Horizon Instant Clone Pool AAD Hybrid Join fails with vTPM

We were struggling to get AAD hybrid join working consistently for a new Windows 11 instant clone pool.

Here is what we were seeing:

1.  Virtual Desktops created in new Windows 11 pool with vTPM added

2.  Virtual desktops will not hybrid join until Azure Connect syncs with AAD.  The minimum automated interval that can be configured in Azure Connect is every 30 minutes, but we can manually execute the Azure Connect sync via PowerShell.

3.  After the Azure Connect sync has completed, we can log into the virtual desktops and hybrid join is successful.

4.  Log off virtual desktop, let the machine refresh.

5.  Log back into same W11 virtual desktop and the hybrid join is unsuccessful with "dsregcmd /status" showing the error "error_computer_signature_check_failure".  Running a dsregcmd /join does not work.  Running dsregcmd /leave and then dsregcmd /join does not work.

6.  Run a manual Azure Connect sync (or wait for scheduled sync to run) and we can then run dsregcmd /join and the hybrid join works.

7.  Build a new Windows 11 pool with no vTPM; hybrid join works 100% of the time after the initial Azure Connect sync.  In other words, once the initial AAD sync has completed, we can log in and out of the virtual desktops and have them refresh as many times as we want and hybrid join always works.

8.  Build a new Windows 10 pool with vTPM; hybrid join fails as above.

VMware tech note article https://kb.vmware.com/s/article/89127 does not mention vTPM issues with hybrid join or workarounds for these issues.

The Microsoft article https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token discusses how a TPM adds a layer of security to the PRT, so obviously having a vTPM on our virtual desktops is something we would like to have.

Has anyone found a way to automate the resync of the TPM information to allow hybrid join to work after an instant clone refresh?
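An added example, not part of the original post and not VMware's or Microsoft's code, showing how the manual workaround described above (force an Azure AD Connect sync, then retry `dsregcmd /join` and confirm with `dsregcmd /status`) could be scripted on the virtual desktop. The Azure AD Connect host name is a placeholder, and the script assumes PowerShell remoting to that host and the rights to start a sync cycle there; it is run elevated on the desktop.

```powershell
# Added example (not from the original post): scripts the workaround the post
# describes by hand: force an Azure AD Connect delta sync, retry the hybrid join,
# then confirm the result from dsregcmd /status.
# Assumptions (hypothetical): the AAD Connect server is reachable by PowerShell
# remoting under the placeholder name below and the caller may start a sync there.

param(
    [string]$AadConnectServer = 'AADCONNECT01',   # placeholder host name
    [int]$SyncSettleSeconds   = 90,                # time for the delta sync to land in AAD
    [int]$MaxJoinAttempts     = 3
)

function Get-HybridJoinState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoined {
    # Hybrid join is complete when both DomainJoined and AzureAdJoined report YES.
    $s = Get-HybridJoinState
    return ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES')
}

function Invoke-AadConnectDeltaSync {
    # Start-ADSyncSyncCycle comes from the ADSync module on the AAD Connect server.
    # It throws if a sync cycle is already running, so that case is reported, not fatal.
    try {
        Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
            Import-Module ADSync
            Start-ADSyncSyncCycle -PolicyType Delta
        } | Out-Null
    } catch {
        Write-Warning "Could not start a delta sync on ${AadConnectServer}: $($_.Exception.Message)"
    }
}

if (Test-HybridJoined) {
    Write-Output 'Already hybrid joined; nothing to do.'
    return
}

for ($attempt = 1; $attempt -le $MaxJoinAttempts; $attempt++) {
    Write-Output "Attempt ${attempt}: forcing AAD Connect delta sync on $AadConnectServer"
    Invoke-AadConnectDeltaSync
    Start-Sleep -Seconds $SyncSettleSeconds

    # The post reports that /join alone fails until the sync has completed;
    # the sync above is what lets this retry succeed.
    dsregcmd /join | Out-Null
    Start-Sleep -Seconds 15

    if (Test-HybridJoined) {
        Write-Output 'Hybrid join succeeded.'
        return
    }

    # Surface the failure detail (e.g. error_computer_signature_check_failure) for the log.
    $status = Get-HybridJoinState
    $detail = ($status.GetEnumerator() |
        Where-Object { $_.Key -match 'Error|Status' } |
        ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    Write-Warning "Join still failing after attempt ${attempt}: $detail"
}

Write-Error "Hybrid join did not succeed after $MaxJoinAttempts attempts."
```

The script only automates the two steps the post already performs manually; it does not change the vTPM behaviour itself, so a pool-level fix from VMware or Microsoft would still be needed to avoid the resync on every refresh.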