Intune certificate connector redundancy configuration

Hello everyone.

Although I am new to participating in the Community, I have been using Microsoft tools for some time, and more specifically Intune. I come to the Community to ask for help to improve our system.

In my organization we have been using Intune for more than a year for the distribution of certificates for authentication on the corporate Wi-Fi. For this we have an offline certifier and a certifier that issues certificates (2-tier structure), and a second server where we have installed the NDES service; that same server also has the Intune certificate connector. Using an Intune SCEP template we distribute the certificates to the computers. This configuration works correctly and during this time we have not detected any failures or problems in the system, but we are aware that we have a single point of failure: if the Intune connector or the server that hosts the NDES service is offline, the certificates will never reach the clients (another point of failure can also be the server that contains the certification authority).

For this we are thinking about a redundant system, and this is when our questions arise. After reading the documentation and learning that the Intune connector allows more than one instance to be installed, it occurs to me that the best way would be to install a second server with NDES and another Intune connector. As far as I understand, it would be a matter of following the same procedure that we used to implement the first server; is this correct, or should I take into account some other issue?

I have noticed that in the Intune SCEP template you can add more than one connection point (SCEP Server URLs), so we could add this second connector URL in that template. Would this be the correct way to proceed, or would I have to add a second certificate distribution template?

We also have questions about the possibility of including a second certification authority to issue certificates; in that case, how should I proceed? The NDES service only allows connecting to one certification authority, so if we install a second certification authority, each of the NDES servers could point to one of those certification authorities. In that case, how should I configure the template in Intune: should it be two different templates, or could I include it in the same template?

In this second configuration I also have questions about the revocation of the certificates. Currently I have a public IIS server that is responsible for this function; logic tells me that the revocation lists of the two certification authorities should be on that server, and that the OCSP configuration should include both certification authorities. Is this right?

Would there be any other issue that I should take into account when implementing this installation?

Thank you very much in advance.

2 Replies
Good question, let me know if you decide to test it out ;)
I've started the journey ;)
I started a discussion on Microsoft Learn and I got a remarkably interesting answer. I've prepared all our infrastructure and I'm going to test with a small testing group. But I still have some questions about how to configure the SCEP profile in Intune.
Here is the url to that discussion on Learn:
https://learn.microsoft.com/en-us/answers/questions/1357915/intune-certificate-connector-redundancy-...