Citrix DaaS™

Identity pool of Microsoft Intune enabled machine identity

This article describes how to create an identity pool for Microsoft Intune enabled machine identities using Citrix DaaS.

You can create:

  • Microsoft Entra joined catalogs enrolled in Microsoft Intune
  • Microsoft Entra hybrid joined catalogs enrolled in Microsoft Intune (co-managed with Configuration Manager)

For information on requirements, limitations, and considerations, see Microsoft Intune.

Create Microsoft Entra catalogs enrolled in Microsoft Intune

You can create Microsoft Entra catalogs enrolled in Microsoft Intune for persistent and non-persistent VMs using both Studio and PowerShell.

For information on requirements, limitations, and considerations, see:

Use Studio

The following information is a supplement to the guidance in Create machine catalogs.

In the catalog creation wizard:

  • On the Machine Identities page:

    • Select Microsoft Entra joined and then select Enroll the machines in Microsoft Intune. When this option is enabled, the machines are enrolled in Microsoft Intune for management. You can create Microsoft Entra joined catalogs enrolled in Microsoft Intune for both persistent and non-persistent single-session and multi-session VMs. Non-persistent VMs, however, require VDA version 2407 or later.
    • Click Select service account and select an available service account from the list. If no suitable service account exists for the Microsoft Entra tenant that the machine identities will join, you can create one. For information on service accounts, see Microsoft Entra service accounts.

      Note:

      The service account that you selected might be in an unhealthy status for various reasons. Go to Administrators > Service Accounts to view details and fix the issues according to the recommendations. Alternatively, you can proceed with the machine catalog operation and fix the issues later. If you do not fix the issue, stale Microsoft Entra joined or Microsoft Intune enrolled devices are generated, which can block Microsoft Entra join of the machines.

Use PowerShell

The following are the PowerShell steps that are equivalent to operations in Studio.

To enroll machines in Microsoft Intune using the Remote PowerShell SDK, use the DeviceManagementType parameter of New-AcctIdentityPool. This feature requires that the catalog is Microsoft Entra joined and that the Microsoft Entra tenant holds the required Microsoft Intune license. For example:

New-AcctIdentityPool -AllowUnicode -DeviceManagementType "Intune" -IdentityType "AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -ServiceAccountUid $serviceAccountUid -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
<!--NeedCopy-->

Example to create a Microsoft Entra catalog enrolled in Microsoft Intune using a prepared image:

New-ProvScheme -ProvisioningSchemeName <name> -ImageVersionSpecUid <preparedVersionSpecUid> -HostingUnitUid <hostingUnitUid> -IdentityPoolUid <IdentityPoolUid> [-CleanOnBoot] -NetworkMapping @{"0"="XDHyp:\HostingUnits\<hostingunitName>\<region>.region\virtualprivatecloud.folder\<resourcegroupName>.resourcegroup\<vnetName>.virtualprivatecloud\<subnetName>.network"} -ServiceOffering <serviceofferingPath> [-MachineProfile <machineProfilePath>] [-CustomProperties <>]
<!--NeedCopy-->

Troubleshoot

If machines fail to enroll in Microsoft Intune, do the following:

  • Check if the MCS-provisioned machines are Microsoft Entra joined. Machines that are not Microsoft Entra joined cannot enroll in Microsoft Intune. For Microsoft Entra join issues, see Troubleshoot.

  • Check if your Microsoft Entra tenant is assigned with the appropriate Intune license. See https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses for license requirements of Microsoft Intune.

  • For catalogs that use master images with VDA version 2206 or earlier, check the provisioning status of the AADLoginForWindows extension for the machines. If the AADLoginForWindows extension does not exist, possible reasons are:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to AzureAD or DeviceManagementType is not set to Intune. You can verify this by running Get-AcctIdentityPool.

    • Azure policy has blocked the AADLoginForWindows extension installation.

  • To troubleshoot AADLoginForWindows extension provisioning failures, you can check logs under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows on the MCS provisioned machine.

    Note:

    MCS does not rely on the AADLoginForWindows extension to join a VM to Microsoft Entra ID and enroll to Microsoft Intune when using a master image with VDA version 2209 or later. In this case, the AADLoginForWindows extension is not installed on the MCS-provisioned machine. Therefore, AADLoginForWindows extension provisioning logs can’t be collected.

  • Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider.

  • The service account that you selected might be in an unhealthy status for various reasons. Go to Administrators > Service Accounts to view details and fix the issues according to the recommendations. If you do not fix the issue, stale Microsoft Entra joined or Microsoft Intune enrolled devices are generated, which can block Microsoft Entra join of the machines.

Create Microsoft Entra hybrid joined catalogs enrolled in Microsoft Intune

You can create co-management enabled catalogs, that is, Microsoft Entra hybrid joined catalogs enrolled in Microsoft Intune, for persistent single-session and multi-session VMs. You can create them using either Studio or PowerShell.

For information on requirements, limitations, and considerations, see:

Use Studio

The following information is a supplement to the guidance in Create machine catalogs.

In the Machine Catalog Setup wizard:

  • On the Machine Identities page, select Microsoft Entra hybrid joined and then select Enroll the machines in Microsoft Intune with Configuration Manager. With this option, the VMs are co-managed: Configuration Manager and Microsoft Intune manage them together.

Use PowerShell

The following are the PowerShell steps equivalent to steps in Studio.

To enroll machines in Microsoft Intune with Configuration Manager using the Remote PowerShell SDK, use the DeviceManagementType parameter of New-AcctIdentityPool. This feature requires that the catalog is Microsoft Entra hybrid joined and that the Microsoft Entra tenant holds the required Microsoft Intune license.

The only difference between a Microsoft Entra hybrid joined catalog and a co-management enabled one lies in how the identity pool is created: DeviceManagementType is set to IntuneWithSCCM. For example:

New-AcctIdentityPool -AllowUnicode -DeviceManagementType "IntuneWithSCCM" -IdentityType "HybridAzureAD" -IdentityPoolName "CoManagedCatalog" -NamingScheme "CoManaged-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
<!--NeedCopy-->

You can also create a persistent Hybrid Microsoft Entra catalog enrolled in Microsoft Intune using a prepared image. For the complete set of PowerShell commands to create image definition, image version, and prepared image version spec, see:

After creating the prepared image version spec, create the identity pool and machine catalog. For example:

New-AcctIdentityPool -IdentityPoolName "mypool" -NamingScheme "ACC##" -NamingSchemeType "Numeric" -ZoneUid $zoneuid -Domain $domainName -OU "OU=HAAD Computers,DC=haad,DC=link" -IdentityType "HybridAzureAD" -DeviceManagementType "IntuneWithSCCM"

New-ProvScheme -ProvisioningSchemeName <name> -ImageVersionSpecUid <preparedVersionSpecUid> -HostingUnitUid <hostingUnitUid> -IdentityPoolUid <IdentityPoolUid> [-CleanOnBoot] -NetworkMapping @{"0"="XDHyp:\HostingUnits\<hostingunitName>\<region>.region\virtualprivatecloud.folder\<resourcegroupName>.resourcegroup\<vnetName>.virtualprivatecloud\<subnetName>.network"} -ServiceOffering <serviceofferingPath> [-MachineProfile <machineProfilePath>] [-CustomProperties <>]
<!--NeedCopy-->
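The identity pool commands for Microsoft Entra joined catalogs and for Microsoft Entra hybrid joined (co-managed) catalogs differ only in IdentityType, DeviceManagementType and the join-specific parameters. The following script is an added example, not part of this article or of the Citrix SDK, that creates either kind of pool from one set of parameters and then verifies through Get-AcctIdentityPool that IdentityType and DeviceManagementType were recorded as intended before you hand the pool to New-ProvScheme. It assumes an authenticated Remote PowerShell SDK session, that Get-ConfigZone resolves the zone by name, and that the pool name, naming scheme, zone name, service account Uid, domain and OU shown are placeholders for your own values.

```powershell
# Added example (not from the Citrix article). Creates a Microsoft Intune enabled
# identity pool for an Entra joined (AzureAD) or Entra hybrid joined
# (HybridAzureAD) catalog and verifies it. Run in an authenticated Remote
# PowerShell SDK session. All names and Uids below are placeholders.
param(
    [ValidateSet('AzureAD', 'HybridAzureAD')]
    [string]$IdentityType = 'AzureAD',
    [string]$PoolName = 'IntuneCatalogPool',
    [string]$ZoneName = 'Primary',        # assumption: zone name in your site
    [string]$ServiceAccountUid,           # required for AzureAD pools
    [string]$Domain,                      # required for HybridAzureAD pools
    [string]$OU                           # e.g. "OU=Intune Computers,DC=corp,DC=example"
)

# The device management type follows the identity type: Entra joined machines
# enroll in Intune directly, hybrid joined machines enroll via co-management.
$deviceManagementType = if ($IdentityType -eq 'AzureAD') { 'Intune' } else { 'IntuneWithSCCM' }

$zone = Get-ConfigZone -Name $ZoneName
if (-not $zone) { throw "Zone '$ZoneName' not found." }

# Parameters common to both pool types (same values as the article's examples).
$poolParams = @{
    IdentityPoolName     = $PoolName
    IdentityType         = $IdentityType
    DeviceManagementType = $deviceManagementType
    NamingScheme         = 'INT-VM-###'
    NamingSchemeType     = 'Numeric'
    ZoneUid              = $zone.Uid
    Scope                = @()
    AllowUnicode         = $true
}

if ($IdentityType -eq 'AzureAD') {
    # Entra joined pools are workgroup machines tied to a service account.
    if (-not $ServiceAccountUid) { throw 'An Entra joined pool needs -ServiceAccountUid.' }
    $poolParams.WorkgroupMachine  = $true
    $poolParams.ServiceAccountUid = $ServiceAccountUid
}
else {
    # Hybrid joined pools still create AD computer objects in the given OU.
    if (-not $Domain -or -not $OU) { throw 'A hybrid joined pool needs -Domain and -OU.' }
    $poolParams.Domain = $Domain
    $poolParams.OU     = $OU
}

$null = New-AcctIdentityPool @poolParams

# Verify the two properties the troubleshooting section tells you to check.
# A pool without them silently produces machines that never enroll.
$check = Get-AcctIdentityPool -IdentityPoolName $PoolName
if ($check.IdentityType -ne $IdentityType -or
    $check.DeviceManagementType -ne $deviceManagementType) {
    throw ("Identity pool '{0}' has IdentityType={1} DeviceManagementType={2}; expected {3}/{4}." -f
        $PoolName, $check.IdentityType, $check.DeviceManagementType, $IdentityType, $deviceManagementType)
}

"Identity pool {0} ready. Pass -IdentityPoolUid {1} to New-ProvScheme." -f $check.IdentityPoolName, $check.IdentityPoolUid
```

Run it as `.\New-IntunePool.ps1 -IdentityType AzureAD -ServiceAccountUid <uid>` or `.\New-IntunePool.ps1 -IdentityType HybridAzureAD -Domain corp.example -OU "OU=Intune Computers,DC=corp,DC=example"`; the returned IdentityPoolUid is the value the New-ProvScheme examples above expect.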

Note:

Enrollment of Microsoft Entra hybrid joined non-persistent VMs into Microsoft Intune is currently under preview.

Troubleshoot

If machines fail to enroll in Microsoft Intune or fail to reach co-management state, do the following:

  • Check Intune license

    Check if your Microsoft Entra tenant is assigned with the appropriate Intune license. See Microsoft Intune licensing for license requirements of Microsoft Intune.

  • Check Hybrid Microsoft Entra join status

    Check if the MCS-provisioned machines are Microsoft Entra hybrid joined. Machines that are not Microsoft Entra hybrid joined are not eligible for co-management. For Microsoft Entra hybrid join issues, see Troubleshoot.

  • Check co-management eligibility

    • Check if the MCS-provisioned machines are assigned to the expected Configuration Manager site. To get the assigned site, run the following PowerShell command on the affected machines.

       (New-Object -ComObject "Microsoft.SMS.Client").GetAssignedSite()
       <!--NeedCopy-->
      
    • If no site is assigned to the VM, use the following command to check if the Configuration Manager site can be automatically discovered.

       (New-Object -ComObject "Microsoft.SMS.Client").AutoDiscoverSite()
       <!--NeedCopy-->
      
    • Ensure that boundaries and boundary groups are well configured in your Configuration Manager environment if no site code can be discovered. See Considerations for details.

    • Check C:\Windows\CCM\Logs\ClientLocation.log for any Configuration Manager client site assignment issues.

    • Check the co-management state of the machines. Open the Configuration Manager control panel on the affected machines and go to the General tab. The Co-management property must read Enabled. If it does not, check C:\Windows\CCM\Logs\CoManagementHandler.log.

  • Check Intune enrollment

    Machines might fail to enroll in Microsoft Intune even if all prerequisites are satisfied. Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for Intune enrollment issues.
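The checks in this troubleshooting section and in the one for Microsoft Entra joined catalogs above can be run in a single pass on the affected VM. The following script is an added example, not part of this article or of the Citrix or Microsoft tooling, that collects the join state, the Configuration Manager site assignment and co-management logs (hybrid catalogs only), any AADLoginForWindows extension logs (present only for VDA 2206 or earlier images) and the recent errors from the DeviceManagement-Enterprise-Diagnostics-Provider event log. It assumes it is run as an administrator on the MCS-provisioned machine and that dsregcmd, the Microsoft.SMS.Client COM object and the log paths named in the article exist there; the search patterns used against the Configuration Manager logs are assumptions, not documented markers. Whether the tenant holds an Intune license cannot be determined from the VM and is left to the Microsoft Entra admin center.

```powershell
# Added example (not from the Citrix article). Run as administrator on an
# MCS-provisioned VM that fails to enroll in Microsoft Intune.
# Use -Hybrid for Microsoft Entra hybrid joined (co-managed) catalogs.
param([switch]$Hybrid)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Join state. dsregcmd /status prints "AzureAdJoined : YES" and
#    "DomainJoined : YES" lines; a hybrid joined device needs both.
$dsreg = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
if (-not $azureAdJoined) {
    $findings.Add('Device is not Microsoft Entra joined; fix the join before looking at Intune enrollment.')
}
if ($Hybrid -and -not $domainJoined) {
    $findings.Add('Device is not AD domain joined, so it cannot be hybrid joined or co-managed.')
}

# 2. Configuration Manager site assignment and co-management (hybrid only).
if ($Hybrid) {
    try {
        $smsClient = New-Object -ComObject 'Microsoft.SMS.Client'
        $site = $smsClient.GetAssignedSite()
        if (-not $site) {
            # Not assigned: see whether boundaries would let the client find a site.
            $discovered = $smsClient.AutoDiscoverSite()
            if ($discovered) {
                $findings.Add("No site assigned, but '$discovered' is discoverable; check ClientLocation.log for the assignment failure.")
            } else {
                $findings.Add('No Configuration Manager site assigned or discoverable; review boundaries and boundary groups.')
            }
        }
    } catch {
        $findings.Add('Configuration Manager client COM object not available; is the client installed?')
    }

    # Assumption: 'error' / 'fail' substrings mark the lines worth reading.
    foreach ($log in 'ClientLocation.log', 'CoManagementHandler.log') {
        $path = Join-Path 'C:\Windows\CCM\Logs' $log
        if (Test-Path $path) {
            $hits = Select-String -Path $path -Pattern 'error|fail' | Select-Object -Last 5
            foreach ($h in $hits) { $findings.Add("${log}: $($h.Line.Trim())") }
        } else {
            $findings.Add("$log not found under C:\Windows\CCM\Logs.")
        }
    }
}

# 3. AADLoginForWindows extension logs exist only when the master image runs
#    VDA 2206 or earlier; VDA 2209 and later do not install the extension.
$extLog = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows'
if (Test-Path $extLog) {
    Get-ChildItem -Path $extLog -Recurse -Filter '*.log' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 3 |
        ForEach-Object { $findings.Add("Extension log to review: $($_.FullName)") }
} else {
    $findings.Add('No AADLoginForWindows extension logs (expected for VDA 2209 or later images).')
}

# 4. MDM enrollment errors (Level 2 = Error) from the Admin channel of the
#    DeviceManagement-Enterprise-Diagnostics-Provider log.
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $firstLine = ($ev.Message -split "`r?`n")[0]
    $findings.Add(('MDM {0:u} event {1}: {2}' -f $ev.TimeCreated, $ev.Id, $firstLine))
}

if ($findings.Count -eq 0) { 'No obvious enrollment blockers found on this machine.' } else { $findings }
```

Read the output top down: a join-state finding explains everything below it, a site-assignment finding explains a missing co-management state, and only once both are clean do the MDM events point at Intune itself.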
