Microsoft announced the configuration baseline settings draft release for Windows 10 v1903 (19H1) and Windows Server v1903, as well as the intention to drop password expiration policies starting with the Windows 10 May 2019 Update.
Once removed, the preset password expiration settings should be replaced by organizations with more modern and better password-security practices, such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous logon attempts, and the enforcement of banned-password lists (such as Azure AD’s password protection, currently available in public preview).
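Two of the controls listed above, a banned-password list check and detection of password-guessing attempts, are small enough to illustrate in code. The following is an added example written for this article; it is not Microsoft's, Azure AD's or NIST's implementation. The banned-term list, the character-substitution table, the minimum length of 12, the detection threshold and the failed-logon records are all constructed assumptions for the demonstration.

```python
"""Illustration of a banned-password check and a failed-logon burst detector.

Added example for this article; not Azure AD password protection's algorithm.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed banned-term list. A real deployment would use a much larger list
# (breached and common passwords plus organisation-specific terms).
BANNED_TERMS = {"password", "contoso", "welcome", "qwerty", "letmein"}

# Fold common substitutions back to letters so that "P@ssw0rd" still matches
# the banned term "password". This table is an assumption, not a standard.
_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                                "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(_SUBSTITUTIONS)


def banned_term_in(password: str, banned=BANNED_TERMS):
    """Return the first banned term (alphabetically) found inside the
    normalized password as a substring, or None if there is none."""
    norm = normalize(password)
    for term in sorted(banned):
        if term in norm:
            return term
    return None


def check_password(password: str, min_length: int = 12):
    """Return (accepted, reason). Assumed policy: a minimum length plus the
    banned-term substring check; no periodic expiration is involved."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    term = banned_term_in(password)
    if term:
        return False, f"contains banned term '{term}'"
    return True, "ok"


# Constructed failed-logon records, shaped like the key fields of a Windows
# "An account failed to log on" event: (timestamp, target account, source IP).
# Not real log data.
FAILED_LOGONS = [
    ("2019-05-01T10:00:01", "alice", "10.0.0.5"),
    ("2019-05-01T10:00:02", "alice", "10.0.0.5"),
    ("2019-05-01T10:00:04", "alice", "10.0.0.5"),
    ("2019-05-01T10:00:05", "alice", "10.0.0.5"),
    ("2019-05-01T10:00:07", "alice", "10.0.0.5"),
    ("2019-05-01T10:00:09", "alice", "10.0.0.5"),
    ("2019-05-01T09:15:00", "bob", "10.0.0.9"),    # two isolated typos, far apart
    ("2019-05-01T11:40:00", "bob", "10.0.0.9"),
]


def detect_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return the set of (account, source) pairs that accumulated at least
    `threshold` failed logons inside any sliding window of length `window`."""
    by_key = defaultdict(list)
    for ts, account, source in events:
        by_key[(account, source)].append(datetime.fromisoformat(ts))

    flagged = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2019!", "Welc0me!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
    print("password-guessing suspects:", detect_guessing(FAILED_LOGONS))
```

The substring match is deliberately broader than an exact-match blocklist: a password that merely embeds a banned term after a few substitutions is rejected, which is the kind of weakness a periodic-rotation policy never addressed. The detector groups failures by account and source so that a single burst stands out from the background of ordinary mistyped passwords; in practice the threshold and window would be tuned to the environment.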
However, as Redmond further explains, “While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.”
Back in 2016, the United States National Institute for Standards and Technology (NIST) also advised government organizations to remove password expiration policies and recommended forced password changes only after fraudulent activity is observed.
As detailed in the ‘Special Publication 800-63-3: Digital Authentication Guidelines’, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”