blog.sachathomet.ch
Application virtualization, IoT and Cloud Computing, Blog of Sacha Thomet

AVD

Why the Windows App for Mac (v11.1.4) is a personal highlight for me

TL;DR: The new Windows App for Mac (Version 11.1.4) introduces two key features that are barely or not at all mentioned in the official release notes, but make a big difference:

1. YubiKey/Passkey support directly inside the AVD session
2. Much improved behavior when resizing across one or multiple monitors
This version finally makes AVD on Mac truly usable for me – an unexpectedly big step forward.

For over two years, I’ve been hoping that Microsoft would bring the Windows App for macOS (the successor to the old Remote Desktop App) up to the level of the Windows version – especially regarding authentication options like FIDO2/YubiKey (WebAuthn).

In the company I work for, we actively use AVD, for example, as virtual development environments. Within our internal network, we rely on secure authentication with YubiKey – which works flawlessly on Windows devices or with Citrix, but not with the Windows App for Mac.

I also addressed this issue directly with Microsoft folks – namely Christiaan Brinkhoff and Sandeep Patnaik – at the Workplace Ninja Summit 2023. I love how at such events you can speak directly with PMs and give instant feedback. But it seemed to me that the macOS version wasn’t exactly a top priority at Microsoft. There was also a Microsoft User Voice for this topic, but since it didn’t receive many votes, it wasn’t given a high priority within Microsoft.

All the more surprising, then, when just a few days ago I stumbled upon the new version 11.1.4 – without any big announcement or fanfare. And suddenly, almost everything that had been missing just worked.

My personal highlights – not found in the release notes:

The official release notes mention some UI and session stability improvements – which is nice, but my real highlights are barely mentioned:

🔐 YubiKey and Passkey support in AVD sessions

A feature I’ve wanted for years: The ability to authenticate directly inside the session using a FIDO2 key, for example in internal portals or apps.
Previously, the Mac system would block the key or not recognize it at all:

was sadly the result when trying to use the YubiKey before.

Now it finally works – seamlessly and without hacks, Key Pinpad appears:

And if you have multiple identities on one Key, even the identity selector appears:

🖥️ Dynamic resizing across multiple monitors

Previously, minimizing a fullscreen session from 2 monitors down to 1 looked like this:

Here’s another subtle but noticeable improvement: The session now adjusts much better when switching between fullscreen and windowed mode, or when working across multiple monitors.
Previously, this often caused incorrect resolutions or frozen layouts – now it just works smoothly.

Who should update? Conclusion

If you’re accessing AVD or Windows 365 from a Mac, this update is absolutely essential. (The update is availible over the Apple AppStore)

While the Windows App for macOS may not yet be a full replacement for Citrix, it’s becoming an increasingly serious alternative.

One more thing … my current opininon

Citrix is still the technological leader – especially when it comes to feature set and protocol flexibility. But it’s also worth asking: do you always need everything Citrix has to offer?

Microsoft has clearly made significant progress recently, particularly in terms of protocol performance and display rendering. With updates like this, the gap is closing rapidly – faster than many might expect.

Just today, I ran a quick comparison using Remote Display Analyzer. I played my employer’s latest promotional video in fullscreen mode on one display and measured data transfer over 15 and 18 seconds respectively. The result? RemoteFX is no longer significantly behind ICA when it comes to data transmission.

Citrix HDX aka ICA: 163.3 MB in 15 sec

Microsoft RDP RemoteFX: 168.9 MB in 18 sec

Posted in Hands-on | Tagged , , , | Leave a comment

Multiple Personal Desktops with Azure Virtual Desktop – A Likely Underrated New AVD Feature

Last week, I was delighted to discover a LinkedIn post by Christiaan Brinkhoff pointing to the blog post “In public preview: Multiple personal desktops with Azure Virtual Desktop.”

In our company, we’ve really missed this feature. We typically follow a “one device strategy,” where each user has exactly one device – either a physical laptop or a virtual desktop (VDI). We’ve been using VDIs for a long time, especially for external partners, test environments, and internal users with special requirements. Until now, we have implemented this On-Premises with VMware as the hypervisor and Citrix as the broker. Providing multiple VDIs per user has never been a technical problem.

Currently, however, we are in the midst of a cloud transformation, and Azure Virtual Desktop (AVD) is the cloud-based VDI solution of our choice. But here, we encountered a limitation: the ability to assign multiple virtual desktops to a single user. This made the announcement of the new feature even more exciting for me, even though it is still in public preview. I do, however, expect that it won’t be long before this feature is generally available.

Why is this a game-changer?

I’m convinced that many companies face similar challenges to ours. For instance, software testing often requires more than one virtual machine (VM). Similarly, robotics VDIs frequently need to access multiple desktops on the same user. Moreover, there are cases of incidents where it is better not to repair the virtual machine but rather to replace it with a new instance based on the “pets vs. cattle” principle. In these scenarios, it can be very useful to temporarily have access to two virtual desktops to extract data or transfer certain configurations from the old VM to the new one.

Previously, the only way to achieve this was through two host pools. The downside was that the user would see two resources, even if they were only permitted to access one of the two VMs. With the new feature, this is no longer an issue. Even when using multiple host pools, the feature ensures that no “ghost resources” are displayed when no resource is available for a user in a host pool.

What’s new and how do you enable it?

As you can see in the image, activating this feature is very simple – you just need to set a flag to enable the functionality:

After that, a new field named “Friendly Name” appears in the AVD client to help users differentiate between the virtual machines:

Limitations of the feature

Currently, this feature only applies to AVD Single-Session machines. It does not work with Multi-Session deployments or Windows 365. It’s unclear whether or when this feature will be made available for Multi-Session environments, but in my opinion the need is more fore SingleSession VDIs.

Conclusion

This new AVD feature is a real step forward for companies that need multiple desktops per user, whether for testing, troubleshooting, or special requirements. I am excited to see how this feature evolves and when it becomes generally available. It will certainly help many companies make their VDI environments more flexible and user-friendly.

What’s your opinion? Is this feature another step toward feature parity with existing virtual desktop solutions? What would be your next desired feature? Let me know in the comments.

Posted in Hands-on | Tagged , | Leave a comment

From OnPremises to Cloud – what should it be? A quickstart to the Azure VDIs

Currently, more and more companies are facing the question of whether to continue offering their VDI on‑premises traditionally or whether it should be provided from the cloud in the future.
The EUC world is in transition, and today there are far more serious alternatives than just one or two big, established manufacturers. Or maybe that’s just my personal opinion after stepping out of my bubble a little – but I think there are new needs, and the market is now trying to address them.

I have been a “Citrix tech evangelist” for years, and I am still absolutely convinced of their technology. For me, it’s clear that Citrix has developed the most powerful application and desktop virtualization technologies. However, the competition is catching up, and it doesn’t have to be the ultimate solution for every customer. The company I work for is increasingly focusing on Microsoft and has been pursuing a cloud strategy for years.
It follows naturally that the option to replace on-premises VDIs with a Microsoft Azure VDI solution must be considered.

Some readers of this page may have had the chance in the last two years to hear the presentation by Fabian Tschanz, Stefan Moser, and myself at one of the events (e.g., at the Workplace Ninja Summit or at E2EVC) – they will know that we already ran a project for our developers using Microsoft AVD Single Session as a developer VDI on “greenfield” sites.
Now, things are easy when you start on a greenfield site; however, replacing existing systems becomes difficult due to existing and sometimes unnamed requirements. Sometimes a solution is built for one purpose and then used for something else – something the platform developers didn’t foresee – so it gets lost during migration. So, requirements engineering must be done again here.

Next, we want to cover the following use cases:

  • Dedicated VDI for power users with specific needs (usually without company devices) and
  • Users of pooled VDIs, who use the VDI occasionally and may also have a company device.

Microsoft offers many solutions, and new variations are still being introduced. So, what is the right choice?

Windows 365? Microsoft Azure Virtual Desktop? And if that’s not enough – there’s also Windows 365 Frontline and/or AVD Multi‑Session. And what is Windows 365 Frontline in Shared Mode?

So, let me try to break this down a bit. When I had to explain On‑Prem, IaaS, PaaS, and SaaS to someone, the pizza model (see image here) helped me, which Albert Barron, Global Principal Architect, Financial Services at Google, explained in a 2014 LinkedIn post.

I wouldn’t claim to be as clever and good at explaining things as Barron, but I’ll try to break down Microsoft Azure VDIs – all the ones mentioned above – into different mixtures of PaaS and SaaS.

Windows 365 Cloud PC

  • Fully persistent cloud PC for each user
  • Fixed resource allocation (dedicated VM)
  • Integrated with Microsoft Endpoint Manager (Intune) for management
  • Easy setup without complex infrastructure


🍕In the pizza model, I’d say this is like dining out in a restaurant that always has a place for me – my name is on my dedicated table. I can choose pizzas from the menu in defined sizes. If I provide a recipe, this pizza will be topped and baked according to my wishes.

Windows 365 Frontline Dedicated

  • Specifically designed for shift workers or shared usage
  • Each user has a dedicated VM that’s only used during working hours
  • Licensing based on concurrent usage (not per user)
  • Automatic shutdown outside of shift times to save costs


🍕In the pizza model, I’d say this is like dining out in a restaurant where multiple parties share a table alternately – The table is used by three different parties in one day. I can choose pizzas from the menu in defined large sizes. If I provide a recipe, this pizza will be topped and baked according to my wishes.

Windows 365 Frontline Shared

  • Multiple users share the same cloud PC
  • Specifically for environments with shared workspaces (e.g., call centers)
  • Cost-effective usage since no dedicated machine per user is required
  • Resources are dynamically allocated


🍕In the pizza model, I’d say this is like dining out in a restaurant where multiple parties share a table alternately – the table is used by three different parties in one day. All parties must eat the same pizza in the same large size. I can choose pizzas from the menu in two defined large sizes. If I provide a recipe, this pizza will be topped and baked according to my wishes.

AVD (Azure Virtual Desktop) Single Session

  • Each user has their own VM (similar to Windows 365, but more flexible)
  • Support for different VM SKUs (custom performance)
  • Management via Azure Resource Manager, not Intune
  • Licensing via existing Microsoft 365 licenses or separate Windows licenses


🍕In the pizza model, I’d say this is like dining out in a restaurant that always has space for me – I can decide how the table is set and how big it should be. With pizza, I’m more flexible: it doesn’t have to be round, I can also make it square. If I make a mistake, the pizza gets extremely expensive and I can’t finish it – or it’s so small that I’m still hungry. I can customize the venue and the tables.

AVD (Azure Virtual Desktop) Multi Session

  • Multiple users share a single VM (Windows 10/11 Multi Session)
  • Ideal for companies with many simultaneous users (e.g., remote workplaces)
  • Resources are flexibly shared among users
  • More cost-effective than Single Session, as fewer VMs are needed


🍕 Similar to AVD Single Session, but I can let multiple people eat from a single pizza – this way I can efficiently make one pizza. The pizzaiolo only needs to serve one table because we need only one table, but eight people will be full. However, all eight must eat the same type of pizza. I can customize the venue and the tables.

So, what’s the right choice? Well, it really depends on the needs – there’s no wrong solution, maybe the solution just doesn’t fit the problem, aka challenge or use case.

In the coming weeks and months, I will likely be exploring the more flexible solutions with Azure Virtual Desktop in the Single Session and Multi Session variants, and I’m sure I will still face some decisions here…

Posted in Design, Guide | Tagged , , , , | Leave a comment

Tokenbased Citrix VDA registration

and how to combine the Microsoft AVD world easily with Citrix DaaS …

Over the past few months, Citrix has made significant investments to make the Virtual Desktop Agents (VDAs) independent of Windows domains. This was particularly important for Linux and Mac systems, and for some time now, it has been possible to provision non-domain-joined VDIs in Azure using Citrix tools. New in version 2407, available for the first time as a Tech Preview, is the ability to integrate Windows machines provisioned through other methods using a token, without requiring a domain, Delivery Controller, or Cloud Connector.

During the VDA installation, instead of specifying a Delivery Controller (DDC), the token can be directly provided:

(Important: The token itself, not the path to the token file, must be specified. This will maybe in future changed to provide a token File).
Instructions from Citrix: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/install-vdas.html#step-7-delivery-controller-addresses

The token must be generated first in the Citrix DaaS Console on the appropriate machine catalog where the VDA is to be integrated, via right-click:



It has to be a machine catalog with the Provisioning Method on the Setting Manual.
A single token can be used to deploy up to 100 VDAs, and the token is valid for a maximum of 14 days.

The installation steps are also described in the “Review the enrollment steps” section.

I used this new feature to integrate Azure AVD VMs created via pipeline into Citrix, which I had previously used through AVD. Now, I essentially have a VDI that I can broker and connect to traditionally via Microsoft, but also through Citrix. You may ask yourself why someone want to have the whole Citrix brokering stuff, but not using the Citrix provisioning method for Azure (MCS), this can have different reason, possibly because someone want to use an automated IaaS pipeline with bicep and have control over the provisioning / building of the infrastructure, or other obstacles to not using the Citrix techniques to build VMs. I can’t say more here, I just see a way to make things different and gain more control but still use the advantage of the Citrix techniques in brokering and the ICA protocol.

Since my machines are only in Azure AD, it is important that I configured the delivery group to set the LogonType to AzureAD. I accomplished this with the command:
Set-BrokerDesktopGroup <DeliveryGroupName> -MachineLogonType AzureAD

Additionally, if I still want to access the machine without Citrix, I need to add my user to the Direct Connection Access group. Otherwise, when connecting without Citrix, I will receive the following error:

These are my first experiences with the new token-based VDA rollout. Of course later these steps must be automated for a business environment when using the token, whereas in my hands-on experiment, everything was done manually through the graphical interface. If you are experimenting with this, please keep in mind that’s a TechPreview and not yet GA.

Posted in Design, Hands-on | Tagged , , , | Leave a comment
Language switcher
Recent Posts
Categories
Tags
"User Profile Manager" applepay AVD azure bev Citrix CitrixSynergy Citrix Virtual Apps and Desktops CTP cvad DaaS euc ev fintech homeassistant IoT iPad knowledgebase LaMetric microsoft MyStrom neon Netscaler Gateway VPX network Nvidia octoblu pizza PowerShell ProvisioningServices Quest revolut smartacus SmartHome StoreFront tesla vGPU VirtualReality VR windows365 windows 365 windows app XenApp XenDesktop XenDesktop 7.6 zak
Archives
Meta