To configure Intune to enroll devices with internal PKI certificates and with SCCM in co-management mode read first the articles below:
https://docs.microsoft.com/en-us/intune/certificates-configure
https://docs.microsoft.com/en-us/intune/certificates-scep-configure
https://support.microsoft.com/en-us/help/4459540/troubleshoot-ndes-configuration-for-use-with-intune
https://howtomanagedevices.com/intune/258/intune-certificate-deployment-guide/
NDES troubleshooting articles:
https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/
https://docs.microsoft.com/en-us/intune/certficates-pfx-configure
Note : a GitHub script to validate the NDES configuration: Validate-NDESConfiguration.ps1.
https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CertificationAuthority