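# CSC - Caregiver Device Lockdown - computer STARTUP script (runs as SYSTEM each boot, idempotent).
# Deployed by GPO 'CSC - Caregiver Device Lockdown' linked to OU=Caregiver Devices.
# Settings (Howard, 2026-06-05): lock at 3 min, auto sign-out at 15 min with 90s warning, never sleep.
#
# Every step below is re-applied on each boot, so a drifted value (changed power scheme, altered ACL)
# is put back without anyone having to notice. Errors are suppressed on purpose so one failing step
# does not stop the remaining hardening; the trade-off is that nothing is logged when a step fails.
$ErrorActionPreference = 'SilentlyContinue'

# 1) LOCK: machine inactivity limit = 180s (3 min). This is the registry value behind the
#    "Interactive logon: Machine inactivity limit" security option; the OS locks the workstation
#    once the session has been idle that long.
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path -LiteralPath $sysKey)) {
    New-Item -Path $sysKey -Force | Out-Null
}
Set-ItemProperty -Path $sysKey -Name 'InactivityTimeoutSecs' -Type DWord -Value 180

# 2) POWER: display off 10 min; never sleep/hibernate (shared station must stay reachable, and a
#    sleeping PC can't run the idle sign-out). Applies to AC and battery. A timeout of 0 means "never".
#    powercfg /change only edits the currently ACTIVE power scheme; re-running at every boot is what
#    keeps this true if someone switches schemes.
foreach ($setting in 'monitor-timeout-ac', 'monitor-timeout-dc') {
    powercfg /change $setting 10
}
foreach ($setting in 'standby-timeout-ac', 'standby-timeout-dc', 'hibernate-timeout-ac', 'hibernate-timeout-dc') {
    powercfg /change $setting 0
}

# 3) Drop the idle-monitor script that runs in each caregiver's session.
$dir = 'C:\ProgramData\Cascades'
$scriptPath = Join-Path $dir 'idle-logoff.ps1'
if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Single-quoted here-string: nothing inside is expanded by THIS script; it is written verbatim.
$monitor = @'
# Idle warning + auto sign-out. Runs in the logged-on user's session (scheduled task, at logon).
# Polls the session's last-input time every 10 s; warns at 13.5 min, signs the user out at 15 min.
$ErrorActionPreference = "SilentlyContinue"
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class IdleTimer {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    // Seconds since the last keyboard/mouse input in this session. Unsigned subtraction keeps the
    // result correct across the TickCount wrap-around.
    public static uint Seconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(lii);
        GetLastInputInfo(ref lii);
        return ((uint)Environment.TickCount - lii.dwTime) / 1000;
    }
}
"@
$warnAt   = 810   # 13.5 min -> show 90s warning
$logoffAt = 900   # 15 min   -> sign out
$warned   = $false
while ($true) {
    $idle = [IdleTimer]::Seconds()
    if ($idle -ge $logoffAt) {
        & shutdown.exe /l
        break
    } elseif ($idle -ge $warnAt -and -not $warned) {
        $warned = $true
        # '*' = every session the caller is allowed to message; as a limited user that is normally
        # just this one. NOTE(review): confirm on a station with several concurrent sessions.
        & msg.exe * /TIME:90 "You will be signed out in 90 seconds due to inactivity. Move the mouse or press a key to stay signed in."
    }
    # Any input after the warning re-arms it for the next idle stretch.
    if ($idle -lt $warnAt) { $warned = $false }
    Start-Sleep -Seconds 10
}
'@
Set-Content -LiteralPath $scriptPath -Value $monitor -Encoding UTF8 -Force

# Harden the drop folder. C:\ProgramData's default ACL lets any member of Users create files and
# folders there and grants CREATOR OWNER full control of what they create, so a user who created
# 'Cascades' before this script first ran would own the folder and could replace idle-logoff.ps1 -
# which the scheduled task then runs in EVERY other caregiver's session. Replace the ACL with a fixed
# one (SYSTEM + Administrators full control, Users read/execute), push that down to the file, and take
# ownership. SIDs rather than names so this also holds on non-English builds. Re-done every boot.
& icacls.exe $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' /Q | Out-Null
& icacls.exe "$dir\*" /reset /T /C /Q | Out-Null      # children inherit only from the folder above
& icacls.exe $dir /setowner '*S-1-5-18' /T /C /Q | Out-Null

# 4) Register the scheduled task: runs the monitor in each interactive user's session at logon.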
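$taskName = 'CSC Caregiver Idle Logoff'
# -ExecutionPolicy Bypass applies to this one process only; the script file itself is what the
# startup script's ACL protects. NOTE(review): if AppLocker/WDAC script rules are enforced on these
# devices, C:\ProgramData is not in the default allowed paths - confirm the file is allow-listed.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\Cascades\idle-logoff.ps1"'
# No -User on the trigger: fires for any interactive logon.
$trigger = New-ScheduledTaskTrigger -AtLogOn
# BUILTIN\Users -> runs as whoever logs on, in their own session, with no elevation.
$principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545' -RunLevel Limited
# MultipleInstances must be Parallel, not IgnoreNew: the instance policy is evaluated per TASK, not
# per session. With IgnoreNew, a second concurrent session on the box (e.g. "Switch user" while a
# locked session is still inside its 15 min) would get no monitor and would never be signed out.
# Each session's instance dies with that session at logoff, so instances do not pile up.
# ExecutionTimeLimit of zero = no limit; the monitor is meant to live as long as the session.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit ([TimeSpan]::Zero) -MultipleInstances Parallel
# -Force overwrites an existing definition in place (the old unregister-then-register left a window
# with no task at all; at boot that is harmless, but the single call is simpler and idempotent).
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal `
    -Settings $settings -Force `
    -Description 'Idle warning + auto sign-out (15 min total, 90s warning) for shared caregiver devices.' | Out-Null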