Citrix DaaS

Azure Active Directory joined and non-domain joined VDA configuration

The process of installing the VDA and deploying virtual desktops that are pure Azure Active Directory (AD) joined or non-domain joined is similar to that of standard domain-joined machines. You only need to make sure that you satisfy all requirements and select the correct options throughout the process.

Requirements

Pure Azure AD joined requirements:

  • Control plane: Citrix DaaS
  • VDA type: Single-session and multi-session (virtual desktops only)
  • VDA version: 2203
  • Provisioning type: Machine Creation Services (MCS) Persistent using Machine Profile workflow only
  • Assignment type: Dedicated
  • Hosting platform: Azure only
  • Template VM must not be joined to Azure AD
  • Rendezvous V2 must be enabled to remove the requirement for Citrix Cloud Connectors

Non-domain joined requirements:

  • Control plane: Citrix DaaS
  • VDA type: Single-session and multi-session (virtual desktops only)
  • VDA version: 2203
  • Provisioning type: Machine Creation Services (MCS) Persistent and Non-persistent
  • Assignment type: Dedicated and pooled
  • Hosting platform: All platforms supported by MCS, except Google Cloud Platform
  • Rendezvous V2 must be enabled to remove the requirement for Citrix Cloud Connectors

Known issues and limitations

General

  • Service continuity is not supported.

Pure Azure AD joined

  • The template VM image cannot be joined to Azure AD currently.
  • Single sign-on to the virtual desktop is not supported. Users must manually enter their credentials in the virtual desktop.
  • Logging in with Windows Hello in the virtual desktop is not supported. If users try to use a Windows Hello PIN to log in, they receive an error stating that they are not the brokered user, and the session is disconnected.
  • The first time a virtual desktop session is launched, the Windows sign-in screen shows the logon prompt for the last logged on user without the option to switch to another user. The user must wait until the logon times out and the desktop’s lock screen appears, and then click the lock screen to reveal the logon screen once again. At this point, the user is able to select “Other user” and enter their credentials.

Considerations

Template Image

  • Consider optimizing your Windows image using the Citrix Optimizer tool.
  • To avoid any hardware configuration mismatches and conflicts, make sure the VM used as the template VM and the VMs used for user workloads have matching hardware configurations. In the case of Azure VMs, ensure they are of the same family, or at least have similar hardware profiles. For example, ensure that the template VM and the user workloads both have the same number of disks. Otherwise, you might face problems with your MCS-provisioned machines, such as page file configuration errors, or new hardware detected that might prompt users for reboots.

Pure Azure AD joined

  • Consider disabling Windows Hello so users are not prompted to create a Windows Hello PIN for logging into Windows. Windows Hello is not supported. You can do this in one of two ways:
    1. Local group policy in the template VM
      • Run gpedit.msc.
      • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
      • Set Use Windows Hello for Business to:
        • Disabled, or
        • Enabled and select Do not start Windows Hello provisioning after sign-in.
    2. Microsoft Intune (persistent machines only)
      • Create a device profile that disables Windows Hello for Business. Refer to Microsoft documentation for details.
      • Currently, Microsoft supports Intune enrollment of persistent machines only, meaning you cannot manage non-persistent machines with Intune.
  • Users must be granted explicit access in Azure to log into the machines using their AAD credentials. This can be facilitated by adding the role assignment at the resource group level:
    1. Sign into the Azure portal.
    2. Select Resource Groups.
    3. Click the resource group where the virtual desktop workloads reside.
    4. Select Access control (IAM).
    5. Click Add role assignment.
    6. Search for Virtual Machine User Login, select it on the list, and click Next.
    7. Select User, group, or service principal.
    8. Click Select members and select the users and groups you want to provide access to the virtual desktops.
    9. Click Select.
    10. Click Review + assign.
    11. Click Review + assign once again.

Note:

If you choose to let MCS create the resource group for the virtual desktops, you add this role assignment after the machine catalog is created.
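The role assignment above can also be applied with Az PowerShell, which is useful when the resource group is created by MCS and the assignment has to be added after the catalog exists, or when it must be repeated for several resource groups. The following is an added example, not part of the Citrix page; the resource group name and the Azure AD group name are placeholders, and it assumes the Az.Accounts and Az.Resources modules are installed. It assigns the role to a group at resource-group scope only, skips the assignment if it already exists, and lists who holds the role so the result can be reviewed.

```powershell
# Added example (not from the Citrix page): grant Azure AD users the
# "Virtual Machine User Login" role at resource-group scope with Az PowerShell.
# Requires the Az.Accounts and Az.Resources modules. The resource group name
# and the Azure AD group name are placeholders for your environment.

$resourceGroupName = 'rg-citrix-vdi'   # placeholder: resource group holding the virtual desktops
$userGroupName     = 'VDI-Users'       # placeholder: Azure AD group of desktop users
$roleName          = 'Virtual Machine User Login'

Connect-AzAccount | Out-Null

# Resolve the Azure AD group to its object ID. Assigning to a group rather than
# to individual users keeps the sign-in right reviewable in one place.
$group = Get-AzADGroup -DisplayName $userGroupName
if (-not $group) { throw "Azure AD group '$userGroupName' not found." }

# Scope the assignment to the resource group, not the subscription, so the
# sign-in right covers the virtual desktops and nothing else.
$existing = Get-AzRoleAssignment -ObjectId $group.Id `
                                 -RoleDefinitionName $roleName `
                                 -ResourceGroupName $resourceGroupName `
                                 -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Role assignment already present on '$resourceGroupName'; nothing to do."
} else {
    New-AzRoleAssignment -ObjectId $group.Id `
                         -RoleDefinitionName $roleName `
                         -ResourceGroupName $resourceGroupName | Out-Null
    Write-Host "Assigned '$roleName' to '$userGroupName' on '$resourceGroupName'."
}

# Review every holder of the role on this resource group; only the intended
# groups should appear.
Get-AzRoleAssignment -ResourceGroupName $resourceGroupName -RoleDefinitionName $roleName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Run it with an account that can manage access on the resource group. The final listing is worth keeping as part of the catalog hand-over, since it shows exactly which identities can sign in to the desktops.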

VDA installation and configuration

Follow the steps for installing the VDA:

  1. Make sure to select the following options in the installation wizard:

    • In the Environment page, select Create a master MCS image.

    [Screenshot: Azure AD config 1]

    • In the Delivery Controller page, select Let Machine Creation Services do it automatically.

    [Screenshot: Azure AD config 2]

  2. After the VDA is installed, add the following registry value:

    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
    • Value type: DWORD
    • Value name: GctRegistration
    • Value data: 1
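Both template-VM changes described on this page are registry writes: the GctRegistration value above, and the Windows Hello for Business policy from the Considerations section (set here to Disabled, the first of the two options listed there). The script below is an added example, not Citrix's own tooling, and applies both settings and then verifies them so the image is not generalized with a value missing. The Windows Hello values are assumed to be the registry equivalents of the Group Policy setting named on the page (Enabled = 0 under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork for Disabled; DisablePostLogonProvisioning = 1 would be the alternative "Enabled, do not start provisioning after sign-in" choice); confirm them against your Group Policy templates before relying on them.

```powershell
# Added example (not from the Citrix page): apply and verify the template-VM
# registry settings described on the page. Run elevated on the template VM
# after the VDA is installed and before the image is generalized.
# Assumed mapping: the Windows Hello for Business policy values below are the
# registry form of the "Use Windows Hello for Business" Group Policy setting.

#Requires -RunAsAdministrator

function Set-DwordValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    # Create the key if it does not exist, then write (or overwrite) the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-DwordValue {
    param([string] $Path, [string] $Name, [int] $Expected)
    # Read the value back; a missing key or value yields $null and OK = False.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path = $Path; Name = $Name; Expected = $Expected; Actual = $actual
        OK   = ($actual -eq $Expected)
    }
}

# 1. GctRegistration = 1 under HKLM\SOFTWARE\Citrix\VirtualDesktopAgent (from the page).
$vdaKey = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
Set-DwordValue -Path $vdaKey -Name 'GctRegistration' -Value 1

# 2. Windows Hello for Business policy set to Disabled (assumed registry mapping;
#    Enabled = 0 corresponds to the "Disabled" choice in gpedit.msc).
$whfbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
Set-DwordValue -Path $whfbKey -Name 'Enabled' -Value 0

# Verify both settings; any row with OK = False needs attention before imaging.
@(
    Test-DwordValue -Path $vdaKey  -Name 'GctRegistration' -Expected 1
    Test-DwordValue -Path $whfbKey -Name 'Enabled'         -Expected 0
) | Format-Table -AutoSize
```

Because the policy is written to the local machine, it applies to every MCS-provisioned machine cloned from the image, persistent or not, which is the reason the page offers it as the alternative to Intune for non-persistent catalogs.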

Proceed to create a machine catalog.

Machine catalog

Before you create the machine catalog for Pure Azure AD joined or non-domain joined machines, you need the following:

  1. New resource location
    • Navigate to the Citrix Cloud admin UI > upper left hamburger menu > Resource Locations.
    • Click + Resource Location.
    • Enter a name for the new resource location and click Save.
  2. Create a hosting connection to Azure
    • Navigate to the Citrix Cloud admin UI > upper left hamburger menu > My Services > DaaS > Manage > Full Configuration.
    • Select the Hosting node on the left.
    • Select Add Connection and Resources.
    • If given the option, choose Create a new connection.
    • Select the following:
      • Connection type: Microsoft Azure
      • Azure environment: Azure Global
      • Zone name: select the zone that corresponds to the Resource Location you created in step 1.
      • Create virtual machines using: Citrix provisioning tools
      • Click Next.

      [Screenshot: Azure AD config 3]

    • Enter your Azure subscription ID and a name for your hosting connection.
    • Citrix DaaS needs an application registered within your Azure Active Directory:
      • If you want the wizard to create a service principal for you, click Create new…
      • If you prefer to create a service principal manually, click Use existing…

      [Screenshot: Azure AD config 4]

    • After a successful connection is made to your Azure tenant, proceed with the remainder of the steps in the wizard.

Refer to the Citrix documentation for more details on creating the hosting connection and considerations specific to Azure Resource Manager.

Once the hosting connection is created, proceed to create the machine catalog:

  1. Select the Machine Catalogs node on the left.
  2. Select Create Machine Catalog.
  3. Select Single-session OS as the operating system and click Next.
  4. Select Machines that are power managed, Citrix Machine Creation Services (MCS), and ensure that the correct resources from the new Zone are selected in the Resources drop-down list. Click Next.
  5. Select the appropriate desktop experience settings based on whether you want persistent or non-persistent desktops, and whether the desktops are dedicated or pooled. Click Next.
  6. In the master image page:
    • Select the disk you want to use as a master image. This is the disk of the VM you installed the VDA on earlier.
    • Select 2106 (or later) as the functional level.
    • If using pure Azure AD joined machines, you must check Use a machine profile and select the appropriate machine from the list.
    • Click Next.

    [Screenshot: Azure AD config 5]

  7. Select the appropriate options for your environment in the Storage and License Types, Virtual Machines, Network Cards, Disk Settings, and Resource Group pages.
  8. In the Machine Identities page, make sure to select the correct identity type (Azure Active Directory joined or Non-domain-joined).

    • If you select Azure Active Directory joined as the Identity type, make sure you select Enroll the machines in Microsoft Intune if you want the machines to be enrolled automatically.

      [Screenshot: Azure AD Microsoft Intune]

  9. Proceed to the remaining steps in the wizard to create the machine catalog.
  10. If using pure Azure AD joined machines, remember that users must be granted explicit access in Azure to log into the machines using their AAD credentials. Refer to the Pure Azure AD joined considerations section for more details.
  11. Refer to the Citrix documentation for more details on creating machine catalogs.
  12. Once the machine catalog is created, proceed to create a delivery group.

Delivery group

Once your machine catalog has been created, you need to create a delivery group:

  1. Select the Delivery Groups node on the left.
  2. Select Create Delivery Group.
  3. In the Machines page, select the machine catalog created earlier, and choose how many machines from that catalog to add to the Delivery Group. Click Next.

    [Screenshot: Azure AD config 6]

  4. Select Desktops as the delivery type. Click Next.
  5. Select your preferred way to manage user access to the delivery group. Click Next. The option Restrict use of this delivery group to the following users can only be used if Workspace is configured to use Active Directory as the IdP.
  6. If you selected Allow any authenticated users to use this delivery group in the Users page, the Desktop Assignment Rules page is shown.
    • Click Add.
    • Enter a display name for the virtual desktop (the name users see when they log into Workspace).
    • Leave Allow everyone with access to this delivery group to have a desktop assigned.
    • Click OK.
  7. Proceed with the remaining steps in the wizard to create the delivery group.
  8. Refer to the Citrix documentation for more details on creating delivery groups.

Enable Rendezvous

Once the delivery group has been created, you need to enable Rendezvous. Refer to the Rendezvous documentation for details.
