Better integration with Cisco ISE
When using NDES to request certificates on behalf of the user of a mobile device this certificate needs to be published in the AD account of the user. At the moment it is stored in the AD service account of the NDES. This way Cisco ISE cannot do the binary comparison needed for certificate authentication.
If there is a way of integrating Intune/NDES better into Cisco ISE this could be solved or have an option in the CA to tell it to publish the certificate in the correct user account.