Forum Discussion
Intune Standalone Device-Based Certificate Issue
Standalone can do that.
You need to have the Root CA deployed to devices + an Intune NDES server connected to your CA and published externally (through Azure App Proxy).
https://docs.microsoft.com/en-us/intune/certificates-scep-configure
My SCEP/NDES environment is already set up and I have been delivering certs to users for some time, so I know everything is working on that end. Heck, I feel comfortable in saying I can deliver certs to users until the cows come home, but the same cannot be said when it comes to devices, however. When I create a device-based SCEP policy and target it at my Intune-registered devices, the requested cert is never delivered to the target machines' personal certificate store. I have forced syncs, waited for days, and nothing. Upon further inspection, what I realized was happening was that the cert was actually being delivered, but it was being delivered to the currently logged-in user on those targeted devices, and stored in that user's personal store, making it essentially a user cert and utterly useless for what I need. I have repeated this process and confirmed that this is the behavior. That said, I still wasn't convinced that there wasn't SOMETHING I was doing wrong, so I opened a support ticket. After several days back and forth (an exchange that left me feeling unsure how knowledgeable the tech I was working with was on this particular topic) I was told that this is the expected behavior. Needless to say, I was not completely convinced by this answer (hence my post here). I'm still finding it hard to believe there is no way of doing this. I'm attaching screenshots of the policy setup and results for anyone interested.
- Jun 30, 2018
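A quick way to confirm on the target device which store the SCEP certificate actually landed in, as an added example that is not part of the thread. It assumes the issuing CA's name is a placeholder ("Contoso Issuing CA"); replace it with your own CA's subject name.

```powershell
# Added example (not from the thread): report certificates from a given issuer
# in the machine personal store and the current user's personal store.
# Assumption: -IssuerMatch is a substring of your CA's subject name (placeholder below).
function Find-ScepCertificate {
    param(
        [Parameter(Mandatory)] [string]$IssuerMatch
    )
    $stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Run in the session of the user who was logged on when the policy applied;
# only that user's CurrentUser store is visible to the script.
$found = Find-ScepCertificate -IssuerMatch 'Contoso Issuing CA'   # placeholder CA name
if (-not $found) {
    Write-Warning 'No certificate from that issuer in either personal store.'
}
elseif ($found.Store -notcontains 'Cert:\LocalMachine\My') {
    Write-Warning 'Certificate is present only in the user store; a device certificate belongs in LocalMachine\My.'
}
$found | Format-Table -AutoSize
```

A certificate that shows up only under Cert:\CurrentUser\My is the user-store delivery described above, not a device certificate usable at the logon screen.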
Hi,
Standalone Intune + SCEP (PKI, NDES) is definitely possible, running it on several tenants. Your wish for device certs is not available at the moment. This is very well known by the PG and there is also a UserVoice item for it. Go ahead and vote it up:
best,
Oliver
- Deleted, Jul 01, 2018
Like I said, we are already using Intune/SCEP for user certificates. I was hoping that I was just doing something wrong for device-based certificates. Thanks for the information. I've already upvoted the UserVoice request. BTW, the scenario you lay out in the comments on UserVoice is almost EXACTLY the issue we are having: we have AAD-bound Windows devices that need a device certificate so that the machine can connect to our wireless network at the login screen and so that new users can log in for the first time.
- Oct 11, 2018
Hi James,
Just for info, device certificates have arrived in Intune.
See here: https://docs.microsoft.com/en-us/intune/whats-new#issue-scep-certificates-to-user-less-devices-
best,
Oliver