Product documentation
Citrix Integration for Windows 365
View PDF

Troubleshooting

June 1, 2026
Contributed by: 
C

Connection to Windows 365

If you are having issues connecting to Windows 365, check the following:

  1. Check that the Windows 365 Citrix connector™ is enabled in Intune.
  2. Check that the credentials provided when connecting to Windows 365 have the appropriate permissions.
  3. Check that the Entra ID directory connected to Citrix Cloud is in the same tenant as the Intune/Windows 365 instance you are trying to connect to.

Note:

Occasionally, a delay in propagating the application permissions in Azure will cause the connection to fail. Retrying the connection to Windows 365 within 15 minutes may solve the problem.

VDA installation and configuration

If you are having trouble with the VDA installation and configuration, check the following:

  1. If you are not seeing any errors and the VDA has not been installed after the Citrix® entitlement was assigned, please ensure enough time has elapsed to allow the VDA installation and configuration to complete. This may take up to 60 minutes.
  2. Check that the Windows 365 Citrix connector is enabled in Intune.
  3. Ensure all connectivity requirements in the pre-requisites section and the Windows 365 documentation are met.
  4. Check for additional details and retry the VDA installation in Intune:
    1. Go to Devices > Windows 365 > All Cloud PCs
    2. Make sure that the Third-party connector column is displayed. You can add this column by selecting Columns > Third party connector.
    3. Locate a Cloud PC to install the VDA.
    4. Check the message under the Third-party connector column. If it shows Citrix install failed, it confirms that the installation was attempted.
    5. Select the warning under the Status column, which reads Provisioned with warning.
    6. A blade opens with additional information on the issue.
    7. Select the Retry Citrix agent installation button at the top of the blade to retry VDA installation.
  5. If your Cloud PCs already have a VDA installed when the Citrix entitlement is assigned, or if you are using custom images with the VDA installed to provision your Cloud PCs, ensure that it is version 2209 or newer. If you are using 2203 LTSR version, make sure it is 2203 CU3 or newer.
  6. Make sure the PowerShell execution policy is configured correctly on the Cloud PCs. For more information, see pre-requisites.
  7. Make sure no security configurations restrict the software installation on the Cloud PC.
  8. If the installation or configuration issue is related to the Intune installation process, the following logs in the Cloud PC might contain additional information:
    1. C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension<version>\Status
    2. C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension<version>\CommandExecution.log
    3. C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension<version>\CustomScriptHandler.log
  9. If the installation or configuration issue is related to the VDA installer or VDA registration tool, the following logs in the Cloud PC might contain additional information:
    1. VDA installation logs: %temp%\Citrix\XenDesktop Installer
    2. VDA Registration Tool: C:\CitrixRegistrationToolFolder\WebSocketVdaRegistrationTool

VDA is not registered after successful installation

  • Review the HDX Rendezvous V2 requirements and considerations.
  • Review the Application log in the Cloud PC’s Event Viewer and look for Citrix Desktop Service errors and warnings.

HDX Sessions fail with Zscaler Internet Access (ZIA)

Zscaler Internet Access performs TLS inspection by default. Citrix Rendezvous V2 does not support packet decryption or TLS inspection — enabling TLS inspection on Citrix endpoints causes HDX sessions to fail.

To resolve:

  1. In the ZIA admin console, navigate to Policy > SSL Inspection.
  2. Add a bypass rule for the following domain:
  • *.nssvc.net (This is the primary domain used by Citrix Gateway Service for Rendezvous V2 connections. In addition, exempt all Citrix Cloud required endpoints from SSL inspection. See Connectivity requirements for the full list.)
  1. Ensure the bypass applies to both TCP 443 and UDP 443 traffic.
  2. Save and apply the policy.

After applying, connect to the Cloud PC with the VDA installed, open a command prompt and test using ctxsession.exe -v. The output should show UDP -> DTLS -> CGP -> ICA or TCP -> SSL -> CGP -> ICA.

HDX Latency issues with Zscaler Private Access (ZPA)

Zscaler Private Access tunnels traffic through its own infrastructure before it reaches the Citrix Gateway Service. This adds latency to HDX sessions and can cause intermittent connection failures.

To resolve:

  1. In the ZPA admin console, create a new Application Segment for Citrix Gateway Service endpoints:
  • Domains: *.nssvc.net, *.c.nssvc.net, *.g.nssvc.net
  • Ports: TCP 443, UDP 443
  1. Set the access policy for this segment to Bypass ZPA (do not tunnel).
  2. Apply the policy to the user groups that access Windows 365 Cloud PCs.

Note:

If your organization cannot allow double-wildcard domain patterns (*.*.nssvc.net), use the alternative forms *.c.nssvc.net and *.g.nssvc.net instead.

Troubleshooting
June 1, 2026
Contributed by: 
C
June 1, 2026
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.