diff --git a/.azdo/ci.yml b/.azdo/ci.yml
index 517abf335..796b4868c 100644
--- a/.azdo/ci.yml
+++ b/.azdo/ci.yml
@@ -10,13 +10,6 @@ pr:
 include:
 - latestw_all
-resources:
- repositories:
- - repository: ComplianceRepo
- type: github
- endpoint: ComplianceGHRepo
- name: PowerShell/compliance
-
 stages:
 - stage: Build
 displayName: Build Win32-OpenSSH
@@ -88,36 +81,6 @@ stages:
 Write-Host "##vso[artifact.upload containerfolder=$artifactName;artifactname=$artifactName;]$configFilePath"
 displayName: Upload Win32-OpenSSH build artifacts
-- stage: Compliance
- displayName: Compliance
- dependsOn: Build
- jobs:
- - job: ComplianceJob
- pool:
- vmImage: windows-latest
- steps:
- - checkout: self
- clean: true
- - checkout: ComplianceRepo
- clean: true
- - download: current
- artifact: 'Win32-OpenSSH'
- - template: ci-compliance.yml@ComplianceRepo
- parameters:
- # credscan
- suppressionsFile: ''
- # Documentation: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/security-analysis-report-build-task
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2
- continueOnError: true
- displayName: 'Guardian Export'
- inputs:
- GdnExportVstsConsole: true
- GdnExportSarifFile: true
- GdnExportHtmlFile: true
- GdnExportAllTools: false
- GdnExportGdnToolCredScan: true
- #this didn't do anything GdnExportCustomLogsFolder: '$(Build.ArtifactStagingDirectory)/Guardian'
-
 - stage: Test
 displayName: Test Win32-OpenSSH
 dependsOn: Build
diff --git a/contrib/win32/openssh/config.h.vs b/contrib/win32/openssh/config.h.vs
index 25a868e10..8f730c287 100644
--- a/contrib/win32/openssh/config.h.vs
+++ b/contrib/win32/openssh/config.h.vs
@@ -349,7 +349,7 @@
 /* #undef HAVE_DEV_PTS_AND_PTC */
 /* Define to 1 if you have the header file. */
-/* #undef HAVE_DIRENT_H
+/* #undef HAVE_DIRENT_H */
 /* Define to 1 if you have the `dirfd' function. */
 /* #undef HAVE_DIRFD */
diff --git a/contrib/win32/win32compat/win32_groupaccess.c b/contrib/win32/win32compat/win32_groupaccess.c
index 4d2faa402..4e84bad4c 100644
--- a/contrib/win32/win32compat/win32_groupaccess.c
+++ b/contrib/win32/win32compat/win32_groupaccess.c
@@ -248,18 +248,17 @@ ga_init(const char *user, gid_t base)
 if ((user_token = get_user_token(user_name, 0)) == NULL) {
 /*
- * TODO - We need to fatal() all the times when we fail to generate the user token.
+ * No fatal call here so experience when called by servconf parsing Match block
+ * is consistent for an invalid user (does not find password, but is not fatal yet)
+ * and a valid user without a token (ex: group policy forbidding login)
 */
- if (get_custom_lsa_package()) {
- error("%s, unable to resolve user %s", __func__, user_name);
- return 0;
- } else {
- fatal("%s, unable to resolve user %s", __func__, user_name);
- }
+ get_custom_lsa_package();
+ error("%s, unable to resolve user %s", __func__, user_name);
+ return 0;
 }
 /*
- * supposed to retun number of groups associated with user
+ * supposed to return number of groups associated with user
 * since we do lazy group evaluation, returning 1 here
 */
diff --git a/misc.c b/misc.c
index 813c2e65e..0e09d23ed 100644
--- a/misc.c
+++ b/misc.c
@@ -22,7 +22,9 @@
 #include
 #include
-//#include
+#ifndef WINDOWS
+#include
+#endif /* WINDOWS */
 #include
 #include
 #include
diff --git a/servconf.c b/servconf.c
index 44c0fe518..5affc02fa 100644
--- a/servconf.c
+++ b/servconf.c
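Review bot: In `ga_init` (win32_groupaccess.c), returning 0 on every token failure instead of calling `fatal()` makes this path only as safe as each caller's handling of a zero group count, and no caller is visible in the hunk. The new comment says the path is reached while servconf evaluates a Match block, so a user whose token cannot be built presumably now just fails to match a `Match Group` block, and any restriction placed in such a block then rests on the login being refused later. Worth confirming that refusal and recording the contract in the comment, e.g. `* Callers must treat 0 as "no group matches" and must never grant access on it.` The bare `get_custom_lsa_package();` now discards its result; if it is kept for a side effect say so in a comment, otherwise drop the call. `ga_init` starts before and continues after the hunk.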
@@ -1871,6 +1871,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 /* XXX appends to list; doesn't respect first-match-wins */
 parse_allowdenygroups:
 while ((arg = argv_next(&ac, &av)) != NULL) {
+ if (*arg == '\0')
+ fatal("%s line %d: empty %s pattern",
+ filename, linenum, keyword);
+ found = 1;
 #ifdef WINDOWS
 // it can be a SID string; if it is - use localized name for that SID
 PSID Sid = NULL;
@@ -1899,11 +1903,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 debug3_f("'%s' not recognized as SID", arg);
 }
 #endif // WINDOWS
- if (*arg == '\0' ||
- match_user(NULL, NULL, NULL, arg) == -1)
- fatal("%s line %d: empty %s pattern",
- filename, linenum, keyword);
- found = 1;
 if (!*activep)
 continue;
 opt_array_append(filename, linenum, keyword,
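Review bot: With the empty-pattern check moved above the `#ifdef WINDOWS` block in the `parse_allowdenygroups` loop, only the raw token is validated; whatever name the SID lookup substitutes for `arg` (the middle of that block lies between the two hunks and is not shown) reaches `opt_array_append` unchecked. If the lookup can yield an empty or unexpected name, an Allow/Deny entry would silently never match, so either re-test `*arg` after `#endif // WINDOWS` or state above the new check that the translated value is trusted, e.g. `/* checked before SID translation; the localized name is appended as-is */`. The later hunk also drops the `match_user(NULL, NULL, NULL, arg) == -1` test without a replacement; that looks right for a group list, but confirm no user-pattern keyword jumps to this label. The function starts before and continues past both hunks.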