Let me try to shed some light on your questions.
1. The provisioning process doesn't move your existing machine account from one group to another. In fact, a new machine account item is created. If you use scripts that work with the common name, you can probably run into some problems, because the common name is identical but the sAMAccountName has the addition $iME. In the Attribute Editor you will also find some differences from the 'normal' account.
At the moment this step doesn't work because Microsoft released the patch MS15-096, which changed some AD attributes. Now the object will be created, but acuconfig.exe can't set the right attributes and the management via SCCM doesn't work.
2. Chapter 6 of the SCS Deployment Guide explains some things regarding the certificate question. If you look on the internet, there are some older but still current instructions from Intel or Microsoft on how to build the certificate templates and what they do.
The following links are great resources for implementing SCS in SCCM.
3. You can wipe the data via an MEBx reset in the BIOS, but you have to do it manually for each computer and you have to confirm the step after a restart. There is no scripting for that at the moment. Or you can use the Full-unprovision task that comes with the add-on.
Why don't you try ePO Deep Command? You can provision systems with a few clicks. No need to use Intel SCS or buy a provisioning certificate. You can get it going in less than 30 minutes. ePO is also a robust security management platform into which many other security products are integrated.