Windows now also protects local admin accounts against brute force attacks


Microsoft has added an option to all supported versions of Windows that protects the built-in local Administrator account against brute-force attacks. According to Microsoft, password brute-forcing is one of the three most common ways Windows machines are attacked. System administrators have long been able to set an account lockout policy: after a configurable number of failed logon attempts, the account is locked for a set period.

Until now, however, that policy never applied to the built-in local Administrator account. An attacker could therefore guess its password with an unrestricted brute-force attack, over the Remote Desktop Protocol (RDP) as well as over other network logon paths. To further limit brute-force attacks, the lockout policy can now be applied to this account as well, through the new "Allow Administrator account lockout" setting under the account lockout policy.

On new Windows 11 machines running version 22H2 with the October 2022 updates, this lockout policy is enabled by default; installations set up before the update keep their existing settings and must have it enabled manually. Administrators can disable the policy if they wish. In addition, Microsoft now enforces password complexity for local administrator accounts on new machines: the password must contain at least three of the four character types (lowercase letters, uppercase letters, digits and symbols). This should provide further protection against brute-force attacks.
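The following PowerShell script is an added example and is not part of the article or of Microsoft's own tooling. It audits the local account lockout policy of a machine (the lockout threshold, duration and reset window, plus the new Administrator lockout setting), reports what an attacker would exploit, and can apply the values Microsoft documents as the secure default for new installs (10 failed attempts within 10 minutes locks the account for 10 minutes). The function names, the temporary file names and the assumption that secedit exposes the new policy under the [System Access] key AllowAdministratorLockout are the example's own; check that key name on your build before relying on it.

```powershell
# Added example (not from the original article): audit and optionally apply the
# local account lockout policy, including "Allow Administrator account lockout".
# Run from an elevated PowerShell 5.1 (or later) prompt on the machine itself.
# Assumption: secedit exports that policy as AllowAdministratorLockout (1 = on).

function Get-LocalLockoutPolicy {
    $cfg = Join-Path $env:TEMP 'lockout-audit.inf'
    # secedit writes the local security policy as a UTF-16 INI-style file
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (not elevated?)' }

    $values = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') {                 # section header
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    # A key that is absent means the OS predates that setting; treat it as 0.
    $get = { param($k) if ($values.ContainsKey($k)) { [int]$values[$k] } else { 0 } }
    [pscustomobject]@{
        LockoutThreshold       = & $get 'LockoutBadCount'      # failed attempts; 0 = never lock
        LockoutDurationMinutes = & $get 'LockoutDuration'      # -1 = until an admin unlocks
        ResetCounterMinutes    = & $get 'ResetLockoutCount'
        AdminLockoutEnabled    = ((& $get 'AllowAdministratorLockout') -eq 1)
        AdminLockoutKeyPresent = $values.ContainsKey('AllowAdministratorLockout')
    }
}

function Test-LocalLockoutPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Lockout threshold is 0: unlimited password guesses against every local account.'
    }
    if (-not $Policy.AdminLockoutKeyPresent) {
        $findings += 'Administrator lockout policy not present: install the October 2022 or later cumulative update.'
    } elseif (-not $Policy.AdminLockoutEnabled) {
        $findings += 'Built-in Administrator is exempt from lockout: enable "Allow Administrator account lockout".'
    }
    $findings
}

function Set-LocalLockoutPolicy {
    # Defaults are the secure-by-default values new 22H2 installs receive.
    param([int]$Threshold = 10, [int]$DurationMinutes = 10, [int]$ResetMinutes = 10)
    if ($ResetMinutes -gt $DurationMinutes) { throw 'Reset window must not exceed lockout duration.' }
    $inf = Join-Path $env:TEMP 'lockout-apply.inf'
    $db  = Join-Path $env:TEMP 'lockout-apply.sdb'
@"
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = $Threshold
LockoutDuration = $DurationMinutes
ResetLockoutCount = $ResetMinutes
AllowAdministratorLockout = 1
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

$policy = Get-LocalLockoutPolicy
$policy | Format-List
$issues = Test-LocalLockoutPolicy -Policy $policy
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'Lockout policy matches the new defaults.' }
# Remediate with: Set-LocalLockoutPolicy ; then re-run Get-LocalLockoutPolicy to confirm.
```

The audit deliberately distinguishes "key absent" (the update is not installed, so the Administrator account cannot be protected at all) from "key present but 0" (the protection exists but someone switched it off). Note that the export and the INF only touch the local SAM policy; on a domain-joined machine the Default Domain Policy governs domain accounts, while local accounts on that machine still follow what this script reports. A quick cross-check without parsing anything is `net accounts`, which prints the threshold, duration and observation window, although it does not show the Administrator-specific setting.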