Account Protection

Configure account protection policies in Intune to secure user identities on Windows devices. Includes Windows Hello for Business, Credential Guard, and local account management.

Windows Hello for Business

Replace passwords with strong two-factor authentication using biometrics or PIN tied to the device.

Setting	Options
Enable Windows Hello	Yes / No / Not Configured
Minimum PIN Length	4-127 characters
Maximum PIN Length	4-127 characters
Lowercase in PIN	Allowed / Required / Not Allowed
Uppercase in PIN	Allowed / Required / Not Allowed
Special Characters	Allowed / Required / Not Allowed
PIN Expiration (days)	0-730
Allow Biometric	Yes / No
Use TPM	Yes / No (recommended)

Credential Guard

Protect derived domain credentials by isolating them in a virtualization-based security container.

Enable with UEFI lock — Cannot be disabled remotely (most secure)
Enable without lock — Can be disabled via policy change
Not configured — Follows device defaults

Note: Requires UEFI firmware, Secure Boot, and virtualization extensions.

Local Administrator Password Solution (LAPS)

Enable LAPS — Activate automatic password management
Password Age — How often to rotate the password
Administrator Account — Built-in admin or custom account
Password Complexity — Length and character requirements
Post-Authentication Actions — Reset password after use

Account Lockout

Lockout Threshold — Failed attempts before lockout
Lockout Duration — Minutes the account stays locked
Reset Counter After — Minutes before counter resets

Best Practices

Deploy Windows Hello for Business as primary auth
Enable Credential Guard on compatible devices
Use LAPS for local admin accounts
Set account lockout thresholds
Require TPM-backed credentials

API Reference

GET /api/devices/security/account-protection — List policies
POST /api/devices/security/account-protection — Create policy
GET /api/devices/security/account-protection/:id/status — Get status
GET /api/devices/security/laps/:deviceId — Get LAPS password