Automate the cloud! Citrix + Azure + MCS + PowerShell

Two weeks ago I went to Citrix Synergy in Anaheim. Here Citrix announced the future vision of the company. And the vision is clear, it is CLOUD. Citrix now thinks of itself as a cloud company. And with their new Citrix Workspace they have a great cloud product. But how does automation fit into the cloud and what can we automate? In this blog I will try and answer that.

During Synergy Citrix also announced Azure Quick Deployment capability from the Citrix Cloud environment (more on Quick Deployment here from If you use quick deployment, the Citrix Cloud will automatically make the resource groups and virtual networks in Azure. And by using the Citrix Cloud itself you automatically get a Citrix Site, Delivery Controller, Workspace (Storefront) etc. So what’s left to automate ? Well the Master Image/ VDA offcource.

During a Synergy session, I heard a presenter say: “The last part is easy. Just create a master image and you’re done.” But creating a good master image can take a lot of time, especially if there is a need for a lot of local applications. It is a best practice to automate the creation of your master image. That’s why I created the Ultimate Golden Image Automation guide. But this guide uses an on-prem VMware and Citrix Provisioning environment. For the cloud, we need a new process, one that uses Microsoft Azure and Citrix Machine Creation Services. A great thing about this is that they both can be managed with Microsoft PowerShell. If we combine the right PowerShell commands we can make a new automatic master image deployment scenario.

The new master image deployment scenerio goes as follows:

  1. Create a new Azure Virtual Machine
  2. Deploy VDA and software on the Virtual Machine
  3. Update Machine Catalog from the new Virtual Machine
  4. Delete the Virtual Machine and its resources

Deleting the VM is not entirely necessary but helps reducing cost. Consistency is key during the automation process so starting with a new Azure VM will help.

Install Azure PowerShell Modules

The first thing we need to do is to install the Azure remote management PowerShell modules. This requires PowerShell 5, so if you have a Windows 2012R2 or Windows 8.1 machine you need to update to PowerShell 5, which you can download here. After that you can run the following script to install the modules.

Import Azure PowerShell Modules

After the installation is completed you need to import the module with the following script.

Connect to your Azure tenant

Now, we need to connect to the Azure tenant so that we can deploy a virtual machine. The script below will ask for your credentials. You could change the script to make an object from your credentials, so it connects automatically.

Create new Azure Virtual Machine

Now that we’re connected, we need to create the new Virtual Machine that is to become the new master image. We do this with the following script.

Get Azure Virtual Machine Private IP

Because we’re going to use this new Azure virtual machine in a software deployment scenario, we need to know the private IP address of the virtual machine. This IP address is assigned randomly (DHCP). We can get the private IP address with the following script.

Disable Firewall on the Azure Virtual Machine

We need to push an automation agent to the Azure Virtual machine so that we can deploy our software. That’s why we temporarily need to disable the Windows Firewall on the Azure virtual machine. It is not possible to run a script directly on an Azure virtual machine, but you can use a Custom Script extension. The script below will create a small PowerShell script in c:\temp. Then upload it to your Azure storage account and then create a Custom Script extension to be run on the Azure Virtual Machine which uses the script from your storage account. After this the Virtual Machine will be rebooted. And now you can push your Automation agent (Ivanti, SCCM, etc..). Don’t forget to enable the firewall once you’re done.

Delete Azure Virtual Machine Public IP

The Azure virtual machine is created with a public IP address by default but we’re not going to use this. The following script will delete the public IP.

Installation of Software and VDA

Now that we have a new Azure virtual machine, the private IP address, credentials, and the firewall is temporarily turned off. We can start deploying software and, of course, the Citrix VDA Software. You can do this with PowerShell or your own favorite automation product. You can also use my Ultimate Golden Image Automation Guide for software deployment tips and silent parameters. To install the VDA, you can check out this great article by Dennis Span or see the Citrix install command web page. And of course, don’t forget to optimize your image with the Citrix Optimizer and to seal your master image the right way with  BIS-F (Base Image Sealing Framework).

Stop Azure Virtual Machine

After deploying all the software and installing the VDA, it’s important to stop the Azure virtual machine before you update your machine catalog. You can do this with the following script.

Update the Citrix Machine Catalog

Now that we have created a new master image, we need to update the Machine Catalog. If you run your own delivery controller in Azure or even on-premises, you can use the script below on any machine with Citrix Studio installed. If you use Citrix Cloud services you need to install the Citrix Cloud Remote PowerShell SDK. After installing the SDK, you can connect to your Citrix Cloud environment with the Get-XdAuthentication and then run the script.

Delete the VM

Now that the catalog is updated, there is no need to keep the Azure Virtual Machine and its resources; we can delete it with the following script:

Security in the cloud

When you use the cloud and automation we need to enter credentials a few times. Make sure to never save your credentials as plain text in your scripts. Recently, there has been an increase in Azure account hijackings for mining cryptocurrency. Try to use a password vault or, at the very least, encrypted passwords. I have my script repository in my Ivanti automation library and I use password variables that are stored, encrypted, in the automation database. Another important thing is the Azure virtual machine credentials we created in the new virtual machine step. Once created, these admin credentials are on every machine you produce from the master image. So, don’t forget to disable the credentials with Disable-LocalUser or to remove them with Remove-LocalUser and add a new secure account.

I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me: