Microsoft published a new draft release of the security configuration baseline settings for both Windows 10 version 1903 and Windows Server version 1903.
Download here: Windows-10-1903-Security-Baseline-DRAFT (direct download link from Microsoft). It includes GPO backups, GPO reports, scripts to apply settings to local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and recommended settings, etc.
One of the noticeable change is the Dropping of the Password-Expiration Policies that require periodic password changes. Why?
Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.
In addition, Microsoft is considering dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. The Guest account is disabled by default on both Windows 10 and Windows Server while the built-in administrator account is only disabled on Windows 10 but not on Windows Server.