Intune RBAC & Windows Hello for Business
Not every admin should have the same power. Learn how Intune role-based access control limits who can do what, and how Windows Hello for Business replaces passwords with biometrics and PINs.
Who can do what in Intune?
Think of Intune RBAC like hotel staff keys.
The general managerβs key opens every room, the restaurant, and the safe. A housekeeperβs key opens guest rooms but not the safe. A receptionist can check guests in but canβt enter rooms. Everyone has the access they need β and nothing more.
Intune works the same way. The IT director gets full access. The helpdesk gets βread device info + remote actions.β The app team gets βmanage apps only.β Nobody gets more access than their job requires.
Built-in Intune roles
Chen Wei at Meridian Bank has a team of 15 IT staff. He doesnβt want every team member to have the power to wipe 10,000 devices. Here are the built-in roles he uses:
| Role | What They Can Do | Who Gets It |
|---|---|---|
| Intune Administrator | Everything in Intune | Chen Wei (IT Security Lead) only |
| Helpdesk Operator | View device/user info, perform remote actions (lock, sync, restart), reset passcodes | Helpdesk team (5 staff) |
| Application Manager | Manage apps: add, assign, update, delete. Canβt touch device policies. | App deployment team (2 staff) |
| Endpoint Security Manager | Manage security baselines, compliance policies, conditional access integration | Security team (3 staff) |
| Read Only Operator | View everything, change nothing | Auditors, junior staff |
| Policy and Profile Manager | Create and manage config profiles and compliance policies | Device config team (2 staff) |
| School Administrator | Manage devices and apps for education tenants | Not used at Meridian |
Custom roles
If built-in roles donβt fit, you can create custom roles:
- Intune admin center β Tenant administration β Roles β Create role
- Pick a name and description
- Select specific permissions (e.g., βRemote tasks: wipe = Yes, Remote tasks: retire = Noβ)
- Assign the role to a group with a scope group (limits which devices they manage)
Exam tip: scope tags and scope groups
RBAC in Intune has two scope concepts β donβt confuse them:
- Scope groups = which users/devices the admin can manage (e.g., βonly devices in the Finance departmentβ)
- Scope tags = which Intune objects (policies, profiles, apps) the admin can see (e.g., βonly policies tagged βFinanceββ)
Together, they create fine-grained access: an admin might only manage Finance department devices AND only see Finance-tagged policies. This is especially useful in large orgs like Meridian Bank where different teams manage different business units.
Windows Hello for Business
What is it?
Windows Hello for Business replaces your password with your face, fingerprint, or a PIN that never leaves your device.
Instead of typing a password that could be stolen, phished, or guessed, you unlock your device with something only you have (biometrics) or something tied to your specific device (a hardware-backed PIN). Even if someone sees your PIN, it only works on YOUR device.
Hello for Business vs regular Windows Hello
| Feature | Windows Hello | Windows Hello for Business |
|---|---|---|
| Purpose | Consumer convenience | Enterprise security |
| Key storage | Software-based | TPM-backed (hardware) |
| Managed by | User | IT admin via Intune or GPO |
| Credential type | Local PIN/biometric | Asymmetric key pair + PIN/biometric |
| Phishing resistant | Basic | Yes β private key never transmitted |
| Multi-factor | No | Yes β device possession + biometric/PIN |
Configuring Hello for Business with Intune
Chen Wei enables Hello for Business across all Meridian Bank devices:
-
Intune admin center β Devices β Enrollment β Windows Hello for Business
-
Configure the tenant-wide settings:
- Enable: Yes
- Minimum PIN length: 6 (Chen Wei sets 8 for banking compliance)
- Maximum PIN length: 127
- Lowercase letters in PIN: Required
- Uppercase letters in PIN: Required
- Special characters in PIN: Allowed
- PIN expiration: Not configured (Microsoft recommends against PIN expiration)
- Use biometrics: Yes
- Use TPM: Required
- Allow phone sign-in: No (Chen Wei blocks this for security)
-
Alternatively, create a device configuration profile or identity protection policy for group-specific settings
Deep dive: Hello for Business deployment models
There are several deployment models, and the exam may test awareness of them:
- Cloud-only β simplest. Entra ID + Intune. No on-prem infrastructure. Best for cloud-native orgs like CloudForge.
- Hybrid key trust β uses Entra ID + on-prem AD + Entra Connect. The on-prem DC validates the key. Common during migration.
- Hybrid certificate trust β adds PKI (certificate authority). The on-prem DC validates a certificate. More complex, needed for RDP scenarios.
- On-premises key trust β purely on-prem AD with Windows Server 2016+. No cloud dependency.
For the exam, focus on: cloud-only is simplest, hybrid key trust is most common during migration, all models require TPM 1.2 or later.
π¬ Video walkthrough
Flashcards
Knowledge Check
Chen Wei has a helpdesk team of 5 staff who need to view device information and perform remote actions like lock and restart β but must NOT be able to create or modify policies. Which approach follows the principle of least privilege?
Aroha at CloudForge is deploying Windows Hello for Business to her 30-person startup. All devices are cloud-native (Entra Joined, no on-prem AD). Which deployment model should she use?
Next up: Compliance Policies & Conditional Access β defining what βcompliantβ means and blocking non-compliant devices from accessing resources.