Forum Discussion
Windows Hello - optional
Good question. There are a few approaches beyond the Entitlement Management suggestion above:
1. The simplest option is to set the Windows Hello for Business policy to "Not configured" at the tenant level (Devices > Enrollment > Windows Hello for Business > set to Disabled at tenant level). Then create a targeted Identity Protection policy that enables it, and assign that policy only to your opt-in security group. Users not in the group simply will not be prompted.
2. If you want users to self-enrol without IT involvement, you can combine this with a self-service group in Entra ID. Create a Microsoft 365 or Security group with "Owners can manage membership" and allow users to request access. When they join the group, the Windows Hello policy applies automatically.
3. Another approach is to use device configuration profiles instead of the Identity Protection policy. Create a Settings Catalog profile with the Windows Hello settings, assign it to your opt-in group, and set the tenant-level WHfB to Disabled. This gives you more granular control over the PIN complexity, biometric settings, etc.
The key is making sure the tenant-wide setting is Disabled first; otherwise it forces WHfB on everyone regardless of your targeted policies.
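As an added example (not code from the original thread), a Microsoft Graph PowerShell check that lists the Windows Hello for Business enrollment configurations and flags whether the tenant-wide one is actually disabled, which is the precondition the reply above depends on. It assumes the Microsoft.Graph PowerShell SDK, the DeviceManagementServiceConfig.Read.All permission, and that the built-in tenant-wide configuration is the one with priority 0 (an assumption, labelled in the code).

```powershell
# Added example, not from the original post: audit the tenant-wide
# Windows Hello for Business enrollment setting via Microsoft Graph so you
# can confirm it is Disabled before relying on a targeted opt-in policy.
# Assumes the Microsoft.Graph SDK is installed and the signed-in account
# can consent to DeviceManagementServiceConfig.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

function Get-WhfbEnrollmentState {
    # Enrollment configurations are polymorphic; WHfB ones carry this OData type.
    $whfbType = '#microsoft.graph.windowsHelloForBusinessConfiguration'
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $found = @()
    do {
        # Follow @odata.nextLink so tenants with many configurations are fully read.
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $found += $page.value | Where-Object { $_.'@odata.type' -eq $whfbType }
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    # Assumption: the built-in tenant-wide configuration has priority 0;
    # targeted (group-assigned) configurations are given higher priorities.
    $found | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.displayName
            Priority    = $_.priority
            State       = $_.state        # notConfigured | enabled | disabled
            TenantWide  = ($_.priority -eq 0)
        }
    }
}

$configs = Get-WhfbEnrollmentState
$configs | Format-Table -AutoSize

$default = $configs | Where-Object TenantWide
if (-not $default) {
    Write-Warning 'No priority-0 WHfB configuration found; check the tenant default manually.'
} elseif ($default.State -ne 'disabled') {
    Write-Warning "Tenant-wide WHfB state is '$($default.State)': targeted opt-in policies will not limit the prompt to the opt-in group."
} else {
    Write-Host 'Tenant-wide WHfB is disabled; the targeted policies decide who is prompted.'
}
```

Run it again after creating the opt-in policy: the targeted configuration should appear with a higher priority and state `enabled`, while the priority-0 entry stays `disabled`.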