Hi Community,
As you might have seen on social media and on my LinkedIn page, the Microsoft Intune Connector for Active Directory has received a security update. The previous version was set up with an Intune-licensed user holding a privileged role, which was a security issue. This has now been resolved by running the connector under a Managed Service Account (MSA). You can read all about the setup of the previous version here:
Now back to the MSA. Managed Service Accounts (MSAs) are special domain accounts whose passwords are managed automatically by the domain and that usually carry only the permissions they need to do their job. A standalone MSA can be used on only one domain-joined machine and can only access resources within its own domain. They are well suited to running services securely with little overhead, while still being able to reach network resources as a specific identity. For all of these reasons they are a better choice for the Intune Connector for Active Directory than the SYSTEM account.
Right now, Windows Autopilot uses the Intune Connector for Active Directory to set up devices that are Microsoft Entra hybrid joined. To improve security in customer environments, Microsoft has updated the Intune Connector to run under a Managed Service Account (MSA) instead of the local SYSTEM account.
The older version of the connector that runs as SYSTEM is no longer available for download through Intune and will stop being supported in late June 2025. After that it won't work for new device enrollments. Make sure to follow the steps below to switch over to the new connector.
If you're already using the old version, it will keep working until support ends. And if you still need it for any reason, you can download it from the Microsoft Download Center.
However, check out this LinkedIn post from Thiago Beier with some tips for a successful installation/upgrade; there are apparently some quirks.
The table below lists the differences between the old and the new connector.
| | Old Connector | New Connector |
|---|---|---|
| Logged on account | SYSTEM | Domain\MSA |
| Password management | Set by user, subject to domain rules | Managed by the domain only; reset automatically |
| Privilege set size | MAX | 5 privileges: SeMachineAccountPrivilege (disabled by default); SeChangeNotifyPrivilege (enabled by default); SeImpersonatePrivilege (enabled by default); SeCreateGlobalPrivilege (enabled by default); SeIncreaseWorkingSetPrivilege (disabled by default) |
| Registry access rights | Full, implicit | Read/write, explicit |
| Enrollment certificate rights | Full, implicit | Full, explicit |
| Create computer object rights (required for the hybrid Autopilot scenario) | Unlimited if the connector runs on a domain controller; delegation required if it does not | Explicit delegation required |

Now let's go through the steps needed to upgrade your Intune Connector.
Uninstall The Old Intune Connector
The first thing to do is check the version of the Intune Connector that is already installed. To do this, go to the Intune portal – Devices – Enrollment – Intune Connector for Active Directory.
Here you can see the number of Intune Connectors installed and, most importantly, their version. Anything below 6.2504.2000.5 is the old Intune Connector and must be replaced. There have already been some updates since that build.
New in build 6.2504.2001.8: the sign-in page in the wizard now uses WebView2, built on Microsoft Edge, instead of the previously used WebBrowser control, and the error "MSA account is not valid" that some customers reported during sign-in has been fixed. Microsoft notes that, as part of its Secure Future Initiative, this is a security change that affects customers deploying Microsoft Entra hybrid joined devices with Windows Autopilot, together with guidance on how to prepare; no new capabilities or improvements are planned as part of this change.
As you can see in the screenshot, I still have the old one active on DC-02; this needs to be upgraded.
To uninstall the Intune Connector, on your server go to Control Panel – Uninstall a program, select the old version and click Uninstall. If you still have the downloaded .exe of the old version, you can also use it to initiate the uninstall.
Install The New Intune Connector
Check the prerequisites first:
- To download the connector you need at least the Intune Service Administrator role.
- .NET Framework 4.7.2 must be installed.
- A Windows Server domain with at least the Windows Server 2008 R2 functional level (needed for managed service accounts).
- Local administrator permissions on the server.
- To set up the connector you need a Microsoft Entra account with an Intune license assigned and the Intune Service Administrator role.
- To set up the connector you need a domain account with permission to create msDS-ManagedServiceAccount objects.
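The following is an added example, not code from the original post or from Microsoft's tooling: a PowerShell check to run in an elevated session on the server before starting the bootstrapper. It reads the installed connector version from the uninstall registry keys and compares it with the 6.2504.2000.5 threshold given above, checks the .NET Framework release number, the WebView2 Runtime client key that Microsoft documents for detection, the domain functional level and whether the session is elevated. The function name and the connector display-name pattern are assumptions; the domain check needs the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on the server that will host the connector. Requires the RSAT ActiveDirectory
# module for the domain functional level check.

function Test-OdjConnectorPrerequisites {
    [CmdletBinding()]
    param(
        # Builds below this are the old SYSTEM-based connector (threshold from the post).
        [version]$MinimumConnectorVersion = [version]'6.2504.2000.5'
    )

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # 1. Installed connector version (the display-name pattern is an assumption)
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $connectors = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Intune Connector for Active Directory*' -and $_.DisplayVersion }
    if (-not $connectors) {
        Add-Result 'Connector installed' $true 'No connector found; this will be a clean install'
    }
    foreach ($c in $connectors) {
        $v = [version]$c.DisplayVersion
        $isNew = $v -ge $MinimumConnectorVersion
        $detail = if ($isNew) { "$v (MSA-based)" } else { "$v (old SYSTEM-based build, uninstall it first)" }
        Add-Result 'Connector version' $isNew $detail
    }

    # 2. .NET Framework 4.7.2 or later: the Release value is 461808 or higher
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    Add-Result '.NET Framework >= 4.7.2' ($release -ge 461808) "Release=$release"

    # 3. WebView2 Runtime: the EdgeUpdate client key Microsoft documents for detection
    $wv2Keys = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}',
               'HKCU:\Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
    $wv2 = Get-ItemProperty -Path $wv2Keys -ErrorAction SilentlyContinue | Select-Object -First 1
    $wv2Detail = if ($wv2) { "pv=$($wv2.pv)" } else { 'not found; run MicrosoftEdgeWebView2RuntimeInstallerX64.exe before the bootstrapper' }
    Add-Result 'WebView2 Runtime' ([bool]$wv2) $wv2Detail

    # 4. Domain functional level: managed service accounts need Windows Server 2008 R2 or higher
    $preR2Modes = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain', 'Windows2008Domain'
    try {
        $mode = (Get-ADDomain -ErrorAction Stop).DomainMode.ToString()
        Add-Result 'Domain functional level >= 2008 R2' ($mode -notin $preR2Modes) $mode
    } catch {
        Add-Result 'Domain functional level >= 2008 R2' $false "Get-ADDomain failed: $($_.Exception.Message)"
    }

    # 5. Elevated local administrator session
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Result 'Elevated local administrator' $elevated $identity.Name

    return $results
}

Test-OdjConnectorPrerequisites | Format-Table -AutoSize
```

The two cloud-side requirements (the Intune license and the Intune Service Administrator role of the account you sign in with) and the right to create msDS-ManagedServiceAccount objects cannot be verified from the local registry, so they are left to the wizard's sign-in and the "Configure Managed Service Account" step.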
To install the new Intune Connector we need to download it from the Intune portal. To do this, go to the Intune portal – Devices – Enrollment – Intune Connector for Active Directory – click Add – click Download the on-premises Intune Connector for Active Directory.
Save the ODJConnectorBootstrapper.exe file. First we also need to download and install the WebView2 Runtime; you can find the download here:
Choose this one:
This downloads MicrosoftEdgeWebView2RuntimeInstallerX64.exe. Run it before ODJConnectorBootstrapper.exe. If you run ODJConnectorBootstrapper.exe first, you will be presented with this message.

The installation is very straightforward. The screenshots are in Dutch for some reason, but I think you will figure it out 😉
Accept the license agreement and click Install.
When it has finished, click Configure now.
Click Sign in and use the Microsoft Entra account with an Intune license assigned and at least the Intune Service Administrator role.
Sign in with that account and you will get this message.
Click OK and click Configure Managed Service Account. You will be presented with this message.
In your Intune portal you will now see the new Intune Connector as active. The old one will also still be listed, either active or in an error state; it is only a matter of time before it disappears.
Now we need to set the appropriate permissions in our local AD. If you are upgrading the Intune Connector, you will already have a domain join policy in your Intune environment. That policy tells us in which OU the devices will be created. We need to grant the MSA the Create Computer objects permission on that OU. In my case this is the AutopilotDevices OU.
If you are not sure, check your Domain Join policy in Intune: go to the Intune portal – Devices – Configuration – and search for the Domain Join profile type. Open the policy and click Properties. Here you can find the OU.
Sign in to a computer with the Active Directory Users and Computers console installed, using an account that has the required permissions to modify OU settings.
Open the Active Directory Users and Computers console by running DSA.msc.
Expand the target domain and navigate to the Organizational Unit (OU) where computers will be joined during the Windows Autopilot process.
Right-click the OU and select Properties.
In the OU Properties window, go to the Security tab.
On the Security tab, select Advanced.
In the Advanced Security Settings window, select Add.
In the Permission Entry window, next to Principal, select Select a principal.
In the Select User, Computer, Service Account, or Group window, choose Object Types….
In the Object Types window, check Service Accounts, and then select OK.
Back in the Select User, Computer, Service Account, or Group window, under Enter the object name to select, type the name of the Managed Service Account (MSA) used for the Intune Connector for Active Directory.
Select Check Names to validate the MSA name, and then select OK once it is confirmed.
In the Permission Entry window, set Applies to to This object only. Under Permissions, clear all check boxes except Create Computer objects. Select OK to close the Permission Entry window.
In the Advanced Security Settings window, select Apply or OK to save the changes.
The same steps with screenshots:
Both the server where the connector is installed AND the service account need to be added to the permissions of the OU.
On your DC, open Active Directory Users and Computers, right-click the correct OU – Properties – Security – Advanced – Add.
Click Select a principal. In the Select User, Computer, Service Account, or Group window, click the Object Types… button, select Service Accounts and click OK.
In the search box type msaODJ and click Check Names; the name will be resolved. Click OK.
In the Permission Entry window, open the Applies to: drop-down menu and select This object only. Under Permissions, clear all items and select only the Create Computer objects check box.
Select OK to close the Permission Entry window. In the Advanced Security Settings window, select either Apply or OK to apply the changes.
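Here is the same delegation as an added PowerShell example covering both the numbered console steps and the screenshot walkthrough above; it is not code from the original post or from Microsoft's tooling. It adds one ACE that matches what the console creates (Allow, Create Child limited to the computer class, applied to "This object only"), checks for that ACE independently of what the wizard reported, and shows which identity the connector service runs as. Assumed names: the MSA is called msaODJ (the name used in the walkthrough), the OU is OU=AutopilotDevices,DC=contoso,DC=com, and the service name ODJConnectorSvc is taken from the comments below; change the MSA and OU to match your environment. It needs the RSAT ActiveDirectory module and an account allowed to change the OU's security.

```powershell
# Added example, not part of the original post. Grants the connector's standalone
# MSA "Create Computer objects" on the Autopilot OU scoped to "This object only",
# then verifies the ACE and the identity the ODJConnectorSvc service runs as.
# Assumptions: MSA name msaODJ and OU OU=AutopilotDevices,DC=contoso,DC=com.
Import-Module ActiveDirectory

function Get-ComputerClassGuid {
    # schemaIDGUID of the "computer" class, read from the schema rather than hard-coded
    # (expected value: bf967a86-0de6-11d0-a285-00aa003049e2)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

function Test-CreateComputerAce {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $computerGuid = Get-ComputerClassGuid
    # Request the rules with SID identities so the trailing "$" in the MSA's
    # sAMAccountName (DOMAIN\msaODJ$) does not get in the way of the comparison.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $Sid -and
            $r.AccessControlType -eq 'Allow' -and
            (($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
            $r.ObjectType -eq $computerGuid) {
            return $true
        }
    }
    return $false
}

function Grant-CreateComputerAce {
    param([string]$OuDn, [string]$MsaName)
    $sid = (Get-ADServiceAccount -Identity $MsaName).SID
    if (Test-CreateComputerAce -OuDn $OuDn -Sid $sid) {
        Write-Host "ACE already present for $MsaName on $OuDn"
        return
    }
    $acl = Get-Acl -Path "AD:\$OuDn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,          # "Create ... objects"
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ComputerClassGuid),                                                 # ... limited to computer objects
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None      # "This object only"
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    Write-Host "Granted Create Computer objects to $MsaName on $OuDn"
}

$MsaName  = 'msaODJ'                                   # assumption: name from the walkthrough
$TargetOu = 'OU=AutopilotDevices,DC=contoso,DC=com'    # assumption: adjust to your domain

Grant-CreateComputerAce -OuDn $TargetOu -MsaName $MsaName

# Verify the delegation independently of what the wizard reported
$sid = (Get-ADServiceAccount -Identity $MsaName).SID
"ACE present for ${MsaName}: $(Test-CreateComputerAce -OuDn $TargetOu -Sid $sid)"

# On the connector server: the standalone MSA must be installed on this host and the
# service must run as DOMAIN\msaODJ$ rather than LocalSystem
"MSA usable on this host: $(Test-ADServiceAccount -Identity $MsaName)"
Get-CimInstance Win32_Service -Filter "Name='ODJConnectorSvc'" | Select-Object Name, State, StartName
```

The ACE check is the part to reach for when the wizard reports that it could not grant the permission itself: it tells you whether the right is actually in place on the OU, which is what decides whether computer objects get created. The service query should show StartName as the domain MSA (with its trailing $); if it still shows LocalSystem, the old connector is the one running.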

Now everything is ready to go back to business, and this also concludes this blog post.
And as always, if you feel something is in error or you want to add something from your own experience, don't hesitate to contact me!

Hi.
Can't attach screenshots, so I'm trying to explain what we ran into…
But first: thank you for this how-to.
Our case is a tiered model (Tier 2 = workplace, Tier 1 = app servers etc., Tier 0 = critical systems like AD) with dedicated machines per service or application.
So there is a dedicated machine running the Intune Connector in Tier 1 which is able to communicate with our domain controllers (this has worked fine since we started 3 years ago).
However, where you got the message "a managed service account was successfully set up", we only got "managed service account could not be granted permission to create computer objects in the following OU", followed by the default container "CN=Computers" and the custom path we wrote into the config file you also mentioned.
After some trial and error (and elevating accounts that shouldn't have been elevated that much), manually checking the permissions etc.: it all works. New computer objects are created just fine. But the connector still says that it cannot grant permissions.
Just wanted to mention that, in case anyone else encounters this problem. Don't troubleshoot for hours, just test whether it works.
(The Intune Connector with all the needed permissions is generally problematic in a tiered environment, because you need a Tier 1 admin who is also a Tier 0 admin (to create the MSA) and you need a fully licensed Intune admin.)
BR… 🙂
1) The MSA account is created by default; what are the prerequisites, e.g. does the logged-in domain account need any rights on the domain controller, since the MSA account is created in the domain?
2) Does the MSA require only the create object permission?
3) Will the MSA account be stopped at every reboot?
4) Is it possible to use a domain account instead of an MSA?
Hi, I have followed your install guide for the new ODJConnector. Everything runs fine until we want to start the service with the MSA account; we have tried this on 2 different domain controllers.
When we click the Configure Managed Service Account button, we get the following error:
Failed to start service ODJConnectorSvc due to logon failure: Access is denied.
Any idea?
Kind regards,
Tony