Enterprises currently operating Citrix XenDesktop with Provisioning Services (PVS) on Windows Server are increasingly transitioning to Azure Virtual Desktop (AVD). The shift is driven by the need to streamline operations, modernise identity and security, benefit from elastic, cloud-scale delivery, and consolidate licensing. This guide presents an architect-level blueprint: the target architecture, landing zone and identity setup, image conversion process, FSLogix profile strategy, networking and security design, cutover planning, and steady-state operations, with step-by-step instructions, runbooks, and guardrails for a successful migration.
1) Baseline: Current Citrix XenDesktop + PVS
Typical components and roles within the existing Citrix XenDesktop and PVS environment include:
- Delivery Controllers responsible for brokering desktops and applications.
- PVS servers used for vDisk streaming to target virtual machines.
- StoreFront facilitating authentication and resource enumeration.
- License Server and SQL back-end supporting the infrastructure.
- VDAs deployed on provisioned virtual machines, which may be non-persistent or persistent.
Operational Considerations
Key operational aspects of the Citrix environment should be reviewed ahead of migration: the application landscape, and performance metrics such as resource utilisation, load index and disk latency, which become the sizing baseline for AVD.
2) Target State: AVD Reference Architecture
The recommended Azure Virtual Desktop architecture includes several core building blocks:
- Resource Groups: Separate environments (Prod, UAT, Dev) are established for governance and role-based access control (RBAC).
- Host Pools & Session Hosts: Supports both pooled (multi-session) and personal (single-session) models, using Windows 10/11 Enterprise multi-session or Windows Server.
- Image Lifecycle: Golden images are captured and versioned in an Azure Compute Gallery (formerly Shared Image Gallery).
- Profile Storage: FSLogix profiles are hosted on Azure Files (Premium) or Azure NetApp Files (ANF).
- Identity: Microsoft Entra ID (formerly Azure AD) is the primary identity plane. Session hosts are either Entra hybrid-joined to on-premises AD DS or Entra-joined; Microsoft Entra Domain Services is an option where legacy Kerberos/LDAP dependencies remain and no on-premises domain is retained.
- Networking: Hub-and-spoke virtual networks with dedicated subnets for session hosts, management, and private endpoints.
- Security: Utilises Network Security Groups (NSGs), Azure Firewall/NVA, Conditional Access policies, RBAC, and Key Vault for secret management.
Diagram Description

A hub-and-spoke topology is recommended, with AVD session hosts in a spoke virtual network. Azure Files is reached through Private Endpoints and Azure NetApp Files through its delegated subnet; a central firewall sits in the hub, and the management plane (Bastion/automation) resides in a separate spoke. On-premises connectivity is provided by VPN or ExpressRoute terminating in the hub.
3) Migration Prerequisites & Readiness
- Subscription & Quotas: Ensure appropriate vCPU, VM families, storage, and network quotas are available.
- Licensing: Confirm AVD entitlement and FSLogix usage rights.
- Connectivity: Establish VPN/ExpressRoute for hybrid dependencies, including AD, DNS, file services, and line-of-business applications.
- Identity: Entra Connect should be synchronised, and the device join model (Entra hybrid join or Entra join) determined.
- Backups: Complete vDisk snapshots, export Citrix configurations, and perform SQL backups.
- Discovery: Inventory applications, profile types (UPM, Roaming, Local), persona mapping, and print/peripheral requirements.
- SLOs: Define targets for logon duration, profile attachment, session density, and latency, with stakeholder agreement.
4) Migration Methodology (End‑to‑End)
Phase 0 – Assessment & Planning
- Estate Inventory: Document Delivery Controllers, StoreFront, License Server, PVS, SQL, catalogues, delivery groups, vDisk, and VDA versions.
- Application Rationalisation: Decide between RemoteApps and full desktops; assess compatibility with multi-session; plan packaging and installation approach.
- Persona Mapping: Identify task, knowledge, and engineering cohorts; establish concurrency and session density assumptions.
- Profile Strategy: Map UPM/Roaming profiles to FSLogix Profile and Office containers; select appropriate storage class and region pair.
- Security Posture: Review Conditional Access, MFA, device compliance, and RBAC model.
- Test Plan: Define user cohorts, acceptance criteria, and rollback procedures.
Phase 1 – Landing Zone & Hybrid Identity
Landing Zone
- Create Resource Groups for each environment and workload domain.
- Deploy VNets/Subnets:
- AVD-SessionHosts (no public inbound; controlled egress)
- Management (bastion, automation, jump)
- Storage-PE (Private Endpoints for Azure Files; a separate delegated subnet if Azure NetApp Files is used)
- Apply NSGs (deny by default, allow least-privilege flows).
- Insert Azure Firewall/NVA in the hub for egress control, user-defined routes, and content filtering.
- Configure DNS with conditional forwarders and hybrid name resolution, including the privatelink.file.core.windows.net private DNS zone linked to the spoke, so session hosts resolve the storage account to its private endpoint rather than its public address.
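As an added example (not code from the original article), the following Az.Network script builds the AVD-SessionHosts controls listed above: an NSG that allows no inbound traffic except administrative RDP from the Management subnet, explicit outbound rules for the AVD control plane, monitoring and SMB to the profile share, and a default route to the hub firewall. Resource names, address ranges and the firewall's private IP are assumptions; the `$hubFirewallDeployed` switch is an illustrative toggle for estates without a hub firewall.

```powershell
# Added example, not from the original article. Requires Az.Network and an
# authenticated session (Connect-AzAccount). All names and ranges are assumed.

$rg         = 'rg-avd-prod-network'   # assumed spoke resource group
$location   = 'uksouth'               # assumed region
$vnetName   = 'vnet-avd-prod-spoke'   # assumed spoke VNet
$subnet     = 'AVD-SessionHosts'
$subnetCidr = '10.10.10.0/24'         # assumed session host range
$mgmtCidr   = '10.10.20.0/24'         # assumed Management subnet (Bastion/jump)
$storPeCidr = '10.10.30.0/24'         # assumed Storage-PE subnet (Azure Files private endpoints)
$hubFwIp    = '10.0.0.4'              # assumed Azure Firewall private IP in the hub
$hubFirewallDeployed = $true

$rules = @()

# Inbound: AVD uses reverse connect, so user sessions need no inbound port at all.
# Only administrative RDP from the Management subnet is allowed, then deny everything.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-Admin-RDP-From-Mgmt' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $mgmtCidr -SourcePortRange '*' `
    -DestinationAddressPrefix $subnetCidr -DestinationPortRange 3389
$rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

# Outbound: allow the AVD control plane, monitoring and SMB to the profile share
# explicitly, so these keep working even if the hub firewall policy is mis-edited.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-AVD-Control-Plane' -Priority 100 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $subnetCidr -SourcePortRange '*' `
    -DestinationAddressPrefix 'WindowsVirtualDesktop' -DestinationPortRange 443
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-Azure-Monitor' -Priority 110 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $subnetCidr -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureMonitor' -DestinationPortRange 443
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-SMB-To-Profile-Share' -Priority 120 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $subnetCidr -SourcePortRange '*' `
    -DestinationAddressPrefix $storPeCidr -DestinationPortRange 445

# An NSG evaluates the packet's real destination, so a "Deny Internet" rule here
# would also block traffic that the UDR below steers to the hub firewall. Add the
# deny only when there is no firewall to do the egress filtering.
if (-not $hubFirewallDeployed) {
    $rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-Direct-Internet' -Priority 4000 `
        -Direction Outbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
}

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-$subnet" -SecurityRules $rules

# Default route to the hub firewall, whose application rules (FQDN tags such as
# WindowsVirtualDesktop, plus Windows Update and KMS) define what leaves the estate.
# BGP propagation is disabled so ExpressRoute-learned routes cannot bypass the firewall.
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name "rt-$subnet" `
    -DisableBgpRoutePropagation
if ($hubFirewallDeployed) {
    $rt | Add-AzRouteConfig -Name 'default-via-hub-firewall' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $hubFwIp | Out-Null
    $rt | Set-AzRouteTable | Out-Null
}

# Attach both to the session host subnet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet -AddressPrefix $subnetCidr `
    -NetworkSecurityGroup $nsg -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The explicit outbound allows are deliberate: the default AllowVnetOutBound/AllowInternetOutBound rules already permit them, but pinning them at low priorities means a later "deny all outbound" hardening rule cannot silently break agent registration or profile attach.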
Hybrid Identity
- Validate Entra Connect health.
- Decide between Entra join only and Entra hybrid join for session hosts. FSLogix on Azure Files still needs Kerberos (on-premises AD DS, Entra Kerberos, or Entra Domain Services), so the join model and the storage authentication model must be chosen together.
- Prepare OU/Group structure for policy scoping; define Privileged Identity Management (PIM) and RBAC assignments for AVD Admins, Image Admins, and Storage Admins.
Phase 2 – Image Conversion & Engineering (From PVS to AVD)
Objective: Transition PVS-based Windows 10/11 vDisks to a cloud-ready golden image for AVD.
Detailed Steps
- Merge the vDisk version chain to a single base, export the vDisk file, and convert it to a fixed-size VHD (Azure managed disks do not accept VHDX or dynamic VHDs). Keep the virtual size to a whole number of MiB, and record whether the vDisk boots BIOS (Gen1) or UEFI (Gen2), as the Azure image's Hyper-V generation must match.
- Remove Citrix agents/components from the image (boot the exported disk as a local Hyper-V VM first; PVS target device software cannot be cleanly removed while the OS is being streamed from that vDisk), including:
- PVS Target Device
- Citrix VDA
- Citrix-specific optimisations, services, and drivers
- Install AVD stack:
- AVD Agent & Agent Bootloader
- FSLogix
- Endpoint protection and platform agents (such as Defender and monitoring tools)
- Optimise Windows for multi-session usage, including adjustments to scheduled tasks, services, search indexer, delivery optimisation, and antivirus exclusions for FSLogix paths.
- Generalise with Sysprep (/generalize /oobe /shutdown; required for a generalised image) and capture; upload the VHD to a storage account, create a Managed Image, and publish it as a versioned image in an Azure Compute Gallery.
- Governance: Tag images with environment, owner, and version information; maintain a promotion workflow from Development to UAT to Production; implement change control for image updates.
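As an added example (not from the original article), the script below carries a merged, sysprepped PVS vDisk through the conversion and publication steps above: fixed-size VHD, MiB alignment, blob upload, managed image, and a tagged gallery image version. It assumes the Citrix components were already removed while the disk was booted locally, that the gallery and image definition already exist with matching OsType/OsState/HyperVGeneration, and that the `vhds` container exists. All paths, names and the Hyper-V generation are assumptions.

```powershell
# Added example, not from the original article. Run on the Hyper-V admin box that
# holds the exported vDisk; needs the Hyper-V PowerShell module and Az.Compute.
param(
    [string]$SourceVDisk    = 'D:\PVSStore\Win11-Multi-v12.vhdx',  # assumed merged base vDisk
    [string]$FixedVhd       = 'D:\Export\Win11-Multi-v12.vhd',
    [string]$ResourceGroup  = 'rg-avd-prod-images',               # assumed
    [string]$Location       = 'uksouth',                          # assumed
    [string]$StorageAccount = 'stavdimagesprod',                  # assumed, container "vhds" exists
    [string]$Gallery        = 'acg_avd_prod',                     # assumed Azure Compute Gallery
    [string]$ImageDef       = 'win11-multi-session',              # assumed image definition
    [string]$Version        = '1.0.12',
    [ValidateSet('V1','V2')][string]$HyperVGen = 'V2'             # V2 for a UEFI vDisk, V1 for BIOS
)

# 1. Azure managed disks require a fixed-size VHD; VHDX and dynamic VHDs are rejected.
Convert-VHD -Path $SourceVDisk -DestinationPath $FixedVhd -VHDType Fixed

# 2. The virtual size must be a whole number of MiB; pad up if the vDisk is not aligned.
$vhd     = Get-VHD -Path $FixedVhd
$aligned = [uint64]([math]::Ceiling($vhd.Size / 1MB) * 1MB)
if ($aligned -ne $vhd.Size) {
    Resize-VHD -Path $FixedVhd -SizeBytes $aligned
}

# 3. Upload to a page blob in the image storage account.
$blobUri = "https://$StorageAccount.blob.core.windows.net/vhds/$(Split-Path $FixedVhd -Leaf)"
Add-AzVhd -ResourceGroupName $ResourceGroup -Destination $blobUri -LocalFilePath $FixedVhd -OverWrite

# 4. Wrap the blob as a generalised managed image. OsState Generalized is only valid
#    if sysprep /generalize /oobe /shutdown was run before the disk was exported.
$imgCfg = New-AzImageConfig -Location $Location -HyperVGeneration $HyperVGen
$imgCfg = Set-AzImageOsDisk -Image $imgCfg -OsType Windows -OsState Generalized -BlobUri $blobUri
$image  = New-AzImage -ResourceGroupName $ResourceGroup -ImageName "$ImageDef-$Version" -Image $imgCfg

# 5. Publish as a gallery image version, tagged for the promotion workflow
#    (environment is updated as the version moves Dev -> UAT -> Prod).
New-AzGalleryImageVersion -ResourceGroupName $ResourceGroup -GalleryName $Gallery `
    -GalleryImageDefinitionName $ImageDef -Name $Version -Location $Location `
    -SourceImageId $image.Id -ReplicaCount 2 `
    -Tag @{ environment = 'dev'; owner = 'euc-platform'; imageVersion = $Version; source = 'pvs-vdisk' }
```

Keep the uploaded VHD and the managed image in a resource group that only Image Admins can write to; the gallery version is what host pools reference, and the previous versions are the rollback path named later in this guide.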
Example: key FSLogix settings baked into the image (they can also be enforced via GPO or an Intune configuration profile). This is .reg syntax, so backslashes in the share path are doubled:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix\Profiles]
"Enabled"=dword:00000001
"DeleteLocalProfileWhenVHDShouldApply"=dword:00000001
"VHDLocations"="\\\\<fileshare>\\profiles"
"VolumeType"="vhdx"
"IsDynamic"=dword:00000001
"ConcurrentUserSessions"=dword:00000001
Phase 3 – Host Pools, Application Delivery, and Autoscaling
Host pools
Host pools play a central role in the deployment, offering flexibility for different user and workload requirements. There are two main types of host pools:
- Pooled: Used for shared capacity, ideal for task or knowledge workers who do not require a dedicated environment.
- Personal: Designed for workloads or applications that demand dedicated resources or specialised software.
- Load balancing: Utilises two approaches:
- Breadth‑first, which ensures a consistent experience for all users by distributing sessions evenly across available hosts.
- Depth‑first, which fills each host up to its MaxSessionLimit before placing sessions on the next; set that limit deliberately, because without a realistic cap hosts are packed until users notice.
- Validation environment: A separate staging pool is maintained for testing new images before they are introduced into the production environment, ensuring reliability and stability.
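The following is an added example (not from the original article) of creating the validation pool described above with Az.DesktopVirtualization: a pooled, breadth-first host pool flagged as a validation environment, its desktop application group assigned to an Entra group rather than to individual users, device and clipboard redirection switched off in the RDP properties, and a short-lived registration token. Names, region, the session cap and the group name are assumptions.

```powershell
# Added example, not from the original article. Requires Az.DesktopVirtualization
# and Az.Resources with an authenticated session. All names are assumed.

$rg          = 'rg-avd-uat-pools'            # assumed
$location    = 'uksouth'                     # assumed
$hostPool    = 'hp-uat-pooled-validation'    # assumed
$maxSessions = 8                             # assumed cap per host (sized from the Citrix load index baseline)

# Validation pools receive AVD service updates first, which is exactly what a
# staging pool for new images should absorb before production does.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit $maxSessions -ValidationEnvironment:$true -StartVMOnConnect:$true `
    -CustomRdpProperty 'drivestoredirect:s:;redirectclipboard:i:0;redirectprinters:i:0;'
    # empty drivestoredirect = no local drive redirection; clipboard and printer
    # redirection off removes two common data-exfiltration paths from the pilot

# Desktop application group bound to the pool.
$dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hostPool-dag" -Location $location `
    -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop

# Entitle the pilot cohort through a group (assumed Entra security group).
$pilotGroup = Get-AzADGroup -DisplayName 'AVD-UAT-Pilot-Users'
New-AzRoleAssignment -ObjectId $pilotGroup.Id -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $dag.Name -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

# Registration token: anyone holding it can join a VM to this pool, so treat it as
# a secret. Scope its lifetime to the build window, never the multi-week maximum,
# and hand it to the build pipeline at run time rather than committing it.
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hostPool `
    -ExpirationTime (Get-Date).ToUniversalTime().AddHours(4)
$reg.Token   # consumed by the session host build (DSC / custom script extension)
```

Once the image has passed on this pool, the production pool is created the same way without `-ValidationEnvironment`, and Start VM on Connect only works if the Azure Virtual Desktop service principal holds the Desktop Virtualization Power On Off Contributor role (see Scaling).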
Scaling
To optimise cost, a scaling plan is defined. It aligns with business hours and concurrency patterns, specifying minimum and maximum hosts, ramp‑up and ramp‑down schedules, and hibernation or deallocation during off‑hours. Scaling plans and Start VM on Connect act on the VMs through the Azure Virtual Desktop service principal, which must hold the Desktop Virtualization Power On Off Contributor role at subscription or resource group scope before either feature works.
Application Delivery
- Applications are installed and validated on the master image. Once confirmed, RemoteApps and Desktops are published to users.
- Start‑up times, licensing, and dependencies such as printers, fonts, middleware, COM/ActiveX components, and GPU requirements (where necessary) are carefully validated to ensure seamless operation.
Phase 4 – User Profiles & Data (FSLogix)
Storage Choices
- Azure Files Premium: Provides SMB file shares with predictable IOPS and throughput, suitable for most profile storage needs.
- Azure NetApp Files: Offers high‑performance NFS or SMB storage, catering to demanding profile scenarios.
Network & Security
- Azure Files is exposed only through Private Endpoints with public network access disabled; Azure NetApp Files is reachable only from its delegated subnet.
- Authentication is identity-based (on-premises AD DS, Entra Kerberos, or Entra Domain Services) so that session hosts never hold the storage account key; consider disabling shared-key access once identity-based access is verified, and require SMB 3 encryption in transit.
Permissions
- NTFS permissions are set following typical patterns:
- Root: EUC Admins (and SYSTEM) have Full Control; CREATOR OWNER has Modify on subfolders and files only; the FSLogix users group has Modify on this folder only, which lets a user create their own folder but not list or open anyone else's container. Remove the default Authenticated Users/Users entries, since a broad Modify at the root exposes every user's VHDX.
- Per‑user: each user ends up with Modify on their own folder (via CREATOR OWNER) and nothing on other users' folders.
- Share permissions are configured for EUC Admins and session host computer accounts as required.
- Storage File Data SMB Share Contributor → FSLogix users group
- Storage File Data SMB Share Elevated Contributor → Admin group
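As an added example (not from the original article), this script applies the share-level RBAC and the root NTFS pattern above to an Azure Files profile share, then reads the ACL back and fails if any broad principal is still present. It assumes the storage account, share and group names shown, that the Entra groups are synced from on-premises AD groups of the same name in the `CORP` domain, and that the admin box can reach the private endpoint on TCP 445.

```powershell
# Added example, not from the original article. Requires Az.Storage, Az.Resources
# and SMB reachability to the storage private endpoint. Names are assumed.

$sub        = (Get-AzContext).Subscription.Id
$rg         = 'rg-avd-prod-storage'      # assumed
$account    = 'stavdprofilesprod'        # assumed storage account
$share      = 'profiles'                 # assumed share
$usersGroup = Get-AzADGroup -DisplayName 'AVD-FSLogix-Users'    # assumed, synced from CORP\AVD-FSLogix-Users
$adminGroup = Get-AzADGroup -DisplayName 'EUC-Storage-Admins'   # assumed, synced from CORP\EUC-Storage-Admins
$shareScope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$account/fileServices/default/fileshares/$share"

# 1. Share-level permission: RBAC scoped to the share, not the storage account.
New-AzRoleAssignment -ObjectId $usersGroup.Id -Scope $shareScope `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' | Out-Null
New-AzRoleAssignment -ObjectId $adminGroup.Id -Scope $shareScope `
    -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' | Out-Null

# 2. Map the share once with the account key to seed the root ACL. The key bypasses
#    Kerberos entirely, so this happens from an admin box, never inside the image.
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$unc  = "\\$account.file.core.windows.net\$share"
$cred = New-Object System.Management.Automation.PSCredential(
    "Azure\$account", (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name Z -PSProvider FileSystem -Root $unc -Credential $cred -Persist | Out-Null

# 3. Root ACL. (OI)(CI)(IO)M on CREATOR OWNER = Modify on what the user creates,
#    subfolders and files only. (M) with no inheritance flags = this folder only,
#    enough to create their own folder but not to open another user's VHDX.
icacls 'Z:\' /inheritance:r | Out-Null
icacls 'Z:\' /remove:g 'NT AUTHORITY\Authenticated Users' | Out-Null
icacls 'Z:\' /remove:g 'BUILTIN\Users' | Out-Null
icacls 'Z:\' /grant:r 'CORP\EUC-Storage-Admins:(OI)(CI)F' `
             /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             /grant:r 'CREATOR OWNER:(OI)(CI)(IO)M' `
             /grant:r 'CORP\AVD-FSLogix-Users:(M)' | Out-Null

# 4. Verify: no broad principal may hold rights at the root of a profile share.
$acl   = Get-Acl -Path 'Z:\'
$broad = $acl.Access | Where-Object {
    $_.IdentityReference.Value -match 'Everyone|Authenticated Users|BUILTIN\\Users'
}
Remove-PSDrive -Name Z
if ($broad) {
    throw "Broad ACE still present on $unc root: $($broad.IdentityReference.Value -join ', ')"
}
"Root ACL applied and verified on $unc"
```

Run the verification step again after any storage migration or share recreation; a recreated share comes back with the default Authenticated Users entry, and FSLogix will happily attach containers from a share where every user can read every other user's profile.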
Migration Approach
- Identify UPM, Roaming, and Local profiles that need to be migrated.
- Pre‑create user folders or allow FSLogix to create them upon first logon.
- Use Robocopy or scripted copy methods to seed user data, preserving Access Control Lists (ACLs). Note that Robocopy moves folder data, not a profile: to carry an existing UPM or roaming profile into a container, use FSLogix's frx.exe copy-profile (in %ProgramFiles%\FSLogix\Apps) on a machine where that profile is loaded locally, or let FSLogix create a fresh container at first logon and seed data into it.
- Validate during the pilot: container attach, OST handling, Teams/OneDrive caches, and redirection exclusions.
Robocopy Example
The following command is a sample for seeding profile data with Robocopy. /XJ skips junction points (user profiles contain legacy Application Data junctions that otherwise loop under /E), and /COPYALL needs the backup, restore and security privileges on both ends:
robocopy "\\oldfile\profiles" "\\newfiles\profiles" /E /XJ /COPYALL /R:1 /W:1 /MT:32 /NFL /NDL /LOG:C:\Temp\profiles_migration.log
Phase 5 – Testing, UAT, and Optimisation
Pre‑Migration Validation
- Session host health, agent registration, and successful image boot are verified.
- Profile container attachment performance and IOPS headroom are assessed.
- Name resolution, Active Directory reachability, and line‑of‑business application paths are validated.
Pilot
- Representative user personas (light, medium, and heavy users) are selected for testing.
- Key metrics measured include:
- Logon duration (seconds)
- Profile attach time (seconds)
- Session density per virtual machine
- CPU, RAM, disk queue, and network latency (milliseconds)
- Triage and remediation are performed as needed, such as Group Policy tweaks, application repackaging, or storage tier adjustments.
Phase 6 – Production Cutover & Decommission
Approach
- Citrix and Azure Virtual Desktop (AVD) are run side‑by‑side during the transition phase.
- Migrations are conducted in waves, organised by business unit or persona.
- Close monitoring is enforced, with a stabilisation window before proceeding to the next migration wave.
Decommission (Post‑Acceptance)
- Provisioning Services (PVS), Delivery Controllers, StoreFront, and License Server are retired once the transition is stabilised.
- Citrix SQL databases are decommissioned after confirming all dependencies are resolved.
- Configuration Management Database (CMDB), network diagrams, and disaster recovery documentation are updated accordingly.
Networking & Security Design
Network Topology
- Hub‑and‑spoke: Centralised security is maintained in the hub, with spokes dedicated to AVD session hosts, management, and storage private endpoints.
- Peering: Connectivity is established between the hub and spokes, and VPN or ExpressRoute is used for connections to on‑premises environments.
- UDRs: User Defined Routes are applied as needed to direct traffic through Azure Firewall or Network Virtual Appliances (NVA).
Security Guardrails
- NSGs: Network Security Groups are configured with least‑privilege rules and default deny inbound policies.
- Azure Firewall/NVA: Used for egress control, including FQDN groups, threat intelligence, and IDS/IPS as necessary.
- Conditional Access: MFA is required for every user signing in to AVD (target the Azure Virtual Desktop cloud app, and Windows Cloud Login where Entra single sign‑on is used), with stronger controls for administrators such as phishing‑resistant MFA and a compliant‑device requirement.
- RBAC: Role‑Based Access Control is scoped, and Privileged Identity Management (PIM) is used for just‑in‑time elevation.
- Encryption: Data is protected at rest (using platform‑managed or customer‑managed keys) and in transit (via SMB/HTTPS).
- Key Vault: Secrets are managed securely, and Managed Identities are used for automation purposes.
- Session hosts are baseline hardened to CIS/OS benchmarks, with local administrator passwords rotated by Windows LAPS (AD‑ or Entra‑backed).
Monitoring, Observability, and Disaster Recovery
Monitoring & Logging
- Azure Monitor and Log Analytics: Collects events from AVD services, session hosts, FSLogix, and security logs.
- Dashboards: Used to track logon duration, session density, failed sign‑ins, and profile attach failures.
- Alerts: Configured for CPU and RAM thresholds, disk latency, FSLogix mount errors, and broker or connection failures.
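As an added example (not from the original article) that serves both the pilot metrics in Phase 5 and the dashboards and alerts above, the script below queries the AVD Insights tables in Log Analytics from PowerShell: logon duration per session host from WVDConnections (Started to Connected), and FSLogix errors from the Event table, assuming AVD Insights' default collection of the Microsoft-FSLogix-Apps event logs is enabled. The workspace ID and the 30-second logon SLO are assumptions.

```powershell
# Added example, not from the original article. Requires Az.OperationalInsights and
# an authenticated session. Workspace ID and SLO are assumed.

$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumed Log Analytics workspace GUID
$sloSeconds  = 30                                       # assumed logon SLO from section 3
$window      = New-TimeSpan -Days 7

# Logon duration = time between the "Started" and "Connected" states of one
# connection (same CorrelationId); P95 per host shows which hosts miss the SLO.
$logonQuery = @"
WVDConnections
| where State in ("Started", "Connected")
| summarize Started   = minif(TimeGenerated, State == "Started"),
            Connected = minif(TimeGenerated, State == "Connected")
          by CorrelationId, UserName, SessionHostName
| where isnotempty(Started) and isnotempty(Connected)
| extend LogonSeconds = datetime_diff("second", Connected, Started)
| summarize Sessions = count(),
            P50 = percentile(LogonSeconds, 50),
            P95 = percentile(LogonSeconds, 95),
            OverSlo = countif(LogonSeconds > $sloSeconds)
          by SessionHostName
| order by P95 desc
"@

# FSLogix Admin/Operational errors and warnings, grouped so the same attach failure
# on many hosts (e.g. share unreachable, locked VHDX) surfaces as one line.
$fslogixQuery = @'
Event
| where EventLog startswith "Microsoft-FSLogix-Apps"
| where EventLevelName in ("Error", "Warning")
| summarize Count = count(), Hosts = dcount(Computer), LastSeen = max(TimeGenerated)
          by EventID, EventLevelName, RenderedDescription
| order by Count desc
'@

$logon   = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $logonQuery   -Timespan $window
$fslogix = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $fslogixQuery -Timespan $window

"Logon duration per session host (last 7 days), SLO = $sloSeconds s"
$logon.Results | Format-Table SessionHostName, Sessions, P50, P95, OverSlo -AutoSize

# Hosts breaching the SLO at P95 are the ones to drain and investigate before the
# next migration wave, rather than waiting for user tickets.
$breaching = $logon.Results | Where-Object { [double]$_.P95 -gt $sloSeconds }
if ($breaching) {
    "Hosts over SLO at P95: $($breaching.SessionHostName -join ', ')"
}

"FSLogix errors/warnings (last 7 days)"
$fslogix.Results | Format-Table EventID, EventLevelName, Count, Hosts, LastSeen -AutoSize
```

The same two KQL strings are what the dashboard tiles and the FSLogix mount-error alert rule should be built from, so that the pilot measurement, the production dashboard and the alert all agree on the definition of a slow logon.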
Backup & Disaster Recovery
- Profile Data: Snapshots and backups are maintained for Azure Files or Azure NetApp Files, with retention periods aligned to Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
- Images: Previous image versions are retained for rapid rollback and may be protected with backup policies.
- Disaster Recovery Strategy: Profile storage is replicated to the paired region and re‑provisioning of host pools there is documented. Note that Premium Azure Files supports only LRS/ZRS, so cross‑region copies rely on Azure Backup or a scheduled AzCopy/Robocopy job rather than geo‑redundant storage; Azure NetApp Files offers cross‑region replication natively.
Governance, Change, and Runbooks
- Change Management: Includes image versioning, staged promotion, and rollback criteria.
- Resource Tagging: Resources are tagged with environment, owner, cost centre, image version, and OS build details.
- Access Model: Roles are defined for AVD Admin, Image Admin, Storage Admin, and Security Reader. Audit is performed via Activity Logs and Log Analytics.
- Runbooks and Standard Operating Procedures (SOPs):
- Image update and promotion
- Drain, patch, and reboot of session hosts
- Scaling plan adjustments for peak events
- Profile corruption restoration workflow
- Incident response for connection issues and degraded performance
Common Pitfalls and How to Avoid Them
- Treating AVD like Citrix: the broker, gateway and web access are Microsoft‑managed, so there is nothing to stand up in place of Delivery Controllers or StoreFront, and sessions use reverse connect (outbound only), so there are no inbound firewall rules or listener ports to carry over. Importing PVS‑style streaming or Citrix policy assumptions into the design leads to suboptimal outcomes.
- Under‑sizing profile storage: Insufficient storage allocation may impact performance and user experience.
- Skipping Private Endpoints: Omitting these increases exposure to security risks.
- Neglecting persona‑based UAT: Failing to test with representative user types can result in oversights.
- Missing rollback runbook: Lack of documented procedures for rollback hinders rapid recovery from issues.
Cutover Checklist (Field‑Ready)
Azure Ready
- Resource groups, virtual networks, and subnets are created and secured.
- Hybrid DNS and routing are confirmed.
- Private endpoints are established for storage.
Image Ready
- PVS vDisk is converted and Citrix agents are removed.
- AVD agent and FSLogix are installed, and the OS is optimised.
- The image is captured and versioned in the Azure Compute Gallery.
- Validation host pool is tested.
Profiles Ready
- Azure Files or Azure NetApp Files are provisioned with correct NTFS and share permissions.
- FSLogix Group Policy Objects (GPOs) are configured for VHDX, local profile deletion, and Office container management.
- Pilot users are validated, ensuring attach times meet service level objectives (SLOs).
Operations Ready
- Monitoring dashboards and alerts are configured.
- Runbooks and escalation matrix are published.
- Capacity and scaling plan are aligned to concurrency requirements.
Migration
- Wave plan is approved, including personas, dates, and rollback procedures.
- Communication and change notices are issued.
- Post‑cutover stabilisation and sign‑off criteria are defined.
Decommission
- PVS, Delivery Controllers, StoreFront, and License Server are retired after stabilisation.
- SQL databases are decommissioned or archived.
- CMDB, diagrams, and disaster recovery documentation are updated.
Conclusion
Transitioning from Citrix PVS to Azure Virtual Desktop is a strategic move towards modernisation, rather than a simple lift‑and‑shift. By adopting cloud‑native image management, FSLogix for consistent user profiles, Zero Trust security guardrails, and observability from the outset, operational overhead is reduced and a stable, measurable user experience is delivered at enterprise scale. The detailed approach outlined above provides a prescriptive, field‑tested blueprint, ready for adaptation to your organisation’s standards.
