Any reason why PKCS managed to get away with just a connector change?
SCEP is going to be quite painful in comparison. The original rollout proposal where it automatically added the SAN was a lot more favourable imo.
I’m guessing the best course of action would be to roll out the new SCEP certificate first gradually, then make the switch in associated VPN/Wi-Fi profiles to avoid a chicken/egg situation where it kills the profile entirely due to lack of cert whilst transitioning.
Biggest problem I see is AOVPN not taking kindly to config changes for Entra Joined devices. Talking specifically about https://directaccess.richardhicks.com/2021/09/20/always-on-vpn-short-name-access-failure. Any config changes will reapply the profile and wipe the modified value - meaning you’ll have to wait for scheduled remediation.
All in all, not going to be a fun rollout.