Azure Active Directory joined

This article describes the requirements to create Azure Active Directory (AAD) joined catalogs using Citrix DaaS in addition to the requirements outlined in the Citrix DaaS system requirements section.

Requirements

• Control plane: See Supported Configurations
• VDA type: Single-session (desktops only) or multi-session (apps and desktops)
• VDA version: 2203 or later
• Provisioning type: Machine Creation Services (MCS), Persistent and Non-persistent using Machine Profile workflow
• Assignment type: Dedicated and pooled
• Hosting platform: Azure only
• Master VMs must not be joined to Azure AD
• Rendezvous V2 must be enabled

Limitations

• Service continuity is not supported.
• Single sign-on to virtual desktops not supported. Users must manually enter credentials when signing in to their desktops.
• Logging in with Windows Hello in the virtual desktop is not supported. Only username and password are supported at this time. If users try to log in with any Windows Hello method, they receive an error stating that they are not the brokered user, and the session is disconnected. Associated methods include PIN, FIDO2 key, MFA, and so on.
• Support only Microsoft Azure Resource Manager cloud environments.
• The first time a virtual desktop session is launched, the Windows sign-in screen may show the logon prompt for the last logged on user without the option to switch to another user. The user must wait until the logon times out and the desktop’s lock screen appears, and then click the lock screen to reveal the logon screen once again. At this point, the user is able to select Other Users and enter their credentials. This is the behavior with every new session when the machines are non-persistent.

Considerations

Image configuration

• Consider optimizing your Windows image using the Citrix Optimizer tool.

Azure AD joined

• Consider disabling Windows Hello so users are not prompted to set it up when they log into their virtual desktop. If you are using VDA 2209 or later, this is done automatically. For earlier versions, you can do this in one of two ways:

  • Group policy or local policy

    • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
    • Set Use Windows Hello for Business to:
      • Disabled, or
      • Enabled and select Do not start Windows Hello provisioning after sign-in.

  • Microsoft Intune

    • Create a device profile that disables Windows Hello for Business. Refer to Microsoft documentation for details.
    • Currently, Microsoft supports Intune enrollment of persistent machines only, meaning you cannot manage non-persistent machines with Intune.

• Users must be granted explicit access in Azure to log into the machines using their AAD credentials. This can be facilitated by adding the role assignment at the resource group level:

  1. Sign into the Azure portal.
  2. Select Resource Groups.
  3. Click the resource group where the virtual desktop workloads reside.
  4. Select Access control (IAM).
  5. Click Add role assignment.
  6. Search for Virtual Machine User Login, select it on the list, and click Next.
  7. Select User, group, or service principal.
  8. Click Select members and select the users and groups you want to provide access to the virtual desktops.
  9. Click Select.
  10. Click Review + assign.
  11. Click Review + assign once again.

Note:

If you choose to let MCS create the resource group for the virtual desktops, you add this role assignment after the machine catalog is created.

VDA installation and configuration

Follow the steps for installing the VDA:

1. Make sure to select the following options in the installation wizard:

   • In the Environment page, select Create a master MCS image.

   

   • In the Delivery Controller page, select Let Machine Creation Services do it automatically.

   

2. After the VDA is installed, add the following registry value:

   • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
   • Value type: DWORD
   • Value name: GctRegistration
   • Value data: 1

Where to go next

Once the resource location and hosting connection are available, proceed to create the machine catalog. For more information on creating Azure Active Directory joined machine catalogs, see Create Azure Active Directory joined catalogs.