Merge pull request #17804 from MicrosoftDocs/fix-conflict-release-intune-2504

Fix merge conflicts with main in release-intune-2504

Author: garycentric

.github/workflows/StaleBranch.yml

@@ -2,12 +2,17 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
-      
+
+# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
+# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.
+# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted.
+# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it.
+
 on:
   schedule:
-    - cron: "0 9 1 * *"
+    - cron: "0 9 1,15-31 * *"
 
-  # workflow_dispatch:
+  workflow_dispatch:
 
 
 jobs:

autopilot/device-preparation/requirements.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: madakeva
 manager: aaroncz
-ms.date: 04/02/2025
+ms.date: 04/21/2025
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -119,7 +119,10 @@ Microsoft Entra ID validates user credentials. Additionally, the device is joine
 
 #### Microsoft Intune
 
-Once authenticated, Microsoft Entra ID triggers enrollment of the device into the Intune mobile device management (MDM) service. For more information about Intune's network communication requirements, see [Network endpoints for Microsoft Intune](/mem/intune-service/fundamentals/intune-endpoints).
+Once authenticated, Microsoft Entra ID triggers enrollment of the device into the Intune mobile device management (MDM) service. For more information about Intune's network communication requirements, see the following articles:
+
+- [Network endpoints for Microsoft Intune](/mem/intune-service/fundamentals/intune-endpoints).
+- [Network requirements for PowerShell scripts and Win32 apps](/intune/intune-service/fundamentals/intune-endpoints).
 
 #### Windows Autopilot device preparation automatic device diagnostics collection
 

autopilot/includes/intune-connector.md

@@ -6,7 +6,7 @@ ms.reviewer: madakeva
 ms.subservice: autopilot
 ms.service: windows-client
 ms.topic: include
-ms.date: 02/27/2025
+ms.date: 04/21/2025
 ms.localizationpriority: medium
 ---
 
@@ -22,7 +22,7 @@ The purpose of the Intune Connector for Active Directory, also known as the Offl
 
 > [!IMPORTANT]
 >
-> Starting with Intune 2501, Intune uses an updated Intune Connector for Active Directory that strengthens security and follows least privilege principles by using a [Managed Service Account (MSA)](/windows-server/identity/ad-ds/manage/understand-service-accounts#standalone-managed-service-accounts). When the Intune Connector for Active Directory is downloaded from within Intune, the updated Intune Connector for Active Directory is downloaded. The previous legacy Intune Connector for Active Directory is still available for download at [Intune Connector for Active Directory](https://www.microsoft.com/download/details.aspx?id=105392&msockid=3cb707200c316b2c119712450d8b6a5d), but Microsoft recommends using the updated Intune Connector for Active Directory installer going forward. The previous legacy Intune Connector for Active Directory will continue to work through sometime in May 2025. However, it needs to be updated to the updated Intune Connector for Active Directory before then to avoid loss of functionality. For more information, see [Intune Connector for Active Directory with low-privileged account for Windows Autopilot Hybrid Microsoft Entra join deployments](https://aka.ms/Intune-Connector-blog).
+> Starting with Intune 2501, Intune uses an updated Intune Connector for Active Directory that strengthens security and follows least privilege principles by using a [Managed Service Account (MSA)](/windows-server/identity/ad-ds/manage/understand-service-accounts#standalone-managed-service-accounts). When the Intune Connector for Active Directory is downloaded from within Intune, the updated Intune Connector for Active Directory is downloaded. The previous legacy Intune Connector for Active Directory is still available for download at [Intune Connector for Active Directory](https://www.microsoft.com/download/details.aspx?id=105392&msockid=3cb707200c316b2c119712450d8b6a5d), but Microsoft recommends using the updated Intune Connector for Active Directory installer going forward. The previous legacy Intune Connector for Active Directory will continue to work through sometime in June 2025. However, it needs to be updated to the updated Intune Connector for Active Directory before then to avoid loss of functionality. For more information, see [Intune Connector for Active Directory with low-privileged account for Windows Autopilot Hybrid Microsoft Entra join deployments](https://aka.ms/Intune-Connector-blog).
 >
 > Updating of the Intune Connector for Active Directory to the updated version isn't done automatically. The legacy Intune Connector for Active Directory needs to be manually uninstalled followed by the updated connector manually downloaded and installed. Instructions for the manual uninstall and install process of the Intune Connector for Active Directory are provided in the following sections.
 

autopilot/known-issues.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: madakeva
 manager: aaroncz
-ms.date: 04/08/2025
+ms.date: 04/21/2025
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -43,22 +43,27 @@ This article describes known issues that can often be resolved with configuratio
 
 ### Known issues with the Intune Connector for AD version 6.2501.2000.5
 
-Date added: *April 8, 2025*
+Date added: *April 8, 2025*<br>
+Date updated: *April 18, 2025*
 
 The following issues are under active investigation:
 
 - **Error `MSA account <accountName> is not valid` when signing in.**
-  
-  This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.
 
+  This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.
+  
+  This issue is resolved in build **6.2504.2001.8.**
+  
 - **Error `Failed to create a managed service account - Element not found`.**
 
 - **Error `Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure` after the MSA is created.**
-  
-  This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting **Log on as a service** privileges.
 
+  This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting **Log on as a service** privileges. For more information on how to mitigate this error, see [Troubleshooting FAQ](/autopilot/troubleshooting-faq#why-is-the-error--cannot-start-service-odjconnectorsvc-on-computer------occurring-when-setting-up-the-intune-connector-for-active-directory-).
+  
 - **Error `System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.`**
 
+  For information on how to mitigate this error, see [Troubleshooting FAQ](/autopilot/troubleshooting-faq#troubleshooting-the-intune-connector-for-active-directory).
+
 ### TPM attestation isn't working for TPMs which use high-range RSA 3072EK
 
 Date added: *April 4, 2025*
@@ -73,8 +78,7 @@ The Windows Autopilot profile setting which enables automatic configuration of t
 
 ### Windows Autopilot report incorrectly shows failure even though the deployment was successful
 
-Date added: *February 11, 2025*
-
+Date added: *February 11, 2025*<br>
 Date updated: *March 20, 2025*
 
 This issue is resolved.

autopilot/troubleshooting-faq.yml

@@ -9,7 +9,7 @@ metadata:
   ms.author: frankroj
   ms.reviewer: madakeva
   manager: aaroncz
-  ms.date: 04/04/2025
+  ms.date: 04/21/2025
   ms.collection:
     - M365-modern-desktop
     - highpri
@@ -472,10 +472,30 @@ sections:
           - The administrator installing and configuring the Intune Connector for Active Directory doesn't have the required permissions as outlined in the [Intune Connector for Active Directory Requirements](windows-autopilot-hybrid.md?tabs=intune-connector-requirements#requirements).
           - The organization unit (OU) specified in the Intune Connector for Active Directory `ODJConnectorEnrollmentWiazard.exe.config` XML configuration file doesn't exist.
 
-          For detailed information on the error and what caused it, see the `ODJConnectorUI.log` normally located in the folder `C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard`.
+          For detailed information on the error and what caused it, see the `ODJConnectorUI.log` normally located in the following folder:
+          
+          `C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard`
+          
+          Follow the steps to [Increase the computer account limit in the Organizational Unit](tutorial/user-driven/hybrid-azure-ad-join-computer-account-limit.md?tabs=updated-connector) if the following error appears in the `ODJConnectorUI.log`:
+          
+          **`System.AggregateException: One or more errors occurred. ---> System.DirectoryServices.DirectoryServicesCOMException: A constraint violation occurred.`**
 
           For more information, see [Install the Intune Connector for Active Directory on the server](windows-autopilot-hybrid.md?tabs=updated-connector#install-the-intune-connector-for-active-directory-on-the-server).
 
+      - question: |
+          Why is the error "Cannot start service ODJConnectorSvc on computer '.'" occurring when setting up the Intune Connector for Active Directory?
+        answer: |
+          This error might occur for several reasons including:
+
+          - The domain has more than one domain controller with a replication latency policy. The MSA was created in one of the domain controllers but the search happened against another domain controller. Wait until replication has completed in accordance with your policy or manually sync. Once the replication is complete, then open the connector and choose **Configure MSA**.
+          
+          - A group policy is configured that doesn't allow services to be started as a non-privileged account. Make sure the MSA account has **Log on as a service** privileges granted. For example, see this instance with Operations Manager to [Enable service logon](/system-center/scom/enable-service-logon#enable-service-log-on-permission-for-run-as-accounts).
+
+      - question: |
+          Why is the error "Microsoft Edge can't read and write to its data directory" occurring?
+        answer: |
+          This error indicates that the user needs read/write permissions to the listed directory. For more information on how to grant these permissions, see [Manage user data folders](/microsoft-edge/webview2/concepts/user-data-folder?tabs=win32).
+
       - question: |
           Why did enrollments start failing when using the Intune Connector for Active Directory?
         answer: |

autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-intune-connector.md

@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: madakeva
 manager: aaroncz
-ms.date: 02/27/2025
+ms.date: 04/21/2025
 ms.topic: tutorial
 ms.collection:
   - tier1

autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector.md

@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: madakeva
 manager: aaroncz
-ms.date: 02/27/2025
+ms.date: 04/21/2025
 ms.topic: tutorial
 ms.collection:
   - tier1

autopilot/whats-new.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.reviewer: madakeva
-ms.date: 02/27/2025
+ms.date: 04/21/2025
 ms.collection:
   - M365-modern-desktop
   - tier2
@@ -32,11 +32,24 @@ appliesto:
 >
 > For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation.
 
+## Updated build for the low privileged account for Intune Connector for Active Directory
+
+Date added: *April 18, 2025*
+
+We've updated the low-privileged Intune Connector for Active Directory build. New in build **6.2504.2001.8:**
+
+- Updated the sign in page to use WebView2, built on Edge, instead of WebBrowser.
+- **Error `MSA account <accountName> is not valid`** when signing in has been fixed.
+- **Error `Cannot start service ODJConnectorSvc on computer '.'`** can now be mitigated. For more information, see [Troubleshooting FAQ](/autopilot/troubleshooting-faq#why-is-the-error--cannot-start-service-odjconnectorsvc-on-computer------occurring-when-setting-up-the-intune-connector-for-active-directory-).
+- **Error `System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.`** can now be mitigated. For more information, see [Troubleshooting FAQ](/autopilot/troubleshooting-faq#why-is-the-error--the-msa-account-couldn-t-be-granted-permission-to-create-computer-objects-in-the-following-ous--occurring-when-installing-the-intune-connector-for-active-directory-).
+
+Download and install the latest version to get these changes.
+
 ## Low privileged account for Intune Connector for Active Directory for Hybrid join Windows Autopilot flows
 <!--9544276-->
 Date added: *February 27, 2025*
 
-We've updated the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will continue to work until deprecation in late May 2025.
+We've updated the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will continue to work until deprecation in late June 2025.
 
 For more information, see [Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot](windows-autopilot-hybrid.md).
 

autopilot/windows-autopilot-hybrid.md

@@ -6,7 +6,7 @@ author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.reviewer: madakeva
-ms.date: 03/28/2025
+ms.date: 04/21/2025
 ms.topic: how-to
 ms.service: windows-client
 ms.subservice: autopilot