Windows 365 and Citrix better together
For this post I have been working together with Tom de Jong. Tom is a Citrix CTA and VMware vExpert.
Last week on the 12th of October Microsoft announced the Public Preview of Citrix HDX Plus for Windows 365. We already knew this was coming so I was ready to jump in the world of Windows 365 with Citrix HDX. Citrix started rolling out the feature on Wednesday morning and they said it should be completed by Monday. It was just a matter of time before it would show up in our test Citrix DaaS Premium tenant.
The feature became available in our tenant on Sunday and we started testing. Microsoft and Citrix both published their documentation, with a great how-to describing the steps to set up Citrix HDX for Windows 365.
With the release of Windows 365 Cloud PC, Microsoft entered a new era with the virtualized desktop PC. With Cloud PC, it is now possible to have a persistent desktop operating system running in the Azure Cloud. The resources for your Cloud PC will be provisioned in the Microsoft tenant for your users, and you as an administrator can choose to let it connect to your own company network using the vNet integration.
It’s super easy to set up and you don’t have to worry about workspaces, host pools, scaling and all the stuff you have to manage from an AVD perspective. Yep, that’s right, the underlying infrastructure of Windows 365 is AVD.
Now let’s see what this new integration is all about. We all know Citrix from the desktop virtualization stack. Just recently at Microsoft Ignite they released their offering Citrix HDX Plus for Windows 365. This means that from now on with Citrix you have three options for managing your virtual desktop infrastructure:
- Citrix DaaS (formerly known as Virtual Apps and Desktop Service)
- Citrix DaaS Standard for Azure
- Citrix HDX Plus for Windows 365
We are planning on writing multiple posts about this subject, so let’s call this our series of blog posts about Windows 365 and Citrix (the love story). We will explain the offerings of Citrix, how Citrix is going to enhance the Cloud PC experience and the value of Citrix with subjects like Rendezvous, ICA and Analytics.
Please keep in mind this feature is in preview
What is Windows 365 Cloud PC
Windows 365 is a cloud-based service which you can leverage to provision so-called Cloud PCs for your end users. Each Cloud PC is assigned to an individual user and each Cloud PC is persistent. A Cloud PC is a highly available, optimized and scalable virtual machine which provides a complete Windows desktop experience but running in the Cloud. You can leverage Microsoft Endpoint Manager (now called Intune) to manage and secure your desktop just like you would with your on-premises devices.
If you want to know more about Windows 365 I would recommend the Windows in the cloud series from Christiaan Brinkhoff. He is one of the principal PM’s responsible for Windows 365.
We have seen it before with AVD and I see it again with Windows 365. Microsoft is working extremely hard to add new features, expand to new regions and help administrators by providing new tools to manage these new Cloud PCs.
Currently there is no GPU support yet for Windows 365 Cloud PC
Before we begin we need to look at the requirements. These are the requirements from the Citrix side as well as the Microsoft side.
Citrix Cloud tenant with one of the following licenses
- Citrix HDX Plus for Windows 365
- Citrix DaaS Premium
- Citrix DaaS Premium Plus
Citrix admin account with full admin rights
Cloud PCs must have access to:
- https://*.*.nssvc.net on TCP 443 and UDP 443 for HDX sessions over TCP and EDT, respectively.
- https://*.xendesktop.net on TCP 443.
For Hybrid Azure Active Directory (Azure AD) joined deployments: The Azure AD domain must be synchronized from the Azure AD domain that the Cloud PCs belong to. Cloud Connectors to allow Citrix Cloud to connect to your Active Directory domain. For more information, see Citrix Cloud Connector.
- Microsoft Endpoint Manager entitlement
- Azure AD domain
- Windows 365 Enterprise licenses
Azure admin account:
- Azure AD Global Admin
- Intune Admin
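A quick way to sanity-check a planned egress allow-list against the network requirements above. This is an added example, not from Microsoft's or Citrix's documentation; the rule objects, the `Test-HdxEgress` function and the sample hostnames are constructed for illustration.

```powershell
# Constructed egress rules (not taken from a real firewall). Pattern uses
# PowerShell -like wildcards; this set deliberately omits UDP 443.
$egressRules = @(
    [pscustomobject]@{ Pattern = '*.xendesktop.net'; Protocol = 'TCP'; Port = 443 }
    [pscustomobject]@{ Pattern = '*.nssvc.net';      Protocol = 'TCP'; Port = 443 }
)

# The three requirements from the list above. SampleHost is a constructed
# hostname that fits the documented wildcard and is only used for matching.
$required = @(
    [pscustomobject]@{ Need = '*.*.nssvc.net';    SampleHost = 'a.b.nssvc.net';          Protocol = 'TCP'; Port = 443; Purpose = 'HDX session over TCP' }
    [pscustomobject]@{ Need = '*.*.nssvc.net';    SampleHost = 'a.b.nssvc.net';          Protocol = 'UDP'; Port = 443; Purpose = 'HDX session over EDT' }
    [pscustomobject]@{ Need = '*.xendesktop.net'; SampleHost = 'example.xendesktop.net'; Protocol = 'TCP'; Port = 443; Purpose = 'Required by the list above' }
)

function Test-HdxEgress {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [object[]] $Requirements
    )
    foreach ($req in $Requirements) {
        # A requirement is met when one rule matches host, protocol and port.
        $match = $Rules | Where-Object {
            $req.SampleHost -like $_.Pattern -and
            $_.Protocol -eq $req.Protocol -and
            $_.Port -eq $req.Port
        } | Select-Object -First 1

        [pscustomobject]@{
            Destination = $req.Need
            Protocol    = $req.Protocol
            Port        = $req.Port
            Purpose     = $req.Purpose
            Allowed     = [bool]$match
            MatchedRule = if ($match) { $match.Pattern } else { $null }
        }
    }
}

$report = Test-HdxEgress -Rules $egressRules -Requirements $required
$report | Format-Table -AutoSize

# With only TCP 443 allowed, sessions still connect but cannot use EDT.
$missing = $report | Where-Object { -not $_.Allowed }
if ($missing) {
    $list = ($missing | ForEach-Object { "$($_.Protocol)/$($_.Port) to $($_.Destination)" }) -join ', '
    Write-Warning "Unmet egress requirements: $list"
}
```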
What is the addition of Citrix Cloud?
As Citrix themselves say: Citrix HDX Plus for Windows 365 allows you to integrate Citrix Cloud with Windows 365 to use Citrix HDX technologies for an enhanced and more secure Windows 365 Cloud PC experience in addition to other Citrix Cloud services for enhanced manageability. To be able to add HDX Plus to Windows 365 you will need one of the following licenses:
- Citrix HDX Plus for Windows 365.
- Citrix DaaS Premium.
- Citrix DaaS Premium Plus
By using Citrix DaaS technologies, the following techniques are being used:
Citrix HDX Plus for Windows 365 leverages the Rendezvous protocol, specifically the V2 variant. Fully connector-less operation with Rendezvous V2 is only available when deploying non-domain joined and Azure AD joined VDAs with MCS, and now with Windows 365 as well. This is what V2 looks like:
The picture shows that there is indeed no need for a cloud connector. The VDA needs an internet connection to connect directly to the DaaS control plane and Gateway Service.
You can use the Analytics part of Citrix for the monitoring of the Cloud PC environment. In our environment we had the availability of Analytics for Performance and Security. We will go deeper in to Analytics for Cloud PC in a later blog.
Citrix Analytics is divided into 3 parts; Performance, Security and Usage. The performance part is a deep dive into your environment, cloud or on-premises. It gives a clear overview about how the infrastructure is performing, but also what the user experience is in your site. It gives you a score that is being calculated on for example the ICA RTT, latency, session logon duration etcetera.
The Security counterpart continuously monitors your environment to check if there is any strange behaviour. It is specifically built to protect your apps and data. This is all backed by machine learning that learns to spot malicious behaviour.
In the next parts of this series we will be doing a deepdive with Citrix Analytics. More on that later!
As an addition to the ICA protocol, the Enlightened Data Transport (EDT) protocol has been added. EDT is a transport protocol built on UDP. The main advantage over a pure UDP stream is that EDT has reliability and congestion control mechanisms, which make it a reliable protocol riding over UDP. If EDT over UDP is not available, there is a fallback to the “regular” connection, TCP. Due to the lower bandwidth use and the absence of TCP retransmits, there is more bandwidth available for new packets, which improves the user experience by allowing more frames. At this moment RDP Shortpath is not yet available, so Citrix is the only one capable of giving video over UDP.
The following picture shows how the ICA protocol is set up:
The picture shows that the ICA protocol is divided into different virtual channels. The separate channels are prioritized to give the best user experience. Also, from a security perspective, you can open or close different channels, for example to not allow users to use USB storage devices.
- EDT “…which means that it’s smaller in bandwidth”: also not accurate 😊
  - EDT is simply a transport protocol. It doesn’t control the bandwidth requirements of the application.
  - ICA will consume as much bandwidth as it needs.
  - The main advantage compared to TCP is that it’s generally more resilient to higher latencies and loss, which means that in these challenging networks it will provide a better user experience compared to ICA over TCP.
  - The advantage over a pure UDP stream is that EDT has reliability and congestion control mechanisms, which make it a reliable protocol riding over UDP. We also have the capability of using EDT Lossy (unreliable version of EDT, similar to UDP) within the same stream, so any virtual channel that benefits from unreliable UDP-like transport could be sent using the unreliable protocol while everything else is sent over reliable protocol.
First steps connecting Windows 365 to Citrix Cloud
Okay! Now we know more about the what and why, let’s go a step further with the how. In the next section of this post we will show you how to prepare your environment and configure Windows 365 and Citrix HDX. Both Microsoft and Citrix published some documentation about how to get started, and it’s quite easy to get everything set up. Let’s see.
Connect Azure Active Directory to Citrix Cloud
This is the easiest part but also the best way to completely ruin your setup.
- Navigate to endpoint.microsoft.com and log in with your Global Administrator account.
- Select Tenant Administration and go to Connectors and Tokens.
- Select Windows 365 Citrix connector (preview).
- Set the Allow people to use Citrix to connect to their Cloud PCs toggle to On.
You should see the connection status change from Not available to Available. This is the only thing you need to do.
If you disable the connector, active sessions are not disconnected immediately. If the connector is not re-enabled within 7 days, Intune will uninstall the VDA from the Cloud PCs and change the access back to RDP.
Connecting Citrix Cloud to your Azure Active Directory
Now we need to make sure we can use our AAD users to authenticate to Citrix DaaS.
- Navigate to citrix.cloud.com and log in with your Citrix Cloud administrator account.
- Select the Manage tile. This will bring you to the Citrix Web Studio.
- Hover over the Manage menu and select Quick Deploy. This will bring you to the Windows 365 setup page.
- Select Go to Identity and Access in the Connect Azure Active Directory box.
- Within the Azure Active Directory box click the three dots and select Connect
- Confirm your custom administrator sign-in URL or change it to whatever you like.
- After you press Confirm you need to log in with your Azure Global Administrator account and Accept the requested permissions.
Your Citrix Cloud is now connected to your Azure Active Directory tenant. You should see a green dot with the status Connected.
Configure the Citrix Workspace
The next step is to configure the Citrix Workspace. We need to configure the workspace to use the Azure Active Directory connection we have just set up for the authentication of our users. For this test environment we only needed to change the authentication.
- Go back to the Windows 365 integration checklist via the menu. Select Go to Workspace Configuration to start configuring the workspace. Since our test workspace was already setup we only need to change the Workspace Authentication to AAD.
Make sure to be careful with settings like this in your production environment. The only end users in this environment were Tom and Stefan.
- Click I understand the impact on the subscriber experience and select Confirm
Connect Windows 365 to Citrix Cloud
Now it’s time to connect Windows 365 to Citrix Cloud. We can do this by authorising Citrix Virtual Apps and Desktops -XAC to perform actions against our Windows 365 environment.
- Within the Windows 365 integration checklist go to Connect to Windows 365 and click on Connect
- You need to login with your global administrator account and accept the requested permissions.
Okay, we almost made it! This wasn’t too hard, right? Now it’s time to assign the licenses to our test users and let the magic happen.
Assigning licenses to your users
To trigger the onboarding of the Cloud PC to Citrix Cloud we need to assign licenses to our users. Assigning a license will also trigger the installation of the VDA on the user’s Cloud PC and the onboarding to the machine catalogs and the delivery groups. More on that part later…
At this moment you can only select 10 users at a time and it isn’t possible to use a group for your licenses.
For the last time you need to navigate to the Windows 365 integration checklist. If you don’t remember how, go to Manage and select Quick Deploy.
- Click on Start within the Optimize user experience on Cloud PCs part.
- You will probably see a screen telling you that you haven’t assigned any licenses. Great! That’s the last step.
- Click on Manage Users and select Add to add new users. Within the next screen you are able to search for users, if you don’t see any result check the configuration of your workspace authentication. This should be set to Azure Active Directory.
That’s it, now you have to wait until the magic happens! If everything goes as expected, the VDA agent will be installed on the Cloud PC and the machine will be added to our workspace.
Starting your Cloud PC
Now that everything is ready and the configuration is complete, you will be able to connect to your Cloud PC via the following options:
- Citrix Workspace App
- Citrix Workspace
- Windows 365 Portal
And this is the result of our effort! Pretty cool right? Leveraging Citrix HDX to connect to your Windows 365 Cloud PC! Mission accomplished.
In the next part of this blog we will look together at what’s going on in the background during the provisioning and the installation of the VDA, and share our first thoughts about it.
Now let’s see what happens when you assign a license to a Windows 365 user. The license assignment is the start of the onboarding of the Cloud PC.
When you assign a license, Citrix starts to create the configuration that is needed to set up the connections to your Cloud PC. The first time you assign a license the following configurations will be created.
A new machine catalog will be created per region. If you deploy Cloud PCs in different regions you will see multiple machine catalogs. The machine catalog will have the following naming convention:
CTX-Windows365-<REGION>
The provisioning method for the machine catalog is manual, which means the machines will be installed as “Remote PC”. The machine type will be Single-session OS. The user will be assigned to this “Remote PC”. A default delivery group will be created with only a desktop assignment rule. Another critical one is the created Citrix Policy. Rendezvous V2 requires a couple of policy settings to be enabled, and these are also set automatically.
There will also be a new resource location added called: CTX-Windows365-westeurope, managed by Citrix. Because of Rendezvous v2, we don’t need any cloud connectors or such.
This resource location directly creates a corresponding zone in the Full Configuration Studio.
It also creates a new external connectivity tab, but no changes can be made. Everything is managed by Citrix.
Currently there is no support for Windows Hello for Business. So make sure you disable the automatic setup prompt.
VDA Installation / upgrade
After the license has been assigned to a user the VDA will be installed on the Cloud PC. We didn’t have the time to figure out how this VDA agent and the configuration are being placed on the Cloud PC. What we did see was a W365VDA folder being created on the root of the C:\ drive. This folder contains a zip file with the VDA, the prerequisites and the binaries for the configuration of the agent. The installation is completely silent, and when completed the Cloud PC will reboot.
In the next few weeks we will dive deeper into this process and the magic behind the scenes. Stay tuned for more…
After the reboot you will see that the way you can connect within the Windows 365 portal has changed. You can only choose Open in Citrix, which redirects you to Citrix Workspace.
When the Citrix HDX Plus protocol is turned on, the Windows 365 remoting protocol is still enabled but inactive, meaning that you can no longer connect via the Remote Desktop client and the HTML5 browser. You can only connect using HDX unless your users are local administrators or the user is a member of the Direct Access Users group on the Cloud PC.
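Because those two groups decide who can still reach a Cloud PC without going through HDX, it is worth listing their members. The following is an added example, not from the post's authors or from Citrix; the function name `Get-RdpBypassAccount` and the allow-list entry are hypothetical.

```powershell
# Run in an elevated PowerShell session on the Cloud PC.
# Allow-list entries use the form printed in the Member column below.
# 'CONTOSO/w365-breakglass' is a constructed account name.
$ApprovedRdpAccounts = @('CONTOSO/w365-breakglass')

function Get-RdpBypassAccount {
    param([string[]] $Approved = @())

    # The built-in Administrators group is resolved by its well-known SID so
    # the lookup also works on localized Windows. 'Direct Access Users' is the
    # group named in the post.
    $groupNames = @((Get-LocalGroup -SID 'S-1-5-32-544').Name, 'Direct Access Users')

    foreach ($groupName in $groupNames) {
        if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
            Write-Verbose "Group '$groupName' is not present on this machine."
            continue
        }
        # ADSI is used instead of Get-LocalGroupMember, which can throw when a
        # group holds members it cannot resolve (orphaned or Azure AD SIDs).
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        foreach ($entry in $group.Invoke('Members')) {
            $path = $entry.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $entry, $null)
            $member = $path -replace '^WinNT://', ''
            [pscustomobject]@{
                Group    = $groupName
                Member   = $member          # may itself be a group
                Approved = $Approved -contains $member
            }
        }
    }
}

# Each unapproved row is an account that, per the rule above, is not limited to HDX.
Get-RdpBypassAccount -Approved $ApprovedRdpAccounts |
    Where-Object { -not $_.Approved } |
    Format-Table -AutoSize
```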
You will see the new Cloud PC within the Citrix Cloud DaaS portal. It has been added to the machine catalog and is ready to use. You can now use the workspace URL or the Workspace App to connect to your Cloud PC leveraging the HDX protocol!
Automatic update of VDA
Because Citrix connects to the control plane via the Virtual Delivery Agent (VDA), we also want it to stay on the most recent version. Citrix Cloud is able to update the VDA automatically so that we don’t need to. This setting is configured on the machine catalog, and by default it uses the LTSR variant. This feature is not enabled by default.
Eventually, if you are a local admin you can still open in the native Windows 365 client, if you are a member of the local Direct Access group.
If you detach the license from the user, the VDA will automatically be uninstalled. When the uninstall is complete, the machine will be rebooted.
VDA settings via Intune
In the latest video from Microsoft Mechanics with Scott Manchester and Jeremy Chapman they showed how to configure the Citrix VDA Settings via Intune. You don’t need to add ADMX templates and it would be super easy to search for settings. But this isn’t available yet. So, more on this to come.
Keep in mind that Citrix HDX Plus for Windows 365 is still in preview, which means not everything is working as it should. The first results from our trial are positive and in the next weeks we will test more options and configurations. There are a few things we noticed and we already provided some feedback to Citrix. We are really looking forward to testing this new integration more over the next few weeks.
This is just our opinion, and we didn’t check and try everything. We will update this post to reflect our findings during the next couple of weeks.
- Super easy to setup and integrate
- Currently there is no GPU support for Windows 365
- You can’t use groups for the license assignments
- During the preview you can only add 10 users per batch
- SSO Support for AAD is currently in progress
- When you try to break things like detaching your Windows 365 environment from Citrix it takes a while before everything is being deleted. We also noticed not all the resources within Citrix are being deleted.
- VDA configuration through Intune is not yet available
- We don’t know yet how the VDA installation is being performed. We can see some PowerShell magic but we need to test some more.
- No power options available within Citrix Studio (You can use the Intune device actions to perform a reboot)
- Restart, Restore, Rename, Troubleshoot options are missing from within the Citrix Workspace (Webinterface and app)
We hope you enjoyed reading this blog post about Windows 365 and Citrix HDX. If you have any feedback, comments or want to get in contact please feel free to reach out to us!
Enjoy the weekend!
Stefan Dingemanse and Tom de Jong
Citrix HDX Plus for Windows 365
Set up Citrix HDX Plus for Windows 365 Enterprise
Preview: Citrix HDX Plus for Windows
Adaptive transport | Citrix Virtual Apps and Desktops 7 2209