Citrix DaaS

Azure Active Directory joined

Note:

Since July 2023, Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. In this document, any reference to Azure Active Directory, Azure AD, or AAD now refers to Microsoft Entra ID.

This article describes the requirements to create Azure Active Directory (AAD) joined catalogs using Citrix DaaS in addition to the requirements outlined in the Citrix DaaS system requirements section.

Requirements

  • Control plane: See Supported Configurations
  • VDA type: Single-session (desktops only) or multi-session (apps and desktops)
  • VDA version: 2203 or later
  • Provisioning type: Machine Creation Services (MCS), Persistent and Non-persistent using Machine Profile workflow
  • Assignment type: Dedicated and pooled
  • Hosting platform: Azure only
  • Rendezvous V2 must be enabled

Limitations

  • Service continuity is not supported.
  • Single sign-on to virtual desktops not supported. Users must manually enter credentials when signing in to their desktops.
  • Logging in with Windows Hello in the virtual desktop is not supported. Only username and password are supported at this time. If users try to log in with any Windows Hello method, they receive an error stating that they are not the brokered user, and the session is disconnected. Associated methods include PIN, FIDO2 key, MFA, and so on.
  • Support only Microsoft Azure Resource Manager cloud environments.
  • The first time a virtual desktop session is launched, the Windows sign-in screen may show the logon prompt for the last logged on user without the option to switch to another user. The user must wait until the logon times out and the desktop’s lock screen appears, and then click the lock screen to reveal the logon screen once again. At this point, the user is able to select Other Users and enter their credentials. This is the behavior with every new session when the machines are non-persistent.

Considerations

Image configuration

Azure AD joined

  • Consider disabling Windows Hello so users are not prompted to set it up when they log into their virtual desktop. If you are using VDA 2209 or later, this is done automatically. For earlier versions, you can do this in one of two ways:

    • Group policy or local policy

      • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
      • Set Use Windows Hello for Business to:
        • Disabled, or
        • Enabled and select Do not start Windows Hello provisioning after sign-in.
    • Microsoft Intune

      • Create a device profile that disables Windows Hello for Business. Refer to Microsoft documentation for details.
      • Currently, Microsoft supports Intune enrollment of persistent machines only, meaning you cannot manage non-persistent machines with Intune.
  • Users must be granted explicit access in Azure to log into the machines using their AAD credentials. This can be facilitated by adding the role assignment at the resource group level:

    1. Sign into the Azure portal.
    2. Select Resource Groups.
    3. Click the resource group where the virtual desktop workloads reside.
    4. Select Access control (IAM).
    5. Click Add role assignment.
    6. Search for Virtual Machine User Login, select it on the list, and click Next.
    7. Select User, group, or service principal.
    8. Click Select members and select the users and groups you want to provide access to the virtual desktops.
    9. Click Select.
    10. Click Review + assign.
    11. Click Review + assign once again.

Note:

If you choose to let MCS create the resource group for the virtual desktops, you add this role assignment after the machine catalog is created.

  • Master VMs can be Azure AD joined or non-domain-joined. This functionality requires VDA version 2212 or later.

VDA installation and configuration

Follow the steps for installing the VDA:

  1. Make sure to select the following options in the installation wizard:

    • In the Environment page, select Create a master MCS image.

    Azure AD config 1

    • In the Delivery Controller page, select Let Machine Creation Services do it automatically.

    Azure AD config 2

  2. After the VDA is installed, add the following registry value:

    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
    • Value type: DWORD
    • Value name: GctRegistration
    • Value data: 1
  3. For Windows 11 22H2 based master VM, create a scheduled task in the master VM that executes the following command at system startup using SYSTEM account. This task of scheduling a task in the master VM is only required for VDA version 2212 or earlier.

    reg ADD HKLM\Software\AzureAD\VirtualDesktop /v Provider /t REG_SZ /d Citrix /f
    <!--NeedCopy-->
    
  4. If you join the master VM to Azure AD, and then manually remove the join by dsregcmd utility, make sure that the value of AADLoginForWindowsExtensionJoined under HKLM\Software\Microsoft\Windows Azure\CurrentVersion\AADLoginForWindowsExtension is zero.

Where to go next

Once the resource location and hosting connection are available, proceed to create the machine catalog. For more information on creating identity pool of Azure Active Directory joined machine identity, see Identity pool of Azure Active Directory joined machine identity.

Azure Active Directory joined