Hi there,
I suppose you can achieve your requirements by using a tenant-wide policy. You can create a tenant-wide policy that configures use of Windows Hello for Business on Windows 10/11 devices at the time those devices enroll with Intune.
If you choose not to configure a tenant-wide policy for Windows Hello for Business, you can use a device configuration Identity protection profile to configure groups of devices for Windows Hello.
Manage Windows Hello for Business on devices at the time devices enroll with Intune: https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello