Merge branch 'MicrosoftDocs:main' into zwhitt-microsoft-cg-patch1

windows/security/identity-protection/hello-for-business/deploy/index.md

@@ -1,7 +1,7 @@
 ---
 title: Plan a Windows Hello for Business Deployment
 description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 03/12/2024
+ms.date: 05/16/2024
 ms.topic: concept-article
 ---
 
@@ -151,14 +151,16 @@ The goal of Windows Hello for Business is to move organizations away from passwo
 || Deployment model | MFA options |
 |--|--|--|
 | **🔲** | **Cloud-only** | Microsoft Entra MFA |
-| **🔲** | **Cloud-only** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation |
+| **🔲** | **Cloud-only** | Non-Microsoft MFA, via external authentication method in Microsoft Entra ID or federation |
 | **🔲** | **Hybrid** | Microsoft Entra MFA |
-| **🔲** | **Hybrid** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation|
+| **🔲** | **Hybrid** | Non-Microsoft MFA, via external authentication method in Microsoft Entra ID or federation|
 | **🔲** | **On-premises** | AD FS MFA adapter |
 
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].
+For more information:
 
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+- [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]
+- [Configure Azure MFA as authentication provider with AD FS][SER-1]
+- [Manage an external authentication method in Microsoft Entra ID][ENTRA-11]
 
 #### MFA and federated authentication
 
@@ -298,6 +300,7 @@ Now that you've read about the different deployment options and requirements, yo
 [ENTRA-8]: /entra/identity/conditional-access/overview
 [ENTRA-9]: /entra/identity/authentication/concept-mfa-licensing
 [ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
+[ENTRA-11]: /entra/identity/authentication/how-to-authentication-external-method-manage
 
 [SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
 [SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -495,7 +495,7 @@ Connector group automatically round-robin, load balance the Microsoft Entra appl
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Under **MANAGE**, select **Application proxy**
 1. Select **Download connector service**. Select **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain
@@ -506,7 +506,7 @@ Sign-in a workstation with access equivalent to a *domain user*.
 1. Start **AADApplicationProxyConnectorInstaller.exe**
 1. Read the license terms and then select **I agree to the license terms and conditions**. Select **Install**
    ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
-1. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**
+1. Sign-in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
    ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
 1. When the installation completes. Read the information regarding outbound proxy servers. Select **Close**
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
@@ -516,7 +516,7 @@ Sign-in a workstation with access equivalent to a *domain user*.
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Under **MANAGE**, select **Application proxy**.
 
@@ -533,7 +533,7 @@ Sign-in a workstation with access equivalent to a *domain user*.
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Under **MANAGE**, select **Application proxy**
 1. Select **Configure an app**
@@ -692,7 +692,7 @@ Optionally (not required), you can configure the Intune connector for certificat
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Select **Groups**. Select **New group**
 1. Select **Security** from the **Group type** list

windows/security/identity-protection/hello-for-business/how-it-works.md

@@ -227,6 +227,17 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2].
 
 Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
 
+However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options:
+
+- Disable password expiration for the user accounts
+- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings.md?tabs=pin#expiration)
+- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by:
+  - Using the <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> > **Change a password** option
+  - Sign in with their password. If the password must be changed, Windows prompts the user to update it
+
+> [!IMPORTANT]
+> To change a user's password, the device must be able to communicate with a domain controller.
+
 ## Next steps
 
 > [!div class="nextstepaction"]

windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md

@@ -16,16 +16,6 @@ Select the option *Don't start Windows Hello provisioning after sign-in* when yo
 - If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
 - If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in
 
-:::row:::
-:::column span="1":::
-:::image type="content" source="../../../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
-:::column-end:::
-:::column span="3":::
-> [!IMPORTANT]
->This policy setting is available via CSP only for [Windows Insider Preview builds](/windows-insider/).
-:::column-end:::
-:::row-end:::
-
 |  | Path |
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork) <br><br> `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)|

windows/security/identity-protection/hello-for-business/pin-reset.md

@@ -49,7 +49,7 @@ To register the applications, follow these steps:
 
 :::row:::
   :::column span="3":::
-  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
+  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pin-reset/pin-reset-service-prompt.png" lightbox="images/pin-reset/pin-reset-service-prompt.png" border="true":::
@@ -57,7 +57,7 @@ To register the applications, follow these steps:
 :::row-end:::
 :::row:::
   :::column span="3":::
-  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
+  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pin-reset/pin-reset-client-prompt.png" lightbox="images/pin-reset/pin-reset-client-prompt.png" border="true":::

windows/security/identity-protection/hello-for-business/rdp-sign-in.md

@@ -1,7 +1,7 @@
 ---
 title: Remote Desktop sign-in with Windows Hello for Business
 description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 06/11/2024
 ms.topic: how-to
 ---
 
@@ -273,6 +273,10 @@ While users appreciate the convenience of biometrics, and administrators value t
 
 For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates)
 
+## Known issues
+
+There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`. Microsoft is investigating possible solutions.
+
 <!-- links -->
 
 [MEM-1]: /mem/intune/protect/certificates-scep-configure