Profiles that use certificate based authentication should not be installed until the certificate is installed
For configuration profiles that use certificate based authentication they should not be installed until the associated certificate is installed.
We use certificate based authentication for e-mail using ActiveSync. This uses two different profiles; one is a profile with the e-mail configuration the other is a profile with the user certificate. The e-mail profile typically installs before the certificate profile, Once the e-mail profile is installed it prompts the user to enter their password. If they enter their password it uses their password instead of certificate based authentication.
If we configure our e-mail profile to use certificate based authentication we need Intune to wait until the associated certificate is installed before Intune installs the e-mail profile.
We also use this for deploying WiFi profiles with PKCS certificates. During autopilot, certificates will not apply before the WiFi is deployed causing the WiFi to drop if it is currently connected to the same SSID that is deployed. This would stream line the whole process with WiFi.