@Thomas, Thanks for posting in Q&A.
From your description, I know you want to deploy Intune csp setting but failed on some devices.
Based on my research, there are some suggestions to fix this issue.
1.The error code 0x87d1fde8 can be caused that the OMA-URI used in the above-mentioned policy is not correct, so please check whether the OMA-URI is correct.
2.Please check if there exist conditional access policies applied for the failed 5% devices.
3.It seems "UsePassportForWork" needs to be set for "DisablePostLogonProvisioning" to be honored.
https://www.reddit.com/r/Intune/comments/y9gr60/disable_mandatory_windows_hello_for_business/
Non-official, just for reference.
4.You can try to disable DisablePostLogonProvisioning using GPO following the link below.
https://blog.matrixpost.net/disable-windows-hello-for-business-prompt-on-azure-ad-joined-devices/
Please check above information, if there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.