We will start using Microsoft Intune for all our devices soon, and while configuring Intune, the question came up of which certificate to choose, for authentication etc.
I have followed this link and others similar: https://learn.microsoft.com/en-us/intune/certificates-configure
However these links only explain how to install CA's, configure settings etc. I can not find a clear differentiation between the 2 certificates (SCEP and PFX) and why one would choose one over the other.
Are there any general guidelines to follow?
Edit: Our devices are mostly company laptops, with Windows 10.
It's hard to say how to choose one kind rather than the other one. It really depends on what devices you're using and what platforms runs for those devices:
You can create and assign a PKCS or SCEP certificate profile for devices running the following platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work Windows 10
(desktop and mobile) and later
You can only use a SCEP certificate profile for devices running the following platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
So, it's clear that If your devices are using macOS 10.9 and later ,Windows Phone 8.1 and later platforms, you must choose to use SCEP certificates.
Also, it sometimes depends on what CA that your Network devices support. E.g, if your VPN devices only supports SCEP CA,you just need to use SCEP CA.
You can also refer to this Tech Note of Cisco to find more details about SCEP and PKCS.
For same devices:
If you are building a prototype or a small not critical service then go with PKCS12.
If you use SCEP profiles, you need to configure a Network Device Enrollment Service (NDES) server. So,If you are building a serious product (production and touching devices of people with sensitive info) then go with SCEP (you can get a free SCEP servers. It's not that complex).
Hope this helps!