Since December 2017, Microsoft Intune has supported multiple active SCEP/PFX connectors per tenant in order to provide high availability for certificate handling.
Initially the Microsoft Intune SCEP/PFX connector didn’t provide support for high availability. The SCEP/PFX connector could be installed as a single instance with no option for multiple active connectors.
Microsoft Intune SCEP/PFX connector supports multiple active connectors per tenant.
Note: by default, the connectors listed in the Microsoft Intune portal cannot be identified or linked to the on-premises servers on which the SCEP/PFX connectors are installed. To overcome this, my advice is to rename the first connector after installation and repeat this for each additional connector installed.
Multiple active SCEP/PFX connectors
Customers who use the on-premises SCEP/PFX connector to deliver certificates to devices can now configure multiple connectors in a single tenant. Each connector pulls certificate tasks (e.g. requests, renewal or revocation) from Intune. If one connector goes offline, the other connector continues to process these certificate requests.
Microsoft Intune SCEP/PFX connector High Availability.
Microsoft Intune SCEP/PFX connector active failover PFX Connector 1.
Microsoft Intune SCEP/PFX connector active failover PFX Connector 2.
As the SCEP/PFX connector is a key component in a certificate deployment infrastructure, high availability support is a must for large enterprises. End users who hold a valid certificate are not directly affected in case of a failure, as they’re still able to access corporate resources. Once a device is retired/wiped, however, we must be sure that the certificate revocation is performed.
Microsoft Intune SCEP/PFX connector High Availability – Certificate Authority failover.
Although Microsoft Intune provides support for multiple active SCEP/PFX connectors, there can be only one Certificate Authority (CA) configured per Microsoft Intune PKCS profile. Defining multiple PKCS profiles can be considered in order to have multiple CAs in scope, from a load-balancing and/or high-availability perspective.
- Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices
- Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting
- What’s new in Microsoft Intune
- How to configure certificates in Microsoft Intune (new Intune Azure portal)
- Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)
- Configure certificate infrastructure for SCEP in Microsoft Intune