Disable windows hello for a existing devices but enable with oobe for new users

Question

Disable windows hello for a user group
I do have a question around windows hello for business and autopilot/endpoint manager

1> whfb currently disabled at Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business.

2> There are about 200 devices currently in intune (aad/intune managed). - windows hellow shouldn't be enable

3> new set of devices needs windows hello enable

4> indetity policy define to enable whfb under device configuration and targeted the new group which needs whfb enable

5> the policy dosent always apply as part of oobe (needs atleast one reboot) - mixed results mostly apply after first reboot (not part of oobe)

The best way to apply whfb is to apply at windows enrollment however will it impact the 200 devices which are already in intune. i do not want those devices to be enabled with windows hello (but new devices to get whfb as part of oobe)

based on

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization

Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy.
wonder if I configure as below will it impact the existing devices

1> enable whfb in windows enrolment (tenant settings)

2> disable whfb using the identity policy (device configuration) targetted for the old 200 devices & 200 users

Answer 1

I blogged about this a while ago although my requirement was the opposite. However you can modify the configuration to suit yours based on the details covered in blog post here. how-to-block-windows-hello-for-business.html

Answer 2

The simpliest way is to use exclude group in whfb config profile. You dont need to enable whfb for autopilot.