Citrix Virtual Apps and Desktops

Create a Microsoft Azure catalog

April 22, 2024

Contributed by:

C C

Create machine catalogs describes the wizards that create a machine catalog. The following information covers details specific to Microsoft Azure Resource Manager cloud environments.

Note:

Before creating a Microsoft Azure catalog, you need to finish creating a connection to Microsoft Azure. See Connection to Microsoft Azure.

Azure on-demand provisioning

With Azure on-demand provisioning, VMs are created only when Citrix Virtual Apps and Desktops initiates a power-on action, after the provisioning completes.

When you use MCS to create machine catalogs in the Azure Resource Manager, the Azure on-demand provisioning feature:

Reduces your storage costs
Provides faster catalog creation

When you create an MCS catalog, the Azure portal displays the network security group, network interfaces, base images, and identity disks in the resource groups.

The Azure portal does not show a VM until Citrix Virtual Apps and Desktops initiates a power-on action for it. There are two types of machines with the following differences:

For a pooled machine, the operating system disk and write-back cache exist only when the VM exists. When you shut down a pooled machine in the console, the VM is not visible in the Azure portal. There is a significant storage cost saving if you routinely shut down machines (for example, outside of working hours).
For a dedicated machine, the operating system disk is created the first time the VM is powered on. The VM in the Azure portal remains in storage until the machine identity is deleted. When you shut down a dedicated machine in the console, the VM is still visible in the Azure portal.

Create a machine catalog

You can create a machine catalog in two ways:

Create a machine catalog using an Azure Resource Manager image in Web Studio

An image can be a disk, snapshot, or an image version of an image definition inside Azure Compute Gallery that is used to create the VMs in a machine catalog. Before creating the machine catalog, create an image in Azure Resource Manager. For general information about images, see Create machine catalogs.

During image preparation, a preparation VM is created based on the original VM. This preparation VM is disconnected from the network. To disconnect the network from the preparation VM, a network security group is created to deny all inbound and outbound traffic. The network security group is created automatically once per catalog. The network security group’s name is Citrix-Deny-All-a3pgu-GUID, where GUID is randomly generated. For example, Citrix-Deny-All-a3pgu-3f161981-28e2-4223-b797-88b04d336dd1.

In the machine catalog creation wizard:

The Machine Type and Machine Management pages do not contain Azure-specific information. Follow the guidance in the Create machine catalogs article.
On the Master Image page, select an image that you want to use as the master image for all machines in the catalog. The Select an image wizard appears.
1. (Applicable only to connections configured with shared images within or across tenants) Select a subscription where the image resides.
2. Select a resource group.
3. Navigate to the Azure VHD, the Azure Compute Gallery, or the Azure image version. Add a note for the selected image if needed.
When selecting an image, consider the following:
- Verify that a Citrix VDA is installed on the image.
- If you select a VHD attached to a VM, you must shut down the VM before proceeding to the next step.
Note:
- The subscription corresponding to the connection (host) that created the machines in the catalog is denoted with a green dot. The other subscriptions are those that have the Azure Compute Gallery shared with that subscription. In those subscriptions, only shared galleries are shown. For information about how to configure shared subscriptions, see Share images within a tenant (across subscriptions) and Share images across tenants.
- Using a machine profile with trusted launch as Security Type is mandatory when you select an image or snapshot that has trusted launch enabled. You can then enable or disable SecureBoot and vTPM by specifying their values in the machine profile. Trusted Launch is not supported for Shared Image Gallery. For information about Azure trusted launch, see https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch.
- You can create a provisioning scheme using ephemeral OS disk on Windows with trusted launch. When you select an image with trusted launch, then you must select a machine profile with trusted launch that is enabled with vTPM. To create machine catalogs using ephemeral OS disk, see How to create machines using ephemeral OS disks.
- When image replication is in progress, you can proceed and select the image as the master image and complete the setup. However, catalog creation might take longer to complete while the image is being replicated. MCS requires the replication to complete within an hour starting from catalog creation. If the replication times out, catalog creation fails. You can verify the replication status in Azure. Try again if the replication is still pending or after the replication completes.
- When you select a master image for machine catalogs in Azure, MCS identifies the OS type based on the master image and machine profile you select. If MCS can’t identify it, select the OS type that matches the master image.
- You can provision a Gen2 VM catalog by using a Gen2 image to improve boot time performance. However, creating a Gen2 machine catalog using a Gen1 image is not supported. Similarly, creating a Gen1 machine catalog using a Gen2 image is also not supported. Also, any older image that does not have generation information is a Gen1 image.
Choose whether you want VMs in the catalog to inherit configurations from a machine profile. By default, the Use a machine profile (mandatory for Azure Active Directory) check box is selected. Click Select a machine profile to browse to a VM or an ARM template spec from a list of resource groups.

Validate the ARM template spec to make sure whether it can be used as a machine profile to create a machine catalog. There are two ways to validate the ARM template spec:
- After you select the ARM template spec from the resource group list, click Next. Error messages appear if the ARM template spec has errors.
- Run one of the following PowerShell commands:
  - Test-ProvInventoryItem -HostingUnitName <string> -InventoryPath <string>
  - Test-ProvInventoryItem -HostingUnitUid <Guid> -InventoryPath <string>
Examples of configurations that VMs can inherit from a machine profile include:
- Accelerated networking
- Boot diagnostics
- Host disk caching (relating to OS and MCSIO disks)
- Machine size (unless otherwise specified)
- Tags placed on the VM
After you create the catalog, you can view the configurations that the image inherits from the machine profile. On the Machine Catalogs node, select the catalog to view its details in the lower pane. Then, click the Template Properties tab to view machine profile properties. The Tags section displays up to three tags. To view all tags placed on the VM, click View all.

If you want MCS to provision VMs on an Azure dedicated host, enable the Use a dedicated host group check box and then select a host group from the list. A host group is a resource that represents a collection of dedicated hosts. A dedicated host is a service that provides physical servers that host one or more VMs. Your server is dedicated to your Azure subscription, not shared with other subscribers. When you use a dedicated host, Azure ensures that your VMs are the only machines running on that host. This feature is suitable for scenarios where you must meet regulatory or internal security requirements. To learn more about host groups and considerations for using them, see Azure dedicated hosts.
Important:
- Only host groups that have Azure auto-placement enabled are shown.
- Using a host group changes the Virtual Machines page offered later in the wizard. Only machine sizes that the selected host group contains are shown on that page. Also, Availability Zones are selected automatically and not available for selection.
The Storage and License Types page appears only when you use an Azure Resource Manager image.

You have the following storage types to use for the machine catalog:
- Premium SSD. Offers a high-performance, low-latency disk storage option suitable for VMs with I/O-intensive workloads.
- Standard SSD. Offers a cost-effective storage option that is suitable for workloads that require consistent performance at lower IOPS levels.
- Standard HDD. Offers a reliable, low-cost disk storage option suitable for VMs that run latency-insensitive workloads.
- Azure ephemeral OS disk. Offers a cost-effective storage option that reuses the local disk of the VMs to host the operating system disk. Alternatively, you can use PowerShell to create machines that use ephemeral OS disks. For more information, see Azure ephemeral disks. Be aware of the following considerations when using an ephemeral OS disk:
  - Azure ephemeral OS disk and MCS I/O cannot be enabled at the same time.
  - To update machines that use ephemeral OS disks, you must select an image whose size does not exceed the size of the VM’s cache disk or temporary disk.
  - You cannot use the Retain system disk during power cycles option offered later in the wizard.
Note:

The identity disk is always created using Standard SSD irrespective of the storage type that you choose.

The storage type determines which machine sizes are offered on the Virtual Machines page of the wizard. MCS configures premium and standard disks to use Locally Redundant Storage (LRS). LRS makes multiple synchronous copies of your disk data within a single data center. Azure ephemeral OS disks use the local disk of the VMs to store the operating system. For details about Azure storage types and storage replication, see the following:
Select whether to use existing Windows licenses or Linux licenses.
- Windows licenses: Using Windows licenses along with Windows images (Azure platform support images or custom images) lets you run Windows VMs in Azure at a reduced cost. There are two types of licenses:
  - Windows Server license. Lets you use your Windows Server or Azure Windows Server licenses, allowing you to use Azure Hybrid Benefits. For details, see https://azure.microsoft.com/en-us/pricing/hybrid-benefit/. Azure Hybrid Benefit reduces the cost of running VMs in Azure to the base compute rate, waiving the cost of extra Windows Server licenses from the Azure gallery.
  - Windows Client license. Lets you bring your Windows 10 and Windows 11 licenses to Azure, allowing you to run Windows 10 and Windows 11 VMs in Azure without the need for extra licenses. For details, see Client Access Licenses and Management Licenses.
You can verify that the provisioned VM is using the licensing benefit by running the following PowerShell command: Get-AzVM -ResourceGroup MyResourceGroup -Name MyVM.
- For the Windows Server license type, verify that the license type is Windows_Server. More instructions are available at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing/.
- For the Windows Client license type, verify that the license type is Windows_Client. More instructions are available at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/windows-desktop-multitenant-hosting-deployment/.
Alternatively, you can use the Get-Provscheme PowerShell SDK to do the verification. For example: Get-Provscheme -ProvisioningSchemeName "My Azure Catalog". For more information about this cmdlet, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/MachineCreation/Get-ProvScheme/.
- Linux licenses: With bring-your-own-subscription (BYOS) Linux licenses, you do not have to pay for the software. The BYOS charge only includes the compute hardware fee. There are two types of licenses:
  - RHEL_BYOS: To use RHEL_BYOS type successfully, enable Red Hat Cloud Access on your Azure subscription.
  - SLES_BYOS: The BYOS versions of SLES include support from SUSE.
  You can set the LicenseType value to Linux options at New-ProvScheme and Set-ProvScheme.
  
  Example of setting LicenseType to RHEL_BYOS at New-ProvScheme:
```
New-ProvScheme -CleanOnBoot -ProvisioningSchemeName "azureCatalog" -RunAsynchronously -Scope @() -SecurityGroup @() -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" /><Property xsi:type="StringProperty" Name="StorageAccountType" Value="StandardSSD_LRS" /><Property xsi:type="StringProperty" Name="ResourceGroups" Value="hu-dev-mcs" /><Property xsi:type="StringProperty" Name="OsType" Value="Linux" /><Property xsi:type="StringProperty" Name="LicenseType" Value="RHEL_BYOS" /></CustomProperties>'

```
  Example of setting LicenseType to SLES_BYOS at Set-ProvScheme:
```
Set-ProvScheme -ProvisioningSchemeName "azureCatalog" -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" /><Property xsi:type="StringProperty" Name="StorageAccountType" Value="StandardSSD_LRS" /><Property xsi:type="StringProperty" Name="ResourceGroups" Value="hu-dev-mcs" /><Property xsi:type="StringProperty" Name="OsType" Value="Linux" /><Property xsi:type="StringProperty" Name="LicenseType" Value="SLES_BYOS" /></CustomProperties>'

```
  Note:
  
  If LicenseType value is empty, then the default values are Azure Windows Server License or Azure Linux License, depending on OsType value.
  
  Example of setting LicenseType to empty:
```
Set-ProvScheme -ProvisioningSchemeName "azureCatalog" -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" /><Property xsi:type="StringProperty" Name="StorageAccountType" Value="StandardSSD_LRS" /><Property xsi:type="StringProperty" Name="ResourceGroups" Value="hu-dev-mcs" /><Property xsi:type="StringProperty" Name="OsType" Value="Linux" /></CustomProperties>'

```
See the following documents to understand License types and their benefits:
- https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachine.licensetype?view=azure-dotnet
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/azure-hybrid-benefit-linux
Azure Compute Gallery (formerly Azure Shared Image Gallery) is a repository for managing and sharing images. It lets you make your images available throughout your organization. We recommend that you store an image in SIG when creating large non-persistent machine catalogs because doing that enables faster resets of VDA OS disks. After you select Place prepared image in Azure Compute Gallery, the Azure Compute Gallery settings section appears, letting you specify more Azure Compute Gallery settings:
- Ratio of virtual machines to image replicas. Lets you specify the ratio of virtual machines to image replicas that you want Azure to keep. By default, Azure keeps a single image replica for every 40 non-persistent machines. For persistent machines, that number defaults to 1,000.
- Maximum replica count. Lets you specify the maximum number of image replicas that you want Azure to keep. The default is 10.
On the Virtual Machines page, indicate how many VMs you want to create. You must specify at least one and select a machine size. After catalog creation, you can change the machine size by editing the catalog.
The NICs page does not contain Azure-specific information. Follow the guidance in the Create machine catalogs article.
On the Disk Settings page, choose whether to enable write-back cache. With the MCS storage optimization feature enabled, you can configure the following settings when creating a catalog. These settings apply to both Azure and GCP environments.

After enabling write-back cache, you can do the following:
- Configure the size of the disk and RAM used for caching temporary data. For more information, see Configure cache for temporary data.
- Select the storage type for the write-back cache disk. The following storage options are available to use for the write-back cache disk:
  - Premium SSD
  - Standard SSD
  - Standard HDD
- Choose whether you want the write-back cache disk to persist for the provisioned VMs. Select Enable write-back cache to make the options available. By default, Use non-persistent write-back cache disk is selected.
- Select the type for the write-back cache disk.
  - Use non-persistent write-back cache disk. If selected, the write-back cache disk is deleted during power cycles. Any data redirected to it will be lost. If the VM’s temporary disk has sufficient space, it is used to host the write-back cache disk to reduce your costs. After catalog creation, you can check whether the provisioned machines use the temporary disk. To do so, click the catalog and verify the information on the Template Properties tab. If the temporary disk is used, you see Non-persistent Write-back Cache Disk and its value is Yes (using VM’s temporary disk). If not, you see Non-persistent Write-back Cache Disk and its value is No (not using VM’s temporary disk).
  - Use persistent write-back cache disk. If selected, the write-back cache disk persists for the provisioned VMs. Enabling the option increases your storage costs.
- Choose whether to retain system disks for VDAs during power cycles.
  - Retain system disk during power cycles. By default, the system disk is deleted on shutdown and recreated on startup. This ensures that the disk is always in a clean state but results in longer VM restart times. If system writes are redirected to the RAM cache and overflow to the cache disk, the system disk remains unchanged. Enabling this option increases your storage costs but reduces VM restart times. Select Enable write-back cache to make this option available.
    - Retain VMs across power cycles. Select this option to retain your VM customization and to enable the VMs to be started through the Azure portal.
- Choose whether to enable storage cost savings. If enabled, save storage costs by downgrading the storage disk to Standard HDD when the VM shuts down. The VM switches to its original settings on restart. The option applies to both storage and write-back cache disks. Alternatively, you can also use PowerShell. See Change the storage type to a lower tier when a VM is shut down.
- Choose whether to encrypt data on the machines provisioned in the catalog. Server-side encryption with a customer-managed encryption key lets you manage encryption at a managed disk level and protect data on the machines in the catalog. For more information, see Azure server side encryption.
On the Resource Group page, choose whether to create resource groups or use existing groups.
- If you choose to create resource groups, select Next.
- If you choose to use existing resource groups, select groups from the Available Provisioning Resource Groups list. Remember: Select enough groups to accommodate the machines you’re creating in the catalog. A message appears if you choose too few. You might want to select more than the minimum required if you plan to add more VMs to the catalog later. You can’t add more resource groups to a catalog after the catalog is created.
For more information, see Azure resource groups.
On the Machine Identities page, choose an identity type and configure identities for machines in this catalog. If you select the VMs as Azure Active Directory joined, you can add them to an Azure AD security group. Detailed steps are as follows:
1. From the Identity type field, select Azure Active Directory joined. The Azure AD security group (optional) option appears.
2. Click Azure AD security group: Create new.
3. Enter a group name, and then click Create.
4. Follow the onscreen instructions to sign in to Azure. If the group name doesn’t exist in Azure, a green icon appears. Otherwise, an error message appears requesting you to enter a new name.
5. Enter the machine account naming scheme for the VMs.
After catalog creation, Citrix Virtual Apps and Desktops accesses Azure on your behalf and creates the security group and a dynamic membership rule for the group. Based on the rule, VMs with the naming scheme specified in this catalog are automatically added to the security group.

Adding VMs with a different naming scheme to this catalog requires you to sign in to Azure. Citrix Virtual Apps and Desktops can then access Azure and create a dynamic membership rule based on the new naming scheme.

When deleting this catalog, deleting the security group from Azure also requires signing in to Azure.
The Domain Credentials and Summary pages do not contain Azure-specific information. Follow the guidance in the Create machine catalogs article.

Complete the wizard.

Conditions for Azure temporary disk to be eligible for write-back cache disk

You can use the Azure temporary disk as write-back cache disk only if all the following conditions are satisfied:

The write-back cache disk must non-persist as the Azure temporary disk is not appropriate for persistent data.
The chosen Azure VM size must include a temporary disk.
The ephemeral OS disk is not required to be enabled.
Accept to place the write-back cache file on Azure temporary disk.
The Azure temporary disk size must be greater than the total size of (write-back cache disk size + reserved space for paging file + 1 GB buffer space).

Non-persistent write-back cache disk scenarios

The following table describes three different scenarios when temporary disk is used for write-back cache while creating machine catalog.

Scenario	Outcome
All conditions to use temporary disk for write-back cache are satisfied.	The WBC file `mcsdif.vhdx` is placed on the temporary disk.
Temporary disk has insufficient space for write-back cache usage.	A VHD disk `MCSWCDisk` is created and WBC file `mcsdif.vhdx` is placed on this disk.
Temporary disk has sufficient space for write-back cache usage but `UseTempDiskForWBC` is set to false.	A VHD disk `MCSWCDisk` is created and WBC file `mcsdif.vhdx` is placed on this disk.

Create an Azure template spec

You can create an Azure template spec in the Azure portal and use it in Web Studio and PowerShell commands to create or update an MCS machine catalog.

To create an Azure template spec for an existing VM:

Go to the Azure portal. Select a resource group, and then select the VM and network interface. From … menu on the top, click Export template.
Clear Include parameters check box if you want to create a template spec for catalog provisioning.
Click Add to library to modify the template spec later.
On the Importing template page, enter the required information such as Name, Subscription, Resource Group, Location, and Version. Click Next: Edit Template.
You also need a network interface as an independent resource if you want to provision catalogs. Therefore, you must remove any dependsOn specified in the template spec. For example:
```
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', 'tnic937')]"
],

```
Create Review+Create and create the template spec.
On the Template Specs page, verify the template spec you just created. Click the template spec. On the left panel, click Versions.
You can create a new version by clicking Create new version. Specify a new version number, make changes to the current template spec, and click Review + Create to create the new version of the template spec.

You can get information about the template spec and template version using the following PowerShell commands:

To get information about the template spec, run:

 get-item XDHyp:\HostingUnits\East\machineprofile.folder\abc.resourcegroup\bggTemplateSpec.templatespec
 <!--NeedCopy-->

To get information about the template spec version, run:

 get-item XDHyp:\HostingUnits\East\machineprofile.folder\abc.resourcegroup\bggTemplateSpec.templatespec\bgg1.0.templatespecversion
 <!--NeedCopy-->

Use template spec in creating or updating a catalog

You can create or update an MCS machine catalog using a template spec as a machine profile input. To do this, you can use the Web Studio or PowerShell commands.

For Web Studio, see Create a machine catalog using an Azure Resource Manager image in Web Studio
For PowerShell, see Use template spec in creating or updating a catalog using PowerShell

Azure server side encryption

Citrix Virtual Apps and Desktops supports customer-managed encryption keys for Azure managed disks through Azure Key Vault. With this support you can manage your organizational and compliance requirements by encrypting the managed disks of your machine catalog using your own encryption key. For more information, see Server-side encryption of Azure Disk Storage.

When using this feature for managed disks:

To change the key that the disk is encrypted with, you change the current key in the DiskEncryptionSet. All resources associated with that DiskEncryptionSet change to be encrypted with the new key.
When you disable or delete your key, any VMs with disks using that key automatically shut down. After shutting down, the VMs are not usable unless the key is enabled again or you assign a new key. Any catalog using the key cannot be powered on, and you cannot add VMs to it.

Important considerations when using customer-managed encryption keys

Consider the following when using this feature:

All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must reside in the same subscription and region.
Once you have enabled the customer-managed encryption key that you cannot disable it later. If you want to disable or remove the customer-managed encryption key, copy all the data to a different managed disk that is not using the customer-managed encryption key.
Disks created from encrypted custom images using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. These disks must be in the same subscription.
Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
Disks, snapshots, and images encrypted with customer-managed keys cannot move to another resource group and subscription.
Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
Refer to the Microsoft site for limitations on disk encryption sets per region.

Note:

See Quickstart: Create a Key Vault using the Azure portal for information on configuring Azure server side encryption.

Azure Customer-managed encryption key

When creating a machine catalog, you can choose whether to encrypt data on the machines provisioned in the catalog. Server-side encryption with a customer-managed encryption key lets you manage encryption at a managed disk level and protect data on the machines in the catalog. A Disk Encryption Set (DES) represents a customer-managed key. To use this feature, you must first create your DES in Azure. A DES is in the following format:

/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet

Select a DES from the list. The DES you select must be in the same subscription and region as your resources. If your image is encrypted with a DES, use the same DES when creating the machine catalog. You cannot change the DES after you create the catalog.

If you create a catalog with an encryption key and later disable the corresponding DES in Azure, you can no longer power on the machines in the catalog or add machines to it.

See Creating a machine catalog using customer-managed key.

Azure disk encryption at host

You can create an MCS machine catalog with encryption at host capability. Currently, MCS supports only the machine profile workflow for this feature. You can use a VM or a template spec as an input for a machine profile.

This encryption method does not encrypt the data through the Azure storage. The server hosting the VM encrypts the data and then the encrypted data flows through the Azure storage server. Hence, this method of encryption encrypts data end to end.

Restrictions:

Azure disk encryption at host is:

Not supported for all Azure machine sizes
Incompatible with Azure disk encryption

To create a machine catalog with encryption at host capability:

Check if the subscription has the encryption at host feature enabled or not. To do this, see https://learn.microsoft.com/en-us/rest/api/resources/features/get?tabs=HTTP/. If not enabled, you must enable the feature for the subscription. For information on enabling the feature for your subscription, see https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell#prerequisites/.

Check if a particular Azure VM size supports encryption at host or not. To do this, in a PowerShell window, run one of the following:

PS XDHyp:\Connections\<your connection>\east us.region\serviceoffering.folder>
<!--NeedCopy-->

PS XDHyp:\HostingUnits\<your hosting unit>\serviceoffering.folder>
<!--NeedCopy-->

Create a VM or a template spec, as an input for machine profile, in Azure portal with encryption at host enabled.
- If you want to create a VM, select a VM size that supports encryption at host. After you create the VM, the VM property Encryption at host is enabled.
- If you want to use a template spec, assign the parameter Encryption at Host as true inside securityProfile.
Create an MCS machine catalog with machine profile workflow by either selecting a VM or a template spec.
- OS disk / Data Disk: Gets encrypted through Customer-managed key and Platform-managed key
- Ephemeral OS Disk: Gets encrypted only through Platform-managed key
- Cache Disk: Gets encrypted through Customer-managed key and Platform-managed key
You can create the machine catalog using Web Studio or running PowerShell commands.

Double encryption on managed disk

You can create a machine catalog with double encryption. Any catalogs created with this feature have all disks server side encrypted with both platform and customer managed keys. You own and maintain the Azure Key Vault, Encryption Key, and the Disk Encryption Sets (DES).

Double encryption is platform-side encryption (default) and customer-managed encryption (CMEK). Therefore, if you are a high security sensitive customer who is concerned about the risk associated with any encryption algorithm, implementation, or a compromised key, you can opt for this double encryption. Persistent OS and data disks, snapshots, and images are all encrypted at rest with double encryption.

Note:

You can create and update a machine catalog with double encryption using Web Studio and PowerShell commands. See Create a machine catalog with double encryption for PowerShell commands.

You can use non-machine profile-based workflow or machine profile-based workflow for creating or updating a machine catalog with double encryption.

If you use non-machine profile-based workflow workflow to create a machine catalog, you can reuse the stored DiskEncryptionSetId.

If you use a machine profile, you can use a VM or template spec as a machine profile input.

Limitations:

Double encryption is not supported for Ultra Disks or Premium SSD v2 disks.
Double encryption is not supported on unmanaged disks.
If you disable a DiskEncryptionSet key associated with a catalog, then the VMs of the catalog are disabled.
All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
You can only create up to 50 disk encryption sets per region per subscription.
You cannot update a machine catalog that already has a DiskEncryptionSetId with a different DiskEncryptionSetId.

Azure resource groups

Azure provisioning resource groups provide a way to provision the VMs that provide applications and desktops to users. You can add existing empty Azure resource groups when you create an MCS machine catalog, or have new resource groups created for you. For information about Azure resource groups, see the Microsoft documentation.

Azure Resource Group Usage

There is no limit on the number of virtual machines, managed disks, snapshots, and images per Azure Resource Group. (The limit of 240 VMs per 800 managed disks per Azure Resource Group has been removed.)

When using a full scope service principal to create a machine catalog, MCS creates only one Azure Resource Group and uses that group for the catalog.
When using a narrow scope service principal to create a machine catalog, you must supply an empty, pre-created Azure Resource Group for the catalog.

Azure ephemeral disks

An Azure ephemeral disk allows you to repurpose the cache disk or temporary disk to store the OS disk for an Azure-enabled virtual machine. This functionality is useful for Azure environments that require a higher performant SSD disk over a standard HDD disk. For information on creating a catalog with an Azure ephemeral disk, see Create a catalog with an Azure ephemeral disks.

Note:

Persistent catalogs do not support ephemeral OS disks.

Ephemeral OS disks require that your provisioning scheme uses managed disks and a Shared Image Gallery.

Storing an ephemeral OS temporary disk

You have the option of storing an ephemeral OS disk on the VM temp disk or a resource disk. This functionality enables you to use an ephemeral OS disk with a VM that either doesn’t have a cache, or has insufficient cache. Such VMs have a temp or resource disk to store an ephemeral OS disk, such as Ddv4.

Consider the following:

An ephemeral disk is stored either in the VM cache disk, or the VM’s temporary (resource) disk. The cache disk is preferred over the temporary disk, unless the cache disk is not large enough to hold the contents of the OS disk.
For updates, a new image that is larger than the cache disk but smaller than the temp disk results in replacing the ephemeral OS disk with the VM’s temp disk.

Azure ephemeral disk and Machine Creation Services (MCS) storage optimization (MCS I/O)

Azure ephemeral OS disk and MCS I/O cannot be enabled at the same time.

The important considerations are as follows:

You cannot create a machine catalog with both ephemeral OS disk and MCS I/O enabled at the same time.
The PowerShell parameters (UseWriteBackCache and UseEphemeralOsDisk) fail with proper error messages if you set them to true in New-ProvScheme or Set-ProvScheme.
For existing machine catalogs created with both features enabled, you can still:
- update a machine catalog.
- add or delete VMs.
- delete a machine catalog.

Azure Compute Gallery

Use Azure Compute Gallery (formerly Azure Shared Image Gallery) as a published image repository for MCS provisioned machines in Azure. You can store a published image in the gallery to accelerate the creation and hydration of OS disks, improving start and application launch times for non-persistent VMs. Shared image gallery contains the following three elements:

Gallery: Images are stored here. MCS creates one gallery for each machine catalog.
Gallery Image Definition: This definition includes information (operating system type and state, Azure region) about the published image. MCS creates one image definition for each image created for the catalog.
Gallery Image Version: Each image in a Shared Image Gallery can have multiple versions, and each version can have multiple replicas in different regions. Each replica is a full copy of the published image.

Note:

Shared Image Gallery functionality is only compatible with managed disks. It is not available for legacy machine catalogs.

For more information, see Azure Compute Gallery overview.

For information on creating or updating a machine catalog using Azure Compute Gallery image using PowerShell, see Create or update a machine catalog using an Azure Compute Gallery image.

Azure Marketplace

Citrix Virtual Apps and Desktops supports using a master image on Azure that contains plan information to create a machine catalog. For more information, see Microsoft Azure Marketplace.

Tip:

Some images found on the Azure Marketplace, like the standard Windows Server image, do not append plan information. Citrix Virtual Apps and Desktops feature is for paid images.

Ensure that the image created in Shared Image Gallery contains Azure plan information

Use the procedure in this section to view Shared Image Gallery images in Web Studio. These images can optionally be used for a master image. To put the image into a Shared Image Gallery, create an image definition in a gallery.

Azure Marketplace Shared Image Gallery

In the Publishing options page, verify the purchase plan information.

The purchase plan information fields are initially empty. Populate those fields with the purchase plan information used for the image. Failure to populate purchase plan information can cause the machine catalog process to fail.

Azure Marketplace verifies VDA publishing options

After verifying the purchase plan information, create an image version within the definition. This is used as the master image. Click Add version:

Azure Marketplace add VDA version

In the Version details section, select the image snapshot or managed disk as the source:

Azure Marketplace select VDA options

Create a machine catalog using PowerShell

This section details how you can create catalogs using PowerShell:

Create a catalog with non-persistent write-back cache disk
Create a catalog with persistent write-back cache disk
Improve boot performance with MCSIO
Use template spec in creating or updating a catalog using PowerShell
Machine catalogs with Trusted launch
Use machine profile property values
Create a machine catalog with customer-managed encryption key
Create a machine catalog with double encryption
Create a catalog with an Azure ephemeral disks
Azure dedicated hosts
Create or update a machine catalog using an Azure Compute Gallery image
Configure Shared Image Gallery
Provision machines into specified Availability Zones
Storage types
Page file location
Update page file setting

Create a catalog with non-persistent write-back cache disk

To configure a catalog with non-persistent write-back cache disk, use the PowerShell parameter New-ProvScheme CustomProperties. The custom property UseTempDiskForWBC indicates whether you are accepting to use the Azure temporary storage to store the write-back cache file. This must be configured to true when running New-ProvScheme if you want to use the temporary disk as write-back cache disk. If this property is not specified, the parameter is set to False by default.

For example, using the CustomProperties parameter to set UseTempDiskForWBC to true:

-CustomProperties '<CustomProperties xmlns=" http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"> `
<Property xsi:type="StringProperty" Name="PersistWBC" Value="false"/> `
<Property xsi:type="StringProperty" Name="PersistOsDisk" Value="false"/> `
<Property xsi:type="StringProperty" Name="PersistVm" Value="false"/> `
<Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS"/> `
<Property xsi:type="StringProperty" Name="WBCDiskStorageType" Value="Premium_LRS"/> `
<Property xsi:type="StringProperty" Name="LicenseType" Value="Windows_Client"/> `
<Property xsi:type="StringProperty" Name="UseTempDiskForWBC" Value="true"/> `
</CustomProperties>'
<!--NeedCopy-->

Note:

After you commit the machine catalog to use Azure local temporary storage for write-back cache file, it cannot be changed to use VHD later.

Create a catalog with persistent write-back cache disk

To configure a catalog with persistent write-back cache disk, use the PowerShell parameter New-ProvScheme CustomProperties. This parameter supports an extra property, PersistWBC, used to determine how the write-back cache disk persists for MCS provisioned machines. The PersistWBC property is only used when the UseWriteBackCache parameter is specified, and when the WriteBackCacheDiskSize parameter is set to indicate that a disk is created.

Examples of properties found in the CustomProperties parameter before supporting PersistWBC include:

<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
<Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS" />
<Property xsi:type="StringProperty" Name="ResourceGroups" Value="benvaldev5RG3" />
</CustomProperties>
<!--NeedCopy-->

When using these properties, consider that they contain default values if the properties are omitted from the CustomProperties parameter. The PersistWBC property has two possible values: true or false.

Setting the PersistWBC property to true does not delete the write-back cache disk when the Citrix Virtual Apps and Desktops administrator shuts down the machine using Web Studio.

Setting the PersistWBC property to false deletes the write-back cache disk when the Citrix Virtual Apps and Desktops administrator shuts down the machine using Web Studio.

Note:

If the PersistWBC property is omitted, the property defaults to false and the write-back cache is deleted when the machine is shutdown using Web Studio.

For example, using the CustomProperties parameter to set PersistWBC to true:

<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
<Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS" />
<Property xsi:type="StringProperty" Name="ResourceGroups" Value="benvaldev5RG3" />
<Property xsi:type="StringProperty" Name="PersistWBC" Value="true" />
</CustomProperties>
<!--NeedCopy-->

Important:

The PersistWBC property can only be set using the New-ProvScheme PowerShell cmdlet. Attempting to alter the CustomProperties of a provisioning scheme after creation has no impact on the machine catalog and the persistence of the write-back cache disk when a machine is shut down.

For example, set New-ProvSchemeto use the write-back cache while setting the PersistWBC property to true:

New-ProvScheme
-CleanOnBoot
-CustomProperties "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`"><Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" /><Property xsi:type=`"StringProperty`" Name=`"StorageAccountType`" Value=`"Premium_LRS`" /><Property xsi:type=`"StringProperty`" Name=`"ResourceGroups`" Value=`"benvaldev5RG3`" /><Property xsi:type=`"StringProperty`" Name=`"PersistWBC`" Value=`"true`" /></CustomProperties>"
-HostingUnitName "adSubnetScale1"
-IdentityPoolName "BV-WBC1-CAT1"
-MasterImageVM "XDHyp:\HostingUnits\adSubnetScale1\image.folder\GoldImages.resourcegroup\W10MCSIO-01_OsDisk_1_a940e6f5bab349019d57ccef65d2c7e3.manageddisk"
-NetworkMapping @{"0"="XDHyp:\HostingUnits\adSubnetScale1\\virtualprivatecloud.folder\CloudScale02.resourcegroup\adVNET.virtualprivatecloud\adSubnetScale1.network"}
-ProvisioningSchemeName "BV-WBC1-CAT1"
-ServiceOffering "XDHyp:\HostingUnits\adSubnetScale1\serviceoffering.folder\Standard_D2s_v3.serviceoffering"
-UseWriteBackCache
-WriteBackCacheDiskSize 127
-WriteBackCacheMemorySize 256
<!--NeedCopy-->

Improve boot performance with MCSIO

You can improve boot performance for Azure and GCP managed disks when MCSIO is enabled. Use the PowerShell PersistOSDisk custom property in the New-ProvScheme command to configure this feature. Options associated with New-ProvScheme include:

<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
<Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS" />
<Property xsi:type="StringProperty" Name="Resource <!--NeedCopy-->
``````<!--NeedCopy-->
<!--NeedCopy-->
````````Groups" Value="benvaldev5RG3" />
<Property xsi:type="StringProperty" Name="PersistOsDisk" Value="true" />
</CustomProperties>
<!--NeedCopy-->

To enable this feature, set the PersistOSDisk custom property to true. For example:

New-ProvScheme
-CleanOnBoot
-CustomProperties "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`"><Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" /><Property xsi:type=`"StringProperty`" Name=`"StorageAccountType`" Value=`"Premium_LRS`" /><Property xsi:type=`"StringProperty`" Name=`"ResourceGroups`" Value=`"benvaldev5RG3`" /><Property xsi:type=`"StringProperty`" Name=`"PersistOsDisk`" Value=`"true`" /></CustomProperties>"
-HostingUnitName "adSubnetScale1"
-IdentityPoolName "BV-WBC1-CAT1"
-MasterImageVM "XDHyp:\HostingUnits\adSubnetScale1\image.folder\GoldImages.resourcegroup\W10MCSIO-01_OsDisk_1_a940e6f5bab349019d57ccef65d2c7e3.manageddisk"
-NetworkMapping @{"0"="XDHyp:\HostingUnits\adSubnetScale1\\virtualprivatecloud.folder\CloudScale02.resourcegroup\adVNET.virtualprivatecloud\adSubnetScale1.network"}
-ProvisioningSchemeName "BV-WBC1-CAT1"
-ServiceOffering "XDHyp:\HostingUnits\adSubnetScale1\serviceoffering.folder\Standard_D2s_v3.serviceoffering"
-UseWriteBackCache
-WriteBackCacheDiskSize 127
-WriteBackCacheMemorySize 256
<!--NeedCopy-->

Use template spec in creating or updating a catalog using PowerShell

You can create or update an MCS machine catalog using a template spec as a machine profile input. To do this, you can use the Web Studio or PowerShell commands.

For Web Studio, see Create a machine catalog using an Azure Resource Manager image in Web Studio

Using PowerShell commands:

Open the PowerShell window.
Run asnp citrix*.

Create or update a catalog.

To create a catalog:

Use the New-ProvScheme command with a template spec as a machine profile input. For example:

New-ProvScheme -MasterImageVM "XDHyp:/HostingUnits/azure/image.folder/fgthj.resourcegroup/nab-ws-vda_OsDisk_1_xxxxxxxxxxa.manageddisk"
MachineProfile "XDHyp:/HostingUnits/azure/machineprofile.folder/fgthj.resourcegroup/test.templatespec/V1.templatespecversion"
-ProvisioningSchemeName <String>
-HostingUnitName <String>
-IdentityPoolName <String>
[-ServiceOffering <String>][-CustomProperties <String>
[-LoggingId <Guid>]
[-BearerToken <String>][-AdminAddress <String>]
[<CommonParameters>]
<!--NeedCopy-->

Finish creating the catalog.

To update a catalog, use Set-ProvScheme command with a template spec as a machine profile input. For example:

 Set-ProvScheme -MasterImageVm 'XDHyp://Connections/Azure/East Us.region/vm.folder/MasterDisk.vm'
 MachineProfile 'XDHyp:/HostingUnits/azure/machineprofile.folder/fgthj.resourcegroup/testing.templatespec/V1.templatespecversion'
 [-ProvisioningSchemeName] <String>
 [-CustomProperties <String>][-ServiceOffering <String>] [-PassThru]
 [-LoggingId <Guid>] [-BearerToken <String>][-AdminAddress <String>] [<CommonParameters>]
 <!--NeedCopy-->

Machine catalogs with Trusted launch

To successfully create a machine catalog with Trusted launch, use:

A machine profile with Trusted launch
A VM size that supports Trusted launch
A Windows VM version that supports Trusted launch. Currently, Windows 10, Windows Server 2016, 2019, and 2022 support trusted launch.

Important:

Trusted launch requires the creation of new VMs. You cannot enable Trusted launch on existing VMs that were initially created without it.

To view the Citrix Virtual Apps and Desktops offering inventory items, and to determine whether the VM size supports Trusted launch, run the following command:

Open a PowerShell window.
Run asnp citrix* to load the Citrix-specific PowerShell modules.

Run the following command:

$s = (ls XDHyp:\HostingUnits\<name of hosting unit>\serviceoffering.folder\"<VM size>.serviceoffering)
<!--NeedCopy-->

Run $s | select -ExpandProperty Additionaldata
Check the value of the SupportsTrustedLaunch attribute.
- If SupportsTrustedLaunch is True, the VM size supports Trusted launch.
- If SupportsTrustedLaunch is False, the VM size does not support Trusted launch.

As per Azure’s PowerShell, you can use the following command to determine the VM sizes that support Trusted launch:

(Get-AzComputeResourceSku | where {$_.Locations.Contains($region) -and ($_.Name -eq "<VM size>") })[0].Capabilities
<!--NeedCopy-->

Following are examples that describe whether the VM size supports Trusted launch after you run the Azure PowerShell command.

Example 1: If the Azure VM supports only Generation 1, that VM does not support trusted launch. Therefore, the TrustedLaunchDisabled capability is not displayed after you run the Azure PowerShell command.
Example 2: If the Azure VM supports only Generation 2 and the TrustedLaunchDisabled capability is True, the Generation 2 VM size is not supported for Trusted launch.
Example 3: If the Azure VM supports only Generation 2 and the TrustedLaunchDisabled capability is not displayed after you run the PowerShell command, the Generation 2 VM size is supported for Trusted launch.

For more information on Trusted launch for Azure virtual machines, see the Microsoft document Trusted launch for Azure virtual machines.

Errors while creating machine catalogs with Trusted launch

You get appropriate errors in the following scenarios while creating a machine catalog with trusted launch:

Scenario	Error
If you select a machine profile while creating an unmanaged catalog	`MachineProfileNotSupportedForUnmanagedCatalog`
If you select a machine profile that supports Trusted launch while creating a catalog with unmanaged disk as the master image	`SecurityTypeNotSupportedForUnmanagedDisk`
If you do not select a machine profile while creating a managed catalog with a master image source with Trusted launch as the security type	`MachineProfileNotFoundForTrustedLaunchMasterImage`
If you select a machine profile with a security type different from the security type of the master image	`SecurityTypeConflictBetweenMasterImageAndMachineProfile`
If you select a VM size that does not support Trusted launch but use a master image that supports Trusted launch while creating a catalog	`MachineSizeNotSupportTrustedLaunch`

Use machine profile property values

The machine catalog uses the following properties that are defined in the custom properties:

Availability zone
Dedicated Host Group Id
Disk Encryption Set Id
OS type
License type
Storage type

If these custom properties are not defined explicitly, then the property values are set from the ARM template spec or VM, whichever is used as the machine profile. In addition, if ServiceOffering is not specified, then it is set from the machine profile.

Note:

If some of the properties are missing from the machine profile and not defined in the custom properties, then the default values of the properties take place wherever applicable.

The following section describes some scenarios at New-ProvScheme and Set-ProvScheme when CustomProperties either have all the properties defined or values are derived from the MachineProfile.

New-ProvScheme Scenarios

MachineProfile has all the properties and CustomProperties are not defined. Example:

New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpA.vm"

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="OSType" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="DedicatedHostGroupId" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="Zones" Value="<mpA-value>"/>
 </CustomProperties>
 <!--NeedCopy-->

MachineProfile has some properties and CustomProperties are not defined. Example: MachineProfile only has LicenseType and OsType.

New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpA.vm"

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="OSType" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<mpA-value>"/>
 </CustomProperties>
 <!--NeedCopy-->

Both MachineProfile and CustomProperties define all properties. Example:

New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpA.vm" -CustomProperties $CustomPropertiesA

Custom properties take priority. The following values are set as custom properties for the catalog:

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="OSType" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="DedicatedHostGroupId" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="Zones" Value="<CustomPropertiesA-value>"/>
 </CustomProperties>
 <!--NeedCopy-->

Some properties are defined in MachineProfile and some properties are defined in CustomProperties. Example:

CustomProperties define LicenseType and StorageAccountType
MachineProfile define LicenseType, OsType, and Zones

New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpA.vm" -CustomProperties $CustomPropertiesA

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="OSType" Value="<mpA-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<CustomPropertiesA-value>"/>
 <Property xsi:type="StringProperty" Name="Zones" Value="<mpA-value>"/>
 </CustomProperties>
 <!--NeedCopy-->

Some properties are defined in MachineProfile and some properties are defined in CustomProperties. In addition, ServiceOffering is not defined. Example:

CustomProperties define StorageType
MachineProfile define LicenseType

 New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mp.vm"
 -ServiceOffering "XDHyp:\HostingUnits\azureunit\serviceoffering.folder\<explicit-machine-size>.serviceoffering"
 <!--NeedCopy-->

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select ServiceOffering
 serviceoffering.folder\<explicit-machine-size>.serviceoffering

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="explicit-storage-type"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="value-from-machineprofile"/>
 </CustomProperties>
 <!--NeedCopy-->

If the OsType is in neither in the CustomProperties nor in the MachineProfile, then:
- The value is read from the master image.
- If the master image is an unmanaged disk, the OsType is set to Windows. Example:
New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpA.vm" -MasterImageVM "XDHyp:\HostingUnits\azureunit\image.folder\linux-master-image.manageddisk"

The value from the master image is written to the custom properties, in this case Linux.
```
 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="OSType" Value="Linux"/>
 </CustomProperties>
 
```

Set-ProvScheme Scenarios

An existing catalog with:
- CustomProperties for StorageAccountType and OsType
- MachineProfile mpA.vm that defines zones

Updates:

MachineProfile mpB.vm that defines StorageAccountType
A new set of custom properties $CustomPropertiesB that defines LicenseType and OsType

Set-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpB.vm" -CustomProperties $CustomPropertiesB

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<mpB-value>"/>
 <Property xsi:type="StringProperty" Name="OSType" Value="<CustomPropertiesB-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<CustomPropertiesB-value>"/>
     </CustomProperties>
 <!--NeedCopy-->

An existing catalog with:
- CustomProperties for StorageAccountType and OsType
- MachineProfile mpA.vm that defines StorageAccountType and LicenseType

Updates:

A new set of custom properties $CustomPropertiesB that defines StorageAccountType and OsType.

Set-ProvScheme -CustomProperties $CustomPropertiesB

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<CustomPropertiesB-value>"/>
 <Property xsi:type="StringProperty" Name="OSType" Value="<CustomPropertiesB-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<mp-A-value>"/>
 </CustomProperties>
 <!--NeedCopy-->

An existing catalog with:
- CustomProperties for StorageAccountType and OsType
- MachineProfile mpA.vm that defines Zones

Updates:

A MachineProfile mpB.vm that defines StorageAccountType and LicenseType
ServiceOffering is not specified

Set-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpB.vm"

The following values are set as custom properties for the catalog:

 Get-ProvScheme | select ServiceOffering
 serviceoffering.folder\<value-from-machineprofile>.serviceoffering

 Get-ProvScheme | select CustomProperties
 <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<mpB-value>"/>
 <Property xsi:type="StringProperty" Name="OSType" Value="<prior-CustomProperties-value>"/>
 <Property xsi:type="StringProperty" Name="LicenseType" Value="<mpB-value>"/>
 </CustomProperties>
 <!--NeedCopy-->

Create a machine catalog with customer-managed encryption key

The detailed steps on how to create a machine catalog with customer-managed encryption key are:

Open a PowerShell window.
Run asnp citrix* to load the Citrix-specific PowerShell modules.
Enter cd xdhyp:/.
Enter cd .\HostingUnits\(your hosting unit).
Enter cd diskencryptionset.folder.
Enter dir to get the list of the Disk Encryption Sets.
Copy the Id of a Disk Encryption Set.

Create a custom property string to include the Id of the Disk Encryption Set. For example:

$customProperties = "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`">
<Property xsi:type=`"StringProperty`" Name=`"StorageAccountType`" Value=`"Standard_LRS`" />
<Property xsi:type=`"StringProperty`" Name=`"persistWBC`" Value=`"False`" />
<Property xsi:type=`"StringProperty`" Name=`"PersistOsDisk`" Value=`"false`" />
<Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" />
<Property xsi:type=`"StringProperty`" Name=`"DiskEncryptionSetId`" Value=`"/subscriptions/0xxx4xxx-xxb-4bxx-xxxx-xxxxxxxx/resourceGroups/abc/providers/Microsoft.Compute/diskEncryptionSets/abc-des`"/>
</CustomProperties>
<!--NeedCopy-->

Create an identity pool if not already created. For example:

New-AcctIdentityPool -IdentityPoolName idPool -NamingScheme ms## -Domain def.local -NamingSchemeType Numeric
<!--NeedCopy-->

Run the New-ProvScheme command: For example:

New-ProvScheme -CleanOnBoot -HostingUnitName "name" -IdentityPoolName "name" -InitialBatchSizeHint 1
-MasterImageVM "XDHyp:\HostingUnits\azure-res2\image.folder\def.resourcegroup\def.snapshot"
-NetworkMapping @{"0"="XDHyp:\HostingUnits\azure-res2\\virtualprivatecloud.folder\def.resourcegroup\def-vnet.virtualprivatecloud\subnet1.network"}
-ProvisioningSchemeName "name"
-ServiceOffering "XDHyp:\HostingUnits\azure-res2\serviceoffering.folder\Standard_DS2_v2.serviceoffering"
-MachineProfile "XDHyp:\HostingUnits\<adnet>\machineprofile.folder\<def.resourcegroup>\<machine profile vm.vm>"
-CustomProperties $customProperties
<!--NeedCopy-->

Finish creating the machine catalog.

Create a machine catalog with double encryption

You can create and update a machine catalog with double encryption using Web Studio and PowerShell commands.

The detailed steps on how to create a machine catalog with double encryption are:

Create an Azure Key Vault and DES with Platform-managed and customer-managed keys. For information on how to create an Azure Key Vault and a DES, see Use the Azure portal to enable double encryption at rest for managed disks.
To browse available DiskEncryptionSets in your hosting connection:
1. Open a PowerShell window.
2. Run the following PowerShell commands:
  1. asnp citrix*
  2. cd xdhyp:
  3. cd HostingUnits
  4. cd YourHostingUnitName (ex. azure-east)
  5. cd diskencryptionset.folder
  6. dir
You can use an Id of the DiskEncryptionSet to create or update a catalog using custom properties.
If you want to use machine profile workflow, create a VM or template spec as a machine profile input.
- If you want to use a VM as a machine profile input:
  1. Create a VM in Azure Portal.
  2. Navigate to Disks>Key management to encrypt the VM directly with any DiskEncryptionSetID.
- If you want to use a template spec as a machine profile input:
  1. In the template, under properties>storageProfile>osDisk>managedDisk, add diskEncryptionSet parameter and add the id of the double encryption DES.

Create the machine catalog.

If using Web Studio, do one of the following in addition to the steps in Create machine catalogs.
- If you do not use machine-profile based workflow, on the Disk Settings page, select Use the following key to encrypt data on each machine. Then, select your double encryption DES from the dropdown. Continue creating the catalog.
- If using machine profile workflow, on the Master Image page, select a master image and a machine profile. Make sure that the machine profile has a disk encryption set id in its properties.
All machines created in the catalog are double encrypted by the key associated with the DES you selected.

If using PowerShell commands, do one of the following:

If not using machine profile-based workflow, add the custom property DiskEncryptionSetId in the New-ProvScheme command. For example:

 New-ProvScheme -CleanOnBoot -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
 <Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS" />
 <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="/subscriptions/12345678-xxxx-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet" />
 </CustomProperties>'
 -HostingUnitName "Redacted"
 -IdentityPoolName "Redacted"
 -InitialBatchSizeHint 1
 -MasterImageVM "Redacted"
 -NetworkMapping @{"0"="Redacted"}
 -ProvisioningSchemeName "Redacted"
 -ServiceOffering "Redacted"
 <!--NeedCopy-->

If using machine profile-based workflow, use a machine profile input in the New-ProvScheme command. For example:

 New-ProvScheme -CleanOnBoot
 -HostingUnitName azure-east
 -IdentityPoolName aio-ip
 -InitialBatchSizeHint 1
 -MasterImageVM XDHyp:\HostingUnits\azure-east\image.folder\abc.resourcegroup\fgb-vda-snapshot.snapshot
 -NetworkMapping @{"0"="XDHyp:\HostingUnits\azure-east\virtualprivatecloud.folder\apa-resourceGroup.resourcegroup\apa-resourceGroup-vnet.virtualprivatecloud\default.network"}
 -ProvisioningSchemeName aio-test
 -MachineProfile XDHyp:\HostingUnits\azure-east\machineprofile.folder\abc.resourcegroup\abx-mp.templatespec\1.0.0.templatespecversion
 <!--NeedCopy-->

Finish creating a catalog using remote powershell sdk. For information on how to create a catalog using the Remote PowerShell SDK, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/creating-a-catalog/. All machines created in the catalog are double encrypted by the key associated with the DES you selected.

Convert an unencrypted catalog to use double encryption

You can update a machine catalog’s encryption type (using custom properties or machine profile) only if the catalog was previously unencrypted.

If not using machine profile-based workflow, add the custom property DiskEncryptionSetId in the Set-ProvScheme command. For example:

 Set-ProvScheme -ProvisioningSchemeName "SampleProvSchemeName"
 -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="/subscriptions/12345678-xxxx-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet" />
 </CustomProperties>'
 <!--NeedCopy-->

If using machine profile-based workflow, use a machine profile input in the Set-ProvScheme command. For example:

 Set-ProvScheme -ProvisioningSchemeName mxiao-test -MachineProfile XDHyp:\HostingUnits\azure-east\machineprofile.folder\aelx.resourcegroup\elx-mp.templatespec\1.0.0.templatespecversion
 <!--NeedCopy-->

Once successful, all new VMs that you add in your catalog are double encrypted by the key associated with the DES you selected.

Verify the catalog is double encrypted

In the Web Studio:
1. Navigate to Machine Catalogs.
2. Select the catalog you want to verify. Click the Template Properties tab located near the bottom of the screen.
3. Under Azure Details, verify the Disk Encryption Set ID in Disk Encryption Set. If the catalog’s DES Id is blank, the catalog is not encrypted.
4. In the Azure Portal, verify that the encryption type of the DES associated with the DES Id is platform-managed and customer-managed keys.
Using PowerShell command:
1. Open the PowerShell window.
2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
3. Use Get-ProvScheme to get the information of your machine catalog. For example:
```
Get-ProvScheme -ProvisioningSchemeName "SampleProvSchemeName"

```
4. Retrieve the DES Id custom property of the machine catalog. For example:
```
<Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet" />

```
5. In the Azure Portal, verify that the encryption type of the DES associated with the DES Id is platform-managed and customer-managed keys.

Create a catalog with an Azure ephemeral disks

To use ephemeral disks, you must set the custom property UseEphemeralOsDisk to true when running New-ProvScheme.

Note:

If the custom property UseEphemeralOsDisk is set to false or a value is not specified all provisioned VDAs continue to use a provisioned OS disk.

The following is an example set of custom properties to use in the provisioning scheme:

"CustomProperties": [
            {
                "Name": "UseManagedDisks",
                "Value": "true"
            },
            {
                "Name": "StorageType",
                "Value": "Standard_LRS"
            },
            {
                "Name": "UseSharedImageGallery",
                "Value": "true"
            },
            {
                "Name": "SharedImageGalleryReplicaRatio",
                "Value": "40"
            },
            {
                "Name": "SharedImageGalleryReplicaMaximum",
                "Value": "10"
            },
            {
                "Name": "LicenseType",
                "Value": "Windows_Server"
            },
            {
                "Name": "UseEphemeralOsDisk",
                "Value": "true"
            }
        ],
<!--NeedCopy-->

Configure an ephemeral disk for a catalog

To configure an Azure ephemeral OS disk for a catalog, use the UseEphemeralOsDisk parameter in Set-ProvScheme. Set the value of the UseEphemeralOsDisk parameter to true.

Note:

To use this feature, you must also enable the parameters UseManagedDisks and UseSharedImageGallery.

For example:

Set-ProvScheme -ProvisioningSchemeName catalog-name -CustomProperties <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
<Property xsi:type="StringProperty" Name="UseSharedImageGallery" Value="true" />
<Property xsi:type="StringProperty" Name="UseEphemeralOsDisk" Value="true" />
</CustomProperties>'
<!--NeedCopy-->

Important considerations for ephemeral disks

To provision ephemeral OS disks using New-ProvScheme, consider the following constraints:

The VM size used for the catalog must support ephemeral OS disks.
The size of the cache or temporary disk associated with the VM size must be greater than or equal to the size of the OS disk.
The temporary disk size must be greater than the cache disk size.

Also consider these issues when:

Creating the provisioning scheme.
Modifying the provisioning scheme.
Updating the image.

Azure dedicated hosts

You can use MCS to provision VMs on Azure dedicated hosts. Before provisioning VMs on Azure dedicated hosts:

Create a host group.
Create hosts in that host group.
Ensure that there is sufficient host capacity reserved for creating catalogs and virtual machines.

You can create a catalog of machines with host tenancy defined through the following PowerShell script:

New-ProvScheme <otherParameters> -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Property xsi:type="StringProperty" Name="HostGroupId" Value="myResourceGroup/myHostGroup" />
 ...other Custom Properties...
 </CustomProperties>
<!--NeedCopy-->

When using MCS to provision virtual machines on Azure dedicated hosts, consider:

A Dedicated host is a catalog property and cannot be changed once the catalog is created. Dedicated tenancy is currently not supported on Azure.
A pre-configured Azure host group, in the region of the hosting unit, is required when using the HostGroupId parameter.
Azure auto-placement is required. This functionality makes a request to onboard the subscription associated with the host group. For more information, see VM Scale Set on Azure Dedicated Hosts - Public Preview. If auto-placement is not enabled, MCS throws an error during catalog creation.

Create or update a machine catalog using an Azure Compute Gallery image

When selecting an image to use for creating a machine catalog, you can select images you created in the Azure Compute Gallery.

For these images to appear, you must:

Configure a Citrix Virtual Apps and Desktops site.
Connect to the Azure Resource Manager.
In the Azure portal, create a resource group. For details, see Create an Azure Compute Gallery using the portal.
In the resource group, create an Azure Compute Gallery.
In the Azure Compute Gallery, create an image definition.
In the image definition, create an image version.

Use the following PowerShell commands to create or update a machine catalog using an image from Azure Compute Gallery:

Open a PowerShell window.
Run asnp citrix* to load the Citrix-specific PowerShell modules.

Select a resource group, and then list all galleries of that resource group.

Get-ChildItem -LiteralPath @("XDHyp:\HostingUnits\testresource\image.folder\sharedImageGalleryTest.resourcegroup")
<!--NeedCopy-->

Select a gallery, and then list all image definitions of that gallery.

Get-ChildItem -LiteralPath @("XDHyp:\HostingUnits\testresource\image.folder\sharedImageGalleryTest.resourcegroup\sharedImageGallery.sharedimagegallery")
<!--NeedCopy-->

Select one image definition, and then list all image versions of that image definition.

Get-ChildItem -LiteralPath @("XDHyp:\HostingUnits\testresource\image.folder\sharedImageGalleryTest.resourcegroup\sharedImageGallery.sharedimagegallery\sigtestimage.imagedefinition")
<!--NeedCopy-->

Create and update an MCS catalog using the following elements:
- Resource group
- Gallery
- Gallery image definition
- Gallery image version
For information on how to create a catalog using the Remote PowerShell SDK, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/creating-a-catalog/.

Configure Shared Image Gallery

Use the New-ProvScheme command to create a provisioning scheme with Shared Image Gallery support. Use the Set-ProvScheme command to enable or disable this feature for a provisioning scheme and to change the replica ratio and replica maximum values.

Three custom properties were added to provisioning schemes to support the Shared Image Gallery feature:

UseSharedImageGallery

Defines whether to use the Shared Image Gallery to store the published images. If set to True, the image is stored as a Shared Image Gallery image, otherwise the image is stored as a snapshot.
Valid values are True and False.
If the property is not defined, the default value is False.

SharedImageGalleryReplicaRatio

Defines the ratio of machines to gallery image version replicas.
Valid values are integer numbers greater than 0.
If the property is not defined, default values are used. The default value for persistent OS disks is 1000 and the default value for non-persistent OS disks is 40.

SharedImageGalleryReplicaMaximum

Defines the maximum number of replicas for each gallery image version.
Valid values are integer numbers greater than 0.
If the property is not defined, the default value is 10.
Azure currently supports up to 10 replicas for a gallery image single version. If the property is set to a value greater than that supported by Azure, MCS attempts to use the specified value. Azure generates an error, which MCS logs then leaves the current replica count unchanged.

Tip:

When using Shared Image Gallery to store a published image for MCS provisioned catalogs, MCS sets the gallery image version replica count based on the number of machines in the catalog, the replica ratio, and the replica maximum. The replica count is calculated by dividing the number of machines in the catalog by the replica ratio (rounding up to the nearest integer value) and then capping the value at the maximum replica count. For example, with a replica ratio of 20 and a maximum of 5, 0–20 machines have one replica created, 21–40 have 2 replicas, 41–60 have 3 replicas, 61–80 have 4 replicas, 81+ have 5 replicas.

Use case: Updating the Shared Image Gallery replica ratio and replica max

The existing machine catalog uses Shared Image Gallery. Use the Set-ProvScheme command to update the custom properties for all existing machines in the catalog and any future machines:

Set-ProvScheme -ProvisioningSchemeName catalog-name -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Property xsi:type="StringProperty" Name="StorageType" Value="Standard_LRS"/> <Property xsi:type="StringProperty" Name="UseManagedDisks" Value="True"/> <Property xsi:type="StringProperty" Name="UseSharedImageGallery" Value="True"/> <Property xsi:type="IntProperty" Name="SharedImageGalleryReplicaRatio" Value="30"/> <Property xsi:type="IntProperty" Name="SharedImageGalleryReplicaMaximum" Value="20"/></CustomProperties>'
<!--NeedCopy-->

Use Case: Converting a snapshot catalog to a Shared Image Gallery catalog

For this use case:

Run Set-ProvScheme with the UseSharedImageGallery flag set to True. Optionally include the SharedImageGalleryReplicaRatio and SharedImageGalleryReplicaMaximum properties.
Update the catalog.
Power cycle the machines to force an update.

For example:

Set-ProvScheme -ProvisioningSchemeName catalog-name -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Property xsi:type="StringProperty" Name="StorageType" Value="Standard_LRS"/> <Property xsi:type="StringProperty" Name="UseManagedDisks" Value="True"/> <Property xsi:type="StringProperty" Name="UseSharedImageGallery" Value="True"/> <Property xsi:type="IntProperty" Name="SharedImageGalleryReplicaRatio" Value="30"/> <Property xsi:type="IntProperty" Name="SharedImageGalleryReplicaMaximum" Value="20"/></CustomProperties>'
<!--NeedCopy-->

Tip:

The parameters SharedImageGalleryReplicaRatio and SharedImageGalleryReplicaMaximum are not required. After the Set-ProvScheme command completes the Shared Image Gallery image has not yet been created. Once the catalog is configured to use the gallery, the next catalog update operation stores the published image in the gallery. The catalog update command creates the gallery, the gallery image, and the image version. Power cycling the machines updates them, at which point the replica count is updated, if appropriate. From that time, all existing non-persistent machines are reset using the Shared Image Gallery image and all newly provisioned machines are created using the image. The old snapshot is cleaned up automatically within a few hours.

Use Case: Converting a Shared Image Gallery Catalog to a snapshot catalog

For this use case:

Run Set-ProvScheme with the UseSharedImageGallery flag set to False or not defined.
Update the catalog.
Power cycle the machines to force an update.

For example:

Set-ProvScheme -ProvisioningSchemeName catalog-name -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Property xsi:type="StringProperty" Name="StorageType" Value="Standard_LRS"/> <Property xsi:type="StringProperty" Name="UseManagedDisks" Value="True"/> <Property xsi:type="StringProperty" Name="UseSharedImageGallery" Value="False"/></CustomProperties>'
<!--NeedCopy-->

Tip:

Unlike updating from a snapshot to a Shared Image Gallery catalog, the custom data for each machine is not yet updated to reflect the new custom properties. Run the following command to see the original Shared Image Gallery custom properties: Get-ProvVm -ProvisioningSchemeName catalog-name. After the Set-ProvScheme command completes the image snapshot has not yet been created. Once the catalog is configured to not use the gallery, the next catalog update operation stores the published image as a snapshot. From that time, all existing non-persistent machines are reset using the snapshot and all newly provisioned machines are created from the snapshot. Power cycling the machines updates them, at which point the custom machine data is updated to reflect that UseSharedImageGallery is set to False. The old Shared Image Gallery assets (gallery, image, and version) are automatically cleaned up within a few hours.

Provision machines into specified Availability Zones

You can provision machines into specific Availability Zones in Azure environments. You can achieve that using the PowerShell.

Note:

If no zones are specified, MCS lets Azure place the machines within the region. If more than one zone is specified, MCS randomly distributes the machines across them.

Configure Availability Zones through PowerShell

Using PowerShell, you can view the offering inventory items by using Get-Item. For example, to view the Eastern US region Standard_B1ls service offering:

$serviceOffering = Get-Item -path "XDHyp:\Connections\my-connection-name\East US.region\serviceoffering.folder\Standard_B1ls.serviceoffering"
<!--NeedCopy-->

To view the zones, use the AdditionalData parameter for the item:

$serviceOffering.AdditionalData

If Availability Zones are not specified, there is no change in how machines are provisioned.

To configure Availability Zones through PowerShell, use the Zones custom property available with the New-ProvScheme operation. The Zones property defines a list of Availability Zones to provision machines into. Those zones can include one or more Availability Zones. For example, <Property xsi:type="StringProperty" Name="Zones" Value="1, 3"/> for Zones 1 and 3.

Use the Set-ProvScheme command to update the zones for a provisioning scheme.

If an invalid zone is provided, the provisioning scheme is not updated, and an error message appears providing instructions on how to fix the invalid command.

Tip:

If you specify an invalid custom property, the provisioning scheme is not updated and a relevant error message appears.

Storage types

Select different storage types for virtual machines in Azure environments that use MCS. For target VMs, MCS supports:

OS disk: premium SSD, SSD, or HDD
Write back cache disk: premium SSD, SSD, or HDD

When using these storage types, consider the following:

Ensure that your VM supports the selected storage type.
If your configuration uses an Azure ephemeral disk, you do not get the option for write-back cache disk setting.

Tip:

StorageType is configured for an OS type and storage account. WBCDiskStorageType is configured for write-back cache storage type. For a normal catalog, StorageType is required. If WBCDiskStorageType is not configured, the StorageType is used as the default for WBCDiskStorageType.

If WBCDiskStorageType is not configured, then StorageType is used as the default for WBCDiskStorageType

Configure storage types

To configure storage types for VM, use the StorageType parameter in New-ProvScheme. Set the value of the StorageType parameter to one of the supported storage types.

The following is an example set of the CustomProperties parameter in a provisioning scheme:

Set-ProvScheme -ProvisioningSchemeName catalog-name -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
<Property xsi:type="StringProperty" Name="StorageType" Value="Premium_LRS" />
<Property xsi:type="StringProperty" Name="LicenseType" Value="Windows_Client" />
</CustomProperties>'
<!--NeedCopy-->

Enable zone-redundant storage

You can select zone-redundant storage during catalog creation. It synchronously replicates your Azure managed disk across multiple availability zones, which allows you to recover from a failure in one zone by utilizing the redundancy in others.

You can specify Premium_ZRS and StandardSSD_ZRS in the storage type custom properties. ZRS storage can be set using existing custom properties or through the MachineProfile template. ZRS storage is also supported with Set-ProvVMUpdateTimeWindow command with -StartsNow and -DurationInMinutes -1 parameters, and you can change existing machine from LRS to ZRS storage.

Limitations:

Supported only for managed disks
Supported only with premium and standard solid-state drives (SSD)
Not supported with StorageTypeAtShutdown
Available only in certain regions.
Performance of Azure drops when creating ZRS disks at scale. Therefore, for the first power on, turn on the machines in smaller batches (less than 300 machines at a time)

Set zone-redundant storage as the disk storage type

You can select zone-redundant storage during the initial catalog creation, or you can update your storage type in an existing catalog.

Select zone-redundant storage using PowerShell commands

When creating a new catalog in Azure using the New-ProvScheme Powershell command, use Standard_ZRS as the value in the StorageAccountType. For example:

<Property xsi:type="StringProperty" Name="StorageAccountType" Value="StandardSSD_ZRS" />
<!--NeedCopy-->

When setting this value, it is validated by a dynamic API that determines if it can be used properly. The following exceptions can occur if the use of ZRS is not valid for your catalog:

StorageTypeAtShutdownNotSupportedForZrsDisks: The StorageTypeAtShutdown custom property cannot be used with ZRS storage.
StorageAccountTypeNotSupportedInRegion: This exception occurs if you try to use ZRS Storage in an Azure Region that does not support ZRS
ZrsRequiresManagedDisks: You can use zone-redundant storage only with managed disks.

You can set the disk storage type using the following custom properties:

StorageType
WBCDiskStorageType
IdentityDiskStorageType

Note:

During catalog creation, the machine profile’s OS disk StorageType is used if the custom properties are not set.

Page file location

In Azure environments, the page file is set up to an appropriate location when the VM is first created. The paging file setting is configured in the format <page file location>[min size] [max size] (the size is in MB). For more information, see the Microsoft document How to determine the appropriate page file.

When you create ProvScheme during image preparation, MCS determines the page file location based on certain rules. After you create ProvScheme:

VM size change is blocked if the incoming VM size causes the page file setting to be different.
Machine profile update is blocked if the service offering is changed because of the machine profile update causing page file setting to be different.
Ephemeral OS disk (EOS) and MCSIO properties cannot be changed.

Page file location determination

The features like EOS and MCSIO have their own expected page file location and are exclusive to each other. The table shows the expected page file location for each feature:

Feature	Expected page file location
EOS	OS disk
MCSIO	Azure temporary disk first, otherwise Write-back cache disk

Note:

Even if image preparation is decoupled from the provisioning scheme creation, MCS correctly determines the page file location. The default page file location is on OS disk.

Page file setting scenarios

The table describes some possible scenarios of page file setting during image preparation and provisioning scheme update:

During	Scenario	Outcome
Image preparation	Source image page file is set on the temporary disk, while the VM size specified in provisioning scheme has no temporary disk	The page file is placed on the OS disk
Image preparation	Source image page file is set on the OS disk, while the VM size specified in provisioning scheme has temporary disk.	The page file is placed on the temporary disk
Image preparation	Source image page file is set on the temporary disk, while the ephemeral OS disk is enabled in provisioning scheme.	The page file is placed on the OS disk
Provisioning scheme update	You attempt to update the provisioning scheme, the original VM size has temporary disk, and the target VM has no temporary disk.	Rejects the change with an error message
Provisioning scheme update	You attempt to update the provisioning scheme, the original VM size has no temporary disk, and the target VM has temporary disk	Rejects the change with an error message

Update page file setting

You can also specify the page file setting, including the location and size, explicitly using the PoSH command. This overrides the value determined by MCS. You can do this by running the New-ProvScheme command and including the following custom properties:

PageFileDiskDriveLetterOverride: Page file location disk drive letter
InitialPageFileSizeInMB: Initial page file size in MB
MaxPageFileSizeInMB: Maximum page file size in MB

Example of using the custom properties:

-CustomProperties '<CustomProperties xmlns=" http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"> `
<Property xsi:type="StringProperty" Name="PersistOsDisk" Value="false"/> `
<Property xsi:type="StringProperty" Name="PersistVm" Value="false"/> `
<Property xsi:type="StringProperty" Name="PageFileDiskDriveLetterOverride" Value="d"/> `
<Property xsi:type="StringProperty" Name="InitialPageFileSizeInMB" Value="2048"/> `
<Property xsi:type="StringProperty" Name="MaxPageFileSizeInMB" Value="8196"/> `
<Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS"/> `
<Property xsi:type="StringProperty" Name="LicenseType" Value="Windows_Client"/> `
</CustomProperties>'
<!--NeedCopy-->

Constraints:

You can update the page file setting only when creating provisioning scheme by running the New-ProvScheme command and the page file setting cannot be changed later.
Provide all the page file setting relative properties (PageFileDiskDriveLetterOverride, InitialPageFileSizeInMB, and MaxPageFileSizeInMB) in the custom properties or do not provide any of them.
The initial page file size must be between 16 MB and 16777216 MB.
The maximum page file size must be greater than or equal to the initial page file size and less than 16777216 MB.
This feature is not supported in Web Studio.

Where to go next

If this is the first catalog created, Web Studio guides you to create a delivery group
To review the entire configuration process, see Install and configure
To manage catalogs, see Manage machine catalogs and Manage a Microsoft Azure catalog

More information

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Create a Microsoft Azure catalog

April 22, 2024

Contributed by:

C C

April 22, 2024

Contributed by:

C C

Azure on-demand provisioning
Create a machine catalog
Conditions for Azure temporary disk to be eligible for write-back cache disk
Non-persistent write-back cache disk scenarios
Create an Azure template spec
Use template spec in creating or updating a catalog
Azure server side encryption
Azure Customer-managed encryption key
Azure disk encryption at host
Double encryption on managed disk
Azure resource groups
Azure ephemeral disks
Azure Compute Gallery
Azure Marketplace
Create a machine catalog using PowerShell
Create a catalog with non-persistent write-back cache disk
Create a catalog with persistent write-back cache disk
Improve boot performance with MCSIO
Use template spec in creating or updating a catalog using PowerShell
Machine catalogs with Trusted launch
Use machine profile property values
Create a machine catalog with customer-managed encryption key
Create a machine catalog with double encryption
Create a catalog with an Azure ephemeral disks
Azure dedicated hosts
Create or update a machine catalog using an Azure Compute Gallery image
Configure Shared Image Gallery
Provision machines into specified Availability Zones
Storage types
Page file location
Update page file setting
Where to go next
More information

Create a Microsoft Azure catalog

Azure on-demand provisioning

Create a machine catalog

Create a machine catalog using an Azure Resource Manager image in Web Studio

Conditions for Azure temporary disk to be eligible for write-back cache disk

Non-persistent write-back cache disk scenarios

Create an Azure template spec

Use template spec in creating or updating a catalog

Azure server side encryption

Important considerations when using customer-managed encryption keys

Azure Customer-managed encryption key

Azure disk encryption at host

Double encryption on managed disk

Azure resource groups

Azure Resource Group Usage

Azure ephemeral disks

Storing an ephemeral OS temporary disk

Azure ephemeral disk and Machine Creation Services (MCS) storage optimization (MCS I/O)

Azure Compute Gallery

Azure Marketplace

Ensure that the image created in Shared Image Gallery contains Azure plan information

Create a machine catalog using PowerShell

Create a catalog with non-persistent write-back cache disk

Create a catalog with persistent write-back cache disk

Improve boot performance with MCSIO

Use template spec in creating or updating a catalog using PowerShell

Machine catalogs with Trusted launch

Errors while creating machine catalogs with Trusted launch

Use machine profile property values

Create a machine catalog with customer-managed encryption key

Create a machine catalog with double encryption

Convert an unencrypted catalog to use double encryption

Verify the catalog is double encrypted

Create a catalog with an Azure ephemeral disks

Configure an ephemeral disk for a catalog

Important considerations for ephemeral disks

Azure dedicated hosts

Create or update a machine catalog using an Azure Compute Gallery image

Configure Shared Image Gallery

Use case: Updating the Shared Image Gallery replica ratio and replica max

Use Case: Converting a snapshot catalog to a Shared Image Gallery catalog

Use Case: Converting a Shared Image Gallery Catalog to a snapshot catalog

Provision machines into specified Availability Zones

Configure Availability Zones through PowerShell

Storage types

Configure storage types

Enable zone-redundant storage

Set zone-redundant storage as the disk storage type

Select zone-redundant storage using PowerShell commands

Page file location

Page file location determination

Page file setting scenarios

Update page file setting

Where to go next

More information

In this article