catches the unlocked PC in the conference room before you even realize it's unattended.

DISA STIG V-203599, PCI DSS v4.0 Requirement 8.2.8 (in effect since March 31, 2024), NIST SP 800-171 Rev2 Control 3.1.10, and CMMC 2.0 AC.L2-3.1.10 (final rule effective December 16, 2024) all require session lock after 15 minutes of inactivity. If your environment is subject to any of these, this isn't optional.

To configure via GPO: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" → set to 900 seconds. The corresponding registry value is InactivityTimeoutSecs under the System policies key.

GPO covers on-premise and domain-joined environments. For off-network remote workers, MDM policy management is how you extend the same inactivity lock enforcement to devices that never touch the corporate network.

One second-order consequence worth knowing: if your screensaver timeout is shorter than the GPO Machine Inactivity Limit value, the screensaver wins. The screen will lock at the screensaver interval, not the GPO interval. If screensaver is set to 2 minutes and the GPO is set to 15 minutes, the device locks at 2 minutes. That's fine from a security standpoint, just don't assume GPO is the controlling value if both are set.

What to Do When the Device Is Already Offline

Every method in this article — without exception — requires the device to be reachable. If a laptop is stolen, powered off, or connected to a network you can't reach, the lock command queues and may never execute.

The real protection for offline scenarios is BitLocker full-disk encryption, pre-enabled at enrollment. Even if the lock command never arrives, an encrypted drive is unreadable without the recovery key. The average cost of a data breach reached $4.88 million in 2024 (IBM, all industries globally), a record high. Pre-encrypting every managed device is the control that protects data when the lock command can't get through.

Lock is the immediate response when a device goes missing. Encryption is the background protection that works regardless of whether that command ever arrives. For windows device management at scale, both need to be in place before an incident — not configured in response to one.

Which Method Should You Use? A Scenario Guide

The comparison table above shows the specs. This section routes you directly to the right method for your specific situation right now.

Which scenario fits your situation right now?

Microsoft account on the device, connected to the internet → Find My Device (Method 1) — takes under 2 minutes

Android phone already paired to the PC → Phone Link Lock PC (Method 2) — one tap

On the same network or VPN, have admin access → PowerShell Invoke-Command (Method 3)

Using Intune and the Remote Lock button is greyed out → Intune Credential Provider Script workaround (Method 4)

Need to lock out a terminated employee with no chance of re-entry → BitLocker recovery trigger (Method 5)

Managing a fleet and want a repeatable, centralized action → MDM with remote command deployment (Method 6)

Not sure? → If the device is enrolled in an MDM and reachable, start with your MDM console. If it's a personal device or small-office machine, Find My Device is your fastest option — as long as it was pre-configured.

If your fleet includes Android or iPhone devices alongside Windows machines, the approach differs by platform. See remote lock android and remote lock iphone for platform-specific guides.

How Trio MDM Helps You Lock and Manage Windows Devices at Scale

When you're working out how to lock a PC remotely across a Windows fleet — not just one device — the manual methods in this article become difficult to repeat at scale. A script run over VPN works once. It doesn't work at 11pm when a device goes missing and you're not on the corporate network.

Trio MDM's remote commands feature supports PowerShell (.ps1) script execution on enrolled Windows devices. Admins can run the DllImport lock command from Method 3 as an on-the-go action from the console, schedule it for a future time, or configure it to trigger automatically after a device completes enrollment. There's no VPN dependency, the agent handles delivery while the device is online, wherever it is.

For the terminated employee scenario in Method 5, Trio MDM stores BitLocker recovery keys securely on the backend. When you trigger BitLocker recovery mode remotely, the 48-character key is in your Trio MDM console — not in a spreadsheet or a departing admin's inbox.

For compliance-driven environments, Trio MDM fully covers CIS Level 1 and Level 2 frameworks, and covers the full technical implementation domain of HIPAA and GDPR — the non-technical requirements fall outside what any MDM tool can address.

The contrast with manual methods is real: with proper MDM tooling in place, you can lock a device and push a BitLocker recovery trigger in seconds from a single console, no VPN, no running scripts by hand, no relying on pre-paired phones.

Start your free trial or Book a demo to see how Trio MDM handles Windows remote command deployment and BitLocker key escrow in practice.