I finally found the correct Value string for the OMA-URI on https://github.com/microsoft/osconfig/blob/main/security/SecurityBaseline_WindowsServer_2025-2409.csv (and there are a lot of other good settings there also) as the page at https://zcusa.951200.xyz/en-us/windows/client-management/mdm/policy-csp-devicelock is still missing this information as of December 2024. Note that you need Windows 11 24H2 / Server 2025 or later for this setting to actually take effect. You can validate the settings changes with the command "net accounts".
You would set it as follows in Intune as a Custom OMA-URI (the example below uses lockout values of a 15-minute duration and 10 invalid attempts):
Name: <Whatever you want to use here - I used DeviceLockAccountLockoutPolicy>
Description: <Whatever you want to use here - I referenced the GitHub URL above where I found the setting in the correct format plus some other notes>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy
Data type: String
Value (just paste this as-is - it is one long line unlike a MultiString - even if it does not look like it in the Value box in Intune):
AccountLockoutDuration:15, AccountLockoutThreshold:10, ResetAccountLockoutCounterAfter:15
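
One way to script the "net accounts" validation mentioned above, as an added PowerShell example that is not part of the original post. It assumes the English-language "net accounts" labels; the function name Compare-LockoutPolicy and the sample output are constructed for illustration.

```powershell
# Added example: compare the Intune value string with what 'net accounts' reports.
$value = 'AccountLockoutDuration:15, AccountLockoutThreshold:10, ResetAccountLockoutCounterAfter:15'

# English 'net accounts' label -> field name used in the Intune value string.
# Assumption: other display languages print different labels and need their own map.
$labelMap = @{
    'Lockout threshold'                    = 'AccountLockoutThreshold'
    'Lockout duration (minutes)'           = 'AccountLockoutDuration'
    'Lockout observation window (minutes)' = 'ResetAccountLockoutCounterAfter'
}

function Compare-LockoutPolicy {
    param(
        [Parameter(Mandatory)][string]$Value,
        [string[]]$NetAccountsOutput
    )
    # Parse "Name:Number, Name:Number" into a table of expected values.
    $expected = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $number = $pair -split ':', 2
        $expected[$name.Trim()] = [int]$number.Trim()
    }
    # Parse "Label:   value" lines; 'Never' is treated as 0 (assumption).
    $actual = @{}
    foreach ($line in $NetAccountsOutput) {
        $label, $text = $line -split ':', 2
        if ($null -eq $text -or -not $labelMap.ContainsKey($label.Trim())) { continue }
        $text = $text.Trim()
        $actual[$labelMap[$label.Trim()]] = if ($text -eq 'Never') { 0 } else { [int]$text }
    }
    # One row per expected setting; a missing or different value is a mismatch.
    foreach ($name in ($expected.Keys | Sort-Object)) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual[$name]
            Match    = $actual.ContainsKey($name) -and $actual[$name] -eq $expected[$name]
        }
    }
}

# Constructed sample of English 'net accounts' output (not captured from a real host).
$sample = @(
    'Lockout threshold:                                    10'
    'Lockout duration (minutes):                           30'
    'Lockout observation window (minutes):                 15'
    'The command completed successfully.'
)
Compare-LockoutPolicy -Value $value -NetAccountsOutput $sample | Format-Table
# On a managed device: Compare-LockoutPolicy -Value $value -NetAccountsOutput (net accounts)
```

A row with Match set to False means the device is still reporting a different value for that setting than the one in the Intune value string.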