Saturday, 19 August 2023

Unable to create AVD host Pool


Unable to create any Host Pool

Error

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"DeploymentFailed\",\r\n \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"Conflict\",\r\n \"message\": \"{\r\n \\"status\\": \\"Failed\\",\r\n \\"error\\": {\r\n \\"code\\": \\"ResourceDeploymentFailure\\",\r\n \\"message\\": \\"The resource operation completed with terminal provisioning state 'Failed'.\\",\r\n \\"details\\": [\r\n {\r\n \\"code\\": \\"VMExtensionProvisioningError\\",\r\n \\"message\\": \\"VM has reported a failure when processing extension 'dscextension'. Error message: \\\\"The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under 'C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0' on the VM.\\\\"\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\"\r\n }\r\n ]\r\n }\r\n}\"\r\n },\r\n {\r\n \"code\": \"Conflict\",\r\n \"message\": \"{\r\n \\"status\\": \\"Failed\\",\r\n \\"error\\": {\r\n \\"code\\": \\"ResourceDeploymentFailure\\",\r\n \\"message\\": \\"The resource operation completed with terminal provisioning state 'Failed'.\\",\r\n \\"details\\": [\r\n {\r\n \\"code\\": \\"VMExtensionProvisioningError\\",\r\n \\"message\\": \\"VM has reported a failure when processing extension 'dscextension'. Error message: \\\\"The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under 'C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0' on the VM.\\\\"\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\"\r\n }\r\n ]\r\n }\r\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"}]}

Root Cause:

Internet access was not allowed on the Host Pool subnet.

Resolution:

Outbound internet connectivity is required from the host pool subnet (the WVD VNet) because the DSC extension downloads its configuration package from an Azure storage blob (https://wvdportalstorageblob.blob.core.windows.net/... in the error above). Per the Microsoft documentation, the DSC extension for Windows requires that the target virtual machine can communicate with Azure, and with the location of the configuration package (.zip file) if it is stored outside Azure. If the subnet must otherwise stay isolated, a narrower fix than unrestricted internet is to allow outbound TCP 443 to Azure Storage (for example via the Storage service tag on the NSG, or on the firewall the subnet routes through) together with the other endpoints that Azure Virtual Desktop session hosts require.

Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
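The following PowerShell is an added example, not part of the original post: the first half is run on the failed session host to confirm the symptom from the DSC logs and to test the path to the blob endpoint named in the error; the second half, run from an admin workstation with the Az.Network module, adds a scoped outbound NSG rule to Azure Storage instead of an any/any internet rule. The NSG name, resource group and rule priority are placeholders.

```powershell
# Added example (not from the original post). Placeholders: nsg-avd-hostpool, rg-avd, priority 200.

# --- On the session host: confirm the DSC download failure from the plugin logs ---
$dscLogDir = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC'   # version subfolder (e.g. 2.80.1.0) is searched recursively
Get-ChildItem -Path $dscLogDir -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'Error downloading|Unable to connect' |
    Select-Object -Last 5

# Name resolution and TCP 443 reachability to the blob host the extension must fetch from.
$blobHost = 'wvdportalstorageblob.blob.core.windows.net'
Resolve-DnsName -Name $blobHost -ErrorAction Stop | Select-Object Name, IPAddress
$tnc = Test-NetConnection -ComputerName $blobHost -Port 443
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "No outbound TCP 443 path to $blobHost; the DSC extension cannot download its package."
}

# --- From an admin workstation (Az.Network): least-privilege fix ---
# Allow outbound HTTPS from the host pool subnet to Azure Storage via the 'Storage'
# service tag rather than opening all internet egress.
Connect-AzAccount | Out-Null                                              # interactive sign-in
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-avd-hostpool' -ResourceGroupName 'rg-avd'   # placeholders
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-443-Out' `
    -Description 'DSC extension package download (AVD host pool)' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 200 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Storage -DestinationPortRange 443 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Re-run the Test-NetConnection above on the host, then redeploy the host pool.
```

If the subnet has a user-defined route sending 0.0.0.0/0 to a firewall, the NSG rule alone is not enough; the same TCP 443 allow to Azure Storage (and the other AVD endpoints) must exist on that firewall too.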

Friday, 18 August 2023

Audio Optimization and redirection for Voice based applications inside Citrix

Step 1: Only applicable if users connect from company-managed laptops or desktops

Audio setting policies for user devices:

  1. Load the Group Policy templates by following the article "Get started | Citrix Workspace app for Windows".
  2. In the Group Policy Editor, expand Administrative Templates > Citrix Components > Citrix Workspace > User Experience.
  3. For Client audio settings, select Not Configured, Enabled, or Disabled.
    • Not Configured. By default, Audio Redirection is enabled using high quality audio or the previously configured custom audio settings.
    • Enabled. Enables audio redirection using the selected options.
    • Disabled. Disables audio redirection.
  4. If you select Enabled, choose a sound quality. For UDP audio, use Medium (default).
  5. For UDP audio only, select Enable Real-Time Transport and then set the range of incoming ports to open in the local Windows firewall.
  6. To use UDP Audio with Citrix Gateway, select Allow Real-Time Transport Through gateway. Configure Citrix Gateway with DTLS. For more information, see this article.

Otherwise, follow the steps below, which are my recommended approach:

Step 1: StoreFront changes

As an administrator, if you do not control the endpoint devices (for example bring-your-own devices or home computers), use the default.ica attributes on StoreFront to enable UDP audio instead.

  1. On the StoreFront server, open C:\inetpub\wwwroot\Citrix\<Store Name>\App_Data\default.ica in an editor such as Notepad.
  2. Add the following entries under the [Application] section:

; This text enables Real-Time Transport
EnableRtpAudio=true
; This text allows Real-Time Transport through the gateway
EnableUDPThroughGateway=true
; This text sets audio quality to Medium
AudioBandwidthLimit=1
; UDP port range
RtpAudioLowestPort=16500
RtpAudioHighestPort=16509

If you enable User Datagram Protocol (UDP) audio by editing default.ica, UDP audio is enabled for every user of that store.
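The script below is an added example, not part of the original post: it applies the default.ica entries from the step above idempotently (updating keys that already exist under [Application] rather than appending duplicates) and keeps a timestamped backup. The store name 'Store' is a placeholder; run it elevated on the StoreFront server.

```powershell
# Added example (not from the original post): set the UDP audio keys in a store's default.ica.
# Placeholder: $StoreName = 'Store'. Run elevated on the StoreFront server.
param(
    [string]$StoreName = 'Store'   # placeholder; replace with your store folder name
)
$icaPath = "C:\inetpub\wwwroot\Citrix\$StoreName\App_Data\default.ica"
if (-not (Test-Path $icaPath)) { throw "default.ica not found at $icaPath" }

# Values from the post: RTP audio, RTP through the gateway, medium quality, RTP port range.
$wanted = [ordered]@{
    EnableRtpAudio          = 'true'
    EnableUDPThroughGateway = 'true'
    AudioBandwidthLimit     = '1'       # 0 = high, 1 = medium, 2 = low
    RtpAudioLowestPort      = '16500'
    RtpAudioHighestPort     = '16509'
}

Copy-Item -Path $icaPath -Destination "$icaPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # rollback copy

$lines = [System.Collections.Generic.List[string]]::new()
$lines.AddRange([string[]]@(Get-Content -Path $icaPath))

# Locate the [Application] section; create it at the end if the file lacks one.
$appStart = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i].Trim() -ieq '[Application]') { $appStart = $i; break }
}
if ($appStart -lt 0) { $lines.Add('[Application]'); $appStart = $lines.Count - 1 }

# The section ends at the next "[...]" header or at end of file.
$appEnd = $appStart + 1
while ($appEnd -lt $lines.Count -and $lines[$appEnd] -notmatch '^\s*\[') { $appEnd++ }

foreach ($key in $wanted.Keys) {
    $entry = "$key=$($wanted[$key])"
    $idx = -1
    for ($i = $appStart + 1; $i -lt $appEnd; $i++) {
        if ($lines[$i] -match "^\s*$key\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) { $lines[$idx] = $entry }                 # key present: update in place
    else            { $lines.Insert($appEnd, $entry); $appEnd++ }   # key absent: append inside [Application]
}

Set-Content -Path $icaPath -Value ([string[]]$lines) -Encoding ASCII

# Show the resulting audio-related entries for a quick eyeball check.
Get-Content -Path $icaPath | Select-String -Pattern 'RtpAudio|UDPThroughGateway|AudioBandwidthLimit'
```

Because the change applies to every user of the store, repeat it on each server in a StoreFront server group and confirm afterwards from a client that a session actually negotiates UDP audio rather than silently falling back to TCP.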

Step 2: Configure Studio policy:


Note: If users connect through the Citrix Cloud Gateway Service URL, they can use the Rendezvous protocol; in that case disable the HDX Adaptive Transport policy, otherwise enable HDX Adaptive Transport.

Step 3: Ports required:

Source                                          | Destination            | Port
------------------------------------------------+------------------------+---------------------------------------------------------
Client / user / any (users over the internet)   | NetScaler Gateway      | TCP 443 and UDP 443 (DTLS)
NetScaler subnet IP (SNIP)                      | Citrix HSD / VDI VMs   | TCP 1494, TCP 2598, UDP 1494, UDP 2598, UDP 16500-16509

Note: This assumes all other required ports are already allowed, so they are not listed here.

Step 4: Proxy and antivirus requirements:

The Citrix Gateway URL should be bypassed on the SSL/TLS-inspecting proxy for all users, so that the DTLS/UDP 443 session is not intercepted.

UDP 443 should be allowed (whitelisted) in the endpoint antivirus/firewall if it is being blocked.

Note:

Things to consider if users still have problems connecting audio or the microphone after the settings above are in place:

  • Firewalls have a default UDP idle timeout. If the user is not actively using a voice application, the firewall expires the idle UDP audio flow and drops its packets, and the user is then unable to connect the microphone within Citrix.
  • Admins should publish an SOP for these users: if the microphone does not connect after returning from a break, log off the Citrix session from Citrix Workspace Connection Center and log in again, which re-establishes the audio channel. Reconnecting to the disconnected session does not help.
  • The UDP idle timeout can be increased on the firewall, but this can cause performance issues (larger state tables), so check with the firewall support team and involve the vendor to get a suitable value.
  • Voice users should log off before going on a break, or enable a session idle timeout policy so that sessions are logged off after 30 minutes of inactivity.

Wednesday, 16 August 2023

Which Machine Identity we should choose for modern Virtual Desktop Infrastructure?

Machine identity is a critical aspect of designing and deploying a successful virtual desktop environment in the cloud. There is no one-size-fits-all approach; the choice depends on several factors. The machine identity options in more detail:

1. Domain-joined machines (Active Directory integration): Traditionally, on-premises virtual desktops and Remote Desktop Session Hosts were domain-joined for seamless authentication, communication, and access to shared resources. This approach leverages the organization's Active Directory infrastructure and ensures a consistent user experience. When moving to Azure, however, keeping machines joined to the on-premises domain requires line of sight to domain controllers (site-to-site VPN or ExpressRoute, or domain controllers deployed in Azure), which adds network configuration and connectivity challenges.

2. Azure Active Directory Domain Services (Azure AD DS): Azure AD DS provides a managed domain in Azure that resembles an on-premises Active Directory, so machines can be domain-joined without on-premises domain controllers. It supports authentication and user management for Azure Virtual Desktop session hosts, making it a suitable option for cloud-only deployments; note that it offers only a one-way trust and no schema extensions (see the table below).

3. Azure AD join (Azure AD-joined device, typically with hybrid user identities synced from AD): Azure AD join joins the device directly to Azure AD (Microsoft Entra ID) rather than to an AD domain, so it can be managed by Intune and covered by Conditional Access. This is suitable where full domain-joining is not feasible. It provides single sign-on (SSO) to cloud resources and integrates with services like Microsoft 365, but access to on-premises resources (for example Kerberos or NTLM to file servers) needs careful planning.

4. Non-domain-joined machines (cloud-only): In some cases, organizations opt for a fully cloud-native approach where machines are not joined to any AD domain. Instead, they rely on Azure AD authentication and cloud-based services for user access and management. This simplifies deployment but may require adjustments in application and resource access.

5. Third-party identity providers: Depending on the virtual desktop solution in use (for example Citrix DaaS or Parallels), there may be options to integrate with third-party identity providers for authentication and user management. This allows existing identity investments to be extended to the cloud.

Choosing the right machine identity approach requires a thorough understanding of your organization's existing infrastructure, security requirements, user needs, and future scalability plans. It's crucial to consider factors such as user experience, integration with existing systems, security, compliance, and the overall cloud strategy.

Additionally, the collaboration between IT teams, architects, and stakeholders plays a pivotal role in making informed decisions and avoiding pitfalls during the proof of concept and architecture phases. A clear understanding of these machine identity options ensures a smoother transition to a modernized Virtual Desktop infrastructure in Azure.

The following table summarizes the features available with each machine identity; base your decision on it:

Feature              | Azure AD DS          | Azure AD  | Active Directory
---------------------+----------------------+-----------+------------------
Hybrid Join          | No                   | Yes       | Yes
Conditional Access   | No                   | Yes       | Yes (Hybrid)
Intune Management    | No                   | Yes       | Yes (Hybrid)
MSIX Support         | No                   | Yes       | Yes
ADMX Customizing     | No                   | No        | Yes
Schema Extensions    | No                   | No        | Yes
Domain Trust         | Yes (one-way only!)  | No        | Yes (two-way)
PKI Support          | No                   | No        | Yes
GPO Management       | Yes                  | No        | Yes
Windows 365 Support  | No                   | Yes       | Yes
NTLM/Kerberos        | Yes                  | Limited   | Yes
SSO AVD              | No                   | Yes       | Yes (Hybrid)
SSO Windows 365      | No                   | Yes       | No (Hybrid)
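As an added example (not part of the original post), the function below classifies a session host's actual identity state from the "Key : Value" lines that dsregcmd /status prints under "Device State" and "SSO State", so the host can be checked against the table above (Azure AD joined, hybrid joined, domain joined only, or workgroup) and whether an Azure AD PRT is present for SSO. The sample output embedded in the block is constructed for offline use and is not from any real host.

```powershell
# Added example (not from the original post): classify identity state from dsregcmd /status.

function ConvertFrom-DsRegStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints e.g. "             AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(YES|NO)\s*$') {
            $state[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    $aad    = [bool]$state['AzureAdJoined']
    $domain = [bool]$state['DomainJoined']
    $kind = if ($aad -and $domain) { 'Hybrid Azure AD joined (AD + Azure AD)' }
            elseif ($aad)          { 'Azure AD joined (cloud-only)' }
            elseif ($domain)       { 'Domain joined only (on-premises AD or Azure AD DS)' }
            else                   { 'Workgroup / not joined' }
    [pscustomobject]@{
        Identity       = $kind
        AzureAdJoined  = $aad
        DomainJoined   = $domain
        HasAzureAdPrt  = [bool]$state['AzureAdPrt']   # a PRT is what makes Azure AD SSO possible
        IntuneEligible = $aad                          # Azure AD joined or hybrid joined devices can enrol
    }
}

# Constructed sample output (not real data): a hybrid Azure AD joined session host.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

ConvertFrom-DsRegStatus -Lines $sample | Format-List

# On a real host (Windows 10/11 or Windows Server with dsregcmd available):
# ConvertFrom-DsRegStatus -Lines (dsregcmd /status)
```

A host that reports DomainJoined YES and AzureAdJoined NO is either on-premises AD or Azure AD DS joined; dsregcmd cannot tell those two apart, so check the domain name it prints against your Azure AD DS managed domain. A missing PRT on an Azure AD or hybrid joined host is the first thing to look at when AVD SSO does not work.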

PVS VMs name not showing on Citrix Studio


Run the following commands in an elevated PowerShell session on a Delivery Controller (DDC):

  • asnp Citrix*
  • Update-BrokerNameCache -Machines

This forces the broker to refresh the DNS and SAM account names from Active Directory for all machines in the database.
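The following is an added example, not part of the original post: it wraps the refresh above with a before/after check so you can see which machines in the broker database still have no resolved DNS name after the cache update. It assumes the Citrix.Broker.Admin.V2 snap-in (the broker part of what asnp Citrix* loads) is installed on the DDC and that the account running it is a Citrix administrator.

```powershell
# Added example (not from the original post): refresh broker name cache and verify the result.
# Run on a Delivery Controller as a Citrix administrator.
asnp Citrix.Broker.Admin.V2 -ErrorAction Stop   # broker snap-in; 'asnp Citrix*' loads this among others

function Get-MachinesMissingName {
    # Machines whose DNS or SAM name the broker has not resolved from AD.
    Get-BrokerMachine -MaxRecordCount 100000 |
        Where-Object { [string]::IsNullOrEmpty($_.DNSName) -or [string]::IsNullOrEmpty($_.MachineName) } |
        Select-Object MachineName, DNSName, SID, CatalogName
}

$before = @(Get-MachinesMissingName)
Write-Host "Machines without resolved names before refresh: $($before.Count)"

Update-BrokerNameCache -Machines   # re-query AD for the SAM/DNS names of every machine
Start-Sleep -Seconds 30            # give the broker time to complete the AD lookups

$after = @(Get-MachinesMissingName)
Write-Host "Machines without resolved names after refresh: $($after.Count)"
$after | Format-Table -AutoSize

# Anything still listed usually means the AD computer object for that PVS target is missing,
# or the DDC cannot reach a domain controller for that domain; fix that before retrying.
```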