Setting up and managing device configurations using Intune
When you remove or unassign a certificate profile policy from Microsoft Intune, the deployed PKCS certificate is automatically removed from the device.
As per https://learn.microsoft.com/en-us/intune/device-configuration/certificates/remove-profiles
Certificates that were provisioned by Intune are also removed when the profile that provisioned the certificate no longer targets the device or user.
This behavior occurs because certificates maintain a direct lifecycle link with the management service. When a device synchronizes with Intune after you remove the assignment, Intune sends a direct cleanup command to the local device management client. The client then processes this command and deletes the associated certificate from the local user or computer certificate store. An exception to this rule applies to Imported PKCS certificates, which are only deleted if the device is completely unenrolled or wiped.
Settings staying behind represent so called "policy tattooing." For standard configuration policies (such as modifying registry keys, setting power options, or changing desktop wallpapers) removing the policy merely stops Intune from enforcing it, leaving the modified settings intact. However, certificate profiles do not tattoo the device. They are cleanly wiped from the system once the policy is no longer targeted to the user or device.
This removal process does not happen instantly upon deleting the policy in the admin center. The certificate will remain on the device until the next successful device check-in and synchronization session. Depending on the operating system and platform, this removal typically finishes within a few minutes of a manual sync, or up to 8 hours during normal automatic background sync cycles.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin