diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index 95bc613cdc..fc2d4b3ddf 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -227,9 +227,15 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2].
Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
-> [!NOTE]
-> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on.
->
+However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options:
+
+- Disable password expiration for the user accounts
+- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings?tabs=pin#expiration)
+- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by:
+ - Using the Ctrl + Alt + Del > **Change a password** option
+ - Sign in with their password. If the password must be changed, Windows prompts the user to update it
+
+> [!IMPORTANT]
> To change a user's password, the device must be able to communicate with a domain controller.
## Next steps
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index c8a7d312ad..97e372d620 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -275,7 +275,7 @@ For more information, see [Use Windows Hello for Business certificates as smart
## Known issues
-There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions.
+There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`. Microsoft is investigating possible solutions.