Product Documentation

Download full document

XenDesktop Essentials Service

Apr. 11, 2017

The Citrix XenDesktop Essentials Service allows management and delivery of Windows 10 virtual desktops from Microsoft Azure.

XenDesktop Essentials Service is designed specifically for the Azure Marketplace. Citrix and Microsoft partner to deliver an integrated experience for XenDesktop Essentials and Azure IaaS. This partnership gives you a single interface to deliver a complete Windows 10 digital workspace from Azure.

By using XenDesktop Essentials Service, you can:

  • Deploy and secure Windows 10 virtual desktops on Azure
  • Deliver best-in-class user experience by using Citrix HDX capabilities
  • Provide secure access on any device by using Citrix Receiver
  • Manage and administer the deployment from Microsoft Azure and Citrix Cloud

Citrix XenDesktop Essentials Service simplifies Windows 10 deployment. You can deploy desktops quickly, manage at scale, and deliver a rich user access experience from a single management plane.

You manage the Windows 10 desktops by using Studio and you monitor sessions from Director. Users connect to their Windows 10 virtual desktops by logging on with Citrix Receiver.

XenDesktop Essentials, the Citrix Cloud, and Microsoft Azure work together. During configuration, you create a Microsoft Azure subscription. After that, you install the Citrix Cloud Connectors, which provide access to your Azure resources from Citrix Cloud. You then create a Windows 10 master image that includes the VDA. The master image provides the template for desktops you deliver to users.

When you complete those tasks, you create a host connection to Microsoft Azure. Studio and Director are available in your cloud console. Use Studio and Director to manage and monitor your XenDesktop Essentials Service.

Deploy NetScaler VPX to provide secure access to Windows 10 desktops from anywhere. StoreFront is hosted from Citrix Cloud. You provide your users with the URL.

Users connect to their desktops via Citrix Receiver, using the URL you provide. When users log on to Citrix Receiver, the Windows 10 desktop icon appears in the StoreFront window.

The diagram shows an architectural overview of a XenDesktop Essentials Service deployment.

localized image

System Requirements, Prerequisites, and Compatibility

XenDesktop Essentials Service requires certain complementary products and components and specific account permissions for installation, configuration, and operation.

Microsoft Azure

XenDesktop Essentials Service is designed to support Microsoft Azure exclusively. Your Azure environment must meet certain minimum requirements to support XenDesktop Essentials Service:

  • An Azure subscription with an enterprise agreement
  • An Azure Active Directory tenant
    Important: Microsoft requires the Azure AD tenant in the Azure subscription to deploy Windows 10 desktops. You can use the Azure AD tenant or another active directory to identify authorized users.
  • An Azure Resource Manager (ARM) virtual network (VNet) and subnet in your preferred region
  • An Azure AD user with contributor (or greater) permissions within the subscription

Microsoft Azure VNet Requirements

  • An Active Directory domain controller
  • Two Windows Server 2012 R2 or Windows Server 2016 machines that are joined to the domain, on which to install the Citrix Cloud Connector
  • One virtual machine that has Microsoft Windows 10 installed, including your required customizations and apps

The Citrix Cloud Connector servers must meet the following minimum requirements:

  • At least 32 GB of disk space and 4 GB of memory (Microsoft Azure Standard A2 v2 virtual machines)
  • .NET 4.5 installed
  • Active Directory computer account with Read/Write permissions on user and computer objects
  • Outbound port 443 must be open to allow access to the internet.

Citrix Cloud

  • A Citrix Cloud account
  • Access to the XenApp and XenDesktop Service within Citrix Cloud, which is enabled as a part of your XenDesktop Essentials purchase
  • One Citrix NetScaler VPX configured in ICA Proxy mode. (Optional, for access from outside the corporate network)

Deployment Process Overview

Citrix Cloud Connector authenticates and encrypts communication between Citrix Cloud and your resource locations. With XenDesktop Essentials Service, your resources are located in Microsoft Azure. Citrix Cloud requires that you install the Citrix Cloud Connector on two machines to ensure continuous availability of your resource locations.

To install the Citrix Cloud Connector

  1. Go to and log on with your credentials. The XenApp and XenDesktop Service console opens.
  2. From the menu in the upper left corner, click Resource Locations.
  3. Download and install the Citrix Cloud Connector on a Windows Server 2012 R2 or Windows Server 2016 machine in your Azure subscription.
  4. When prompted, enter your Citrix Cloud credentials. Follow the wizard to install and configure the Citrix Cloud Connector.
  5. Repeat steps 3 and 4 on any additional machines that you want to function as a Citrix Cloud Connector.

After installation, Citrix Cloud registers your domain in Identity and Access Management. You can see the domain registered in Identity and Access Management in the left menu. For more information about domain registration and access management, see Identity and Access Management.

Before you start, ensure that you have your Azure Active Directory credentials and your subscription ID available. The Azure AD user who creates the host connection must be a native cloud user in the Azure AD or synchronized for the enterprise domain. The user account cannot be an invited or delegated Microsoft account.

Connect to Azure

  1. Go to, and log on.
  2. Click Manage and then Service Creation to open Citrix Studio.
  3. In the left pane, under Citrix Studio, expand Configuration, and then click Hosting.
  4. In the Actions pane, under Hosting, click Add Connection and Resources.

On the Add Connection and Resources page:

  1. In Connection type, select Microsoft Azure.
  2. In the Azure environment, select Azure Global and then click Next.
  3. In Connection Details:
    1. In Subscription ID, type the Azure subscription ID.
    2. In Connection name, type a name for the connection and then either:
      1. Click Create new and then follow the procedure "Option 1: To create a connection."
      2. Click Use existing and continue configuring the settings. Follow the procedure "Option 2: To use an existing host connection."

Option 1: To create a connection

  1. Log on to Azure with the subscription contributor (or greater) account.
  2. After a successful logon, Azure creates the host connection automatically.
    A green checkmark with the word Connected appears on the Add Connection and Resources page.
  3. Click Next.
  4. On the Region page, select the region where your virtual network resides, and then click Next.
  5. On the Network page:
    1. Type a name for the resources.
    2. Select the virtual network for the resource group.
    3. Select the subnet that applies to the resource group and then click Next.
  6. On the Summary page, click Finish.
    The host connection to the Microsoft Azure Resource Manager is complete.

Option 2: To use an existing host connection

After you click Use existing, the Existing Service Principal Details page appears:

  1. In Subscription ID, type the Microsoft Azure subscription ID.
  2. In Subscription name, type the name of the Azure subscription.
  3. Click OK.
  4. On the Connection page:
    1. Click Create a new Connection, type your Microsoft Azure subscription ID and a connection name (optional), and then click Create new. The Citrix XenDesktop Microsoft authentication dialog box appears.
      NOTE: If you want to use a connection that you created at another time, choose Use an existing connection. Then, select the connection from the drop-down list.
    2. Type the user name and password for the Microsoft Azure Active Directory user. Citrix Cloud creates a service principal with the rights to create and manage machines for this subscription.
  5. On the Region page, select the Azure region where your Microsoft Azure resource group is located.
  6. On the Network page:
    1. Type a name for the resources.
      TIP: If you typed a Connection name, use it as the name for the Resources name.
    2. Choose the virtual network for your Microsoft Azure resource group.
    3. Select the subnets to use for this connection. If only one subnet exists, it is selected by default.

In preparation for hosting the desktops, install the Citrix Virtual Delivery Agent (VDA) software on the Windows 10 virtual machine. The VDA software

  • Enables the machine to register with the XenApp and XenDesktop Service
  • Establishes and manages the connection between the machine and the user device
  • Verifies that a Citrix license is available for the user or session
  • Applies any configured policies for the session
  • Communicates session information to the XenApp and XenDesktop Service

To install the VDA on the base image

  1. Start the Windows 10 image.
  2. Go to
  3. Download the VDA for desktop OS.
  4. Start the VDA installation.
  5. On the Environment page, click Create a Master Image.
  6. On the HDX 3D Pro page, ensure that you select No, install the standard VDA.
  7. For the subsequent feature choices, select all features except Enable Citrix App-V publishing components.
  8. On the Delivery Controller page, enter the locations of your Citrix Cloud Connector VMs.
  9. Click Next and confirm the warning in the dialog box.
  10. On the Features page, select all the default settings and click Next.
  11. Click Next to accept the default settings on the remaining pages in the installation configuration to install the VDA.
  12. On the Summary page, click Install.
  13. Restart the virtual machine and log back on.
  14. Confirm that the settings have taken effect.
  15. Shut down the virtual machine. Shutting down the virtual machine is required for VDA registration.

Create a Storage Account

In Microsoft Azure, you need a storage account to host the base image virtual hard disk. You can host the drive in an existing storage account or create a storage account.

Important: Upload the Windows 10 master image to the destination storage account in Azure before you create the machine catalog.

To create a storage account for images

  1. In Microsoft Azure, in the navigation pane, click Storage accounts.
  2. On the Storage accounts page, click Add.
  3. In Name, provide a name.
  4. In Deployment model, select Resource manager.
  5. In Performance, select Standard.
  6. For Replication, Storage service encryption, and Subscription, leave the default settings.
  7. In Resource group, do one of the following:
    1. Click Create new to create a resource group. Type the name of the group in the text box.
    2. Click Use existing to use an existing resource group. Click the down arrow and select a group from the list.
  8. To have the storage account appear on the dashboard, click Pin to dashboard.
  9. Click Create.

After you create a storage account, create a blob container and then name it to reflect the virtual hard disk, such as "VHDs."

To create a blob container for image VHDs

  1. In Microsoft Azure, in the navigation pane, click Storage accounts and navigate to the storage account that you created previously.
  2. In the center navigation pane, under BLOB SERVICE, click Containers.
  3. In the details pane, click +Container.
  4. In the New container pane, give the container a name.
  5. In Access type, select Blob and then click Create.
    The new blob container appears in the pane.
  6. Copy the blob URL and save it in a text file.
    The URL is used later to upload the converted VHD.

Create a machine catalog for XenDesktop Essentials

Machine catalogs are collections of virtual desktops that you manage as a single entity. These virtual desktops are the resources you provide to your users. All the machines in a catalog have the same operating system and the same VDA installed.

Typically, you create a master image and use it to create identical VMs in the catalog.

To create a machine catalog

In your Citrix Cloud console, go to the Manage tab and select Service Creation.

  1. In Citrix Studio, click Machine Catalogs in the navigation pane on the left.
  2. In the Actions pane, click Create Machine Catalog.
  3. On the Operating System page, ensure that Desktop OS is the only operating system option available and then click Next.
  4. On the Desktop Experience page:
    1. Select I want users to connect to the same (static) desktop each time they log on.
    2. Select Yes, create a dedicated virtual machine and save changes on the local disk.
  5. On the Master Image page:
    1. Use the navigation tree to select the VHD in the blob storage you created previously. The structure of the navigation tree aligns with the Azure hierarchy:
      • Resource group
      • Storage accounts
      • Containers
      • Virtual hard disks (VHDs)
      • Image names
    2. In Select the minimum functional level for this catalog, choose the XenDesktop version.
  6. On the Storage and License Types page, select the destination storage type and your license preference.
  7. On the Virtual Machines page, select the number of virtual machines and then select the Azure virtual machine size.
  8. On the Network Interface Cards page, select a network adapter to associate it with the Azure subnet name for your Citrix machines. You can also click Add Card to add another network adapter.
  9. On the Computer Accounts page:
    1. Click Create new Active Directory accounts.
    2. Choose the domain for the computer accounts.
    3. Navigate to the organizational unit (OU) for the new machines.
    4. Type an account naming scheme for the new machines.
      Include two number signs (##) to increment numbers automatically. In the drop-down list, select number or letters. The pound signs translate to the naming scheme. For example, mymachcatalog## becomes mymachcatalog01 or mymachcatalogAB.
  10. On the Domain Credentials page, click Enter Credentials and then in the Windows Security dialog box, type your user name and password.
    This account is used to create the computer accounts.
  11. The Summary page appears. Type a machine catalog name and the machine catalog description for administrators. Click Finish.

The virtual machines are created and a new storage account appears in the Microsoft Azure dashboard. While machine catalog services deploy the virtual machines, a preparation virtual machine with a VHS is created temporarily in Azure.

To identify the image name in Microsoft Azure

  1. Log on to
  2. On the Dashboard, in the navigation pane, click All resources.
    A full list of subscriptions appears.
  3. Choose the subscription.
  4. Click All settings.
  5. Click Resource groups.
  6. Select the resource group.
  7. Select the virtual machine that contains the Windows 10 and the Citrix VDA installation.
  8. Click All settings.
  9. Click Disks.
  10. Select the OS disk.
    The first text box in the OS disk window contains the URL for the image, which is structured as shown in the following example. You can obtain the storage account name and image name from the URL. For example: https://<storage account name><image name>.
  11. On the Machines page, the templates listed are retrieved directly from your Azure subscription.

A Delivery Group is a collection of machines selected from one or more machine catalogs. The Delivery Group specifies which users can use those machines.

  1. In Citrix Studio, right-click Delivery Groups in the navigation panel and then select Create Delivery Group.
  2. Choose the number of machines that you want to make available to the Delivery Group. The number you specify cannot exceed the number of machines that are in your machine catalog.
  3. On the Delivery Type page, choose Desktops.
  4. On the Users page, choose the option to Leave user management to Citrix Cloud.
    Selecting this option allows you to manage access to the Delivery Group through Citrix Cloud.
  5. On the Summary page, provide a Delivery Group name and type the display name.

After completing these steps, edit the delivery group to configure access for users. You can add or remove users and change user settings.

Add or remove users in a delivery group

  1. Select Delivery Groups in the Studio navigation pane.
  2. Select a group and then select Edit Delivery Group in the Actions pane.
  3. On the Users page, to add users, click Add, and then specify the users you want to add. To remove users, select one or more users and then click Remove. You can also select or clear the check box that enables or disables access by unauthenticated users.
  4. Click OK.

Change user settings in a delivery group

The name of this page can appear as either User Settings or Basic Settings.

  1. Select Delivery Groups in the Studio navigation pane.
  2. Select a group and then select Edit Delivery Group in the Actions pane.
  3. On the User Settings (or Basic Settings) page:
    1. In Description, type the text that StoreFront uses and that users see.
    2. Set the Time zone to match the Azure time zone.
    3. Select Enable Delivery Group.
    4. Set the maximum number of desktops per user.
  4. Click OK to save settings.

Assign users access in the Citrix Cloud

  1. Log on to the Citrix Cloud portal and then click View Library.
  2. On the desktops tile, click the ellipsis (…) button in the right corner.
  3. Search for the users groups that are allowed access to the Delivery Group and add them to the list.
  4. When finished, click the X to close the window.

Your Windows 10 virtual desktops are assigned to the groups added to the subscribers list.

If you have users who connect from a remote location, configure NetScaler VPX in Azure to create secure connections between Citrix Receiver and Windows 10 desktops.

To configure NetScaler VPX in Azure

  1. Log on to the Azure portal with contributor (or greater) permissions.
  2. Click the plus (+) sign to add a resource. Search for NetScaler.
  3. Choose the NetScaler 11.1 VPX Bring Your Own License virtual machine.
  4. Configure the basic settings, name, and user name. Choose to use Password for Authentication type.
  5. Set and confirm a user password for an administrator user.
  6. Choose the Resource group that hosts the Windows 10 VDAs and verify your location for the Resource Group and then click OK.
  7. Create a virtual machine for the NetScaler virtual machine.
  8. Choose the machine size for the NetScaler virtual machine.
    Depending on the number of connections, choose the desired size:
    1. For 1,000 HDX sessions or less, select the A2 Standard size.
    2. For more than 1,000 HDX sessions, choose the A3 Standard size.
  9. Choose the Storage and Network settings to match the same settings for the resource manager hosting the Windows 10 VDAs.
  10. Click OK, verify the Summary settings, and then click Purchase to start the deployment.

When the deployment is complete, use the Remote Desktop Protocol (RDP) to connect to one of the Cloud Connector machines. When you connect, you continue to the NetScaler VPX configuration from the web administration console.

You can also add inbound port 80 to the NetScaler network security group to configure NetScaler by using its public IP address. After the configuration is complete, you can delete the inbound port 80 rule to secure access to the management console.

To configure the NetScaler Gateway settings for secure access

  1. Log on to the management console by using the credentials configured for the NetScaler administrator.
    After you log on, configure a Subnet IP Address.
    Note: Azure NetScaler deployments do not support subnet IP addresses configured on the appliance.
    You remove the subnet IP address in a later step to make NetScaler a single IP address mode appliance. Configure a subnet IP address for now; you can use a valid IP address not used by other devices.
  2. In Host Name, DNS IP Address, and Time Zone, use the same IP address that Active Directory uses in Azure Service Manager (Classic). The settings configure DNS servers.
  3. Click Done.
    You do not have to restart NetScaler VPX now.
  4. Click Licenses on the Configuration tab and upload the necessary licenses to configure NetScaler Gateway.
    After the licenses upload, restart the appliance.

When the virtual machine restarts, log on again by using NetScaler credentials. The next step is to delete the subnet IP address.

To delete the subnet IP address

  1. On the Configuration tab, navigate to System > Network > IP Addresses.
  2. Choose the Subnet IP address and then click Delete.

The next step is to add the two Active Directory domain controllers from the Azure Service Manager (Classic) network.

To add the Azure Service Manager Active Directory domain controllers

  1. Under System > NTP Servers, click Add.
  2. Enter the IP address, minimum and maximum poll intervals and if the domain controller is preferred.
  3. Click OK.

StoreFront manages desktop and application delivery to user devices. Users access StoreFront stores through Citrix Receiver directly or by browsing to a Citrix Receiver for Web or Desktop Appliance site. Users can also access StoreFront using thin clients and other end-user-compatible devices through a XenApp Services site.

Enable Service Delivery through Cloud Hosted StoreFront

  1. In your Citrix Cloud console, select Manage, then Service Delivery.
  2. Make sure Cloud Hosted StoreFront is enabled. By default, Cloud Hosted StoreFront is enabled.
  3. Test your connection by logging on to the StoreFront URL with your domain credentials and starting a Windows 10 desktop.
  4. Provide the URL to your users. Users enter the URL into their browser or Citrix Receiver to access desktops.

Enable Remote Access by using NetScaler VPX

  1. In your Citrix Cloud console, select Manage, then Service Delivery.
  2. Make sure Cloud Hosted StoreFront is enabled. By default, Cloud Hosted StoreFront is enabled.
  3. Enable NetScaler Gateway.
  4. Select Use your own NetScaler Gateway in the resource location.
  5. Enter the NetScaler Gateway address in the text field Do not include a protocol. You can include a port number.
  6. Enable Session Reliability, if you choose that option.
  7. Save.
  8. Test your connection by logging on to the StoreFront URL with your domain credentials and starting a Windows 10 desktop.
  9. Provide the URL to your users. Users enter the URL into their browser or Citrix Receiver to access desktops.
Back to Top