Add Multifactor Unlock configuration to WHfB Windows enrollment options, Security Baseline and CSP.
Our Info Sec team won't allow PINs for WHfB unless we use Multifactor Unlock. Currently this cannot be configured in Intune except perhaps by an ADMX backed custom CSP. This needs to be added to the WHfB configuration pages for Windows Enrollment, the Security Baseline and Identity Protection Profile type in Device configuration profiles.
Here is the documentation on the GPO that needs to be translated. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock#create-the-multifactor-unlock-group-policy-object