password expiration issue

Paolo Matarazzo 2024-06-12 08:02:07 -04:00
parent 0f0b2ef62b
commit 67e65b672c
2 changed files with 10 additions and 4 deletions

@ -227,9 +227,15 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2].
Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
> [!NOTE]
> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on.
>
However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options:
- Disable password expiration for the user accounts
- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings?tabs=pin#expiration)
- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by:
- Using the <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> > **Change a password** option
- Sign in with their password. If the password must be changed, Windows prompts the user to update it
> [!IMPORTANT]
> To change a user's password, the device must be able to communicate with a domain controller.
## Next steps
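Review bot: In the third bullet, "Users can reset their password by:" says "reset" while both sub-items and the IMPORTANT note describe changing a password, and the two sub-items are not grammatically parallel ("Using the ... option" versus "Sign in with their password"). Suggest "Users can change their password by:" followed by "Using the Ctrl + Alt + Del > **Change a password** option" and "Signing in with their password. If the password must be changed, Windows prompts the user to update it". Also in this hunk: "To mitigate the issue consider" needs a comma after "issue", the first two bullets are missing the terminal punctuation the third one uses, and the PIN expiration link is inline while the surrounding context uses reference-style links such as [ENTRA-2]. Since "Disable password expiration for the user accounts" is listed first, it reads as the preferred option; consider ordering the options by recommendation or saying explicitly that they are alternatives.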

@ -275,7 +275,7 @@ For more information, see [Use Windows Hello for Business certificates as smart
## Known issues
There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions.
There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`. Microsoft is investigating possible solutions.
<!-- links -->
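Review bot: The reworded sentence under "Known issues" is unrelated to the password expiration change named in the commit title, so it should go in its own commit or at least be mentioned in the commit message. On the content itself, the entry still gives the reader nothing to act on after seeing `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`: if a workaround or a list of affected configurations exists, add it here, otherwise say that no workaround is currently available.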