With the August 2018 update for Microsoft Intune it is now possible to deploy Windows Hello for Business with a device configuration profile and assign it to a device or user group. This is perfect for a pilot deployment of Windows Hello: earlier it was only possible to set Windows Hello as a tenant-wide setting, so it was an all-or-nothing setting unless you did it with a custom profile.
I created this Intune UserVoice request back in March 2017. The main reason for that request was a cloud-only solution I had done at a school: when the students were Azure AD joining their devices, two-step verification was presented to the end user and they needed to confirm their identity with a phone call or a text message, which was not a great solution for students from grade 0 to grade 5.
Later on I have also found that when a Windows 10 device is hybrid Azure AD joined and co-managed with SCCM, Windows Hello and the two-step verification also kick in. If that is OK in the corporate environment then it is fine, but now we can do a pilot of Windows Hello instead of doing it as a tenant-wide setting.
How to set up a pilot with Windows Hello:
We need to start by turning off the tenant-wide setting if that is not already done. Start the Microsoft 365 Device Management admin center: https://devicemanagement.portal.azure.com
- Click Device enrollment
- Click Windows Enrollment
- Click Windows Hello for business
- Click default
- Click Settings
- Configure Windows Hello for Business: Disabled (by default it is enabled)
Note: if the setting is enabled at the tenant level it also works with Windows Autopilot, so if you disable it at the tenant level you may find that Windows Hello set-up no longer runs as part of the enrollment process for the device.
Now you need to create a new Windows Hello profile so that you can enable Windows Hello for a device or user group.
- Click Device Configuration
- Click Profile
- Click Create profile
- Enter a name for the profile
- Select platform: Windows 10 and later
- Select Profile type: Identity Protection
- Select Settings
- Configure Windows Hello for Business: Enable
- Minimum PIN length:
- Maximum PIN length:
- Lowercase letters in PIN: Allowed
- Uppercase letters in PIN: Allowed
- Special characters in PIN: Allowed
- PIN expiration (days): 365
- Remember PIN history: 3
- Enable PIN recovery: Enable
- Use a Trusted Platform Module (TPM): Enable *
- Allow biometric authentication: Enable
- Use enhanced anti-spoofing, when available: Enable
- Certificate for on-premise resources: Enable
These settings are what I normally use. You need to check whether they match your corporate security policies and adjust the profile so that they do.
Note: if TPM is set to Enable, the profile requires a TPM on the devices; a device without a TPM will not be able to provision Windows Hello for Business with this profile.
Then you are ready to assign the profile. You can assign it to groups of users or devices, and exclusion groups also work in this scenario.
Note: the new Windows Hello profile applies to end users at the next sync from their Windows device to Intune, not only at login.
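The whole pilot set-up above (check the tenant-wide setting, create the Identity Protection profile with the settings listed, assign it with an optional exclusion group) can also be scripted through Microsoft Graph instead of clicked through the portal. The script below is an added example and not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has `DeviceManagementConfiguration.ReadWrite.All`, and that the Intune resource types are the beta ones (`windowsIdentityProtectionConfiguration`, `deviceEnrollmentWindowsHelloForBusinessConfiguration`); the property names should be checked against the current Graph reference before use. The group ids are placeholders, and the PIN lengths are example values because the post leaves them blank.

```powershell
# Added example (not from the original post): script the Windows Hello pilot
# set-up through Microsoft Graph. Property names follow the beta Intune resource
# types as documented at the time of writing; verify them before running.
param(
    [string]$ProfileName      = 'WHfB pilot - Identity Protection',
    [string]$PilotGroupId     = '<object id of the pilot user or device group>',  # placeholder
    [string]$ExcludeGroupId   = '',   # optional exclusion group, placeholder
    [int]   $PinMinimumLength = 6,    # example value, the post leaves this blank
    [int]   $PinMaximumLength = 127   # example value, the post leaves this blank
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$beta = 'https://graph.microsoft.com/beta'

# 1. Check the tenant-wide Windows Hello for Business enrollment setting.
#    The pilot only isolates users if this is 'disabled'; otherwise every
#    enrolling device is prompted regardless of the profile created below.
$enroll = Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/deviceEnrollmentConfigurations"
$tenantWhfb = $enroll.value | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration'
}
foreach ($cfg in $tenantWhfb) {
    Write-Host ("Tenant-wide WHfB config '{0}': state={1}" -f $cfg.displayName, $cfg.state)
    if ($cfg.state -eq 'enabled') {
        Write-Warning 'Tenant-wide WHfB is still enabled; set it to Disabled before piloting.'
    }
}

# 2. Create the Identity Protection profile with the settings from the post.
$profileBody = @{
    '@odata.type'                                = '#microsoft.graph.windowsIdentityProtectionConfiguration'
    displayName                                  = $ProfileName
    description                                  = 'Windows Hello for Business pilot profile'
    windowsHelloForBusinessBlocked               = $false    # Configure WHfB: Enable
    pinMinimumLength                             = $PinMinimumLength
    pinMaximumLength                             = $PinMaximumLength
    pinLowercaseCharactersUsage                  = 'allowed'
    pinUppercaseCharactersUsage                  = 'allowed'
    pinSpecialCharactersUsage                    = 'allowed'
    pinExpirationInDays                          = 365
    pinPreviousBlockCount                        = 3         # Remember PIN history
    pinRecoveryEnabled                           = $true
    securityDeviceRequired                       = $true     # Use a TPM; devices without one will not provision
    unlockWithBiometricsEnabled                  = $true
    enhancedAntiSpoofingForFacialFeaturesEnabled = $true
    useCertificatesForOnPremisesAuthEnabled      = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/deviceConfigurations" `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Created profile $($created.id)"

# 3. Assign the profile to the pilot group; exclusion groups are honoured too.
$targets = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
)
if ($ExcludeGroupId) {
    $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $ExcludeGroupId } }
}
$assignBody = @{ assignments = $targets } | ConvertTo-Json -Depth 6
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignBody -ContentType 'application/json' | Out-Null
Write-Host "Assigned profile to group $PilotGroupId"
```

Step 1 is the check worth keeping even if you create the profile in the portal: with the tenant-wide setting still enabled, the pilot profile does not narrow who gets prompted, it only changes the PIN and TPM settings for the targeted group.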
Windows Hello User experience:
The end user will be presented with the three screens shown below. The end user needs to confirm with a phone call or a text message and then create a PIN on the device. The PIN is stored only on that device and cannot be used on other devices, so it is safer than a password.
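The two notes above (the profile needs a TPM when "Use a TPM" is enabled, and it only arrives at the next Intune sync) are the usual reasons a pilot user does not see the set-up screens. The script below is an added example, not code from the original post, for a help desk to run from an elevated prompt in the affected user's session on a pilot Windows 10 device: it checks the TPM, reads the join and Hello state from `dsregcmd /status`, and triggers an Intune sync. It assumes the device is Azure AD or hybrid joined and Intune enrolled, that the MDM client's `PushLaunch` scheduled task is present, and that the field names match what `dsregcmd /status` prints on current Windows 10 builds.

```powershell
# Added example (not from the original post): device-side readiness check for
# a Windows Hello for Business pilot. Run elevated, in the pilot user's session.

function Get-WhfbReadiness {
    $result = [ordered]@{}

    # "Use a Trusted Platform Module (TPM): Enable" in the profile requires a
    # TPM that is both present and ready; otherwise provisioning never starts.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # dsregcmd reports join state, whether a Hello key (NGC) is already set for
    # this user, and the result of the provisioning prerequisite check.
    # Assumption: field names as printed by dsregcmd /status on Windows 10.
    $status = dsregcmd /status
    foreach ($field in 'AzureAdJoined', 'DomainJoined', 'NgcSet', 'PreReqResult') {
        $line = $status | Select-String -Pattern "^\s*$field\s*:\s*(.+)$" | Select-Object -First 1
        $result.$field = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { 'n/a' }
    }
    [pscustomobject]$result
}

function Start-IntuneSync {
    # The profile is delivered on the next device-to-Intune sync, not at logon.
    # Starting the MDM client's PushLaunch task forces that sync now.
    $task = Get-ScheduledTask | Where-Object { $_.TaskName -eq 'PushLaunch' }
    if (-not $task) { throw 'No Intune enrollment task found; is the device enrolled?' }
    $task | Start-ScheduledTask
}

$r = Get-WhfbReadiness
$r | Format-List
if (-not ($r.TpmPresent -and $r.TpmReady)) {
    Write-Warning 'No usable TPM: a profile with "Use a TPM: Enable" will not provision Hello on this device.'
}
if ($r.NgcSet -eq 'YES') {
    Write-Host 'Windows Hello is already provisioned for this user.'
} else {
    Start-IntuneSync
    Write-Host 'Sync triggered; the Hello set-up screens appear at a sign-in after the profile has applied.'
}
```

`PreReqResult` is the quickest single field to read: it states whether the device will provision Hello for this user, and when it does not, the lines above it in the same `dsregcmd` section name the prerequisite that failed.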
Read more:
Integrate Windows Hello for Business with Microsoft Intune
How to setup Windows Hello for Business in the new Intune portal
I wonder, if you enable it under the Autopilot/device setting (tenant wide), will it prompt for Windows Hello for the devices which are already enrolled (which I want to allow)? I wanted to have Windows Hello as part of the OOBE (Autopilot); however, defining it as the identity policy is hit and miss. (Sometimes I have to reboot after first login to get the Windows Hello prompt.)