The Intune Connector for Active Directory, also referred to as the Offline Domain Join (ODJ) Connector, is responsible for joining computers to an on-premises domain during the Windows Autopilot process.
The connector creates computer objects in a specified Organizational Unit (OU) in Active Directory during the domain join process. Unfortunately for Microsoft, it appears as though there have been some issues with setting up the connector with build 6.2501.2000.5.
Common Issues with the Intune Connector for AD version 6.2501.2000.5
According to the feedback that Microsoft received, here are some of the more common challenges that customers run into.
| Issue | Details |
|---|---|
| Error “MSA account `<accountName>` is not valid” when signing in. | This happens when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Several things could cause this, including replication delays between domain controllers in a single domain, or the user account existing in a different domain from the connector machine. This issue is resolved in build 6.2504.2001.8. |
| Error “Failed to create a managed service account – Element not found.” | |
| Error “Cannot start service ODJConnectorSvc on computer ‘.’. —> System.ComponentModel.Win32Exception: The service did not start due to a logon failure” after the MSA is created. | This has been observed when the service can’t run as the MSA. Several issues can prevent the service from running as the MSA, including group or local policy restricting the Log on as a service privilege. |
| Error “System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.” | |
New and Improved Build
In light of everything, Microsoft released an updated build that is intended to address these challenges. The update resolves some of the issues raised in customer feedback and also improves overall functionality. You can download build 6.2504.2001.8 from Microsoft Intune. From this improved version, you can expect:
- A new sign-in page in the wizard that uses WebView2, which is based on Microsoft Edge, instead of the previously used WebBrowser control.
- A fix for the error “MSA account `<accountName>` is not valid” that some customers were seeing.
- Documented mitigation steps for the error “Cannot start service ODJConnectorSvc on computer”.
- Documented troubleshooting and mitigation steps for the error “System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred”.
Updated Intune Connector
Windows Autopilot continues to use the Intune Connector for Active Directory to deploy Microsoft Entra hybrid joined devices. Going forward, Intune is enhancing security by updating the connector to run as a Managed Service Account (MSA) instead of the SYSTEM account.
Customers will find the updated connector available for download from within Intune. Although the legacy connector may still be available for download, it will no longer be supported from late June 2025. Plan to update the connector before then, because the update does not happen automatically.
Updated Troubleshooting Guide
| Problem | Solution |
|---|---|
| Why is the Intune Connector for Active Directory not logging in Event Viewer even though logging is enabled? | The connector originally logged in Event Viewer directly under Applications and Services Logs, in a log called ODJ Connector Service. Going forward, logging for the connector has moved to Applications and Services Logs > Microsoft > Intune > ODJConnectorService. Users who find the ODJ Connector Service log at the original location empty or not updating should check the new location. |
| Why does uninstalling the Intune Connector for Active Directory through the Settings app not fully remove the application? | Uninstalling the connector requires both the Settings app and the connector’s installer executable, ODJConnectorBootstrapper.exe. To uninstall the connector, run ODJConnectorBootstrapper.exe and select the Uninstall option. Make sure that the ODJConnectorBootstrapper.exe version matches the version of the connector you’re uninstalling. |
| Why is the error “The MSA account couldn’t be granted permission to create computer objects in the following OUs” occurring when installing the Intune Connector for Active Directory? | Different failures can cause this error, including: (1) the admin installing and configuring the connector does not have the required permissions; (2) the OU specified in the connector’s ODJConnectorEnrollmentWizard.exe.config XML configuration file doesn’t exist. For more information on the error and its cause, see ODJConnectorUI.log, normally located in the folder `C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard`. |
| Why is the error “Cannot start service ODJConnectorSvc on computer ‘.’” occurring when setting up the Intune Connector for Active Directory? | A few reasons could cause this error, including: (1) the domain has more than one domain controller with a replication latency policy, and the MSA was created on one domain controller while the search happened against another. Wait until replication completes in accordance with your policy, or manually sync; once replication is complete, open the connector and choose Configure MSA. (2) A group policy is configured that doesn’t allow services to start as a non-privileged account. Check that the MSA account has been granted the Log on as a service privilege. |
| Why is the error “Microsoft Edge can’t read and write to its data directory” occurring? | This error indicates that the user needs read/write permissions on the listed directory. |
| Why did enrollments start failing when using the Intune Connector for Active Directory? | Verify that the Intune Connector for Active Directory is updated to version 6.2501.2000.5 or later and that the legacy version isn’t still in use. |
| Why are the errors “Navigation to the webpage was canceled” or “Can’t connect securely to this page” occurring while setting up the Intune Connector for Active Directory? | Different issues can cause this error, including: (1) the server where the admin has chosen to install and configure the connector lacks the required internet access, or the required Intune URLs aren’t allowed; (2) the server is sending network requests via TLS 1.0 or 1.1 because PKCS cryptography is disabled. You can fix this on the server hosting the connector by deleting the registry value with the following command from an elevated command prompt: `reg.exe delete "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /v Enabled /f` |
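Three rows of the troubleshooting table above (the moved event log, the Log on as a service right for the MSA, and the Schannel PKCS registry value) can be checked read-only before changing anything. The script below is an added example, not part of the article or of Microsoft's tooling; it assumes an elevated PowerShell session on the connector server, that the MSA lives in the same domain as the logged-on user, and that `msaODJxxxxx` is replaced with the MSA name the wizard reported.

```powershell
# Added example (not from the article or from Microsoft): read-only checks for
# three rows of the troubleshooting table. Run in an elevated PowerShell session
# on the connector server. $MsaName is the account the wizard reported;
# 'msaODJxxxxx' is a placeholder to replace.
param([string]$MsaName = 'msaODJxxxxx')

# 1. Event logging moved to Applications and Services Logs > Microsoft > Intune
#    > ODJConnectorService. Discover the registered channel instead of guessing.
$logs = Get-WinEvent -ListLog '*ODJConnector*' -ErrorAction SilentlyContinue
if ($logs) {
    $logs | ForEach-Object { Write-Output ("Log {0}: {1} records" -f $_.LogName, $_.RecordCount) }
} else {
    Write-Output 'No ODJ connector event channel is registered on this server.'
}

# 2. "Cannot start service ODJConnectorSvc": confirm the MSA holds the
#    Log on as a service right (SeServiceLogonRight) in the effective policy.
#    secedit lists principals as *SID or DOMAIN\name, so accept either form.
$cfg = Join-Path $env:TEMP 'odj-userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Get-Content $cfg -ErrorAction SilentlyContinue | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
try {
    # MSA SAM account names end with '$'; assumes the MSA is in the user's domain
    $acct = New-Object Security.Principal.NTAccount("$env:USERDOMAIN\$MsaName`$")
    $sid  = $acct.Translate([Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null }
$granted = [bool]$right -and (($sid -and $right -like "*$sid*") -or $right -like "*$MsaName*")
if ($granted) {
    Write-Output "$MsaName holds SeServiceLogonRight."
} else {
    Write-Output "$MsaName lacks SeServiceLogonRight; check Local and Group Policy."
}

# 3. TLS errors in the wizard: the table's reg.exe command deletes this value.
#    Report it first. Enabled=0 means RSA (PKCS) key exchange was disabled by
#    policy; deleting the value restores the Windows default (enabled).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'
$val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $val) {
    Write-Output 'SCHANNEL PKCS "Enabled" value is not set (Windows default applies).'
} else {
    Write-Output "SCHANNEL PKCS Enabled = $val (0 disables RSA key exchange)."
}
```

Because the PKCS value is usually set deliberately by a TLS hardening baseline, knowing who set it and why is worth a moment before the `reg.exe delete` in the table is run.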
Pre-installation Requirements for Intune Connector
Before carrying out the installation, you need to verify that you meet all the requirements for the Intune Connector for Active Directory:
- The connector will work best when installed on a computer running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
- The server hosting the Intune Connector for Active Directory must have access to the Internet and Active Directory.
- Multiple connectors can be installed in a domain to increase scale and availability. Each connector must be able to create computer objects in the domain that it supports.
- The administrator carrying out the installation must be a local administrator on the server where the Intune Connector for Active Directory is being installed.
- For the updated connector, installation requires an account with the following domain rights:
  - Required – Create msDs-ManagedServiceAccount objects in the Managed Service Accounts container.
  - Optional – Modify permissions on OUs in Active Directory. If the administrator installing the updated connector doesn’t have this right, additional configuration steps by an administrator who does have it may be necessary.
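The requirements above can be verified before the installer is run. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on the intended connector server with the ActiveDirectory RSAT module installed, and it reads the msDS-ManagedServiceAccount class GUID from the schema rather than hardcoding it.

```powershell
# Added example (not from the article or from Microsoft): pre-installation checks
# for the requirements above. Run in an elevated PowerShell session on the
# intended connector server; assumes the ActiveDirectory RSAT module is present.

# 1. Windows Server 2016 or later (ProductType 1 is a workstation; 14393 is
#    the Server 2016 build).
$os = Get-CimInstance Win32_OperatingSystem
$serverOk = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)
Write-Output ("OS: {0} build {1} -> OK: {2}" -f $os.Caption, $os.BuildNumber, $serverOk)

# 2. .NET Framework 4.7.2 or later: the Release value 461808 is the lowest
#    value Microsoft assigns to 4.7.2.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
Write-Output (".NET Release: {0} -> OK: {1}" -f $release, ($release -ge 461808))

# 3. Local administrator on this server.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output "Local administrator: $isAdmin"

# 4. Who may create msDS-ManagedServiceAccount objects in the Managed Service
#    Accounts container. The class GUID is read from the schema rather than
#    hardcoded; an ObjectType of all zeros means "any child object class".
Import-Module ActiveDirectory
$rootDse   = Get-ADRootDSE
$msaClass  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-ManagedServiceAccount)' -Properties schemaIDGUID
$classGuid = [guid]$msaClass.schemaIDGUID
$container = "CN=Managed Service Accounts,$($rootDse.defaultNamingContext)"
$createChild = [DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path "AD:\$container").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $classGuid)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
# Compare the identities listed with the installing admin's group memberships;
# if none apply, an admin who has the right must create the MSA or delegate it.
```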
Installation Process
Internet Explorer Enhanced Security Configuration
The change to WebView2 in build 6.2504.2001.8 means that turning off the Internet Explorer Enhanced Security Configuration setting in Windows Server is no longer necessary. As long as version 6.2504.2001.8 or later of the connector is installed, that setting should not cause problems.
Downloading the Connector
To install the new connector in your environment, you can download it from the Intune admin center as follows:
- Sign into the Intune admin center on the server where you want to install the connector.
- Select Devices in the Home screen.
- Select Windows in the Devices | Overview screen, under By platform.
- Select Enrollment in the Windows | Windows devices screen, under Device onboarding.
- Select Intune Connector for Active Directory in the Windows | Windows enrollment screen, under Windows Autopilot.
- Select Add in the Intune Connector for Active Directory screen.
- In the Add connector window that opens, under Configuring the Intune Connector for Active Directory, select Download the on-premises Intune Connector for Active Directory. The link downloads a file called “ODJConnectorBootstrapper.exe.”
Installing the Connector on the Server
- Sign into the server where you want to install the connector using an account that has local administrator rights.
- Before you can install the updated Intune Connector for Active Directory, you need to uninstall the legacy connector.
- Open the downloaded “ODJConnectorBootstrapper.exe” file to launch the Intune Connector for Active Directory Setup.
- Follow the Intune Connector for Active Directory Setup steps.
- When installation is complete, tick the checkbox Launch Intune Connector for Active Directory.
Signing In with the Intune Connector
- Select Sign In in the Intune Connector for Active Directory window, under the Enrollment tab.
- Under the Sign In tab, sign in with the Microsoft Entra ID credentials of an account that holds an Intune admin role. Note that the user account also needs an assigned Intune license.
- When the sign-in process completes:
  - A “The Intune Connector for Active Directory successfully enrolled” confirmation window appears. Click OK to close the window.
  - An “A Managed Service Account with name “`<MSA_name>`” was successfully set up” confirmation window appears. The name of the MSA has the format “msaODJ#####”, with ##### representing 5 random characters. Note the name of the MSA created, and then click OK to close the window.
  - The Enrollment tab shows the Intune Connector for Active Directory as “enrolled.” The Sign In button is grayed out and Configure Managed Service Account is enabled.
- Close the Intune Connector for Active Directory window.
Verification
Once authentication finishes, the Intune Connector for Active Directory completes its installation. After installation, you can verify that the connector is active by following the steps below:
- Return to the Microsoft Intune admin center if it’s still open and close the Add connector window if it’s still there. If the Microsoft Intune admin center isn’t still open:
  - Sign into the Intune admin center.
  - Select Devices in the Home screen.
  - Select Windows in the Devices | Overview screen, under By platform.
  - Select Enrollment in the Windows | Windows devices screen, under Device onboarding.
  - Select Intune Connector for Active Directory in the Windows | Windows enrollment screen, under Windows Autopilot.
- In the Intune Connector for Active Directory page:
  - Confirm that the server displays under Connector name and shows as Active under Status.
  - Also verify that the version is 6.2501.2000.5 or later for the updated connector.
If you don’t see the server displayed, select Refresh, or navigate away from the page and back to the Intune Connector for Active Directory page. Once the connector is installed, it starts logging in Event Viewer under Applications and Services Logs > Microsoft > Intune > ODJConnectorService.
Wrap Up
The previous version of the Microsoft Intune Connector for Active Directory presented several issues for many customers. And as one would expect, these issues reduced the efficiency of the connector and negatively impacted functionality.

Fortunately, with build 6.2504.2001.8, Microsoft is taking heed of the feedback from its customers and making the necessary adjustments. Going forward, customers can look forward to a connector with better functionality and significantly fewer issues. And if you do run into problems, Microsoft has updated the troubleshooting guide.