This one is going to be a short post as a lot of it is documented already. If you ever find yourself doing this and don’t want to use Configuration Manager or Intune Standalone UI to enable it, you might wonder what needs to be specified as Tenantid in OMA-URI.
The PassportForWork Configuration Service Provider(CSP) is used to provision Windows Hello for Business.
Replace Tenantid with your Azure Active Directory Tenant ID and not Intune Tenant ID.
Note: - If you have an Intune subscription then ensure Hello for Business is set to Not configured in UI else custom OMA-URI may not work. This is true for both Hybrid and Intune standalone environments.
To know your Azure Active Directory Tenant ID using PowerShell – Please read https://blogs.technet.microsoft.com/heyscriptingguy/2013/12/31/get-windows-azure-active-directory-tenant-id-in-windows-powershell/
PassportForWork CSP documentation - https://msdn.microsoft.com/en-us/library/windows/hardware/dn987099(v=vs.85).aspx