Don't know if you've found out or not by now... You have to use SCEP if you want your certificate to be hardware bound, i.e. generated by a device's TPM and optionally with Key Attestation. I'm afraid this is the 21st century way of doing things but Microsoft hasn't done a great job in setting us up for this by default. Most people have to completely replace all issuer certs to achieve Key Attestation.
PKCS is technically a poor option because the private key will be generated by the Intune Certificate Connector server, not the device, and then transmitted through the air to the target device. Security best practice would say this is not a great thing to do. You are reliant on the transmission encryption not being broken before such a certificate expires. With SCEP, the private key is generated on the device and is never transmitted beyond it. Intune Certificate Connector secures the NDES service using a policy module.
For ultimate security, your device certificates should be generated by the TPM and then Key Attested. A good security solution would validate the key attestation, e.g. Cisco ISE does this.
Microsoft binds PRTs to the TPM and I think more and more things are beginning to take advantage of this now that more and more hacks are happening against tokens and suchlike that are not hardware bound.
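To check the point made above on a deployed device, here is an added PowerShell snippet (my own, not from the poster or from Intune) that reports, for every certificate with a private key in the user and machine stores, which key storage provider holds it and whether it is exportable: a SCEP-issued, TPM-generated key shows "Microsoft Platform Crypto Provider", while a PKCS-delivered key typically shows the software provider. It assumes Windows PowerShell 5.1 or later; run it elevated to read LocalMachine keys.

```powershell
# Added example: report whether each private key is TPM-backed and non-exportable.
# Assumes Windows PowerShell 5.1+ on a Windows device (hypothetical function name).
function Get-HardwareBoundCertReport {
    param(
        [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
          Where-Object { $_.HasPrivateKey } |
          ForEach-Object {
            $cert = $_
            $key = $null
            try {
                # CNG-aware accessors; RSA first, then ECDSA for EC certificates
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
            } catch { }   # access denied or unreadable key: report as unknown
            $provider = 'unknown'; $exportable = $null
            if ($key -is [System.Security.Cryptography.RSACng] -or
                $key -is [System.Security.Cryptography.ECDsaCng]) {
                $provider   = $key.Key.Provider.Provider
                $exportable = ($key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: software CSP, never TPM-resident
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Provider   = $provider
                TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
                Exportable = $exportable
            }
        }
    }
}

Get-HardwareBoundCertReport | Sort-Object TpmBacked -Descending | Format-Table -AutoSize
```

Any certificate issued by your device profile that shows TpmBacked = False or Exportable = True is one whose private key could leave the device, which is the risk the post describes for PKCS delivery.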