Product Documentation

XenDesktop Essentials Service

The Citrix XenDesktop Essentials Service allows management and delivery of Windows 10 virtual desktops from Microsoft Azure.

XenDesktop Essentials is designed specifically for the Azure Marketplace. Citrix and Microsoft partner to deliver an integrated experience for XenDesktop Essentials and Azure IaaS. This partnership gives you a single interface to deliver a complete Windows 10 digital workspace from Azure.

By using XenDesktop Essentials, you can:

  • Deploy and secure Windows 10 virtual desktops on Azure
  • Deliver best-in-class user experience by using Citrix HDX capabilities
  • Provide secure access on any device by using Citrix Receiver
  • Manage and administer the deployment from Microsoft Azure and Citrix Cloud

Citrix XenDesktop Essentials simplifies Windows 10 deployment. You can deploy desktops quickly, manage at scale, and deliver a rich user access experience from a single management plane.

You manage the Windows 10 desktops by using Studio and you monitor sessions from Director. Users connect to their Windows 10 virtual desktops by logging on with Citrix Receiver.

XenDesktop Essentials, the Citrix Cloud, and Microsoft Azure work together. During configuration, you create a Microsoft Azure subscription. After that, you install the Citrix Cloud Connectors, which provide access to your Azure resources from Citrix Cloud. You then create a Windows 10 master image that includes the VDA. The master image provides the template for desktops you deliver to users. When you complete those tasks, you create a host connection to Microsoft Azure. Studio and Director are available in your cloud console. Use Studio and Director to manage and monitor your XenDesktop Essentials Service.

Deploy NetScaler VPX to provide secure access to Windows 10 desktops from anywhere. You provide your users with a URL to a workspace or StoreFront. Users connect to their desktops by using Citrix Receiver, with the URL you provide. When users log on to Citrix Receiver, the Windows 10 desktop icon appears in the workspace or StoreFront window.

Important: For new customers (from December 2017), XenDesktop Essentials includes a workspace URL, usually in the format https://<yourcompanyname> After you set up XenDesktop Essentials, test and share the workspace URL link with your subscribers to give them access to their desktops.

For details about the workspace, see Workspace configuration.

Further updates will follow for customers who purchased XenDesktop Essentials before December 2017. Currently, those customers continue to use cloud-hosted StoreFront, as outlined in this article. (XenDesktop Essentials does not support on premises StoreFront.)

The diagram shows an architectural overview of a XenDesktop Essentials Service deployment.

XenDesktop Essentials architectural overview

How to buy XenDesktop Essentials

For detailed information about buying or canceling XenDesktop Essentials, download How to buy or cancel the XenDesktop Essentials Service.

System Requirements, prerequisites, and compatibility

XenDesktop Essentials Service requires certain complementary products and components and specific account permissions for installation, configuration, and operation.

Microsoft Azure

XenDesktop Essentials Service is designed to support Microsoft Azure exclusively. Your Azure environment must meet certain minimum requirements to support XenDesktop Essentials Service:

  • An Azure subscription with an enterprise agreement
  • Windows Server Active Directory or Azure Active Directory Domain Service
  • An Azure Active Directory tenant

    Important: Microsoft requires the Azure Active Directory tenant in the Azure subscription to deploy Windows 10 desktops. You can use the Azure Active Directory tenant or another active directory to identify authorized users.

  • An Active Directory domain controller.
  • An Azure Resource Manager (ARM) virtual network and subnet in your preferred region. Configure the virtual network with a custom domain name server (DNS) entry pointing to the domain controller. The virtual network must have one subnet that is large enough to hold the desktops.

    Note: Use the same virtual network for the DNS entry and desktop subnet.

  • An Azure Active Directory user with contributor (or greater) permissions within the subscription
  • One virtual machine that has Microsoft Windows 10 installed, including your required customizations and apps

Citrix Cloud Connector

Citrix Cloud Connector authenticates and encrypts communication between Citrix Cloud and your resource locations. With XenDesktop Essentials Service, your resources are located in Microsoft Azure. Citrix Cloud requires that you install the Citrix Cloud Connector on two virtual machines to ensure continuous availability of your resource locations.

For more information about Cloud Connectors, see Citrix Cloud Connector

The Citrix Cloud Connector servers must meet the following minimum requirements:

  • Install the Cloud Connector on Windows Server 2012 R2 or Windows Server 2016 virtual machines in Azure. The virtual machine must have at least 32 GB of disk space and 4 GB of memory (Microsoft Azure Standard A2 v2 virtual machines).
  • Enable .NET 4.5.
  • Install the Cloud Connectors on virtual machines that are domain-joined.
    • The virtual machines must be in the Active Directory domain where User accounts reside.
    • Citrix recommends that you do not install a Cloud Connector on an Active Directory domain controller.
  • Open outbound port 443 to allow access to the internet and the Citrix Cloud service.
  • Disable Internet Explorer Enhanced Security Configuration (IE ESC) during installation.

Note: You cannot clone an installed Cloud Connector virtual machine. Install Cloud Connectors separately on each machine.

Citrix Cloud

  • A Citrix Cloud account
  • Access to the XenApp and XenDesktop Service within Citrix Cloud, which is enabled as a part of your XenDesktop Essentials purchase
  • One Citrix NetScaler VPX configured in ICA Proxy mode. (Optional, for access from outside the corporate network)

Known issues

If you use Azure AD Domain Services: Workspace (or StoreFront) logon UPNs must contain the domain name that was specified when enabling Azure AD Domain Services. Logons cannot use UPNs for a custom domain you create, even if that custom domain is designated as primary.

Deployment Process Overview

Step 1: Connect your Azure subscription to the XenDesktop Essentials Service

  1. Log on to the Azure portal.
  2. In Azure, open a domain-joined Windows Server virtual machine and then open a web browser.
  3. In the web browser in the virtual machine, connect to the Citrix Cloud and log on with your credentials. The XenApp and XenDesktop Service console opens.
  4. From the menu in the upper left corner, click Resource Locations.
  5. On the Resource Locations page, click Download. The file cwcconnector.exe downloads.
  6. After downloading the connector, double-click the Cloud Connector installation program to start the installer.
  7. When prompted, enter your Citrix Cloud credentials. Follow the instructions on your screen to install and configure the Citrix Cloud Connector.
  8. Repeat steps 4, 5, 6, and 7 on any additional virtual machines that you want to function as a Citrix Cloud Connector.

The Cloud Connector accesses the Citrix Cloud during installation to authenticate, validate the installer permissions, and then download and configure the services the Cloud Connector provides. The installation uses the privileges of the user who initiated the installation.

After installation, Citrix Cloud registers your domain in Identity and Access Management. For more information, see Identity and Access Management.

Step 2: Create a host connection

Before you start, ensure that you have your Azure Active Directory credentials and your subscription ID available. The Azure AD user who creates the host connection must be a native cloud user in the Azure AD or synchronized for the enterprise domain. The user account cannot be an invited or delegated Microsoft account.

Connect to Azure

  1. Go to, and log on.
  2. Click Manage and then click Service Creation to open Citrix Studio.
  3. In the left pane, under Citrix Studio, expand Configuration, and then click Hosting.
  4. In the Actions pane, under Hosting, click Add Connection and Resources.
  5. On the Add Connection and Resources page:
    1. In Connection type, select Microsoft Azure.
    2. In the Azure environment, select Azure Global and then click Next.
  6. In Connection Details:
    1. In Subscription ID, type the Azure subscription ID.
    2. In Connection name, type a name for the connection and then either:
      1. Click Create new and then follow the procedure “Option 1: To create a connection.”
      2. Click Use existing and continue configuring the settings. Follow the procedure “Option 2: To use an existing host connection.”
Option 1: To create a connection
  1. Log on to Azure with the subscription contributor (or greater) account.
  2. After a successful logon, Azure creates the host connection automatically. A green check mark with the word Connected appears on the Add Connection and Resources page.
  3. Click Next.
  4. On the Region page, select the region where your virtual network resides, and then click Next.
  5. On the Network page:
    1. Type a name for the resources.
    2. Select the virtual network for the resource group.
    3. Select the subnet that applies to the resource group and then click Next.
  6. On the Summary page, click Finish. The host connection to the Microsoft Azure Resource Manager is complete.
Option 2: To use an existing host connection

After you click Use existing, the Existing Service Principal Details page appears:

  1. In Subscription ID, type the Microsoft Azure subscription ID.
  2. In Subscription name, type the name of the Azure subscription.
  3. Click OK.
  4. On the Connection page:
    1. Click Create a new Connection, type your Microsoft Azure subscription ID and a connection name (optional), and then click Create new. The Citrix XenDesktop Microsoft authentication dialog box appears. Note: If you want to use a connection that you created at another time, choose Use an existing connection. Then, select the connection from the drop-down list.
    2. Type the user name and password for the Microsoft Azure Active Directory user. Citrix Cloud creates a service principal with the rights to create and manage machines for this subscription.
  5. On the Region page, select the Azure region where your Microsoft Azure resource group is located.
  6. On the Network page:
    1. Type a name for the resources. Tip: If you typed a Connection name, use it as the name for the Resources name.
    2. Choose the virtual network for your Microsoft Azure resource group.
    3. Select the subnets to use for this connection. If only one subnet exists, it is selected by default.

Step 3: Create a pool of Windows 10 desktops

In preparation for hosting the desktops, install the Citrix Virtual Delivery Agent (VDA) software on the Windows 10 virtual machine. The VDA software

  • Enables the machine to register with the XenApp and XenDesktop Service
  • Establishes and manages the connection between the machine and the user device
  • Verifies that a Citrix license is available for the user or session
  • Applies any configured policies for the session
  • Communicates session information to the XenApp and XenDesktop Service

To install the VDA on the base image

  1. Start the Windows 10 image.
  2. Go to
  3. Download the VDA for the Desktop OS.
  4. Start the VDA installation.
  5. On the Environment page, click Create a Master Image.
  6. On the HDX 3D Pro page, ensure that you select No, install the standard VDA.
  7. For the subsequent feature choices, select all features except Enable Citrix App-V publishing components.
  8. On the Delivery Controller page, enter the locations of your Citrix Cloud Connector virtual machines.
  9. Click Next and confirm the warning in the dialog box.
  10. On the Features page, select all the default settings and click Next.
  11. Click Next to accept the default settings on the remaining pages in the installation configuration to install the VDA.
  12. On the Summary page, click Install.
  13. Restart the virtual machine and log back on.
  14. Confirm that the settings have taken effect.
  15. Shut down the virtual machine. Shutting down the virtual machine is required for VDA registration.

Create a Storage Account

In Microsoft Azure, you need a storage account to host the base image virtual hard disk. You can host the drive in an existing storage account or create a storage account.

Important: Upload the Windows 10 master image to the destination storage account in Azure before you create the machine catalog.

To create a storage account for images
  1. In Microsoft Azure, in the navigation pane, click Storage accounts.
  2. On the Storage accounts page, click Add.
  3. In Name, provide a name.
  4. In Deployment model, select Resource manager.
  5. In Performance, select Standard.
  6. For Replication, Storage service encryption, and Subscription, leave the default settings.
  7. In Resource group, do one of the following:
    1. Click Create new to create a resource group. Type the name of the group in the text box.
    2. Click Use existing to use an existing resource group. Click the down arrow and select a group from the list.
  8. To have the storage account appear on the dashboard, click Pin to dashboard.
  9. Click Create.

After you create a storage account, create a blob container and then name it to reflect the virtual hard disk, such as “VHDs.”

To create a blob container for image VHDs
  1. In Microsoft Azure, in the navigation pane, click Storage accounts and navigate to the storage account that you created previously.
  2. In the center navigation pane, under BLOB SERVICE, click Containers.
  3. In the details pane, click Container.
  4. In the New container pane, give the container a name.
  5. In Access type, select Blob and then click Create. The new blob container appears in the pane.
  6. Copy the blob URL and save it in a text file. The URL is used later to upload the converted VHD.
Create a machine catalog for XenDesktop Essentials

Machine catalogs are collections of virtual desktops that you manage as a single entity. These virtual desktops are the resources you provide to your users. All the machines in a catalog have the same operating system and the same VDA installed.

Typically, you create a master image and use it to create identical virtual machines in the catalog.

  1. In your Citrix Cloud console, go to the Manage tab and select Service Creation.
  2. In Citrix Studio, click Machine Catalogs in the navigation pane on the left.
  3. In the Actions pane, click Create Machine Catalog.
  4. On the Operating System page, ensure that Desktop OS is the only operating system option available and then click Next.
  5. On the Desktop Experience page:
    1. Select I want users to connect to the same (static) desktop each time they log on.
    2. Select Yes, create a dedicated virtual machine and save changes on the local disk.
  6. On the Master Image page:
    1. Use the navigation tree to select the VHD in the blob storage you created previously. The structure of the navigation tree aligns with the Azure hierarchy:
      • Resource group
      • Storage accounts
      • Containers
      • Virtual hard disks (VHDs)
      • Image names
    2. In Select the minimum functional level for this catalog, choose the XenDesktop version.
  7. On the Storage and License Types page, select the destination storage type and your license preference.
  8. On the Virtual Machines page, select the number of virtual machines and then select the Azure virtual machine size.
  9. On the Network Interface Cards page, select a network adapter to associate it with the Azure subnet name for your Citrix machines. You can also click Add Card to add another network adapter.
  10. On the Computer Accounts page:
    1. Click Create new Active Directory accounts.
    2. Choose the domain for the computer accounts.
    3. Navigate to the organizational unit (OU) for the new machines.
    4. Type an account naming scheme for the new machines. Include two number signs (##) to increment numbers automatically. In the drop-down list, select number or letters. The pound signs translate to the naming scheme. For example, mymachcatalog## becomes mymachcatalog01 or mymachcatalogAB.
  11. On the Domain Credentials page, click Enter Credentials and then in the Windows Security dialog box, type your user name and password. This account is used to create the computer accounts.
  12. The Summary page appears. Type a machine catalog name and the machine catalog description for administrators.
  13. Click Finish.

The virtual machines are created and a new storage account appears in the Microsoft Azure dashboard. While machine catalog services deploy the virtual machines, a preparation virtual machine with a VHS is created temporarily in Azure.

To identify the image name in Microsoft Azure
  1. Log on to
  2. On the Dashboard, in the navigation pane, click All resources. A full list of subscriptions appears.
  3. Choose the subscription.
  4. Click All settings.
  5. Click Resource groups.
  6. Select the resource group.
  7. Select the virtual machine that contains the Windows 10 and the Citrix VDA installation.
  8. Click All settings.
  9. Click Disks.
  10. Select the OS disk. The first text box in the OS disk window contains the URL for the image, which is structured as shown in the following example. You can obtain the storage account name and image name from the URL. For example: https://<storage account name><image name>.
  11. On the Machines page, the templates listed are retrieved directly from your Azure subscription.

Step 4: Assign Windows 10 desktops to your users

A Delivery Group is a collection of machines selected from one or more machine catalogs. The Delivery Group specifies which users can use those machines.

  1. In Citrix Studio, right-click Delivery Groups in the navigation panel and then select Create Delivery Group.
  2. Choose the number of machines that you want to make available to the Delivery Group. The number you specify cannot exceed the number of machines that are in your machine catalog.
  3. On the Delivery Type page, choose Desktops.
  4. On the Users page, choose the option to Leave user management to Citrix Cloud. Selecting this option allows you to manage access to the Delivery Group through Citrix Cloud.
  5. On the Summary page, provide a Delivery Group name and type the display name.

After completing these steps, edit the delivery group to configure access for users. You can add or remove users and change user settings.

Add or remove users in a delivery group

  1. Select Delivery Groups in the Studio navigation pane.
  2. Select a group and then select Edit Delivery Group in the Actions pane.
  3. On the Users page, to add users, click Add, and then specify the users you want to add. To remove users, select one or more users and then click Remove. You can also select or clear the check box that enables or disables access by unauthenticated users.
  4. Click OK.

Change user settings in a delivery group

The name of this page can appear as either User Settings or Basic Settings.

  1. Select Delivery Groups in the Studio navigation pane.
  2. Select a group and then select Edit Delivery Group in the Actions pane.
  3. On the User Settings (or Basic Settings) page:
    1. In Description, type the text that the workspace or StoreFront displays to users.
    2. Set the Time zone to match the Azure time zone.
    3. Select Enable Delivery Group.
    4. Set the maximum number of desktops per user.
  4. Click OK to save settings.

Assign users access in the Citrix Cloud

  1. Log on to the Citrix Cloud portal and then click View Library.
  2. On the desktops tile, click the ellipsis (…) button in the right corner.
  3. Search for the users groups that are allowed access to the Delivery Group and add them to the list.
  4. When finished, click the X to close the window.

Your Windows 10 virtual desktops are assigned to the groups added to the subscribers list.

Step 5: Configure NetScaler VPX in Azure (optional)

The NetScaler VPX virtual appliance is available as an image in the Microsoft Azure Marketplace. When you deploy NetScaler VPX on Microsoft Azure Resource Manager (ARM), you can use the Azure cloud computing capabilities. You can use NetScaler load balancing and traffic management features for your business needs.

You can deploy NetScaler VPX instances on Azure Resource Manager in one of two ways:

  • A standalone instance.
  • A high availability pair in active-active or active-standby modes.

If you have users who connect from a remote location, configure NetScaler VPX in Azure to create secure connections between Citrix Receiver and Windows 10 desktops.

To configure NetScaler VPX in Azure

  1. Log on to the Azure portal with contributor (or greater) permissions.
  2. Click the plus (+) sign to add a resource. Search for NetScaler.
  3. Choose the NetScaler VPX Bring Your Own License virtual machine.
  4. Configure the basic settings, name, and user name. Select Password for the authentication type.
  5. Set and confirm a user password for an administrator user.
  6. Create a Resource Group specifically for the NetScaler VPX. Select the same virtual network that is used by the Windows 10 VDAs.
  7. Choose the machine size for the NetScaler virtual machine. Depending on the number of connections, choose the desired size:
    • For 1,000 HDX sessions or less, select the A2 Standard size.
    • For more than 1,000 HDX sessions, choose the A3 Standard size.
  8. Click OK, verify the Summary settings, and then click Purchase to start the deployment.

When the deployment is complete, use the Remote Desktop Protocol (RDP) to connect to one of the Cloud Connector machines. When you connect, you continue to the NetScaler VPX configuration from the NetScaler administration console.

For complete configuration information, see Deploying Citrix NetScaler VPX on Microsoft Azure in the NetScaler Product Documentation.

After you configure NetScaler VPX in Azure, enable NetScaler Gateway in Citrix Cloud.

To configure the NetScaler Gateway settings for secure access

  1. Log on to the management console by using the NetScaler administrator credentials. You do not need to configure more IP addresses. Click Skip.
  2. In Host Name, DNS IP Address, and Time Zone, use the IP address and the DNS settings of the virtual network. The settings are on your Active Directory domain controller.
  3. Click Done. You do not have to restart NetScaler VPX now.
  4. Click Licenses on the Configuration tab and upload the necessary licenses to configure NetScaler Gateway.
  5. After the licenses upload, restart the appliance.
  6. When the virtual machine restarts, log on again by using NetScaler credentials.

Configure XenDesktop Settings in NetScaler VPX

After you configure the previous settings, run the Quick Configuration Wizard in NetScaler VPX. For more information, see Configuring Settings with the Quick Configuration Wizard.

Configure NetScaler VPX for High Availability and Load Balancing

In a Microsoft Azure deployment, a high availability configuration of two NetScaler virtual machines is achieved by using the Azure load balancer. The load balancer distributes client traffic across the virtual servers configured on both the NetScaler instances.

If the client traffic originates from the internet, deploy an external load balancer between the internet and the NetScaler VPX instances to distribute client traffic. For more information about using this configuration, see Configuring NetScaler VPX in High Availability Mode in Azure Resource Manager (ARM).

You can also add inbound port 80 to the NetScaler network security group to configure NetScaler by using its public IP address. After the configuration is complete, you can delete the inbound port 80 rule to secure access to the management console.

Step 6: Connect users by using Citrix Receiver

Either workspace or cloud-hosted StoreFront delivers the service to user devices. In the Citrix Cloud console:

  • If the left navigation pane includes Workspace Configuration, you use workspace. This should appear if you purchased XenDesktop Essentials on or after December 2017.
  • If the left navigation pane does not include Workspace Configuration, you use cloud-hosted StoreFront.

Service delivery through workspace

After you create the first catalog, XenDesktop Essentials configures the workspace URL automatically. This URL appears under the catalog details. You can customize the workspace URL and the appearance of workspaces. You can also enable the tech preview version of federated authentication using Azure Active Directory. For details, see Workspace configuration.

  1. In the Citrix Cloud console, select Workspace Configuration and then select the Service Integrations tab. The service should be listed.
  2. Test your connection by logging on to the workspace URL with your domain credentials and starting a desktop.
  3. Provide the URL to your users which they can copy. Users can type or paste the URL in the address bar of their browser or Citrix Receiver to access desktops.

Service delivery through cloud-hosted StoreFront

  1. In the Citrix Cloud console, click Manage and then Service Delivery.
  2. Ensure that Cloud Hosted StoreFront is enabled. It is enabled by default if you purchased XenDesktop Essentials before December 2017.
  3. Test your connection by logging on to the StoreFront URL with your domain credentials and starting a desktop.
  4. Provide the URL to your users, which they can copy. Users can type or paste the URL in the address bar of their browser or Citrix Receiver to access desktops.

Remote access using NetScaler VPX

  1. In the Citrix Cloud console, click Manage and then click Service Delivery.
  2. Enable NetScaler Gateway.
  3. Select Use your own NetScaler Gateway in the resource location.
  4. Type the NetScaler Gateway address in the text field. Do not include a protocol. You can include a port number.
  5. Enable session reliability, if you want that feature.
  6. Save.
  7. Test your connection by logging on to the workspace or StoreFront URL with your domain credentials and starting a desktop.
  8. Provide the URL to your users, which they can copy. Users can type or paste the URL in the address bar of their browser or Citrix Receiver to access desktops.

Partner resources

This service is also available through the Microsoft Cloud Solution Provider channel. For details, see Microsoft CSP enablement for Citrix Essentials