[German]Microsoft has back ported a group policy from Windows 11/Windows Server 2022, to protect local administrator accounts against brute-force attacks, to all supported Windows versions. This feature will be available with the Windows security updates released on October 11, 2022. This is intended to make one of the three most common methods of attacking Windows computers today more difficult. This is because administrators can use Group Policy to specify that an administrator account should be locked after a certain number of logon attempts.
Administrator accounts cannot be locked out easily on Windows systems. Therefore, without proper network segmentation or the presence of an intrusion detection service, unlimited brute-force attacks on Windows administrator accounts to determine passwords are possible. These attacks can happen via RDP over the network. If the passwords are not long or complex, the time required for such an attack becomes trivial with modern CPUs/GPUs. Therefore, brute force attacks are one of the three most common attack methods on Windows computers today.
Back in July, Microsoft's David Weston pointed out in a tweet darauf that Windows 11 builds have an account lockout policy to make RDP and other brute-force password attacks more difficult. Now Microsoft has ported this security feature back to older versions of Windows. This is according to support article KB5020282—Account lockout available for local administrators from October 2022.
To prevent further brute force attacks/attempts, Microsoft has introduced the option for account lockouts for administrator accounts on Windows. Once the October 11, 2022 or later cumulative security update is installed for the Windows version in question, a corresponding local policy is available. This can be used to lock down local administrator accounts. This policy can be found at
Local Computer Policies\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
There, the Allow administrator account locking policy is available to enable administrator account locking on systems with a local or domain GPO. Microsoft also suggests adjusting the other three policies under Account Lockout Policies and set their value to 10/10/10. This means that an account will be locked out after 10 failed attempts within 10 minutes and the lockout will last for 10 minutes.
For Windows 11 22H2 systems or systems with older versions of Windows that include the October 11, 2022 cumulative Windows updates in the installation media, this setting is set by default during installation. This occurs when the SAM database is first instantiated on a new machine. If these defaults are not to be applied, the "Allow Administrator Account Lockout" policy can be set to disabled.
If a machine was set up and the October update was installed later, the policy settings must be made manually. Microsoft also enforces a certain password complexity for local administrator accounts on newly installed machines. The password must contain at least three of the four basic character types (lowercase, uppercase, numbers and symbols). This helps ensure that these accounts cannot be compromised by a brute force attack.
For those who want to use a less complex password, the appropriate password guidelines are available at
Local Computer Policies\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
The above policies apply to the following Windows versions:
- Windows Server 2008 / R2 ESU
- Windows 7 Enterprise ESU
- Windows 7 Professional ESU
- Windows 7 Ultimate ESU
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 /R2
- Windows 10 Windows 10
- Windows Server 2016
- Windows 11
- Windows Server 2022
For more details, please refer to Microsoft's KB5020282—Account lockout available for local administrators .
Cookies helps to fund this blog: Cookie settings