Automox Worklet: Set Account Lockout Policies

To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these worklets to bolster your cyber hygiene and prevent or mitigate real-world threats.

Both the Center for Internet Security (CIS) security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework.

With this Automox Worklet, we’ve chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and more specifically technique T1078, Valid Accounts. For additional information on this tactic and technique, refer to our blog on the topic.

Automox Worklet: Set Account Lockout Policies per CIS Recommendations

This Automox Worklet automatically applies the CIS recommendations for (1) Account Policies (1.1) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

Please Read - CIS Account Lockout Recommendations

The following policies are broken down in the worklet remediation code below. Most of these settings are configurable by the security admin, but Automox has aligned the default settings in the code to match the CIS recommendations.

1.2 Account Lockout

1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'

1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'

1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' [configurable]

This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked until an administrator manually unlocks them.

Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.

The recommended state for this setting is: 15 or more minute(s).

1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s)' [configurable]

This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold.

The recommended state for this setting is: 10 or fewer invalid logon attempt(s), but not 0.

1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' [configurable]

This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.

The recommended state for this setting is: 15 or more minute(s).
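The three settings above can be audited and corrected together on a single endpoint. The following PowerShell is an added example, not the Automox Worklet code from the community posting; the function names and target variables are assumptions chosen for illustration, and it relies only on the built-in `secedit` and `net accounts` commands.

```powershell
# Added example, not the Automox Worklet code. Run elevated on a Windows endpoint.
# Targets are assumptions set to the CIS values quoted above; adjust within the CIS limits.
$Threshold = 10   # 1.2.2: 1 to 10 invalid logon attempts, never 0
$Duration  = 15   # 1.2.1: lockout duration in minutes, 15 or more
$Window    = 15   # 1.2.3: counter reset in minutes, 15 or more and <= $Duration

function Get-LockoutPolicy {
    # Export the local security policy and read the three lockout values from the INF.
    $cfg = Join-Path $env:TEMP 'lockout-audit.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-LockoutPolicy([hashtable]$p) {
    # Returns one finding per failed check; a setting missing from the export also fails.
    $findings = @()
    $bad = $p['LockoutBadCount']; $dur = $p['LockoutDuration']; $win = $p['ResetLockoutCount']
    if ($null -eq $bad -or $bad -lt 1 -or $bad -gt 10) {
        $findings += "1.2.2 lockout threshold is '$bad'; expected 1 to 10"
    }
    if ($null -eq $dur -or $dur -lt 15) {
        $findings += "1.2.1 lockout duration is '$dur'; expected 15 or more minutes"
    }
    if ($null -eq $win -or $win -lt 15) {
        $findings += "1.2.3 reset counter is '$win'; expected 15 or more minutes"
    } elseif ($win -gt $dur) {
        $findings += "1.2.3 reset counter ($win) exceeds lockout duration ($dur)"
    }
    return $findings
}

$findings = @(Test-LockoutPolicy (Get-LockoutPolicy))
if ($findings.Count -eq 0) {
    Write-Output 'Compliant: account lockout policy meets the CIS values.'
} else {
    $findings | ForEach-Object { Write-Output "Non-compliant: $_" }
    # Set all three values in one call so the reset window never exceeds the duration.
    net accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$Duration" "/lockoutwindow:$Window"
    $after = @(Test-LockoutPolicy (Get-LockoutPolicy))
    if ($after.Count -gt 0) { Write-Error "Still non-compliant: $($after -join '; ')"; exit 1 }
}
```

On domain-joined devices, a Group Policy that defines these settings will overwrite locally applied values at the next policy refresh, so a repeat finding after remediation usually points at the domain policy rather than the endpoint.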

CIS Account Lockout Remediation Code

The remediation code will automatically set all of the account lockout policy settings described above when executed from the Worklet across the endpoints. Be sure to configure any values you desire, or keep the defaults. You will copy and paste the remediation code into the new worklet policy when you create it.

To deploy this endpoint hardening Worklet, view the original posting on the Automox Alive community.

Tips for Creating an Automox Worklet

Before deploying an Automox Worklet to the production environment, we suggest testing this on a few devices to confirm its accuracy. If you have any questions, please contact our support team for technical assistance at

For step-by-step instructions on creating the Worklet, see our user documentation: Create a Worklet.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.