Hello, To deploy user and device certificates you can deploy PKCS certificates. This is easy to do. What you need is to download the PKCS certificate connector. You can find it when you go to the intune portal and Device configuration | Certificate connectors. Click on Add and download the PKCS certificate connector. Go to an on-prem server which is in the same domain as the internal CA server. Don't worry, connection with the certificate connector will be as save encrypted tunnel so no complex firewall settings or other things to worry about. Install the certificate connector and only PKCS have to be installed. If SCEP is applicable you can choose for PKCS ans SCEP during the setup steps of the connector. After installing start the connector. If starting the app later, run the connector as admin. Make sure you have a Azure global admin with an Intune (EM+S) license activated. If not do so but it will take some time before this is active, at least 15 min. In the certificate connector login with the Azure Global Admin, and you are finished. You can see in Intune a green check that the connector is up and running. Next is to create a certificate connector which has the correct certificate requirements. For Intune I believe you have 2 requirements to make sure you can enroll the certificate and that is under Subject Name: Supply in the request, and at permissions, add the server which has the certificate connector installed the read and enroll certificate permissions. I think that is it but be sure to look online for advise when deploying the certificates with Intune. I used this method for always on vpn configurations and WPA2 Enterprise PEAP Wifi Configurations based on user certificates. Hopefully this helps.
... View more