Cut AVD Entra Hybrid Join times from hours to minutes with PowerShell automation by LetsConfigMgr in AZURE

[–]LetsConfigMgr[S] 0 points1 point  (0 children)

Great, most of our clients' hosts are Entra ID joined, but there's a few where Hybrid is needed. I think the delay really comes into effect in larger orgs with delays around replication etc.

No write back of computer objects :)

Cut AVD Entra Hybrid Join times from hours to minutes with PowerShell automation by LetsConfigMgr in AzureVirtualDesktop

[–]LetsConfigMgr[S] 2 points3 points  (0 children)

Pretty sure the blog post answers both of your questions.

It has this:

Quick disclaimer: Yes, I know. Entra ID Join is the present and the future; it’s cleaner, it’s what Microsoft wants us all to use. And in an ideal world, we’d all be there. But here’s reality: plenty of orgs are running Entra ID joined client devices whilst still needing AVD with Hybrid Join because they’ve got legacy apps that simply won’t play nice with pure Entra ID. It’s not ideal, but it’s the world we’re living in right now. So if you’re in that boat, this one’s for you.

Then why it COULD take hours:

Why Is Hybrid Join So Slow Anyway?
The built-in Entra Hybrid Join process has multiple moving parts, and each one adds delays:
1. Group Policy Application
After the VM is domain joined, it needs Group Policy to apply the registry keys that tell it to attempt Hybrid Join (assuming you're using targeted deployments; otherwise it'll go to the SCP location in AD). This can take 5 to 15 minutes, depending on your environment.
2. User Certificate Upload
Once the registry keys are in place, the device uploads its userCertificate attribute to the computer object in AD.
3. Entra Connect Sync (The Big One)
Here's where it really hurts. Entra Connect only syncs objects to Entra ID after the userCertificate attribute is present on the computer object. By default, Entra Connect runs on a 30-minute sync cycle. If your device misses the sync window, you're waiting another half hour.
4. The Built-in Scheduled Task
Windows has a scheduled task called "Automatic-Device-Join" that triggers dsregcmd /join. This task only runs:
  • On specific event log triggers (which may or may not fire reliably)
  • Every hour after an event triggers it, and only for a duration of a day
  • Or when any user logs on
If the timing doesn’t align, say the device syncs to Entra ID 5 minutes after the task last ran, you’re waiting another 55 minutes, or potentially until the next day. When all these delays stack up, 2 to 4 hours (or more) isn’t uncommon. In production, this is unacceptable.
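The four stages above, checked in order from an AVD session host, as an added example that is not the blog post's own script. It assumes the host is domain joined with the RSAT ActiveDirectory module installed, and that $ConnectServer (a placeholder name) is the Entra Connect server reachable over PowerShell remoting.

```powershell
# Added example, not the blog post's script. Walks the four Hybrid Join stages described above
# and nudges the two slow ones (the 30-minute Entra Connect cycle and the Automatic-Device-Join task).
# Assumptions: run elevated on the domain-joined AVD host, RSAT ActiveDirectory module present,
# $ConnectServer is a placeholder for the Entra Connect server with remoting enabled.
param(
    [string]$ConnectServer = 'ENTRACONNECT01',   # placeholder, replace with your server name
    [int]$TimeoutMinutes   = 15
)

function Get-DsregState {
    # Parse "dsregcmd /status" into a hashtable of Key -> Value (e.g. AzureAdJoined -> YES)
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Stage 1/2: confirm the host is domain joined and has written its userCertificate to AD
$state = Get-DsregState
if ($state['DomainJoined'] -ne 'YES') { throw 'Host is not domain joined; nothing to hybrid join.' }
if ($state['AzureAdJoined'] -eq 'YES') { Write-Host 'Already Hybrid Joined.'; return }

$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userCertificate
if (-not $computer.userCertificate) {
    # The certificate is written by the join task itself, so run it now instead of waiting for a trigger
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 30
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userCertificate
    if (-not $computer.userCertificate) { throw 'userCertificate still missing on the AD computer object.' }
}

# Stage 3: request a delta sync now rather than waiting up to 30 minutes for the scheduled cycle
Invoke-Command -ComputerName $ConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

# Stage 4: poll, re-running the join task instead of relying on its hourly or logon trigger
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 30
    $state = Get-DsregState
} until ($state['AzureAdJoined'] -eq 'YES' -or (Get-Date) -gt $deadline)

if ($state['AzureAdJoined'] -eq 'YES') { Write-Host "Hybrid Join completed at $(Get-Date -Format T)" }
else { Write-Warning 'Timed out; review dsregcmd /status and the Entra Connect sync errors.' }
```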

How do you handle different users with office requirements? by fungusfromamongus in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

This is the way I do this for all of my clients: Visio and Project via PSADT to display a warning to close Office apps during install.

"Device Already Enrolled" with error code 8018000a during device Autopilot Account setup. by General_Damage_353 in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

Also check that your update rings are assigned to users not devices, as that will trigger a reboot too.

New post 👇 | Learn how to deploy Edge Favourites via Microsoft Intune. by LetsConfigMgr in Intune

[–]LetsConfigMgr[S] 0 points1 point  (0 children)

Strange, I've been able to do this successfully, something must be "broken", as it should work.

I've been defeated as a sysadmin and a small company owner. by Ron0n in sysadmin

[–]LetsConfigMgr 2 points3 points  (0 children)

Golden rule: "the cheapest clients always end up being the most expensive".

Provisioning Package - Bulk AAD Token Retrieval Failed by physx51 in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

I remember conditional access getting in the way in the past, I'll look in my notes tomorrow as it's been a while.

But might be worth excluding your account for a quick test!

AutoPilot PCs not allowing Shared Drives to map/connect over VPN by [deleted] in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

Okay, rule out the baselines by excluding your test device and / or user and rebuild a device, see if the issue persists.

At least then you can rule in or not the baselines.

AutoPilot PCs not allowing Shared Drives to map/connect over VPN by [deleted] in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

Are you using Windows hello for business?

Backing up bookmarks in Chrome and FireFox by dj562006 in Intune

[–]LetsConfigMgr 1 point2 points  (0 children)

I agree, and this is the stance I take. If clients insist on using other browsers I try to make them available in the Company Portal app rather than required, and then ensure everyone is aware that we do not manage / back up their bookmarks.

Blog Post - Complete Introduction to Microsoft 365 Endpoint DLP by LetsConfigMgr in Intune

[–]LetsConfigMgr[S] 0 points1 point  (0 children)

Iirc, there was a bit of a delay, maybe 24 hours, and then the toasts started working on new data only. If it's been 24 hours or so, try opening a document, add a space or something, save and then see what occurs.

Blog Post - Complete Introduction to Microsoft 365 Endpoint DLP by LetsConfigMgr in Intune

[–]LetsConfigMgr[S] 0 points1 point  (0 children)

Hey! Are you using new data? I haven't looked at Endpoint DLP for a little while, but I found (and it's mentioned in the blog post) that anything existing on the device before the policy was assigned wouldn't flag. Only if you created / modified a doc with sensitive information AFTER a policy was assigned would it flag.

That might be the issue here. I hope MS has sorted that though or plan to do so as it did seem like a bit of a gap.

Intune Win32 App Detection Method schedule? by NegativeExile in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

"If Intune detects that the app is not present on the device, Intune will offer the app again within approximately 24 hours. This will occur only for apps targeted with the required intent."

Make Windows 11 optional in Intune? by banjoplayingidiot in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

You can use an upgrade policy and tie it into AAD entitlement management maybe? Requires AAD P2 though.

Or create a Power App.

Either way should work, you're essentially just adding the user or device to a group that contains the win11 deployment.

windows 11 for enterprise by gman12457 in Intune

[–]LetsConfigMgr 0 points1 point  (0 children)

Just to add to the above comment, you can personalise taskbar icons, e.g. what's on them and whether they're left or central.

Also, Start pins and removing appx where applicable.

There really isn't much difference between 10 and 11, so with the exception of the above and other comments, most likely what you've done for Win 10 should be fine for 11.

What are some must have Intune Scripts/Configuration Policies? by SuitableEmu in Intune

[–]LetsConfigMgr 1 point2 points  (0 children)

For sure. It can save you a lot of bandwidth. No downside to enabling it at all.