Interactive logon: Machine account lockout threshold

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine account lockout threshold security policy setting.

Reference

The Interactive logon: Machine account lockout threshold security policy setting enforces a lockout policy on computers whether or not BitLocker is enabled to protect their operating system volumes.

Failed password attempts on workstations or member servers that have been locked by using either Ctrl + Alt + Delete or password-protected screen savers count as failed sign-in attempts.

The security setting allows you to set a threshold for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. If the specified maximum number of failed sign-in attempts is exceeded, the device invalidates the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboots. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.

When BitLocker isn't used, the server is still rebooted.

Possible values

You can set the invalid logon attempts value between 1 and 999. Values from 1 to 3 are interpreted as 4. If you set the value to 0, or leave it blank, the computer or device will never be locked as a result of this policy setting.

Best practices

Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the Account lockout threshold policy setting is set at 50, then setting Interactive logon: Machine account lockout threshold at 60 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out.

Note

Microsoft recommends not using low values for the lockout threshold. Many applications retry excessively with an incorrect password, which can lock out the user after just a few bad attempts.
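The following PowerShell script is an added example, not part of the Microsoft page: it reads the locally configured machine account lockout threshold, applies the interpretation rules from Possible values (0 or blank never locks; 1 to 3 count as 4), and compares the result with the account lockout threshold as the best practice above suggests. It assumes the policy is stored as the DWORD MaxDevicePasswordFailedAttempts under the Policies\System registry key (the page does not name the registry location) and that `net accounts` prints English output.

```powershell
# Added example: audit the effective "Interactive logon: Machine account
# lockout threshold" on this machine against the account lockout threshold.
# Assumption: the setting is backed by the DWORD below (not stated on the page).
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'MaxDevicePasswordFailedAttempts'

function Get-EffectiveMachineLockoutThreshold {
    # 0 means the device is never locked by this policy (value 0, blank or unset).
    # Values 1..3 are interpreted as 4, as documented under "Possible values".
    $configured = (Get-ItemProperty -Path $regPath -Name $valueName `
                   -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $configured -or [int]$configured -le 0) { return 0 }
    $n = [int]$configured
    if ($n -lt 4) { return 4 }
    return $n
}

function Get-AccountLockoutThreshold {
    # Parses the "Lockout threshold:" line of `net accounts` (English output);
    # "Never" means account lockout is disabled and is reported as 0.
    $line = (net accounts) | Where-Object { $_ -like 'Lockout threshold:*' }
    if (-not $line) { return 0 }
    $raw = ($line -replace '^Lockout threshold:\s*', '').Trim()
    if ($raw -eq 'Never') { return 0 }
    return [int]$raw
}

$machine = Get-EffectiveMachineLockoutThreshold
$account = Get-AccountLockoutThreshold
# A device lockout only invalidates TPM protectors when BitLocker protects the OS volume.
$bitlocker = try {
    (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
} catch { 'unknown (BitLocker module unavailable or access denied)' }

"Machine account lockout threshold (effective): $(if ($machine -eq 0) { 'never locks' } else { $machine })"
"Account lockout threshold:                      $(if ($account -eq 0) { 'never locks' } else { $account })"
"BitLocker protection status on $($env:SystemDrive):     $bitlocker"

# Best practice from the page: the machine threshold should exceed the account
# threshold (for example 60 vs 50) so a user hits account lockout, which is
# recoverable without the 48-digit recovery password, before a device lockout.
if ($machine -ne 0 -and $account -ne 0 -and $machine -le $account) {
    Write-Warning "Machine threshold ($machine) is not higher than the account threshold ($account)."
}
# Low values risk reboots or device lockouts caused by applications retrying a bad password.
if ($machine -ne 0 -and $machine -lt 10) {
    Write-Warning "Machine threshold ($machine) is low; retrying applications can trigger a device lockout."
}
```

Run it in an elevated prompt on the machine being audited; the warnings are advisory and the thresholds printed are the values to reconcile in Group Policy.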

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Default values

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

Server type or GPO                            Default value
--------------------------------------------  -------------
Default Domain Policy                         Not defined
Default Domain Controller Policy              Not defined
Stand-Alone Server Default Settings           Disabled
DC Effective Default Settings                 Disabled
Member Server Effective Default Settings      Disabled
Client Computer Effective Default Settings    Disabled

Policy management

This section describes features and tools that are available to help you manage this policy.

Restart requirement

A restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy.

Group Policy

This policy setting was introduced in Windows Server 2012 and Windows 8, so it can only be set locally on devices that have the setting. It can, however, be set and distributed through Group Policy to any computer running a version of the Windows operating system that supports Group Policy.

When setting this policy, consider the Account lockout threshold policy setting, which determines the number of failed sign-in attempts that will cause a user account to be locked out.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

When the threshold is set, an attacker can cause a reboot of the device anonymously. If BitLocker is enabled, the device will not boot successfully into normal operating mode.

Vulnerability

This policy setting helps protect a device from attackers attempting to brute-force guess the Windows sign-in password. If not set, then attackers can attempt innumerable passwords, if no other account protection mechanisms are in place.

Countermeasure

Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the Account lockout threshold policy setting is set at 50, then setting Interactive logon: Machine account lockout threshold at 60 allows the user to restore access to resources without having to restore access to the device.

With the availability of multi-factor authentication using solutions like Windows Hello for Business or FIDO2, you can rely on the second factor to prevent accounts from being compromised. The password can then be complex, auditing of bad password attempts is sufficient to protect accounts, and machine and user account lockout thresholds are no longer needed.

Potential impact

If not set, the device could be compromised by an attacker using brute-force password cracking software.

If set too low, productivity might be hindered because users who become locked out will be unable to access the device without providing the 48-digit BitLocker recovery password or waiting for the reboot to complete. On a reboot, the user may lose unsaved data.