Citrix DaaS

Create Microsoft Intune enabled catalogs


Since July 2023, Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. In this document, any reference to Azure Active Directory, Azure AD, or AAD now refers to Microsoft Entra ID.

This article describes how to create Microsoft Intune enabled catalogs using Citrix DaaS. You can enable Microsoft Intune by using the Full Configuration interface or PowerShell.

For information on requirements, limitations, and considerations, see Microsoft Intune.

Use the Full Configuration interface

The following information is a supplement to the guidance in Create machine catalogs. This feature requires the selection of Azure Active Directory joined in Machine Identities during catalog creation. Follow the general guidance in that article, minding the details specific to this feature.

In the catalog creation wizard:

  • On the Machine Identities page, select Azure Active Directory joined and then select Enroll the machines in Microsoft Intune. When this option is enabled, the machines are enrolled in Microsoft Intune for management.

Use PowerShell

The following are PowerShell steps equivalent to operations in Full Configuration.

To enroll machines in Microsoft Intune using the Remote PowerShell SDK, use the DeviceManagementType parameter in New-AcctIdentityPool. This feature requires that the catalog is Azure AD joined and that Azure AD possesses the correct Microsoft Intune license. For example:

New-AcctIdentityPool -AllowUnicode -DeviceManagementType "Intune" -IdentityType "AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"


If machines fail to enroll in Microsoft Intune, do the following:

  • Check if the MCS-provisioned machines are Azure AD joined. The machines fail to enroll in Microsoft Intune if they are not Azure AD joined. See to troubleshoot Azure AD join issues.

  • Check if your Azure AD tenant is assigned with the appropriate Intune license. See for license requirements of Microsoft Intune.

  • For catalogs that use master images with VDA version 2206 or earlier, check the provisioning status of AADLoginForWindows extension for the machines. If the AADLoginForWindows extension does not exist, possible reasons are:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to AzureAD or DeviceManagementType is not set to Intune. You can verify this by running Get-AcctIdentityPool.

    • The AADLoginForWindows extension installation is blocked by Azure policy.

  • To troubleshoot AADLoginForWindows extension provisioning failures, check the logs under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows on the MCS-provisioned machine.


    MCS does not rely on the AADLoginForWindows extension to join a VM to Azure AD and enroll it in Microsoft Intune when using a master image with VDA version 2209 or later. In this case, the AADLoginForWindows extension is not installed on the MCS-provisioned machine, so AADLoginForWindows extension provisioning logs can’t be collected.

  • Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider.
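
The checks in the list above can be scripted. The following is an added example, not code from Citrix: the function names are hypothetical, and `dsregcmd /status` and the `/Admin` event channel are standard Windows items that this article does not name. The first function runs where the Remote PowerShell SDK is loaded and authenticated; the second runs in an elevated session on the MCS-provisioned machine.

```powershell
# Added example. Function names are hypothetical, not part of the Citrix SDK.

# Run where the Citrix Remote PowerShell SDK is loaded and authenticated.
function Test-IntuneIdentityPool {
    param([Parameter(Mandatory)][string]$IdentityPoolName)
    $pool = Get-AcctIdentityPool -IdentityPoolName $IdentityPoolName
    [pscustomobject]@{
        IdentityPoolName     = $pool.IdentityPoolName
        IdentityType         = $pool.IdentityType
        DeviceManagementType = $pool.DeviceManagementType
        # Both values must match for MCS to attempt Intune enrollment.
        ConfiguredForIntune  = ("$($pool.IdentityType)" -eq 'AzureAD') -and
                               ("$($pool.DeviceManagementType)" -eq 'Intune')
    }
}

# Run in an elevated session on the MCS-provisioned machine.
function Get-IntuneEnrollmentEvidence {
    param([int]$MaxEvents = 20)

    # dsregcmd /status prints "AzureAdJoined : YES" on a joined device.
    $joined = [bool](dsregcmd.exe /status |
        Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

    # Extension logs exist only with master images on VDA 2206 or earlier.
    $extLogs = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows'

    # Admin channel of the DeviceManagement-Enterprise-Diagnostics-Provider log.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    # Levels 1-3 are Critical, Error and Warning; an empty log is not an error here.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        AzureAdJoined        = $joined
        ExtensionLogsPresent = Test-Path -Path $extLogs
        EnrollmentEvents     = @($events)
    }
}

# Usage with the identity pool name from the example earlier in this article:
#   Test-IntuneIdentityPool -IdentityPoolName 'AzureADJoinedCatalog'
#   Get-IntuneEnrollmentEvidence | Format-List
```

On machines built from a master image with VDA version 2209 or later, `ExtensionLogsPresent` is expected to be false, so rely on the join state and the event log entries instead.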
