Max Failed Password Attempts Configuration using Intune Policy
Intune: Configure Maximum Failed Password Attempts (Device Lockout) – The Complete 2025 Deep-Dive Guide
In 2025, one of the simplest yet most effective brute-force mitigations for Windows 11 devices is locking the device after X failed sign-in attempts. This is not Azure AD account lockout — this is local device lockout (PIN, password, Windows Hello) that works even when the device is offline.
Why This Still Matters in 2025
- Stops physical attackers trying 000000, 123456, etc.
- Works on Azure AD-joined, Hybrid, and even standalone devices
- Triggers BitLocker recovery screen after threshold (great for lost/stolen laptops)
- Fully cloud-managed — no GPO needed
The Two Settings You Actually Need
| Setting (Settings Catalog) | Path in Intune | Recommended Value (2025) | What It Does |
|---|---|---|---|
| Max Device Password Failed Attempts | Device Lock → Max Device Password Failed Attempts | 5–10 | Locks device after X failed local sign-ins |
| Number of sign-in failures before wiping device | BitLocker → Number of sign-in failures before wiping device | 10–15 (or 999 to disable) | Forces full wipe (only after BitLocker recovery screen) |
Step-by-Step: Deploy via Settings Catalog (2025 Tested)
- Intune Admin Center → Devices → Configuration → Create
  Platform: Windows 10 and later
  Profile type: Settings catalog
- Basics
  Name: Device Lock – Max Failed Attempts = 8
  Description: Locks device after 8 failed PIN/password attempts + wipe after 12
- Configuration settings → Click Add settings
  Search “Device Lock” → pick Device Lock category
  - Device Password Enabled → Enabled (required for the policy to apply)
  - Max Device Password Failed Attempts → 8 (Microsoft recommends 5–10)
  - Max Inactivity Time Device Lock → 5 minutes (optional but recommended)
- Optional – Add Wipe After Threshold
  Search “BitLocker” → BitLocker category
  - Number of sign-in failures before wiping device → 12
    (Device shows BitLocker recovery first → after 12 total failures = full wipe)
- Scope tags → (if you use them)
- Assignments
  Include: All corporate Windows devices
  Exclude: Shared kiosks, server OS, or break-glass admin devices
- Review + create
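The same profile can be created as code instead of through the portal. The following Python is an added example, not code from the page or from Microsoft: it builds the Settings Catalog request body that the steps above produce by hand and validates the values before anything is sent. It assumes the beta Graph endpoint `deviceManagement/configurationPolicies` and the `deviceManagementConfiguration*` OData types; the three `settingDefinitionId` strings are assumptions derived from the DeviceLock CSP names (confirm them in the Settings Catalog picker before use), and the choice value `..._devicepasswordenabled_0` assumes the CSP convention that 0 means Enabled. The optional BitLocker wipe setting is left out because its definition ID is not given on the page. Deploying requires a bearer token with `DeviceManagementConfiguration.ReadWrite.All`; `deploy()` is never called by default, so the script runs offline.

```python
import json
import urllib.request

# Assumed Settings Catalog definition IDs (CSP path lowercased). Verify in the
# Intune Settings Catalog picker before relying on them.
DEF_PASSWORD_ENABLED = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled"
DEF_MAX_FAILED = "device_vendor_msft_policy_config_devicelock_maxdevicepasswordfailedattempts"
DEF_INACTIVITY = "device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock"

GRAPH_ENDPOINT = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"


def _int_setting(definition_id, value):
    """Wrap an integer CSP value in the Graph settings-catalog envelope."""
    return {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
        "settingInstance": {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
            "settingDefinitionId": definition_id,
            "simpleSettingValue": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
                "value": value,
            },
        },
    }


def _choice_setting(definition_id, choice_id):
    """Wrap a choice (enum) CSP value in the Graph settings-catalog envelope."""
    return {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
        "settingInstance": {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
            "settingDefinitionId": definition_id,
            "choiceSettingValue": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                "value": choice_id,
                "children": [],
            },
        },
    }


def build_device_lock_policy(name, max_failed, inactivity_minutes=5, description=""):
    """Build the request body for a Windows Settings Catalog profile that
    enables the device password requirement, sets the failed-attempt threshold
    and the inactivity lock. Values are range-checked against the CSP limits
    (0-999, where 0 means 'no limit' / 'no timeout')."""
    if not 0 <= max_failed <= 999:
        raise ValueError("MaxDevicePasswordFailedAttempts must be 0-999 (0 = no limit)")
    if not 0 <= inactivity_minutes <= 999:
        raise ValueError("MaxInactivityTimeDeviceLock must be 0-999 minutes (0 = no timeout)")
    return {
        "name": name,
        "description": description,
        "platforms": "windows10",
        "technologies": "mdm",
        "settings": [
            # Assumption: CSP DevicePasswordEnabled uses 0 = Enabled, 1 = Disabled.
            _choice_setting(DEF_PASSWORD_ENABLED, DEF_PASSWORD_ENABLED + "_0"),
            _int_setting(DEF_MAX_FAILED, max_failed),
            _int_setting(DEF_INACTIVITY, inactivity_minutes),
        ],
    }


def setting_value(body, definition_id):
    """Read back the configured value for one definition ID (None if absent)."""
    for setting in body["settings"]:
        inst = setting["settingInstance"]
        if inst["settingDefinitionId"] != definition_id:
            continue
        if "simpleSettingValue" in inst:
            return inst["simpleSettingValue"]["value"]
        return inst["choiceSettingValue"]["value"]
    return None


def deploy(body, access_token):
    """POST the profile to Intune. Not called by default; needs a Graph token
    with DeviceManagementConfiguration.ReadWrite.All."""
    req = urllib.request.Request(
        GRAPH_ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_device_lock_policy(
        "Device Lock – Max Failed Attempts = 8", max_failed=8, inactivity_minutes=5,
        description="Locks device after 8 failed PIN/password attempts")
    print(json.dumps(policy, indent=2))  # dry run: inspect before deploying
```

Assignments and scope tags are separate Graph calls after the profile exists, so they are not part of this body; the printed JSON is what you would compare against the profile the portal creates.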
How It Works in Real Life (Tested on Windows 11 25H2)
| Failed Attempts | What the User Sees |
|---|---|
| 1–7 | Normal “Incorrect PIN” message |
| 8 | Device instantly locks → “This device is locked” screen |
| After lock | Must wait 1 min → 2 min → 4 min (exponential back-off) |
| 12 total | BitLocker recovery screen → final 3 attempts → full wipe |
Monitoring & Proof It Works
- Event Viewer (on device)
  Security log → Event ID 4625 (failed logon) → count reaches your threshold → Event ID 4645 “Device Lockout”
- Intune Reports
  Devices → [Device] → Device configuration → Shows policy applied
- Defender for Endpoint (if licensed)
  Advanced Hunting query:

```kql
DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize FailedCount=count() by DeviceName, bin(Timestamp, 1h)
| where FailedCount >= 8
```
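The Event Viewer count and the Advanced Hunting query above are the same detection: failed sign-ins per device, compared with the lockout threshold. The Python below is an added example (not the page's or Microsoft's code) that runs that logic over constructed rows shaped like `DeviceLogonEvents` (Timestamp, DeviceName, ActionType); exported 4625 events could be mapped to the same three fields. It also shows a caveat of `bin(Timestamp, 1h)`: it is a tumbling window aligned to the clock hour, so eight failures split across 09:56–10:03 land in two bins of four and never reach the threshold, while a sliding one-hour window over consecutive failures still catches them.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real telemetry): (Timestamp, DeviceName, ActionType).
SAMPLE_EVENTS = [
    # LAPTOP-A: 8 failures inside one clock hour -> caught by bin(1h)
    *[("2025-06-01T09:%02d:00" % m, "LAPTOP-A", "LogonFailed") for m in range(5, 45, 5)],
    ("2025-06-01T09:50:00", "LAPTOP-A", "LogonSuccess"),
    # LAPTOP-B: 8 failures straddling 10:00 (09:56-09:59 and 10:00-10:03) -> missed by bin(1h)
    *[("2025-06-01T09:5%d:00" % m, "LAPTOP-B", "LogonFailed") for m in range(6, 10)],
    *[("2025-06-01T10:0%d:00" % m, "LAPTOP-B", "LogonFailed") for m in range(0, 4)],
    # LAPTOP-C: 3 scattered failures over the day, ordinary user behaviour
    ("2025-06-01T08:10:00", "LAPTOP-C", "LogonFailed"),
    ("2025-06-01T13:10:00", "LAPTOP-C", "LogonFailed"),
    ("2025-06-01T17:10:00", "LAPTOP-C", "LogonFailed"),
]


def _parse(rows):
    return [(datetime.fromisoformat(ts), dev, act) for ts, dev, act in rows]


def failures_per_hour_bin(rows, threshold=8):
    """Mirror of the KQL: keep LogonFailed, bucket by clock hour and device,
    count, and return the (device, hour) pairs at or above the threshold."""
    counts = Counter()
    for ts, dev, act in _parse(rows):
        if act != "LogonFailed":
            continue
        hour_bin = ts.replace(minute=0, second=0, microsecond=0)
        counts[(dev, hour_bin)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def failures_sliding_window(rows, threshold=8, window=timedelta(hours=1)):
    """Sliding variant: flag a device if any `threshold` consecutive failures
    fall within `window`, independent of clock-hour boundaries. Returns the
    start time of the first qualifying burst per device."""
    by_device = defaultdict(list)
    for ts, dev, act in _parse(rows):
        if act == "LogonFailed":
            by_device[dev].append(ts)
    flagged = {}
    for dev, times in by_device.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[dev] = times[i]
                break
    return flagged


def flagged_devices(rows, threshold=8):
    """Device names flagged by each method, for side-by-side comparison."""
    binned = {dev for dev, _ in failures_per_hour_bin(rows, threshold)}
    sliding = set(failures_sliding_window(rows, threshold))
    return binned, sliding


if __name__ == "__main__":
    binned, sliding = flagged_devices(SAMPLE_EVENTS)
    print("bin(1h) flags:        ", sorted(binned))
    print("sliding 1h flags:     ", sorted(sliding))
    print("missed by bin(1h):    ", sorted(sliding - binned))
```

In practice the threshold in the query should match the profile's Max Device Password Failed Attempts value, and the sliding form is the one to use if you want the alert to fire whenever the device itself would have locked.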
2025 Best-Practice Recommendations by Risk Tier
| Tier | Max Failed Attempts | Wipe After | Use Case |
|---|---|---|---|
| Standard users | 10 | Disabled | Normal corporate laptops |
| Sensitive data | 8 | 15 | Finance, Legal, Executives |
| High-security | 5 | 10 | VIPs, regulated industries, C-suite |
| Kiosks/Shared | Disabled (0) | Disabled | Prevent accidental lockouts |
Common Misconceptions (2025)
❌ This does NOT affect Azure AD account lockout (still 10 failed by default)
❌ This does NOT work on macOS or mobile MAM
❌ Windows Hello for Business biometric fallback still counts as failed attempts
Pro Tip: Combine With These Policies for Zero-Trust
- Require TPM + BitLocker
- Block legacy boot & external boot devices
- Defender for Endpoint tamper protection
- Windows Hello for Business (PIN becomes non-exportable)
Deploy this single policy today and you instantly eliminate the #1 physical attack vector against lost Windows laptops in 2025.
Official Microsoft Learn (updated Dec 2025):
https://learn.microsoft.com/en-us/mem/intune/configuration/device-lock-windows
