Thanks Balaji for the quick response.  

It is an internal Microsoft CA server and you can see in the attached iphone snapshot provided that it has been installed in the iphone, just the intermediary cert that isn't taken. Does this need to be in FDQN?

thanks!

Hi Balali,

Forgot to include the other snapshot that may be helpful, sorry forgot to include that earlier 

if that is internal CA, that is expected. or you need to manually upload root certificate to devices. - so the device can trust your Local CA certs

Thanks for the reply Robert.  Yes, we used Microsoft Intune to push the certificate to the iPhone and you can see the root certificate installed on the iPhone but not the internal CA certificate.  The iPhone shows that it is not trusted and with over 1K, it should be trusted automatically (the internal CA certificate has bee installed on the in ISE and it can see it).  Just wondering why the iPhone doesn't trust it automatically and had to hit the "Trust" option.  It wouldn't be feasible to hit the trust button on every phone.  thanks! 

When you say root certificate, do you mean from ISE?  Since you're specifying both I'm assuming the internal CA is your MS PKI and the root is from ISE.  If that is the case, which one of them signed the certificate that is presented to the device by ISE? Look in Admin -> Certificates and look for the one being used for EAP authentication, make sure the issued by is indeed the certificate you are pushing with Intune into the trust store

try :

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root

No Rsharp001 - still having the same issue.