I'm currently managing virtual desktop infrastructure (VDI) using vCenter and Horizon, and we've been hybrid-joining them through Intune. Previously, with Windows 10, when we provisioned a new VDI, it would automatically be added to Active Directory (AD), sorted into the correct organizational unit (OU), and then sync to Entra without requiring any user login. However, since switching to Windows 11, I've observed that new VDIs won't sync to Entra unless a domain user logs in first. This seems to be necessary to populate the userCertificate attribute, which makes the whole process feel quite slow and manual. The steps now seem to include a user login to trigger the sync with Entra, which adds a lot of waiting time. I'm really wondering if there's a way to streamline this process so that a user doesn't have to log in just for the VDI to sync to Entra. Are we missing something here?
4 Answers
I've run into this same issue before. It's really frustrating when a user logs into their desktop and finds that the necessary apps aren't installed yet because the device hasn't synced with Intune.
I'm in a similar boat as you. We're just starting to implement Intune, and I'm trying to figure out how to avoid the user login requirement too. Following this thread for any solutions.
I'd recommend steering away from hybrid join, if possible. There’s a script you can use that syncs computers to Entra right after they show up in AD. You can check it out here: [SyncNewAutoPilotComputersandUsersToAAD_v2.ps1](https://github.com/steve-prentice/autopilot/blob/master/SyncNewAutoPilotComputersandUsersToAAD_v2.ps1)
From what I’ve experienced, hybrid join indeed requires a user login to obtain a token for enrolling in MDM (Intune). The device will show as pending in Entra after the Entra Connect sync but won't enroll in Intune until a user logs in.
That's exactly what we noticed with Windows 10, but with Windows 11, it's not even syncing to Entra unless there's a user login, which feels odd.

I plan to test this script out on Monday, but I'm worried that it might not resolve our issue. Even with running the sync, if no user has logged in, it seems that Entra Connect won't pick up the device. Documentation on this aspect is a bit scarce, and we think a user login is essential to populate the userCertificate.
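The thread's working hypothesis is that Entra Connect only picks up a new hybrid-join computer once its userCertificate attribute has been written by the device (the default "In from AD - Computer Join" sync rule scopes on that attribute being present, which you can confirm in your own tenant with the Synchronization Rules Editor). The following PowerShell is an added example, not code from the thread or from the linked SyncNewAutoPilotComputersandUsersToAAD script: it lists recently created computer objects in a VDI OU, separates the ones that already carry a device certificate from the ones that do not, and optionally starts an Entra Connect delta sync only when there is something new to pick up. The OU path, the time window and the assumption that it runs on the Entra Connect server (needed for Start-ADSyncSyncCycle) are placeholders to adjust.

```powershell
# Added example for the hybrid-join / userCertificate discussion above.
# Assumptions (not from the thread): the ActiveDirectory module is installed,
# the OU below is where new VDIs land, and for -TriggerSync the script runs
# on the Entra Connect server where the ADSync module is available.
param(
    [string]$SearchBase = "OU=VDI,OU=Workstations,DC=corp,DC=example",  # placeholder OU
    [int]$NewerThanMinutes = 60,                                           # look-back window
    [switch]$TriggerSync                                                   # run a delta sync if ready devices exist
)

Import-Module ActiveDirectory -ErrorAction Stop

# AD generalized-time format for whenCreated comparisons in an LDAP filter.
$since = (Get-Date).ToUniversalTime().AddMinutes(-$NewerThanMinutes).ToString('yyyyMMddHHmmss.0Z')
$ldap  = "(&(objectClass=computer)(whenCreated>=$since))"

$computers = Get-ADComputer -LDAPFilter $ldap -SearchBase $SearchBase `
    -Properties whenCreated, userCertificate, operatingSystem, operatingSystemVersion

$ready    = @()
$notReady = @()

foreach ($c in $computers) {
    # userCertificate is written by the device's own Workplace Join /
    # Automatic-Device-Join task. While it is empty the computer object is
    # outside the scope of the default computer-join sync rule, so running
    # a sync cycle will not help for that device.
    if ($c.userCertificate -and $c.userCertificate.Count -gt 0) {
        # Decode the first certificate to show what the device actually wrote.
        $raw  = [byte[]]$c.userCertificate[0]
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        $ready += [pscustomobject]@{
            Name        = $c.Name
            OSVersion   = $c.operatingSystemVersion
            Created     = $c.whenCreated
            CertSubject = $cert.Subject      # CN is the device ID the object will get in Entra
            CertExpires = $cert.NotAfter
        }
    }
    else {
        $notReady += [pscustomobject]@{
            Name      = $c.Name
            OSVersion = $c.operatingSystemVersion
            Created   = $c.whenCreated
            Hint      = 'userCertificate empty: device-side join has not run yet'
        }
    }
}

Write-Host "Computers created in the last $NewerThanMinutes min under $SearchBase"
Write-Host "  with userCertificate   : $($ready.Count)"
Write-Host "  without userCertificate: $($notReady.Count)"
$ready    | Format-Table Name, OSVersion, Created, CertSubject, CertExpires -AutoSize
$notReady | Format-Table Name, OSVersion, Created, Hint -AutoSize

if ($TriggerSync) {
    if ($ready.Count -eq 0) {
        Write-Host 'Nothing in scope yet; skipping delta sync.'
    }
    else {
        # Only worth a cycle when at least one object can actually be picked up.
        Import-Module ADSync -ErrorAction Stop
        Start-ADSyncSyncCycle -PolicyType Delta
        Write-Host 'Delta sync started.'
    }
}
```

Run it without -TriggerSync first to see which of the new Windows 11 VDIs have a certificate and which do not; if a machine stays in the "without" list until someone signs in, that confirms the device-side join task is what is gating the sync, not Entra Connect. On a device in that state, `dsregcmd /status` run as SYSTEM shows whether the join has been attempted at all.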