Recent Windows 11 builds ship with an Account Lockout Policy enabled by default, according to a tweet by Microsoft's VP for Enterprise and OS Security. The setting, present in Insider Preview build 22528.1000 and newer, is intended to blunt brute-force RDP logons and the other password-guessing vectors commonly used in attacks against organizations.
The new defaults in this build are: a lockout after 10 invalid logon attempts, a 10-minute lockout duration, and a 10-minute window before the failed-attempt counter for an account is reset. Until now the local lockout threshold defaulted to 0, meaning an attacker could guess passwords against a local account indefinitely; with the new defaults a password-spraying or brute-force tool gets at most 10 guesses per account every 10 minutes before the account locks. Two caveats for practitioners: anyone who can reach the logon surface can also lock accounts deliberately, which the 10-minute automatic unlock bounds but does not eliminate, and on a domain-joined machine the domain's Group Policy still overrides the local values. This will help prevent the Remote Desktop Services brute-force attempts threat actors use to gain unauthorized access to systems. According to the FBI, RDP breaches account for roughly 70-80% of all network breaches that lead to ransomware attacks.
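The following PowerShell script is an added example for this page, not code from the article or from Microsoft. It audits the local Account Lockout Policy against the three defaults described above and optionally applies them: it reads the policy with `secedit /export` (the `LockoutBadCount`, `LockoutDuration` and `ResetLockoutCount` keys under `[System Access]`, which are locale-independent) and writes it with the `net accounts` lockout switches. The parameter names, the target values and the `-Enforce` switch are this example's own assumptions; both tools require an elevated session.

```powershell
# Added example, not from the original article: audit the local Account Lockout
# Policy and optionally raise it to the Windows 11 defaults described above
# (10 attempts / 10-minute lockout / 10-minute reset window).
# The parameter names and the -Enforce switch are assumptions of this example.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [int]$Threshold = 10,   # invalid logons before the account locks
    [int]$Duration  = 10,   # minutes the lockout lasts (0 = until an admin unlocks)
    [int]$Window    = 10,   # minutes of quiet before the bad-logon counter resets
    [switch]$Enforce        # apply the target values if the current policy is weaker
)

# 1. Export the effective local security policy. The lockout keys live in
#    [System Access]; their names do not change with the display language,
#    unlike the output of "net accounts".
$inf = Join-Path $env:TEMP 'lockout-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content -Path $inf -Raw
Remove-Item $inf -ErrorAction SilentlyContinue

function Get-PolicyValue([string]$Text, [string]$Key) {
    # Returns the integer after "Key = ", or $null when the key is absent
    # (secedit omits LockoutDuration/ResetLockoutCount while lockout is disabled).
    if ($Text -match "(?m)^\s*$Key\s*=\s*(\d+)") { return [int]$Matches[1] }
    return $null
}

$current = [pscustomobject]@{
    Threshold = Get-PolicyValue $policy 'LockoutBadCount'
    Duration  = Get-PolicyValue $policy 'LockoutDuration'
    Window    = Get-PolicyValue $policy 'ResetLockoutCount'
}
$current | Format-Table -AutoSize | Out-String | Write-Host

# 2. Decide whether the current policy is weaker than the target.
$findings = @()
if (-not $current.Threshold) {
    # Absent or 0: no lockout at all, the old default for local accounts.
    $findings += "Lockout disabled (LockoutBadCount is 0 or unset)"
} else {
    if ($current.Threshold -gt $Threshold) {
        $findings += "Threshold $($current.Threshold) allows more guesses than $Threshold"
    }
    # Duration 0 means "locked until an administrator unlocks", which is stricter
    # (and more exposed to deliberate lockout DoS), so it is not flagged as weak.
    if ($null -ne $current.Duration -and $current.Duration -ne 0 -and $current.Duration -lt $Duration) {
        $findings += "Lockout duration $($current.Duration) min is shorter than $Duration"
    }
    if ($null -ne $current.Window -and $current.Window -lt $Window) {
        $findings += "Reset window $($current.Window) min is shorter than $Window"
    }
}

if (-not $findings) {
    Write-Host "Account Lockout Policy meets or exceeds the target."
    return
}
$findings | ForEach-Object { Write-Warning $_ }

# 3. Optionally fix it. All three values go in one "net accounts" call because
#    Windows requires the reset window to be no longer than the lockout duration,
#    so setting them one at a time can be rejected depending on the current state.
#    On a domain-joined machine the domain GPO overrides whatever is set here.
if ($Enforce) {
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$Duration /lockoutwindow:$Window | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
    Write-Host "Applied: threshold=$Threshold, duration=$Duration min, window=$Window min."
}
```

Run it without switches to audit only; add `-Enforce` to apply the defaults on a standalone machine. Because the script reports the exported keys rather than trusting the build number, it also catches a later change of the local policy, which is the check a practitioner wants before relying on the new default for RDP exposure.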
This change is part of Microsoft's broader effort to close the entry vectors ransomware operators use to breach Windows networks and systems. Related changes include blocking Office macros by default in documents downloaded from the internet and enforcing multi-factor authentication in Azure AD.