Intune's policy "Number of repeated sign-in failures to allow before the device is wiped" is not working.
I'm testing Intune's policy "Number of repeated sign-in failures to allow before the device is wiped".
It is not working properly.
- The Windows 10 client just reboots; it is not wiped.
- When I change the number in the setting, the number of failures before the reboot changes, but it still just reboots.
- After removing the policy, Windows 10 no longer requires a reboot after many sign-in failures.
The environment is as follows:
* Tested Windows 10 build is 10586.494
* OMA-DM based management.
* The Intune environment was just created for this test (evaluation).
* Windows 10 device is workplace joined.
* Only the remote wipe command works fine.
Does anyone have an idea about this?
I suspect this is a mismatch between the configuration name and the real behavior...
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
This policy must be wrapped in an Atomic command.
This policy has different behaviors on the mobile device and desktop.
On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
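The documentation excerpt above gives two preconditions for the desktop behavior: the policy value that was actually delivered to the device, and BitLocker being enabled on the OS drive (without it "the policy cannot be enforced"). The PowerShell below is an added example, not code from this thread or from Microsoft, that checks both on a Windows 10 client and reports what the documented outcome should be. The registry location it reads (`HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MaxDevicePasswordFailedAttempts`) is assumed from the usual Policy CSP layout; `Get-BitLockerVolume` needs an elevated prompt.

```powershell
# Added example (not from the thread): check the preconditions the
# MaxDevicePasswordFailedAttempts docs describe on a Windows 10 desktop.
# Assumption: MDM-applied Policy CSP values are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>.

function Get-AppliedFailedAttemptsLimit {
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    $name = 'MaxDevicePasswordFailedAttempts'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # policy was never delivered to this device
    return [int]$item.$name
}

function Get-OsDriveBitLockerState {
    # ProtectionStatus is On/Off; $null means the BitLocker module/feature is missing
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $vol) { return 'Unavailable' }
    return [string]$vol.ProtectionStatus
}

function Test-WipePolicyEnforceable {
    param(
        [Nullable[int]]$Limit,
        [string]$ProtectionStatus
    )
    if ($null -eq $Limit) {
        return 'Policy not applied on this device: failed sign-ins trigger nothing.'
    }
    if ($Limit -eq 0) {
        return 'Limit is 0: device wipe functionality is disabled by policy.'
    }
    if ($ProtectionStatus -ne 'On') {
        return "Limit is $Limit but BitLocker protection on $env:SystemDrive is '$ProtectionStatus': per the docs the policy cannot be enforced on a desktop."
    }
    return "Limit is $Limit and BitLocker is On: after $Limit failures the desktop reboots into BitLocker recovery (data locked, not wiped)."
}

# Run the check and print the documented expectation for this machine.
$limit = Get-AppliedFailedAttemptsLimit
$bl    = Get-OsDriveBitLockerState
"Applied limit      : $(if ($null -eq $limit) { '<not set>' } else { $limit })"
"BitLocker (OS drive): $bl"
Test-WipePolicyEnforceable -Limit $limit -ProtectionStatus $bl
```

If the limit shows as `<not set>` while the device clearly reboots after N failures, the value is being enforced from somewhere other than the assumed registry mirror, so look at the DeviceManagement-Enterprise-Diagnostics-Provider event log on the client instead of trusting this lookup.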
There should be a way to disable this policy so devices aren't wiped at all
Rob de Roos commented
Also for iOS this is not working as expected. The 10th time the device gets locked. The 11th time is not even possible, so a device wipe is not taking place at all.
Muhammed Zengin commented
Another item to add:
The maximum value for “Number of sign-in failures before wiping device” is 11 and this is by design.
We have already had 2 users accidentally factory wipe their device by just cleaning their screen.
There should be a way to change the maximum number or have this option not configured.
@Masahiko, how much RAM does the Win10 device have? I know there was an issue we saw where if the device had less than 4 GB of RAM and you tried to wipe it, the behavior was wonky, and it turned out to be a Windows thing. Don't know if it's related, but that's the first thing that popped in my brain.