This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hello, what is the difference between configuring Windows Hello in the Device Enrollment stack and through Configuration Policy.
As far as I understand, only that the policy can be applied to devices. And Enrollemt will be applied to users, no matter what device it runs on, i.e. at the organizational level.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Mountain Pond,Thanks for posting in Q&A.
From your description, I know you want to know the difference in Windows Hello settings in Device Enrollment and through Configuration Policy.
Based on my research, here are some differences between Windows Hello settings in Device Enrollment and through Configuration Policy.
1.Windows Hello for Business settings in Device enrollment is only available during device enroll in Intune and also support Windows Autopilot out-of-box-experience, but Windows Hello for Business through configuration policy is available after device enrollment.
2.Windows Hello for Business settings in Device enrollment is available for All users which means it will apply to your entire organization, but Windows Hello for Business through configuration policy available for both devices group and users' group. When you assign it to device group, all users get prompt to configure WHfB at first-time log on to the device, if you assign it to user group, the targeted user didn’t get WHfB prompt at first log on, until the WHfB policy is synced.
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
https://msendpointmgr.com/2022/09/04/manage-windows-hello-for-business-whfb-with-intune/
Non-official, just for reference.
Hope above information can help you.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.