Account protection policy settings for endpoint security in Intune

View the settings you can configure in profiles for Account protection policy in the endpoint security node of Intune as part of an Endpoint security policy.

Supported platforms and profiles:

  • Windows 10 and later:
    • Profile: Account protection (Preview)

Account protection profile

Account protection

  • Block Windows Hello for Business

    Windows Hello for Business is an alternative method for signing into Windows by replacing passwords, Smart Cards, and Virtual Smart Cards.

    • Not configured (default) - Devices provision Windows Hello for Business.
    • Disabled - Devices provision Windows Hello for Business.
    • Enabled - Devices don't provision Windows Hello for Business for any user
  • Enable to use security keys for sign-in

    Enable Windows Hello security key as a sign-in credential for all PCs in the tenant.

    • Not configured (default)
    • Yes
  • Turn on credential guard
    CSP: []DeviceGuard

    Credential Guard uses Windows Hypervisor to provide protections. Credential Guard requires hardware support for Secure Boot and DMA protections. This setting is only successful on devices that meet the hardware requirements.

    • Not configured (default) - Disable the use of Credential Guard, which is the Windows default.
    • Enable with UEFI lock - Enable Credential Guard and block it from being turned off remotely, as the UEFI persisted configuration must be manually cleared.
    • Enable without UEFI lock - Enable Credential Guard and allow it to be turned off without physical access to the machine.

Next steps

Endpoint security policy for Account protection