Intune Customer Success

Microsoft Intune Connector for Active Directory security update

Feb 27, 2025

As part of Microsoft’s Secure Future Initiative, we’re making an important security change that affects customers deploying Microsoft Entra hybrid joined devices with Windows Autopilot, and this post provides guidance on how to prepare. No new capabilities or improvements are planned as part of this security change. Review Microsoft’s recommendations based on your organization’s needs.

Updated connector

Today, Windows Autopilot uses the Intune Connector for Active Directory to deploy devices that are Microsoft Entra hybrid joined. To strengthen security in our customers’ environments, we’ve updated the Intune Connector for Active Directory to use a Managed Service Account (MSA) instead of a SYSTEM account.

The old connector, which uses the local SYSTEM account, will no longer be available for download in Intune and will stop being supported in late May 2025. At that point, we’ll stop accepting enrollments from the old connector build. Follow the guidance below to update your environment to the new connector.

The old connector build will continue to work for existing customers who already have it installed until the end of support date and is available for download in the Microsoft Download Center if needed.

What is a Managed Service Account (MSA)?

MSAs are managed domain accounts that have automatic password management and are generally granted just enough permissions and privileges to perform their duties. Standalone MSAs can only be used on a single domain joined machine and can only access resources within that domain. An MSA can run services on a computer in a secure and easy-to-maintain manner, while retaining the ability to connect to network resources as a specific user principal. All these reasons make an MSA a better fit for the Intune Connector for Active Directory than the current SYSTEM account option.

Comparing the account permissions required between the new and old connector

Logged on account
  Old connector: SYSTEM
  New connector: Domain\MSA

Password management
  Old connector: Set by user, subject to domain rules
  New connector: Managed by the domain only, automatically reset

Privilege set size (see notes for more details)
  Old connector: MAX
  New connector: 5 privileges:
    • SeMachineAccountPrivilege - disabled by default
    • SeChangeNotifyPrivilege - enabled by default
    • SeImpersonatePrivilege - enabled by default
    • SeCreateGlobalPrivilege - enabled by default
    • SeIncreaseWorkingSetPrivilege - disabled by default

Registry access rights
  Old connector: Full, implicit
  New connector: Read/write, explicit

Enrollment certificate rights
  Old connector: Full, implicit
  New connector: Full, explicit

Create computer object rights (required for the hybrid Autopilot scenario)
  Old connector:
    • If the connector is on the same machine as a domain controller, unlimited
    • If the connector is not on a domain controller, delegation required
  New connector: Explicit delegation required

Setting up the connector

Before you begin

First, uninstall the existing connector:

  1. Uninstall it from the Settings app on Windows.
  2. Then run ODJConnectorBootstrapper.exe and select Uninstall.
To install and set up the new connector, you need the following minimum requirements:

  1. Downloading the connector build from Intune:
    1. Microsoft Entra account with Intune Service Administrator permissions
  2. Installation:
    1. .NET 4.7.2
    2. Windows Server with 2008 R2 functional level
    3. Local administrator permissions
  3. Setting up the connector:
    1. Microsoft Entra account with an Intune license assigned and Intune Service Administrator permission
    2. Domain account with local administrator privileges
      1. Domain account should have permission to create msDS-ManagedServiceAccount objects

Downloading the connector

You can download the new connector from the Intune admin center and install it in your environment. To set it up, launch the connector wizard, choose Sign In, and sign in with a Microsoft Entra account that has Intune service admin permissions; you’ll notice a new Configure Managed Service Account option. After signing in, the connector will enroll and only the Configure Managed Service Account option will be available. The account with Intune admin permissions should select that option to complete the setup. For more detailed steps on installing the connector, review: Install the Intune Connector.

Intune Connector for Active Directory installation shows the MSA has been configured.

Configuring organizational units (OUs) for domain join

By default, MSAs don’t have access to create computer objects in any OU. If you wish to use a custom OU for domain join, you’ll need to update the ODJConnectorEnrollmentWizard.exe.config file. This can be done at any time (either before enrollment, or after the connector is enrolled):

  1. Update ODJConnectorEnrollmentWizard.exe.config:
    1. The default location is “C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard”
    2. Add all the OUs required in OrganizationalUnitsUsedForOfflineDomainJoin
    3. Each OU must be given as its distinguished name (see the Additional information section)

      Note that the MSA is only granted access to the OUs configured in this file (and the default Computers container). If any OUs are removed from this list, completing the rest of the steps will revoke the MSA’s access to them.
      A screenshot of the connector file with the included organizational units.

  2. Open ODJConnectorEnrollmentWizard (or restart it if it was open) and select the “Configure Managed Service Account” button.
    A screenshot of the Intune Connector for Active Directory window with the “Configure Managed Service Account” button highlighted.

  3. Success! A pop-up will appear showing success.
    A screenshot of the Intune Connector for Active Directory window with a pop-up confirming that the setup was successful.

Using the Intune Connector with multiple domains

Customers who are already using the connector with more than one domain will be able to use the new connector by setting up a separate server per domain and installing a separate connector build for each domain.

Configuring the connector

  1. The Intune Connector for Active Directory needs to be installed in each domain that you plan to use for domain join. If you need redundancy, install a second connector on a different server in the same domain.
  2. Follow the steps above to ensure the connector is configured correctly, and that the MSA has appropriate permissions on the desired OUs.
  3. Ensure that all connectors are present in the Microsoft Intune admin center (Devices > Enrollment > Windows > under Windows Autopilot, select Intune Connector for Active Directory) and that the version is greater than 6.2501.2000.5:

    A list of Intune Connectors for Active Directory and their versions in the Microsoft Intune admin center.

Configure Domain Join profile:

Follow the steps for configuring a domain join profile:

  1. Create a domain join profile for each domain that you want to use for hybrid joining devices during Autopilot.
  2. Target the domain join profile to the appropriate device groups.

Example of two domain join profiles targeted to different groups, with different domain names configured:

Expected result:
  1. Connector in domain F11.F1.com will only join domain F11.F1.com.
  2. Connector in domain F12.F1.com will only join domain F12.F1.com.

Additional information

Retrieving Organizational Unit Distinguished Name

If you need to customize the OUs that the MSA has access to, here are two easy methods to retrieve the distinguished name for these OUs:

Let’s assume the following OU structure: an OU named =TestOUWithSpecialChars= that contains a nested OU named NestedOU.

PowerShell

  1. Get-ADOrganizationalUnit (ActiveDirectory) | Microsoft Learn
  2. Get “=TestOUWithSpecialChars=”:
    1. PS Cmd: Get-ADOrganizationalUnit -Filter 'Name -like "*TestOUWithSpecialChar*"' | Format-Table Name, DistinguishedName
    2. Output: “OU=\=TestOUWithSpecialChars\=,DC=modesh2,DC=nttest,DC=microsoft,DC=com”
    3. Note that ‘=’ is escaped with a backslash
  3. Get “NestedOU”:
    1. PS Cmd: Get-ADOrganizationalUnit -Filter 'Name -like "NestedOU"' | Format-Table Name, DistinguishedName
    2. Output: “OU=NestedOU,OU=\=TestOUWithSpecialChars\=,DC=modesh2,DC=nttest,DC=microsoft,DC=com”
    3. Note that ‘=’ is still escaped in the parent OU’s name
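As an added example (not code from the Intune Support Team’s post), the following PowerShell ties the OU configuration steps above to this lookup: for each OU name you intend to list under OrganizationalUnitsUsedForOfflineDomainJoin, it resolves the escaped distinguished name the config file expects and reports whether the connector’s MSA already holds the right to create computer objects in that OU, which is the check to run after the “Configure Managed Service Account” step. The OU names and the MSA name are sample values, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not code from the Intune Support Team's post. For each OU name you
# intend to list under OrganizationalUnitsUsedForOfflineDomainJoin, resolve the
# escaped distinguished name the config file expects and report whether the
# connector's MSA already holds "create computer object" rights on that OU.
# Assumptions: the ActiveDirectory module is installed; the OU names and the MSA
# name below are samples (read yours from the "MSA name :" line of ODJConnectorUI.log).
param(
    [string[]]$OuNames = @('=TestOUWithSpecialChars=', 'NestedOU'),   # constructed sample
    [string]$MsaName   = 'msaODJAb91q'                                # sample, replace with yours
)
Import-Module ActiveDirectory

# Schema class GUID of "computer". An ACE with this ObjectType limits CreateChild
# to computer objects; an empty ObjectType grants CreateChild for any child class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$msaSam        = (Get-ADServiceAccount -Identity $MsaName).SamAccountName   # ends with '$'

function Test-MsaCanCreateComputers {
    param([string]$DistinguishedName, [string]$SamAccountName)
    # Bind through ADSI: LDAP paths use the same backslash escaping as the DN, so
    # the "OU=\=Name\=" form returned by Get-ADOrganizationalUnit is used unchanged.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.Access   # includes inherited ACEs
    $match = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$SamAccountName" -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
    }
    return [bool]$match
}

foreach ($name in $OuNames) {
    # -Filter takes the raw OU name; the DistinguishedName in the result is already escaped.
    $ous = @(Get-ADOrganizationalUnit -Filter "Name -eq '$name'")
    if ($ous.Count -eq 0) { Write-Warning "No OU named '$name' was found"; continue }
    foreach ($ou in $ous) {
        [pscustomobject]@{
            Name                  = $ou.Name
            DistinguishedName     = $ou.DistinguishedName   # the value to put in the config file
            MsaCanCreateComputers = Test-MsaCanCreateComputers $ou.DistinguishedName $msaSam
        }
    }
}
```

The DistinguishedName column is the exact escaped form the config file needs, so the output can feed whatever you use to populate the file when many OUs are involved.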

Active Directory Users and Computers

  1. Select “View” from the menu, and enable “Advanced Features”
  2. Right click on the specific OU and click “Properties”
  3. Navigate to the “Attribute Editor” tab
  4. Select “distinguishedName” attribute and click “View”

Summary

The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account. This blog describes how to set up the new connector and configure it for your organization. Make sure to install the new connector by late May 2025 before the old connector becomes unsupported.


If you have any questions, leave a comment on this post or reach out to us on X @IntuneSuppTeam.

Updated Feb 27, 2025
Version 3.0
  • echikongen

    I can confirm the strange behaviour of the Sign In.

    I signed in successfully but nothing happened. After that I hit the Sign In button several times and after the fifth or sixth try it worked. Very strange.

  • Intune_Support_Team can we get a link to the official support end date? As current this reads effectively that support will end late May 2025 along with functionality.
    I do like the progress on security.
    When will we see the legacy auth in Windows Autopilot go away so that we don't have to do configurations in 3rd party IdPs to allow for Entra Join or Hybrid Join Autopilot? Especially when working with our Education customers who adopted Google during early covid who need GSuite federation for a few years while migrating to M365 - Google doesn't support Windows' legacy auth.
    e.g.
    https://learn.microsoft.com/en-us/education/windows/federated-sign-in?tabs=intune#how-to-use-federated-sign-in

  • FelixF

    We tried installing the new connector and ran into an error. When we run the Wizard, we can log in with the Global Admin / Intune Admin but can't move any further. We don't receive any error message in the GUI.

    The account on the server has delegated the permission to create Service Accounts in AD and is local Admin on the server (even tried Domain Admin). A service account is created in the OU in Active Directory every time I click "Sign In". Running Test-ADServiceAccount even returns a "True" for this account on the server.

    The Wizard log (ODJConnectorUI.log) shows the following:

    ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
        DateTime=2025-03-04T08:11:59.1540429Z
    ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
        DateTime=2025-03-04T08:11:59.4821790Z
    ODJ Connector UI Information: 0 : Received Url for EnrollmentService as https://fef.msub05.manage.microsoft.com/StatelessEnrollmentService from RestUserAuthLocationService.
        DateTime=2025-03-04T08:11:59.4821790Z
    ODJ Connector UI Information: 0 : Getting the URL for RAODJPlusFEGatewayService_FEF from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
        DateTime=2025-03-04T08:11:59.4821790Z
    ODJ Connector UI Information: 0 : Received Url for RAODJPlusFEGatewayService_FEF as https://fef.msub05.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService from RestUserAuthLocationService.
        DateTime=2025-03-04T08:11:59.4821790Z
    ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.
        DateTime=2025-03-04T08:11:59.4977923Z
    ODJ Connector UI Information: 0 : MSA name : msaODJAb91q
        DateTime=2025-03-04T08:11:59.7165453Z
    ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: MSA account msaODJAb91q is not valid!
       at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.ManagedServiceAccountUtilities.CreateManagedServiceAccount(String domainName, String precreatedMsaAccount)
       at ODJConnectorUI.EnrollmentTab.CreateMsa(String domainName, StepsStarted& stepsStartedFlag)
       at ODJConnectorUI.EnrollmentTab.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
        DateTime=2025-03-04T08:11:59.9040514Z
    ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True
        DateTime=2025-03-04T08:11:59.9040514Z
    ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True
        DateTime=2025-03-04T08:11:59.9040514Z
    ODJ Connector UI Information: 0 : Sending telemetry to ODJService
        DateTime=2025-03-04T08:11:59.9040514Z
    ODJ Connector UI Information: 0 : RAODJPlus Service URL: https://fef.msub05.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService/odjConnectorTelemetry/uploadTelemetry
        DateTime=2025-03-04T08:11:59.9040514Z
    ODJ Connector UI Information: 0 : Successfully sent request to RAODJPlusFEGatewayService_FEF
        DateTime=2025-03-04T08:12:00.2946816Z
    ODJ Connector UI Information: 0 : Response from ODJService: OK
        DateTime=2025-03-04T08:12:00.2946816Z
    ODJ Connector UI Error: 8 : Removing Managed Service Account ...

    Can you please advise what is going wrong here?

    • HEALTH_DISCO

      Exact same error. User is Intune admin, Intune license assigned, all the rights in AD. I can successfully log in and use the MFA the first time, then nothing happens. No error message, nothing. Clicking on Sign In does absolutely nothing from the GUI and I get the same error message you have in the log. Any update?

    • jgkelser

      I got it working.  You need to have the Intune Administrator role explicitly assigned to your account/role group.  Global Administrator is NOT sufficient.

      • FelixF

        Unfortunately, this didn't work for me. I have the Global Admin and the Intune Administrator assigned in Entra ID.

        Intune_Support_Team can we get some feedback?

    • Dobby1968

      Any resolution?

      Was getting the same issue on one server; after about 10 reinstalls it finally worked.

      Now updating a secondary server and it's happening on this one as well. Still not working.

  • swaterson

    Same thing here...   removed and installed but NO managed account option...?

    • Intune_Support_Team

      The updated version is being rolled out gradually across all tenants globally. Please keep an eye out for it and keep us posted if you don't see it in your tenants early next week.

  • Beredan

    Look forward to having to automate updating the config file so that each connector across 10 domains populates the config for 200+ OUs each, yay!

  • Says that "The old connector build will continue to work for existing customers who already have it installed until the end of support date and is available for download in the Microsoft Download Center if needed."   For clarification, does this mean it will no longer work beyond the support date of late May 2025?

    • Intune_Support_Team

      Hi Miguel Sanabia, that is correct. To ensure continued functionality, install the new connector before late May 2025, as the old version will no longer be supported or work beyond this date.

      • sb79

        And where can we get the new one? As every download we take ... we get version 6.2304.38.4