IT managers using MEM to manage Windows devices for schools often struggle with Windows Hello for Windows (WH4B). While the corporate world has a clear requirement for the type of 2FA that WH4B provides it's not that useful in schools.
Unfortunately the default setting found in the Windows-Enrolment in the MEM console turns WH4B on and targets the All Users group and unlike other settings there's no option to edit this group assignment or add an exclusion policy.
Another common complaint is that once you have noticed your mistake and turned WH4B off, this only affects new device enrolments, not devices and user accounts that have picked up the policy. While there are various workarounds for this situation it's not one you really want to be in.
However a preview feature in the MEM Endpoint Security section now allows you to enable/disable WH4B based on user groups, effectively providing a scoping control.
On the MEM console navigate to - Endpoint Security - Account Protection and create a new policy.
The options are limited but you do have the ability to block Windows Hello for Business. If you set this against a a user security group WH4B is removed, exactly as you would expect.Lastly you should note that the WH4W settings in the Windows Enrolment pane are the only ones that apply during OOBE and apply to the entire tenant and, as we have noted, this can’t be scoped. So if you want to remove the WH4B prompt during OOBE you would have to block it for everyone using the tenant wide setting but then turn it back on in the Endpoint Security - Account Protection section making sure you only assign to the appropriate user group.