Forum Discussion
Set 'Account lockout threshold' to 1-10 invalid login attempts
In the security baseline for Windows 10 and later I have configured the Device Lock part.
Number of sign-in failures before wiping device = 10
I also have this set on the Device Restriction policy under Password.
Number of sign-in failures before wiping device = 10
Now, in the security recommendations on my test device, I still get the recommendation to Set 'Account lockout threshold' to 1-10 invalid login attempts.
My question is: is this not hitting the same settings?
The same goes for the following:
Set 'Minimum password age' to '1 or more day(s)'
Set 'Minimum password length' to '14 or more characters'
Received the following from MS support (I have reported them as inaccurate recommendations):
We can confirm that the configuration options at the moment are not available to set from Intune. This looks like an invalid recommendation originating from Microsoft Defender for Endpoint.
Right now in Intune, the ones below are the settings most similar to the account lockout threshold policy (screenshots with descriptions):
Device configuration profiles (Win 10) > Templates > Administrative templates > Computer Configuration > System > Trusted Platform Module Services
- Standard User Individual Lockout Threshold
- Standard User Total Lockout Threshold
- Oktay Sari (Iron Contributor)
Hi JimmyWork,
Both the security baseline and the device restriction policies configure the Policy CSP - DeviceLock
- DeviceLock/MaxDevicePasswordFailedAttempts
- DeviceLock/MinDevicePasswordLength
- DeviceLock/MinimumPasswordAge
It's not recommended to configure the same settings from 2 different policies. Or did you have a good reason?
Check the reports (for both policies) to see if the settings are in error. I'm wondering if these settings actually apply successfully because an error in applying these settings could explain the security recommendation message.
Perhaps have a look at this techcommunity post, where I dive a little deeper in Security baselines vs other policies. Hope this helps.
- JimmyWork (Iron Contributor)
Thank you for answering.
As long as you set the exact same settings, there will be no issue with the policies; you will get no error and it will work on the device. I checked the Intune logs and the registry on the device.
If I look at the security recommendation it refers to this setting.
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
This seems not to be found in any policy or OMA-URI available in Intune.
Any suggestion other than creating a remediation script?
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy
- JimmyWork (Iron Contributor)
Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
To the following value: Between 1 and 10
- frydrik (Copper Contributor)
- JimmyWork (Iron Contributor)
Did you check the Security Center? Will this apply to those settings? Because the Security Center is pointing at other settings.
Device Lock: is it in the security baseline, or where did you find this? Just to be clear, the setting will not hit the correct configuration. Device Lock will not set the lockout threshold that Secure Score recommends.
Just checked, and we always had Device Lock set, and this was why I reported it to MS.
- DiogoSousa (Iron Contributor)
Did anyone get through this?
Still having some security recommendations that I cannot get rid of because the Exposure Score recommendations are looking for GPOs to be in place...
Set 'Account lockout duration' to 15 minutes or more
Set 'Reset account lockout counter after' to 15 minutes or more
Set 'Minimum password length' to '14 or more characters'
Set 'Enforce password history' to '24 or more password(s)'
Set 'Minimum password age' to '1 or more day(s)'
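The thread's conclusion is that the Defender recommendations read the local Account Lockout / Password policy, which the DeviceLock CSP does not write, so a remediation script is the remaining option. The detection half of such a script, as an added example that is not from the thread or from Microsoft: it exports the local security policy with secedit, parses the [System Access] section, and checks it against the thresholds quoted above (exit 1 means non-compliant, the convention Intune remediation scripts use). The INF key names are the standard secedit ones; the "-1" handling for an indefinite lockout duration is an assumption about how that value is exported.

```powershell
# Added example, not the thread's or Microsoft's code. Run elevated or as SYSTEM.
# Exports the local security policy and checks the keys behind the Defender
# recommendations quoted in this thread. Exit 1 = non-compliant (trigger remediation).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $inf)) { Write-Output 'secedit export failed'; exit 1 }

# Parse "Key = Value" lines of the [System Access] section into a hashtable.
# Only numeric values are kept; string values such as account names are skipped.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -Force -ErrorAction SilentlyContinue

# Thresholds taken from the recommendations listed in the thread.
# Assumption: -1 for LockoutDuration means "until an administrator unlocks", which satisfies ">= 15".
$checks = @(
    @{ Key = 'LockoutBadCount';       Ok = { param($v) $v -ge 1 -and $v -le 10 };    Want = '1-10' },
    @{ Key = 'LockoutDuration';       Ok = { param($v) $v -eq -1 -or $v -ge 15 };    Want = '>= 15 min' },
    @{ Key = 'ResetLockoutCount';     Ok = { param($v) $v -ge 15 };                  Want = '>= 15 min' },
    @{ Key = 'MinimumPasswordLength'; Ok = { param($v) $v -ge 14 };                  Want = '>= 14 chars' },
    @{ Key = 'PasswordHistorySize';   Ok = { param($v) $v -ge 24 };                  Want = '>= 24' },
    @{ Key = 'MinimumPasswordAge';    Ok = { param($v) $v -ge 1 };                   Want = '>= 1 day' }
)

$failures = foreach ($c in $checks) {
    # Lockout duration/window are not exported while the threshold is 0 (lockout off),
    # so a missing key is reported as non-compliant rather than silently passed.
    if (-not $policy.ContainsKey($c.Key)) { "$($c.Key): not set (want $($c.Want))"; continue }
    $v = $policy[$c.Key]
    if (-not (& $c.Ok $v)) { "$($c.Key)=$v (want $($c.Want))" }
}

if ($failures) { Write-Output ("Non-compliant: " + ($failures -join '; ')); exit 1 }
Write-Output 'Compliant'
exit 0
```

The paired remediation script would write the corrected [System Access] values back with secedit /configure from a template containing only those keys, after which the Defender recommendation should clear on the next assessment.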