Fixing Intune Connector for AD Install Errors: Restoring the Managed Service Accounts Container

If you’ve been working with Intune and Autopilot for at least the last few years, you’ve probably heard the saying “Friends don’t let friends use Hybrid-Joined Autopilot”. Trust me, I agree with that, but as an IT Consultant/Advisor, you can only guide and advise clients. You can’t force them to do things. In addition, some organizations aren’t ready for cloud-native endpoints, but showing them how Intune can help and getting them started by using hybrid-joined endpoints can lead to increased adoption. Plus, hybrid-joined autopilot can still significantly improve their workstation onboarding provisioning process. Ultimately, the reality is that organizations are utilizing this technology and will likely continue to do so for at least a few more years.

Hybrid-joined Autopilot has more moving pieces than an Entra-join profile because of the domain-join process and how it works on the back end. To facilitate that process, you install the Intune Connector for Active Directory in your environment. A few months ago (as of the date of this writing), Microsoft released a new version of the Intune Connector for Active Directory, and the older versions were deprecated as of July 1, 2025. The new version is significantly more secure than the earlier one. Details on the new release can be found here – Microsoft Intune Connector for Active Directory security update | Microsoft Community Hub.

We won’t be getting into specifics on the new connector in this post. Rather, we will take a look at an error during installation that I hadn’t encountered before, and it didn’t seem to be well-documented. If you are looking for a deeper dive into the new connector and a guide on installing it, here are two links that take you through the process in detail:

The Managed Service Account Error

The process of upgrading/installing the new connector is pretty simple. I’ve helped a few clients with this and never had any issues until the most recent instance. After installing the new connector and authenticating to Entra, a managed service account gets automatically created in AD. However, the connector couldn’t create the account:

The error clearly indicates that an AD container is not found. Technically, the container is named “Managed Service Accounts” (plural), even though the error says “Managed Service Account”. I checked AD, and the built-in Managed Service Accounts container was indeed missing. To make sure, I deleted this container in my lab and was able to reproduce the same error.

After doing some troubleshooting and research, I found that the Intune Connector looks for this container by its well-known GUID, not by name, and places the Intune Connector managed service account in whatever that GUID resolves to. So simply creating a new container or OU with the same name won’t help. You’ll still see the same error when trying to configure the Intune Connector.

Active Directory has well-known objects mapped by their well-known GUID (found here). The mapping lives in the wellKnownObjects and otherWellKnownObjects attributes on the domain head object, as DN-Binary values of the form B:32:<GUID>:<DN>. I checked this in several other environments, and they all had the same mapping for the Managed Service Accounts container in otherWellKnownObjects, with the GUID “1EB93889E40C45DF9F0C64D23BBB6237”.

Let’s check the mapping in my environment where the container has been deleted:

$dn = (Get-ADDomain).DistinguishedName
Get-ADObject $dn -Properties otherWellKnownObjects

We can see that the mapping still exists, but it’s pointing at a deleted object. We can tell by the “\0ADEL:” marker in the full distinguished name, which places the container under CN=Deleted Objects.
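As an added example (my code for this post’s scenario, not the connector’s own logic and not code from the original post), the following PowerShell parses the wellKnownObjects and otherWellKnownObjects values on the domain head into GUID/DN pairs, flags a mapping whose DN carries the 0ADEL: deleted-object marker, and then attempts the lookup the connector is described as doing: binding by well-known GUID through ADSI’s documented WKGUID form rather than by container name. The function names and status strings are mine, and the assumption that a WKGUID bind is an adequate stand-in for the connector’s lookup is mine; the GUID is the one shown above. It assumes the ActiveDirectory module on a domain-joined machine with read access to the domain naming context.

```powershell
# Added example (not from the original post): diagnose the Managed Service Accounts
# well-known-object mapping on the domain head. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# GUID_MANAGEDSERVICE_ACCOUNTS_CONTAINER, the value the post found in every healthy domain.
$MsaWellKnownGuid = '1EB93889E40C45DF9F0C64D23BBB6237'

function Get-WellKnownObjectMapping {
    # Parse every DN-Binary value of the form B:32:<32 hex chars>:<DN> on the domain head.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $domainHead = Get-ADObject -Identity $DomainDN -Properties wellKnownObjects, otherWellKnownObjects
    foreach ($attr in 'wellKnownObjects', 'otherWellKnownObjects') {
        foreach ($value in @($domainHead.$attr)) {
            if ($value -match '^B:32:([0-9A-Fa-f]{32}):(.+)$') {
                [pscustomobject]@{
                    Attribute = $attr
                    Guid      = $Matches[1].ToUpperInvariant()
                    DN        = $Matches[2]
                    # Deleted objects are renamed to "<CN>\0ADEL:<objectGUID>" under CN=Deleted Objects.
                    IsDeleted = ($Matches[2] -match '0ADEL:')
                }
            }
        }
    }
}

function Test-MsaContainerMapping {
    # Status values are hypothetical names chosen for this example.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $mapping = Get-WellKnownObjectMapping -DomainDN $DomainDN |
        Where-Object { $_.Guid -eq $MsaWellKnownGuid }

    if (-not $mapping) {
        return [pscustomobject]@{ Status = 'MappingMissing'; DN = $null }
    }
    if ($mapping.IsDeleted) {
        # This is the post's failure case: the GUID is still mapped, but to a deleted object.
        return [pscustomobject]@{ Status = 'MappingPointsAtDeletedObject'; DN = $mapping.DN }
    }

    # Resolve the container by well-known GUID, not by name. A container that merely
    # shares the name "Managed Service Accounts" does not satisfy this lookup.
    try {
        $bound    = [ADSI]"LDAP://<WKGUID=$MsaWellKnownGuid,$DomainDN>"
        $resolved = [string]$bound.distinguishedName   # property access triggers the bind
        if ($resolved -and ($resolved -eq $mapping.DN)) {
            return [pscustomobject]@{ Status = 'OK'; DN = $resolved }
        }
        return [pscustomobject]@{ Status = 'WkguidBindMismatch'; DN = $resolved }
    }
    catch {
        return [pscustomobject]@{ Status = "WkguidBindFailed: $($_.Exception.Message)"; DN = $mapping.DN }
    }
}

# Usage: run before the repair to confirm the diagnosis, and again afterwards to confirm the fix.
Test-MsaContainerMapping | Format-List
```

A result of MappingPointsAtDeletedObject is exactly the condition described above, and OK is what you want to see after either of the repairs that follow. Because the check binds through the GUID mapping rather than searching by name, it will also not be fooled by a hand-created container with the right name and no mapping.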

Restoring if AD Recycle Bin is Enabled

Since we know the container is deleted but the mapping still exists, first check whether it’s in the AD Recycle Bin. In my case, it wasn’t. Before looking, check whether the Recycle Bin is even enabled; if it isn’t, you can’t restore this way. Note that enabling it is not retroactive: only objects deleted after the feature was enabled can be restored from it. You can use this PowerShell line to see if the AD Recycle Bin is enabled:

Get-ADOptionalFeature -Filter {name -like "Recycle Bin Feature"} | Select EnabledScopes

If the scopes are empty, then it’s not enabled.

If you’re lucky and it’s enabled, you can try restoring from the recycle bin:

$dn = (Get-ADDomain).DistinguishedName
$deletedObjectsContainer = "CN=Deleted Objects,$dn"
# Deleted objects are renamed "<CN>\0ADEL:<objectGUID>", so match on the name prefix
$ldapFilter = '(&(isDeleted=TRUE)(cn=Managed Service Accounts*))'
$deletedMSA = Get-ADObject -IncludeDeletedObjects -SearchBase $deletedObjectsContainer -LDAPFilter $ldapFilter -Properties LastKnownParent,ObjectGUID,WhenChanged
$deletedMSA | Format-List Name, DistinguishedName, LastKnownParent, ObjectGUID, WhenChanged

Here we can see my deleted Managed Service Accounts container:

If yours is listed (and recycle bin was enabled), try to restore it with:

Restore-ADObject -Identity $deletedMSA.ObjectGUID

Restoring if AD Recycle Bin isn’t enabled

If you’re in the same boat that I was, AD Recycle Bin was not enabled and we can’t restore. So how do we get this container back and have it mapped to the well-known GUID? There are a couple of ways, but I prefer the less intrusive way. This script recreates the Managed Service Accounts container, removes the old otherWellKnownObjects value that points at the deleted object, and adds a new value pointing to the new container. Writing otherWellKnownObjects on the domain head requires rights to modify the domain object itself, so run it from an elevated, suitably privileged session, and compare the recreated container’s ACL against a healthy domain before relying on it, since the new object gets the default permissions for its class rather than whatever the original container carried:

$dn = (Get-ADDomain).DistinguishedName
$msaguid = '1EB93889E40C45DF9F0C64D23BBB6237'
$msaDN = "CN=Managed Service Accounts,$dn"
 
#Create new Managed Service Accounts container
New-ADObject -Name 'Managed Service Accounts' -Type container -Path $dn
 
#prep variables for remapping
$domainObj = Get-ADObject $dn -Properties otherWellKnownObjects
$currentList = @($domainObj.otherWellKnownObjects)
$new = "B:32:$($msaguid):$msaDN"

#remove mapping from deleted container
$oldobj = $currentList | Where-Object { $_ -match $msaguid -and $_ -ne $new }
Set-ADObject $dn -Remove @{ otherWellKnownObjects = $oldobj }
 
#set new mapping
Set-ADObject $dn -Add @{ otherWellKnownObjects = $new }
 
#verify:
Get-ADObject $dn -Properties otherWellKnownObjects

The final line that verifies everything worked should show the well-known managed service accounts identifier (B:32:1EB93889E40C45DF9F0C64D23BBB6237) pointing to our new managed service accounts container:

And after that, you should be able to finish configuring the Intune Connector for AD:

If you want an alternate solution (but a slightly riskier one), others on Reddit have said that this has also worked for them – koolaid.info: Dude, Where’s My Managed Service Accounts?

Add this to the list of reasons why you should be convincing your clients to move to cloud-native endpoints.