From 0f0b2ef62bff29884f583bbbb0b3ab91580e2053 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 11 Jun 2024 14:04:45 -0400 Subject: [PATCH] WHfB updates --- .../identity-protection/hello-for-business/how-it-works.md | 5 +++++ .../identity-protection/hello-for-business/rdp-sign-in.md | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md index f08348d61a..95bc613cdc 100644 --- a/windows/security/identity-protection/hello-for-business/how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md @@ -227,6 +227,11 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2]. Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. +> [!NOTE] +> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on. +> +> To change a user's password, the device must be able to communicate with a domain controller. + ## Next steps > [!div class="nextstepaction"] diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index 72c3fffd3f..c8a7d312ad 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md @@ -1,7 +1,7 @@ --- title: Remote Desktop sign-in with Windows Hello for Business description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business. -ms.date: 04/23/2024 +ms.date: 06/11/2024 ms.topic: how-to --- 
@@ -273,6 +273,10 @@ While users appreciate the convenience of biometrics, and administrators value t For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates) +## Known issues + +There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions. + [MEM-1]: /mem/intune/protect/certificates-scep-configure
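Review bot: In the how-it-works.md hunk (@@ -227,6 +227,11 @@), the new note reads as contradicting the sentence directly above it, which says that changing a password "doesn't affect sign-in or unlock". Say what the "Windows Hello for Business cache" holds and what the user actually sees between the password change and the next sign-in, so the reader can tell whether Hello sign-in or unlock is affected. The second paragraph of the note ("To change a user's password, the device must be able to communicate with a domain controller") doesn't say whether it applies only to Microsoft Entra hybrid joined devices like the first paragraph, and "change the user's password" doesn't distinguish a user changing their own password from an administrator reset. Also consider "sign out and then sign in again" in place of "log off and then log back on", to match the "sign-in" wording used in the surrounding text.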
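Review bot: In the rdp-sign-in.md front matter hunk (@@ -1,7 +1,7 @@), ms.date is bumped to 06/11/2024, but how-it-works.md also gains user-facing content in this patch and its five added lines are all the new note, so its ms.date is left as it was. Update the date in how-it-works.md as well so both changed articles show the same freshness.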
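Review bot: In the rdp-sign-in.md hunk that adds "## Known issues" (@@ -273,6 +273,10 @@), the entry gives the reader too little to recognise or act on the problem. It doesn't say which component reports ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED or where the user sees it, which Windows versions or deployment types are affected, or whether any workaround exists while the issue is being investigated. Put the error string in inline code formatting so it is searchable and not mistaken for prose, and consider dating the entry, since "Microsoft is aware of this issue and investigating possible solutions" gives no indication of when it was written once the page ages.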