Citrix Modern Cloud deployment in Azure (AAD, MEM/Intune and Non-domain Windows 10/11 desktops ) step-by-step configuration

In this article I explain step by step the configuration to deploy Windows 10/11 workloads on Azure using a 100% Cloud deployment with Citrix in these cases:

  • Pure Azure Active Directory (AAD),
  • AAD MEM(Microsoft Endpoint Management)/Intune enrollment
  • NDJ (Non-Domain Joined)

And the best part of this deployment is that there is no need for any traditional on-prem resources including any ADDS (Active Directory Domain Services).

For the three deployment options mentioned above, it is important to note that the Citrix Cloud Connector component is not required for all three which makes each scenario connectorless. This is achieved by using Citrix Rendezvous V2 protocol and also utilizing the Citrix Gateway Service which handles all connections seamlessly. This blog provides all the steps needed to provide access to End-users in approximately 1 hour.

Before discussing the deployment let’s take a quick look first at the End User experience:

We are integrating the full Citrix experience over AVD (Azure Virtual Desktops deployments) in regards to security, performance, and management.

Security – Disable clipboard, show watermark, App protection…

Performance – HDX, Teams Optimizations, Analytics…

Management – Flexibility of Deployment, Easy Redeployment with MCS, Graphical console to administrate all your workloads.

All official Citrix configuration guides for this deployment can be found on these links:

In the case that you like to deploy W10 Multisession Intune workloads in Azure, I have another blog explaining this deployment: https://citrixie.wordpress.com/2022/09/19/citrix-pure-aad-intune-integration-for-windows-10-11-single-session-and-multisession/

Requirements

  • Control plane: Citrix DaaS
  • VDA version: 2203
  • VDA type: Single-session and multi-session (virtual desktops only)
  • Provisioning type: Machine Creation Services (MCS) (Mandatory for both cases)
  • Rendezvous V2 must be enabled to remove the requirement for Citrix Cloud Connectors

Pure Azure AD joined Exclusive requirements:

  • Provisioning type: Machine Creation Services (MCS) Persistent using Machine Profile workflow only
  • Assignment type: Dedicated
  • Hosting platform: Azure only
  • Template VM must not be joined to Azure AD
  • AAD + intune you will need an E5 licence* assigned to the end-user

Non-domain joined Exclusive requirements:

  • Provisioning type: Machine Creation Services (MCS) Persistent and Non-persistent
  • Assignment type: Dedicated and pooled
  • Hosting platform: All platforms supported by MCS, except Google Cloud Platform

Azure

  • Azure AD Global admin
  • Azure AD subscription active in the same tenant
  • Office 365 Licence E5 for MEM/Intune Enrolment

Deployment

In the video, you can find all the step by step configurations. I created a Windows 10 template and deploy the three desktops from it with our DaaS MCS (Machine Creation Services).

  1. Link AAD with Citrix
    1. Change Citrix Workspace authentication to AAD
  2. Create an empty Resource Location
  3. Create a DaaS hosting connection linking our Azure subscription and Citrix
  4. Create a Windows 10 VM template in Azure
    1. Use Citrix optimizer
    2. Install VDA 2003 software
    3. Create GctRegistration registry value to use Rvz v2.
    4. We also create a brand new AAD user account for this test and assign the correct O365 licence.
  5. Use MCS to deploy each Machine Catalog for AAD, AAD+MEM/Intune and NDJ
  6. Create Delivery groups and add subscribers to the desktop

step-by-step deployment video

FAQ

  • Single sign-on to the AAD/AAD+MEM/intune virtual desktop is not supported at the moment (June 2022). Users must manually enter their credentials in the virtual desktop.
  • MEM/Intune enrolment is only supported for W10/11 and persistent VMs

Troubleshooting

Azure AD login must be unchecked on the VM template creation stage, also if you are deploying AAD VMs make sure that your template is not AAD registered.

If you see any communication issue you need to make sure your Azure VMs can access https://*.nssvc.net, including all subdomains. If you can’t allow all subdomains in that manner, you can use https://*.c.nssvc.net and https://*.g.nssvc.net instead. For more information, see Knowledge Center article CTX270584.

If you are getting the above error message when login probably the AAD user doesn’t have Virtual Machine User Login rights in AAD

One thought on “Citrix Modern Cloud deployment in Azure (AAD, MEM/Intune and Non-domain Windows 10/11 desktops ) step-by-step configuration

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.