Setting up and managing device configurations using Intune
This is going to be challenging because user-specific certificate policies and SCEP requests can only begin after the user logs in, triggers a policy sync, and passes Conditional Access. You should, though, be able to optimize your setup.
First, pre-deploy your Trusted Root CA. User certificates will fail or stall if the device does not already have the Trusted Root CA certificate installed. Ensure the Root CA and Intermediate CA profiles are assigned to the Device Group rather than the User Group. This ensures the device trusts the certificate infrastructure before the user ever logs in.
Second, adjust your synchronization settings. If these are Autopilot devices, deploying them with User Affinity establishes the device-to-user link early in the onboarding phase. Additionally, make sure your SCEP profile is assigned directly to User Groups instead of Device Groups. When assigned to users, Intune queues the certificate payload the moment the user authenticates to the OS and checks in with the Microsoft Graph API.
Third, look at your backend and network enhancements. Ensure the device has a temporary internet connection immediately upon reaching the desktop. If devices are stuck behind restrictive network filters or Conditional Access blocks, the Intune sync will fail or hang. If you use on-premises NDES/PKI, ensure your Intune Certificate Connector and NDES servers are updated to the latest version. For cloud-native environments, switching from on-premises NDES to Microsoft Cloud PKI can bypass on-premises Active Directory and IIS server latency.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
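As an added example (not part of the answer above), the following PowerShell diagnostic checks the prerequisites the three steps describe on an enrolled Windows device: that the Root and Intermediate CA profiles have landed in the device-scoped stores before sign-in, whether the user-targeted SCEP certificate has been issued yet, and what the MDM client has logged recently. The CA subject names are placeholders you must replace with your own, and the optional sync trigger uses the Intune enrollment scheduled task.

```powershell
# Added example, not from the original answer. $RootCASubject and $IntermediateCASubject
# are placeholders; substitute the subject names of your own CA certificates.
param(
    [string]$RootCASubject         = 'CN=Contoso Root CA',     # placeholder
    [string]$IntermediateCASubject = 'CN=Contoso Issuing CA',  # placeholder
    [switch]$TriggerSync
)

function Test-CaPresent {
    param([string]$StorePath, [string]$Subject)
    # Device-assigned trust must live in the LocalMachine stores so that it exists
    # before any user logs on; a user-store copy would arrive too late for SCEP.
    $hit = Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$Subject*" }
    [pscustomobject]@{
        Store      = $StorePath
        Subject    = $Subject
        Present    = [bool]$hit
        Thumbprint = ($hit | Select-Object -First 1).Thumbprint
    }
}

@(
    Test-CaPresent -StorePath 'Cert:\LocalMachine\Root' -Subject $RootCASubject
    Test-CaPresent -StorePath 'Cert:\LocalMachine\CA'   -Subject $IntermediateCASubject
) | Format-Table -AutoSize

# The user certificate only appears in the current user's store after sign-in,
# policy sync and Conditional Access; report whether it has arrived yet.
$userCert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Issuer -like "*$IntermediateCASubject*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($userCert) { "User cert present: $($userCert.Subject), expires $($userCert.NotAfter)" }
else           { 'User cert not yet issued; listing recent MDM client errors...' }

# Errors from the MDM client surface stalled SCEP requests and failed syncs
# (missing root trust, blocked network, Conditional Access) in this channel.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2   # Error
    StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# Optionally force a policy sync by starting the enrollment's PushLaunch task.
if ($TriggerSync) {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' |
        Start-ScheduledTask
}
```

Run it in the signed-in user's context so the CurrentUser store is the one the SCEP profile targets; the LocalMachine checks work regardless of who is logged on.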