Account Lockout Policies in Windows 10


Whilst testing some Fine Grained Password Policies in Windows 10 today I came across the following message which I had not seen before:


I did a bit of investigation and it turns out that there is a setting which will reboot the desktop and put it into BitLocker recovery mode if you enter your password incorrectly. This is set by the default SCM Templates to a threshold of 10. Whilst this setting is obviously for security reasons, I would imagine it's one of those settings which is more trouble than it's worth in a large Enterprise Deployment. I can imagine a lot of calls to helpdesk being made!

You can disable it by setting the following GPO setting to 0:

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold


So if you are setting Account Lockout settings at the Domain Level, make sure that you set this setting higher than your User Account Lockout threshold; otherwise you may find your users' machines becoming unusable even though their User accounts are not locked out.
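One way to check that ordering on a client, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt, reads the machine threshold from the `MaxDevicePasswordFailedAttempts` registry value that backs this security option, and reads the user threshold from a `secedit` export of the policy applied to the computer; the temporary file name is arbitrary, and thresholds set through Fine Grained Password Policies apply per user and have to be compared separately.

```powershell
# Added example: run from an elevated PowerShell prompt on the Windows 10 client.

# Machine account lockout threshold: the registry value behind
# "Interactive logon: Machine account lockout threshold".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$machine = (Get-ItemProperty -Path $key -Name MaxDevicePasswordFailedAttempts `
            -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts

# User account lockout threshold: LockoutBadCount in the [System Access]
# section of an export of the security policy applied to this computer.
$inf = Join-Path $env:TEMP 'lockout-audit.inf'   # arbitrary temporary file name
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

$user = $null
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\s*LockoutBadCount\s*=\s*(\d+)') { $user = [int]$Matches[1] }
}
Remove-Item -LiteralPath $inf -Force

# Compare the two. A missing value or 0 means the lockout is not enforced.
if (-not $machine) {
    $verdict = 'OK: machine account lockout is not configured or is set to 0.'
}
elseif (-not $user) {
    $verdict = 'WARN: machine lockout is set but no user account lockout threshold ' +
               'is in effect here, so the machine will lock before any account does.'
}
elseif ($machine -le $user) {
    $verdict = 'FAIL: machine threshold is not higher than the user threshold; ' +
               'the machine can go to BitLocker recovery before the account locks.'
}
else {
    $verdict = 'OK: machine threshold is higher than the user threshold.'
}

[pscustomobject]@{
    MachineThreshold = $machine
    UserThreshold    = $user
    Verdict          = $verdict
}
```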

More information can be found on this setting here:
