From 0f0b2ef62bff29884f583bbbb0b3ab91580e2053 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 11 Jun 2024 14:04:45 -0400 Subject: [PATCH 1/4] WHfB updates --- .../identity-protection/hello-for-business/how-it-works.md | 5 +++++ .../identity-protection/hello-for-business/rdp-sign-in.md | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md index f08348d61a..95bc613cdc 100644 --- a/windows/security/identity-protection/hello-for-business/how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md @@ -227,6 +227,11 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2]. Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. +> [!NOTE] +> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on. +> +> To change a user's password, the device must be able to communicate with a domain controller. + ## Next steps > [!div class="nextstepaction"] diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index 72c3fffd3f..c8a7d312ad 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md @@ -1,7 +1,7 @@ --- title: Remote Desktop sign-in with Windows Hello for Business description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business. -ms.date: 04/23/2024 +ms.date: 06/11/2024 ms.topic: how-to --- 
@@ -273,6 +273,10 @@ While users appreciate the convenience of biometrics, and administrators value t For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates) +## Known issues + +There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions. + [MEM-1]: /mem/intune/protect/certificates-scep-configure From 67e65b672c8bad54b1d9eb821a5d99630300cacf Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 12 Jun 2024 08:02:07 -0400 Subject: [PATCH 2/4] password expiration issue --- .../hello-for-business/how-it-works.md | 12 +++++++++--- .../hello-for-business/rdp-sign-in.md | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md index 95bc613cdc..fc2d4b3ddf 100644 --- a/windows/security/identity-protection/hello-for-business/how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md 
@@ -227,9 +227,15 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2]. Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. -> [!NOTE] -> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on. -> +However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options: + +- Disable password expiration for the user accounts +- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings?tabs=pin#expiration) +- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by: + - Using the Ctrl + Alt + Del > **Change a password** option + - Sign in with their password. If the password must be changed, Windows prompts the user to update it + +> [!IMPORTANT] > To change a user's password, the device must be able to communicate with a domain controller. ## Next steps diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index c8a7d312ad..97e372d620 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md 
@@ -275,7 +275,7 @@ For more information, see [Use Windows Hello for Business certificates as smart ## Known issues -There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions. +There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`. Microsoft is investigating possible solutions. From 55e9a1d73b8641c3324464093facab67215aa001 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 12 Jun 2024 08:29:34 -0400 Subject: [PATCH 3/4] removed insider note for disablepostlogonprovisioning --- .../includes/use-windows-hello-for-business.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md index d850382fae..34185c8503 100644 --- a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md +++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md 
@@ -16,16 +16,6 @@ Select the option *Don't start Windows Hello provisioning after sign-in* when yo - If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in - If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in -:::row::: -:::column span="1"::: -:::image type="content" source="../../../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: -:::column-end::: -:::column span="3"::: -> [!IMPORTANT] ->This policy setting is available via CSP only for [Windows Insider Preview builds](/windows-insider/). -:::column-end::: -:::row-end::: - | | Path | |--|--| | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork)

`./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)| From 2a90f96c3588b750e94c8801dbf094627d2e7367 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 12 Jun 2024 13:14:02 -0400 Subject: [PATCH 4/4] updates --- .../identity-protection/hello-for-business/how-it-works.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md index fc2d4b3ddf..659f4a0e25 100644 --- a/windows/security/identity-protection/hello-for-business/how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md 
@@ -230,7 +230,7 @@ Changing a user account password doesn't affect sign-in or unlock, since Windows However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options: - Disable password expiration for the user accounts -- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings?tabs=pin#expiration) +- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings.md?tabs=pin#expiration) - If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by: - Using the Ctrl + Alt + Del > **Change a password** option - Sign in with their password. If the password must be changed, Windows prompts the user to update it
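Review bot: In the PATCH 1 hunk for how-it-works.md, the added note says "the Windows Hello for Business cache is invalidated" without saying which cache is meant or why this only applies to Microsoft Entra hybrid joined devices, so a reader can't tell what actually stops working until the user signs out and back in. PATCH 2 then deletes the same two lines again; either squash the two commits or keep the hybrid-join statement and fold it into the new paragraph, because as written the PR history adds and withdraws a claim with no explanation in either commit message.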
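Review bot: The "Known issues" section added to rdp-sign-in.md in PATCH 1 does not say where `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED` surfaces or what "via RDP" covers: is the failing handshake the RDP connection itself, or a TLS 1.3 client-authentication handshake performed inside the remote session with the redirected Hello certificate? Add one sentence of scope, state whether TLS 1.2 client authentication with the same certificate works as a workaround, and put the error string in code formatting (PATCH 2 does the latter).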
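Review bot: In the PATCH 2 hunk for how-it-works.md, the bullet "As an alternative to password expiration policies, consider adopting PIN expiration policies" reads as if the two are interchangeable, but the paragraph just above says Hello sign-in uses a key or certificate rather than the password, so rotating the PIN does nothing to the password that still authenticates the user to Active Directory-protected resources; say explicitly what a PIN expiration rotates and that the password stays as it is. The sub-bullets under "Users can reset their password by:" are not parallel ("Using ... > **Change a password** option" vs "Sign in with their password"), and Ctrl + Alt + Del > Change a password is a change, not a reset. Suggest:
- Pressing Ctrl + Alt + Del and selecting **Change a password**
- Signing in with their password instead of Windows Hello; if a change is required, Windows prompts for it
Also drop "then" in "when users are required to change their password ..., then they won't be notified", add a comma after "To mitigate the issue", and the link `policy-settings?tabs=pin#expiration` is missing `.md` (fixed in PATCH 4, which should be squashed into this commit).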
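Review bot: In the PATCH 3 hunk for use-windows-hello-for-business.md, removing the Insider-only callout leaves the `DisablePostLogonProvisioning` CSP path with no statement of which Windows release supports it. When a preview caveat is dropped it should be replaced by the minimum OS version, or a pointer to the applicability information in the linked CSP reference, rather than by nothing; otherwise an administrator on an older build pushes the policy and silently gets the default provisioning behaviour. The table row also appears to pack two CSP paths into one cell; one path per row would let each policy be referenced on its own.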
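Review bot: The PATCH 4 fix (`policy-settings?tabs=pin#expiration` to `policy-settings.md?tabs=pin#expiration`) corrects a link introduced in PATCH 2 of this same PR; squash it into that commit so the intermediate history doesn't carry a broken relative link.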