(no title)

Intune and basic CA policies ensure unexportable MDM certificates in the TPM are used for all authentication events. This is like day 1 Entra ID / Intune stuff. Not sure why you'd need an external vendor for any of this (especially a vendor more expensive than the above).