Account lockout threshold is not configured to lock out accounts after 20 failed logons
"Account lockout threshold": the number of failed logon attempts that cause a user account to be locked out. "Account lockout duration": the number of minutes a locked-out account stays locked before it is unlocked automatically. Attackers can try to guess the password or use brute-force attacks to crack it; a lockout threshold caps how many guesses can be made against an account before it is locked. To prevent this, the account lockout threshold must be configured to lock out accounts after 20 failed logon attempts.
Follow the steps below in Group Policy (GPO) to resolve the misconfiguration.
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "20" or fewer invalid logon attempts. Do not use "0": that value means accounts are never locked out, which is unacceptable.
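To verify the setting after applying the GPO, the following PowerShell script (an added example, not code from the Vulnerability Manager Plus documentation) exports the effective local security policy with `secedit.exe`, reads the `LockoutBadCount`, `LockoutDuration` and `ResetLockoutCount` values from the `[System Access]` section, and reports whether the threshold is within the required ceiling of 20. The `Get-LocalLockoutPolicy` and `Test-LockoutThreshold` function names and the `$MaxAllowedThreshold` variable are this example's own choices; the check treats a threshold of 0 (lockout disabled) as non-compliant.

```powershell
# Added example: audit the effective "Account lockout threshold" on a Windows host.
# Run from an elevated PowerShell prompt; secedit /export needs administrator rights.
# On a domain-joined machine the value comes from the domain's account lockout
# policy (Default Domain Policy), so fix it in GPO as described above, not locally.

$MaxAllowedThreshold = 20   # ceiling required by the check above (constructed constant)

function Get-LocalLockoutPolicy {
    # secedit writes the effective security policy as an INI-style .inf file
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $inf /areas SECURITYPOLICY
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $inf)) {
            throw "secedit export failed (exit code $LASTEXITCODE); run this elevated."
        }

        $values = @{}
        foreach ($line in Get-Content $inf) {
            # Lines of interest look like:  LockoutBadCount = 5
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }

        [pscustomobject]@{
            LockoutThreshold   = $values['LockoutBadCount']    # 0 = accounts are never locked out
            LockoutDurationMin = $values['LockoutDuration']    # -1 = locked until an admin unlocks
            ResetCounterMin    = $values['ResetLockoutCount']  # absent when lockout is disabled
        }
    }
    finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-LockoutThreshold {
    param([int]$Threshold, [int]$Max)
    # 0 disables lockout entirely, which the check above calls unacceptable
    if ($Threshold -le 0) { return $false }
    return ($Threshold -le $Max)
}

$policy    = Get-LocalLockoutPolicy
$compliant = Test-LockoutThreshold -Threshold $policy.LockoutThreshold -Max $MaxAllowedThreshold

$policy | Format-List
if ($compliant) {
    Write-Output "COMPLIANT: lockout threshold $($policy.LockoutThreshold) is within 1..$MaxAllowedThreshold."
} else {
    Write-Output "NON-COMPLIANT: lockout threshold $($policy.LockoutThreshold) must be 1..$MaxAllowedThreshold (0 disables lockout)."
}
```

After changing the GPO, run `gpupdate /force` on the host (or wait for the next policy refresh) and re-run the script; `LockoutBadCount` in the export should then show the new value, and `LockoutDuration` and `ResetLockoutCount` appear alongside it once lockout is enabled.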
Vulnerability Manager Plus helps you to monitor security configurations and resolve misconfigurations in your network systems from a centralized console.