Forum Discussion
Is it really impossible to force an Intune sync from the command line?
I think I figured it out. For future Bing searchers, the feature is called Windows Automatic Restart Sign On (ARSO). It works as you might expect. Make your Intune policy changes, then fire off a restart command to the endpoint(s) using your RMM, PowerShell or whatever CLI you use. After the login screen comes up, the computer quietly logs in, behind the scenes, using the last logged-in user's credentials. Intune policies sync, Windows Updates finish, Teams launches, startup apps load, etc. The user comes in the next morning and logs in instantaneously to a fully loaded Windows desktop, as if the computer had been locked all along.
ARSO is set by either a Local Group Policy, a Domain Group Policy or a registry hack. All can be accomplished via Intune. There is a mix of various requirements that need to be met before it will truly work, however. These include BitLocker and/or TPM 2.0.
This link explains ARSO, its requirements, and how to set it up: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-. It excludes any discussion of ARSO via Intune, however.
This link shows how to enable ARSO via Intune (kinda): https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-. The link actually shows how to disable ARSO, but you can use the same policy to enable it. The policy changes a Local Group Policy setting on each device that enables ARSO if the other requirements (BitLocker, TPM 2.0, etc.) are met. (I was wrong about not being able to set Local Group Policy via Intune. This link shows where in Intune those settings are hiding. Yay!)
So the answer is that you CAN force an Intune sync exclusively via CLI, if you stand back a few paces, squint your eyes and fiddle around some.
Hope that helps someone.
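The procedure the post describes (check the prerequisites, set the ARSO policy values, restart the endpoint) as one PowerShell script. This is an added example, not code from the original post or from Microsoft's documentation. It assumes an elevated session on a Windows 10/11 endpoint (run locally or pushed through an RMM). The registry value names are the ones the two ARSO group policies under Windows Logon Options write; the function names and the 60-second delay are this example's own choices.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session on a Windows 10/11 endpoint. The registry values are those written by the
# Group Policy settings "Sign-in and lock last interactive user automatically after
# a restart" (DisableAutomaticRestartSignOn) and "Configure the mode of automatically
# signing in and locking last interactive user..." (AutomaticRestartSignOnConfig).

$ArsoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-ArsoPrerequisites {
    # Report the two requirements the post names: TPM 2.0 and BitLocker on the OS volume.
    $tpm   = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec  = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }   # e.g. "2.0, 0, 1.59"
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $blOn  = ($osVol.ProtectionStatus -eq 'On')   # 'On' means encrypted and protectors not suspended

    [pscustomobject]@{
        TpmPresent  = [bool]$tpm
        TpmSpec     = $spec
        Tpm20       = ($spec -eq '2.0')
        BitLockerOn = $blOn
        Ready       = (($spec -eq '2.0') -and $blOn)
    }
}

function Get-ArsoState {
    # Read the current policy values; a missing value means "not configured".
    $p = Get-ItemProperty -Path $ArsoKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableAutomaticRestartSignOn = $p.DisableAutomaticRestartSignOn   # 1 = ARSO turned off
        AutomaticRestartSignOnConfig  = $p.AutomaticRestartSignOnConfig    # 0 = only when BitLocker is on, 1 = always
    }
}

function Enable-Arso {
    # The "registry hack" route: the same values the Local/Domain GPO (and the matching
    # Intune setting) write. Config stays at 0 so the cached credential is only used
    # when the disk is actually encrypted; 1 would allow it on an unencrypted disk.
    if (-not (Test-Path $ArsoKey)) { New-Item -Path $ArsoKey -Force | Out-Null }
    Set-ItemProperty -Path $ArsoKey -Name DisableAutomaticRestartSignOn -Value 0 -Type DWord
    Set-ItemProperty -Path $ArsoKey -Name AutomaticRestartSignOnConfig  -Value 0 -Type DWord
}

function Restart-ForArso {
    param([int]$DelaySeconds = 60)
    # shutdown /g restarts and re-launches registered applications; this is the restart
    # form ARSO is tied to, so prefer it over a bare /r. Cancel with "shutdown /a" if needed.
    $pre = Test-ArsoPrerequisites
    if (-not $pre.Ready) {
        Write-Warning ("ARSO prerequisites not met (TPM 2.0: {0}, BitLocker on: {1}); the device will stop at the sign-in screen." -f $pre.Tpm20, $pre.BitLockerOn)
    }
    shutdown.exe /g /t $DelaySeconds /c "Restarting to apply policy. You will be signed back in automatically."
}

# Typical RMM push: make sure ARSO is allowed, show the resulting state, then restart.
Enable-Arso
Get-ArsoState
Restart-ForArso -DelaySeconds 60
```

Run `Get-ArsoState` and `Test-ArsoPrerequisites` on a test device first; the warning in `Restart-ForArso` tells you why a device did not come back to a signed-in desktop. Note that ARSO only gets the user session back up; whether the Intune client syncs at that point is governed by its own schedule, which is the point raised in the reply below.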
Although ARSO is a neat feature, it is not a manual trigger for an Intune sync. It handles user-based features that can run automatically without a user being logged on. Intune sync is not always triggered automatically during this process, so this is not a solution.