From 7e7688e9d3ce844ea5a03c4d8c0b5eb8c8e2f3a8 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 12 Feb 2024 11:16:02 +0100
Subject: [PATCH] Add note-devicelock-csp include

---
 .../hello-for-business/configure.md                   |  2 ++
 .../includes/note-devicelock-csp.md                   | 11 +++++++++++
 .../hello-for-business/policy-settings.md             |  2 ++
 3 files changed, 15 insertions(+)
 create mode 100644 windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md

diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 7c498d0bb4..d4c47fb6cd 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -72,6 +72,8 @@ There are different ways to enable and configure Windows Hello for Business in I
   - [Account protection policy][MEM-5]
   - [Identity protection policy template][MEM-6]
 
+[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
+
 ### Verify the tenant-wide policy
 
 To check the Windows Hello for Business policy settings applied at enrollment time:
diff --git a/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md b/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md
new file mode 100644
index 0000000000..3b8bf1d30a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/note-devicelock-csp.md
@@ -0,0 +1,11 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+>[!IMPORTANT]
+>If you configure password lenght and complexity settings that are part of the [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock), and PIN lenght and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
+>
+>The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287).
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
index 050b2a862d..c8bc44dd24 100644
--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -38,6 +38,8 @@ Select one of the tabs to see the list of available settings:
 
 # [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
 
+[!INCLUDE [note-devicelock-csp](includes/note-devicelock-csp.md)]
+
 |Setting Name|CSP|GPO|
 |-|-|-|-|
 |[Expiration](#expiration)|✅|✅|