Export (0) Print
Expand All
Expand Minimize

Interactive logon: Machine account lockout threshold

Published: February 14, 2013

Updated: November 15, 2012

Applies To: Windows 8, Windows Server 2012

This security policy reference topic for the IT professional describes the best practices, location, values, management, and security considerations for this policy setting.

Beginning with Windows Server 2012 and Windows 8, the Interactive logon: Machine account threshold security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes.

The security setting allows you to set a threshold for the number of failed logon attempts that causes the computer or device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.

Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts.

You can set the invalid logon attempts value between 1 and 999. Values from 1 to 3 are interpreted as 4. If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting.

Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the Account lockout threshold policy setting is set at 4, then setting Interactive logon: Machine account lockout threshold at 6 allows the user to restore access to resources without having to restore access to the computer or device resulting from a BitLocker lock out.

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

 

Server type or GPO Default value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

This policy setting was introduced in Windows Server 2012 and Windows 8.

This section describes features and tools that are available to help you manage this policy.

A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy.

Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those computers that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled.

When setting this policy, consider the Account lockout threshold policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out. For more information, see Best practices.

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

This policy setting helps protect a BitLocker-encrypted device from attackers attempting to brute-force guess the Windows sign-in password. If not set, then attackers can attempt innumerable passwords, if no other account protection mechanisms are in place.

Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the Account lockout threshold policy setting is set at 4, then setting Interactive logon: Machine account lockout threshold at 6 allows the user to restore access to resources without having to restore access to the computer or device resulting from a BitLocker lock out.

If not set, the computer or device could be compromised by an attacker using brute-force password cracking software.

If set too low, productivity might be hindered because users who become locked out will be unable to access the computer or device without providing the 48-digit BitLocker recovery password.

See Also

Concepts

Security Options

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft