Windows Hello - optional

No, Intune does not currently allow Windows Hello for Business to be made truly “optional” at the organizational level. You can either enforce it for all targeted users/devices or disable it entirely. The only way to approximate “optional” is by scoping policies to specific security groups, so only those users who want Windows Hello are targeted.

Why It’s Not Optional by Default

• Intune’s “Configure Windows Hello for Business” policy is designed as an enforcement mechanism. Once applied, users are required to set up Windows Hello during sign-in or enrollment.
• There is no built-in toggle for “optional”—Microsoft’s design assumes organizations either want password less authentication everywhere or not at all.
• Even if you disable tenant-wide enrollment, the options for licensed users often remain greyed out, meaning they cannot self-enable without policy assignment.

Workarounds

1. Security Group Targeting (your current setup)
• Continue assigning the Windows Hello policy only to the group of users who request it.
• This effectively makes it “opt-in,” since only those in the group are prompted.
2. Do Not Assign Tenant-Wide Policy
• Avoid configuring Windows Hello at the tenant-wide enrollment level.
• Instead, use Endpoint Security > Account Protection or the Settings Catalog to scope policies narrowly.
3. Communicate Self-Service Options

• Users outside the targeted group cannot enable Windows Hello themselves if no policy is assigned.
• If you want broader adoption, you’ll need to expand the group or create a second “opt-in” group.