diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 8765cbc8c3..95583c6427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud - Using cloud trust for "Run as" - Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +> [!NOTE] +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\). + ## Deployment Instructions Deploying Windows Hello for Business cloud trust consists of two steps: @@ -256,4 +261,4 @@ Windows Hello for Business cloud trust cannot be used as a supplied credential w ### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust? -No, only the number necessary to handle the load from all cloud trust devices. \ No newline at end of file +No, only the number necessary to handle the load from all cloud trust devices.
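Review bot: The distinguished name in the first hunk's NOTE is truncated: `(CN=AzureADKerberos,OU=Domain Controllers,\)` ends in a stray backslash where the domain components belong, so a reader cannot locate the object; write it with an explicit placeholder, e.g. `CN=AzureADKerberos,OU=Domain Controllers,DC=<domain>,DC=<tld>`. The same NOTE tells admins to modify `msDS-NeverRevealGroup` without stating what the change does: that attribute is what stops the Azure AD Kerberos server object from obtaining Kerberos tickets for the listed groups (Domain Admins, Enterprise Admins, Protected Users and similar), so removing a group from it widens the set of accounts the cloud trust path can authenticate and should be documented as a deliberate risk decision, with the usual recommendation of using separate, non-privileged accounts for daily sign-in rather than unblocking high-privilege ones. Two wording points: "sign high privilege accounts on to on-premises resources" reads awkwardly ("sign in high-privilege accounts to on-premises resources"), and "Cloud Trust" / "Computer object" should match the lowercase "cloud trust" and "computer object" used elsewhere in this file.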