Exam MD-101 topic 3 question 46 discussion

SCEP is to onroll certificates to Intune Devices (not necessary) PKCS is to onroll certificates to Intune Devices (not necessary) To trust the (internal) certificate of app1 you need to import the internal root certificate to the 'trused root certification authorities' of the device. You must create a configuration Profile - Trusted certificate to deploy the root certificate to the intune devices Answer = trusted certificate

SCEP Appears to be correct: Intune supports use of the Simple Certificate Enrollment Protocol (SCEP) to authenticate connections to your apps and corporate resources. https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

To use a SCEP certificate profile, a device must have also received the trusted certificate profile that provisions it with your Trusted Root CA certificate. We recommend you deploy both the trusted root certificate profile and SCEP certificate profile to the same groups. Consider the following before you continue: When you assign SCEP certificate profiles to groups, the Trusted Root CA certificate file (as specified in the trusted certificate profile) is installed on the device. The device uses the SCEP certificate profile to create a certificate request for that Trusted Root CA certificate.

the keyword on this question is uses certificate from onprem root CA , i vote B

SCEP is not necesary here

A. "Create and deploy a trusted certificate profile before you create a SCEP, PKCS, or PKCS imported certificate profile" https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root

B is the correct answer.

In my opion. MS Edge needs to trust with App1 certificate, if not a "can't connect securely to this page" message will be showed on Edge, so you need to deploy the Root CA certificate in Trusted root certification Authorities. A is my ssugested answer.