Hello,
After deletion by Microsoft Identity Protection configuration template in July, what is the way to block Windows Hello for Business for all users and then enable it for only one group?
Previously, it was "Configure Windows Hello for Business" with Enable/Disable options.
In Endpoint security > Account protection I don't see this option.
It's not in the settings catalog either (Devices > Configuration > Policies).
You might have to push registry settings to enable it by users.
Make sure the enrollment there is set to what you want for the device, too.
Hi Artur,
Thank you for posting in the Q&A Forums.
Using Group Policy
If your environment is based on Active Directory, you can manage the enabling and disabling of Windows Hello Enterprise via Group Policy.
Steps:
Open the Group Policy Management Editor (gpedit.msc).
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (note that the path may be slightly different depending on the Windows version, but roughly similar).
Find the relevant policy setting, such as “Enable Windows Hello for Business” or similar, and set it to “Disabled” to prevent all users from using it.
Next, in order to enable Windows Hello for Business for just one specific group, you may need to create a new Group Policy Object (GPO) and link it to the OU (Organizational Unit) that contains that user group.
In the new GPO, enable the appropriate Windows Hello Enterprise policy settings.
Using Microsoft Intune or Endpoint Manager
If your organization uses a modern management solution such as Microsoft Intune or Endpoint Manager, you can configure policies using these tools.
Steps:
Log in to the Microsoft Endpoint Manager management portal.
Navigate to the Device Configuration or Policies section.
Create a new profile, selecting Windows 10 and later as the target platform.
In the profile, find the settings related to Windows Hello Enterprise and set it to Allow only specific groups.
Assign this policy to the Azure AD group that contains the target user group.
Best regards
NeuviJ
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
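Whichever route is used (a Group Policy baseline plus a group-scoped GPO, an Intune profile, or pushed registry settings as suggested above), the result on the endpoint is a policy registry value, so it is worth verifying on a test device that the "blocked for everyone" baseline and the one-group exception actually landed. The following PowerShell is an added example, not code from the thread; it assumes the "Use Windows Hello for Business" policy is stored as the DWORD value `Enabled` under `Software\Policies\Microsoft\PassportForWork` (HKLM for device scope, HKCU for user scope), with 1 meaning enabled, 0 disabled and an absent value meaning not configured.

```powershell
# Added example: audit the Windows Hello for Business policy state on a device.
# Assumption: the policy is the DWORD "Enabled" under
# Software\Policies\Microsoft\PassportForWork (HKLM = device scope, HKCU = user scope).
function Get-WhfbPolicyState {
    [CmdletBinding()]
    param()

    $scopes = [ordered]@{
        Device = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
        User   = 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork'
    }

    foreach ($scope in $scopes.Keys) {
        $path  = $scopes[$scope]
        $state = 'NotConfigured'
        if (Test-Path -Path $path) {
            # -ErrorAction SilentlyContinue: the key may exist without the "Enabled" value
            $item = Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state = if ($item.Enabled -eq 1) { 'Enabled' } else { 'Disabled' }
            }
        }
        [pscustomobject]@{ Scope = $scope; Path = $path; State = $state }
    }
}

# Compare the state that GPO/Intune should have produced with what is really on the box.
function Test-WhfbExpectedState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$Expected,

        [ValidateSet('Device', 'User')]
        [string]$Scope = 'Device'
    )

    $actual = (Get-WhfbPolicyState | Where-Object { $_.Scope -eq $Scope }).State
    if ($actual -ne $Expected) {
        Write-Warning "Windows Hello for Business $Scope policy is '$actual', expected '$Expected'."
        return $false
    }
    return $true
}

# Usage: on a device outside the allowed group the baseline should read Disabled;
# on a member of the allowed group the scoped policy should read Enabled.
Get-WhfbPolicyState | Format-Table -AutoSize
Test-WhfbExpectedState -Expected 'Disabled' -Scope 'Device'
```

Run it as the signed-in user (HKCU is per user) after a `gpupdate /force` or an Intune sync so the output reflects the current policy rather than a stale one.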