I'd like to deploy Windows Hello for Business to one user

Matthew Lewis 0 Reputation points
2025-02-28T16:30:27.4633333+00:00

Hello and good morning. I'd like to allow one user to use Windows Hello for Business.
Currently it's disabled company-wide.
I am nervous about enabling Windows Hello for Business because I'm unable to change who this should apply to at the same time that I enable it.

Microsoft Security | Intune | Enrollment

2 answers

  1. Jose Benjamin Solis Nolasco 3,511 Reputation points
    2025-03-01T15:00:27.97+00:00

    Good morning! I understand your concern about enabling Windows Hello for Business (WHfB) company-wide when you only want it for one user. Here's how you can approach this carefully:

    Create a Security Group: Set up a security group specifically for the user(s) you want to enable WHfB for. This will allow you to apply policies to just that group.

    Exclude the Group from the Global Policy: If WHfB is currently disabled globally, you can exclude this new group from the global policy. This ensures that the global "disabled" setting won't apply to the users in this group.

    Apply a New Policy to the Group: Create a new policy that enables WHfB and assign it only to the security group you created. This way, only the users in this group will have WHfB enabled.

    Test on a Single Device: Before rolling it out, test the configuration on a single device to ensure everything works as expected.

    Monitor and Adjust: Once you're confident the setup is working, you can add more users to the group if needed.

    If you're using tools like Microsoft Intune, you can configure WHfB policies through the Configuration Profiles. Alternatively, for Active Directory environments, you can use Group Policy Objects (GPOs) to manage these settings.

    1. Create a Security Group

    You’ll need to create a security group in your directory to target policies for a specific user or set of users.

    **In Azure AD (for Intune-managed environments)**:

    - Log in to the Azure Portal.
    - Navigate to **Azure Active Directory** > **Groups**.
    - Click **New Group**.
      - Group type: **Security**
      - Group name: Something like “WHfB Users.”
      - Membership type: **Assigned** (so you can add specific users manually).
    - Add the user(s) you want to enable WHfB for.
    - Save the group.

    **In Active Directory (On-Premises)**:

    - Open the **Active Directory Users and Computers** console.
    - Right-click on the desired Organizational Unit (OU) or domain, then choose **New > Group**.
      - Group type: **Security.**
      - Group scope: **Global.**
      - Group name: Something like “WHfB Users.”
    - Add your user(s) to this group.

    2. Exclude This Group from the Global “Disable WHfB” Policy

    If Windows Hello for Business is globally disabled, you'll need to exclude your newly created group from the global "disable" policy.

    **In Microsoft Intune**:

    - Go to Microsoft Intune Admin Center > Endpoint Security > Identity Protection.
    - Open the existing policy that disables WHfB.
    - Go to **Assignments** > **Excluded Groups**.
    - Add the “WHfB Users” group you created earlier to the exclusion list.
    - Save the changes.

    **In Group Policy (for Active Directory-managed environments)**:

    - Open the **Group Policy Management Console (GPMC)**.
    - Locate the GPO that disables WHfB and edit it.
    - Go to **Security Filtering**.
    - Add the “WHfB Users” group to the **Deny** list for this GPO.

    3. Create a New Policy to Enable WHfB for the User(s)

    Now, you need to create a separate policy to enable WHfB and assign it to the security group.

    **In Microsoft Intune**:

    - Go to Intune Admin Center > Devices > Configuration profiles.
    - Click **Create profile**.
      - Platform: **Windows 10 and later**.
      - Profile type: **Identity Protection**.
    - Configure **Windows Hello for Business** settings:
      - **Enable Windows Hello for Business**: Yes.
      - Configure additional settings like PIN complexity and biometric options as needed.
    - Under **Assignments**, assign the policy to the “WHfB Users” group.
    - Save and deploy the policy.

    **In Group Policy (On-Premises)**:

    - Open **GPMC** and create a new GPO.
    - Edit the GPO and navigate to:

      ```
      Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business
      ```

    - Enable the following settings:
      - **Use Windows Hello for Business**: Set to **Enabled**.
      - Configure additional options for PIN and biometric usage.
    - Apply this GPO only to the “WHfB Users” group (through security filtering).

    4. Test on a Single Device

    Before rolling this out widely, test your configuration:

    - Log in to a device as the user for whom you’ve enabled WHfB.
    - Ensure that the WHfB setup prompt appears, and verify the PIN or biometric functionality.

    5. Monitor and Adjust

    - In Intune: Use the Monitor tab for your configuration profile to ensure it is successfully applied to the target user.
    - In Group Policy: Run `gpresult` or check the Group Policy Results Wizard to verify that the correct GPO is applied.

    By creating targeted policies and exclusions, you can enable WHfB for just one user while keeping it disabled for the rest of the company. If you’d like even more details on any of these steps, let me know, and I’ll dive deeper!

    I hope this helps. Let me know if you have any further questions or need additional assistance.

    "If This Answered Your Question, Consider Marking It as Solved"

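An added example (my own, not code from this answer or from Microsoft) that scripts the on-premises path of steps 1, 3 and 5 above with the ActiveDirectory and GroupPolicy modules, so the scope stays at exactly one group. The group name, pilot account, OU and GPO name are placeholders, and step 2 (excluding the group from the existing disable GPO) is left to GPMC as described; note that it sets the User Configuration copy of "Use Windows Hello for Business", because security filtering by a user group only governs user-side settings.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Placeholders: replace with your own group, pilot account, OU and GPO name.
$GroupName = 'WHfB Users'
$PilotUser = 'pilot.user'
$TargetOU  = 'OU=Staff,DC=corp,DC=example'          # OU holding the pilot user account
$GpoName   = 'WHfB - Enable (pilot group only)'

function Set-WhfbPilot {
    # Step 1: Global security group containing only the pilot user(s).
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -Path $TargetOU
    }
    Add-ADGroupMember -Identity $GroupName -Members $PilotUser

    # Step 3: dedicated GPO that turns WHfB on. It sets the User Configuration copy of
    # "Use Windows Hello for Business" (HKCU\...\PassportForWork\Enabled = 1): security
    # filtering by a user group governs user-side settings only, so the Computer
    # Configuration copy would not apply under a user-group filter without loopback.
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key 'HKCU\SOFTWARE\Policies\Microsoft\PassportForWork' `
        -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

    # Security filtering: drop "Authenticated Users" from Apply to Read (Read must stay,
    # since MS16-072 computer accounts retrieve user policy and need to read the GPO),
    # then grant Apply to the pilot group alone. Everyone else keeps the company-wide setting.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

function Test-WhfbPilot {
    # Step 5: run on the pilot device while signed in as the pilot user. Expect the GPO
    # under "Applied Group Policy Objects" and Enabled = 1; a non-pilot user on the same
    # device should show neither, which confirms the scope really is one group.
    gpupdate /target:user /force | Out-Null
    gpresult /r /scope:user
    Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' -Name Enabled
}
```

Run `Set-WhfbPilot` from an admin workstation with RSAT, then `Test-WhfbPilot` on the pilot device as the pilot user.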

  2. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2025-03-03T06:59:41.96+00:00

    @Matthew Lewis, thanks for posting in Q&A. I agree with Jose: we can create a user group and add this user to it, or create a device group that contains only the testing device, to apply the policy. For the company-wide policy to disable Windows Hello for Business, if it is set via Windows enrollment, it only applies at enrollment time; we can create a new policy to enable Windows Hello for Business via a configuration policy and assign it to the group we create.

    If the company-wide policy to disable Windows Hello for Business is set under one of the above policies, we can exclude the user group or device group from that policy and set an enable policy for this group.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

