iOS Wifi Profile not getting delivered


For the past few months we have had a profile set up that gets a restriction profile that locks the device into kiosk mode for an app and also has the setting "Join Wi-Fi networks only using configuration profiles" configured. We push out our Wi-Fi network to the devices along with root cert + SCEP profile for certificate based authentication. This has been working great for the past few months.
 
Starting last we were enrolling iPads as we have been doing, but when enrolling the device into Intune it gets the green check mark for 'Get your device managed' and goes to 'Update device settings' and can never confirm device settings. Looking at the device, it's been disconnected from the WiFi network. Going to Settings -> WiFi, there are no networks available (I have verified there are multiple networks available) and it says 'Your iPad can only join WiFi networks that are configured by your organization's admin'. Checking the management profile on the device, I can see all the restrictions and both the SCEP certificate and root certificate, but the WiFi profile is not listed in there. Checking the device in Intune shows that the WiFi profile is still 'pending' for the device, along with the management profile, root cert and SCEP cert. If I enroll a regular user-based device assigned the same WiFi profile (but not the restrictions profile), it gets the profile and connects without issue.

It seems like the device is getting the policy to only allow access to the network from the configuration profile and disabling WiFi on the device before it gets the WiFi profile. Has anyone run into this or have a solution? We can remove "Join Wi-Fi networks only using configuration profiles" but I'm not sure how that would impact the already enrolled ~80 devices.

2 Replies

If anyone else runs into this issue or is looking for a solution, this appears to be a known issue where it can't control what policies are being applied first. The solution seems to be to enroll the devices and have only the Wi-Fi profile + certs applied. Once all devices are enrolled and have the Wi-Fi profile + certs installed, then you can apply the restrictions profile.

The solution I found for shared iOS devices was to make a device-based cert and Wi-Fi profile using the NDES cert already in use.

SCEP cert uses:

Subject name : CN={{WiFiMacAddress}}

SAN :

URI | ID:Microsoft Endpoint Manager:GUID:{{DeviceID}}
URI | ID:Microsoft Endpoint Manager:{{SerialNumber}}


The Wi-Fi profile takes the above cert for auth as well as the NDES trusted cert and domain trusted cert.