I am trying to enable users to configure Windows Hello for Business, but NOT require it. I've read the MS doucmentaion, but I can never if a settings enables or requires WHfB. The language is not clear enough. There is also like 5 ways of doing so.

We are a Hybrid AD shop with most of the machines being Azure AD joined (that is all I care about at the moment - forget HAADJ).

So far I've goten to a point where:

• in Windows enrollment the WHfB settings it set to Not Configured and the "Use security keys for sign-in" is set to Enabled
• created a windows configuration profile of "idenitity protection" type with "Configure Windows Hello for Business" set to "Enable" and the other realted settings set

I've applied the policy to a test group with just my user in it. After a sync and a restart I got a prompt for IR face recognition, which I skipped, and then it said I am REQUIRED to configure a PIN. I've cancalled out of the authenticaion windows that poped up and that let me "Skip it for now".

I am trying to avoid any kind of prompt for the users. Long time ago I once set a group policy in an AD only enviorment to allow WHfB and that did not prompt the users to set a PIN, rather simply un-grayed out the options in the settings menu.