Bad actors (internal and external) have so far been able to run brute-force attacks against local accounts in the dark, to try to find the correct password.
These attacks could be done by having physical access to the device but also by using RDP. But those days are over as the built-in local account lockout policy will block these attacks according to our settings.
The local account lockout policy comes with three controls and is typically applied by GPOs to AD/HAADJ devices. These settings are applied to managed accounts, but it is possible to apply them to the built-in administrator account as well (see step 4).
Windows 11-22H2 has some default settings being applied from day zero.
Account lockout threshold | 10 |
Account lockout duration | 10 |
Reset account lockout count after | 10 |
Allow administrator account lockout | Enabled |
❗These settings are enabled by default on Windows 11-22H2 and newer. We must use policies to enable these settings on devices being upgraded from an earlier build.
Let’s have a look at how to use Microsoft Intune to manage these settings.
The first thing we will notice is that we do not currently have any possibility to configure these settings by using settings catalog.
This is because controlling these settings by Intune are only available to Windows Insider builds and we must use CSP as for now.
We should see them added to the settings catalog soon enough! ✅
In my case I will run a PowerShell script as a Win32 app to configure:
And I will use a CSP policy to configure:
We can run the following command to view our current settings:net accounts
In my case I am running this on a W11-23H2 device which was originally installed as W11-22H2, so it should have these settings already configured, right?
…and as we can see from above print screen it has the default settings which is great.
We can manually configure these settings by running below commands. This is great for testing but we will want to use Intune when it comes to running this on multiple devices.
net accounts /lockoutthreshold:15
net accounts /lockoutduration:15
net accounts /lockoutwindow:15
This is the result after running all three commands:
OK, so now we know how to change these settings. Let’s add the three commands to a PowerShell script and apply it as an app.
I always try to use PSADT as much as possible as it is great for logging and creating the detection method.
In this case I will just add the three commands to the ‘installation’ part and I will have it add a registry key and value for detection.
💡I want to apply the default settings (10) to make sure all devices are at the same level, only new installations of W11-22H2 or newer will have these settings out of the box, remember?
The whole application package is found here, feel free to use it.
I will use the Rock Enroll tool to wrap it to *.intunewin – this is already done if you downloaded the package from Github. You will find the file in the ‘_intune’ directory.
Now all we need to do is create the Win32 app in Intune:
Let’s have a look at how to use Intune to configure “allow administrator account lockout” which means that we allow the lockout threshold, duration and reset counter to apply to the built-in administrator account as well.
❗As stated in the documentation this setting only applies to the built-in, well-known local administrator account and it doesn’t seem to apply to any manually created local administrator accounts.
Same story here, this setting is enabled by default on new installations of W11-22H2 and must be manually enabled for all other devices.
This one is easier as we can use a CSP policy to configure it which is great news. This setting is part of the Windows 11 23H2 security baseline but as you might know, Intune has not been updated with the latest security baseline just yet.
So, now we have configured the account policies to make sure all of our devices are configured the same regardless of which OS-version they originate from.
I look forward to seeing the lockout threshold, duration and reset counter take part of the settings catalog as it makes sense to use Intune to configure those settings to make sure we can apply the brute-force protection to the built-in administrator account, regardless of device join-type (AADJ/HAADJ).