Some of you reported that you were trying to provision new devices using Windows Autopilot with ESP enabled, and were running into issues when trying to deploy Windows Hello for Business (useful for single sign-on scenarios) via Intune and SCEP. The challenge: ESP would be waiting for the certs to install before Windows Hello for Business (WHfB) was set up, and since those certs were dependent on WHfB that wouldn’t work.
So, we implemented a change in Intune that will work around this. Instead of delivering the certificate policies during user ESP, it will instead wait until later, allowing ESP to complete and the WHfB enrollment process to complete. So if you had disabled user ESP because of this issue, try turning it back on again.