
Set 'Account lockout threshold' to 1-10 invalid login attempts


In the security baseline for Windows 10 and later I have configured the Device Lock part.

Number of sign-in failures before wiping device = 10

 

I also have this set on the Device Restriction policy under Password.
Number of sign-in failures before wiping device = 10

 

Now in security recommendation on my test device I still get the recommendation to Set 'Account lockout threshold' to 1-10 invalid login attempts.

 

My question, is this not hitting the same settings?
Same goes for the 

Set 'Minimum password age' to '1 or more day(s)'

Set 'Minimum password length' to '14 or more characters'

10 Replies

Hi @JimmyWork,

 

Both the security baseline and the device restriction policies configure the Policy CSP - DeviceLock

  • DeviceLock/MaxDevicePasswordFailedAttempts
  • DeviceLock/MinDevicePasswordLength
  • DeviceLock/MinimumPasswordAge

It's not recommended to configure the same settings from 2 different policies. Or did you have a good reason?

 

Check the reports (for both policies) to see if the settings are in error. I'm wondering if these settings actually apply successfully because an error in applying these settings could explain the security recommendation message.

 


Perhaps have a look at this techcommunity post, where I dive a little deeper in Security baselines vs other policies. Hope this helps.

 

Thank you for answering.

As long as you set the exact same settings then there will be no issue with the policies, you will get no error and it will work on the device, I checked Intune logs and registry on the device.

If I look at the security recommendation it refers to this setting.

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

This seems not to be found in any policy or OMA-URI available in Intune.
Any suggestion other than creating a remediation script?
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account...

@Oktay Sari 

Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
To the following value: Between 1 and 10


 

@JimmyWork this is interesting. The only thing I can find about the GPO you are referring to (Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold) and its Azure counterpart is Azure Smart Lockout. Have a look at this doc and in particular "verify on-premises account lockout policy". This is where they refer to your GPO Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. A little below that "Manage Azure AD smart lockout values".

 

So... if I had to guess, it looks like the security recommendation is not about your baseline or device configuration profile, but about Azure smart lockout. Can you have a look at that?

 

 

I'll try and see if I can replicate this in my test tenant just to satisfy my curiosity :)

That setting is also already set, and the policy is not available in Intune, I can do a remediation script where I just set the net accounts /lockoutthreshold:10.

But this seems more related to On-prem devices and this is a fully cloud device so not sure why security recommendations are bringing this up as there is currently no way to set this in Intune
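
Added example, not part of the original thread: a detection script that could be paired with the `net accounts /lockoutthreshold:10` remediation mentioned above. It reads the local security policy through a `secedit` export and checks the three values named in the recommendations. The function name, the `-UseSample` switch and the temp file name are hypothetical, and it is an assumption that the recommendation evaluates these local policy values.

```powershell
# Added example, not from the thread: detection script for an Intune remediation pair.
param([switch]$UseSample)   # -UseSample checks the constructed export below instead of the device

# Accepted ranges, taken from the three recommendations quoted in the question.
$Required = @{
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 }   # 1-10 invalid attempts
    MinimumPasswordAge    = { param($v) $v -ge 1 }                  # 1 or more day(s)
    MinimumPasswordLength = { param($v) $v -ge 14 }                 # 14 or more characters
}

function Get-NonCompliantSetting {
    param([string[]]$InfLines)
    # Collect integer "Key = Value" pairs from the [System Access] section only.
    $values = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    foreach ($name in $Required.Keys) {
        # A key missing from the export is reported, not assumed compliant.
        if (-not $values.ContainsKey($name)) { "$name=missing"; continue }
        if (-not (& $Required[$name] $values[$name])) { "$name=$($values[$name])" }
    }
}

if ($UseSample) {
    # Constructed sample: lockout disabled (0) and no minimum password age.
    $lines = @(
        '[Unicode]', 'Unicode=yes',
        '[System Access]',
        'MinimumPasswordAge = 0',
        'MinimumPasswordLength = 14',
        'LockoutBadCount = 0'
    )
} else {
    # Export the effective local security policy; needs an elevated or SYSTEM context.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force
}

$failed = @(Get-NonCompliantSetting -InfLines $lines)
if ($failed.Count -gt 0) {
    Write-Output ("Non-compliant: " + ($failed -join ', '))
    exit 1   # Intune treats exit code 1 as "issue detected" and runs the remediation script
}
Write-Output 'Compliant'
exit 0
```

A lockout threshold of 0 means accounts are never locked out, so it is reported as non-compliant along with any value above 10.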

@JimmyWork I agree. It does look like this does not exist with MEM yet. I think your best bet is to reach out to Intune support at this stage (frustrating....) I'm not sure what they can do... besides point you in the direction of a remediation script (which you already know), but who knows... I do hope that custom ADMX/ADML import (in development) will become available with the next Intune release because I think that can solve your problem.

 

Please keep us informed about your findings. Sorry couldn't help you out yet, but if I do have news to share, I'll give an update here.

Thank you, I will create a Microsoft Case just to get more information. Have a great weekend
best response confirmed by JimmyWork (Contributor)
Solution

Received the following from MS support.
(I have reported them as inaccurate recommendations)

 

We can confirm that the configuration options at the moment are not available to set from Intune. This looks like an invalid recommendation originating from Microsoft Defender for Endpoint. 

 

Right now in Intune, the ones below are the settings most similar to the account lockout threshold policy (screenshots with descriptions):

 

Device configuration profiles (Win 10) > Templates > Administrative templates > Computer Configuration > System > Trusted Platform Module Services

  • Standard User Individual Lockout Threshold
  • Standard User Total Lockout Threshold

Thx for the update @JimmyWork, much appreciated!