
How to skip SCEP Internal User certificate enrollment during Autopilot Device Preparation Deployment.

Tony Sutton - Admin 0 Reputation points
2026-03-31T00:18:34.5+00:00

Great evening,

How are you? Great, I hope!

I am exploring how to skip SCEP Internal User certificate enrollment during Autopilot Device Preparation Deployment.

Reason: Device preparation deployment does not create a user profile, so the SCEP Certificate tries to enroll into the system account.

By forcing the SCEP certificate to skip device preparation the certificate will then be enrolled once the user logs in.

Please advise and have a great week!

Tony

Microsoft Security | Intune | Enrollment

2 answers

  1. Prathista Ilango 1,065 Reputation points Microsoft Employee
    2026-04-01T11:47:03.4833333+00:00

    Hello Tony Sutton - Admin,

    In addition to the suggestions below, you could try this.

    1. Target the SCEP profile to user group and
    2. Add an exclusion filter device.enrollmentProfileName -contains "<Autopilot profile name>" Refer to: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/filters-device-properties?tabs=managed-device#available-properties

    This could make sure that the SCEP profile is not deployed in the Autopilot phase.

    Hope this helps!

    If you found the information above helpful, please Click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

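    One way to put the suggestion above into practice with the Microsoft Graph PowerShell SDK, as an added example that is not code from the answer or from Microsoft: it creates the exclusion filter on device.enrollmentProfileName, attaches it in exclude mode to the SCEP profile's user-group assignment, and reads the assignments back to confirm. The profile name, SCEP profile id and group id are placeholders, and the Microsoft.Graph.Authentication module is assumed to be installed.

```powershell
# Added example (not the answer's or Microsoft's code). Requires the
# Microsoft.Graph.Authentication module; all names and ids are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$apProfileName = "<Autopilot profile name>"       # placeholder: Device Preparation profile name
$scepProfileId = "<SCEP device configuration id>" # placeholder: id of the SCEP certificate profile
$userGroupId   = "<Entra user group id>"          # placeholder: user group the SCEP profile targets
$graph         = "https://graph.microsoft.com/beta/deviceManagement"

# 1. Create a filter that matches devices enrolled through the Autopilot profile.
$filter = Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentFilters" -Body @{
    displayName = "Exclude devices enrolled via $apProfileName"
    description = "Keeps user-targeted SCEP enrollment out of Device Preparation"
    platform    = "windows10AndLater"
    rule        = "(device.enrollmentProfileName -contains `"$apProfileName`")"
}

# 2. Assign the SCEP profile to the user group with the filter in exclude mode.
#    The assign action replaces the profile's existing assignments, so every
#    assignment you want to keep must be listed in this array.
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceConfigurations/$scepProfileId/assign" -Body @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId = $userGroupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = "exclude"
            }
        }
    )
}

# 3. Read the assignments back and confirm the filter is attached in exclude mode.
$assignments = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceConfigurations/$scepProfileId/assignments"
foreach ($a in $assignments.value) {
    "{0} group={1} filter={2} mode={3}" -f $a.target.'@odata.type', $a.target.groupId,
        $a.target.deviceAndAppManagementAssignmentFilterId,
        $a.target.deviceAndAppManagementAssignmentFilterType
}
```

    Because enrollmentProfileName is a property of the device record rather than of the deployment phase, pilot this on one device and confirm that the user-targeted SCEP certificate still arrives after the user signs in.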

  2. Q&A Assist
    2026-03-31T00:18:47.9433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Device Preparation in Windows Autopilot runs before any user signs in, so any SCEP profile that is assigned and applicable at that stage will target the device (system context). To have SCEP enrollment occur only after a user signs in, the SCEP profile must not be applicable during Device Preparation and must instead be evaluated in the user context.

    From the available information, the following controls exist for SCEP profiles and Autopilot:

    1. SCEP profile assignment model
      • SCEP certificate profiles in Intune can be assigned to users or devices.
      • For SCEP to work correctly, the SCEP profile and its associated trusted certificate profile must be assigned in a compatible way:
        | SCEP profile assignment | Trusted cert profile assignment | Result  |
        |-------------------------|---------------------------------|---------|
        | User                    | User                            | Success |
        | User                    | Device                          | Failure |
        | User                    | User and Device                 | Success |
        | Device                  | User                            | Failure |
        | Device                  | Device                          | Success |
        | Device                  | User and Device                 | Success |
        | User and Device         | Any                             | Success |
      • To avoid enrollment in the system context during Device Preparation and instead enroll after user sign-in, the SCEP profile must be assigned in a way that only evaluates in the user context (for example, user-only assignment with a matching user-only trusted root assignment). If the profile is device-assigned or user-and-device–assigned, it can be processed before a user profile exists.
    2. Applicability rules (Windows only)
      • For Windows SCEP profiles, Applicability Rules can refine which devices receive the profile based on OS edition or version.
      • Applicability rules do not provide a direct mechanism to distinguish “Autopilot Device Preparation phase” from “post–user sign-in.” They only filter by OS characteristics, not deployment phase.
    3. Autopilot deployment profile behavior
      • Windows Autopilot deployment profiles control OOBE behavior and device join type (including Microsoft Entra hybrid join) but do not provide a setting to suppress or delay specific Intune configuration profiles (such as SCEP) during Device Preparation.
      • Once the device is enrolled and policy evaluation begins, any device-targeted SCEP profile that is applicable will be processed, regardless of Autopilot phase.

    Given these behaviors, skipping SCEP enrollment during Device Preparation and deferring it until user sign-in requires:

    • Assigning the SCEP certificate profile and its trusted certificate profile to users only, not to devices or to both users and devices.
    • Ensuring that the Autopilot-enrolled device does not fall into any device group that receives the SCEP profile.

    This way, SCEP enrollment will occur only after a user signs in (when the user-targeted policies are evaluated) and will not attempt to enroll into the system account during Device Preparation.

    There is no setting in the provided material that allows explicitly “forcing” a SCEP profile to skip the Device Preparation phase while still being device-targeted.

