Windows Hello for Business is a method for signing in to Windows devices by replacing passwords, smart cards, and virtual smart cards. To support Windows Hello for Business with Microsoft Intune, you must create one or more identity protection profiles. Each identity protection profile will enable Windows Hello for Business for devices and users, and configure various PIN and authentication settings.

To configure an identity protection profile for Windows Hello for Business

  1. Log in to the Microsoft Azure portal.
  2. Log in to Intune.
  3. Click Devices.
  4. Under Policy, click Configuration profiles.
  5. Click Create profile.
    The Create profile page appears.
  6. For Platform, select Windows 10 and later.
  7. For Profile type, select Templates.
  8. Search for or select Identity protection, then click Create.
  9. For Name, enter a unique name to identify the identity protection profile.
  10. For Description, enter a description for the identity protection profile.
  11. Scroll down to the Identity protection pane.
  12. Under Configuration settings, configure the following settings: 
    1. For Configure Windows Hello for Business, select Enabled.

    2. For Minimum PIN length, enter the minimum PIN length.

    3. For Maximum PIN length, enter the maximum PIN length.

    4. For Lowercase letters in PIN, select whether lowercase letters are not allowed, allowed but not required, or required in a PIN.

    5. For Uppercase letters in PIN, select whether uppercase letters are not allowed, allowed but not required, or required in a PIN.

    6. For Special characters in PIN, select whether special characters (non-alphanumeric characters) are not allowed, allowed but not required, or required in a PIN.

    7. For PIN expiration (days), select the number of days a PIN can be used before it expires. Users must change their PIN after the configured number of days.

    8. For Remember PIN history, select how many previous PINs are remembered. When users change their PIN, they cannot reuse this number of previously-used PINs.

    9. For Enable PIN recovery, select Enable to allow users to recover their PIN using the Windows Hello for Business PIN recovery service.

    10. For Use a Trusted Platform Module (TPM), select Enable to allow only devices with an accessible TPM to provision Windows Hello for Business.

    11. For Allow biometric authentication, select Enable to allow Windows Hello for Business to authenticate using biometric authentication.

    12. For Use enhanced anti-spoofing, when available, select Enable to use the device's enhanced anti-spoofing features whenever the hardware supports them.

    13. For Certificate for on-premise resources, select Enable to allow Windows Hello for Business to use certificates for authentication to on-premises resources.

    14. For Use security keys for sign-on, select Enable to allow users to sign in with a Windows Hello security key.

  13. Click Next.
  14. Under Assignments:
    1. For Include, select the Azure Active Directory groups you want to include with the identity protection profile.
    2. For Exclude, select the Azure Active Directory groups you want to exclude from the identity protection profile.
  15. Click Next.
  16. Under Applicability Rules:
    1. If required, configure any rules to work with your environment.
    2. Click Next.
  17. Under Review + create:
    1. Review the identity protection profile. Change any settings if required.
    2. Click Create to create the identity protection profile.
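As an added example (not part of this procedure and not Microsoft's or Intune's own code), the following Python script models how the PIN settings configured in step 12 combine when a user picks or changes a PIN: the length bounds, the three-state lowercase, uppercase and special-character switches, the Remember PIN history count, and PIN expiration. The names PinPolicy, Rule, check_pin and pin_expired are this example's own, the sample policy and PIN history are constructed, and digits are assumed to be always permitted because the profile above offers no digits setting. It is a way to sanity-check a policy's combined effect before assigning it to groups, not the enforcement that Windows performs on the device.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Rule(Enum):
    """The three states offered for each character class in the profile."""
    NOT_ALLOWED = "not allowed"
    ALLOWED = "allowed"        # allowed but not required
    REQUIRED = "required"


@dataclass(frozen=True)
class PinPolicy:
    """Hypothetical model of the PIN settings; field names are this example's, not CSP identifiers."""
    min_length: int
    max_length: int
    lowercase: Rule
    uppercase: Rule
    special: Rule
    expiration_days: int   # assumption for this model: 0 means the PIN never expires
    history: int           # number of previous PINs that cannot be reused


def _apply_rule(rule: Rule, present: bool, label: str) -> Optional[str]:
    """Return a violation message for one character-class rule, or None if satisfied."""
    if rule is Rule.NOT_ALLOWED and present:
        return f"{label} are not allowed"
    if rule is Rule.REQUIRED and not present:
        return f"at least one {label[:-1]} is required"
    return None  # ALLOWED never produces a violation


def check_pin(policy: PinPolicy, candidate: str, previous_pins: List[str]) -> List[str]:
    """Evaluate a candidate PIN against the policy; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(candidate) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")

    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_special = any(not c.isalnum() for c in candidate)  # page: non-alphanumeric characters
    for rule, present, label in (
        (policy.lowercase, has_lower, "lowercase letters"),
        (policy.uppercase, has_upper, "uppercase letters"),
        (policy.special, has_special, "special characters"),
    ):
        msg = _apply_rule(rule, present, label)
        if msg:
            problems.append(msg)

    # Remember PIN history: the most recent N PINs cannot be reused.
    # (The model keeps history in clear text for readability; Windows does not.)
    if policy.history > 0 and candidate in previous_pins[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} PINs")
    return problems


def pin_expired(policy: PinPolicy, last_changed: date, today: date) -> bool:
    """PIN expiration (days): the user must change the PIN once this many days have passed."""
    if policy.expiration_days == 0:
        return False
    return today - last_changed >= timedelta(days=policy.expiration_days)


# Constructed sample policy mirroring the profile settings above.
SAMPLE_POLICY = PinPolicy(
    min_length=6, max_length=12,
    lowercase=Rule.ALLOWED, uppercase=Rule.NOT_ALLOWED, special=Rule.REQUIRED,
    expiration_days=90, history=5,
)

if __name__ == "__main__":
    history = ["12345!", "23456!", "34567!"]  # constructed previous PINs
    for pin in ("12345!", "987654", "aB123#", "9xk2!q"):
        print(pin, check_pin(SAMPLE_POLICY, pin, history) or "ok")
    print("expired:", pin_expired(SAMPLE_POLICY, date(2024, 1, 1), date(2024, 3, 31)))
```

Running the model against a draft policy makes interactions visible that the portal does not show, for example a minimum length and a required special character that together reject every PIN a user would naturally choose, or a history count that is larger than the number of changes an expiration period allows.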