Blog Post

Intune Customer Success
6 MIN READ

Microsoft Intune Connector for Active Directory security update

Intune_Support_Team's avatar
Intune_Support_Team
Silver Contributor
Feb 27, 2025

Updated 04/18/25: Based on customer feedback around challenges with setting up the connector with build 6.2501.2000.5, we have released an updated build with improved functionality and updated our troubleshooting documentation with more guidance on avoiding configuration issues in your environment. The new build 6.2504.2001.8 is available for download in Microsoft Intune.

New in build 6.2504.2001.8:

  • The sign in page in the wizard now uses WebView2, built on Microsoft Edge, instead of the previously used WebBrowser.
  • Error "MSA account <accountName> is not valid" which some customers reported during sign in has been fixed.

As part of Microsoft’s Secure Future Initiative, we’re making an important security change which will impact customers deploying Microsoft Entra hybrid joined devices with Windows Autopilot and provide guidance on how to prepare. New capabilities or improvements aren’t planned as part of this security change. Review Microsoft’s recommendations based on your organization’s needs.

Updated connector

Today, Windows Autopilot uses the Intune Connector for Active Directory to deploy devices that are Microsoft Entra hybrid joined. To strengthen security in our customers’ environments, we’ve updated the Intune Connector for Active Directory to use a Managed Service Account (MSA) instead of a SYSTEM account.

The old connector which uses the local SYSTEM account will no longer be available for download in Intune and will stop being supported in late June 2025. At that point, we’ll stop accepting enrollments from the old connector build. Follow the guidance provided below to update your environment to the new connector.

The old connector build will continue to work for existing customers who already have it installed until the end of support date and is available for download in the Microsoft Download Center if needed.

What is a Managed Service Account (MSA)?

MSAs are managed domain accounts that have automatic password management and are generally granted just enough permissions and privileges to perform their duties. Standalone MSAs can only be used on a single domain joined machine and can only access resources within that domain. An MSA can run services on a computer in a secure and easy to maintain manner, while maintaining the capability to connect to network resources as a specific user principal. All these reasons make them a better fit for the Intune Connector for Active Directory than the current SYSTEM account option.

Comparing the account permissions required between the new and old connector

 

Old Connector

New Connector

Logged on account

SYSTEM

Domain\MSA

Password management

Set by user, subject to domain rules

Managed by domain only – automatically reset

Privilege set size (see notes for more details)

MAX

5 Privileges:

  • SeMachineAccountPrivilege - Disabled default
  • SeChangeNotifyPrivilege - Enabled Default
  • SeImpersonatePrivilege  -  Enabled Default
  • SeCreateGlobalPrivilege -   Enabled Default
  • SeIncreaseWorkingSetPrivilege – Disabled default 

Registry access rights

Full, implicit

Read write, explicit

Enrollment certificate rights

Full, implicit

Full, explicit

Create computer object rights (required for hybrid Autopilot scenario)
  • If connector is on the same machine as domain controller, unlimited
  • If connector is not on the domain controller, delegation required

Explicit delegation required

 

Setting up the connector

Before you begin

First, you need to uninstall the existing connector by:

  1. Uninstalling from the Settings app on Windows
  2. Then, uninstalling using the ODJConnectorBootstrapper.exe (select Uninstall).


To install and set up the new connector, you need the following minimum requirements:

  1. Downloading the connector build from Intune:
    1. Microsoft Entra account with Intune Service Administrator permissions
  2. Installation:
    1. .Net 4.7.2
    2. Windows Server with 2008 R2 functional level
    3. Local administrator permissions
  3. Setting up the connector:
    1. Microsoft Entra account with an Intune license assigned and Intune Service Administrator permission
    2. Domain account with local administrator privileges
      1. Domain account should have permission to create msDS-ManagedServiceAccount objects

Downloading the connector

You can download the new connector from the Intune admin center and install in your environment. To set it up, launch the connector wizard and choose Sign In and sign in with a Microsoft Entra account with Intune service admin permissions and you’ll notice a new Configure Managed Service Account option. After signing in, the connector will enroll and only the Configure Managed Service Account option will be available. The account with Intune admin permissions should select that option to complete set up. For more detailed steps on installing the connector, review: Install the Intune Connector.

Intune Connector for Active Directory installation shows the MSA has been configured.

Configuring organizational units (OUs) for domain join

By default, MSAs don’t have access to create computer objects in any OU. If you wish to use a custom OU for domain join, you’ll need to update the ODJConnectorEnrollmentWiazard.exe.config file. This can be done at any time (either before enrollment, or after the connector is enrolled):

  1. Update ODJConnectorEnrollmentWizard.exe.config:
    1. Default location is “C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard”
    2. Add all the OUs required in OrganizationalUnitsUsedForOfflineDomainJoin
    3. OU name should be the distinguished name (see Additional information section)

      Note that the MSA is only granted access to the OUs configured in this file (and the default Computers container). If any OUs are removed from this list, completing the rest of the steps will revoke access.
      A screenshot of the connector file with the included organizational units.

       

  2. Open ODJConnectorEnrollmentWizard (or restart it if it was open) and select the “Configure Managed Service Account” button.
    A screenshot of the Intune connector for Active directory window with the "Configure Managed Service Account" button highlighted.

     

  3. Success! – A pop up will appear showing success.
    A screenshot of the Intune connector for Active directory window with a successful pop-up highlighting that the setup was successful.

Using the Intune Connector with multiple domains

Customers who are already using the connector with more than one domain will be able to use the new connector by setting up a separate server per domain and installing a separate connector build for each domain.

Configuring the connector

  1. The Intune Connector for Active Directory needs to be installed on each domain that you plan to use for domain join. If you need to have a second account redundancy, you will need to install the connector on a different server (in the same domain).
  2. Follow the steps above to ensure the connector is configured correctly, and that the MSA has appropriate permissions on the desired OUs.
  3. Ensure that all connectors are present in the in the Microsoft Intune admin center (Devices > Enrollment > Windows > under Windows Autopilot, select Intune Connector for Active Directory) and that the version is greater than 6.2501.2000.5:

    A list of Intune Connectors for Active Directory and their version in the Microsoft Intune admin center.

Configure Domain Join profile:

Follow the steps for configuring a domain join profile:

  1. Create a domain join profile for each domain that you want to use for hybrid joining devices during Autopilot.
  2. Target the domain join profile to the appropriate device groups.

Example of 2 domain join profiles targeted to different groups, with different domain names configured:

Example 1: Connector in domain F11.F1.com will only join domain F11.F1.com.Example 1: Connector in domain F12.F1.com will only join domain F12.F1.com.
  1. Expected result:
    1. Connector in domain F11.F1.com will only join domain F11.F1.com.
    2. Connector in domain F12.F1.com will only join domain F12.F1.com.


Additional information

Retrieving Organizational Unit Distinguished Name

If you need to customize the OUs that the MSA has access to, here are two easy methods to retrieve the distinguished name for these OUs:

Let’s assume we have the following structure:

 

Powershell

  1. Get-ADOrganizationalUnit (ActiveDirectory) | Microsoft Learn
  2. Get “=TestOUWithSpecialChars=”:
    1. PS Cmd: Get-ADOrganizationalUnit -Filter 'Name -like "*TestOUWithSpecialChar*"' | Format-Table Name, DistinguishedName
    2. Output: “OU=\=TestOUWithSpecialChars\=,DC=modesh2,DC=nttest,DC=microsoft,DC=com”
      1. Note, ‘=’ is escaped
  3. Get “NestedOU”
    1. PS Cmd: Get-ADOrganizationalUnit -Filter 'Name -like "NestedOU"' | Format-Table Name, DistinguishedName
    2. Output: “OU=NestedOU,OU=\=TestOUWithSpecialChars\=,DC=modesh2,DC=nttest,DC=microsoft,DC=com”
    3. Note, ‘=’ is still escaped

Active Directory Users and Computers

  1. Select “View” from the menu, and enable “Advanced Features”
  2. Right click on the specific OU and click “Properties”
  3. Navigate to the “Attribute Editor” tab
  4. Select “distinguishedName” attribute and click “View”

Summary

The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account. This blog describes how to set up the new connector and configure it for your organization. Make sure to install the new connector by late June 2025 before the old connector becomes unsupported.

 

If you have any questions, leave a comment on this post or reach out to us on X @IntuneSuppTeam.

 

Post updates:
04/18/25: Updated post with a note on our release of our latest build, version 6.2504.2001.8, improving user experience and system performance. Supportability for the old connector has also been updated to June 2025 (previously May).

Updated Apr 18, 2025
Version 5.0
windows autopilot

91 Comments

Sort By
  • RDBC's avatar
    RDBC
    Copper Contributor
    Jul 11, 2025

    Hello Intune team,

    After deploying the new Intune Connector for Active Directory based on an sMSA, we have encountered an operational constraint.

    Most of our customers operate a single forest with multiple child domains. With a single connector in the root domain, Autopilot devices enroll successfully in root domain OUs, yet fail to complete enrollment in the child domains. Documentation states that one connector is required per domain or child domain, which forces us to deploy and maintain several machines for a service that consumes minimal resources. This requirement increases licensing, infrastructure, and support costs—especially for small-sized organizations.

    We would appreciate clarification on whether any supported method allows a single connector (or a single gMSA) to serve multiple child domains within the same forest, and whether there are short-term plans to introduce support for multi-host gMSAs or traditional service accounts.

    Any official guidance you can provide will greatly assist us in planning service continuity and optimizing resources for our customers.

    Thank you for your attention.

  • JasonB2115's avatar
    JasonB2115
    Copper Contributor
    Jul 01, 2025

    Any chance an update will be released that will allow the selection of a specific OU/container for the MSA to live rather than requiring the default "Managed Services Account" container to exist?

  • leinad13's avatar
    leinad13
    Copper Contributor
    Jun 17, 2025

    We have an issue installing the new connector - we followed the article and gave the installation user all the correct permissions.

    The msa account was created, but encountered permission errors in the ODJConnector log. So we gave the msa account full control of the OU and ensured it have Create and Delete Computer objects. We get this error : 

     Failed to grant the Managed Service Account with the name "msaODJAf7Sv" permission to create computer objects in the Organizational Unit with the name "CN=Computers,DC=xxx,DC=xxx,DC=com" due to the following error: Unknown error: System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.

    I logged a support case for out issue, and have been working with an engineer to resolve it for over 6 weeks with no progress. We have asked several times for them to contact the product team and get the  date the old connector will stop working, with no response.

    We don't know where to go now, we are told the old connector will stop working - Microsoft Support are unable to get the new connector working and unwilling to escalate to the product team. 

    • Miguel Sanabia's avatar
      Miguel Sanabia
      Copper Contributor
      Jul 01, 2025

      Ever get this sorted out.   We had our update successfully configured last week and then all of a sudden today (July 1st) we are unable to enroll and getting the exact same message about permission to create computer objects.   So frustrating as it just stopped abruptly.

      • leinad13's avatar
        leinad13
        Copper Contributor
        Jul 02, 2025

        Microsoft Support couldn't figure out the permissions issues we were having - so we uninstalled and reinstalled with a domain admin which had full Active Directory rights and this resolved the issue for us.

    • onyeabor's avatar
      onyeabor
      Copper Contributor
      Jun 23, 2025

      Hi,

      Just to confirm, did you modify the ODJConnectorEnrollmentWizard.exe.config XML file found in C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard to allow the MSA to create objects in OUs- 

      In the add key element of the ODJConnectorEnrollmentWizard.exe.config XML file:
      <add key="OrganizationalUnitsUsedForOfflineDomainJoin" value="OU=CN=Computers,DC=xxx,DC=xxx,DC=com=com" />

    • Five's avatar
      Five
      Copper Contributor
      Jun 18, 2025

      I have the same problem as you. The issue is still not resolved even though I have opened a ticket to Microsoft support. 🤔

  • Matter's avatar
    Matter
    Copper Contributor
    Jun 17, 2025

    We see the following Message after we added the Account to the Logon as a Service via GPO:

    Access denied

     

    I gave the MSA-Account full rights at this Path "C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorSvc".
    This did not help.
    Does anyone have any idea?

    • henleyj's avatar
      henleyj
      Copper Contributor
      Jun 20, 2025

      We had the same problem. Give the local users group Modify rights, then try again. 

    • Matter's avatar
      Matter
      Copper Contributor
      Jun 17, 2025

      It's works on a Domain Member Server.

  • AndrewMcN_SFRS's avatar
    AndrewMcN_SFRS
    Copper Contributor
    Jun 12, 2025

    Deployed the new version and despite encountering the WebView folder permission issue, everything seems to be working. One strange issue though. The enrolment wizard was only run once but it seemed to spawn two new enrolments for the same server. One appears to be a dud and the old original enrolment is still showing in Intune too. So, I have two dead ODJ connectors showing in Intune. How do I clean this up? It's been two days now and they haven't self-cleaned.

     

  • StevePhillips's avatar
    StevePhillips
    Copper Contributor
    May 28, 2025

    I too have followed the above instructions exactly and find that the ODJ Connector only works when I am logged in on the ODJ Connector server.

    When not logged in, the following two errors are repeated under Event Viewer → Applications and Services Logs → Microsoft → Intune > ODJConnectorService:

    Note that we do not make use of a proxy, so that is a false error.

    Are there further configuration steps that are required for the MSA account to enable this to correctly communicate with Intune when there is not a Domain Administrator logged in on the ODJ Connector server?

    Thanks, 

    Steve

     

    • StevePhillips's avatar
      StevePhillips
      Copper Contributor
      May 29, 2025

      By way of a reply to my own question, I discovered that the server Internet access was being prevented when an admin was not logged into the server. Once I modified our firewall to permit access, the ODJ Connector started working as expected.

  • MateuszJ's avatar
    MateuszJ
    Copper Contributor
    May 23, 2025

    I did everything according to the documentation, but the computer object won't create in the specified OU. There is a timeout and in Event log I see this.

    msaODJ account is created and added to those OUs, Connector is running in Intune as well. Server was rebooted any idea?

    The only strange what i see in the log is that domain name is my root domain not child domain where I have computers. msaODJ account also was created in root domain. I used admin which is also in root domain. Connector server is also in root domain but all computers I have in child domain.

    • StevePhillips's avatar
      StevePhillips
      Copper Contributor
      May 28, 2025

      This appears to be similar to the error I am encountering. I would be interested in whether the ODJ Connector works if you log in to the server?

  • DaniBlou's avatar
    DaniBlou
    Copper Contributor
    May 16, 2025

    Autopilot Hybrid Join Deployment – Stuck at "Waiting for ODJ blob"
    Hello everyone, I'm currently facing an issue with an Autopilot deployment in Hybrid Azure AD Join mode. I’ve followed the setup as described  and configured the Intune Connector for Active Directory accordingly.
    I also ran the Get-AutopilotDiagnostics script, which confirms that the process hangs at the following stages for over 20 minutes:

    Waiting for ODJ blob
    Starting wait for ODJ blob
    Profile downloaded

    Eventually, I get this error:

    Could not establish connectivity
    Timed out waiting for ODJ blob or connectivity

    Context:
    The Autopilot profile is properly assigned in Intune I'm using the latest version of the ODJ with a managed service account (MSA/gMSA)
    The device has network connectivity (DNS resolution and DC ping are successful)
    No computer object is created in the target OU
     The Microsoft Intune Connector Service has been restarted
    No critical errors found in the Event Viewer logs on the connector server

    Any suggestions, insights, or shared experiences would be greatly appreciated. Thanks in advance for your help!

    • AndrewMcN_SFRS's avatar
      AndrewMcN_SFRS
      Copper Contributor
      May 21, 2025

      I last had this a couple of months ago (before this shift to an MSA)... it was because the computer account being used by the Connector had not been delegated permissions to the target OU. So, it couldn't write the computer objects. You'll want to examine the permissions on the relevant OU(s) and check that the MSA has the expected permissions. It took me days to even consider this, as I had forgotten a colleague replaced my original Connector server with a new one without knowing the Connector needed to be on it. I put it back without even considering the OU permissions. Research online led me in the wrong direction. It had been as simple as permissions.

  • joebartlett_qnrl's avatar
    joebartlett_qnrl
    Copper Contributor
    May 14, 2025

    The instructions for migrating from the legacy to the new connector are clear - You have to uninstall the old version, then install & configure the new one.

    My question is, what's the recommended process for upgrading from 6.2501.2000.5 to 6.2504.2001.8 (and subsequent versions, when they are released)? Do we need to do full reinstallation again, or can we do an in-place upgrade?

    Thanks,
    Joe

  • VinChenzino's avatar
    VinChenzino
    Copper Contributor
    May 13, 2025

    For anyone experiencing Error "Element not found" or MSA Not Found

     

    You will need to run the below in Powershell. This will update the Managed Services Account with the default GUID.

    $DomainDN = (Get-ADDomain).distinguishedName
    $TargetOWKOIDString = "1EB93889E40C45DF9F0C64D23BBB6237" # Identifier for wellknown SID. 
    $TargetOWKOTemplate = "B:32:$TargetOWKOIDString`:{0}" # String.Format replacable string.
    $TargetDN = "CN=Managed Service Accounts,$DomainDN"

    $OtherWellKnownObjectsOG = (Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects
    $TargetOWKOIndex = $OtherWellKnownObjectsOG.IndexOf( $OtherWellKnownObjectsOG.where({ $PSItem -like "*$TargetOWKOIDString*"})[0])

    Set-ADObject -Identity $DomainDN -Add @{ 'otherwellknownobjects' = ($TargetOWKOTemplate -f "$TargetDN") } -Remove @{ 'otherwellknownobjects' = $OtherWellKnownObjectsOG[$TargetOWKOIndex] }

    (Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects

     

    End result:

     

    • BRamirez's avatar
      BRamirez
      Copper Contributor
      May 16, 2025

      We were looking for a fix for this for 2 weeks. Thanks for posting - this worked!