Citrix DaaS

Azure Active Directory joined

This article describes the requirements to create Azure Active Directory (AAD) joined catalogs using Citrix DaaS in addition to the requirements outlined in the Citrix DaaS system requirements section.

Requirements

  • Control plane: See Supported Configurations
  • VDA type: Single-session (desktops only) or multi-session (apps and desktops)
  • VDA version: 2203 or later
  • Provisioning type: Machine Creation Services (MCS), Persistent and Non-persistent using Machine Profile workflow
  • Assignment type: Dedicated and pooled
  • Hosting platform: Azure only
  • Rendezvous V2 must be enabled

Limitations

  • Service continuity is not supported.
  • Single sign-on to virtual desktops not supported. Users must manually enter credentials when signing in to their desktops.
  • Logging in with Windows Hello in the virtual desktop is not supported. Only username and password are supported at this time. If users try to log in with any Windows Hello method, they receive an error stating that they are not the brokered user, and the session is disconnected. Associated methods include PIN, FIDO2 key, MFA, and so on.
  • Support only Microsoft Azure Resource Manager cloud environments.
  • The first time a virtual desktop session is launched, the Windows sign-in screen may show the logon prompt for the last logged on user without the option to switch to another user. The user must wait until the logon times out and the desktop’s lock screen appears, and then click the lock screen to reveal the logon screen once again. At this point, the user is able to select Other Users and enter their credentials. This is the behavior with every new session when the machines are non-persistent.
  • When you shut down a non-persistent VM, it might not always unregister from Azure AD and as such, leaves stale device information in Azure. To clean up stale Azure AD devices using script, see CTX477042.

Considerations

Image configuration

Azure AD joined

  • Consider disabling Windows Hello so users are not prompted to set it up when they log into their virtual desktop. If you are using VDA 2209 or later, this is done automatically. For earlier versions, you can do this in one of two ways:

    • Group policy or local policy

      • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
      • Set Use Windows Hello for Business to:
        • Disabled, or
        • Enabled and select Do not start Windows Hello provisioning after sign-in.
    • Microsoft Intune

      • Create a device profile that disables Windows Hello for Business. Refer to Microsoft documentation for details.
      • Currently, Microsoft supports Intune enrollment of persistent machines only, meaning you cannot manage non-persistent machines with Intune.
  • Users must be granted explicit access in Azure to log into the machines using their AAD credentials. This can be facilitated by adding the role assignment at the resource group level:

    1. Sign into the Azure portal.
    2. Select Resource Groups.
    3. Click the resource group where the virtual desktop workloads reside.
    4. Select Access control (IAM).
    5. Click Add role assignment.
    6. Search for Virtual Machine User Login, select it on the list, and click Next.
    7. Select User, group, or service principal.
    8. Click Select members and select the users and groups you want to provide access to the virtual desktops.
    9. Click Select.
    10. Click Review + assign.
    11. Click Review + assign once again.

Note:

If you choose to let MCS create the resource group for the virtual desktops, you add this role assignment after the machine catalog is created.

  • Master VMs can be Azure AD joined or non-domain-joined. This functionality requires VDA version 2212 or later.

VDA installation and configuration

Follow the steps for installing the VDA:

  1. Make sure to select the following options in the installation wizard:

    • In the Environment page, select Create a master MCS image.

    Azure AD config 1

    • In the Delivery Controller page, select Let Machine Creation Services do it automatically.

    Azure AD config 2

  2. After the VDA is installed, add the following registry value:

    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
    • Value type: DWORD
    • Value name: GctRegistration
    • Value data: 1
  3. For Windows 11 22H2 based master VM, create a scheduled task in the master VM that executes the following command at system startup using SYSTEM account.

    reg ADD HKLM\Software\AzureAD\VirtualDesktop /v Provider /t REG_SZ /d Citrix /f
    <!--NeedCopy-->
    

Where to go next

Once the resource location and hosting connection are available, proceed to create the machine catalog. For more information on creating Azure Active Directory joined machine catalogs, see Create Azure Active Directory joined catalogs.

Azure Active Directory joined