-
-
-
Identity pools of different machine identity join types
-
Identity pool of on-premises Active Directory joined machine identity
-
Identity pool of Azure Active Directory joined machine identity
-
Identity pool of Hybrid Azure Active Directory joined machine identity
-
Identity pool of Microsoft Intune enabled machine identity
-
-
Migrate workloads between resource locations using Image Portability Service
-
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Identity pool of Microsoft Intune enabled machine identity
Note:
Since July 2023, Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. In this document, any reference to Azure Active Directory, Azure AD, or AAD now refers to Microsoft Entra ID.
This article describes how to create identity pool of Microsoft Intune enabled machine identity using Citrix DaaS.
You can create:
- Azure AD joined catalogs enrolled in Microsoft Intune for persistent and non-persistent, single and multi-session VMs. For creating catalogs, see Create Azure AD catalogs enrolled in Microsoft Intune.
- Hybrid Azure AD joined catalogs enrolled in Microsoft Intune for persistent single and multi-session VMs using device credential with co-management capability. For creating catalogs, see Create Hybrid Azure AD joined catalogs enrolled in Microsoft Intune.
For information on requirements, limitations, and considerations, see Microsoft Intune.
Create Azure AD catalogs enrolled in Microsoft Intune
You can create Azure AD catalogs enrolled in Microsoft Intune for persistent and non-persistent VMs using both Studio and PowerShell.
Use Studio
The following information is a supplement to the guidance in Create machine catalogs.
In the catalog creation wizard:
-
On the Machine Identities page:
- Select Azure Active Directory joined and then Enroll the machines in Microsoft Intune. If enabled, enroll the machines in Microsoft Intune for management. You can create Azure AD joined catalogs enrolled in Microsoft Intune for both persistent and non-persistent single-session and multi-session VMs. However, for non-persistent VMs, you must have the VDA version as 2407 or later.
-
Click Select service account and select an available service account from the list. If a suitable service account is not available for the Azure AD tenant that the machine identities will join to, you can create a service account. For information on service account, see Azure AD service accounts.
Note:
The service account that you selected might be in an unhealthy status due to various reasons. You can go to Administrators > Service Accounts to view details and fix the issues according to the recommendations. Alternatively, you can proceed with the machine catalog operation and fix the issues later. If you do not fix the issue, stale Azure AD joined or Microsoft Intune enrolled devices are generated that can block Azure AD join of the machines.
Use PowerShell
The following are the PowerShell steps that are equivalent to operations in Studio.
To enroll machines in Microsoft Intune using the Remote PowerShell SDK, use the DeviceManagementType
parameter in New-AcctIdentityPool
. This feature requires that the catalog is Azure AD joined and that Azure AD possesses the correct Microsoft Intune license. For example:
New-AcctIdentityPool -AllowUnicode -DeviceManagementType "Intune" IdentityType="AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -ServiceAccountUid $serviceAccountUid -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
<!--NeedCopy-->
Troubleshoot
If machines fail to enroll in Microsoft Intune, do the following:
-
Check if the MCS-provisioned machines are Azure AD joined. The machines fail to enroll in Microsoft Intune if they are not Azure AD joined. See https://docs.citrix.com/en-us/citrix-daas/install-configure/create-machine-identities-joined-catalogs/create-azure-ad-joined-catalogs.html to troubleshoot Azure AD join issues.
-
Check if your Azure AD tenant is assigned with the appropriate Intune license. See https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses for license requirements of Microsoft Intune.
-
For catalogs that use master images with VDA version 2206 or earlier, check the provisioning status of the AADLoginForWindows extension for the machines. If the AADLoginForWindows extension does not exist, possible reasons are:
-
IdentityType
of the identity pool associated with the provisioning scheme is not set toAzureAD
orDeviceManagementType
is not set toIntune
. You can verify this by runningGet-AcctIdentityPool
. -
Azure policy has blocked the AADLoginForWindows extension installation.
-
-
To troubleshoot AADLoginForWindows extension provisioning failures, you can check logs under
C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows
on the MCS provisioned machine.Note:
MCS does not rely on the
AADLoginForWindows
extension to join a VM to Azure AD and enroll to Microsoft Intune when using a master image with VDA version 2209 or later. In this case, theAADLoginForWindows
extension is not installed on the MCS-provisioned machine. Therefore,AADLoginForWindows
extension provisioning logs can’t be collected. -
Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider.
-
The service account that you selected might be in an unhealthy status due to various reasons. You can go to Administrators > Service Accounts to view details and fix the issues according to the recommendations. If you do not fix the issue, stale Azure AD joined or Microsoft Intune enrolled devices are generated that can block Azure AD join of the machines.
Create Hybrid Azure AD joined catalogs enrolled in Microsoft Intune
You can create co-management enabled catalogs for Hybrid Azure AD joined catalogs enrolled in Microsoft Intune for persistent single and multi-session VMs. You can create co-management enabled catalogs using both Studio and PowerShell.
Use Studio
The following information is a supplement to the guidance in Create machine catalogs.
In the Machine Catalog Setup wizard:
- On the Machine Identities page, select Hybrid Azure Active Directory joined and then Enroll the machines in Microsoft Intune with Configuration Manager. Using this action, Configuration Manager and Microsoft Intune (that is, co-managed) manages the VMs.
Use PowerShell
The following are the PowerShell steps equivalent to steps in Studio.
To enroll machines in Microsoft Intune with Configuration Manager using the Remote PowerShell SDK, use the DeviceManagementType
parameter in New-AcctIdentityPool
. This feature requires that the catalog is Hybrid Azure AD joined and that Azure AD possesses the correct Microsoft Intune license.
The difference between Hybrid Azure AD joined catalogs and co-management enabled ones lies in the creation of the identity pool. For example:
New-AcctIdentityPool -AllowUnicode -DeviceManagementType "IntuneWithSCCM" IdentityType="HybridAzureAD" -IdentityPoolName "CoManagedCatalog" -NamingScheme "CoManaged-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
<!--NeedCopy-->
Troubleshoot
If machines fail to enroll in Microsoft Intune or fail to reach co-management state, do the following:
-
Check Intune license
Check if your Azure AD tenant is assigned with the appropriate Intune license. See Microsoft Intune licensing for license requirements of Microsoft Intune.
-
Check Hybrid Azure AD join status
Check if the MCS-provisioned machines are Hybrid Azure AD joined. The machines are not eligible for co-management if not Hybrid Azure AD joined. See Troubleshoot to troubleshoot Hybrid Azure AD join issues.
-
Check co-management eligibility
-
Check if the MCS-provisioned machines are correctly assigned with the expected Configuration Manager site. To get the assigned site, run the following PowerShell command on the affected machines.
(New-Object -ComObject "Microsoft.SMS.Client").GetAssignedSite() <!--NeedCopy-->
-
If no site is assigned to the VM, use the following command to check if the Configuration Manager site can be automatically discovered.
(New-Object -ComObject "Microsoft.SMS.Client").AutoDiscoverSite() <!--NeedCopy-->
-
Ensure that boundaries and boundary groups are well configured in your Configuration Manager environment if no site code can be discovered. See Considerations for details.
-
Check
C:\Windows\CCM\Logs\ClientLocation.log
for any Configuration Manager client site assignment issues. -
Check the co-management states of the machines. Open the Configuration Manager control panel on the affected machines and go to the General tab. The value of Co-management property must be Enabled. If not, check logs under
C:\Windows\CCM\Logs\CoManagementHandler.log
.
-
-
Check Intune enrollment
Machines might fail to enroll in Microsoft Intune even if all prerequisites are satisfied. Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for Intune enrollment issues.
More information
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.