Update Windows Hello for Business policy hierarchy

windows/security/identity-protection/hello-for-business/configure.md

@@ -24,13 +24,20 @@ Some of the Windows Hello for Business policies are available for both computer
 - Windows Hello for Business policy settings are enforced using the following hierarchy:
   - User GPO
   - Computer GPO
-  - User MDM
+  - User MDM (PassportForWork CSP)
-  - Device MDM
+  - Device MDM (PassportForWork CSP)
-  - Device Lock policy
+  - Exchange Active Sync (DeviceLock CSP)
 
 >[!IMPORTANT]
 >All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
 
+<!--
+>[!IMPORTANT]
+>If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
+>
+>The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).
+-->
+
 >[!NOTE]
 > If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
 
@@ -72,8 +79,6 @@ There are different ways to enable and configure Windows Hello for Business in I
   - [Account protection policy][MEM-5]
   - [Identity protection policy template][MEM-6]
 
-[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
-
 ### Verify the tenant-wide policy
 
 To check the Windows Hello for Business policy settings applied at enrollment time:

windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md

@@ -1,11 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2024
-ms.topic: include
----
-
->[!IMPORTANT]
->If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
->
->The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).

windows/security/identity-protection/hello-for-business/policy-settings.md

@@ -38,8 +38,6 @@ Select one of the tabs to see the list of available settings:
 
 # [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
 
-[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
-
 |Setting Name|CSP|GPO|
 |-|-|-|-|
 |[Expiration](#expiration)|✅|✅|