Microsoft has released a new version of the Intune Connector for Active Directory. The updated connector is part of Microsoft’s Secure Future Initiative and is aimed at enhancing security for customers deploying Microsoft Entra hybrid joined devices with Windows Autopilot. The new connector uses a Managed Service Account (MSA) instead of the SYSTEM account, which improves security by reducing unnecessary privileges and permissions.
As the old connector approaches its end-of-support date in late May 2025, it is crucial for IT professionals to understand the benefits of the new connector and the steps required to upgrade from the old version.
In this article, we will provide an overview of the updated Intune Connector for Active Directory, highlighting its key features and security enhancements. Additionally, we will guide you through the process of upgrading from the old connector to the new one, ensuring a smooth transition and continued protection for your organization’s devices.
Key Features of the Updated Intune Connector for Active Directory
- Managed Service Account (MSA):
  - MSAs are managed domain accounts with automatic password management and limited permissions, making them more secure than the SYSTEM account.
  - A standalone MSA can only be used on a single domain-joined machine and can only access resources within that domain.
- Enhanced Security: The new connector follows least-privilege principles, ensuring that only the necessary permissions are granted.
- Support Timeline: The old connector, which uses the local SYSTEM account, will no longer be available for download in Intune and will stop being supported in late May 2025.
Upgrading from the Old Connector to the New Connector
In my environment I have 2 connectors, “ODJ-01” and “ODJ-02”.

To upgrade from the old Intune Connector for Active Directory to the new one, follow these steps:
- Uninstall the Old Connector (in this example I will uninstall ODJ-02):
  - Sign in to the server where the old Intune Connector for Active Directory is installed with an account that has local administrator rights.
  - Uninstall the connector from the Settings app on Windows.
  - Then uninstall using ODJConnectorBootstrapper.exe (select Uninstall).


- Install the New Connector:
  - Download the updated Intune Connector for Active Directory from the Microsoft Intune admin center.
  - Launch the connector wizard and choose Install. Once the installation completes, click “Configure Now”.
  - Select Sign In and sign in with a Microsoft Entra account that has Intune service admin permissions. The user account must have an assigned Intune license.
  - Once the sign-in process completes, a “The Intune Connector for Active Directory successfully enrolled” confirmation window appears. Select OK to close the window.
  - After a few seconds, a “Managed Service Account with name <MSA_name> was successfully set up” confirmation window appears.
  - The MSA account is created under the “Managed Service Accounts” OU in Active Directory.
  - The Enrollment tab shows that the Intune Connector for Active Directory is enrolled. The Sign In button is greyed out and Configure Managed Service Account is enabled.
  - Close the Intune Connector for Active Directory window.
Verify the Updated Intune Connector for Active Directory
Now, from the Intune admin center, confirm that the server is displayed under Connector name and shows as Active under Status, with a version greater than or equal to 6.2501.2000.5.
Inactive Intune Connectors for Active Directory still appear in the Intune Connector for Active Directory page and will automatically be cleaned up after 30 days.

Troubleshoot the Installation and enrollment of Updated Intune Connector for Active Directory
To track the installation and enrollment of the updated Intune Connector for Active Directory, a log file named “ODJConnectorUI” is created in the same folder as the installation file.
The log details all steps performed during the installation, starting with the user sign-in, followed by MSA account creation, the enrollment procedures, and finally granting the MSA account the required permissions.



The MSA account is granted the required permission to create computer objects in the “Computers” container; below we explain how to grant permission on a specific OU.
The “Intune ODJconnector service” runs under the MSA account.

Configure the MSA to allow creating objects in specific OU
As mentioned and confirmed in the logs, the MSA only has access to create computer objects in the Computers container. If you configured a specific OU to hold all hybrid joined objects, with the old connector you granted the connector permission on that OU. With the updated connector, to allow the MSA to create objects in specific OUs you need to update the ODJConnectorEnrollmentWizard.exe.config file.
- On the server where the Intune Connector for Active Directory is installed, navigate to the ODJConnectorEnrollmentWizard directory where the Intune Connector for Active Directory was installed, normally C:\Program Files\Microsoft Intune\ODJConnector\.
- In the ODJConnectorEnrollmentWizard directory, open the ODJConnectorEnrollmentWizard.exe.config XML file in a text editor, for example Notepad.
- In the ODJConnectorEnrollmentWizard.exe.config XML file, add any desired OUs that the MSA should have access to create computer objects in. The OU name should be the distinguished name and, if applicable, needs to be escaped. The following is an example XML entry with the OU distinguished name:

- Once all desired OUs are added, save the ODJConnectorEnrollmentWizard.exe.config XML file.
- Open ODJConnectorEnrollmentWizard (or restart it if it was open) and select the “Configure Managed Service Account” button. A pop-up will appear showing success.
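As an added example (not code from the original post or from Microsoft), the following PowerShell checks, on the connector server, the outcomes that the Verify, Troubleshoot and Configure sections describe: the installed version against 6.2501.2000.5, that the connector service runs under the MSA rather than LocalSystem, that the MSA object exists in the default Managed Service Accounts container, and that the MSA holds an ACE allowing it to create computer objects in the OU you added to the config file. The service display-name pattern, the wizard binary path under the install directory, and the sample MSA name and OU DN are assumptions.

```powershell
# Added example (not from the original post). Assumptions not stated on the page:
# the connector service's display name contains "ODJConnector", the RSAT
# ActiveDirectory module is present, and you supply the MSA name (the page only
# shows "<MSA_name>") and the OU DN you placed in the .exe.config file.
function Test-OdjConnectorUpgrade {
    param(
        [Parameter(Mandatory)] [string]  $MsaName,     # MSA from the "successfully set up" window
        [Parameter(Mandatory)] [string]  $TargetOuDn,  # OU DN added to ODJConnectorEnrollmentWizard.exe.config
        [string]  $InstallDir = 'C:\Program Files\Microsoft Intune\ODJConnector',
        [version] $MinVersion = '6.2501.2000.5'        # minimum version expected in the admin center
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. Installed version, read from the enrollment wizard binary (assumed path).
    $exe  = Join-Path $InstallDir 'ODJConnectorEnrollmentWizard\ODJConnectorEnrollmentWizard.exe'
    $info = (Get-Item -Path $exe -ErrorAction Stop).VersionInfo
    $installed = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)

    # 2. Service identity: the updated connector runs as DOMAIN\<MsaName>$, the old one as LocalSystem.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object DisplayName -like '*ODJConnector*' | Select-Object -First 1
    $runsAsMsa = ($null -ne $svc) -and ($svc.StartName -like "*\$MsaName`$")

    # 3. The MSA object exists, in the default Managed Service Accounts container.
    $msa = Get-ADServiceAccount -Identity $MsaName -ErrorAction Stop
    $inDefaultContainer = $msa.DistinguishedName -like 'CN=*,CN=Managed Service Accounts,DC=*'

    # 4. OU ACL: an Allow ACE giving the MSA CreateChild for the computer class
    #    (schemaIDGUID bf967a86-...) or for all child classes (empty GUID).
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $acl = Get-Acl -Path "AD:\$TargetOuDn"
    $createAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty) -and
        $_.IdentityReference.Value -like "*\$MsaName`$"
    }

    [pscustomobject]@{
        InstalledVersion          = $installed
        VersionOk                 = $installed -ge $MinVersion
        ServiceAccount            = $svc.StartName
        RunsAsMsa                 = $runsAsMsa
        MsaDistinguishedName      = $msa.DistinguishedName
        MsaInDefaultContainer     = $inDefaultContainer
        MsaCanCreateComputersInOu = [bool]$createAce
    }
}
# Constructed sample values; replace with your own MSA name and OU DN.
Test-OdjConnectorUpgrade -MsaName 'msa-odj-01' -TargetOuDn 'OU=Autopilot,DC=contoso,DC=com' | Format-List
```

If RunsAsMsa is false while the service exists, the old SYSTEM-based connector is still installed on that host; if MsaCanCreateComputersInOu is false after editing the config, re-run “Configure Managed Service Account” in the wizard and recheck.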


Conclusion
The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account. This blog describes how to upgrade to the new connector and configure it for your organization.
For more information, these are the Microsoft documents related to the updated connector:
Microsoft Intune Connector for Active Directory security update | Microsoft Community Hub
Enrollment for Microsoft Entra hybrid joined devices – Windows Autopilot | Microsoft Learn
For the previous connector and more about hybrid Autopilot deployment, please check the Autopilot sections in “IntuneBytes”.