Forums on Intune, SCCM, and Windows 11


Intune Connector for Active Directory security update

Important news for all of those who still do Hybrid joins. Windows Autopilot uses the Intune Connector for Active Directory to deploy devices that are Microsoft Entra hybrid joined. The new connector aims to enhance security by reducing unnecessary privileges and permissions associated with the local SYSTEM account. To enhance security in customers' environments, Microsoft has updated the Intune Connector for Active Directory to utilize a Managed Service Account (MSA) instead of a SYSTEM account.

The outdated connector that relies on the local SYSTEM account will cease to be supported in late May 2025 and will no longer be downloadable in Intune. At that point, Microsoft will stop accepting enrollments from the old connector build.

MSAs are managed domain accounts that have automatic password management and are generally granted only the necessary permissions and privileges to perform their duties. They are more secure when compared to the SYSTEM account. An MSA can be used on only a single domain-joined machine, and it can access only resources within that domain.

Download the new Intune Connector

You can download the new connector from the Intune admin center and install it in your environment.

More Information: https://techcommunity.microsoft.com...-for-active-directory-security-update/4386898
Hi Prajwal

I'm trying to install the new connector, however the MSA is not getting created. I'm running the installer as Domain Admin. The Azure account is Global Admin. Any idea what I am missing? Here are the logs.

Code:
ODJ Connector UI Information: 0 : User clicked on SignIn
    DateTime=2025-03-14T15:39:59.2116739Z
ODJ Connector UI Information: 0 : Navigating to URL https://portal.manage.microsoft.com/Home/ClientLogon
    DateTime=2025-03-14T15:39:59.2898053Z
ODJ Connector UI Information: 0 : Browser loaded page https://login.microsoftonline.com/common/oauth2/authorize?client_id=74bcdadc-2fdc-4bb3-8459-76d06952a0e9&redirect_uri=https%3A%2F%2Fportal.manage.microsoft.com%2Fsignin-oidc&response_type=code&prompt=select_account&scope=openid profile&response_mode=form_post&nonce=638775635996879226.MjIwYWI0ODItYTc3YS00NzY2LWEyZTEtMjYyN2Q2MTY4YTkzMTgwNDMyNzMtMmQzNC00MTY1LThhN2ItMDMxOTE2NDA4MDMx&display=host&state=CfDJ8Ji1hs71b9ZDlZfpMprk6xUmh5ZyiH2tn2o80ueQkJnLktqRnri68LHjk9smwi1SW4CxmiwntrTIiqivmIKN4GNOs17XMCIMq_gK50SStqkrPdrTYW092vUJu3uqjVqUxveNpJygWFHIkSw1CDKf-kRD3ugxbsWkKstPzUAtdK_d4vhOEk4PNCXdnL2-D0ZzgrIgMrMHZNSIbF9f0aC1Ya8xHg79E5Ev88B9t87DUeR2KFCoJBKrBcyADHWrfzJxBTQANVdVcA8DSsoczySKv6LyrVsRK0ZgllR2jh9uF4jAY91uDgX3Rby7TMbM9rDrwiDqjgKniaKt4oF1Df7lnB27gG4jSe6ZoOg52y5uxfitA5SkPWuJH-w_0FdNfeRk5g&x-client-SKU=ID_NET472&x-client-ver=8.3.0.0
    DateTime=2025-03-14T15:40:00.0710556Z
ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
    DateTime=2025-03-14T15:41:26.9508117Z
ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Received Url for EnrollmentService as https://fef.amsua0102.manage.microsoft.com/StatelessEnrollmentService from RestUserAuthLocationService.
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Getting the URL for RAODJPlusFEGatewayService_FEF from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Received Url for RAODJPlusFEGatewayService_FEF as https://fef.amsua0102.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService from RestUserAuthLocationService.
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.
    DateTime=2025-03-14T15:41:27.7320578Z
ODJ Connector UI Information: 0 : MSA name : msaODJBfuWt
    DateTime=2025-03-14T15:41:27.8414250Z
ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: Failed to create a managed service account - Element not found
   at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.NativeMethods.NetAddServiceAccountWrapper(String accountName)
   at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.ManagedServiceAccountUtilities.CreateManagedServiceAccount(String domainName, String precreatedMsaAccount)
   at ODJConnectorUI.EnrollmentTab.CreateMsa(String domainName, StepsStarted& stepsStartedFlag)
   at ODJConnectorUI.EnrollmentTab.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
    DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True
    DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True
    DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Sending telemetry to ODJService
    DateTime=2025-03-14T15:41:27.9039290Z
ODJ Connector UI Information: 0 : RAODJPlus Service URL: https://fef.amsua0102.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService/odjConnectorTelemetry/uploadTelemetry
    DateTime=2025-03-14T15:41:27.9039290Z
ODJ Connector UI Information: 0 : Successfully sent request to RAODJPlusFEGatewayService_FEF
    DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Information: 0 : Response from ODJService: OK
    DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Error: 8 : Removing Managed Service Account ...
    DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Error: 8 : Successfully removed Managed Service Account
    DateTime=2025-03-14T15:41:28.2476749Z
ODJ Connector UI Error: 8 : Returning to the home page
    DateTime=2025-03-14T15:41:28.2476749Z
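To see the property the announcement describes (an MSA is bound to a single domain-joined host) and the state the connector UI checks in the "Searching for any pre-existing Managed Service Accounts installed on this machine" step, the following PowerShell audits the connector's MSAs from the domain side and tests whether one is installed on the local host. This is an added example, not code from the forum post or from Microsoft's connector; the "msaODJ" prefix is taken from the log above, and the function names are my own. It assumes the ActiveDirectory RSAT module and read access to service-account objects.

```powershell
# Added example (not from the post or from Microsoft): audit the standalone MSAs
# created by the Intune Connector and show which computer each is bound to.
Import-Module ActiveDirectory

function Get-OdjConnectorMsa {
    param(
        # Name prefix of the connector's MSA; the log above shows "msaODJBfuWt".
        [string]$Prefix = 'msaODJ'
    )
    Get-ADServiceAccount -Filter "Name -like '$Prefix*'" `
        -Properties HostComputers, ObjectClass, PasswordLastSet, Enabled |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                # msDS-ManagedServiceAccount = standalone MSA (one host);
                # msDS-GroupManagedServiceAccount = gMSA (many hosts).
                Kind            = $_.ObjectClass
                # Backlink to the computer object(s) the MSA is installed on.
                HostComputers   = ($_.HostComputers -join ';')
                Enabled         = $_.Enabled
                # Managed accounts rotate this automatically; a stale value
                # on a live connector is worth a look.
                PasswordLastSet = $_.PasswordLastSet
            }
        }
}

# Mirrors the connector's own pre-check: is the MSA installed and usable on
# THIS machine? Test-ADServiceAccount is $true only when the local computer
# can retrieve the account's managed password.
function Test-OdjConnectorMsaOnHost {
    param([Parameter(Mandatory)][string]$Name)
    try {
        return [bool](Test-ADServiceAccount -Identity $Name -ErrorAction Stop)
    } catch {
        Write-Warning "Test-ADServiceAccount failed for ${Name}: $($_.Exception.Message)"
        return $false
    }
}

$accounts = Get-OdjConnectorMsa
$accounts | Format-Table -AutoSize
foreach ($a in $accounts) {
    "$($a.Name) installed on $env:COMPUTERNAME : $(Test-OdjConnectorMsaOnHost -Name $a.Name)"
}
```

After a failed enrollment like the one logged above, where the UI reports "Successfully removed Managed Service Account", an empty result from Get-OdjConnectorMsa is the expected state; a leftover account bound to a different HostComputers value is the case worth cleaning up before retrying.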
 
