diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 2e2b5f172a..0f92c2bbd8 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -39,6 +39,9 @@ The **Maximum password age** policy setting determines the period of time (in da Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources. +> [!NOTE] +> Security baseline recommended by Microsoft doesn't contain the password-expiration policy, as this mitigation is less effective than modern ones. However, companies that didn't implement Azure AD Password Protection, multifactor authentication or other modern mitigations of password-guessing attacks, should leave this policy effective. + ### Location **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**
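Review bot: The added note contradicts the sentence directly above it, which still tells readers to "Set **Maximum password age** to a value between 30 and 90 days", so the page now gives two conflicting recommendations without saying which applies when. Either qualify that sentence (for example "If you do enforce expiration, set ...") or move the baseline statement ahead of it so the reader sees the condition first. The note's wording also needs tightening: "Security baseline recommended by Microsoft doesn't contain the password-expiration policy" reads better as "The Microsoft security baseline no longer includes a password-expiration setting"; "modern ones" should name what it refers to (modern mitigations); and "should leave this policy effective" should be "should keep this policy enabled". Finally, "Azure AD Password Protection" and "multifactor authentication" are the alternatives the note relies on, so link them to their own docs pages rather than leaving them as bare names, and consider citing the baseline announcement so the claim about the baseline is verifiable.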