Forum Discussion
Is it really impossible to force an Intune sync from the command line?
As I said before, the MS Graph method is more work than remoting in, so not worth the bother.
With regard to restarting the Service, that doesn't work. If you dig into Settings and click the Sync button, you will see the "Host process for OMA-DM client" pop up in the Task Manager. Restarting the service (or using the Niehaus method) does not get that process to fire. Until it does, the changes I need never happen.
The only way I've found reliably to get the Host process to fire is to click the Sync button, or reboot the computer. Both require me to remote in and deal with the GUI. Is there really no way to avoid that? It seems like a monumental oversight.
- OPG1987, Nov 06, 2023, Copper Contributor
I found out a way to do it. Triggering the ‘PushLaunch’ scheduled task doesn’t seem to actually perform an MDM sync like when the user selects ‘Sync’ in Company Portal settings or the ‘Access Work or School’ page in settings, as you’ve said. At least not when the user is only a standard user (i.e., not an admin).
After some digging, I found the command in the actions part of the ‘Schedule #3’ Intune scheduled task. Running it seemed to be the only way I could get a proper MDM sync to work in a way that can be run as an administrator (i.e., via PDQ or RMM) with the signed in and licenced user being a standard user.
Because the enrollment ID is different per machine, I added a one-liner to pull the ID from the Scheduled Task path on the machine and then use it in the deviceenroller.exe command.
The script:
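# Pull the enrollment GUID from the EnterpriseMgmt scheduled task path on this machine
$EnrollmentID = Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt\*" } | Select-Object -ExpandProperty TaskPath -Unique | Where-Object { $_ -like "*-*-*" } | Split-Path -Leaf
# Run the same command the 'Schedule #3' task uses, with that enrollment ID
Start-Process -FilePath "C:\Windows\system32\deviceenroller.exe" -Wait -ArgumentList "/o $EnrollmentID /c /b"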
I hope it helps someone else out.
To confirm this, run the script against a machine with Task Manager open and you can see the omadmclient.exe process running, just as it does when using the ‘Sync’ GUI button. This doesn’t happen when restarting IME or triggering the ‘PushLaunch’ task (not when the user is a standard user anyway).
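An added example, not part of OPG1987's post or any Microsoft tooling: the same deviceenroller.exe call wrapped for an unattended RMM job, handling zero or several enrollment folders, accepting only a well-formed GUID, and confirming the sync by watching for omadmclient as the post suggests doing in Task Manager. The variable names, the 60-second timeout, the polling interval and the exit code convention are assumptions; the arguments and process name are taken from the post.

```powershell
# Added example (not from the thread). Run elevated, e.g. from an RMM job.
$ErrorActionPreference = 'Stop'

# Accept only a well-formed GUID folder directly under EnterpriseMgmt, so
# nothing else from a task path is interpolated into an elevated command line.
$pattern = '\\Microsoft\\Windows\\EnterpriseMgmt\\' +
           '(?<id>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})\\'

$ids = @(Get-ScheduledTask |
    ForEach-Object { if ($_.TaskPath -match $pattern) { $Matches['id'] } } |
    Sort-Object -Unique)

if ($ids.Count -eq 0) {
    throw 'No enrollment GUID under \Microsoft\Windows\EnterpriseMgmt\.'
}

$enroller   = Join-Path $env:SystemRoot 'System32\deviceenroller.exe'
$timeoutSec = 60   # assumption: how long to watch for omadmclient
$pollSec    = 1    # assumption: polling interval

$results = foreach ($id in $ids) {
    # Same arguments as the post. No -Wait, so polling starts immediately.
    Start-Process -FilePath $enroller -ArgumentList "/o $id /c /b"

    $seen     = $false
    $deadline = (Get-Date).AddSeconds($timeoutSec)
    while (-not $seen -and (Get-Date) -lt $deadline) {
        $seen = [bool](Get-Process -Name omadmclient -ErrorAction SilentlyContinue)
        if (-not $seen) { Start-Sleep -Seconds $pollSec }
    }

    [pscustomobject]@{
        EnrollmentId    = $id
        OmaDmClientSeen = $seen
    }
}

$results
# Non-zero exit lets the RMM tool flag devices where the sync never started.
if ($results.OmaDmClientSeen -contains $false) { exit 1 }
```

When more than one GUID is found, an omadmclient process left over from the previous iteration can satisfy the check for the next one, so treat the per-ID result as a heuristic.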
- tc-at-work, Dec 21, 2023, Copper Contributor
This worked perfectly as far as I can tell. Much simpler than the suggestion below you. Kind of ridiculous that there isn't some built-in command to do this but I suppose it is Microsoft we're dealing with.
- BH_PTR, May 22, 2023, Copper Contributor
Thanks, that's interesting. Restarting the Intune service has always worked for me, and I've even worked with a couple of MS folks (actual MS and not frontline ambassadors, not even escalation) who gave the same hack. I have seen that OMA-DM client pop up a few times. But with Microsoft's ever-changing landscape, you can't really expect things to stay the same for too long.
The link shared by hirogen10 works for me as well, but it feels like more of a cloud-initiated sync and not device-initiated.
- hirogen10, May 19, 2023, Copper Contributor
Our machines are no longer on the domain, but personally I think with the machines being in sleep mode depending on how often, let's assume hotdesk users log on to them every so often based on their shifts, there's obviously a risk the machine goes out of compliance if it's not been on for 8 hours or so, so maybe just send a sync via PowerShell on schedule every 30 minutes or less. Unless you're saying some machines are not switched back on by end users for a long time, say 1 week to 3 weeks or more even, in that case might have to look into remote power-up.
- May 19, 2023
To launch that task, you need to have permissions to access it of course... Besides launching the task itself, you could always just restart the IME service or trigger the IME to sync the device?
$Shell = New-Object -ComObject Shell.Application
$Shell.open("intunemanagementextension://syncapp")
- Dr_Snooze, May 19, 2023, Brass Contributor
Thanks, Rudy. I've tried running that as both the User and the Admin. While it does launch a few processes, the OMA-DM process is not one of them. Is it working differently in your environment?