Microsoft Cloud PKI for Intune automates certificate management for enrolled devices, but you must manually handle the expiration of the certification authority (CA). When your Cloud PKI issuing CA approaches its expiration date, you need to create a new CA and update your SCEP certificate profiles to maintain uninterrupted service. This guide explains the expiration process, potential impacts, and the steps required to transition to a new issuing CA.
Source