-
-
Identity pools of different machine identity join types
-
Identity pool of on-premises Active Directory joined machine identity
-
Identity pool of Microsoft Entra hybrid joined machine identity
-
-
Cloud Connector Standalone Citrix Secure Ticketing Authority (STA) service
-
-
-
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Identity pool of Microsoft Entra hybrid joined machine identity
This article describes how to create identity pool of:
- Microsoft Entra hybrid joined catalogs
- Microsoft Entra hybrid joined catalogs enrolled in Microsoft Intune
For information on requirements, limitations, and considerations, see Microsoft Entra hybrid joined.
Create Microsoft Entra hybrid joined catalogs
Use Web Studio
The following information is a supplement to the guidance in Create machine catalogs.
On the Machine Identities page of the catalog creation wizard:
-
Select Microsoft Entra hybrid joined. The created machines are owned by an organization and are signed into with an Active Directory account that belongs to that organization.
-
To enroll the created machines into Microsoft Intune (including Configuration Manager) for device management, select Enroll the machines in Microsoft Intune with Configuration Manager. To avoid errors during catalog creation, ensure that the master image meets the following requirements:
- Has VDA version 2405 or later installed.
- Has the Configuration Manager client installed with the site code unassigned. For more information, see this Microsoft article.
Note:
If you select Microsoft Entra hybrid joined as the identity type, each machine in the catalog must have a corresponding AD computer account.
Use PowerShell
The following are PowerShell steps equivalent to operations in Web Studio. For information on how to create a catalog using the Remote PowerShell SDK, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/creating-a-catalog/.
The difference between on-premises AD joined catalogs and Microsoft Entra hybrid joined ones lies in the creation of the identity pool and the machine accounts.
To create an identity pool along with the accounts for Microsoft Entra hybrid joined catalogs:
New-AcctIdentityPool -AllowUnicode -IdentityType "HybridAzureAD" -Domain "corp.local" -IdentityPoolName "HybridAADJoinedCatalog" -NamingScheme "HybridAAD-VM-##" -NamingSchemeType "Numeric" -OU "CN=AADComputers,DC=corp,DC=local" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
New-AcctIdentity -IdentityPoolName "HybridAADJoinedCatalog" -Count 10 -ADUserName "corp\admin1" -ADPassword $password
Set-AcctAdAccountUserCert -IdentityPoolName "HybridAADJoinedCatalog" -All -ADUserName "corp\admin1" -ADPassword $password
<!--NeedCopy-->
Note:
$passwordis the matching password for an AD user account with Write Permissions.
All other commands used to create Microsoft Entra hybrid joined catalogs are the same as for traditional on-premises AD joined catalogs.
View the status of the Microsoft Entra hybrid join process
In the Web Studio, the status of the Microsoft Entra hybrid join process is visible when Microsoft Entra hybrid joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:
- Microsoft Entra hybrid joined
- Not yet joined to Microsoft Entra ID
Note:
- You might experience delayed Microsoft Entra hybrid join when the machine initially powers on. This is caused by the default machine identity sync interval (30 minutes of Microsoft Entra Connect). The machine is in Microsoft Entra hybrid joined state only after the machine identities are synced to Microsoft Entra ID through Microsoft Entra Connect.
- If machines fail to be in Microsoft Entra hybrid joined state, they are not registered with the Delivery Controller. Their registration status appears as Initialization.
Also, using the Web Studio, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.
Troubleshoot
If machines fail to be Microsoft Entra hybrid joined, do the following:
-
Check if the machine account has been synced to Microsoft Entra ID through the Microsoft Microsoft Entra ID portal. If synced, Not yet joined to Microsoft Entra ID appears, indicating pending registration status.
To sync machine accounts to Microsoft Entra ID, make sure:
- The machine account is in the OU that is configured to be synced with Microsoft Entra ID. Machine accounts without the userCertificate attribute are not synced to Microsoft Entra ID even they are in the OU that is configured to be synced.
- The attribute userCertificate populates in the machine account. Use Active Directory Explorer to view the attribute.
- Microsoft Entra Connect must have been synced at least once after the machine account is created. If not, manually run the
Start-ADSyncSyncCycle -PolicyType Deltacommand in the PowerShell console of the Microsoft Entra Connect machine to trigger an immediate sync.
-
Check if the Citrix managed device key pair for Microsoft Entra hybrid join is correctly pushed to the machine by querying the value of DeviceKeyPairRestored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix.
Verify that the value is 1. If not, possible reasons are:
-
IdentityTypeof the identity pool associated with the provisioning scheme is not set toHybridAzureAD. You can verify this by runningGet-AcctIdentityPool. - The machine is not provisioned using the same provisioning scheme of the machine catalog.
- The machine is not joined to the local domain. Local domain joined is a prerequisite of the Microsoft Entra hybrid join.
-
-
Check diagnostic messages by running the
dsregcmd /status /debugcommand on the MCS-provisioned machine.-
If Microsoft Entra hybrid join is successful, AzureAdJoined and DomainJoined are YES in the output of the command line.
-
If not, refer to the Microsoft documentation to troubleshoot the issues: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current.
-
If you get the error message Server Message: The user certificate is not found on the device with id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, then run the following PowerShell command to repair the user certificate:
Repair-AcctIdentity -IdentityAccountName TEST\VM1 -Target UserCertificate <!--NeedCopy-->For more information about the user certificate issue, see CTX566696.
-
Create Microsoft Entra hybrid joined catalogs enrolled in Microsoft Intune
You can create co-management enabled catalogs for Microsoft Entra hybrid joined catalogs enrolled in Microsoft Intune for persistent single and multi-session VMs. You can create co-management enabled catalogs using both Studio and PowerShell.
Use Web Studio
The following information is a supplement to the guidance in Create machine catalogs.
In the Machine Catalog Setup wizard:
- On the Machine Identities page, select Microsoft Entra hybrid joined and then Enroll the machines in Microsoft Intune with Configuration Manager. Using this action, Configuration Manager and Microsoft Intune (that is, co-managed) manages the VMs.
Use PowerShell
The following are the PowerShell steps equivalent to steps in Studio.
To enroll machines in Microsoft Intune with Configuration Manager using the Remote PowerShell SDK, use the DeviceManagementType parameter in New-AcctIdentityPool. This feature requires that the catalog is Microsoft Entra hybrid joined and that Microsoft Entra ID possesses the correct Microsoft Intune license.
The difference between Microsoft Entra hybrid joined catalogs and co-management enabled ones lies in the creation of the identity pool. For example:
New-AcctIdentityPool -AllowUnicode -DeviceManagementType "IntuneWithSCCM" IdentityType="HybridAzureAD" -IdentityPoolName "CoManagedCatalog" -NamingScheme "CoManaged-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
<!--NeedCopy-->
Troubleshoot
If machines fail to enroll in Microsoft Intune or fail to reach co-management state, do the following:
-
Check Intune license
Check if your Microsoft Entra tenant is assigned with the appropriate Intune license. See Microsoft Intune licensing for license requirements of Microsoft Intune.
-
Check Microsoft Entra hybrid join status
Check if the MCS-provisioned machines are Microsoft Entra hybrid joined. The machines are not eligible for co-management if not Microsoft Entra hybrid joined. See Troubleshoot to troubleshoot Microsoft Entra hybrid join issues.
-
Check co-management eligibility
-
Check if the MCS-provisioned machines are correctly assigned with the expected Configuration Manager site. To get the assigned site, run the following PowerShell command on the affected machines.
(New-Object -ComObject "Microsoft.SMS.Client").GetAssignedSite() <!--NeedCopy--> -
If no site is assigned to the VM, use the following command to check if the Configuration Manager site can be automatically discovered.
(New-Object -ComObject "Microsoft.SMS.Client").AutoDiscoverSite() <!--NeedCopy--> -
Ensure that boundaries and boundary groups are well configured in your Configuration Manager environment if no site code can be discovered. See Considerations for details.
-
Check
C:\Windows\CCM\Logs\ClientLocation.logfor any Configuration Manager client site assignment issues. -
Check the co-management states of the machines. Open the Configuration Manager control panel on the affected machines and go to the General tab. The value of Co-management property must be Enabled. If not, check logs under
C:\Windows\CCM\Logs\CoManagementHandler.log.
-
-
Check Intune enrollment
Machines might fail to enroll in Microsoft Intune even if all prerequisites are satisfied. Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for Intune enrollment issues.
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.