Forum Discussion

JimmyWork's avatar
JimmyWork
Iron Contributor
May 05, 2022

Set 'Account lockout threshold' to 1-10 invalid login attempts

In the security baseline for Windows 10 and later I have configured the Device Lock part. Number of sign-in failures before wiping device = 10   I have also this set on the Device Restriction poli...
Intune
  • JimmyWork's avatar
    JimmyWork
    May 12, 2022

    Received the following from MS support.
    (I have reported them as inaccurate recommendations)

     

    We can confirm that the configuration options at the moment are not available to set from Intune. This looks like an invalid recommendation originating from Microsoft Defender for Endpoint. 

     

    Right now in Intune, the ones below are the settings most similar to the account lockout threshold policy (screenshots with descriptions):

     

    Device configuration profiles (Win 10) > Templates > Administrative templates > Computer Configuration > System > Trusted Platform Module Services

    • Standard User Individual Lockout Threshold
    • Standard User Total Lockout Threshold
Oktay Sari's avatar
Oktay Sari
Iron Contributor
I'll try and see if I can replicate this in my test tenant just to satisfy my curiosity 🙂
JimmyWork's avatar
JimmyWork
Iron Contributor
May 06, 2022
That setting is also already set, and the policy is not available in Intune, I can do a remediation script where I just set the net accounts /lockoutthreshold:10.

But this seems more related to On-prem devices and this is a fully cloud device so not sure why security recommendations are bringing this up as there is currently no way to set this in Intune
  • Oktay Sari's avatar
    Oktay Sari
    Iron Contributor
    May 07, 2022

    JimmyWork I agree. It does look like this does not exist with MEM yet. I think your best bet is to reach out to Intune support at this stage (frustrating....) I'm not sure what they can do... besides point you in the direction of a remediation script (which you already know), but who knows... I do hope that custom ADMX/ADML import (in development) will become available with the next Intune release because I think that can solve your problem.

     

    Please keep us informed about your findings. Sorry couldn't help you out yet, but if I do have news to share, I'll give an update here.

    • JimmyWork's avatar
      JimmyWork
      Iron Contributor
      May 07, 2022
      Thank you, I will create a Microsoft Case just to get more information. Have a great weekend
      • JimmyWork's avatar
        JimmyWork
        Iron Contributor
        May 12, 2022

        Received the following from MS support.
        (I have reported them as inaccurate recommendations)

         

        We can confirm that the configuration options at the moment are not available to set from Intune. This looks like an invalid recommendation originating from Microsoft Defender for Endpoint. 

         

        Right now in Intune, the ones below are the settings most similar to the account lockout threshold policy (screenshots with descriptions):

         

        Device configuration profiles (Win 10) > Templates > Administrative templates > Computer Configuration > System > Trusted Platform Module Services

        • Standard User Individual Lockout Threshold
        • Standard User Total Lockout Threshold

Resources