Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock

In this blog post, I will explain how to Set Lockout Policy Using Intune Platform. A Lockout Policy is a security measure used in systems or networks to prevent unauthorized access by locking out a user account after a specified number of failed login attempts. This policy is commonly used in organizations to mitigate the risk of brute-force attacks, where an attacker repeatedly attempts to guess a user’s password.

The policy typically includes settings such as the number of failed attempts before the lockout, the duration, and how the account can be unlocked. For instance, an account might be locked after five or ten incorrect attempts and remain locked for 20 or 30 minutes or until an administrator resets it.

Implementing a lockout policy requires balancing security and usability. While it prevents unauthorized access, it could also lock out legitimate users due to forgotten passwords or mistyped credentials. Combining lockout policies with Multi-Factor Authentication (MFA) ensures a more secure and user-friendly approach.

A few best practices for a lockout policy:

  • Balance security and usability – Set a reasonable lockout threshold so that legitimate users are not locked out by simple mistakes, while still deterring brute-force attacks.
  • Audit and monitoring – Keep logs of failed login attempts and account lockouts to detect patterns that could indicate an attack.
  • Notification – Notify users or administrators when an account is locked due to failed login attempts.

Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock. Fig. 1

Key Elements of Lockout Policy

The Key Elements of a Lockout Policy are crucial for ensuring both security and usability. Here are the primary components.

Key Elements and Description

  • Account Lockout Threshold – The maximum number of failed login attempts allowed before the account is locked. For example, after 10 incorrect login attempts, the account may be locked.
  • Account Lockout Duration – Specifies how long the account remains locked after reaching the threshold. This could be permanent until reset by an administrator or temporary (e.g., a 20-minute lockout).
  • Reset Counter After – The period after which the failed login attempt counter is reset. For instance, after 15 minutes of inactivity, the failed attempts may reset to zero.
  • Account Unlock Procedure – Defines how an account can be unlocked, whether through manual intervention by an admin, self-service password reset, or an automated unlock after a set duration.
Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock. Table. 1

Create a Set Lockout Policy Using Intune Platform Script

Follow the below-mentioned steps to create a PowerShell Script to Set the Lockout Policy Using the Intune Platform Script. Log In to the Microsoft Intune Admin Center using your administrator credentials.

  • Navigate to Devices > Windows > Scripts and remediations
  • Choose Platform scripts
  • Click on +Add
Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock. Fig. 2

In the Basics details pane, we can give the PowerShell Script the name “Set Lockout Policy”. If needed, provide a brief script description here; I am giving it as “HTMD Org Lockout Policy”. Then click Next.

Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock. Fig. 3

Prepare a PowerShell Script to Set Lockout Policy Using Intune

Before creating the PS Script for the Lockout policy, we can pull the current settings from one of the machines. To check the current settings, run Net Accounts from an elevated Windows PowerShell ISE.

PS C:\Windows\system32> Net Accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 10
Lockout observation window (minutes): 10
Computer role: WORKSTATION
The command completed successfully.

Now, we can create a simple PowerShell Script from scratch to Set the Lockout Policy. Note the commands below and save the script as SetLockoutPolicy.ps1.

# Lock the account after 10 failed sign-in attempts
Net Accounts /lockoutthreshold:10
# Keep the account locked for 20 minutes
Net Accounts /lockoutduration:20
# Reset the failed-attempt counter after 20 minutes (the window must not exceed the lockout duration)
Net Accounts /lockoutwindow:20
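The three-line script does the job, but if one of the Net Accounts calls fails, Intune will still report the script as succeeded. The variant below is an added example, not the post's own SetLockoutPolicy.ps1: it applies the same three values, rejects an observation window longer than the lockout duration up front, and reads the policy back from Net Accounts so that a mismatch returns a non-zero exit code (which Intune shows as a failed run). It assumes English-language net.exe output and the values used in this post.

```powershell
# Added example (not the original SetLockoutPolicy.ps1 from the post).
# Sets the lockout policy, validates the inputs, and verifies the result so the
# Intune platform script status reflects what actually happened on the device.
$Threshold = 10   # failed sign-in attempts before lockout
$Duration  = 20   # minutes the account stays locked
$Window    = 20   # minutes before the failed-attempt counter resets

# Windows requires the observation window to be no longer than the lockout
# duration, so fail early with a clear message instead of a net.exe error.
if ($Window -gt $Duration) {
    Write-Error "Lockout window ($Window) must not exceed lockout duration ($Duration)."
    exit 1
}

# Apply each setting and stop on the first failure so Intune reports "Failed".
foreach ($arg in "/lockoutthreshold:$Threshold", "/lockoutduration:$Duration", "/lockoutwindow:$Window") {
    $out = & net.exe accounts $arg 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Error "net accounts $arg failed: $out"
        exit $LASTEXITCODE
    }
}

# Read the policy back (same output the post checks by hand with Net Accounts)
# and compare it with the intended values. Assumes English net.exe output.
$actual = @{}
foreach ($line in (& net.exe accounts)) {
    if ($line -match '^Lockout threshold:\s+(\S+)') { $actual.Threshold = $Matches[1] }
    elseif ($line -match '^Lockout duration \(minutes\):\s+(\d+)') { $actual.Duration = [int]$Matches[1] }
    elseif ($line -match '^Lockout observation window \(minutes\):\s+(\d+)') { $actual.Window = [int]$Matches[1] }
}

# 'net accounts' prints "Never" for a threshold of 0, so compare as text.
$ok = ($actual.Threshold -eq "$Threshold") -and
      ($actual.Duration -eq $Duration) -and
      ($actual.Window -eq $Window)
if (-not $ok) {
    Write-Error "Verification failed. Current values: $($actual | Out-String)"
    exit 1
}
Write-Output "Lockout policy applied: threshold=$Threshold duration=$Duration window=$Window"
exit 0
```

The Write-Error and Write-Output text is what you will see in the script's device status details in the Intune admin center, which makes a failed run diagnosable without logging on to the device.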

In the Script settings pane, we can configure the settings according to our requirements. The first option is mandatory. We have to browse and select our saved PS Script here.

  • Script location – Browse and select the saved script SetLockoutPolicy.ps1
  • Run this script using the logged on credentials – No
  • Enforce script signature check – No
  • Run script in 64 bit PowerShell Host – Yes
Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock Fig. 4

On the next page, leave the scope tags default; if you have any custom scope tag available, you can also select it for this script deployment.

Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock Fig. 5

Click on Next and assign the script to HTMD – Test Computers. Then click Add groups and select the required device group in the Included groups option.

Best Way to Set Lockout Policy Using Intune Platform Script Account Lockout Threshold Lockout Duration Unlock. Fig. 6

On the Review + Add pane, carefully review all the settings you’ve defined for the Set Lockout Policy Using Intune Platform Script. Once you’ve confirmed everything is correct, select Add to implement the changes.

Best Way to Set Lockout Policy Using Intune Platform Script. Fig. 7

Monitor the Set Lockout Policy Script Deployment in Intune

This Intune Platform script has been deployed to the Microsoft Entra ID group (HTMD – Test Computers). The policy will take effect as soon as possible once the device is synced.

To monitor the policy deployment status from the Intune Portal, follow the steps below.

  • Navigate to Devices > Windows > Scripts and remediations > Platform scripts

Search for the “Set Lockout Policy” Script. The deployment status for this script can be seen under the Overview status. We can see that both the Device and User statuses have succeeded.

Best Way to Set Lockout Policy Using Intune Platform Script. Fig. 8

End User Experience – Set Lockout Policy Using Intune Platform Script

We must now check whether the Intune Platform PS Script has modified the default values. Log in to one of the policy-targeted devices. Open Windows PowerShell ISE or Windows PowerShell with Admin privileges, type Net Accounts, and execute. You can see the marked values have changed as per our PS Script. So, we can conclude that the Script deployment is working as expected!

Best Way to Set Lockout Policy Using Intune Platform Script. Fig. 9


Author

Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.
