To configure Intune to enroll devices with internal PKI certificates and with SCCM in co-management mode read first the articles below:

https://docs.microsoft.com/en-us/intune/certificates-configure

https://docs.microsoft.com/en-us/intune/certificates-scep-configure

https://support.microsoft.com/en-us/help/4459540/troubleshoot-ndes-configuration-for-use-with-intune

https://howtomanagedevices.com/intune/258/intune-certificate-deployment-guide/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2015/02/25/part-4-protecting-ndes-with-azure-ad-application-proxy/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/

 

NDES troubleshooting articles:

https://gsecse.wordpress.com/2015/10/06/ndes-deployment-and-troubleshooting/

https://docs.microsoft.com/en-us/intune/certficates-pfx-configure

https://blogs.technet.microsoft.com/askds/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates/

https://blog.hosebei.ch/2016/11/28/configmgr-ndes-certificate-deployment-fails-due-to-network-device-enrollment-service-failure/

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Configuring-and-Troubleshooting-PFX-PKCS/ba-p/516450

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

Note : a GitHub script to validate the NDES configuration: Validate-NDESConfiguration.ps1.

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CertificationAuthority