Renewing enrolled certificates
When a certificate is close to expiring, the Microsoft Intune protocol automatically renews it on Windows and Android devices. On iOS, iPadOS, and macOS devices, however, renewal is subject to the limitation described in the Microsoft documentation:
Renewal behavior on iOS/iPadOS and macOS: Certificates can only be renewed during the renewal threshold phase. In addition, the device has to be unlocked while syncing with Intune. If the renewal was not successful, the expired certificate will remain on the device and Intune does not trigger a renewal anymore. Also, Intune does not offer an option to redeploy expired certificates. Affected devices need to be excluded from the SCEP profile temporarily to remove the expired certificate and request a new one.
See https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep for details on this issue.
Therefore, to renew an expired certificate on iOS, iPadOS, and macOS devices, you must:
Deselect the device on the Intune Company Portal application.
Re-enroll the device on the Intune Company Portal.
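The renewal window and the stuck-after-expiry state described above can be modelled to triage which Apple devices already need the exclude-and-re-enroll procedure. This is an added example, not code from this page or from Microsoft; it assumes the SCEP profile's renewal threshold is a percentage of remaining certificate lifetime (as in Intune's "Renewal threshold (%)" setting) and uses constructed device records rather than a real Intune export.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc
# Platforms on which Intune does not renew once the certificate has expired.
APPLE_PLATFORMS = {"iOS", "iPadOS", "macOS"}


@dataclass(frozen=True)
class DeviceCert:
    device: str
    platform: str
    not_before: datetime
    not_after: datetime


def renewal_window_start(cert: DeviceCert, threshold_pct: int) -> datetime:
    """Renewal is requested once the remaining lifetime drops to threshold_pct
    of the total lifetime (assumed semantics of the Intune renewal threshold)."""
    lifetime = cert.not_after - cert.not_before
    return cert.not_after - lifetime * (threshold_pct / 100)


def cert_state(cert: DeviceCert, now: datetime, threshold_pct: int) -> str:
    """'valid' -> not yet renewable; 'renewal-window' -> Intune may renew
    (device must be unlocked during sync); 'expired' -> no renewal will happen."""
    if now >= cert.not_after:
        return "expired"
    if now >= renewal_window_start(cert, threshold_pct):
        return "renewal-window"
    return "valid"


def needs_reenrollment(certs, now: datetime, threshold_pct: int = 20) -> list:
    """Apple devices whose certificate expired: Intune will not renew these, so
    they must be excluded from the SCEP profile and re-enrolled."""
    return sorted(c.device for c in certs
                  if c.platform in APPLE_PLATFORMS
                  and cert_state(c, now, threshold_pct) == "expired")


# Constructed sample inventory (not real devices).
SAMPLE_CERTS = [
    DeviceCert("ipad-01", "iPadOS", datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)),
    DeviceCert("mac-02", "macOS", datetime(2024, 6, 1, tzinfo=UTC), datetime(2025, 5, 31, tzinfo=UTC)),
    DeviceCert("win-03", "Windows", datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=UTC)
    for c in SAMPLE_CERTS:
        print(f"{c.device:8} {c.platform:8} {cert_state(c, now, 20)}")
    print("exclude and re-enroll:", needs_reenrollment(SAMPLE_CERTS, now))
```

Run it against a real export by building DeviceCert records from the certificate validity fields; win-03 is deliberately left out of the result because Windows renewal is handled by Intune itself.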