Create Microsoft Intune enabled catalogs
This article describes how to create Microsoft Intune enabled catalogs using Citrix DaaS. You can enable Microsoft Intune by using the Full Configuration interface or PowerShell.
For information on requirements, limitations, and considerations, seeMicrosoft Intune.
Use the Full Configuration interface
The following information is a supplement to the guidance inCreate machine catalogs. This feature requires the selection ofAzure Active Directory joinedinMachine Identitiesduring catalog creation. Follow the general guidance in that article, minding the details specific to this feature.
In the catalog creation wizard:
- On theMachine Identitiespage, selectAzure Active Directory joinedand thenEnroll the machines in Microsoft Intune. If enabled, enroll the machines in Microsoft Intune for management.
Use PowerShell
The following are PowerShell steps equivalent to operations in Full Configuration.
To enroll machines in Microsoft Intune using the Remote PowerShell SDK, use theDeviceManagementTypeparameter inNew-AcctIdentityPool. This feature requires that the catalog is Azure AD joined and that Azure AD possesses the correct Microsoft Intune license. For example:
New-AcctIdentityPool -AllowUnicode -DeviceManagementType "Intune" IdentityType="AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05" Troubleshoot
If machines fail to enroll in Microsoft Intune, do the following:
Check if the MCS-provisioned machines are Azure AD joined. The machines fail to enroll in Microsoft Intune if they are not Azure AD joined. Seehttps://docs.citrix.com/en-us/citrix-daas/install-configure/create-machine-identities-joined-catalogs/create-azure-ad-joined-catalogs.htmlto troubleshoot Azure AD join issues.
Check if your Azure AD tenant is assigned with the appropriate Intune license. Seehttps://learn.microsoft.com/en-us/mem/intune/fundamentals/licensesfor license requirement of Microsoft Intune.
Check the provisioning status ofAADLoginForWindowsextension for the machines. MCS relies on this extension to join a virtual machine to Azure AD and enroll in Microsoft Intune. If theAADLoginForWindowsextension does not exist, possible reasons are:
IdentityTypeof the identity pool associated with the provisioning scheme is not set toAzureADorDeviceManagementTypeis not set toIntune. You can verify this by runningGet-AcctIdentityPool.TheAADLoginForWindowsextension installation is blocked by Azure policy.
To troubleshootAADLoginForWindowsextension provisioning failures, you can check logs under
C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindowson the MCS provisioned machine.Check Windows event logs underApplication and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider.