We always face a situation where we would need to delay a specific action during the autopilot process of a machine.
In my case I wanted the SCEP machine certificate to be generated after the device was named using the naming policy.
In my deployment, the devices were having an OEM Windows Pro license and the users were having M365 E3 license. As my machine certificate needs to be generated using the proper computer name the SCEP policy needed to be delayed during the autopilot process. Out-of-the-box Intune as of now doesn’t have any built-in feature for this.
Intune filters came to my rescue. As I wanted to delay the policy I create a filter for Windows 11 Enterprise.
(device.osVersion -startsWith “10.0.2”) and (device.operatingSystemSKU -eq “Enterprise”)
Targeted my policy to this filter. The result was that the policy doesn’t apply on the Win Pro version during autopilot. After the user logs in the auto-activation occurs and the policy also gets applied.
This trick can be used for other use cases also. Hope this was helpful!