Update AD-FS-FAQ.yml for SID extension

WindowsServerDocs/identity/ad-fs/overview/AD-FS-FAQ.yml

@@ -456,3 +456,13 @@ sections:
 
         answer: |
           Yes, but only in Windows Server 2019 or later. AD FS supports Proof Key for Code Exchange (PKCE) for the OAuth Authorization Code Grant flow.
+
+      - question: |
+           How do I get the security identifier (SID) extension in certificates enrolled via AD FS to satisfy the strong mapping criteria enforced at the Key Distribution Center (KDC)?
+
+        answer: |
+          AD FS enrolls for logon certificates on behalf of authenticated accounts under certain Windows Hello For Business scenarios, as documented here - [Configure single sign-on for Azure Virtual Desktop using AD FS](https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-adfs-sso)
+          By default, these certificates do not contain SID extension and will be denied by KDC. For more information about the KDC requirements, [see KB5014754: Certificate-based authentication changes on Windows domain controllers](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16)
+          Updates are now available for AD FS on Windows Server 2019, Windows Server 2022, and Windows Server 2025 to ensure that issued certificates include the SID extension to satisfy strong mapping requirements.
+          To enable this behavior, install the latest Windows Updates on all AD FS servers of the farm, and run the following cmdlet on the primary AD FS server:
+            - Set-AdfsCertificateAuthority -EnrollmentAgent -AddSIDCertificateExtension $true