While corporations can continue to set password rotation controls in Windows 10 v1903, that option is being changed in group security policies to no longer be the “default”, as shared below.

https://www.forbes.com/sites/daveywinder/2019/04/27/microsoft-confirms-change-to-windows-10-passwords-that-nobody-saw-coming/

It would appear that, with the arrival of the Windows 10 May update, Microsoft is finally no longer going to be amongst that latter group. According to Aaron Margosis, a principal consultant with Microsoft, Windows 10 will no longer recommend “ancient and obsolete” periodic password expiration in the security baseline settings starting with the May update. While being most welcome, it has to be said that nobody I have spoken to in the information security business saw that coming. Not least as the arguments for password expiration have been comprehensively dismantled for some years now, yet Microsoft has not shown any inclination to jump from this particular sinking security ship.

The security baseline configuration has been part of the Windows tuning. Yet, as Margosis writes, “recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and multi-factor authentication.”

The United States National Institute for Standards and Technology (NIST) has been recommending that password expiration be dropped from security policy since 2016. Now it seems that Microsoft has finally caught up and will be dropping the requirement starting from Windows 10 (1903) and Windows Server (1903) onward. This makes perfect sense to me as someone who has been following information security trends for the best part of three decades.

It also isn’t stopping organizations from configuring password expiration if they must, for regulatory compliance reasons, for example. “The password-expiration security option is still in Windows and will remain there,” Margosis says, adding, “by removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance.”
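Since the setting stays in Windows and the choice is now the organization's, a quick way for an administrator to see what the domain actually enforces today is below. This is an added example, not code from the article or from Microsoft's baseline tooling; it assumes the RSAT ActiveDirectory PowerShell module and a domain-joined account with read access.

```powershell
# Added audit example (not from the Forbes article or Microsoft's baseline tooling).
# Assumes the RSAT ActiveDirectory module and a domain-joined, read-capable account.
Import-Module ActiveDirectory

# Default Domain Policy: MaxPasswordAge is a TimeSpan; a zero TimeSpan means passwords never expire.
$default = Get-ADDefaultDomainPasswordPolicy
[PSCustomObject]@{
    Scope          = 'Default Domain Policy'
    MaxPasswordAge = $default.MaxPasswordAge
    Expires        = ($default.MaxPasswordAge -gt [TimeSpan]::Zero)
    MinLength      = $default.MinPasswordLength
    History        = $default.PasswordHistoryCount
    Lockout        = $default.LockoutThreshold
}

# Fine-grained password policies (PSOs) override the default for the groups or users they
# apply to, so an expiration decision made at the domain level can still be undone per group.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [PSCustomObject]@{
        Scope          = $_.Name
        MaxPasswordAge = $_.MaxPasswordAge
        Expires        = ($_.MaxPasswordAge -gt [TimeSpan]::Zero)
        MinLength      = $_.MinPasswordLength
        History        = $_.PasswordHistoryCount
        Lockout        = $_.LockoutThreshold
        AppliesTo      = ($_.AppliesTo -join ';')
    }
}
```

The output shows, per policy scope, whether expiration is still in force, so the result can be compared against whatever the organization has decided (compliance-driven expiration, or banned-password lists plus MFA instead).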