Windows 11 22H2, currently available to participants in the Windows Insider program, comes with a long list of new features and changes. Some of those improvements are not visible at first sight, and users must dig deeper to uncover them. One such change is improved protection against brute force attacks on local account passwords.
David Weston, Microsoft's Vice President of Enterprise and OS Security, recently tweeted about the new security measure. The operating system now enables an account lockout policy by default, so a local account is locked out after ten failed attempts to guess its password. Password brute forcing is a common way for attackers to get into systems, frequently over Remote Desktop Protocol (RDP) exposed to the network.
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0 — David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022
You can check out the new policies in the Local Group Policy Editor by navigating to Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy. By default, Windows 11 22H2 sets the account lockout threshold to ten invalid logon attempts, resets the failed-attempt counter after ten minutes, and keeps the account locked out for ten minutes. IT admins can configure these values according to their needs; a longer lockout duration or a lower threshold slows an attacker further, at the cost of more lockouts from legitimate typos.
It is worth mentioning that the lockout policies are not exclusive to Windows 11; they are also present in earlier Windows versions, but disabled by default (an account lockout threshold of 0, which Windows displays as "Never"). With Windows 11 22H2 (starting with build 22528.1000 and higher), Microsoft flipped the switch, making it much harder to get into the operating system by guessing passwords.
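The same policy can be audited and set from an elevated PowerShell prompt, which is handy on the earlier Windows builds mentioned above where lockout is still off by default. The following script is an added example, not code from the article or from Microsoft: it reads the effective local lockout settings with the built-in net.exe command, warns when the threshold is "Never", optionally applies the three 22H2 default values named above, and lists recent lockout events (Security event ID 4740) so you can confirm the policy is firing. The function names and the $Win11Default table are this example's own; the label strings parsed from net accounts are those of an English-language Windows.

```powershell
# Added example (not from the article or from Microsoft): audit the local
# account lockout policy, compare it with the Windows 11 22H2 defaults,
# optionally apply them, and show recent lockouts from the Security log.
# Run from an elevated PowerShell session; changing the policy needs admin rights.

# 22H2 defaults as shown under Account Lockout Policy in the Local Group Policy Editor.
# Keys match the parameter names of Set-LockoutPolicy so the table can be splatted.
$Win11Default = @{ Threshold = 10; DurationMinutes = 10; WindowMinutes = 10 }

function Get-LockoutPolicy {
    # 'net accounts' prints the effective local lockout settings (they live in the
    # SAM; gpedit's Account Lockout Policy writes the same values). Labels below are
    # the English ones; a localized Windows prints translated labels.
    $out = (net accounts) -join "`n"
    $value = {
        param($label)
        if ($out -match "(?m)^\s*$([regex]::Escape($label))\s*:\s*(\S+)") { $Matches[1] } else { $null }
    }
    $threshold = & $value 'Lockout threshold'
    [pscustomobject]@{
        # A threshold of "Never" means lockout is disabled (the pre-22H2 default).
        Threshold       = if ($threshold -eq 'Never') { 0 } else { [int]$threshold }
        DurationMinutes = [int](& $value 'Lockout duration (minutes)')
        WindowMinutes   = [int](& $value 'Lockout observation window (minutes)')
    }
}

function Set-LockoutPolicy {
    param([int]$Threshold = 10, [int]$DurationMinutes = 10, [int]$WindowMinutes = 10)
    # The observation window (reset counter after) must not exceed the lockout
    # duration; Windows rejects the combination otherwise.
    if ($WindowMinutes -gt $DurationMinutes) { throw 'WindowMinutes must be <= DurationMinutes' }
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
}

function Get-RecentLockouts([int]$Hours = 24) {
    # Event ID 4740 ("A user account was locked out") is written on the machine that
    # holds the account. TargetDomainName carries the caller computer name, which is
    # the first thing to look at when an RDP brute force is suspected.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $data.TargetUserName; CallerComputer = $data.TargetDomainName }
    }
}

$current = Get-LockoutPolicy
$current | Format-List
if ($current.Threshold -eq 0) {
    Write-Warning 'Account lockout is disabled (threshold "Never"); this is the pre-22H2 default.'
    # Set-LockoutPolicy @Win11Default   # uncomment to apply the 22H2 defaults
}
Get-RecentLockouts | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the policy only slows online guessing against accounts that are subject to it: on 22H2 the built-in Administrator account is covered only while the separate "Allow Administrator account lockout" setting in the same Account Lockout Policy folder is enabled (it is enabled on new 22H2 installs). Second, a lockout policy is also a denial-of-service lever: an attacker who can reach the logon surface can deliberately lock out accounts, so pair it with the usual measures (no RDP exposed directly to the internet, NLA enabled, and alerting on bursts of 4625/4740 events).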
If you are interested in consumer-facing changes in Windows 11 22H2, check out our comprehensive review.
Update: David Weston has confirmed that the new lockout policies are coming to Windows 10.