Forum Discussion
ErwinG
5 days ago
Hi,
We have hybrid domain join working with Intune AutoPilot. This configuration includes a Certificate Authority and we deploy certificates from that CA to newly deployed devices using NDES and SCEP. We recently moved from the Windows-based Always-On VPN client to the Cato SDP Client. We just leveraged the existing setup and it works like a charm. No user interaction is needed for deployment and domain joins, etc. So, this is where I'm coming from.
Anyway, some things that might be useful to you:
- We're storing the certificate in the Cert:\LocalMachine\My store, because we use device-based connections. But I guess you want user-based authentication, so Cert:\CurrentUser\My should be fine.
- Make sure that the .pfx / PKCS#12 certificate is trusted -> This is important. Which service signed the cert?
- If you need access to any on-prem resources, make sure you have those configured in Access / Client Access / Pre Login. If you are doing a hybrid domain join, you need at least a line-of-sight to your domain controllers.
- In the Registry, add PreLogin = 1 as a DWORD and your subdomain as a STRING. You only need your Cato subdomain, no need to add ".via.catonetworks.com".
- The only modification we've made to our ESP is that the Cato client has to be installed before the device can be used. The required Registry keys are deployed using the Intune Platform Scripts feature.
- We haven't made any changes to your deployment profiles.
I don't know enough about your environment, so I assumed a few things. ;-)
Hope this helps.
Regards,
Erwin G.
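As an added example that is not ErwinG's own script, the following Intune Platform Script writes the two registry values the post describes (PreLogin as a DWORD, the Cato subdomain as a STRING) and then checks the point raised in the post about the SCEP-issued certificate being trusted, by building the chain for the device certificate in Cert:\LocalMachine\My. The registry path, the subdomain value name, the subdomain itself and the issuing CA's distinguished name are not given in the post and are placeholders here.

```powershell
# Added example, not code from the post. Intune Platform Script (run as SYSTEM, 64-bit):
# 1) set the Cato pre-login registry values, 2) verify the SCEP device cert is trusted.
# ASSUMPTIONS (placeholders, not from the post): registry path, subdomain value name,
# subdomain, and the issuing CA's subject DN.
$CatoRegPath   = 'HKLM:\SOFTWARE\PLACEHOLDER\CatoClient'  # placeholder: path from Cato's docs
$SubdomainName = 'Subdomain'                               # placeholder: value name from Cato's docs
$CatoSubdomain = 'contoso'                                 # placeholder: subdomain only, no ".via.catonetworks.com"
$IssuerDn      = 'CN=PLACEHOLDER-Issuing-CA, DC=example, DC=local'  # placeholder: CA behind NDES/SCEP

if (-not (Test-Path $CatoRegPath)) {
    New-Item -Path $CatoRegPath -Force | Out-Null
}
# PreLogin = 1 as REG_DWORD and the subdomain as REG_SZ, as described in the post.
New-ItemProperty -Path $CatoRegPath -Name 'PreLogin' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $CatoRegPath -Name $SubdomainName -Value $CatoSubdomain -PropertyType String -Force | Out-Null

# Device-based connection, so look in the machine store. Keep only certificates from the
# expected issuer that have a private key and are valid right now; take the newest.
$now  = Get-Date
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Issuer -eq $IssuerDn -and $_.HasPrivateKey -and
                   $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # Non-zero exit makes the script show as failed in Intune, so ESP does not release the device early.
    Write-Output 'No valid device certificate from the expected CA found; SCEP enrollment not complete.'
    exit 1
}

# Build the chain with online revocation checking. A chain that does not end in a root
# the machine trusts is the "certificate is not trusted" case the post warns about.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted = $chain.Build($cert)
if (-not $trusted) {
    $reasons = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    Write-Output "Certificate $($cert.Thumbprint) is NOT trusted: $reasons"
    exit 1
}

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Output "Certificate $($cert.Thumbprint) chains to trusted root: $($root.Subject)"
exit 0
```

The script's exit code is what Intune reports, so a missing or untrusted certificate surfaces as a failed script on the device rather than as a silent VPN connection failure at pre-login.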