From 76a1a78899f4f14af0caa4ad18efd3fb9fa2524e Mon Sep 17 00:00:00 2001
From: Mark Renoden <markreno@microsoft.com>
Date: Fri, 10 Jun 2022 11:10:50 +1000
Subject: [PATCH] Update hello-hybrid-cloud-trust.md

Adding a clarification for the 2016+ Domain Controller requirements.
---
 .../hello-for-business/hello-hybrid-cloud-trust.md              | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index a86fb2633a..cfc435c989 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -48,6 +48,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec
 
 More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview).
 
+If using the hybrid cloud trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Read-Write Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
+
 ## Prerequisites
 
 | Requirement | Notes |