When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. Countermeasure: Enable this setting. Potential Impact: Users must change their device password with the frequency specified. Fix: (1) GPO: Computer ConfigurationAdministrative TemplatesLAPSDo not allow password expiration time longer than required by policy (2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoft ServicesAdmPwd!PwdExpirationProtectionEnabled

[enabled/disabled]

(1) GPO: Computer Configuration\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd!PwdExpirationProtectionEnabled