From e285d10d0093503e4ebcbe11b9149f05c3bcb7e3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Jun 2023 17:24:52 -0400 Subject: [PATCH] update to cert doc --- .../hello-for-business/hello-deployment-rdp-certs.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 0b255e1d93..e9aeb46f9f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -5,7 +5,7 @@ ms.collection: - ContentEngagementFY23 - tier1 ms.topic: article -ms.date: 03/15/2023 +ms.date: 06/20/2023 --- # Deploy certificates for remote desktop (RDP) sign-in @@ -88,8 +88,11 @@ Follow these steps to create a certificate template: ## Deploy certificates via Intune -> [!NOTE] +> [!CAUTION] > This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune. +> +> If you deploy certificates via Intune and configure Windows Hello for Business via group policy, the devices will fail to obtain a certificate, logging the error code `0x82ab0011` in the `DeviceManagement-Enterprise-Diagnostic-Provider` log.\ +> To avoid the error, configure Windows Hello for Business via Intune instead of group policy. Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
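Review bot: In the second hunk (under `## Deploy certificates via Intune`), changing the callout marker from `[!NOTE]` to `[!CAUTION]` also turns the unchanged applicability sentence ("This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices ...") into a caution, which it is not. Keep that sentence in its own `[!NOTE]` callout and put the new `0x82ab0011` text in a separate `[!CAUTION]` callout, so the warning stands out and the scope statement stays informational. The trailing `\` after "log." forces a line break inside the callout, while the line above it uses an empty `>` line as a separator. Pick one convention, or merge the symptom and the remedy into a single paragraph. The new text names the `DeviceManagement-Enterprise-Diagnostic-Provider` log but does not say which group policy setting conflicts with the Intune certificate deployment. If that is known, stating it would let an administrator check a device's configuration before enrollment fails rather than diagnosing it from the error code afterwards.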