How to set 'Account lockout duration' with an intune device policy

Michèle Merlo 5 Reputation points
2024-06-05T08:26:40.42+00:00

Good morning

For the Security Recommendation "Set 'Account lockout duration' to 15 minutes or more" I want to deploy this setting with the value "15" as a device configuration policy. I know I can set the LockoutPolicy with an OMA-URI "./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy" but how can I set the specific account lockout duration setting?

Thanks in advance and have a good day!


3 answers

  1. Jonathan M Eddy 5 Reputation points
    2024-12-05T21:02:52.79+00:00

    I finally found the correct Value string for the OMA-URI on https://github.com/microsoft/osconfig/blob/main/security/SecurityBaseline_WindowsServer_2025-2409.csv (and there are a lot of other good settings there also) as the page at https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock is still missing this information as of December 2024. Note that you need Windows 11 24H2 / Server 2025 or later for this setting to actually take effect. You can validate the settings changes with the command "net accounts".

    You would set it as follows in Intune as a Custom OMA-URI (the below example uses lockout values of 15 minute duration and 10 invalid attempts):

    Name: <Whatever you want to use here - I used DeviceLockAccountLockoutPolicy>
    Description: <Whatever you want to use here - I referenced the GitHub URL above where I found the setting in the correct format plus some other notes>
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy
    Data type: String
    Value (just paste this as-is - it is one long line unlike a MultiString - even if it does not look like it in the Value box in Intune):
    AccountLockoutDuration:15, AccountLockoutThreshold:10, ResetAccountLockoutCounterAfter:15


  2. ZhoumingDuan-MSFT 14,870 Reputation points Microsoft Vendor
    2024-06-06T01:41:40.5766667+00:00

    @Michèle Merlo, Thanks for posting in Q&A.

    From your description, I know you want to set a specific account lockout duration setting.

    Based on the official document, the AccountLockoutPolicy setting is only available for Device. Therefore, when you create a custom policy and configure all settings, you should assign the policy to a device group; the device will then apply the policy, and every user logging on to this device will also be affected by it. Therefore, currently, there is no such way to set the specific account lockout duration setting on its own. It is suggested that you create the policy, assign it to a device group and make it apply to all users.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy

    Thanks for your kind understanding.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Jon Resele 40 Reputation points
    2024-10-11T03:27:58.8533333+00:00

    The Microsoft page says that the OMA-URI is a String, and after setting the settings through local group policy and exporting the list I got this:

    Policy,Security Setting
    Account lockout duration,0
    Account lockout threshold,5 invalid logon attempts
    Reset account lockout counter after,15 minutes

    (I exported it as a comma delimited .txt)
    It's possible that the String value should be something like that? But I feel like there's extra data in that, like "minutes" or "invalid logon attempts"
    trying things via Intune, so far no dice...

    Also haven't found an ADMX to import...
    And checking regedit for "Accountlockoutduration" didn't get me anywhere
    pushing this via Intune in the String:

    Accountlockoutduration,0
    Accountlockoutthreshold,5
    Resetaccountlockoutcounterafter,15

    Also returned an error...

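A worked example that ties together the value format from Jonathan's answer and the formats Jon tried above (comma-separated rows, unit suffixes, multiple lines), added here and not posted by anyone in the thread. It builds the single-line "Key:Number" string the DeviceLock/AccountLockoutPolicy OMA-URI expects, rejects the row-per-line and "5 invalid logon attempts" variants, wraps the value in the Graph API resource that corresponds to the portal's Custom profile fields, and compares a device's effective settings reported by "net accounts" against the policy. Assumptions: PowerShell 5.1 or later; the en-US labels printed by "net accounts"; the Graph types windows10CustomConfiguration and omaSettingString as the API form of the portal fields; and the Windows rule that the reset window may not exceed the lockout duration. The function names are mine and the "net accounts" output is a constructed sample.

```powershell
# Added example (not from any post in this thread): build, validate and verify the
# DeviceLock/AccountLockoutPolicy value. Names of all functions below are hypothetical.

$OmaUri = './Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy'

function New-AccountLockoutPolicyValue {
    param(
        [int]$DurationMinutes = 15,   # "Account lockout duration" (recommendation: 15 minutes or more)
        [int]$Threshold       = 10,   # invalid attempts before the account is locked
        [int]$ResetMinutes    = 15    # "Reset account lockout counter after"
    )
    if ($DurationMinutes -lt 15) { throw "Duration $DurationMinutes is below the 15-minute recommendation" }
    if ($Threshold -lt 1)        { throw "A threshold of 0 disables lockout entirely" }
    # Assumption: Windows rejects a reset window longer than the lockout duration
    if ($ResetMinutes -gt $DurationMinutes) { throw "Reset window must not exceed lockout duration" }
    # One line, "Key:Number" pairs separated by comma and space, no units, no newlines
    return "AccountLockoutDuration:$DurationMinutes, AccountLockoutThreshold:$Threshold, ResetAccountLockoutCounterAfter:$ResetMinutes"
}

function ConvertFrom-AccountLockoutPolicyValue {
    param([Parameter(Mandatory)][string]$Value)
    # Parses the value string back into a hashtable; throws on the formats that Intune rejects
    # ("Accountlockoutduration,0" rows, "5 invalid logon attempts", multi-line input)
    if ($Value -match "`n") { throw 'The value is a single String, not a MultiString' }
    $result = @{}
    foreach ($pair in ($Value -split ',\s*')) {
        if ($pair -notmatch '^(AccountLockoutDuration|AccountLockoutThreshold|ResetAccountLockoutCounterAfter):(\d+)$') {
            throw "Unexpected token '$pair': expected Key:Number with no units"
        }
        $result[$Matches[1]] = [int]$Matches[2]
    }
    return $result
}

function New-CustomProfileBody {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    # Graph representation of the portal's Custom profile: one String OMA setting
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = 'Account lockout duration/threshold/reset window. Device scope: applies to every user on the device.'
        omaSettings   = @(@{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'DeviceLock AccountLockoutPolicy'
            omaUri        = $OmaUri
            value         = $Value
        })
    }
    return ($body | ConvertTo-Json -Depth 5)
}

function Test-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string[]]$NetAccountsOutput, [Parameter(Mandatory)][hashtable]$Expected)
    # Map the en-US "net accounts" labels (regex-escaped) to the policy keys
    $labels = @{
        'Lockout duration \(minutes\)'           = 'AccountLockoutDuration'
        'Lockout threshold'                      = 'AccountLockoutThreshold'
        'Lockout observation window \(minutes\)' = 'ResetAccountLockoutCounterAfter'
    }
    $mismatch = @()
    foreach ($label in $labels.Keys) {
        $key = $labels[$label]
        $actual = $null
        foreach ($line in $NetAccountsOutput) {
            if ($line -match "^$label\s*:\s*(\S+)") { $actual = $Matches[1]; break }
        }
        # "Never" for the threshold means lockout is disabled, which is a mismatch against any policy
        if ($null -eq $actual) { $mismatch += "${key} not reported by net accounts" }
        elseif ($actual -ne [string]$Expected[$key]) { $mismatch += "${key} expected $($Expected[$key]), device reports $actual" }
    }
    return $mismatch   # empty array means the device matches the policy
}

# --- Usage ---
$value    = New-AccountLockoutPolicyValue -DurationMinutes 15 -Threshold 10 -ResetMinutes 15
$expected = ConvertFrom-AccountLockoutPolicyValue -Value $value
$json     = New-CustomProfileBody -Name 'DeviceLockAccountLockoutPolicy' -Value $value
$json
# To create the profile from this body (requires Connect-MgGraph with DeviceManagementConfiguration.ReadWrite.All):
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $json

# Constructed sample of "net accounts" output from a device that has applied the policy
$sample = @(
    'Lockout threshold:                                    10',
    'Lockout duration (minutes):                           15',
    'Lockout observation window (minutes):                 15',
    'Computer role:                                        WORKSTATION'
)
Test-EffectiveLockoutPolicy -NetAccountsOutput $sample -Expected $expected
# Live check on a Windows 11 24H2 / Server 2025 device (earlier builds ignore this CSP setting):
# Test-EffectiveLockoutPolicy -NetAccountsOutput (net accounts) -Expected $expected
```

Running the parser over the strings Jon posted makes the failure visible before anything is pushed to devices: "Accountlockoutduration,0" fails because the key is not followed by a colon, and "Account lockout threshold,5 invalid logon attempts" fails on the unit text, which is why the Intune error appeared. Assign the resulting profile to a device group, as ZhoumingDuan notes, since the setting is device-scoped and affects every user who signs in.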
