I spend a fair bit of time with Citrix MCS; it’s a wonderful provisioning solution that the industry has enjoyed for a long time.
Many environments have multiple MCS Catalogs. Each Catalog, when deployed using MCS, is tied to an image via the Provisioning Scheme construct. This is captured as the ProvisioningScheme.MasterImage.Name attribute when consuming the API. That image may be used across multiple different Catalogs.
For example, in the Nutanix world, our hosting connection is currently linked to a Nutanix Cluster via Prism Element, so when we have multiple Clusters, we have multiple Catalogs. Those Catalogs may all share the same image, which is replicated around the hosting layer to the different Clusters.
In the below image, you can see a rough mockup of how the ProvScheme is linked to a Catalog and a specific Hosting Connection. You can also see the indicative relationship between the image defined on the ProvScheme and the associated snapshot on the Nutanix Clusters. These are identified as the coloured objects A, B, and C.
Updating that image across the Catalogs can be a touch tedious to manage in Studio: it typically means navigating to each Catalog, selecting an update job, trawling the Hosting Connection for the updated snapshot, and then proceeding through the usual update wizard options.
Lucky for us, there are automation options to help make things nice and fast. Less clicks, more happiness.
I’m sharing a small script that I have written which leverages both the Citrix DaaS and the new Citrix Virtual Apps and Desktops REST API to handle Catalog updates with zero snapins and zero dependencies outside of PowerShell 7, a version of CVAD that supports the API (or DaaS), and appropriate credentials. For DaaS that means an API client created under Identity and Access Management in Citrix Cloud; whichever platform you use, scope those credentials to the least privilege the update needs and keep them out of the script itself.
The idea of this script is that you can define multiple Catalogs within a single Site boundary, and a single image name, and have all Catalogs updated programmatically. The script uses the Hosting Connection defined on the ProvScheme associated with the Catalog (for the nerds, that’s the ProvisioningScheme.ResourcePool.Hypervisor) to validate that the image you have supplied is reachable. If it is, then it will clap its hands with joy, and proceed to validate the next Catalog. Any Catalog that can’t reach the snapshot is skipped.
Once certain that all is well and happy, each Catalog’s ProvScheme is simply updated to reflect the new image. The update is pending for each machine until its next reboot, so you still need to plan a restart of the Catalog for the new image to take effect. Happy times.
What you are responsible for:
This script is currently scoped for only Nutanix hosting support; however, this is a pretty simple concept to expand on based on your environment and hosting construct. The script currently does a quick validation of the hypervisor against a supported list, then sets the MasterImagePath to the appropriate format, and processes an update. You can alter both the supported list and the path manipulation as you see fit. The rest is standard Citrix REST API work.
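As an added example (my own sketch, not the script the post links to), here is how that validate-then-update flow can be put together in PowerShell 7 against the cvad/manage REST API. The endpoint paths and field names are taken from the Citrix DaaS REST API reference as I understand it and should be treated as assumptions to verify against your DaaS tenant or CVAD version; the `.template` snapshot suffix, the `AcropolisFactory` plugin ID and the `XDHyp:\HostingUnits\...` path construction are the environment-specific placeholders the post says you will alter. The token is passed in rather than embedded, and nothing is changed until every Catalog has been checked.

```powershell
#Requires -Version 7.0
<#
  Added example, not the script from the post: validate, then update, the master image of several
  MCS Catalogs through the Citrix DaaS / CVAD REST API (the cvad/manage endpoints).
  Assumptions (not stated by the post): endpoint paths and field names follow the Citrix DaaS REST
  API reference; Nutanix snapshots are listed as '<name>.template'; 'AcropolisFactory' is the Nutanix
  plugin ID; -AuthorizationHeader is whatever your token exchange produced ('CwsAuth Bearer=<token>'
  for DaaS, 'Bearer <token>' for CVAD). Adjust the supported list and the path builder for your hosting.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $BaseUri,             # https://api.cloud.com/cvad/manage or https://<ddc>/cvad/manage
    [Parameter(Mandatory)] [string]   $CustomerId,          # Citrix Cloud customer ID, or 'CitrixOnPremises' for CVAD
    [Parameter(Mandatory)] [string]   $SiteId,              # goes into the Citrix-InstanceId header
    [Parameter(Mandatory)] [string]   $AuthorizationHeader, # read from a secret store at run time; never hardcode a token
    [Parameter(Mandatory)] [string[]] $CatalogNames,        # Catalogs in one Site that should all move to -ImageName
    [Parameter(Mandatory)] [string]   $ImageName,           # snapshot name expected to exist on every Catalog's Cluster
    [string[]] $SupportedPluginIds = @('AcropolisFactory')  # hosting types this script knows how to build a path for
)

$headers = @{
    'Authorization'     = $AuthorizationHeader
    'Citrix-CustomerId' = $CustomerId
    'Citrix-InstanceId' = $SiteId
    'Accept'            = 'application/json'
}

function Invoke-CvadApi {
    param([string]$Method, [string]$Path, [hashtable]$Body)
    $request = @{ Method = $Method; Uri = "$BaseUri/$Path"; Headers = $headers; ContentType = 'application/json' }
    if ($Body) { $request.Body = $Body | ConvertTo-Json -Depth 5 }
    Invoke-RestMethod @request
}

# The "path manipulation" the post mentions: one place to change when the hosting type changes.
function ConvertTo-MasterImagePath {
    param([string]$HostingUnitName, [string]$Image)
    "XDHyp:\HostingUnits\$HostingUnitName\$Image.template"   # Nutanix snapshot form (assumption)
}

# Phase 1: validate every Catalog before mutating any of them.
$plan = foreach ($name in $CatalogNames) {
    $catalog = Invoke-CvadApi -Method GET -Path "MachineCatalogs/$([uri]::EscapeDataString($name))"
    $scheme  = $catalog.ProvisioningScheme
    if (-not $scheme) { Write-Warning "$name`: not an MCS Catalog (no ProvisioningScheme), skipping"; continue }

    # Idempotency check: do not resubmit an update the Catalog already carries.
    if ([IO.Path]::GetFileNameWithoutExtension($scheme.MasterImage.Name) -eq $ImageName) {
        Write-Verbose "$name`: already on '$ImageName', skipping"; continue
    }

    $pool = $scheme.ResourcePool
    $hyp  = Invoke-CvadApi -Method GET -Path "hypervisors/$($pool.Hypervisor.Id)"
    if ($hyp.PluginId -notin $SupportedPluginIds) {
        Write-Warning "$name`: hosting '$($hyp.Name)' (plugin '$($hyp.PluginId)') is not in the supported list, skipping"
        continue
    }

    # Reachability: list the resource pool and look for the snapshot by name rather than trusting the caller.
    $listing  = Invoke-CvadApi -Method GET -Path "hypervisors/$($hyp.Id)/resourcePools/$($pool.Id)/resources"
    $items    = if ($null -ne $listing.Items) { $listing.Items } else { @($listing) }
    $snapshot = $items | Where-Object { $_.Name -eq "$ImageName.template" } | Select-Object -First 1
    if (-not $snapshot) {
        Write-Warning "$name`: snapshot '$ImageName' is not reachable through '$($hyp.Name)', skipping"
        continue
    }

    [pscustomobject]@{
        Catalog      = $name
        CurrentImage = $scheme.MasterImage.Name
        NewImagePath = ConvertTo-MasterImagePath -HostingUnitName $pool.Name -Image $ImageName
    }
}

if (-not $plan) { Write-Warning 'No Catalog passed validation; nothing updated.'; return }
$plan | Format-Table -AutoSize | Out-String | Write-Verbose

# Phase 2: apply only to Catalogs that passed. -WhatIf prints the plan without calling the update endpoint.
foreach ($item in $plan) {
    if ($PSCmdlet.ShouldProcess($item.Catalog, "replace master image '$($item.CurrentImage)' with '$($item.NewImagePath)'")) {
        # No RebootOptions in the body: the new image is picked up on each machine's next restart, as in the post.
        $null = Invoke-CvadApi -Method POST `
            -Path "MachineCatalogs/$([uri]::EscapeDataString($item.Catalog))/`$UpdateProvisioningScheme" `
            -Body @{ MasterImagePath = $item.NewImagePath }
        Write-Host "$($item.Catalog): update submitted, pending next reboot"
    }
}
```

Run it with `-WhatIf -Verbose` first: the validation pass still issues the read-only GET calls, so it doubles as a check that the token, customer ID and Citrix-InstanceId are right before anything is written, and the printed plan shows exactly which Catalogs would be touched and which were skipped, and why.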
This is a basic utility, but I have been very much enjoying breaking away from Citrix legacy snapins and being able to process common tasks via the REST API. This opens up the platforms that you can execute your code from. Farewell, asnp Citrix*
You can download the script from here. It’s also added to the script index here.
Customers across the globe have enjoyed Citrix workloads running on VMware ESXi with Nutanix Cloud Infrastructure for many years.
In some scenarios, the choice to use ESXi was made because it was known and was a logical decision. For others, AHV may not have had the relevant feature set required at the time.
Nutanix AHV is an enterprise-grade, proven hypervisor that supports Citrix deployments all over the world at a significant scale. All Nutanix customers are entitled to it.
Regardless of the original reason for choosing ESXi, given the current state of the industry, it’s likely time to visit whether you need to pay for an additional hypervisor for your Citrix workloads.
Additionally, moving to AHV unlocks the simplicity and power of Nutanix Cloud Clusters (NC2) allowing a single hypervisor to be deployed across multiple data centers, and private or public cloud providers such as Azure and AWS. This is a compelling story for Citrix workloads.
Switching your Citrix environment from ESXi to AHV may seem like a significant task, however, the recent guide published by the solutions engineering team has you covered.
We provide guidance on migrating:
We also provide best practices collateral for deploying your Citrix solutions on Nutanix with a focus on AHV:
This post is an attempt to help current Citrix customers who are feeling the pinch of changes occurring within both Citrix under Cloud Software Group (CSG) and the EUC industry in general. The aim is to help them understand what they have at their fingertips in a Citrix technology stack whilst assessing their next steps.
CSG has made significant changes to the way they sell Citrix, both in the pricing model and at what scale/size they will play, along with how the partner network comes into play. Not all of these are wonderful changes, nor are they the only ones doing this.
Changes in the pricing model, and reducing the customer footprint/focus size, are not for a second impacting the core product. The day-to-day technology that Citrix brings to the table has never been in a better place. The roadmap is strong, and the core product set is cranking. The engagement from Citrix within those accounts that are in their current target scope is elevated. This doesn’t help those who feel slighted and don’t make the list. I get it, but it is an important factor to be thinking about amidst chaos.
Some customers are, rightly so, considering their options. Some feel slighted and have already made the call to eject; others are looking at where they could go and what else is out there. The challenge is that the options are limited for those with mature delivery estates. What can muddy the water even more is that many partners are feeling the pinch, and as such may be pitching alternate solutions and strategies.
There are of course options in the market. Some of those solutions are great and will offer what is needed, but the grass isn’t always as green as it may seem on the other side, despite the marketing hype. Customers may well be paying more than they initially planned both in transitional costs, operational costs, management tooling (particularly at scale), and for public cloud-based solutions, the seemingly constant price hikes in that space. Some of course, particularly if angry, may not care (for now).
Whatever the path, I sincerely hope that customers consider delivery solutions that do not lock them into one cloud platform or end up in a position where they are told what platform they must run in their data centers. I also hope that the entire picture is assessed inclusive of how those suggesting certain solutions are compensated.
Sometimes it helps to take a step back and assess what you have available to you, what you are consuming, what you maybe are not consuming and could be, and what you stand to lose with a change. Shelfware is an expensive issue.
A delivery solution requires thinking about more than simply brokering a workload. Security, applications, industry, graphics, workload placement, connectivity challenges, and many other factors come into play.
Below is an outline of what I see customers using (or maybe not using when they could be), along with some considerations and info to help find the value in the existing investment. Maybe it helps, maybe it doesn’t, but there doesn’t seem to be a single place out there that has a nice overview of the portfolio customers may be entitled to.
I have kept my tone relatively neutral, except where I believe false marketing or half information is provided against an existing solution. For that, I am completely unapologetic.
With both Citrix DaaS and Citrix VAD, customers can choose wherever they want to deploy workloads. This can be Microsoft Azure, Amazon Web Services, Google Cloud Platform, IBM, Alibaba, vSphere, Nutanix including NC2, Hyper-V, XenServer and pretty much anything you can power on, including physical desktops and servers.
To delve into this a touch more, alternate solutions that might seem appealing, could well be locking you into not just their cloud platform, but also dictating what you can run in your datacentres. Additionally, if you decide to make the leap and deploy supported on-premises infrastructure solutions, you are going to incur charges for the service, which is expected, but should be considered.
Citrix Image Portability Service (IPS) provides Citrix administrators with a simple workflow to manage workloads between on-premises and public cloud platforms. Amongst other scenarios, its goal is to support:
Citrix DaaS and CVAD are platform agnostic, allowing you to run whatever workload you like, on whatever platform you like (within appropriate licensing constraints). You have the freedom to move as and when it makes sense. Citrix Image Portability Service is the mechanism to support a single image operating in multiple different cloud environments. This is one of the most important factors. Customers should be allowed to consume what makes sense and when, not be locked in because of their brokering provider choice.
Citrix supports Windows Client, Windows 10/11 Client Multi-Session, and Windows Server Operating systems, alongside a long list of Linux distributions. If you are a Linux customer needing to deliver virtual desktops, then your range of alternatives slims down a little.
Customers often invest heavily in extremely powerful desktop workstations to address developer or designer workload demands. These can present a challenge when a user removes themselves from the physical location hosting the desktop.
With Citrix Remote PC Access for DaaS or CVAD, customers can deploy the Citrix Virtual Delivery Agent onto these endpoints and have them report to their existing delivery solution. Consumers can then access those workloads over the HDX protocol, with all the security and management features expected for virtual workloads.
This is often missed in customer deployments but is technology available out of the box. It is one of the most under-utilized components of a Citrix solution.
Citrix supports Windows and Linux workloads. Citrix Remote PC Access provides secure connectivity to physical endpoints integrated with the full management stack of Citrix.
MCS and PVS are two extraordinarily powerful technologies that any CVAD or DaaS environment at scale will have taken as a given.
The whole idea of VDI and DaaS is to achieve simplicity, security, and consistency. For non-persistent scenarios, MCS and PVS are the two baseline technologies that provide this globally for organizations.
Moving back to solutions that offer only persistent VMs natively brings back all the challenges of managing RDS farms. Sure, there are tools like Intune, etc. to manage them, but it’s not at all similar to what can be delivered with modern approaches, and very much falls back to a legacy methodology.
Maybe this doesn’t matter to smaller deployments, but it sure will for those that are focused on security, management, scale updates, consistent images, and rapid change response scenarios.
Want to see just how powerful and advanced MCS is in Azure? You can track the progress here.
Citrix MCS and PVS are the crown jewels of provisioning, addressing scale challenges, security, and image management. Some of the commonly suggested alternatives take you back to the days of RDS unless you bring in 3rd party tooling to try and make things more like Citrix. You should consider how alternate solutions handle this process, and if third-party tooling is required, which will impact your TCO of the solution.
Citrix Workspace in Citrix DaaS is the single landing page for all users, regardless of where they are coming from and where their workload lives. It is a customizable workspace that can be branded and provides notifications, disclaimers (sign-in policies), and associated user experience controls. For CVAD deployments, this is provided by StoreFront. The gap between these two solutions is changing under the new Citrix mantra of hybrid. This means that both solutions, either Workspace or StoreFront, should ultimately offer the same technical capability moving forward.
Users can choose to access resources (or administrators can control it) via either an HTML 5 site or a native client.
Citrix Workspace can also be integrated with on-premises CVAD sites to provide a central aggregation point and additional security services such as Remote Browser Isolation and Secure Private Access.
Service Continuity is a feature of the workspace that allows access during offline or cloud outage conditions to DaaS service resources through Workspace app.
From an access standpoint (how users get into the environment), Citrix leverages two Gateway functionalities depending on the deployment and requirement:
Citrix has intelligent services and capabilities to ensure that workloads are connected in the most optimal fashion. Solutions like Rendezvous Protocol ensure the most optimal path to the virtual desktop or application for users that operate externally, whereas features like Direct Workload Connection or HDX Direct allow endpoints with a direct line of sight to connect directly to that workload, bypassing a Gateway altogether.
Access doesn’t just mean how to get to a workload, it means addressing security considerations before allowing access to occur. This is often handled at the authentication layer but also expands out to endpoint awareness and device posture.
Citrix has several solutions. For DaaS customers, there is the new Device Posture Service, which is similar to the Advanced Endpoint Analysis feature delivered by a traditional NetScaler; NetScaler still serves both DaaS and CVAD customers depending on their architecture. Additionally, Adaptive Access from Citrix offers a range of controls and advanced capabilities, including network location-based resource enumeration.
Conversely, if you want to get really down and dirty with contextual security and access across both Citrix and other technologies, then DeviceTRUST is out-of-control awesome in this space, allowing far more flexibility than any provider has natively. This is pure gold in a security-conscious deployment.
Citrix solutions offer many different authentication capabilities and approaches. From standard everyday SAML integration with the likes of Okta, Azure Active Directory, Google, etc., out to Adaptive Authentication for selective authentication requirements with DaaS. Choose your identity model and requirement, and there is a good chance Citrix supports it. Federated Authentication Service (FAS) is used to issue certificates based on SAML requests. This allows for SSO to resources.
Citrix solutions provide multiple access methods and connectivity options. Additionally, Citrix provides adaptive and flexible authentication options for advanced use cases. NetScaler capability can be a massive differentiator in some environments where control and visibility are non-negotiable.
ICA and HDX. Two acronyms that the industry has always associated with End User Computing. HDX/ICA is easily the benchmark of protocols and always has been. This protocol is the core of resource delivery for Citrix resources and provides a dynamic, adaptive, secure, and performant protocol with exceptional user experience.
This focal point might not be all that important for some, but many verticals rely on HDX heavily to provide responsive and rich experiences across a broad range of challenging environments.
The protocol is always enhanced, offering huge strides in performance capability. Some examples of recent enhancements:
The Citrix HDX protocol is the meat and beans of Citrix Delivery. It is the industry benchmark for protocol performance and security. Several of the alternative solutions use RDP. Does the job, and has some enhancements over the years, but it is no HDX. Does this matter? You be the judge.
Customers using Citrix Delivery technology will rely on Director, Monitor, and Analytics to support the environment. These tools not only provide visibility into the environment but also provide a delegated control plane for managing sessions and user issues.
This is typically the first, and last touchpoint for administrators and support staff that provides an absolute wealth of capability and control.
Analytics is an additional product assisting with trending, visibility, and analysis into the full connection stack including infrastructure monitoring.
When looking at an alternative solution, it’s important to be thinking about the operational changes. Does your next solution have anything close to these tools? Some do have capabilities for sure, but not all are built equally. Some are even going to land you extra costs, so it’s worth investigating and factoring that in.
Desktop and Application Probing is an inbuilt functionality within Citrix solutions to proactively test access to published resources, and alert on failure. The data is rolled up and presented with Director/Monitor for historical reporting and trending. The idea here is that administrators are aware of problems before users are.
Citrix Monitor/Director is the first touchpoint for managing a Citrix Delivery environment, providing a wealth of visibility and control that other solutions don’t come close to. Citrix Desktop and Application probing is designed to proactively test an environment with the goal of alerting administrators before users experience a service outage. Do the alternatives come even close to this? Does it matter? A factor to consider either way.
Citrix DaaS in particular has some great wins for Cloud environments when looking with a cost-reduction lens. With a focus on Azure, DaaS offers:
Citrix Autoscale aims to balance costs and user experience by proactively power-managing machines. The capability includes:
Autoscale from Citrix is one of the most efficient ways of managing costs. Combined with Machine Creation Services’ cost-saving capabilities, the reduction in cloud computing costs can be significant.
Alternative solutions with workloads running purely on the public cloud will talk to reserved instances (longer commit) and/or reduced rates depending on how aggressive the pitch is, but they typically have minimal technology within the service to help. More often than not, customers are paying for 3rd party tooling to help manage costs. Some solutions that offer hybrid deployment options have some good capabilities.
Citrix Autoscale is an extremely powerful solution to assist with cost management and user experience. Citrix MCS also aims to significantly decrease run costs.
Citrix Workspace Environment Management is a powerful user environment management tool. Its job is to optimize and enhance the user experience, as well as provide a fine-grained control system to build out the user environment based on any number of filters and conditions. It also has a huge security focus with privilege elevation engines along with AppLocker integration etc.
WEM is not just a static point-in-time solution either, it is actively developed with features and enhancements released quarterly. You can track the progress of the Citrix Workspace Environment Management Solution here and the Service Offering here
The equivalent when you leave? Mostly Group Policy Preferences, some Intune capability (limited), and the good old days of whatever customers did on physical desktops before modern capability was introduced. Some providers offer some UEM controls, but it could be a significant shift.
Citrix policies control user access and session behaviour. Citrix policies are an efficient method of controlling connection, security, and bandwidth settings. You can create policies for specific groups of users, devices, or connection types.
Citrix Policies are not the same as Microsoft Group Policies. They work in conjunction to secure and control an environment, however, Citrix Policies control almost every aspect of the connection and session. These policies directly control the behaviour of HDX etc.
Citrix Workspace Environment Management is an out-of-the-box technology set designed to enhance, control, and secure user environment management. Citrix Policy engine allows fine-grained tuning.
Citrix provides its profile management solution in the form of the Citrix Profile Management product. CPM has been the benchmark of profile solution technologies for a long time and has never stopped innovation and development. It offers both file and container-based solutions.
For customers with advanced user-driven application installations, Citrix offers User Personalisation Layers which operate alongside CPM.
Citrix Profile Management even includes an equivalent engine to FSLogix AppMasking capability in the form of App Access Control allowing for even more control of the user environment.
Sadly, for the EUC world, Microsoft has let FSLogix deteriorate over time, in both stability and feature development. It is still a solid technology but has fallen out of favour with the lack of features, constant string of bugs, and horrific support. I wrote previously about some considerations of both CPM and FSLogix and then updated with some newer thoughts here.
You can track the progress of the Citrix Profile Management Solution here
Citrix Profile Management offers flexibility and enhanced profile-based capability, both file and container depending on the scenario requirements. It is rare that any other provider has their own profile tooling (some do) and most fall back on FSLogix. Does this make sense for you?
For regulated and sensitive environments, Citrix Session Recording offers an integrated solution to record, monitor, and review user sessions. Session Recording captures and archives screen updates, including mouse activity and visible output of keystrokes to provide a record of activity for specific users, applications, and servers.
Additional capabilities exist for enhanced security, alternate solutions may have an offering so whilst this isn’t a differentiator, it’s still important to note.
Some alternate solutions offer similar capabilities in one form or another.
Citrix Session Recording is a highly advanced security and auditing toolset that is heavily used in regulated and sensitive environments. Citrix provides anti-screen capture and watermarking and an option for anti-keylogging. Are you using these now? Should you be using these now?
With both CVAD and DaaS, desktop and application delivery can be easily architected for efficient disaster recovery. DaaS supports all the platforms listed above and provides tooling to ensure seamless failover to different environments based on different conditions.
CVAD is catching up to DaaS with the new direction of Citrix, and whilst there are more components to think about with CVAD, DR is still a simple achievable goal across multiple platforms.
Citrix supports a robust disaster recovery solution that can span multiple clouds and platforms. Are you taking advantage of these features today? What do the alternatives offer, does it suit your organisation?
Citrix has a solution called App Layering. Love it or hate it, App Layering is a technology set that allows applications to be installed into a “layer”. Layers are combined to create an image (which can be deployed by either PVS or MCS) allowing customers to update and manage application sets outside of the underlying Operating System.
Citrix solutions also support a range of application delivery capabilities, including some that are in lockstep with Microsoft, such as App-V and MSIX including App-Attach.
Whilst Microsoft has made it clear that MSIX is the future of their packaging and app virtualization capability, the success rate is not amazing with customers still utilizing App-V heavily.
Citrix out-of-the-box integrates and drives the delivery of those packages. For customers who are happy with MSIX including App-Attach, Citrix supports the integration and delivery of these packages also.
Again, conversely, for any platform handling either of these package types, it would be completely remiss of me to not include a reference to the sensational work Bram Wolfs has done in building out the AppVentix solution which trumps both Microsoft and Citrix delivery methods.
Citrix has App Layering and management of both MSIX & App-V solutions. How are you going to deliver the same packages if you are looking at something else? How much fun have you had with MSIX to date?
Printing in any remoting solution is a pain and always has been. Citrix offers the Universal Print Server solution to take away some of the driver challenges at scale.
Let’s be fair, regardless of the tech you choose, at scale, most customers use a third-party management solution to take away the headache of printer management.
Citrix provides the Universal Print Server. Printing sucks without 3rd party tooling.
IT Service Management (ITSM) Adapter is a Citrix Cloud service that lets customers extend ServiceNow capabilities into Citrix DaaS environments. With the service, IT teams and end users can deliver and manage Citrix virtual apps and desktops using ITSM workflows in ServiceNow.
Citrix provides integration into ServiceNow via ITSM
Based on what we have discussed above, let’s summarize in a table. Instead of doing a direct comparison with any one solution, I am going to leave this table as a placeholder for you to think about:
Feature | Citrix | Alternative |
---|---|---|
Platform | Nutanix, Azure, AWS, GCP, IBM, Alibaba, vSphere, Hyper-V, XenServer, Private Cloud (provider supplied) | ❓ |
Authentication | Any IDP supporting SAML. Citrix FAS for SSO | ❓ |
Access | Citrix Gateway Service (DaaS) NetScaler Gateway (DaaS and CVAD) Direct Workload Connection (DaaS) Rendezvous (DaaS) | ❓ |
Provisioning | Machine Creation Services & Provisioning Services | ❓ |
Remote PC | Remote PC Access | ❓ |
User Environment Management | Citrix Workspace Environment Management & GPO | ❓ |
Profile Management | Citrix Profile Management (Containers and File based) on any SMB solution | ❓ |
Application Delivery | Citrix App Layering, MSIX Delivery including App-Attach integration & App-V Delivery | ❓ |
Session Recording | Citrix Session Recording | ❓ |
Monitoring, Helpdesk and Analytics | Citrix Monitor (DaaS), Citrix Director (CVAD), Citrix Analytics is additional 💰 | ❓ |
Autoscale | Full-fledged solution within CVAD and DaaS | ❓ |
Proactive Session Testing | Citrix App and Desktop probing | ❓ |
Protocol | ICA/HDX | ❓ |
Policy Control for protocol and session handling | Citrix Policy to control the connection. Security, Network, Client, offload capability etc | ❓ |
OS Support | Windows Server, Windows Client, Windows Client Multi-Session, Linux | ❓ |
User Resource Access | Citrix Workspace or Citrix StoreFront, HTML 5 or Client based, highly customisable with inbuilt continuity | ❓ |
Printing | Citrix Universal Print Server | ❓ |
Images | Image Portability Service | ❓ |
Cloud Cost Management | Autoscale (including Predictive Scaling), On-Demand Provisioning, Disk Tiering changes, Ephemeral Disks, VDI reclamation service | ❓ |
Disaster Recovery | With DaaS, any platform, any provider, cloud-managed. With CVAD, multi-site architectures provide DR | ❓ |
Enhanced Security Features | Watermarking, anti-screen capture, anti-key Logging | ❓ |
Here is the one product I am going to touch on with specifics. This isn’t a negative shot, it’s an awareness piece and tells a story of how things are often a touch more than they seem on the surface.
AVD is often considered free. If customers have an entitlement to use the Service, then the brokering and Gateway capability is not charged whilst you are in Azure natively (different story for Azure Stack HCI). The following costs exist when using the native AVD solution:
It is unlikely that customers can manage AVD appropriately at any form of scale natively, so additional tooling starts to be required, for example:
The following soft costs are harder to quantify, but are also often not considered:
Are you thinking about these components when looking at a cost comparison between solutions? Are there more? This is just my list. What else is there?
My goal in this post is just to bring some focus onto what customers may or may not have in place currently and get them thinking about whether or not there are options to find additional value in their current investments.
Let me leave you with some personal thoughts for what it’s worth.
Many environments are well suited to some of the solutions that aren’t Citrix. But try and see through the marketing hype that seeks to understate the capability and value that Citrix can (and does) deliver to an organization.
Am I going to change minds, and does it even matter? That’s not the point of this post. CSG has a clear path for Citrix, and many customers are not in a position to even afford the technology anymore. That is a shame, and it is frustrating for some, but it doesn’t change the fact that Citrix is the pinnacle of innovation and capability when it comes to modern application and desktop delivery.
You want to be sure you are not losing out if you are deciding to egress. The costs are likely still floating around, they are just sneaking up on you in different places.
A few years back, I put together my thoughts on Citrix Profile Management (CPM) and FSLogix Profiles and where they make sense. That post is over two years old now, and the world has moved on significantly. I have updated the old post with some commentary around the changes, but felt it was nice to keep this historical data.
This post is designed as a brief point in time thought provoker on where I see the same two technology sets and their current state of play.
Again, as per last time, this article is Citrix focused. If you don’t have access to CPM technology, then as you were, soldier.
FSLogix came to the table with a bang. Office Containers, Profile Containers and AppMasking. All capabilities that were ground-breaking and changed how we could deliver solutions in the EUC space. The Office Container was a huge enabler for customers moving to M365, whereas in reality, a Profile Container wasn’t a new concept, FSLogix just did a fantastic job at executing on it, vs Microsoft’s own User Profile Disk in RDSH.
FSLogix was led by some very cool and massively switched on humans. The company was cool, the technology was great, the trajectory was huge, and the people were fun. Good times ahead. Until they were acquired by Microsoft.
At first things seemed great. FSLogix for everyone effectively. What could go wrong? Read the historical rants I have on exactly what could, and did go wrong with this model. A default lean towards Containers for everything, outages everywhere due to the wrong solutions being implemented in the wrong context, laziness aplenty and a lack of understanding on what was actually being introduced and more importantly, why it was being introduced.
At the same time as this was going on, Citrix Profile Management was somewhat forgotten about and pushed to the side for many organisations and consultants. A sad reality given its history, but also somewhat understandable given how much you did not have to do with FSLogix Containers. Luckily for us, Citrix never appeared to be worried, and kept building, building, building.
“The age of file based profiles was dead.” Was it? “Citrix CPM is dead, everyone is going to FSLogix.” Hrm, was it? “FSLogix is free.” Within reason, sure. But there was always a cost somewhere else.
Without this being a history lesson, two key things happened, or more accurately, continued to happen over the last few years.
For where we stand now, I struggle to find a reason for any Citrix customer to not use CPM capability, be it Container or Files, in their deployments. Outside of the effort to change, I don’t think (and am happy to be wrong) that FSLogix Containers offer anything that Citrix technology does not.
It is absolutely no surprise that we have reached a pivot point where the conversations are now CPM-led again. Just look at the progression of the solution on a quarterly release cadence.
Whilst Citrix have done a great job at building their capability, they have not done a great job of advertising what they have built. Below is a quick high-level mapping of the cool stuff between technologies where I think it’s relevant:
Capability | FSLogix | CPM |
---|---|---|
Profile Disk Modes | Direct, Try for read write, fallback to RO, RW and RO Profile Modes | RW by default. Exclusive Access if enabled ✅ |
Multi Location Resiliency | Cloud Cache | Replicate User Stores and Local Caching for Containers ✅ |
Office Data | ODFC Container | OneDrive Container, Outlook Search Experience ✅ |
UWP | InstallAppXPackages | UWP App Roaming ✅ |
Space Reclamation | VHD Compaction | Compaction ✅ |
Multi Access | Mode 3 Profile Disks with limitations ❌ | Multi Session write-back ✅ |
Selective Containerization | Nil ❌ | Large File Handling ✅ |
Async GPO Processing | Reverted ❌ | Async Processing ✅ |
Auto Expansion | Dynamic Disks | VHD auto-expansion ✅ |
As you can see, by my math, there is nothing that FSLogix does that CPM does not, outside of specific Read Only profile disk scenarios.
Note that this is purely related to Container technologies. There is a whole lot more that they bring to the table when you look at file based as well.
A few handy references hidden away in the Citrix documentation
This write-up is not about down talking FSLogix, but more about raising awareness around the current state of capabilities with CPM, and why it might make more sense. There are so many conversations that we regularly have where people have absolutely no awareness of how fast things are moving in the CPM world, and we still hear misinformation being spread based on concepts from years ago which are simply not true.
Are you going to be in trouble or have a bad experience if you use FSLogix? Absolutely not. It’s a great tool. But if staying supported, having significant innovation and development along with ongoing enhancements is important to you, then CPM is going to look a lot more appealing.
Migration seems to be the theme of my scripting over the last few months; the world of persistent VDI workloads is an extensive one.
Incidentally, the title image of the post is a bunch of camels walking across a desert. Far stretch to associate a camel with a VM migration - but I guess you kinda could? Anyhoo, I amuse myself 😂 onwards to relevance.
Years back I put together some very basic scripts that allowed the migration of Persistent VDI workloads from an on-premises CVAD deployment to Citrix Cloud DaaS. These scripts did their job but had some glaring holes in them (which happens when you write them onsite…) so I figured I would clean them up. Which of course, meant re-writing, error handling, adapting for changes in the Citrix landscape and crosschecking a few more bits and bobs.
Pipe down and get to the point? Fair play. Two new scripts below:
The script is designed to move dedicated single-session machines from one CVAD site to another whilst retaining full power management. It does the following:
This script uses 100% Citrix PowerShell snapins. As such, you are stuck at PowerShell 5.1. You will need to execute on a machine where you have appropriate connectivity and access to both sites.
If using the MCS migration options, read the fine print in the readme and the note below.
You can find the script in the usual github repo MigrateDedicatedMachines.ps1. Also linked to in the Script Index section of my site.
Similar to the above script, this one is designed to move dedicated single-session machines from one CVAD site to Citrix Cloud DaaS whilst retaining full power management. It does the following:
This script uses a combination of Citrix PowerShell snapins for the CVAD components and Citrix Cloud APIs for the DaaS components. As such, you are stuck at PowerShell 5.1. You will need to execute on a machine where you have appropriate connectivity to the source CVAD Site and internet access to the Citrix Cloud environment. Authentication is best handled by DaaS using a Secure Client File.
If using the MCS migration options, read the fine print in the readme and the note below.
You can find the script in the usual github repo MigrateDedicatedMachinesDaaS.ps1. Also linked to in the Script Index section of my site.
Previously I have typically written specific exclusions for MCS provisioned workloads, but with these scripts, I am including the ability to include MCS full cloned workloads as source machine candidates, and include the ability to clean up the source MCS catalogs once the machine has migrated successfully. This is an optional component that you need to enable via the appropriate parameters.
If you are using a newer version of the Citrix PowerShell Snapins than your site is currently running, the `-ForgetVM` switch may not operate as documented, and the VM entity will be removed/deleted (yes deleted) from the hypervisor ☠️.
This has been validated as a bug in scenarios such as Site Version: 2203 LTSR and Studio/PowerShell Version 2305 on a remote server. It is wise to keep operational components at a similar version.
Test before executing against production workloads (scope with a `MachineList`-specific command set).
These scripts are 100% Citrix component only focused. You will need to think about VDA registration and switching OU locations etc to get policies. All very easy with AD PowerShell modules.
These scripts have been tested with as many different platforms as I can get my hands on, but I don’t have access to them all. Always use the `-whatif` switch to identify what the script will do prior to executing. And test first.
Anything you want to fix - feel free to submit a pull request, or shoot me the detail. In particular, Hyper-V is a dark spot.
Cool story, but you know Citrix has the automated configuration tool right?
Indeed. But this is way more granular and gives you some funky features that ACT does not. ACT is also limited to DaaS and CVAD current releases with the orchestration APIs in preview.
Why not just use the Remote PowerShell SDK for DaaS and save yourself the heartache of API mapping
That would be boring, and combining the Remote PS SDK with the On-prem one is a nightmare. API for DaaS it is.
Did anyone actually ask you these questions?
Absolutely not.
It’s 2023 and yet we are still seeing (regularly) consultants and customers implementing AppData folder redirection into modern EUC deployments. The most common justification: “We did it on legacy OS, why not do it on the new one.” 🤯
Firstly, let’s address that. AppData redirection on legacy OS was bad behaviour. The reason it didn’t impact as badly as it does now, is that modern applications tend to write more data into AppData, and those modern applications aren’t typically deployed on legacy Operating Systems.
In this day and age, AppData redirection is significantly frowned upon and is a key component of badly performing environments. Imagine the impact on file servers when you have services like Microsoft Teams, Slack, Office Temp files, Application logs, etc. all pounding a File Server? Nothing good comes from this.
What’s even more mind-boggling, is when customers implement container technology for their profile solution and then redirect AppData out of it and onto a file share. Madness.
AppData redirection was brought in as an option to centralise data when multiple machines/sessions may have been used. The reality is, that the use case has well and truly dwindled off over time, and better methodologies have been introduced to handle the scenario where data is required across multiple sessions.
AppData is a pretty dirty dumping ground these days. With file-based profile solutions, you need to tune them to remove the crud and reduce the amount of useless rubbish roaming around (which will impact logon and logoff times). With container technologies, most customers are trying to exclude or redirect the data out of the container so it’s not retained.
Folder Redirection as a whole is not a new talking point. Aaron Parker, Helge Klein and Shawn Bass had a presentation on this back in 2015. That is almost 10 years ago. Aaron has documented the series here for anyone who is interested.
There are some use cases that make sense for Folder Redirection, be it to a network location or to something like OneDrive. These are primarily the user’s Desktop, for consistency and because it’s often the first thing they see, and Documents, as it tends to be the default save location for most things and is commonly used by users.
Pretty much everything else is a waste of time.
Here is a list of what can be redirected, vs. what should be considered for redirection:
Component | Yes/No | Detail |
---|---|---|
AppData/Roaming | ❌ | It’s 2023. Stop it |
Contacts | ❌ | Has anyone used this in the history of Windows? |
Desktop | 🤔 | Good option for consistency |
Documents | 🤔 | Good option for consistency |
Downloads | ❌ | Not sure why this data should be retained in any environment |
Favorites | ❌ | It’s 2023. Stop using IE |
Links | ❌ | This is from the days before man. No need for this. |
Music | ❌ | Are you really storing users music files? |
Pictures | 🤔 | Are you really storing users picture files? |
Saved Games | ❌ | I don’t even need to address this |
Searches | ❌ | Don’t do this |
Start Menu | ❌ | Definitely do not do this unless you enjoy pain |
Videos | ❌ | Are you really storing users video files? |
As outlined by James Rankin, use of Group Policy to push Folder Redirection Policies can force your GPO processing into Synchronous Mode, which impacts logon times. So even if you reverse the settings via GPO, you are still going to be hitting this challenge (see script below). If you are a Citrix customer and still need something like Desktop or Documents redirected, then Citrix Policy does not use a CSE and as such does not impact GPO processing, nor do Citrix WEM configurations. Food for thought.
Please stop implementing legacy methodology into modern deployments. It hurts the user experience, it impacts file servers and other services relying on them, it can hurt the application performance, and it is dead logic.
If you want to revert folder redirection without having to use the “revert back to local” policy settings, you can use a small script I have here to help right the wrongs.
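For readers who want to see what such a revert involves, here is an added example of the same idea. It is not the author’s script: it reads the raw `User Shell Folders` values for the current user, reports any folder whose resolved path is outside the local profile, and (with `-WhatIf` off) points it back at the standard local location, optionally copying the data back first. The registry value names, known-folder GUIDs and default paths are the standard Windows ones; the `-CopyData` behaviour and the decision to leave the share copy in place are this example’s own choices.

```powershell
# Added example, not the author's script: detect folder redirection for the
# current user and point the folders back at the local profile. Run as the user
# whose profile you are repairing. Registry names and default paths are the
# standard Windows ones; -CopyData behaviour is this example's own choice.
#Requires -Version 5.1
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$CopyData   # copy each redirected folder's contents back locally before re-pointing
)

$usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$sf  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

# Registry value name -> default location relative to the profile root.
# Known-folder GUIDs are used for the folders that have no plain-text value name.
$defaults = @{
    'AppData'                                = 'AppData\Roaming'
    'Desktop'                                = 'Desktop'
    'Personal'                               = 'Documents'
    'Favorites'                              = 'Favorites'
    'My Music'                               = 'Music'
    'My Pictures'                            = 'Pictures'
    'My Video'                               = 'Videos'
    'Start Menu'                             = 'AppData\Roaming\Microsoft\Windows\Start Menu'
    '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
    '{56784854-C6CB-462B-8169-88E350ACB882}' = 'Contacts'
    '{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}' = 'Links'
    '{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}' = 'Searches'
    '{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}' = 'Saved Games'
}

$key = Get-Item -LiteralPath $usf
foreach ($name in $defaults.Keys) {
    # Read the raw REG_EXPAND_SZ so we see %USERPROFILE% rather than its expansion
    $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { continue }

    $current = [Environment]::ExpandEnvironmentVariables($raw)
    $local   = Join-Path $env:USERPROFILE $defaults[$name]
    # A folder counts as redirected when its resolved path is not the local default
    if ($current.TrimEnd('\') -ieq $local.TrimEnd('\')) { continue }

    Write-Host ("{0,-40} {1}  ->  {2}" -f $name, $current, $local)
    if (-not $PSCmdlet.ShouldProcess($name, "Redirect back to $local")) { continue }

    if ($CopyData -and (Test-Path -LiteralPath $current)) {
        # Non-destructive: the copy on the share is left in place for rollback
        New-Item -ItemType Directory -Path $local -Force | Out-Null
        Copy-Item -LiteralPath (Join-Path $current '*') -Destination $local -Recurse -Force
    }
    # Portable %USERPROFILE% form in User Shell Folders, expanded form in Shell
    # Folders, matching what Windows writes for a non-redirected profile
    Set-ItemProperty -LiteralPath $usf -Name $name -Value ('%USERPROFILE%\' + $defaults[$name]) -Type ExpandString
    Set-ItemProperty -LiteralPath $sf  -Name $name -Value $local -Type String
}
```

Run it with `-WhatIf` first to get the report only. Note that this fixes the profile, not the cause: if the Folder Redirection GPO (or an equivalent Citrix or WEM setting) is still linked, the folders will be redirected again at the next logon, so remove the policy first.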
Many Nutanix customers deploy persistent workloads on Nutanix infrastructure. These workloads may be Windows Client (Windows 10 or Windows 11) desktops, or they could be custom-built Windows Server (2019, 2022 etc) based Operating Systems.
Regardless of how a workload is built (note that we are not talking about MCS in this article), integrating it with a Power-Managed Catalog in Citrix allows administrators and support folk to manage the machine within both Citrix Web Studio and Citrix Director.
Currently, Citrix VAD & DaaS integration with the Nutanix platform is via Prism Element.
The integration for each workload is made up of two components:
- A Hosting Connection reference (`HypervisorConnectionUid`). This tells Citrix which Hosting Connection each workload is associated with, or in human speak: “Where the workload lives”.
- A Hosted Machine ID (`HostedMachineId`) that identifies the virtual machine at the hypervisor layer. In the Nutanix world, this unique identity matches the unique virtual machine `UUID` in the Nutanix AHV hypervisor.

There are scenarios where these records can become out of sync and a workload can be orphaned:
In either of these scenarios, without intervention, Citrix no longer understands where the workload resides and, in some scenarios such as a Protection Domain activation, how to identify the workload, as its `UUID` will have changed.
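To make the two fields concrete, here is an added example (not the Nutanix/Citrix scripts this post links to) that re-points a single Citrix machine record at the VM’s current `UUID` and Hosting Connection after the VM has moved cluster. It uses the Citrix Broker snapin on Windows PowerShell 5.1 and the Nutanix v2 REST API over basic auth; `Set-BrokerMachine -HostedMachineId -HypervisorConnectionUid` is the documented way to rewrite those two records. The Prism address, credential and machine names are placeholders you would fill in.

```powershell
# Added example, not the scripts the post links to: re-point a Citrix machine
# record at the VM's current UUID and Hosting Connection after a cluster move.
# Citrix Broker snapin (Windows PowerShell 5.1) + Nutanix v2 REST API (basic auth).
#Requires -Version 5.1
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-NutanixVmUuid {
    param(
        [Parameter(Mandatory)][string]$PrismElement,       # Prism Element IP or FQDN (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$VmName
    )
    # v2 API: GET /PrismGateway/services/rest/v2.0/vms/ lists VMs with name and uuid.
    # TLS is validated: import the Prism certificate rather than disabling checks.
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $auth  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $uri   = "https://${PrismElement}:9440/PrismGateway/services/rest/v2.0/vms/"
    $vms   = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Basic $auth" }
    $match = @($vms.entities | Where-Object { $_.name -eq $VmName })
    if ($match.Count -ne 1) { throw "Expected exactly one VM named '$VmName' on $PrismElement, found $($match.Count)" }
    return $match[0].uuid
}

function Sync-CitrixHostedMachine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MachineName,           # DOMAIN\VM01 as known to the Broker
        [Parameter(Mandatory)][string]$HostingConnectionName, # connection for the cluster the VM now lives on
        [Parameter(Mandatory)][string]$PrismElement,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $machine = Get-BrokerMachine -MachineName $MachineName -ErrorAction Stop
    $conn    = Get-BrokerHypervisorConnection -Name $HostingConnectionName -ErrorAction Stop
    # Look the VM up by its hypervisor name on the cluster it is expected to be on now
    $uuid    = Get-NutanixVmUuid -PrismElement $PrismElement -Credential $Credential -VmName $machine.HostedMachineName

    $idOk   = $machine.HostedMachineId -eq $uuid
    $connOk = $machine.HypervisorConnectionUid -eq $conn.Uid
    if ($idOk -and $connOk) { Write-Verbose "$MachineName already in sync"; return $machine }

    $change = "HostedMachineId $($machine.HostedMachineId) -> $uuid; HypervisorConnectionUid $($machine.HypervisorConnectionUid) -> $($conn.Uid)"
    if ($PSCmdlet.ShouldProcess($MachineName, $change)) {
        Set-BrokerMachine -MachineName $MachineName -HostedMachineId $uuid -HypervisorConnectionUid $conn.Uid
    }
    return Get-BrokerMachine -MachineName $MachineName
}

# Usage (dry run first; names are placeholders):
# $cred = Get-Credential -Message 'Prism Element'
# Sync-CitrixHostedMachine -MachineName 'LAB\VDI01' -HostingConnectionName 'NTNX-DR' -PrismElement 'prism-dr.lab.local' -Credential $cred -WhatIf
```

The lookup is deliberately done against the Prism Element behind the target Hosting Connection, and it refuses to guess if the VM name is not unique there; after a Protection Domain activation both fields change, which is why the function rewrites them together rather than one at a time.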
We have released two art-of-the-possible scripts to show how you can handle this transition of workloads across clusters whilst maintaining full visibility within Citrix.
For CVAD we leveraged Citrix Powershell Snapins and Nutanix v2 API with PowerShell and for DaaS we leveraged Citrix Cloud DaaS API and Nutanix v2 API with PowerShell.
Both projects are another example of zero touch configuration with Nutanix and Citrix technology. You can read up on the process and details below:
A shortcut to the scripts can be found below:
I started a blog journey a while back running on a basic wordpress site. That was cool for a while, but I watched a few folks I respect jump across to Github pages with the likes of Jekyll etc.
Being a free option, and obviously what the cool kids were doing, I quickly jumped onboard and rebuilt my site using Github Pages, Jekyll and the Beautiful Jekyll theme by Dean Attali. This took some learning, and a lot of time in moving wordpress posts into markdown, but it was fun, it was free and it did the job. Goodbye Wordpress and your fees and advertising.
I use Windows for most of my work, and managed to get through the miraculous outcome of running Ruby locally, with the ability to serve my pages locally prior to publishing. I say it was a miracle because, frankly, it was a nightmare that I never wanted to do again.
Like that was going to happen.
There are a few awesome sites built on the Hydejack theme which was making me nerd-jealous. So, of course, I decided to follow along with the cool kids in an attempt to modernise and gain some funky new stuff. It was a bit of an adventure and had some learnings along the way. Outlined below are a few.
You will note in this blog I am using the hydejack-pro theme. I decided to purchase it for a few reasons:
You can use the free version just as easily, the process is the same, you will just have different theme configurations. In fact, I did the entire build outside of the contact form on the free version prior to upgrading. It’s fantastic.
Aaron Parker and Dave Brett have both done a really nice job on their sites using Hydejack (those are the cool kids I refer to).
After my initial fun fest with Ruby on Windows, I took a brief stab at trying to render the initial Hydejack site locally. That went down like a bag of bricks in a lake. After Google hunting like a boss, I gave up and decided not to break what was currently working.
Enter Docker Containers. This was an appealing option as I figured I could simply spin up a container and render my content in a disposable fashion as needed. That was a great theory, but a few things to learn along the way.
Whilst trialling a ridiculous number of different pre-built containers such as github-pages, jekyll, even basic default ubuntu, I had challenges all over the place. I finally settled on the Ruby image for my container, because, well, it was for Ruby, and it worked first go. Being a simple human, that was enough for me.
Ultimately, I built a very basic docker container to allow me to rebuild as required. Dockerfile below:
```dockerfile
# Consider pinning a specific ruby tag rather than :latest for reproducible builds
FROM ruby:latest
RUN gem install bundler
RUN gem update --system
RUN gem update
# Swap sh for bash so the interactive shell has command history (see below)
RUN ln -sf /bin/bash /bin/sh
# No-op at build time: sh has no terminal here and exits immediately.
# The interactive shell comes from `docker run ... sh`.
RUN sh
```
After deciding on a container, I needed to get my content into that container so that I could render (serve) it. I wanted to be able to edit using my Visual Studio Code editor as per normal on my Windows machine, but render that content via the Container. This also had a couple of challenges, maybe self-imposed, maybe not.
I choose to mount the local copy of my files when I ran the container. This looks like this:
```shell
docker run --name prod_blog --mount src=C:\Temp\Site\hydejack-pro-9.1.6\starter-kit-gh-pages\,target=/website,type=bind -p 4000:4000 -it ruby sh
```
This ultimately means that:
- The `C:\Temp\Site\hydejack-pro-9.1.6\starter-kit-gh-pages\` Windows directory is bind-mounted to the `/website` folder within the Container.
- Port `4000` is forwarded from the local host running Docker to the container on port `4000`.
- The `ruby` image is used and the container is named `prod_blog`.
- The `sh` command is run so we can do stuff.

I am by no means of any use with Container logic. There may well be smarter ways to handle the mount methodology.
From here, once starting to serve the content within the container (read on), we should, in a web browser on the local Windows machine, be able to access `http://127.0.0.1:4000` (Jekyll serves plain HTTP, not HTTPS), which Docker forwards into the Container to Jekyll, which is also listening on port `4000`.
And herein lies the rub. I have always run my jekyll serving as below on Windows:

```shell
bundle exec jekyll serve --drafts
```

This has been great, and it binds the Jekyll serving to the `127.0.0.1:4000` address locally. Happy times. In a container, however, this will not work: `127.0.0.1` inside the container is the container’s own loopback, which Docker’s published port cannot reach. You have to bind the Jekyll serving to `0.0.0.0:4000` within the Container as follows:

```shell
bundle exec jekyll serve --host 0.0.0.0 --incremental --watch --force_polling --strict_front_matter --drafts
```

One caveat worth knowing: `-p 4000:4000` publishes the port on every interface of the Windows host, so anyone on the same network can reach the dev server. `-p 127.0.0.1:4000:4000` keeps it host-local.
There are a couple of switches there of note:
- The `--host 0.0.0.0` switch forces Jekyll to bind to all interfaces (`0.0.0.0`) inside the container, which is what lets Docker’s port-forwarding reach it (thanks Google).
- The `--incremental` switch is used to pick up changes as you make them, and force rendering of that changed content. The `--force_polling` switch was needed because, funnily enough, when running a Linux Docker Container on Windows and using a `mount` to local content, file-change notifications aren’t propagated across the bind mount, so change detection doesn’t work without polling.
- The `--watch` switch was used as part of my testing on the above; I left it there as it wasn’t doing any damage.
- The `--strict_front_matter` switch, as I had so much to rework from my old posts that I was making mistakes all over the place. This helped me understand what I broke.
- `--drafts` allows you to serve draft posts located in the `_drafts` folder.

So when I start my container now, I simply change directory across to `/website` and then run my serve command `bundle exec jekyll serve --host 0.0.0.0 --incremental --watch --force_polling --strict_front_matter --drafts`.
If I was to rebuild that container (I’ve chosen to make it persistent for now), then the following is used to update all the required gems and bring everything to life. There is likely composition that you can do etc if you are a real Docker person, but I am not and this serves my need.
```shell
cd /website
bundle install
# Swap sh for bash so the interactive shell has command history, then start a new shell
ln -sf /bin/bash /bin/sh
sh
# Typed inside the new shell
bundle exec jekyll serve --host 0.0.0.0 --incremental --watch --force_polling --strict_front_matter --drafts
```

These are typed interactively rather than run as a script: `sh` starts a fresh (now bash) shell, and the serve command is run inside it. The reason for the `ln -sf /bin/bash /bin/sh` command was to allow me to use the up/down keys for command history within the container itself.
The nice thing here also, is that for testing, breaking and trialling, I could easily have multiple containers with different configs.
Some time consuming P-I-T-A components that I had to deal with:
I branched my current site and simply replaced all my current configurations with my new staged site. Pushed to Github, and then changed my Github Pages publishing source to the new branch for testing.
Once happy, I merged to main, and changed my publishing again. I then opened a ticket with Github to remove the fork status from my original site.
There were some challenges with initial builds in github, this was likely due to the amount of hacking and cracking that had been done locally. The easiest way to fix was using the `github-pages-starter-kit` that was provided with Hydejack. Starting from scratch, and then simply porting over images, pages, authors, _config.yml settings and cleaning up the appropriate default stuff was the easiest path to a win.
There are few really handy references who have done some cool stuff with Hydejack sites (both running Pro), a couple below worth checking out:
In particular, a shout out to Dan who fielded a few noob questions from a random on the other side of the world. Kudos.
Some tools I have found very useful in my adventures:
This post was likely more satisfying my own need to retain the last two weeks worth of learnings and trials, but I also hope that it helps others should they tread down this path. I feel a lot less like I am sitting on a ticking timebomb with Ruby on Windows now out of the way.
There is a lot of constant improvement being executed by the MCS team at Citrix, the release cadence is impressive and the feature enhancements significant. I spend a lot of time in Microsoft Azure with Citrix Cloud with a lot of happy customers. I thought it would be worthwhile keeping a rolling tally of new features with MCS and how it relates to Azure, so that we don’t lose sight of how much value add is provided.
I will do my best to maintain this list as and when features come out, as well as some commentary around their value where I can.
It is important to be across the options when designing your delivery platform on Azure, many changes have a direct implication on the ongoing operational costs associated with running workloads on/in Azure, as well as availability and global deployment options. Looking at what we have now, vs what was available 12 months ago, many designs and deployments would look remarkably different.
Starting an existing VM on Azure is now faster than launching a new one, making it a more efficient choice to retain VMs across power cycles. In response to this change, Citrix has combined the options Retain VMs across power cycles and Retain system disk during power cycles into a single option Retain VM and system disk during power cycles. This means that when you select this option to reduce VM restart times by retaining system disks, your VMs are retained as well.
Once you choose a machine profile with Encryption at Host enabled during Azure machine catalog creation or management, only machine sizes that support this feature are displayed.
You can now view the following image information through the Template Properties of the machine catalog:
This enhancement provides better clarity on the image information and ensures that the administrators have all the information about the machine catalog in one place.
In Azure environments, a customer-managed resource tagged with all Citrix tags is detected as an orphaned resource. With this feature, if you add another tag `CitrixDetectIgnore` with the value `true` to that resource, then the resource is ignored while detecting orphaned resources.
After creating multiple VMs using MCS, the System Center Configuration Manager (SCCM) displayed only one VM on its console because of duplicated GUIDs. This issue is now resolved by adding a step in the image preparation. This step deletes the existing certificates and GUID information within the master image. The step is enabled by default.
Not azure specific, but will impact Azure provisioned VMs.
With this feature, you can reset the identity information of active computer accounts that have identity-related problems. You can choose to reset only the machine password and trust keys, or reset all configuration of the identity disk. This implementation is applicable to both persistent and non-persistent machine catalogs. Currently, the feature is supported only for Azure and VMware virtualization environments.
In Azure environments, with this feature, you can now know whether encryption at host is enabled for a machine profile input (VM or template spec) using PowerShell commands.
Azure confidential computing VMs ensure that your virtual desktop is encrypted in memory and protected in use. With this feature, you can now use MCS to create a catalog with Azure confidential VMs. You must use the machine profile workflow to create such a catalog. You can use both a VM and an ARM template spec as a machine profile input.
With this feature, you can now change the memory and disk cache size of the Write-back cache (when MCSIO is enabled) using a PowerShell command without creating a new machine catalog. This implementation helps you to have the optimized cache configuration that is suitable for your business needs. This feature is applicable to:
In Azure environments, you can now create a Citrix Provisioning catalog enabled with customer-managed encryption key (CMEK) using the Full Configuration interface and PowerShell commands.
With this feature, in Azure environments, you can now copy tags specified in a machine profile to all the resources, such as multiple NICs and disks (OS disk, Identity disk, and write-back cache disk), of a new VM or an existing VM in a machine catalog.
The machine profile source can be a VM or an ARM template spec.
In Azure environments, you can create an MCS machine catalog that supports hibernation. Using this feature, you can suspend a VM, and then reconnect to the previous state of the VM when a user signs in again.
Previously, you could assign a specific drive letter to the write-back cache disk only by using a PowerShell cmdlet. You can now accomplish the same task using Full Configuration.
For Machine Creation Services-provisioned Azure machines, you can now change the following property settings using Full Configuration:
When you change any of these settings, Full Configuration automatically identifies related settings and provides automatic synchronization or prompt messages requesting you to reselect related settings. This capability ensures consistent changes across associated settings, preventing potential configuration errors.
With Full Configuration, you can now create Azure VMs with multiple NICs. A VM’s maximum NIC count is determined by the machine size setting, while its actual NIC count allowed is defined by the machine profile setting.
Creating empty machine catalogs now extends to non-MCS-provisioned machines, including:
With this feature, you can now create machine catalogs without the need to add machines to them during catalog creation.
Previously, the NIC settings of the master image were not retained in the provisioned VMs. For example, if you configured the DNS settings on the master image, the provisioned VMs did not retain the configured DNS settings of the master image. With this feature, the provisioned VMs can now retain the NIC settings of the master image. The settings are retained even after a Windows update.
The filter driver is automatically installed if you do a fresh installation of VDA version 2308 or later on a Hyper-V (Azure) deployed machine through the MCS master image installations. However, currently, if you upgrade from an older version of VDA (version less than 2308) and want to install the filter driver, then you must select the checkbox Citrix HyperV Filter Driver on the Additional Components page while upgrading the VDA.
This feature is applicable to:
With this feature, you can now detect the orphaned resources in your Azure deployment, enabling efficient resource management. After the orphaned resources are identified, you can take further action, bringing in more productivity and cost reduction.
When monitoring image update statuses for catalogs in Full Configuration, you can now view a new status Preparing image, in addition to the existing ones Fully updated, Partially updated, and Pending update.
In Full Configuration, you can now create a machine catalog without immediate VM creation. With this feature, you can postpone VM creation until back-end hosts are fully prepared or VM provisioning is completed, gaining more flexibility in creating catalogs. Currently, this feature applies only to Machine Creation Services-provisioned catalogs.
In line with the closure of Microsoft Cloud Deutschland on October 29, 2021, Citrix removed the Azure Germany option from the host connection creation page.
With Full Configuration, you can now enable VDA Upgrade for machine catalogs created through Azure Quick Deploy and then perform Upgrade VDA on them for immediate or scheduled upgrades.
An Azure only feature right now, you can now update properties of individual VMs in a persistent MCS machine catalog using a PowerShell command. This implementation helps you to manage individual VMs efficiently without updating the entire machine catalog.
As per Azure policy, you cannot upload or download more than five disks or snapshots at the same time with the same disk access object. With this feature, the limit of five concurrent uploads or downloads is not enforced if you:
- set `ProxyHypervisorTrafficThroughConnector` in `CustomProperties`, and

Previously, the Windows operating system automatically assigned a drive letter to the MCS I/O write-back cache disk. You can now assign a specific drive letter to the MCS I/O write-back cache disk. This implementation helps to avoid conflicts between the drive letter of any applications that you use and the drive letter of the MCS I/O write-back cache disk. This feature is applicable only to the Windows operating system.
Not applicable when the Azure temporary disk is used as the write-back cache disk.
Applicable drive letters for the write-back cache disk: `E` to `Z`.
When catalog creation fails, you can now retry the creation job. On failure, you can review troubleshooting information to help resolve the issues. The information describes the issues found and provides recommendations for resolving them. Failed catalogs are marked with an error icon. To see the details, go to the Troubleshoot tab of each catalog.
This one scrapes in on the Azure front, but only just. Citrix introduced an option to simplify the cleanup of stale Azure AD joined devices in Citrix DaaS. Previously, you had to run a custom PowerShell script to perform the task. Enabling this option grants host connections permission to automatically clean stale Azure AD joined devices.
You can now monitor image update statuses for non-persistent machine catalogs using a new column, Image Update. This column indicates whether images of a catalog are Fully updated, Partially updated, or Pending update.
To show the column in the Machine Catalogs table, follow these steps:
Displaying the Image update column might degrade the console performance. We recommend displaying it only when necessary.
When selecting master images for machine catalogs, you can now quickly get the most up-to-date master image list using the Refresh option at the top right. Additionally, a Refresh option is available for machine profiles and host groups in Azure catalogs.
In Azure environments, you can now get a list of orphaned resources that are created by MCS but are no longer used by MCS. This feature helps to avoid extra costs.
When creating a catalog of multi-session machines, you can now specify whether to make them persistent. For persistent multi-session machines, keep in mind that changes users make to the desktops are saved and accessible to all authorized users.
With this feature, stale Azure AD devices can be consistently deleted by assigning the Cloud Device Administrator role to the service principal and modifying the custom property of the hosting connection. If you do not delete the stale Azure AD devices, then the corresponding non-persistent VM stays in the initializing state until you manually remove it from the Azure AD portal.
Previously, you only got the latest warnings and errors associated with a machine catalog. With this feature, you can now get a list of the historical warnings and errors of an MCS machine catalog. This list helps you to understand any issues with your MCS machine catalog and fix those issues.
When you provision Azure VMs, Full Configuration now preconfigures the following settings based on the selected machine profile:
Traditionally, customers relied on the public internet to let Azure endpoints interact with resources in the environment. As a result, security concerns were raised because the public internet was accessed. With this feature, MCS enables network traffic to be routed through Citrix Cloud Connectors in the environment. This makes the environment safer because all Azure managed-disk traffic originates from the customer’s environment rather than from Citrix Cloud, which is what allows disk access to be restricted to private endpoints. To enable this, add `ProxyHypervisorTrafficThroughConnector` in `CustomProperties`.
After you set the custom properties, you can configure Azure policies to have private disk access to Azure managed disks.
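Hosting connection `CustomProperties` is a single XML blob, so setting one property by pasting a fresh document silently drops any others already on the connection. The following is an added example (not from the post or from Citrix) that merges a property into the existing XML and writes it back through the `XDHyp:` provider. The `CustomProperties` element schema is the one Citrix documents for MCS; reading the current value back as `$conn.CustomProperties` is an assumption about the item’s property name. DaaS customers would run the same cmdlets through the Remote PowerShell SDK.

```powershell
# Added example, not from the post or Citrix: set an MCS custom property on a
# hosting connection without clobbering properties already present.
# Assumes the Citrix Host snapin's XDHyp: provider and the CustomProperties XML
# schema Citrix documents; $conn.CustomProperties is an assumed property name.
Add-PSSnapin Citrix.Host.Admin.V2 -ErrorAction Stop

function Merge-CitrixCustomProperty {
    param(
        [AllowEmptyString()][string]$ExistingXml,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $ns  = 'http://schemas.citrix.com/2014/xd/machinecreation'
    $xsi = 'http://www.w3.org/2001/XMLSchema-instance'
    if ([string]::IsNullOrWhiteSpace($ExistingXml)) {
        $ExistingXml = "<CustomProperties xmlns=`"$ns`" xmlns:xsi=`"$xsi`" />"
    }
    $doc = [xml]$ExistingXml
    # Update in place if the property exists, otherwise append a StringProperty
    $existing = $doc.DocumentElement.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' -and $_.GetAttribute('Name') -eq $Name } |
        Select-Object -First 1
    if ($null -ne $existing) {
        $existing.SetAttribute('Value', $Value)
    } else {
        $prop = $doc.CreateElement('Property', $ns)
        [void]$prop.SetAttribute('type', $xsi, 'StringProperty')   # serialises as xsi:type
        $prop.SetAttribute('Name', $Name)
        $prop.SetAttribute('Value', $Value)
        [void]$doc.DocumentElement.AppendChild($prop)
    }
    return $doc.OuterXml
}

function Get-CitrixCustomProperty {
    # Flatten the XML into Name/Value pairs so the result is easy to eyeball
    param([AllowEmptyString()][string]$Xml)
    if ([string]::IsNullOrWhiteSpace($Xml)) { return @() }
    ([xml]$Xml).DocumentElement.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.GetAttribute('Name'); Value = $_.GetAttribute('Value') } }
}

function Set-CitrixHostingConnectionProperty {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $path = "XDHyp:\Connections\$ConnectionName"
    $conn = Get-Item -LiteralPath $path -ErrorAction Stop
    $new  = Merge-CitrixCustomProperty -ExistingXml ([string]$conn.CustomProperties) -Name $Name -Value $Value
    if ($PSCmdlet.ShouldProcess($ConnectionName, "Set $Name=$Value")) {
        Set-Item -LiteralPath $path -CustomProperties $new
    }
    # Read back so the caller can confirm the property landed and nothing else was lost
    return Get-CitrixCustomProperty -Xml ([string](Get-Item -LiteralPath $path).CustomProperties)
}

# Usage: route Azure managed-disk traffic through the Cloud Connectors (dry run first; name is a placeholder)
# Set-CitrixHostingConnectionProperty -ConnectionName 'Azure-UKSouth' -Name 'ProxyHypervisorTrafficThroughConnector' -Value 'True' -WhatIf
```

The read-back at the end is the check worth keeping: compare it against the list you captured before the change, and only then tighten the Azure disk access policies described above, otherwise a dropped property or a typo in the name leaves MCS unable to upload disks once the public path is closed.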
Azure Monitor Agent (AMA) collects monitoring data and delivers it to Azure Monitor. With this feature, you can provision MCS machine catalog VMs (persistent and non-persistent) with AMA installed as an extension. This implementation enables monitoring by uniquely identifying the VMs in monitoring data.
Currently, MCS supports only the machine profile workflow for this feature.
In Azure, you can now use a VM or template spec as a machine profile input to convert a non-machine profile-based machine catalog to machine profile-based machine catalog. Existing VMs and new VMs added to the catalog take property values from the machine profile unless overwritten by explicit custom properties.
In Azure, you can now create an MCS machine catalog with double encryption. Double encryption is platform-side encryption (default) and customer-managed encryption (CMEK). If you are a high security sensitive customer who is concerned about the risk associated with any encryption algorithm, implementation, or a compromised key, you can opt for this double encryption. Persistent OS and data disks, snapshots, and images are all encrypted at rest with double encryption.
You can now use the PowerShell command Reset-ProvVMDisk to reset the OS disk of a persistent VM in an MCS created machine catalog. The feature automates the process of resetting the OS disk. For example, it helps in resetting the VM to its initial status of a persistent development desktop catalog created using MCS. Think of this as a reset back to the initial state of provisioning.
Again, not an MCS specific function, but impacts the process of settings up an environment for MCS. You can now get the following information while you create a host connection:
This feature helps you correctly set-up a resource location and thus, create a host connection.
Not quite MCS, but included as Autoscale and MCS provisioned workloads are so heavily entwined. A new option, Neither notify nor force user logoff, is now available on the Manage Autoscale -> User Logoff Notification page. With the option selected, Autoscale will neither force users to log off from machines in drain state nor notify users to log off and log on to a different machine.
The following capabilities have been added:
@ " \ / ; : # . * ? = < > | [ ] ( ) '
In Full Configuration, you can now change networks for a connection. You can’t unassociate networks from a connection if they are in use.
Previously, the Remove-ProvVM and Remove-ProvScheme PowerShell commands with the ForgetVM parameter removed the VMs and machine catalogs from the Citrix database. However, the commands didn’t remove the tags from the resources. You had to individually manage the VMs and machine catalogs that weren’t deleted entirely from all the resources. With this feature, you can use:
Remove-ProvVM with the ForgetVM parameter to remove VMs and tags created on the resources from a single VM or a list of VMs from a machine catalog.
Remove-ProvScheme with the ForgetVM parameter to remove a machine catalog from the Citrix database and tags created on the resources from an entire machine catalog.
This implementation helps in identifying orphaned resources that are created by MCS but no longer used by MCS. This feature is only applicable to persistent VMs.
At power-on, the storage type of a managed disk might fail to change to the desired type due to a failure on Azure. Previously, in these scenarios, the VM would remain off with a failure message sent to you. With this feature, you can either choose to power on the VM even when storage cannot be restored to its configured type or choose to keep the VM powered off.
You can now create an MCS machine catalog with encryption at host capability. Currently, MCS supports only the machine profile workflow for this feature. You can use a VM or a template spec as an input for a machine profile.
With this type of encryption, the server hosting the VM encrypts the data and the encrypted data flows through the Azure storage server. Therefore, this method of encryption encrypts data end to end.
With this feature, you can now modify the Azure AD dynamic security group name associated with a machine catalog. This modification helps you to make the Azure AD dynamic security group information stored in Azure AD identity pool object to be consistent with the information stored in Azure portal.
The following capabilities have been added:
In Azure environments, you can now save storage costs by changing the storage type of existing VMs to a lower tier when the VMs are shut down. To do this, use the StorageTypeAtShutdown custom property.
This release allows you to set these properties on an existing catalog rather than only on a new one, as specified in an earlier release.
You can now add tenants and subscriptions that share the Azure Compute Gallery with the subscription of the connection. As a result, when creating or updating catalogs, you can select shared images from those tenants and subscriptions.
When changing catalog images, only images with the same OS type as the image in use are shown. With this enhancement, Citrix DaaS no longer supports changing the OS type for Azure catalogs after catalog creation.
Previously, in Azure environments, you could share images only with shared subscriptions using Azure Compute Gallery. With this feature, you can now select an image in Azure Compute Gallery that belongs to a different shared subscription in a different tenant to create and update an MCS catalog.
Whilst not MCS specific, Autoscale ties in nicely here.
Citrix updated the Control when Autoscale starts powering on tagged machines option to make it easy to understand. The option controls when Autoscale starts powering on tagged machines based on the percentage of the remaining capacity of untagged machines. When the percentage falls below the threshold (default, 10%), Autoscale starts powering on tagged machines. When the percentage exceeds the threshold, Autoscale goes into power-off mode.
I am including this one because there are Azure specific considerations here.
You can now see GPU Utilization of AMD Radeon Instinct MI25 GPUs and AMD EPYC 7V12(Rome) CPUs on Monitor. Monitor already supports the NVIDIA Tesla M60 GPUs. GPU Utilization displays graphs with real-time percentage utilization of the GPU, the GPU memory, and of the Encoder and the Decoder to troubleshoot GPU-related issues on multi-session and single-session OS VDAs.
In Azure environments, you can now schedule a time slot for the configuration updates of the existing MCS provisioned machines using the PowerShell command Schedule-ProvVMUpdate. Any power on or restart during the scheduled time slot applies a scheduled provisioning scheme update to a machine. You can also cancel the configuration update before the scheduled time using Cancel-ProvVMUpdate.
You can schedule and cancel the configuration update of:
Previously, MCS offered only locally-redundant storage. With this feature, zone-redundant storage is now an option in Azure, allowing you to select a storage type depending on what type of redundancy you want to use. Zone-redundant storage replicates your Azure managed disk across multiple availability zones, which allows you to recover from a failure in one zone by utilizing the redundancy in others.
A new option, Enable storage cost saving, is now available on the Disk Settings page when you create or update Azure catalogs. The option saves storage costs by downgrading to Standard HDD for the storage disk and the write-back cache disk when the VM shuts down. The VM switches to its original settings on restart.
This is awesome to see come to life - more cost savings.
The option to retain VMs in hypervisors or cloud services is now available only to persistent VMs.
You can now delete VM objects in MCS without having access to the hypervisor. When deleting a VM or provisioning scheme, MCS needs to remove tags so that the resources are no longer tracked or identified. Previously, if the hypervisor could not be accessed, the tag removal failures were ignored. With this feature, if the hypervisor is not accessible while using the Remove-ProvVM command the tag removal will fail, but by using the PurgeDBOnly option, you can still delete the VM resource object from the database.
When creating an MCS catalog in Full Configuration, you can now annotate its master image. This was previously only available for updates to an existing Catalog, and whilst not Azure specific, definitely adds value to Azure deployments.
You can now save storage costs by switching the storage type of a managed disk to a lower tier when you shut down a VM. To do this, use the StorageTypeAtShutdown custom property. The storage type of the disk changes to a lower tier (as specified in the StorageTypeAtShutdown custom property) when you shut down the VM. After you power on the VM, the storage type changes back to the original storage type (as specified in the StorageType or WBCDiskStorageType custom property).
Previously, in Azure environments, you could use Request-ProvVMUpdate to update the ServiceOffering custom property of an MCS provisioned machine. Now, you can also update the machine profile and the following custom properties:
StorageType
WBCDiskStorageType
IdentityDiskStorageType
LicenseType
DedicatedHostGroupId
PersistWBC
PersistOsDisk
PersistVm
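As an added example that is not from the original post or from Citrix's documentation, this Remote PowerShell SDK snippet sets StorageTypeAtShutdown on an existing scheme, changes the VM size, and then requests the update on every existing machine in the catalog, which is the Set-ProvScheme then Request-ProvVMUpdate flow described in the two notes above (and in the ServiceOffering-only note further down). The catalog name, serviceoffering path and storage tiers are placeholders, and the Get-ProvVM status property names in the last step are an assumption.

```powershell
# Added example, not from the original post or from Citrix. Assumes the Citrix Remote
# PowerShell SDK is installed and already authenticated. Names and paths are placeholders.
$SchemeName = "AzureCatalog-01"
$NewSize    = "XDHyp:\HostingUnits\AzureHU\serviceoffering.folder\Standard_D4s_v5.serviceoffering"

# 1. Inspect the scheme's current custom properties (stored as an XML string).
$Scheme = Get-ProvScheme -ProvisioningSchemeName $SchemeName -ErrorAction Stop
[xml]$Current = $Scheme.CustomProperties
$Current.CustomProperties.Property | Select-Object Name, Value | Format-Table -AutoSize

# 2. Build the replacement set. StorageType / WBCDiskStorageType are the tiers used while
#    the VM runs; StorageTypeAtShutdown is what the disks drop to when the VM is off.
#    Keep the running-tier properties in the set so the scheme stays complete.
$CustomProperties = @"
<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Property xsi:type="StringProperty" Name="StorageType" Value="Premium_LRS" />
  <Property xsi:type="StringProperty" Name="WBCDiskStorageType" Value="Premium_LRS" />
  <Property xsi:type="StringProperty" Name="StorageTypeAtShutdown" Value="Standard_LRS" />
</CustomProperties>
"@

# 3. Update the template. Set-ProvScheme changes the scheme only; machines already
#    provisioned from it keep their old settings until an update is requested.
Set-ProvScheme -ProvisioningSchemeName $SchemeName -CustomProperties $CustomProperties
Set-ProvScheme -ProvisioningSchemeName $SchemeName -ServiceOffering $NewSize

# 4. Request the new scheme state on every existing machine. The change is applied at
#    each machine's next power-on or restart, so nothing running is disturbed now.
$VMs = Get-ProvVM -ProvisioningSchemeName $SchemeName
foreach ($VM in $VMs) {
    Request-ProvVMUpdate -ProvisioningSchemeName $SchemeName -VMName $VM.VMName
}

# 5. Report which machines still carry a pending update. The two status property names
#    are an assumption about the Get-ProvVM output; adjust to what your SDK version returns.
Get-ProvVM -ProvisioningSchemeName $SchemeName |
    Select-Object VMName, ProvisioningSchemeVersion, ProvisioningSchemeUpdateRequested |
    Format-Table -AutoSize
```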
When creating a catalog using an Azure Resource Manager master image, you can now use a machine profile and a host group at the same time. This is useful in scenarios where you want to use trusted launch for improved security and at the same time run the machines on dedicated hosts.
You can create machine catalogs enabled with Trusted launch, and use the SupportsTrustedLaunch property of the VM inventory to determine the VM sizes that support Trusted launch.
Trusted launch is a seamless way to improve the security of Generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques.
Previously, in Azure environments, you could only select an image within your subscription to create a machine catalog. With this feature, you can now select an image in Azure Compute Gallery (formerly Shared Imaged Gallery) that belongs to a different shared subscription to create and update MCS catalogs.
There is now a pre-flight check to assess whether the creation of a machine catalog will be successful based on the Azure availability zone specified in the custom property and the host group’s zone. Catalog creation fails if the availability zone custom property does not match the host group’s zone.
A host group is a resource that represents a collection of dedicated hosts. A dedicated host is a service that provides physical servers that host one or more virtual machines. Azure availability zones are physically separate locations within each Azure region that are tolerant to local failures.
In Azure environments, you can now avoid potential confusion with the page file location. MCS now determines the page file location when you create the provisioning scheme during image preparation. This calculation is based on certain rules. Features like ephemeral OS disk (EOS) and MCS I/O have their own expected page file location and are exclusive to each other.
If you decouple image preparation from provisioning scheme creation, MCS correctly determines the page file location.
While creating a catalog in an Azure environment, you can now specify the page file setting, including its location and the size, using PowerShell commands. This overrides the page file setting determined by MCS. You can do this by running the New-ProvScheme command with the following custom properties:
PageFileDiskDriveLetterOverride: Page file location disk drive letter
InitialPageFileSizeInMB: Initial page file size in MB
MaxPageFileSizeInMB: Maximum page file size in MB
When using an ARM template spec as a machine profile to create a machine catalog, you can now add Azure VM extensions to the VMs in the catalog, view the list of supported extensions, and remove extensions you added. Azure VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a VM requires software installation, antivirus protection, or the ability to run a script inside it, you can use a VM extension.
You can now create provisioning schemes using ephemeral OS disk on Windows with trusted launch. Trusted launch is a seamless way to improve the security of generation 2 VMs. It protects against advanced and persistent attack techniques by combining technologies that can be independently enabled, like secure boot and a virtualized version of the trusted platform module (vTPM).
Again, whilst not Azure specific, this has implications on Azure capability. Dynamic session timeouts now support single-session OS machines. A delivery group with at least one VDA of version 2206 or later is required. Ensure that those VDAs have registered with Citrix Cloud at least once.
Whilst not Azure specific, this is still important for Azure based deployments. A new feature is now available in User Logoff Notifications (formerly Force User Logoff) in Autoscale. The feature provides functionality to send logoff reminders to users without forcing them to log off. Doing that avoids potential data loss caused by forcing users to log off from their sessions.
Using the Full Configuration interface, the Linux OS license type can be selected when creating Linux VM catalogs in Azure. There are two choices for bring-your-own Linux licenses:
Previously, only VMs could be used as machine profiles. ARM template specs can be used as machine profiles when creating Azure machine catalogs. This allows for taking advantage of Azure ARM template features such as versioning. To ensure that the selected spec is configured correctly and contains required configurations, Citrix performs validation tasks on it. If the validation fails, a different machine profile must be selected.
Validation of an ARM template spec to make sure that it can be used as a machine profile to create a machine catalog is now available. There are two ways to validate the ARM template spec:
When using the Full Configuration management interface to select a machine profile for the VMs to inherit configurations from, an ARM template spec can now be selected.
The network setting for an existing provisioning scheme can be altered so that the new VMs are created on the new subnetwork. Use the parameter -NetworkMapping in the Set-ProvScheme command to change the network setting. Only the newly provisioned VMs from the scheme will have the new subnetwork settings. Subnetworks must be under the same hosting unit.
The region name information for an Azure VM, managed disks, snapshots, Azure VHD, and ARM template can now be displayed. This information is displayed for the resources on the master image when a machine catalog is assigned.
While creating an Azure catalog with a machine profile, property values from the ARM template spec or VM, whichever is used as a machine profile, can be set if the values are not explicitly defined in the custom properties. The properties affected by this feature are:
If some of the properties are missing from the machine profile and not defined in the custom properties, then the default value of the properties takes place wherever applicable. See Create a machine catalog using an Azure Resource Manager image for more information.
Set-ProvServiceConfigurationData can now be run using the Remote PowerShell SDK to apply settings on all applicable parameters. The following list of settings is supported with Set-ProvServiceConfigurationData:
Set-ProvServiceConfigurationData -Name "ImageManagementPrep_PreparationTimeout" -Value 60
Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value EnableDHCP
Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value OsRearm
Set-ProvServiceConfigurationData -Name ImageManagementPrep_Excluded_Steps -Value OfficeRearm
Set-ProvServiceConfigurationData -Name ImageManagementPrep_NoAutoShutdown -Value true
Set-ProvServiceConfigurationData -Name DisableDomainInjection -Value true
MCS now supports Azure Stack HCI provisioning through Microsoft System Center Virtual Machine Manager (SCVMM). Azure Stack HCI clusters can be managed with existing tools including SCVMM.
Full Configuration now shows updates on catalog creation and updates. This displays an overview of the creation and update process, the history of steps performed, and the progress and running time of the current step.
An Azure Active Directory joined identity type is now available in Machine Identities when creating a Catalog. With that identity type, MCS can create machines that are joined to Azure Active Directory. An extra option is available, Enroll the machines in Microsoft Intune, to enroll the machines in Microsoft Intune for management.
For information about requirements and considerations related to Azure Active Directory join, see Azure Active Directory joined detail.
A Hybrid Azure Active Directory joined identity type is now available in Machine Identities when creating a Catalog. With that identity type, MCS can create hybrid Azure Active Directory joined machines. Those machines are owned by an organization and signed into with an Active Directory Domain Services account that belongs to that organization. Additional information is available for Hybrid Azure Active Directory joined device provisioning.
In addition to images, Azure trusted launch is now available for snapshots. If selecting a snapshot with trusted launch enabled, using a machine profile is mandatory. A machine profile with trusted launch enabled must be selected.
You will now get an error if you set New-ProvScheme parameters for unsupported hypervisors during machine catalog creation, or Set-ProvScheme parameters after the machine catalog is created.
Not Azure and MCS specific, but will impact design decisions. Resource Location limits for single-session VDAs and multi-session VDAs are now increased to 10000 and 1000 respectively.
Citrix DaaS now prevents virtual machines from being shut down by the broker when the zone that the machines are in experiences an outage. The machines automatically become available for connections when the outage ends. You don’t have to take any action to make the machines available after the outage.
A couple of small changes to Autoscale.
Set-ProvScheme changes the template (provisioning scheme) associated with the catalog, but does not affect existing machines. Using the Request-ProvVMUpdate command, you can now apply the current provisioning scheme to an existing machine (or set of machines). Currently, the property update supported by this feature is ServiceOffering.
This is very handy when you need to change existing VM sizes within an existing catalog.
MCS now supports Azure trusted launch in the Full Configuration management interface. If you choose to select an image with trusted launch enabled, using a machine profile is mandatory. This machine profile must have trusted launch enabled.
Whilst not Azure specific, this is heavily Azure focused and will impact MCS capability. IPS simplifies the management of images across platforms. This feature is useful for managing images between an on-premises Resource Location and the public cloud.
There are two sets of permissions required for security requirements and to minimize risk.
A new option, Use non-persistent write-back cache disk, has been added to the Machine Catalog Setup > Disk Settings page of the Manage > Full Configuration interface. Select that option if you do not want the write-back cache disk to persist for the provisioned VMs. With the option selected, the VM’s temporary disk is used to host the write-back cache disk if the temporary disk has sufficient space. Doing this reduces cost.
Using the Full Configuration management interface, you can now change the following settings after creating a catalog:
On the Machine Catalogs node, select the catalog and then select Edit Machine Catalog in the action bar.
Note: These changes only impact newly reprovisioned machines. Previously created machines remain the same.
It is now supported to store the Azure ephemeral OS disk either on cache disk or temporary disk for an Azure-enabled virtual machine. You can read more on Azure Ephemeral Disks with MCS here.
Using the Full Configuration management interface, there is now an option to specify the date after which the application secret expires. This is useful as it prevents you from being unexpectedly locked out of Azure.
Edit Connection > Connection Properties page
Edit Connection > Edit settings > Use existing. You can make subsequent edits on the Edit Connection > Connection Properties page.
Previously, PowerShell was the only choice to create machines that use ephemeral OS disks. There is a new option to select “Azure ephemeral OS disk” in the Machine Catalog Setup > Storage and License Types page.
When updating an MCS-created catalog, notes can be added to assist with tracking changes. Each time the catalog is updated, a note-related entry is created whether or not a prescriptive note is added. If the catalog is updated without adding a note, the entry appears as null (-).
To view note history for the image, select the catalog, click Template Properties in the lower pane, and then click View note history.
This is not Azure specific, but I am adding this as it’s very handy and long awaited.
When creating a machine catalog, you can now view purchase plan information for master images originated from Azure Marketplace images.
Citrix added a setting Retain VMs across power cycles to the Machine Catalog Setup > Disk Settings page of the Full Configuration management interface. The setting lets you preserve a provisioned VM when power cycling in Azure environments.
Be wary of cost implications associated with persistent OS disks.
Citrix introduced the Update Machines option for persistent MCS catalogs in the Full Configuration management interface. The option lets customers manage the image or template the catalog uses. When updating a persistent catalog, consider the following:
Only machines you add to the catalog later are created using the new image or template. We do not roll out the update to existing machines in the catalog.
This is significant given the previous method wasn’t easily understood for those not in bed with PowerShell.
Citrix added an option, Use a host group, to the Machine Catalog Setup > Master Image page of the Full Configuration management interface. The option lets customers specify which host group they want to use when provisioning VMs in Azure environments.
A machine catalog can now be bound to a Workspace Environment Management configuration set on creation. Customers can also choose to bind the catalog after they create the catalog.
Whilst not specifically an MCS feature, it is an enhancement that MCS will consume, so it makes the list of goodies.
Change details associated with catalog updates can now be added via PowerShell using the masterImageNote attribute. This functionality is useful for administrators who want to add descriptive labels when updating an image used by a catalog.
Hopefully this lands in the GUI shortly for general consumption.
Citrix Virtual Apps and Desktops service supports AVS, the Azure VMware Solution. Customers can leverage the Citrix Virtual Apps and Desktop service to use AVS for provisioning workloads in the same way they would using vSphere in on-premises environments.
Customers can now use the same resource group for updating and creating catalogs in the Citrix Virtual Apps and Desktops Service. This process:
You can display information for an Azure VM, OS disk, snapshot and gallery image definition. This information is displayed for resources on the master image when a machine catalog is assigned. Use this functionality to view and select either a Linux or Windows image.
Details: Citrix added an identity type, Non-domain-joined, to the Machine Catalog Setup > Machine Identities page of the Full Configuration management interface. With this identity type, MCS can create machines that are not joined to any domain.
This option lets you specify which machine profile you want the image to inherit the configuration from when creating VMs in Azure environments. The image can inherit the following configurations from the selected machine profile:
This is awesome. If you have needed to implement my Accelerated Networking scripts, then consider using this feature instead.
Requires minimum VDA 2106.
You can now select different storage types for virtual machines in Azure environments using MCS.
In the Full Configuration management interface, when creating an MCS catalog, you can now select the storage type for the write-back cache disk. Available storage types include: Premium SSD, Standard SSD, and Standard HDD.
When creating a machine catalog, you can now access images from the Azure Shared Image Gallery on the Master Image screen.
Machine catalogs use the standard SSD storage type for identity disks. Azure standard SSDs are a cost-effective storage option optimized for workloads that need consistent performance at lower IOPS levels.
You can read more about the benefits of this change here and utilise the provided scripts to convert existing deployments.
Previously, PowerShell was the only choice to provision machines into a specific Availability Zone in Azure environments.
When using Studio to create a machine catalog, you can now select one or more Availability Zones into which you want to provision machines. If no zones are specified, Machine Creation Services (MCS) lets Azure place the machines within the region. If more than one zone is specified, MCS randomly distributes the machines across them.
Citrix Virtual Apps and Desktops service supports Azure ephemeral disk. An ephemeral disk allows you to repurpose the VM cache to store the OS disk for an Azure-enabled virtual machine.
Ephemeral OS disks require that your provisioning scheme use managed disks and a Shared Image Gallery.
This enhancement changes the default values for Absolute Simultaneous actions for the hosting connection to 500, and Maximum new actions per minute for the hosting connection to 2,000. No manual configuration tasks are required to take advantage of this enhancement.
MCS I/O now supports machine catalog creation for VMs that do not have temporary disks or attached storage.
You can now provision a Gen2 VM catalog by using either a Gen2 snapshot or a Gen2 managed disk to improve boot time performance.
Machine Creation Services (MCS) no longer creates table storage accounts for catalogs that use managed disks when provisioning VDAs on Azure.
When creating a catalog in Azure using a managed disk, a storage account is no longer created. Storage accounts created for existing catalogs remain unchanged. This change is applicable for managed disks only. For unmanaged disks, there is no change in the existing behavior. Machine Creation Services (MCS) continues creating storage accounts and locks.
Studio adds a setting called Customer-managed encryption key to the Machine Catalog Setup > Disk Settings page. The setting lets you choose whether to encrypt data on the machines to be provisioned in the catalog.
Azure dedicated hosts allow you to provision virtual machines on hardware dedicated to a single customer. While using a dedicated host, Azure ensures that your virtual machines would be the only machines running on that host. This provides more control and visibility to customers thereby ensuring they meet their regulatory or internal security requirements.
A pre-configured Azure host group, in the region of the hosting unit, is required when using the HostGroupId parameter. Also, Azure auto-placement is required.
When using Azure dedicated hosts, selecting the Azure Availability Zone has no effect. The virtual machine is placed by the Azure auto-placement process.
Citrix Virtual Apps and Desktops service supports customer-managed encryption keys for Azure managed disks. With this support you can manage your organizational and compliance requirements by encrypting the managed disks of your machine catalog using your own encryption key.
You can now provision machines into a specific availability zone in Azure environments. With this functionality you can specify one or multiple Availability Zones on Azure. Machines are nominally equally distributed across all provided zones if more than one zone is provided. The virtual machine and the corresponding disk are placed in the specified zone (or zones).
Citrix Virtual Apps and Desktops service supports Azure Shared Image Gallery as a published image repository for MCS provisioned machines in Azure. Administrators have the option of storing an image in the gallery to accelerate the creation and hydration of OS disks. This process improves the boot and application launch times for non-persistent VMs.
You can now provision managed disks using Gen2 VMs in Azure environments to improve boot time performance.
Citrix Managed Azure is now available in the following Citrix Virtual Apps and Desktops service editions: Standard for Azure, Advanced, Premium, and Workspace Premium Plus.
Studio now provides you an option to place master images in Azure Shared Image Gallery (SIG). SIG is a repository for managing and sharing images. It lets you make your images available throughout your organization.
Citrix recommend that you store a master image in SIG when creating large non-persistent machine catalogs because doing that enables faster reset of VDA OS disks.
Studio now lets you control whether to retain system disks for VDAs during power cycles. Ordinarily, the system disk is deleted on shutdown and recreated on startup. This ensures that the disk is always in a clean state but results in longer VM restart times. If system writes are redirected to the cache and written back to the cache disk, the system disk remains unchanged.
To avoid unnecessary disk recreation, use the Retain system disk during power cycles option, available on the Machine Catalog Setup > Disk Settings page. Enabling the option reduces VM restart times but increases your storage costs. The option can be useful in scenarios where an environment contains workloads with sensitive restart times.
Previously, PowerShell was your only choice to create a catalog with persistent write-back cache disk. You can now use Studio to control whether the write-back cache disk persists for the provisioned VMs in Azure when you are creating a catalog. If disabled, the write-back cache disk is deleted during each power cycle to save storage costs, causing any data redirected to the disk to be lost.
To retain the data, enable the Use persistent write-back cache disk option, available on the Machine Catalog Setup > Disk Settings page.
Details: Citrix Virtual Apps and Desktops service supports Azure Shared Image Gallery as a published image repository for MCS provisioned machines in Azure. Administrators have the option of storing an image in the gallery to accelerate the creation and hydration of OS disks from the master image. This process improves the boot and application launch times for non-persistent VMs.
Details: Studio now adds support for the standard SSD disk type. Azure standard SSDs are a cost-effective storage option optimized for workloads that need consistent performance at lower IOPS levels.
Details: Direct upload eliminates the need to attach an empty managed disk to a virtual machine. Directly uploading to an Azure managed disk simplifies the workflow by enabling you to copy an on-premises VHD directly for use as a managed disk. Supported managed disks include Standard HDD, Standard SSD, and Premium SSD.
Details: You can now create and use a single Azure resource group for updating and creating catalogs in Citrix Virtual Apps and Desktops. This enhancement applies to both the full scope and narrow scope service principals. The previous limit of 240 VMs per 800 managed disks per Azure Resource Group has been removed. There is no longer a limit on the number of virtual machines, managed disks, snapshots, and images per Azure Resource Group.
Details: This release adds support for the NV v4 and the DA v4 series of AMD machines when configuring Premium Disks for a machine catalog.
Details: This release supports improved boot performance for Citrix Cloud implementations using Azure when MCSIO is enabled. With this support, you can retain the system disk. This provides the following advantages:
Citrix Profile Management is quietly kicking goals and developing quickly. This post aims to track the changes and releases as they occur, and provide a single point of reference. It is a companion post to my initial Citrix UPM and FSLogix Containers post, which outlined some decision points around profile management tool selection.
This list will start at CVAD 1912 LTSR; for anything prior to that, refer to the appropriate documentation.
I will do my best to maintain this list as and when features come out, as well as some commentary around their value where I can.
By default, when multiple user stores are available, CPM selects the store with the latest profile data. If more than one store has the latest profile, Profile Management selects the one configured earliest.
With a new policy, User store selection method, you can now enable Profile Management to select the store with the best access performance.
CPM performs a check to see which store has the better performance (how fast it can be accessed) and then uses that path as the primary store.
File deduplication has been extended to profile containers, allowing you to efficiently reduce storage costs for profile containers. By default, Profile Management deduplicates files from profile containers only when those files are larger than 256 MB. If necessary, you can increase this threshold size using a new policy, Minimum size of files to deduplicate from profile containers.
By default, when the profile container is unavailable during user logon, a user logs on using the temporary profile instead. However, this behavior leads to data loss for any changes made during the session.
There is a new policy, Log off users when profile container is not available during logon. With this policy, you can now force users to log off instead of continuing on a temporary profile whose changes will be lost.
By default, a profile container is accessible only to its owner. With a new policy, Users and groups to access profile container, you can now grant other users Read access to the profile container.
This policy gives you more precise control over profile container access. Keep the scope tight: Read access to the VHDX is Read access to everything inside that user's profile, so grant it only to the support or service identities that genuinely need it.
In container-based profile solutions, you can now enable both the Enable multi-session write-back for profile containers and Enable local caching for profile containers policies. This enhancement improves user experience by combining the benefits of both policies, which include:
With the OneDrive container enabled, any changes a user makes to OneDrive files in a session are now instantly visible in its concurrent sessions. This improvement reduces synchronization conflicts and ensures data integrity.
With this enhancement, users now don’t have to reenter credentials for OneDrive during subsequent logons, improving user convenience.
With the UWP app roaming policy enabled, the new Microsoft Teams app can now roam with users. Therefore, users can access the same Microsoft Teams app with their personalized settings and data from different devices.
Citrix enhanced the Profile Management health check tool to provide more comprehensive health checks. Besides the existing status checks, the tool can now provide more checks such as an assessment of logon times, letting you quickly identify and resolve issues that might impact the user experience.
Citrix enhanced the Profile Management logs to provide more details for user logon and logoff processes. This improvement enables you to quickly pinpoint the underlying reasons for slow logons or logoffs.
Citrix added more Windows events for monitoring tools to track both size changes and sync process durations for the pending area. This enhancement provides you with valuable data to more efficiently identify and resolve relevant issues.
The app access control feature (AppMasking equivalent) now applies to users and machines outside the traditional domain environment. You can implement app access control for non-domain-joined machines and control app access based on Active Directory and Azure Active Directory user accounts.
The built-in PowerShell rule generator has also been enhanced. You can now set up app access rules not only for AD users and machines but also for Azure Active Directory users and non-domain-joined machines.
Looking to ditch FSLogix Profiles for something that is actually focused on?
Citrix Profile Management now offers a profile migration tool to facilitate the migration process to the Citrix container-based profile solution. With this tool, you can migrate user profiles from the following profile solutions to the Citrix container-based profile solution:
Citrix Profile Management now offers a set of storage auto-expansion policies for profile containers:
With these policies, profile containers can automatically expand as user profiles grow, eliminating the need for manual expansion and delivering improved user experience.
This is the equivalent of the FSLogix SizeInMBs expansion capability.
This one is important (and a feature request answered). In the FSLogix world, the default container access is mode 0 (Direct-Access). In CPM Profile Containers, the default and only model was the equivalent of Mode 3 (try for read-write, fall back to read-only) logic. This has now been fixed to allow you to take an appropriate Direct-Access approach. Citrix calls this Exclusive Access.
By default, VHD containers allow concurrent access. With a new policy, Enable exclusive access to VHD containers, you can disable concurrent access for profile containers and OneDrive containers, letting them allow only direct access to the Container.
With the new policy, UWP app roaming, UWP (Universal Windows Platform) apps can now roam with users. As a result, users can access the same UWP apps from different devices.
For those wondering, UWP = Modern Apps. Those things.
By default, most Profile Management policies work only at the machine level. With the user-level policy settings feature enabled, those policies can work at the user level, and user-level settings override machine-level settings.
This feature is useful for organizations where different users or user groups require different Profile Management settings.
These enhancements simplify the process of fully enabling Outlook containers while offering a high level of availability for Outlook service:
The Always on Tracing feature is now available for Profile Management. This feature provides detailed logs that can help identify critical problems with Profile Management, therefore reducing the need to reproduce problems.
Profile Management containers now support Google Drive both in Mirroring Files for Sync mode and Streaming Files for Sync mode, giving you more flexibility in choosing cloud storage.
Hello AppMasking. The long awaited missing feature that had us all deploying FSLogix regardless of whether we used it for Profiles or not; this is Citrix's first step into the AppMasking space. This will warrant its own post in time.
Profile Management can now hide applications from users, machines, and processes based on the rules you provide. With a new policy, App access control, you can enable this feature and provide control rules.
A PowerShell tool, Rule Generator, is delivered with the Profile Management installation package, letting you create, manage, and generate rules for app access control.
Note that this toolset is actually a combination of tools still being released. There is a PowerShell tool to assist with basic rule creation for simple CPM-only deployments, and there is a feature being released as part of the WEM Service which will provide a nice GUI to create the rules and provide the raw data for import into WEM, Citrix Policy or GPO.
This is part one, it’s effectively a preview release for now, don’t expect the world just yet.
Active write back is a silent killer in many environments; it can very quickly knock file servers off their perch and into a pit of doom. Sometimes there is a valid use case for it though, so this is a welcome change to try and reduce the impacts of AWB.
A new policy, Active write back on session lock and disconnection, is now available to extend the Active write back and Active write back registry policies:
Hello FSLogix feature parity…and more
With a new policy, Enable VHD disk compaction, VHD files are now automatically compacted on user logoff when certain conditions are met. This policy enables you to save the storage space consumed by profile container, OneDrive container, and folder mirroring container.
Depending on your needs and the resources available, you can adjust the default VHD compaction settings and behavior using the following policies:
Previously, impersonating the current user was the only way to access file-based user stores. With the Enable credential-based access to user stores policy, you can now enable Profile Management to access file-based user stores using the stores' own credentials. This feature gives you more flexibility in deploying and accessing file-based user stores.
Identical files can exist among various user profiles in the user store. With the new policies enabled, Profile Management removes duplicate files from the user store and stores one copy of them in a central location. Doing so avoids file duplication in the user store, thus saving storage cost.
With the profile container enabled for the full user profile, you can now replicate the container to multiple paths using the Replicate user stores policy. Doing so provides profile redundancy for user logons. This is a similar concept to FSLogix Cloud Cache
Previously available as a preview, the Enable OneDrive container policy is now generally available.
This is a significant release as it relates to the evolution of Citrix Profile Management Containers vs FSLogix capability. There are a couple of very key features to note below:
Combined with the wealth of other options and controls, including mixing the best of file-based and container capability, UPM should now be a much more attractive solution for all use cases. The best thing is that the solution is actively and aggressively developed. "Ask and you shall receive", so to speak…
A new policy, Enable profile streaming for pending area, is now available as an enhancement to the profile streaming feature. This enhancement ensures an optimal logon experience in concurrent session scenarios.
A new policy, Enable Concurrent session support for Outlook search data roaming, is now available as an enhancement to the Search index roaming for Outlook policy. With the two policies enabled, Citrix Profile Management can provide a native Outlook search experience in concurrent sessions.
Important Note: To let the search index roaming feature work on Microsoft Windows 10 1809 and later, and on Windows Server 2019 and later, add a DWORD value EnablePerUserCatalog = 0 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search. Restart the VDA to make your registry setting take effect. This indicates that whilst Microsoft have now removed per-user search index roaming from FSLogix in favor of OS level capability, Citrix can, and does, still support roaming this index using the traditional mode.
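The registry change above is easy to get half-right on a master image (wrong type, value already present, restart forgotten). The following PowerShell is an added example of mine, not from the Citrix documentation, that applies the documented value idempotently and tells you whether a restart is still owed. It assumes it is run elevated on the VDA or master image; the key path and value are exactly the ones quoted above.

```powershell
# Added example (not Citrix code): set EnablePerUserCatalog = 0 (DWORD) under
# HKLM\SOFTWARE\Microsoft\Windows Search, as required for Citrix search index roaming
# on Windows 10 1809+ / Server 2019+. Run elevated on the VDA or master image.

function Set-PerUserCatalogDisabled {
    [CmdletBinding()]
    param()

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
    $valueName = 'EnablePerUserCatalog'

    # The key only exists where Windows Search is installed; failing loudly beats silently creating it.
    if (-not (Test-Path -Path $keyPath)) {
        throw "$keyPath not found. Is the Windows Search feature/service installed on this VDA?"
    }

    $existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $current  = if ($null -ne $existing) { $existing.$valueName } else { $null }

    if ($current -eq 0 -and $existing.$valueName -is [int]) {
        Write-Host "$valueName is already 0 (DWORD); nothing to do, no restart required."
        return $false   # no restart needed
    }

    # -Force both creates the value and overwrites a wrong type or value in place.
    New-ItemProperty -Path $keyPath -Name $valueName -Value 0 -PropertyType DWord -Force | Out-Null

    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Warning "$valueName set to 0 (was $shown). Restart the VDA for the Search service to pick it up."
    return $true        # restart needed
}

# Usage: $restartNeeded = Set-PerUserCatalogDisabled
```

The function returns $true when it changed something, so a build pipeline can chain a reboot (or a sealing step) on that result rather than rebooting unconditionally.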
In the fallout of this little discovery around Synchronous Processing we spoke with the Citrix Profile Management team. Ask the right people, get a good answer
Windows provides both synchronous and asynchronous processing modes for user Group Policy. Windows uses a registry value to determine the processing mode for the next user logon. If the registry value doesn’t exist, synchronous mode is applied.
With a new policy, Enable asynchronous processing for user Group Policy on logon, the registry value can now roam with users. As a result, the actual processing mode is applied each time users log on.
The last major gap between FSLogix and UPM Container capability. OneDrive support.
With a new policy, Enable OneDrive container, OneDrive folders can now roam with users. A user's OneDrive folders are stored in a VHDX file (called the OneDrive container). The VHDX file is attached on user logon and detached on user logoff.
Starting with this release, the profile container for the entire profile now supports roaming OneDrive folders by default
Previously, to have Profile Management automatically reattach VHDX disks in sessions, you had to configure the registry manually. You can now enable the feature by using a policy. With the Automatically reattach VHDX disks in sessions feature, Profile Management ensures a high level of stability of VHDX-based policies.
Profile Management monitors VHDX disks that are in use. If any of the disks are detached, Profile Management reattaches the disk automatically. This is a container resiliency solution.
Previously, inclusions and exclusions for the profile container could be configured only at the folder level. They can now be configured at the file level. This enhancement provides more granular control over profile synchronization.
By default, VHDX files are stored in the user store. It is now possible to specify a separate path to store them. Citrix Profile Management provides the following VHDX-based policies:
When configuring inclusion and exclusion for the user store and for the profile container, wildcards can now be specified in folder names.
The Citrix components, features, and technologies in this release that support Windows 10 now also support Windows 11, unless otherwise noted
Citrix Profile Management offers the following VHDX-based policies: Search index roaming for Outlook, Profile container, and Accelerate folder mirroring. Each policy relies on relevant VHDX virtual disks to function properly. Profile Management attaches those disks during logons and detaches them during logoffs. However, the disks might be accidentally detached during a session preventing the policies from functioning properly. Profile Management can now detect when a VHDX virtual disk is detached in a session and then reattach it automatically. This design ensures the stability of VHDX-based solutions
Citrix Profile Management now supports user profile roaming on non-domain-joined VDA machines in a customer-managed Azure subscription. A user's profile (including the user's personal settings, files, and folders) can now roam with the user when the user logs on to a non-domain-joined VDA session.
The Citrix components and technologies in this release that support Windows Server platforms now also support Windows Server 2022, unless otherwise noted.
A new feature allows replication of a user store to multiple paths upon each logon and logoff, in addition to the path that the Path to user store policy specifies. The feature is implemented through the Replicate user stores policy. To synchronize files and folders modified during a session to the user stores, enable active write back. This feature does not currently support full container solutions. Enabling the policy can increase system I/O and might prolong logoffs.
This is extremely beneficial for multi datacenter deployments and active-active deployments (similar to a cloud cache methodology). In a normal scenario, if both file stores are healthy, UPM will do a differential sync to both locations. Should a file store be out of date, UPM will perform a full sync to bring the data back into line.
By default, Citrix Profile Management impersonates the current user to access user stores. Therefore, it requires the current user to have permission to directly access the user stores. Enable this feature if you do not want Profile Management to impersonate the current user when accessing user stores. You can put user stores in storage repositories (for example, Azure Files) that the current user has no permission to access.
To ensure that Profile Management can access user stores, save the profile storage server's credentials in Workspace Environment Management (WEM) or Windows Credential Manager. Citrix recommends that you use Workspace Environment Management to eliminate the need to configure the same credentials on each machine where Profile Management runs. If you use Windows Credential Manager, use the Local System account to securely save the credentials.
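The Windows Credential Manager route (mentioned here and in the credential-based access note above) trips people up because only a process running as SYSTEM can write to SYSTEM's vault. The PowerShell below is an added example of mine, not Citrix's tooling, that stores the store credential from a short-lived scheduled task running as SYSTEM and then verifies it landed. The file server name fs01.corp.example and the service account CORP\svc-upm-store are hypothetical; the use of a scheduled task as the "run as SYSTEM" mechanism is my choice, not something the Citrix documentation prescribes.

```powershell
# Added example (not Citrix code): save the user store file server credential in the
# Local System account's Windows Credential Manager vault for the
# "Enable credential-based access to user stores" policy, then verify it is present.
# Hypothetical names: file server fs01.corp.example, service account CORP\svc-upm-store.
# Run elevated on the VDA, or on the MCS master image before sealing.

param(
    [string]$StoreServer = 'fs01.corp.example',
    [string]$User        = 'CORP\svc-upm-store'
)

# Runs an arbitrary command line as SYSTEM via a one-shot scheduled task and removes the task again.
function Invoke-AsSystem {
    param([string]$TaskName, [string]$Execute, [string]$Argument)

    $action    = New-ScheduledTaskAction -Execute $Execute -Argument $Argument
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
    try {
        Start-ScheduledTask -TaskName $TaskName
        Start-Sleep -Seconds 2     # give the scheduler time to move the task into Running
        while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running') { Start-Sleep -Milliseconds 500 }
    }
    finally {
        # The task XML carries the full argument string (password included) until it is unregistered.
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
}

# Prompt for the secret rather than hard-coding it in the image.
$secure = Read-Host -Prompt "Password for $User" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# cmdkey /add writes a domain credential for the target into the calling account's vault (here: SYSTEM).
Invoke-AsSystem -TaskName 'UPM-StoreCred-Add' -Execute 'cmdkey.exe' `
    -Argument "/add:$StoreServer /user:$User /pass:`"$plain`""
$plain = $null

# Verify from SYSTEM's vault: cmdkey /list prints targets and user names only, never passwords.
$listFile = Join-Path $env:windir 'Temp\upm-cmdkey-list.txt'
Invoke-AsSystem -TaskName 'UPM-StoreCred-List' -Execute 'cmd.exe' -Argument "/c cmdkey /list > `"$listFile`""

if (Select-String -Path $listFile -Pattern ([regex]::Escape($StoreServer)) -Quiet) {
    Write-Host "Credential for $StoreServer is present in the SYSTEM vault."
} else {
    Write-Warning "Credential for $StoreServer was not found in the SYSTEM vault; check Task Scheduler history."
}
Remove-Item -Path $listFile -ErrorAction SilentlyContinue
```

Two caveats a practitioner should weigh before choosing this over WEM. First, anything stored in the SYSTEM vault is recoverable by any local administrator or SYSTEM-level process on that VDA, so the service account should hold only the share and NTFS rights the profile store needs and nothing else. Second, the password is briefly exposed as a command-line argument: if process creation auditing with command-line logging is enabled, it will land in the Security event log, and on a non-persistent MCS catalog the whole step has to be baked into the master image. Both points are why Citrix steers you toward WEM for distributing the credential.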
With both the Accelerate folder mirroring and the Folders to mirror policies enabled, Profile Management stores mirrored folders on a VHDX-based virtual disk. It attaches the virtual disk during logons and detaches it during logoffs, thus eliminating the need to copy the folders between the user store and local profiles. Effectively a selective containerization of data.
Local caching support for Citrix Profile Management profile containers through the Enable local caching for profile containers policy. With the policy set to Enabled, each local profile serves as a local cache of its Citrix Profile Management profile container. If profile streaming is in use, locally cached files are created on demand. Otherwise, they are created during user logons. To use the local caching feature, put an entire user profile in its Citrix Profile Management profile container.
This feature is designed to cater for loss of network connectivity to the container store.
Previously, changes in sessions were written back only to FSLogix Profile Container with the relevant policy enabled. Starting with this release, Citrix renamed the Enable multi-session write-back for FSLogix Profile Container policy to Enable multi-session write-back for profile containers to accommodate multi-session write-back support for Citrix Profile Management profile containers.
Not even FSLogix can do this natively – two sessions writing back to the same profile at the same time…
With the Enable profile streaming for folders policy set to Enabled, folders are fetched only when they are being accessed. This approach eliminates the need to traverse all folders during user logons. To use this feature, you must also enable the Profile streaming policy.
Citrix has improved the experience with the Start menu on Windows Server 2016 and Windows Server 2019 through automatic configuration of the relevant policies as follows:
Appdata\Local\Microsoft\Windows\Caches is added to Folders to mirror.
Appdata\Local\Packages is added to Exclusion list – directories.
Appdata\Local\Microsoft\Windows\UsrClass.Dat* is added to Exclusion list – files.
To disable automatic configuration, use the Disable automatic configuration policy.
Starting with this release, multiple concurrent sessions can access a profile container and you can put an entire user profile in its profile container. In addition, Profile Management now accesses the VHDX files in a user context and does not grant Domain Computers full control of the folder where the VHDX files are stored
Profile Management now provides a solution to save changes in multi-session scenarios for FSLogix Profile Container. If the same user launches multiple sessions on different machines, changes made in each session are synchronized and saved to FSLogix Profile Container.