This new Windows feature will protect users against phishing campaigns

Microsoft has updated its official support page to announce a new security feature for all supported Windows clients that will protect users against brute-force phishing attacks where hackers try to take over systems by guessing passwords. The Redmond giant mentions that brute force attacks are one of the top three ways used by attackers to compromise Windows machines. The new local admin account lockout feature will prevent attackers from hitting the account with an unlimited number of password-guessing attempts. Earlier, Windows didn’t allow users to lock out local admins and these brute-force attacks were highly successful against systems that have a short and simple password.
Windows local admin lockout feature: Availability
The company’s official blog mentions that new machines that include Windows cumulative updates before they are set up will have this feature enabled by default. However, machines that are already running supported Windows versions and need to separately install this new update will have to manually enable the feature.

Windows local admin lockout feature: How it works
Hackers who successfully crack the password of a system using brute-force phishing attacks can take over all the other systems that are connected to the local admin account. To prevent this, Microsoft has announced the local admin account lockout feature.
According to Microsoft, hackers often initiate these phishing attacks with the help of the remote desktop protocol (RDP) feature that works over a network and is frequently targeted by ransomware groups who try to gain access to systems. The local admin account lockout feature will prevent hackers from taking over all the connected devices if one of them is compromised.
This new feature has four settings: enabling the local admin account lockout feature, the number of failed attempts before the feature is activated, the time taken by the feature to activate after the last failed attempt, and the duration of the lockout.

Microsoft recommends users enable the feature and set the rest of the options to 10. This will mean that the account lockout feature will automatically activate after 10 failed attempts, within 10 minutes of the last attempt and will continue for 10 minutes after the attack. When the time count is over, the account will unlock automatically.
Apart from this, the company will also enforce password complexity on new machines that use a local administrator account. These machines will need at least three of the four basic character types (lower case, upper case, numbers, and symbols) in their passwords. This will further secure the systems against brute-force attacks.
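
The effect of the recommended 10/10/10 settings and the three-of-four complexity rule can be seen in a small Python model, added here as an illustration; it is not Microsoft's code and not part of the original article. The class and function names are hypothetical, the 10-minute window is assumed to be the period within which failed attempts are counted, and the attacker's guess rate is a constructed value.

```python
# Added example: a model of the lockout behaviour described above, not Windows code.
import string
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:                       # hypothetical name
    threshold: int = 10                    # failed attempts before lockout
    window_s: int = 600                    # failures older than 10 min stop counting (assumed)
    duration_s: int = 600                  # account stays locked for 10 min
    failures: list = field(default_factory=list)
    locked_until: float = -1.0

    def failed_logon(self, t: float) -> bool:
        """Record a wrong-password attempt at time t (seconds).
        Returns True if the guess was actually checked, False if the
        account was locked and the attempt was rejected outright."""
        if t < self.locked_until:
            return False
        # Keep only failures that are still inside the counting window.
        self.failures = [f for f in self.failures if t - f < self.window_s]
        self.failures.append(t)
        if len(self.failures) >= self.threshold:
            self.locked_until = t + self.duration_s
            self.failures.clear()          # counter starts fresh after the lockout
        return True

def guesses_checked(policy: LockoutPolicy, rate_per_s: int, total_s: int) -> int:
    """Count how many guesses get evaluated when an automated client
    sends rate_per_s wrong passwords per second for total_s seconds."""
    step = 1.0 / rate_per_s
    attempts = int(total_s * rate_per_s)
    return sum(policy.failed_logon(i * step) for i in range(attempts))

def meets_complexity(password: str) -> bool:
    """True if at least three of the four character types are present."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(c in cls for c in password) for cls in classes) >= 3
```

At one guess per second for an hour, the model lets 60 guesses through with the recommended settings, against 3,600 when the threshold is never reached.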
