Since December 2017 Microsoft Intune introduced support for multiple active SCEP/PFX connectors per tenant in order to provide high availability for certificate handling.

Initially the Microsoft Intune SCEP/PFX connector didn’t provide support for high availability. The SCEP/PFX connector could be installed as a single instance with no option for multiple active connectors.

Microsoft Intune SCEP-PFX ConnectorMicrosoft Intune SCEP/PFX connector support multiple active connectors per tenant.

Notes: by default the connectors listed in the Microsoft Intune portal cannot be identified/linked to the on-premise servers where the SCEP/PFX connectors are installed on. My advice is to rename the first connector after installation and repeat this for each additional connector installed, to overcome this.

Multiple active SCEP/PFX connectors

Customers who use the on-premise SCEP/PFX connector to deliver certificates to devices, can now configure multiple connectors in a single tenant. Each connector pulls certificate tasks (e.g. requests, renewal or revocation) from Intune. If one connector goes offline, the other connector continue to process these certificate requests.

Microsoft Intune PFX connector High Availability 201711Microsoft Intune SCEP/PFX connector High Availability.

Microsoft Intune PFX connector High Availability failover 201711

Microsoft Intune SCEP/PFX connector active failover PFX Connector 1.

Microsoft Intune PFX connector High Availability failover 2 201711Microsoft Intune SCEP/PFX connector active failover PFX Connector 2.

As the SCEP/PFX connector is a key component in a certificate deployment infrastructure high availability support is a must for large enterprises.  End-users which contains a valid certificate are not directly effected in case of a failure, as they’re still able to access corporate resources. Once a device is retired/wiped we must be sure that the certificate revocation is performed.

Microsoft Intune PFX connector High Availability 2 201711Microsoft Intune SCEP/PFX connector High Availability – Certificate Authority failover.

Although Microsoft Intune provides support for multiple active SCEP/PFX connectors, there can be only one Certificate Authority (CA) configured per Microsoft Intune PCKS profile. Defining multiple PCKS profiles can be considered to have multiple CA’s in scope. This from a loadbalancing and/or high available perspective.

Microsoft Intune PKCS profile

Sources

  • Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices

https://ronnydejong.com/2017/02/20/part-1-deploying-microsoft-intune-pfx-connector-in-an-enterprise-worldcommon-practices/

  • Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting

https://ronnydejong.com/2017/05/02/part-2-deploying-microsoft-intune-connector-in-an-enterprise-world-troubleshooting/

  • What’s new in Microsoft Intune

https://docs.microsoft.com/en-us/intune/whats-new#week-of-december-11-2017

  • How to configure certificates in Microsoft Intune (new Intune Azure portal)

https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-certificates

  • Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)

https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-pfx

  • Configure certificate infrastructure for SCEP in Microsoft Intune

https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-scep

Previous articleMaarten’s Cloud Journaal – aflevering 29
Next articleGlobal Integration Bootcamp 2018
avatar
Ronny works as principal consultant for InSpark, the #1 Dutch Microsoft Partner specialized in Datacenter & Apps, Modern Workplace, Data/AI, Security & Managed Services. As principal consultant Ronny is member of the Technology Board, which is responsible for technology innovation, strategy & vision of InSpark. Ronny’s primary focus is on Microsoft 365 (Identity-, Modern Workplace-, Security & Threat protection. He‘s responsible for a great team of highly skilled consultant’s helping customers to accelerate by innovation. In his role as Microsoft Valuable Professional (MVP) he’s working closely with various Microsoft product groups to provide (customer) feedback, product improvements & most important, his contribution to the community by sharing knowledge & experience. His presence at various international (community) events like Tech Summit, Expertslive Europe, TechDays & various user group meetings are dedicated by meeting people & again sharing knowledge.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.