Forum Discussion
Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Managed to shed some light on this.
In short, ignore the WHFB settings in Intune unless the device is MDM enrolled and managed by Intune. Essentially this was associated with a group policy via on-premises AD which was already in place for the AD forest/domain.
There was a COMPUTER GP in place which set "Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Enabled. I imagine that somebody switched it to Enabled thinking that would be nice to have.
After enabling HAADJ, a device was becoming hybrid joined, and the subsequent login (from a synced AD user) resulted in a WHFB Set-Up PIN prompt.
If the "Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business" setting had been set to Not Configured, this wouldn't have arisen as an issue.
As a note, once we had set "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Disabled, that took priority over the Computer Configuration policy and the WHFB prompt didn't show.
So the lesson learnt is to check those GP settings in on-premises AD prior to mass syncing devices to be Hybrid Azure AD Joined.
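A pre-flight check along the lines of the lesson above, added here as an example and not part of the original post. It assumes (stated as an assumption in the code, not in the post) that the "Use Windows Hello for Business" policy lands in the PassportForWork policy key under HKLM and HKCU, and it applies the precedence the post observed: an explicit User Configuration value wins over the Computer Configuration value.

```powershell
# Added example: report which Windows Hello for Business policy a device will
# actually enforce, so the PIN prompt can be predicted before a bulk hybrid join.
# ASSUMPTION (not from the post): the policy is stored at
#   <hive>:\SOFTWARE\Policies\Microsoft\PassportForWork, DWORD "Enabled"
#   1 = Enabled, 0 = Disabled, key/value absent = Not Configured.
# Treat "gpresult /h report.html" as the authoritative RSoP check.

function Get-WhfbPolicyValue {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\PassportForWork"
    if (-not (Test-Path $key)) { return $null }          # key absent -> Not Configured
    $item = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                 # value absent -> Not Configured
    return [int]$item.Enabled
}

function ConvertTo-WhfbStateLabel {
    param($Value)
    if ($null -eq $Value) { return 'Not Configured' }
    if ($Value -eq 1)     { return 'Enabled' }
    if ($Value -eq 0)     { return 'Disabled' }
    return "Unexpected value $Value"
}

function Get-WhfbEffectiveState {
    # HKCU reflects the logged-on user, so run this in an interactive session
    # of a synced AD user, not as SYSTEM or a local admin.
    $computer = Get-WhfbPolicyValue -Hive 'HKLM'
    $user     = Get-WhfbPolicyValue -Hive 'HKCU'

    # Precedence as observed in the post: User Configuration overrides
    # Computer Configuration when it is explicitly set.
    $effective = if ($null -ne $user) { $user } else { $computer }

    [pscustomobject]@{
        ComputerPolicy  = ConvertTo-WhfbStateLabel $computer
        UserPolicy      = ConvertTo-WhfbStateLabel $user
        EffectivePolicy = ConvertTo-WhfbStateLabel $effective
        # Enabled effective policy is the condition that produced the Set-Up PIN prompt
        PinPromptLikely = ($effective -eq 1)
    }
}

Get-WhfbEffectiveState | Format-List
```

If EffectivePolicy reports Enabled while nobody intends to roll out WHFB, set the Computer policy back to Not Configured (or the User policy to Disabled) before the hybrid join, and re-check with gpresult after a policy refresh.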