If you are using Intune with Autopilot, and your services or applications require devices to be hybrid domain joined, you may have come across the challenges with offline domain join and with pushing out the certificates that VPN tunnels need in order to connect, as explained in this article: https://www.risual.com/2023/02/always-on-vpn-device-tunnel-intune/
Microsoft are about to introduce Cloud PKI; see "Microsoft Cloud PKI launches as a new addition to the Microsoft Intune Suite" on the Microsoft Intune Blog.
This will allow certificates to be published from Intune without the requirement to install and configure certificate connectors and certificate services.