It's possible to test to see if the userCertificate attribute itself has been updated (using Get-ADReplicationAttributeMetadata), rather than just checking the 'Modified' attribute for all computers.
This should mean there's no need to compare Modified and Created to make sure it was created within the last 5 hours. It will also mean computers leaving Hybrid Azure AD and then rejoining (using dscmd.exe /leave, which clears/recreates 'usercertificate' without updating 'Created') can also be detected and synced more quickly.
I have updated the script to do this in my own branch and will offer a pull request shortly.
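A sketch of the check described above, as an added example that is not the code from the author's branch: it reads the replication metadata of `userCertificate` on each candidate computer and keeps those whose attribute changed inside the window. The variable names, the choice of the PDC emulator as the domain controller to query, and reusing 5 hours as the window are assumptions.

```powershell
# Added example, not the script from the issue author's branch.
Import-Module ActiveDirectory

$LookbackHours = 5                          # assumption: reuses the 5-hour window mentioned above
$Server        = (Get-ADDomain).PDCEmulator # assumption: any reachable DC would do
$Cutoff        = (Get-Date).AddHours(-$LookbackHours)

# Pre-filter in LDAP so metadata is only fetched for objects that changed at all
# in the window and currently hold a certificate. whenChanged is per-DC, but it
# is always at or after the time the change reached the DC being queried.
$stamp  = $Cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$filter = "(&(userCertificate=*)(whenChanged>=$stamp))"
$candidates = Get-ADComputer -LDAPFilter $filter -Server $Server

$changed = foreach ($computer in $candidates) {
    # One metadata record per attribute; ask only for userCertificate.
    $meta = Get-ADReplicationAttributeMetadata -Object $computer.DistinguishedName `
                -Server $Server -Properties userCertificate

    # LastOriginatingChangeTime is when the attribute itself was last written,
    # regardless of what else on the object was modified or when it was created.
    if ($meta -and $meta.LastOriginatingChangeTime -ge $Cutoff) {
        [pscustomobject]@{
            Name                   = $computer.Name
            DistinguishedName      = $computer.DistinguishedName
            CertificateChangedAt   = $meta.LastOriginatingChangeTime
            AttributeVersion       = $meta.Version   # above 1 means it has been rewritten, e.g. a leave and rejoin
            OriginatingDC          = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# Computers whose userCertificate was written inside the window, newest first.
$changed | Sort-Object CertificateChangedAt -Descending
```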