How to tell if my installation of the new Intune Connector for Active Directory is successful?

Woody Chiu at RASI 231 Reputation points
2025-12-06T14:59:06.4266667+00:00

My old Intune Connector for AD had completely disappeared by itself before I was aware of it. I discovered that because I failed numerous times to deploy a laptop with a Hybrid Entra Join Enrollment profile during the Autopilot process. When I found there was not even any ICAD listed on Intune, I followed the web resources on how to install the new (after June 2025 version) ICAD and installed a couple of new ICADs on two Server 2022 machines. I wasn't aware whether I could reuse the same downloaded installer or had to use two separately downloaded installers and install them separately onto the two Server 2022 machines. I tried a few times starting the installer first, which led to downloading the WebView2 runtime in the middle of the installation. This sequence appeared to crash the installation process. Then I ran into all sorts of undocumented sequences of screens that just told me that the ICAD installation was not successful. So I was uninstalling and reinstalling multiple times, still with no luck. Then I found the right sequence was that the WebView2 Runtime has to be installed before starting the ICAD installer. That appeared to be working. I set up two new ICADs that appeared on Intune as green "Active". Then I began to try to redeploy the laptop and it still failed, stuck at the message "Something went wrong...." etc. The Autopilot status page did not come up, which normally happens after the offline domain join is completed. Then I came across that I might have used the same installer to install both ICADs. I went through it all over again. I uninstalled all ICAD components on the two Server 2022 machines. When I saw them showing as error on the Intune portal, I removed the two servers on-prem and spun up another single Server 2022, went through the ICAD installer process again, and it completed successfully. This server is currently showing green "Active" on Intune.
The managed service account msaXXXX was set with Create Computer Object permission on the OU that was specified inside the ICAD server's C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard\ODJConnectorEnrollmentWizard.exe.config and Hybrid Entra Join Configuration Profile in Intune.

With everything appearing to be all set, I then found that the ICAD server's event log under "Applications and Service Logs" > Microsoft > Intune > CertificateConnectors > Operational kept showing the errors below, while another Operational log showed all normal.


Do these errors mean the Certificate Connector failed to enroll Intune ICAD certificates for the operations of the ICAD process? I tried many times to fix it by also reinstalling the ICAD server and whitelisting some Microsoft URLs that my research told me might need to be allowed for outgoing traffic on the internet firewall. No luck. The errors continued. Do I need to fix the error in order to have the ICAD working anyway? I would describe it as a painful process. lol! Hope someone can shed some light. Appreciated! Woody


7 answers

  1. VPHAN 10,640 Reputation points Independent Advisor
    2025-12-06T17:07:39.1433333+00:00

    Hi Woody,

    I completely understand your frustration here. I hope my explanation below will bring you more insight into the issue.

    Here is the direct answer to your question regarding the error logs.

    Do these errors mean the Certificate Connector failed to enroll?

    => Technically, yes, the ServiceLocationLength 215 error indicates a corruption in the internal configuration string parsing (likely a URL or proxy string that exceeds expected character limits) within the Connector's .NET config.

    However, this is likely NOT the reason your laptop deployment is failing. Look at your second image.

    - Event ID 30121: ODJRequestHandlingPipelineDownload_NoWork: No requests pending to be downloaded. It means the Connector is successfully authenticating to the Intune Cloud and asking, "Do you have any computer accounts for me to create?" Intune is replying, "No."

    If the Connector were broken (due to the ServiceLocationLength error), you would see authentication failures or connection timeouts. The fact that it reports "No Work" means the communication pipe is open, but Intune is simply not sending the Offline Domain Join (ODJ) blob to the server.

    Since the server is creating a connection but receiving no tasks, the issue lies in the Intune Policy Assignment or the Device Registration, not the Server 2022 installation.

    You ought to check these three specific items immediately:

    1. The "Domain Join" Configuration Profile: Go to Intune > Devices > Windows > Configuration Profiles. Locate your Domain Join profile (the one where you specify the Domain Name and OU). => Crucial!! Ensure this profile is assigned to the Device Group containing your Autopilot devices. If this profile is not assigned, the device never asks Intune to generate the ODJ blob, and your server log remains empty ("No Work"), causing the laptop to time out.
    2. Verify the Computer Name Prefix: Inside that same Domain Join profile, ensure the "Computer name prefix" is set. If this is blank or invalid, the blob generation fails silently in the cloud before it ever reaches your connector.
    3. Targeting the Device, not the User: Hybrid Autopilot requires the Domain Join profile to be assigned to Device Groups, not User Groups, because the join happens before any user logs in.

    Even though the "No Work" log proves connectivity, the ServiceLocationLength 215 error is messy and implies a corrupted config file or registry key, likely a remnant of your multiple install/uninstall attempts. This can prevent the connector from auto-updating in the future.

    To clear this error and ensure a "clean" state:

    1. Uninstall the Intune Connector from the Server.
    2. Registry Cleanup (Mandatory):
      • Open regedit.
      • Navigate to HKLM\SOFTWARE\Microsoft\Intune\ODJConnector.
      • Delete this entire key. (The uninstaller often leaves the ServiceEndpoint or Proxy strings here, which causes the "Length 215" error upon reinstall).
      • Navigate to HKLM\SOFTWARE\Microsoft\Intune\ODJConnectorService.
      • Delete this key as well if it exists.
    3. File Cleanup:
      • Delete C:\Program Files\Microsoft Intune\ODJConnector.
    4. Reinstall:
      • Run the installer (ensure WebView2 is already there, as you noted).
      • Do not reuse an old setup file if possible; download a fresh ODJConnectorBootstrapper.exe from the Intune portal to ensure the certificates are fresh.
    5. Sign-in:
      • Complete the sign-in.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer then. Should you have more questions, feel free to leave a message. Have a nice day!

    VP


  2. VPHAN 10,640 Reputation points Independent Advisor
    2025-12-07T04:34:05.9466667+00:00

    Hi Woody Chiu at RASI,

    You definitely don't need to worry about the registries on those two old servers (ODJCON01 and ODJCON02).

    The registry keys (HKLM\SOFTWARE\Microsoft\Intune\...) are local configurations stored specifically on the hard drive of the machine they are installed on. They don't replicate to the cloud or affect other servers in your environment. Since those old servers are offline or destroyed, their "dirty" registry state effectively vanished with them and can't interfere with your current active server (ODJCON05).

    You can safely ignore them technically, but for administrative cleanliness, you should remove them from your Intune view so you don't accidentally troubleshoot the wrong entry later.

    Here is my recommendation for the Old Servers: Go to the Intune Portal screen shown in your screenshot. Select the check box next to ODJCON01. Click the Delete button (usually located in the top menu or the ellipsis ... menu). Repeat this for ODJCON02.

    This simply tells Intune to stop expecting a heartbeat from them. Once those are gone, you can proceed with confidence to perform the registry cleanup and re-installation on your current server (ODJCON05) to resolve the local errors there.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer then. Should you have more questions, feel free to leave a message. Have a nice day!

    VP


  3. Woody Chiu at RASI 231 Reputation points
    2025-12-07T14:37:22.6466667+00:00

    Hi VP,

    I couldn't find where to delete the two Inactive ICADs at all. Is that normal?

    Woody


  4. VPHAN 10,640 Reputation points Independent Advisor
    2025-12-07T17:20:29.1166667+00:00

    Yes, this is completely normal.

    It is a known quirk of the Intune Connector for Active Directory interface: There is no manual "Delete" button. Unlike devices or policies that you can manually remove, these connector records are simply status reports. Microsoft’s backend handles them automatically.

    Since you have already destroyed the servers ODJCON01 and ODJCON02, they will never "check in" again. They will sit in that list as Inactive for a set period (typically around 30 days). After that period of silence, Microsoft's "garbage collection" process will automatically remove them from the list.

    So you can safely ignore ODJCON01 and ODJCON02. They are "ghosts" in the UI only. They don't consume licenses, don't block your new server (ODJCON05) and don't confuse Intune (Intune only sends requests to "Active" connectors).

    Since we have confirmed the old servers are not a blocker, you should proceed immediately with the plan for your Active server (ODJCON05) to fix those event log errors.

    To recap the plan for ODJCON05:

    Uninstall the Intune Connector via Control Panel.

    Delete the Registry Key: HKLM\SOFTWARE\Microsoft\Intune\ODJConnector (This is the critical step to fix the "Length 215" error).

    Delete the Folder: C:\Program Files\Microsoft Intune\ODJConnector.

    Reinstall the connector using a fresh setup file.

    Once you do that, ODJCON05 should show up as "Active" again, but this time without the internal corruption errors in the Event Viewer.

    VP


  5. VPHAN 10,640 Reputation points Independent Advisor
    2025-12-07T23:40:42.79+00:00

    Well, the Intune key is missing from its standard alphabetical location (between Internet Explorer and IsoBurn), and you do see a MicrosoftIntune key further down the list, but that is typically used for the server's own MDM enrollment, not the ODJ Connector configuration. The fact that the Intune registry key is missing but the service was running (and throwing errors) confirms that your installation is in a "zombie" state. The corruption causing the ServiceLocationLength 215 error is not in the registry, but it is sitting inside the physical configuration files on your hard drive.

    Since the registry is already clean, you can skip the registry delete step. So to fix the ODJCON05 server:

    Step 1: Uninstall

    Go to Control Panel > Programs and Features => Uninstall the Intune Connector for Active Directory.

    Step 2: Delete the Corrupted Files: Since the registry was empty, the "bad data" causing the error is definitely in the installation folder => Open File Explorer => Navigate to C:\Program Files\Microsoft Intune. => Delete the entire ODJConnector folder.

    Note: If it says "File in use," make sure the "Intune ODJConnector Service" is stopped in services.msc.

    Step 3: Check the "Hidden" Registry (Optional): Just to be 100% thorough, sometimes the installer puts keys in the 32-bit compatibility zone. In Registry Editor, go to: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft. If you see an Intune folder there, delete it. If not, you are clear.

    Step 4: Reinstall

    Run the ODJConnectorBootstrapper.exe (installer).

    Important: When asked, sign in with your Global Admin or Intune Admin account to re-issue a fresh certificate.

    Once this is done, the service will create a fresh configuration file and a fresh registry key. The "Length 215" error will be gone, and since your Intune policies (Domain Join profile) are already correct, the connector should start picking up requests.

    VP
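
Added example, not part of any answer above and not Microsoft's own code: a read-only PowerShell check for the leftovers that the cleanup steps in answers 1, 4 and 5 refer to, plus a per-log count of "No Work" (30121) and error events. The registry paths, folder, service display name and event ID are the ones quoted in the thread; finding the event log channels through the wildcard `*Intune*` and the 24-hour look-back window are assumptions.

```powershell
# Read-only: reports state, deletes and changes nothing.
# Run in an elevated session on the connector server.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Intune\ODJConnector',
    'HKLM:\SOFTWARE\Microsoft\Intune\ODJConnectorService',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Intune'
)
$installDir         = 'C:\Program Files\Microsoft Intune\ODJConnector'
$serviceDisplayName = 'Intune ODJConnector Service'
$noWorkEventId      = 30121
$since              = (Get-Date).AddHours(-24)   # assumption: look-back window

# 1. Leftovers named in the cleanup steps: registry keys and install folder
$state = @(foreach ($path in ($regKeys + $installDir)) {
    [pscustomobject]@{ Item = $path; Present = (Test-Path -LiteralPath $path) }
})

# 2. Service state (the folder cannot be deleted while the service is running)
$svc = Get-Service -DisplayName $serviceDisplayName -ErrorAction SilentlyContinue
$serviceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$state += [pscustomobject]@{ Item = "Service: $serviceDisplayName"; Present = [bool]$svc }

# 3. Event logs: channel names are discovered by wildcard (assumption),
#    then summarised as "No Work" polls versus Critical/Error events.
$logs = Get-WinEvent -ListLog '*Intune*' -ErrorAction SilentlyContinue
$eventSummary = foreach ($log in $logs) {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = $log.LogName
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Log          = $log.LogName
        NoWork30121  = @($events | Where-Object { $_.Id -eq $noWorkEventId }).Count
        Errors       = @($events | Where-Object { $_.Level -in 1, 2 }).Count
        NewestRecord = ($events | Select-Object -First 1).TimeCreated
    }
}

$state | Format-Table -AutoSize
"Service status: $serviceStatus"
$eventSummary | Format-Table -AutoSize
```

After an uninstall, every `Present` value should be `False` before the reinstall; after the reinstall, a non-zero `NoWork30121` count is the polling behaviour answer 1 describes.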

