Provision Hybrid AAD joined Virtual Machine on Azure to enable Intune
Article ID: CTX284738
Description
This article describes how to provision Hybrid Azure AD joined virtual machines using Machine Creation Services (MCS). This configuration is specifically required when Citrix Virtual Apps and Desktops workloads are managed with Microsoft Intune.
Instructions
Requirements:
- Master VM (Windows 10 1607 or newer) joined to an Active Directory Domain.
- This process works only with managed (non-federated) identity infrastructures. It will not function in federated identity infrastructures.
Register the master VM to Azure AD as a Hybrid Azure AD joined device, and then leave
Follow these steps to register the master VM to Azure AD. See the Microsoft documentation on setting up Intune to manage WVD VMs with policy and apps.
- Verify that the master VM appears as a Hybrid Azure AD joined device in Azure AD administrative portal.
- Run dsregcmd /status on the master VM. The line “AzureAdJoined : YES” in the output indicates that the master VM can join Azure AD correctly.
- Run dsregcmd /leave on the master VM so that master VM is NOT Hybrid Azure AD joined.
- If the master VM was built and updated using Configuration Manager in an environment where Hybrid Azure AD Join and Co-Management are enabled for all devices (which automatically enrolls devices in Microsoft Intune), the master VM is already enrolled. When the master image is cloned to create new worker VMs (persistent or non-persistent), all of the new VMs then share the same Azure AD and Intune device IDs. In this scenario, remove the master VM from Intune before proceeding, to avoid this problem.
- Prepare the master VM to get ready for catalog creation
- To make sure newly created VMs are Hybrid Azure AD joined before user logon, add dsregcmd /join to the master VM boot sequence so that it executes at every system start under the System account. When new VMs are created from the master VM, they also execute this command when booting.
- After shutdown, Machine Creation Service (MCS) can use the master VM to create the catalog.
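The verification and boot-sequence steps above, expressed as a PowerShell script. This is an added example, not code from the Citrix article: the function names and the scheduled task name are assumptions. It parses the "Key : Value" lines of dsregcmd /status into a hashtable so that the AzureAdJoined and DomainJoined flags can be checked (Hybrid Azure AD join requires both), and registers dsregcmd /join as a scheduled task that runs at every system start under the SYSTEM account, which is one way of putting the command in the boot sequence so that cloned VMs inherit it.

```powershell
# Added example (not part of the Citrix article). Function and task names are
# illustrative assumptions. Registering the scheduled task requires elevation.
#Requires -RunAsAdministrator

function Get-DsregState {
    # Parse the "Key : Value" lines printed by dsregcmd /status into a hashtable.
    # The raw output can be passed in, so captured text can be inspected offline.
    param([string[]]$StatusOutput = (& "$env:SystemRoot\System32\dsregcmd.exe" /status))

    $state = @{}
    foreach ($line in $StatusOutput) {
        # Key is everything before the first colon; border lines (+----+) are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridAadJoined {
    # Hybrid Azure AD join means the device is BOTH on-premises domain joined
    # and Azure AD joined; a plain Azure AD join or AD join alone is not enough.
    param([hashtable]$State = (Get-DsregState))
    return ($State['DomainJoined'] -eq 'YES' -and $State['AzureAdJoined'] -eq 'YES')
}

function Register-HybridJoinAtBoot {
    # Create a scheduled task that runs "dsregcmd /join" at every system start
    # under SYSTEM, so VMs cloned from this master join before any user logs on.
    param([string]$TaskName = 'Citrix-HybridAadJoin')   # assumed task name

    $action    = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\dsregcmd.exe" -Argument '/join'
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # StartWhenAvailable covers the case where the boot trigger fires before the
    # task service is ready; the battery options keep it from being skipped.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

# --- Usage on the master VM -------------------------------------------------
# 1. Confirm the test join succeeded (DomainJoined and AzureAdJoined both YES):
#    Get-DsregState | Format-Table -AutoSize
#    Test-HybridAadJoined
# 2. Leave Azure AD before sealing the image:
#    & "$env:SystemRoot\System32\dsregcmd.exe" /leave
# 3. Arm the boot-time join so that cloned VMs run it:
#    Register-HybridJoinAtBoot
# 4. Shut down; MCS can now use the master VM to create the catalog.
```

On a provisioned VM, Test-HybridAadJoined returning False for the first sync cycle after creation is expected (the device record must first flow through Azure AD Connect); persistent VMs can have the task removed with Unregister-ScheduledTask once they have joined, since it has no further effect there.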
Note:
After the VM in the catalog is created, boot it and go to the Azure AD portal to validate that the VM reaches the Hybrid Azure AD joined state. Reaching this state can take up to one full Azure AD Connect sync cycle (30 minutes by default). After that, the VM is in the Hybrid Azure AD joined state immediately at subsequent boots.
- Refer to the Microsoft online document for more information about Hybrid Azure AD joins.
- For non-persistent VMs, the dsregcmd /join command at boot time reuses the previously created Azure AD device record.
- For persistent VMs, the dsregcmd /join command at boot time has no effect on the Hybrid Azure AD join state after the first boot and can be removed, if desired.
- If the master VM is configured with a TPM, the MCS-provisioned non-persistent VMs will NOT be in the Hybrid Azure AD joined state immediately at subsequent boots. At every boot they can take up to one full Azure AD Connect sync cycle (30 minutes by default) to reach the Hybrid Azure AD joined state.