Set Account Lockout for Windows

What the account lockout policy configurator does

This Automox Worklet™ configures account lockout policies on Windows endpoints to protect user accounts from brute force attacks and unauthorized access. The Worklet uses PowerShell and the Windows Security Editor (secedit) to modify three critical security parameters: the number of failed login attempts before lockout, the duration users remain locked out, and the time period before the failed login counter resets.

The Worklet exports the current security policy, modifies the account lockout settings with recommended values, and reapplies the policy to the endpoint. This ensures that account lockout protections are consistently enforced across your Windows infrastructure without requiring manual configuration.

Why configure account lockout policies

Account lockout is a fundamental defense against credential attacks. Without these policies in place, attackers can attempt unlimited password guesses against user accounts, potentially compromising your network. Organizations face escalating threats from brute force attacks targeting Windows endpoints, and account lockout policies provide a cost-effective preventive measure.

Implementing lockout policies helps you meet compliance requirements from security frameworks like CIS Benchmarks and NIST 800-53. These standards explicitly require account lockout configurations as part of access control strategies. By automating these settings through the Worklet, you reduce administrative overhead and eliminate configuration drift across your endpoint fleet.

How account lockout configuration works

1. Evaluation phase: The Worklet checks the current account lockout settings on the endpoint. It verifies whether the failed login threshold, lockout duration, and reset count are configured according to security best practices. Exit code 1 indicates that configuration is needed.

2. Remediation phase: The Worklet exports the security policy database, modifies the LockoutBadCount (10 attempts), LockoutDuration (15 minutes), and ResetLockoutCount (15 minutes) parameters, and applies these settings using secedit /configure. The security policy is updated and the temporary export file is removed.

Account lockout policy requirements

• Windows Server 2012 R2 or later, or Windows 10 and later

• Local Administrator or Domain Administrator privileges to modify security policy

• PowerShell execution enabled on the endpoint

• Access to the Windows Security Editor (secedit.exe), which is built into Windows

Expected account lockout behavior

After the Worklet completes remediation, user accounts on the endpoint will enforce account lockout policies automatically. Users who enter incorrect credentials 10 times will be locked out of their accounts for 15 minutes. The failed login counter resets every 15 minutes of inactivity, allowing legitimate users to attempt login again without permanent lockout.

You can verify policy application by checking Windows Event Viewer for Account Lockout events (Event ID 4740) or by viewing the Security Policy settings in secpol.msc. These changes apply immediately and persist across endpoint restarts, protecting your infrastructure from ongoing brute force attacks.

How to validate set account lockout for windows changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for set account lockout for windows.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.

4. Validate remediation effects from script operations such as Get-Content, Out-File, then rerun evaluation for compliance.