Close Menu
Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Facebook X (Twitter) Instagram
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    • Home
    • Intune
    • Windows
      • Modern Workplace
    • macOS
    • Android
    • iOS
    • Automation
      • Logic Apps
      • Intune Monitoring
      • GitHub
    • Security
      • Passwordless
      • Security
    • Speaking
    • About me
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Home»Intune»Automatically wipe a Windows 10 device after a number of authentication failures
    Intune

    Automatically wipe a Windows 10 device after a number of authentication failures

    Peter KlapwijkBy Peter KlapwijkNovember 14, 2019Updated:December 11, 201923 Mins Read

    Wiping a mobile device, with Android or iOS as OS, after a number of sign-in failures is a commonly used Intune setting to protect the device and corporate data against unauthorized acces. Since the release of the MDM Security Baseline in Microsoft Endpoint Manager (Intune) a comparable setting is available for Windows 10 devices.

    The setting is found in the Device Lock section of the Security Baseline and called Number of sign-in failures before wiping device. The description of the setting states The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
    This is actually not completely true as the behavior is that the device is rebooted after a number of authentication failures and not wiped, but locked in the BitLocker recovery wizard. If the user is able to retrieve the recovery key, the user can gain access again to the device.

    As the Windows device is locked in BitLocker recovery mode, a prerequisite of this setup is the device is encrypted with BitLocker. If the device is not encrypted with BitLocker, the device is not wiped and not locked, it reboots and the user can try to sign-in again.

    Configure MDM Security Baseline

    The setup is pretty simple, as it is just creating the MDM Security Baseline and assign it to your devices. But keep in mind by creating a Security Baseline, by default all settings in the baseline are enabled.

    • Sign-in to the Microsoft Endpoint Manager portal
    • Browse to Endpoint security – Security baselines
    • Click MDM Security Baseline under Windows 10 Security Baselines
    • Click Create profile
    • Give the profile a Name
    • Enter a Description (optional)
    • As this is the only Baseline version, that option is greyed out
    • Click Next
    • Scroll down to the Device Lock section
    • Change the value of Number of sign-in failures before wiping device to your needs or leave it at the default value of 10
    • Review all the other settings in the Baseline
    • Change the settings to your needs
    • Click Next
    • Select a scope if you use scoping on the Scope tags tab
    • Click Next
    • Select a security group to assign to policy to or choose a group from the drop-down list
    • Click Next
    • Verify your settings
    • Click Create

    End-user experience

    Let`s move over to a Windows 10 device on which the policy is applied. Enter a few times a PIN or password which is wrong.

    After a few times of authentication failures the Windows logon screen is locked with a warning message:
    The password isn`t correct. Be careful – if you keep entering the wrong password, you`ll be locked out to help protect your data.
    To unlock, you`ll need a BitLocker key.


    Press Ctrl+Alt+Delete to unlock.

    When the user unlocks the screen, another message is shown with a challenge phrase.
    The user needs to enter A1B2C3 before he can move further.

    After the challenge phrase is entered successful, the user is allowed to try to authenticate another time.
    If the authentication fails again, the device is locked and the user needs to restart the device.

    When the last authentication also fails, the device is restarted and locked in the BitLocker recovery screen.

    Depending on the BitLocker setup, the user can lookup the BitLocker recovery key himself via myprofile.microsoft.com or needs to contact the servicedesk.

    Happy testing!

    Azure AD EMS Identity Management Intune MEM Microsoft 365 Microsoft Endpoint Manager Passwordless Security Windows10
    Share. Facebook Twitter LinkedIn Email WhatsApp
    Peter Klapwijk
    • Website
    • X (Twitter)
    • LinkedIn

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    Secure personal mobile devices with Microsoft Intune and Lookout

    November 9, 2019

    Manage Google Chrome settings with Microsoft Intune

    October 17, 2019

    Configure Windows 10 power settings using Microsoft Intune

    July 4, 2019
    View 2 Comments

    2 Comments

    1. Moe on January 27, 2020 22:18

      Well Done, thanks Peter!

      Reply
    2. Jeremy on September 25, 2022 08:39

      Is there any way to set this without a Security Baseline, I don’t like the excessive options that are set.

      Can’t find it in Settings Catalog, maybe a custom OMA policy?

      Reply
    Leave A Reply Cancel Reply

    Peter Klapwijk

    Hi! Welcome to my blog post.
    I hope you enjoy reading my articles.

    Hit the About Me button to get in contact with me or leave a comment.

    Awards
    Sponsor
    Latest Posts

    Hide the “Turn on an ad privacy feature” pop-up in Chrome with Microsoft Intune

    April 19, 2025

    How to set Google as default search provider with Microsoft Intune

    April 18, 2025

    Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs

    April 13, 2025

    Using Visual Studio with Microsoft Endpoint Privilege Management, some notes

    April 8, 2025
    follow me
    • Twitter 4.8K
    • LinkedIn 6.1K
    • YouTube
    Tags
    Administrative Templates Android Automation Autopilot Azure Azure AD Browser Conditional Access Edge EMS Exchange Online Feitian FIDO2 Flow Google Chrome Graph Graph API Identity Management Intune Intune Monitoring iOS KIOSK Logic Apps macOS MEM MEMMonitoring Microsoft 365 Microsoft Edge Microsoft Endpoint Manager Modern Workplace Office 365 OneDrive for Business Outlook Passwordless PowerApps Power Automate Security SharePoint Online Teams Windows Windows 10 Windows10 Windows 11 Windows Autopilot Windows Update
    Copy right

    This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors, or In The Cloud 24-7.

     

    Copyright © 2025 by In The Cloud 24-7/ Peter Klapwijk. All rights reserved, No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

    Shorthand; Don’t pass off my work as yours, it’s not nice.

    Recent Comments
    • Peter Klapwijk on Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs
    • John M on Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs
    • Christoffer Jakobsen on Connect to Azure file shares with Microsoft Entra Private Access
    • Ludo on How to block Bluetooth file transfer with Microsoft Intune
    • RCharles on Automatically configure the time zone (during Autopilot enrollment)
    most popular

    Application installation issues; Download pending

    October 1, 2024

    Restrict which users can logon into a Windows 10 device with Microsoft Intune

    April 11, 2020

    How to change the Windows 11 language with Intune

    November 11, 2022

    Update Microsoft Edge during Windows Autopilot enrollments

    July 9, 2024
    Peter Klapwijk – In The Cloud 24-7
    X (Twitter) LinkedIn YouTube RSS
    © 2025 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.

    Manage Cookie Consent
    To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
    View preferences
    {title} {title} {title}