Account protection policy settings for endpoint security in Intune

View the settings you can configure in profiles for Account protection (preview), which is available through the Account protection policy for Intune Endpoint security.

The settings in this article apply to:

  • Windows 10
  • Windows 11

Supported platforms and profiles:

  • Windows 10 and later:
    • Profile: Account protection (Preview)


For Local user group membership profiles, see Manage local groups on Windows devices.

For Local admin password solution (Windows LAPS) profiles, see Manage LAPS policy.

Account protection profile

Account protection

  • Block Windows Hello for Business

    Windows Hello for Business is an alternative method for signing into Windows by replacing passwords, Smart Cards, and Virtual Smart Cards.

    • Not configured (default) - Devices provision Windows Hello for Business.
    • Disabled - Devices provision Windows Hello for Business. With this configuration, more settings are available that support configurations for PIN, Trusted Platform Module (TPM), and more.
    • Enabled - Devices don't provision Windows Hello for Business for any user


Due to how Intune determines the scope and applicability of Windows Hello for Business policy, the device may log Event ID 454 as a result of applying policy. This can be safely ignored when policy is being successful applied (and enforced).

  • Enable to use security keys for sign-in

    Enable Windows Hello security key as a sign-in credential for all PCs in the tenant.

    • Not configured (default)
    • Yes
  • Turn on Credential Guard
    CSP: DeviceGuard

    Credential Guard uses Windows Hypervisor to provide protections. Credential Guard requires hardware support for Secure Boot and DMA protections. This setting is only successful on devices that meet the hardware requirements.

    • Not configured (default) - Disable the use of Credential Guard, which is the Windows default.
    • Enable with UEFI lock - Enable Credential Guard and block it from being turned off remotely, as the UEFI persisted configuration must be manually cleared.
    • Enable without UEFI lock - Enable Credential Guard and allow it to be turned off without physical access to the machine.

Next steps

Endpoint security policy for Account protection