Here it depends. Is AD in Azure? This privacy statement seems to indicate that Microsoft has full access to your data and that it’s just company policy that keeps them out.
If your servers are on site and firewalled, then Microsoft would need some sort of remote access tool that tracks each server. This means that on-site licensing and patching needs to be done. I can’t think of any other service off the top of my head, but I’m only a desktop engineer.
There is nothing to prevent MS from sending the keys from every intune instance.
You don’t have to store them in intune, as far as I know. I’m not a desktop engineer, but I know at my workplace they historically are stored in AD.
Here it depends. Is AD in Azure? This privacy statement seems to indicate that Microsoft has full access to your data and that it’s just company policy that keeps them out.
If your servers are on site and firewalled, then Microsoft would need some sort of remote access tool that tracks each server. This means that on-site licensing and patching needs to be done. I can’t think of any other service off the top of my head, but I’m only a desktop engineer.