Microsoft has enabled the Account Lockout Policy by default in Windows 11. The security measure will automatically lock user accounts (including Administrator accounts) after 10 failed login attempts for 10 minutes.

This enables Microsoft to block attackers using brute force process to get into a system. Brute force primarily means guessing passwords with the help of automated tools.

According to David Weston, Microsoft’s VP for Enterprise and OS Security, brute forcing credentials is a popular tactic among threat actors. Attackers use brute force to infringe Windows systems via Remote Desktop Protocol (RDP) whenever they do not know the passwords of the account.

“This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome,” said Weston.

Account Lockout Policy is available on Windows 10 systems although not enabled by default. Administrators can configure the policy on Windows 10 in the Group Policy Management Console from Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

Other security changes introduced by Microsoft include the automatic blocking of Office macros in downloaded documents and the enforcement of multifactor authentication (MFA) in Azure AD.

The sources for this piece include an article in BleepingComputer.