Hybrid Azure AD Joined Virtual Machines and Intune The Right Way


Recently I went through the process of making Windows 10 / 11 Persistent Virtual Machines running On-Prem managed by Citrix Cloud, enroll correctly in Microsoft Intune. In this post I’m going to share the bullet proof solution to make this work every time.

The most important part is to configure the Master Image correctly. For that part you’ll need to leverage the Base Image Script Framework (BIS-F) and the awesome Intune-UnHybridJoin script created by my colleague MVP Adam Gross. He’s literally been pulling his hair out trying to get rid of duplicated Azure AD Device ID’s. In the Custom Preparation part of BIS-F I’m running the script below with -Remediate 1.

That makes sure that all traces of Azure AD are gone when we seal the Master Image, a simple dsregcmd /leave won’t do it.

When new Virtual Machines cloned from the Master Image starts, we need to make sure that the dsregcmd /join process runs at System Startup. For that you’ll need to leverage the Custom Personlization part of BIS-F running the script below with -Rejoin 1.

The device registration part can take everything from 5 to 60 minutes to show up in Azure Active Directory with the status switched from Pending to Registered. For that reason, I always have a couple of spare powered on machines, in case I need to instantly add new users. Also please note that the Master Image is showing as Pending due to the Master Image Custom Preparation script.

The next step is to make sure the devices automatically enroll into Microsoft Intune. For that you’ll need to set a Group Policy as explained in the article Configure the auto-enrollment for a group of devices. I have the Group Policy linked to the AD Organization Unit of both the Master Images and the Devices.

During my testing I was getting a lot of inconsistent results and the Work or school account problem notification popped up from time to time. I’ve believe the reason is that the Workplace Join scheduled task(s) doesn’t kick in fast enough. After some research I stumbled upon the article To Hell and Back with Hybrid AD Join for VDI. The secret to success is running dsregcmd /join as user upon logon because of the policy Enable automatic MDM enrollment using default Azure AD credentials.

I’m using an External Task in Citrix Workspace Environment manager to handle this.

When the user logon for the first time, the device will automatically enroll in Microsoft Intune and any required applications will be installed. Make sure to check out my last post Windows 365 – Don’t Follow the Apps, Let the Apps Follow You Automatically.

If you still have issues, Microsoft just released the Device Registration Troubleshooter Tool script.

Alt text

On a final note you also need to make sure that Windows Hello is disabled. For those running Citrix might find this Technical Preview interesting Azure Active Directory joined and non-domain joined VDA configuration (preview).


Automation Framework Community Edition

The fastest way to build your lab environment.

Virtual Expo

Friday 30th of September 2022

2 thoughts on “Hybrid Azure AD Joined Virtual Machines and Intune The Right Way”

Leave a Comment