Windows PIN Account Lockout Behavior

  • Question

  • Hello,

    I'm trying to find any documentation on how Windows Convenience PINs handle failed login attempts.  I've found a few blog posts stating that after 4 failed attempts you are challenged and after a few more attempts you are prompted to reboot the device.  I'd like to know the flow of how this works and if there are any GPOs that handle this behavior.  I've been searching but have found nothing official from MS that flows this all out.

    Here is a response that doesn't really detail the whole process out from the answers forum.

    • After 1 more failure, you must restart the machine
      You'll see "You've entered an incorrect PIN too many times"
      After a couple iterations of the above being challenged and restarting the device (multiple times), the PIN is blocked.

    https://answers.microsoft.com/en-us/windows/forum/windows_10-security/pin-makes-windows-less-far-far-less-secure/56f923be-0cf6-4135-9f97-a676e77acc11

    Thanks!

    Nick

    Monday, July 10, 2017 8:49 PM

All replies

  • Hi Nick,

    Open Group Policy Editor and navigate to the following path to check the threshold of your computer:

    Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

    For more information, please refer to this documentation: Account lockout threshold

    https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/account-lockout-threshold

    Besides, there is a help article explaining how Convenience PIN / Windows Hello behavior has been changed in Windows 10 Version 1607:

    Can't configure a PIN when Convenience PIN and Hello for Business policies are enabled in Windows 10 Anniversary Update

    https://support.microsoft.com/en-us/help/3201940/can-t-configure-a-pin-when-convenience-pin-and-hello-for-business-poli

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 11, 2017 1:30 AM
    Moderator
  • Teemo,

    The location of the GPO has options for account lockout in a traditional sense with authenticating with your domain account, but nothing associated with how the PIN lockout functions.  I'm looking for functions such as after 4 incorrect PIN attempts the user is prompted to enter "A1B2C3".

    Thanks for the link for the differences between Hello for Business and a Convenience PIN, but I've read that article and it doesn't cover any of the behavior, such as how to define X number of logon attempts prior to prompting to enter the character string.

    Thanks!

    Nick


    Tuesday, July 11, 2017 5:53 PM
  • Nick,

    Yes, you are right, it's my negligence. The PIN is tied to the device, not the account, so we need to consider device components, such as the TPM.

    TPM modules will prompt for the PIN to gain access to secure data. Depending on the system, the TPM will accept a certain number of failed PIN entries, referred to as the Failure Threshold, before the system will lock the TPM. There is a set lockout period in which the TPM may not be accessed. This is referred to as the TPM being in a "Lockout Condition." After the lockout period has passed, further attempts to access the TPM may be made. Repeated failed PIN attempts after a lockout period will force increasingly longer lockout periods, based on the system.

    We can use this GPO to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM):

    Standard User Individual Lockout Threshold

    Which is located in:

    Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\

    If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.

    For more information, please refer to this Microsoft article.

    https://docs.microsoft.com/en-us/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings#standard-user-individual-lockout-threshold

    Regards



    Wednesday, July 12, 2017 9:01 AM
    Moderator
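
Added example (not part of the thread and not Microsoft's code): a PowerShell check that reports the effective "Standard User Individual Lockout Threshold" and the TPM's current lockout state on a device. It assumes the policy is stored as `StandardUserAuthorizationFailureIndividualThreshold` under `HKLM:\SOFTWARE\Policies\Microsoft\Tpm` and that the `Get-Tpm` cmdlet is available; the function name `Get-TpmLockoutReport` is hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: the "Standard User Individual Lockout Threshold" policy is stored
# at the registry location below.
$PolicyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Tpm'
$PolicyValue      = 'StandardUserAuthorizationFailureIndividualThreshold'
$DefaultThreshold = 4   # default quoted in the reply when the policy is not configured

function Get-TpmLockoutReport {   # hypothetical helper name
    # 1. Effective policy value: set by GPO, otherwise the default.
    $configured = $null
    if (Test-Path -Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
        if ($null -ne $item) { $configured = $item.$PolicyValue }
    }
    # Compare against $null so a configured value of 0 is not mistaken for "unset".
    $isConfigured = $null -ne $configured
    $threshold    = if ($isConfigured) { [int]$configured } else { $DefaultThreshold }

    # 2. Lockout state as reported by the TPM itself.
    $tpm = $null
    try   { $tpm = Get-Tpm -ErrorAction Stop }
    catch { Write-Warning "Get-Tpm failed (not elevated, or no TPM): $($_.Exception.Message)" }

    [pscustomobject]@{
        PolicyConfigured        = $isConfigured
        IndividualThreshold     = $threshold
        # Per the reply: zero stops standard users from sending commands to the
        # TPM that might cause an authorization failure.
        ZeroBlocksStandardUsers = ($threshold -eq 0)
        TpmPresent              = if ($tpm) { $tpm.TpmPresent }      else { $null }
        LockedOut               = if ($tpm) { $tpm.LockedOut }       else { $null }
        LockoutCount            = if ($tpm) { $tpm.LockoutCount }    else { $null }
        LockoutMax              = if ($tpm) { $tpm.LockoutMax }      else { $null }
        LockoutHealTime         = if ($tpm) { $tpm.LockoutHealTime } else { $null }
    }
}

Get-TpmLockoutReport | Format-List
```

Comparing `LockoutCount` with `LockoutMax` after a few deliberate wrong PIN entries on a test device shows whether PIN failures are being counted by the TPM, which is the behavior the reply describes.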
  • Would you mind letting me know the update of the problem? If you need further assistance, feel free to let me know. I will be more than happy to be of assistance.


    Friday, July 21, 2017 8:54 AM
    Moderator