
How to configure Lockout Policy with Microsoft Intune? When securing your organization, the Lockout Policy is an important setting you want to configure. It ensures that repeated failed sign-in attempts cannot be used to gain unauthorized entry into your systems. In this blog post, we'll dive into the configuration of lockout policies with Microsoft Intune.

What are Lockout Policies?

Lockout policies are essential measures that protect against unauthorized access attempts, most commonly brute-force attacks on passwords. With these settings you define when a user account should be temporarily locked after a certain number of failed login attempts. There are three important settings you need to consider:

  • Lockout Threshold: The number of failed login attempts allowed before an account lockout is triggered. This is the actual barrier against brute-force attacks.
  • Lockout Duration: How long (in minutes) an account remains locked after the threshold has been reached. The temporary lock deters further unauthorized attempts and protects against account compromise.
  • Lockout Window: The time frame (in minutes) during which failed login attempts are counted towards the lockout threshold. After this period the counter resets, which keeps the policy effective against attackers without overly penalizing legitimate users who mistype a password now and then.

What are we going to do?

Unfortunately the Lockout Policy setting is not available directly in the Microsoft Intune settings catalog. A shame in my opinion :). To configure the setting we need to take a different approach. From my perspective the simplest way to configure the Lockout Policy is to create a PowerShell script and deploy it with Microsoft Intune. In this blog post I will show you how you can configure the Lockout Policy with a PowerShell script which we are going to deploy with Microsoft Intune.

  • Step 1: Create PowerShell script
  • Step 2: Upload and deploy with Microsoft Intune
  • Step 3: Check deployment

How to configure Lockout Policy with Microsoft Intune

In this section we will show you the process of configuring the Lockout Policy. As mentioned above, we are going to create a PowerShell script and deploy it with Microsoft Intune.

Create PowerShell script

In step 1 we are going to create a PowerShell script and define the designated settings. Just follow the steps below:

  • Create a new PowerShell script and copy the script below.
  • Save the PowerShell script; we need this in step 2.
  • Change the numbers to your own settings. There is a description below of all the settings.
# Failed login attempts before the account is locked
net accounts /lockoutthreshold:5
# Minutes the account stays locked (must be >= the lockout window)
net accounts /lockoutduration:15
# Minutes after which the failed-attempt counter resets to 0
net accounts /lockoutwindow:15

Lockoutthreshold: The lockoutthreshold defines the number of failed login attempts allowed before triggering an account lockout. I will use the best practice and define 5 login attempts until the account lockout is triggered.

Lockoutduration: The lockoutduration setting determines the number of minutes that an account is locked out before it automatically unlocks. I will use 15 minutes.

Lockoutwindow: The lockoutwindow (lockout observation window) setting determines the time in minutes after which the failed logon attempt counter resets to 0 bad logon attempts. I will also use 15 minutes.

Upload and deploy with Microsoft Intune

In this section we are going to upload the created PowerShell script to Microsoft Intune and deploy it to our environment. Just follow the steps:

  • Go to intune.microsoft.com
  • Click on Devices
  • Click on Windows
  • Click on Scripts and remediations
  • Click on Platform script
  • Click on Add

On the Basics tab enter a Name and Description (Optional) and click on Next.

On the Script settings tab we are going to upload the PowerShell script first:

  • Click on the script location and upload the created script from step 1.
  • Run this script using the logged on credentials: No
  • Enforce script signature check: No
  • Run script in 64 bit PowerShell Host: Yes
  • On the Assignments tab assign the script to a Group and click on Next.
  • On the Review + add tab check the settings and click on Add.

Check deployment

After we have deployed the PowerShell script we can check if it was successful. If you want to check on the device itself you can use the following command:

net accounts

This will give you all the configured settings back (Lockout threshold, Lockout duration (minutes) and Lockout observation window (minutes)), and you can check if the script was deployed successfully.
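The three net accounts commands from step 1 and the check from step 3 can be combined into one script that only changes the policy when it differs from the desired values, verifies the result by parsing net accounts, and exits non-zero so Intune shows the platform script as failed on the device. This is an added example, not the script from the blog post; it assumes English net accounts output (the labels are localized on other system languages) and the values 5/15/15 used above.

```powershell
# Added example (not the blog's own script): idempotent lockout policy with
# verification. Assumes English 'net accounts' output; labels are localized
# on non-English Windows. Runs as SYSTEM when deployed as an Intune platform
# script with "Run this script using the logged on credentials: No".
$Desired = @{ Threshold = 5; Duration = 15; Window = 15 }

# Windows rejects a lockout duration shorter than the observation window.
if ($Desired.Duration -lt $Desired.Window) {
    Write-Error "Lockout duration ($($Desired.Duration)) must be >= window ($($Desired.Window))"
    exit 1
}

function Get-LockoutPolicy {
    # Parse the three relevant lines of 'net accounts' into integers.
    $text = (net accounts 2>&1) -join "`n"
    $read = {
        param($Label)
        if ($text -match "(?m)^$Label\s*:\s*(\d+)") { [int]$Matches[1] } else { $null }
    }
    [pscustomobject]@{
        Threshold = & $read 'Lockout threshold'               # 'Never' yields $null
        Duration  = & $read 'Lockout duration \(minutes\)'
        Window    = & $read 'Lockout observation window \(minutes\)'
    }
}

function Test-LockoutPolicy($Policy) {
    $Policy.Threshold -eq $Desired.Threshold -and
    $Policy.Duration  -eq $Desired.Duration  -and
    $Policy.Window    -eq $Desired.Window
}

$before = Get-LockoutPolicy
if (Test-LockoutPolicy $before) {
    Write-Output "Lockout policy already compliant, nothing to do."
    exit 0
}

# Apply all three values in one call so Windows never sees a duration shorter
# than the window in between, then re-read the policy instead of trusting
# the exit code of net.exe alone.
$opts = "/lockoutthreshold:$($Desired.Threshold)",
        "/lockoutduration:$($Desired.Duration)",
        "/lockoutwindow:$($Desired.Window)"
net accounts @opts | Out-Null
$after = Get-LockoutPolicy
if (-not (Test-LockoutPolicy $after)) {
    Write-Error "Lockout policy not applied. Current: $($after | Out-String)"
    exit 1
}
Write-Output "Lockout policy applied: threshold $($after.Threshold), duration $($after.Duration) min, window $($after.Window) min."
exit 0
```

Because the script re-reads net accounts after applying the values, the Intune script status reflects the real state of the device rather than just whether net.exe ran.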

Conclusion

In this blog post you learned what Lockout Policies are and why we should use them. We created a PowerShell script and defined the Lockout threshold, Lockout duration and the Lockout observation window. We deployed the script with Microsoft Intune and checked with a command if the script was successful.
Did you enjoy this article? Don't forget to follow us and share this article. You may also like the following articles.
