Device Management in Microsoft
4 ways to get your client policy synchronized with the Intune service.

MikeGriz
Microsoft
Jan 12, 2023

With any client/server application, there are times when the server and the client are out of sync and you want to correct that. Most of the time this happens automatically, either on a schedule or on a triggered event. Inevitably, there are also times when you want the resync to happen NOW rather than waiting for the normal automated processes to kick off. There are four ways to do this for Intune devices, and while they are very similar, there are differences in what you can expect from them.

In Intune, the primary method most admins will be familiar with is from the Admin console. This tells the software client to do a normal scheduled check-in, but more immediately. The client checks for any policies added or removed for it and then acts accordingly. Note that if no policy has changed, no device compliance calculation or report is created, even if the data that the compliance policy checks has changed.

The second way to initiate a sync with the Intune service is from the client itself. On a Windows device, this is through Settings / Accounts / Access work or school / <Your Account> / Info and pressing the “Sync” button. This tells the client to check in just as the admin console method above does, with the same limitations on compliance calculations.

The third option is via the Company Portal app. On Windows, you can find a “Sync” button under the gear icon. Just like the options above, this causes the device to contact the Intune service and check for any policy additions or removals.

Finally, there is the fourth option (my favorite), which is available in the Intune Company Portal app as well as on the Company Portal website. You can do the sync for any owned device, not just the one you are currently working from. By selecting the device, you can find the “Check Access” button on Windows, “check status” on iOS, or “check device settings” on Android. This is the “powerful button.” Clicking it causes the device to check in and also forces a reevaluation of compliance policies and their rules. Therefore, any device or policy changes affecting compliance that may have occurred will be re-evaluated, and the compliance state of the device will be updated as appropriate.

Here at Microsoft, we understand different people work in diverse ways and like to give multiple options to accomplish tasks to meet those different workflows. Hopefully, this helps you understand the various methods to sync a client to get policies, and the one method to force a conditional access compliance re-evaluation. 

Updated Jan 12, 2023
Version 1.0
  • DanielRatliff
    Brass Contributor

    Where does "Check Compliance" under Device Compliance in ConfigMgr Software Center fall in here?

  • JuliusPIV
    Brass Contributor

    Hey MikeGriz Thanks for this post! 

    I've got a few questions regarding what you've shared.

    1. What's the reasoning for having multiple sync options?  Are there any legitimate scenarios where Company Portal wouldn't be present thus necessitating the need for a button under Settings > Accounts > Access work or school > Your Account > Info? 
    2. Why make one button more powerful than the rest?  Why isn't that the default behavior?
    3. Are there any programmatic methods for initiating a normal sync?
    4. Are there any programmatic methods for initiating a sync using the "powerful button?"
    5. Also, can you share details on "sync hammer" restrictions?  (e.g.: Don't sync more than 3 times in 15 mins or else the service temporarily ignores your device for an hour)

    Many thanks!

  • Good question!  I asked around on that one and I believe it will trigger a CM check.  Interaction with Intune may vary based on the Co-Management slider and I haven't looked at those variations.

  • Jens_Lagnekvist
    Copper Contributor

    JuliusPIV not sure about the rest of them,
    but for 1:
    If you have a newly installed client and Company portal is not yet present for some reason, then you can sync from one of the other sync methods to hurry the process of getting Company Portal installed.
    Regards /Jens

  • Good questions, Julius.  I can't say I have researched in-depth answers to them all, but I'll share my thoughts on them:

    1) CP is not always present on devices.  Going off device to the portal is not always ideal.  Windows is built to interface with Intune or other MDM providers.
    2) Re-calculation is more intensive and not always desired.

    3) and 4) I believe it can be accessed programmatically via MS Graph calls.

    5) The sync calls actually generate multiple paths on the backend services that have various control points.  We recommend not clicking more than a few times per device per hour or they may get throttled and not effectively make anything happen more quickly.
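
Following up on the reply above that a sync can be requested through Microsoft Graph, here is an added example (not part of the original post or its comments, and not Microsoft's code) that calls the Graph `syncDevice` action on a managed device. The three-per-hour limit and the state file path are assumptions that turn the "a few times per device per hour" guidance into a local guard; the page names no Graph call for the "Check Access" compliance re-evaluation, so none is shown.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: request an Intune sync for one device and guard against over-syncing.
param(
    [Parameter(Mandatory)] [string] $DeviceName,
    [int]    $MaxSyncsPerHour = 3,                                   # assumption, not an official limit
    [string] $StateFile = "$env:LOCALAPPDATA\intune-sync-log.json"   # hypothetical local state file
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Resolve the device by name; refuse to act on a missing or ambiguous match.
$filter = [uri]::EscapeDataString("deviceName eq '$($DeviceName.Replace("'", "''"))'")
$uri    = $base + '?$filter=' + $filter + '&$select=id,deviceName,lastSyncDateTime,complianceState'
$found  = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
if ($found.Count -ne 1) {
    throw "Expected exactly one device named '$DeviceName', found $($found.Count)."
}
$device = $found[0]

# Load this workstation's record of earlier sync requests (epoch seconds per device id).
$log = @{}
if (Test-Path $StateFile) {
    (Get-Content $StateFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $log[$_.Name] = @($_.Value) }
}
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$recent = @($log[$device.id] | Where-Object { $_ -gt ($now - 3600) })
if ($recent.Count -ge $MaxSyncsPerHour) {
    throw "Already requested $($recent.Count) syncs for $DeviceName in the last hour; skipping."
}

# Request the sync. The call returns no content; the device checks in asynchronously.
Invoke-MgGraphRequest -Method POST -Uri "$base/$($device.id)/syncDevice"
$log[$device.id] = $recent + $now
$log | ConvertTo-Json | Set-Content $StateFile

# Values from before the request, to compare against a later query of the same device.
[pscustomobject]@{
    DeviceName          = $device.deviceName
    LastSyncBefore      = $device.lastSyncDateTime
    ComplianceBefore    = $device.complianceState
    SyncsInLastHour     = $recent.Count + 1
}
```

Query the device again after it has checked in and compare `lastSyncDateTime` and `complianceState` with the values printed here; per the post, the compliance state is not recalculated by a normal sync when no policy has changed.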