Merge pull request #9935 from MicrosoftDocs/main

Publish main to live, Wednesday 3:30PM PDT, 06/12

windows/security/identity-protection/hello-for-business/how-it-works.md

@@ -227,6 +227,17 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2].
 
 Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
 
+However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options:
+
+- Disable password expiration for the user accounts
+- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings.md?tabs=pin#expiration)
+- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by:
+  - Using the <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> > **Change a password** option
+  - Sign in with their password. If the password must be changed, Windows prompts the user to update it
+
+> [!IMPORTANT]
+> To change a user's password, the device must be able to communicate with a domain controller.
+
 ## Next steps
 
 > [!div class="nextstepaction"]

windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md

@@ -16,16 +16,6 @@ Select the option *Don't start Windows Hello provisioning after sign-in* when yo
 - If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
 - If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in
 
-:::row:::
-:::column span="1":::
-:::image type="content" source="../../../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
-:::column-end:::
-:::column span="3":::
-> [!IMPORTANT]
->This policy setting is available via CSP only for [Windows Insider Preview builds](/windows-insider/).
-:::column-end:::
-:::row-end:::
-
 |  | Path |
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork) <br><br> `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)|

windows/security/identity-protection/hello-for-business/rdp-sign-in.md

@@ -1,7 +1,7 @@
 ---
 title: Remote Desktop sign-in with Windows Hello for Business
 description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 06/11/2024
 ms.topic: how-to
 ---
 
@@ -273,6 +273,10 @@ While users appreciate the convenience of biometrics, and administrators value t
 
 For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates)
 
+## Known issues
+
+There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`. Microsoft is investigating possible solutions.
+
 <!-- links -->
 
 [MEM-1]: /mem/intune/protect/certificates-scep-configure