diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 7936af83fa..a1df8320f4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -4,6 +4,7 @@ description: This article is a troubleshooting guide for known Windows Hello for ms.date: 06/02/2023 ms.topic: troubleshooting --- + # Windows Hello for Business known deployment issues The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business. @@ -67,10 +68,10 @@ The issue can be identified using network traces or Kerberos logging from the cl Log Name: Microsoft-Windows-Kerberos/Operational Source: Microsoft-Windows-Security-Kerberos Event ID: 107 -GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} +GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} Task Category: None Level: Error -Keywords: +Keywords: User: SYSTEM Description: @@ -133,7 +134,7 @@ Date: Event ID: 362 Task Category: None Level: Warning -Keywords: +Keywords: User: Computer: Description: @@ -146,7 +147,7 @@ Local computer meets Windows hello for business hardware requirements: Yes User is not connected to the machine via Remote Desktop: Yes User certificate for on premise auth policy is enabled: Yes Enterprise user logon certificate enrollment endpoint is ready: Not Tested -Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) +Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) User has successfully authenticated to the enterprise STS: No Certificate enrollment method: enrollment authority See https://go.microsoft.com/fwlink/?linkid=832647 for more details. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 0ccfdacaac..2c3b021381 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -2,7 +2,7 @@ title: Windows Hello errors during PIN creation description: When you set up Windows Hello, you may get an error during the Create a work PIN step. ms.topic: troubleshooting -ms.date: 04/24/2023 +ms.date: 01/26/2024 --- # Windows Hello errors during PIN creation 
@@ -28,12 +28,12 @@ If the error occurs again, check the error code against the following table to s | Hex | Cause | Mitigation | | :--------- | :----------------------------------------------------------------- | :------------------------------------------ | -| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Microsoft Entra ID and rejoin. | +| 0x80090005 | NTE_BAD_DATA | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x8009000F | The container or key already exists. | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x80090011 | The container or key was not found. | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | -| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. | -| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | +| 0x8009002A | NTE_NO_MEMORY | Close programs which are taking up memory and try again. | +| 0x80090031 | NTE_AUTHENTICATION_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | | 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. | | 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. | | 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation​. | 
@@ -53,11 +53,11 @@ If the error occurs again, check the error code against the following table to s | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.

-or-

Token was not found in the Authorization header.

-or-

Failed to read one or more objects.

-or-

The request sent to the server was invalid.

-or-

User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | -| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. +| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| +| 0x801C0451 | User token switch account. 
| Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| | 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -70,9 +70,9 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0X80072F0C | Unknown | | 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.| | 0x80090010 | NTE_PERM | -| 0x80090020 | NTE\_FAIL | +| 0x80090020 | NTE_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | -| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x8009002D | NTE_INTERNAL_ERROR | | 0x801C0001 | ADRS server response is not in a valid format. | | 0x801C0002 | Server failed to authenticate the user. | | 0x801C0006 | Unhandled exception from server. | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 350c47024f..f1666e6453 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -4,6 +4,7 @@ description: Learn how to configure single sign-on to on-premises resources for ms.date: 12/30/2022 ms.topic: how-to --- + # Configure single sign-on for Microsoft Entra joined devices [!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)] 
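Review bot: The unchanged context row for 0x801C03ED still says "unjoin the device from Azure AD and rejoin" while every other mitigation in this table has been renamed to "Microsoft Entra ID"; since this hunk already touches the 0x801C03F2 and 0x801C0451 rows, update that wording to "unjoin the device from Microsoft Entra ID and rejoin" for consistency. Also, the replacement row `+| 0x801C0451 | User token switch account.` appears split from its mitigation cell `| Delete the Web Account Manager token broker files ...` in this view; confirm the row is a single physical line in the file, otherwise the Markdown table stops rendering at that row.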
@@ -65,7 +66,7 @@ Use this set of procedures to update the CA that issues domain controller certif You need to host your new certificate revocation list on a web server so Microsoft Entra joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point. > [!IMPORTANT] -> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. +> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. ### Install the web server @@ -119,7 +120,7 @@ These procedures configure NTFS and share permissions on the web server to allow > [!Tip] > Make sure that users can access **\\\Server FQDN\sharename**. -### Disable Caching +### Disable Caching 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server) 1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing** 1. Select **Caching**. Select **No files or programs from the shared folder are available offline** 
@@ -190,7 +191,7 @@ Validate the new CRL distribution point is working. #### Reissue domain controller certificates -With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. +With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. 1. Sign-in a domain controller using administrative credentials 1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer diff --git a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/exclude-credential-providers-properties.png b/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/exclude-credential-providers-properties.png deleted file mode 100644 index 21329d0ffa..0000000000 Binary files a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/exclude-credential-providers-properties.png and /dev/null differ diff --git a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-exclude-credential-providers.png deleted file mode 100644 index fd9085fbd1..0000000000 Binary files a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-exclude-credential-providers.png and /dev/null differ 
diff --git a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-require-smart-card-policy.png deleted file mode 100644 index 1ec0fe5a29..0000000000 Binary files a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/gpmc-require-smart-card-policy.png and /dev/null differ diff --git a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/require-whfb-smart-card-policy.png b/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/require-whfb-smart-card-policy.png deleted file mode 100644 index 5935422718..0000000000 Binary files a/windows/security/identity-protection/passwordless-strategy/images/passwordless-strategy/require-whfb-smart-card-policy.png and /dev/null differ diff --git a/windows/security/identity-protection/passwordless-strategy/index.md b/windows/security/identity-protection/passwordless-strategy/index.md index 24d7e1de6f..91cb4a5cb7 100644 --- a/windows/security/identity-protection/passwordless-strategy/index.md +++ b/windows/security/identity-protection/passwordless-strategy/index.md @@ -140,7 +140,7 @@ The journey to password freedom is to take each work persona through each step o - Awareness campaign and user education - Include remaining users who fit the work persona - Validate that **none of the users** of the work personas need passwords -- Configure user accounts to disallow password authentication +- Configure user accounts to prevent password authentication :::column-end::: :::row-end::: diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-2.md b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md index 62cbfe3cba..cb4c006a21 100644 --- a/windows/security/identity-protection/passwordless-strategy/journey-step-2.md 
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md @@ -2,7 +2,7 @@ title: Reduce the user-visible password surface area description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey. ms.topic: concept-article -ms.date: 12/13/2023 +ms.date: 01/26/2024 --- # Reduce the user-visible password surface area 
@@ -26,13 +26,13 @@ ms.date: 12/13/2023 Now is the time to learn more about the targeted work persona. You should have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The goal is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: -| :ballot_box_with_check: | Question | +| | Question | |--|--| -| :black_square_button: | *What's the name of the application that asked for a password?* | -| :black_square_button: | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* | -| :black_square_button: | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* | -| :black_square_button: | *How frequently do you use the application in a given day or week?* | -| :black_square_button: | *Is the password you type into the application the same as the password you use to sign-in to Windows?* | +| **πŸ”²** | *What's the name of the application that asked for a password?* | +| **πŸ”²** | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* | +| **πŸ”²** | *What part of their workflow makes them use the application? Try to be as specific as possible. 
For example, "I use application x to issue credit card refunds for amounts over y."* | +| **πŸ”²** | *How frequently do you use the application in a given day or week?* | +| **πŸ”²** | *Is the password you type into the application the same as the password you use to sign-in to Windows?* | Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless. @@ -82,7 +82,7 @@ To learn more, see [Windows passwordless experience](../passwordless-experience/ The *Exclude credential providers* policy setting can be used to disable the password credentail provider. When configured, Windows disables the possibility to uyse passwords for *all accounts*, including local accounts. It also prevents the use of passwords for RDP and *Run as* authentication scenarios. This policy setting might impact support scenarios, such as when a user needs to sign in with a local account to troubleshoot a problem. For this reason, carefully evaluate all scenarios before enabling it. - GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Exclude credential providers** -- CSP: ``./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders) +- CSP: `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders) The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. 
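Review bot: The new checkbox cells render as mojibake (`**πŸ”²**`) in this diff, which is what a UTF-8 emoji looks like when the file is read as a single-byte code page; confirm the file is saved as UTF-8 (with the emoji intact) before merging, and consider whether the `**` bold around a single emoji adds anything. While touching the hunk at `@@ -82,7 +82,7 @@`, fix the two typos in its unchanged context lines: "password credentail provider" should be "password credential provider" and "the possibility to uyse passwords" should be "the possibility to use passwords". The backtick fix for the CSP path is correct.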
@@ -100,6 +100,6 @@ This stage is the significant moment. You have identified password usage, develo ## Next steps > [!div class="nextstepaction"] -> Congratulations! You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success. +> You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success. > > [Step 3: transition into a passwordless deployment >](journey-step-3.md) diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md index e3c99b53da..3fd4ac2275 100644 --- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md 
@@ -28,6 +28,9 @@ In this last step, you're going to include the remaining users that fit the targ An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. +> [!TIP] +> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails). + ## Include remaining users that fit the work persona You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment. 
@@ -38,47 +41,31 @@ You've successfully transitioned all users for the targeted work persona to bein Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions: -| :ballot_box_with_check: | Question | +| | Question | |--|--| -| :black_square_button: | *Is the reporting user performing a task outside the work persona?* | -| :black_square_button: | *Is the reported issue affecting the entire work persona, or only specific users?* | -| :black_square_button: | *Is the outage a result of a misconfiguration?* | -| :black_square_button: | *Is the outage an overlooked gap from step 2?* | +| **πŸ”²** | *Is the reporting user performing a task outside the work persona?* | +| **πŸ”²** | *Is the reported issue affecting the entire work persona, or only specific users?* | +| **πŸ”²** | *Is the outage a result of a misconfiguration?* | +| **πŸ”²** | *Is the outage an overlooked gap from step 2?* | Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. 
-## Configure user accounts to disallow password authentication +## Configure user accounts to prevent password authentication -You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +You transitioned all the users for the targeted work persona to a passwordless environment and you've successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password. ### Password scrambling -If your users are defined in Active Directory, you can scramble their password to a random value. +While you can't completely remove the password from the user's account, you can prevent the user from using the password to authenticate. The easiest and most effective approach is to set the password to a random value. This approach prevents the user from knowing the password and using it to authenticate, but it allows the user to reset the password whenever needed. -### Password expiration +> [!TIP] +> Enable [Microsoft Entra self-service password reset (SSPR)](/entra/identity/authentication/tutorial-enable-sspr) to allow the users to reset their password. Once implemented, users can sign in to their Windows devices using Windows Hello for Business or a FIDO2 security key, and reset their password from https://aka.ms/sspr. Combine it with [password writeback](/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback) to have the password reset synchronized to your on-premises Active Directory. -The users are effectively password-less because: +If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. 
This configuration prevents the user from being prompted to change their password. -- They don't know their password -- The user isn't asked to change their password -- Domain controllers don't allow passwords for interactive authentication - -#### Prompt user to change password before expiration - -Determines how far in advance (in days) users are warned that their password is about to expire. When you set the policy setting to zero, there is no password expiration warning when the user logs on. - -- GPO: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Interactive logon: Prompt user to change password before expiration** -- CSP: `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`[InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_promptusertochangepasswordbeforeexpiration) - -### Password rotation - -### Cloud-only users - -If your users are defined in Microsoft Entra ID and not synchronized from Active Directory (cloud-only), you can use the Microsoft Graph API to change the user's password to a random value. - -The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId. +The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId agains Microsoft Entra ID. Modify the **userId** variable of the script to match your environment (first line), and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with a role capable of resetting passwords. ```azurepowershell-interactive 
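Review bot: The section heading is still "Configure user accounts to prevent password authentication", but the rewritten body no longer describes preventing the authenticating authority from accepting passwords (that sentence and the bullet "Domain controllers don't allow passwords for interactive authentication" are removed) and the new text explicitly says the password cannot be removed and the user may reset it; either rename the heading to match (for example "Configure user accounts to remove password knowledge") or keep one sentence stating that the password remains a valid credential and the scramble only removes the user's knowledge of it, so readers do not assume password attacks are blocked. Also fix the typo in the added line "sets it for the user specified in the variable name $userId agains Microsoft Entra ID" ("against").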
@@ -96,7 +83,7 @@ function Generate-RandomPassword{ $index = $random.Next(0, $chars.Length) $password += $chars[$index] } - return $password + return $password } Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force @@ -113,3 +100,35 @@ $passwordParams = @{ Reset-MgUserAuthenticationMethodPassword @passwordParams ``` +A similar script can be used to reset the password against Active Directory. Modify the **samAccountName** variable of the script to match your environment (first line), and then run it in a PowerShell session. + +```PowerShell +$samAccountName = + +function Generate-RandomPassword{ + [CmdletBinding()] + param ( + [int]$Length = 64 + ) + $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.<>/?\|`~" + $random = New-Object System.Random + $password = "" + for ($i = 0; $i -lt $Length; $i++) { + $index = $random.Next(0, $chars.Length) + $password += $chars[$index] + } + return $password +} + +$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force + +Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset +``` + +### Password rotation + +Consider implementing automation to rotate the user's password on a regular basis. This approach ensures that the user's password is always randomized and prevents the user from knowing the password. + +## Next steps + +Microsoft is working hard to make the passwordless journey easier for you. We're working on new features and capabilities to help you transition to a passwordless environment, and to achieves the long-term security promise of a truly passwordless environment. Check back often to see what's new.
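Review bot: The new Active Directory script declares `$samAccountName =` at the top but the final line calls `Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset`, so `$userId` is never set and the command fails (or, if `$userId` is left over in the session from the Entra script above, resets the wrong account); change it to `-Identity $samAccountName`. Two further points on the same hunk: `Generate-RandomPassword` uses `New-Object System.Random`, which is not a cryptographic RNG, so a password meant to be unguessable should draw indices from `[System.Security.Cryptography.RandomNumberGenerator]::Create()` (via `GetBytes`) instead, and since this is the same helper duplicated verbatim from the Entra script, fixing it in one place and reusing it would keep the two in sync. The double-quoted `$chars` string ends in `` `~ ``, where the backtick is PowerShell's escape character and is consumed, so the literal backtick never enters the alphabet; a single-quoted string avoids that. Mention that `Set-ADAccountPassword` requires the ActiveDirectory RSAT module on the machine running the script. Finally, in the "Next steps" paragraph "to achieves the long-term security promise" should read "to achieve".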