Update Windows Hello for Business policy hierarchy

Paolo Matarazzo
2024-02-12 11:49:59 +01:00
parent 7e7688e9d3
commit 68bf101664
3 changed files with 10 additions and 18 deletions


@ -24,13 +24,20 @@ Some of the Windows Hello for Business policies are available for both computer
- Windows Hello for Business policy settings are enforced using the following hierarchy:
- User GPO
- Computer GPO
- User MDM
- Device MDM
- Device Lock policy
- User MDM (PassportForWork CSP)
- Device MDM (PassportForWork CSP)
- Exchange Active Sync (DeviceLock CSP)
>[!IMPORTANT]
>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
<!--
>[!IMPORTANT]
>If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
>
>The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).
-->
>[!NOTE]
> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
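
Review bot: the block wrapped in `<!-- -->` keeps the old statement that Windows "enforces the strictest policy out of the set of governing policies", which contradicts the note directly above it saying the PassportForWork CSP values "take precedence over any complexity rules" set via EAS or the DeviceLock CSP. Delete the old text instead of commenting it out (it also still carries the "lenght" typo), so the source holds one statement of the rule. Two smaller points in the hierarchy list: "Exchange Active Sync" should match the "Exchange ActiveSync (EAS)" spelling used in the note, and the lead sentence should say whether the entries run from highest to lowest precedence, since a reader setting PIN complexity needs to know which entry wins.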
@ -72,8 +79,6 @@ There are different ways to enable and configure Windows Hello for Business in I
- [Account protection policy][MEM-5]
- [Identity protection policy template][MEM-6]
[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
### Verify the tenant-wide policy
To check the Windows Hello for Business policy settings applied at enrollment time:
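
Review bot: with the `note-devicelock-csp` include dropped after the Intune policy list, this section no longer tells the reader how DeviceLock CSP password settings interact with the PIN policy. Consider a one-line link from here to the precedence note in the policy hierarchy section, so an admin who configures Windows Hello for Business through Intune still sees that PassportForWork CSP values override DeviceLock complexity rules.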


@ -1,11 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 01/03/2024
ms.topic: include
---
>[!IMPORTANT]
>If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
>
>The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).
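
Review bot: deleting the include file is only safe if nothing else references `includes/note-devicelock-csp.md`; this commit removes two `[!INCLUDE ...]` lines, so search the rest of the docset for the same path before merging, otherwise the build will break on a missing include. The link to the Exchange ActiveSync Policy Engine overview also disappears from published content with this file; if it is still useful, carry it into the new note rather than leaving it only inside a comment.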


@ -38,8 +38,6 @@ Select one of the tabs to see the list of available settings:
# [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
|Setting Name|CSP|GPO|
|-|-|-|-|
|[Expiration](#expiration)|✅|✅|
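
Review bot: the table directly under the removed include has a three-column header (`|Setting Name|CSP|GPO|`) but a four-column separator row (`|-|-|-|-|`); since this hunk already touches the lines above the table, fix the separator to `|-|-|-|` so the column count matches. The PIN settings tab also loses its only mention of the DeviceLock CSP with this removal, so a short pointer to the precedence note would help readers who land on this tab first.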