In this article I explain step by step the configuration to deploy Windows 10/11 workloads on Azure using a 100% Cloud deployment with Citrix in these cases:
- Pure Azure Active Directory (AAD),
- AAD MEM(Microsoft Endpoint Management)/Intune enrollment
- NDJ (Non-Domain Joined)
And the best part of this deployment is that there is no need for any traditional on-prem resources including any ADDS (Active Directory Domain Services).
For the three deployment options mentioned above, it is important to note that the Citrix Cloud Connector component is not required for all three which makes each scenario connectorless. This is achieved by using Citrix Rendezvous V2 protocol and also utilizing the Citrix Gateway Service which handles all connections seamlessly. This blog provides all the steps needed to provide access to End-users in approximately 1 hour.
Before discussing the deployment let’s take a quick look first at the End User experience:
We are integrating the full Citrix experience over AVD (Azure Virtual Desktops deployments) in regards to security, performance, and management.
Security – Disable clipboard, show watermark, App protection…
Performance – HDX, Teams Optimizations, Analytics…
Management – Flexibility of Deployment, Easy Redeployment with MCS, Graphical console to administrate all your workloads.
All official Citrix configuration guides for this deployment can be found on these links:
- Control plane: Citrix DaaS
- VDA version: 2203
- VDA type: Single-session and multi-session (virtual desktops only)
- Provisioning type: Machine Creation Services (MCS) (Mandatory for both cases)
- Rendezvous V2 must be enabled to remove the requirement for Citrix Cloud Connectors
Pure Azure AD joined Exclusive requirements:
- Provisioning type: Machine Creation Services (MCS) Persistent using Machine Profile workflow only
- Assignment type: Dedicated
- Hosting platform: Azure only
- Template VM must not be joined to Azure AD
- AAD + intune you will need an E5 licence* assigned to the end-user
Non-domain joined Exclusive requirements:
- Provisioning type: Machine Creation Services (MCS) Persistent and Non-persistent
- Assignment type: Dedicated and pooled
- Hosting platform: All platforms supported by MCS, except Google Cloud Platform
- Azure AD Global admin
- Azure AD subscription active in the same tenant
- Office 365 Licence E5 for MEM/Intune Enrolment
In the video, you can find all the step by step configurations. I created a Windows 10 template and deploy the three desktops from it with our DaaS MCS (Machine Creation Services).
- Link AAD with Citrix
- Change Citrix Workspace authentication to AAD
- Create an empty Resource Location
- Create a DaaS hosting connection linking our Azure subscription and Citrix
- Create a Windows 10 VM template in Azure
- Use Citrix optimizer
- Install VDA 2003 software
- Create GctRegistration registry value to use Rvz v2.
- We also create a brand new AAD user account for this test and assign the correct O365 licence.
- Use MCS to deploy each Machine Catalog for AAD, AAD+MEM/Intune and NDJ
- Create Delivery groups and add subscribers to the desktops
step by step deployment video
- Single sign-on to the AAD/AAD+MEM/intune virtual desktop is not supported at the moment (June 2022). Users must manually enter their credentials in the virtual desktop.
- MEM/Intune enrolment is only supported for W10/11 and persistent VMs
Azure AD login must be unchecked on the VM template creation stage, also if you are deploying AAD VMs make sure that your template is not AAD registered.
If you see any communication issue you need to make sure your Azure VMs can access https://*.nssvc.net, including all subdomains. If you can’t allow all subdomains in that manner, you can use https://*.c.nssvc.net and https://*.g.nssvc.net instead. For more information, see Knowledge Center article CTX270584.
If you are getting the above error message when login probably the AAD user doesn’t have Virtual Machine User Login rights in AAD