manage Interactive logon & Windows Hello multi-factor unlock

Hi everyone,

We're going step by step on the passwordless strategy from Microsoft. Windows Hello multi-factor unlock is deployed in a Pilot Group but now I have two questions, which I hope someone here can answer.

Question 1: disable Windows Hello multi-factor unlock

Managed to enable WHMFU over custom OMA-URI Settings. But how can I disable it again? I tried it with a second custom OMA-URI Settings configuration profile which is configured as follows:

It works, but it seems, that it isn't disabled correctly. Sometimes I still get a message in the logon process which says something like "additional factor needs to verify" but it displays very quickly, and I verified that I can log on with only one factor again. Disabling the second unlock factor is configured like this as well.

Question 2: Enable "Interactive logon: Require Windows Hello for Business or smart card"

We want to enable this security option. However, Intune doesn't offer to manage this setting. So, I think that I must enable this over a custom OMA-URI Setting too or PowerShell script. How can I achieve this?