In this blog post, we will learn about how to force Intune Sync using Powershell. Syncing forces your device to connect with Intune to get the latest updates, requirements, and communications from your organization.
You could either wait for the next Intune policy refresh cycle but this means that you would have to wait for a couple of hours before you know if the policy has been applied successfully or an app has been deployed on the device. This can delay your testing and app deployment.
According to Microsoft: When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. For example, when a lock, passcode reset, app, or policy assignment action runs.
In a Production scenario, you may not have to manually Initiate Intune sync, but this could be really useful when you have recently created an App deployment, Powershell script deployment, or a device configuration profile, and you want to test and confirm if the deployment is succeeded ASAP.
There are two methods we are going to explore today. The first method will use the Sync-MgDeviceManagementManagedDevice cmdlet to initiate Intune Sync, and the second method will use Invoke-IntuneManagedDeviceSyncDevice. Both of these methods work fine. You can start with Method 1, and if there are any issues, you can also utilize Method 2.
Contents
Method 1: Using Sync-MgDeviceManagementManagedDevice
The first method involves using the PowerShell cmdlet Sync-MgDeviceManagementManagedDevice. By using this cmdlet, we can force initiate Intune sync on a single Windows 10/11 device or multiple Windows 10/11 devices.
Please note that Sync-MgDeviceManagementManagedDevice is a part of Microsoft.Graph.DeviceManagement.Actions Powershell module and Get-MgDeviceManagementManagedDevice is a part of Microsoft.Graph.DeviceManagement PowerShell module. So we will need to Install both of these powershell modules on our device.
Microsoft Graph Powershell SDK reference: Get started with the Microsoft Graph PowerShell SDK.
Invoke Intune sync on One device using Powershell
Use below steps to Force Initiate Intune Sync on One device using Powershell. First Launch Powershell console as administrator and execute below commands.
1. Set ExecutionPolicy to RemoteSigned
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser2. Install Device Management Powershell Modules
Install-Module -Name Microsoft.Graph.DeviceManagement -Force
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force3. Import Device Management Powershell Modules
Import-Module -Name Microsoft.Graph.DeviceManagement
Import-Module -Name Microsoft.Graph.DeviceManagement.Actions4. Connect to Microsoft Graph
Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All
5. Verify the timestamp for the last completed Intune sync
Get-MgDeviceManagementManagedDevice | Where {$_.devicename -eq "CLOUDINFRA-W-25"} | fl Lastsyncdatetime
6. Invoke Intune sync on a device named CLOUDINFRA-W-25
$myDevice = Get-MgDeviceManagementManagedDevice -Filter "contains(deviceName,'CLOUDINFRA-W-25')"
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $myDevice.id
Invoke Intune sync on all Intune-managed devices using PowerShell
Now that we have learned the steps to initiate Intune Sync on one device using PowerShell, we can use the same cmdlet and place it in a foreach loop to initiate Intune Sync on all Intune-managed devices.
Please note that the script below will target All device types managed by Intune, including Windows, macOS, iOS, Android, Linux, etc. If you want to run Intune Sync only on a specific type of platform (e.g., Windows), you can use the Filter parameter of the Get-MgDeviceManagementManagedDevice cmdlet.
I have provided more details about using the Filter option in the following blog post sections.
1. Create a Powershell script Sync-IntunePolicies.ps1
Copy and paste the following PowerShell code into a file and save it as Sync-IntunePolicies.ps1. Alternatively, you can download this script from my GitHub Repository: Sync-IntunePolicies.ps1.
Sync-IntunePolicies.ps1
<#
.SYNOPSIS
Sync Intune Policies on All Intune-Managed Devices at once
.DESCRIPTION
Below script will force Initiate Intune Sync on All Intune Managed devices
.NOTES
Name : Sync-IntunePolicies.ps1
Author : Jatin Makhija
Version : 1.0.0
DateCreated: 23-Nov-2023
Blog : https://cloudinfra.net
.LINK
https://cloudinfra.net
#>
try {
# Install required modules
Install-Module -Name Microsoft.Graph.DeviceManagement -Force -ErrorAction Stop
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force -ErrorAction Stop
# Import required modules
Import-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction Stop
Import-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction Stop
# Connect to Microsoft Graph
Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All -ErrorAction Stop
# Get all managed devices
$managedDevices = Get-MgDeviceManagementManagedDevice -All -ErrorAction Stop
# Synchronize each managed device
foreach ($device in $managedDevices) {
try {
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
Write-Host "Invoking Intune Sync for $($device.DeviceName)" -ForegroundColor Yellow
}
catch {
Write-Error "Failed to sync device $($device.DeviceName). Error: $_"
}
}
}
catch {
Write-Error "An error occurred. Error: $_"
}
finally {
# Cleanup
Remove-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction SilentlyContinue
Remove-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction SilentlyContinue
}2. Execute the Powershell script
The next step is to execute Sync-IntunePolicies.ps1 without making any changes to the script. Let’s go through the steps:
- Open the Powershell console as an administrator
- Navigate to the folder where you have stored the script.
- Execute the Script by typing .\Sync-IntunePolicies.ps1 on the console.
Please note that after you execute this PowerShell script, you may need to authenticate to Microsoft Graph. Make sure to use an Administrator account with at least the following privileges:
- DeviceManagementManagedDevices.PrivilegedOperations.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementManagedDevices.Read.All
Invoke Intune Sync on All Intune-managed Windows Devices
Now, we will modify our script to target only Intune-managed Windows devices. This way, you can ensure that Intune sync is not initiated on other device platforms such as macOS, Android, Linux, or iOS, etc.
You can modify below code in the PowerShell script to target devices based on their operating system type and execute the script. For example:
Filter Windows Devices
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Windows')" -All -ErrorAction StopFilter iOS Devices
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'iOS')" -All -ErrorAction StopFilter Android Devices
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Android')" -All -ErrorAction Stop1. Create a Powershell script Sync-IntunePolicies_Windows.ps1
Copy and paste the following PowerShell code into a file and save it as Sync-IntunePolicies_Windows.ps1. Alternatively, you can download this script from my GitHub Repository: Sync-IntunePolicies_Windows.ps1.
Sync-IntunePolicies_Windows.ps1
<#
.SYNOPSIS
Sync Intune Policies on All Intune-Managed Devices where Device type is Windows
.DESCRIPTION
Below script will force Initiate Intune Sync on All Intune Managed devices where Device type is Windows
.NOTES
Name : Sync-IntunePolicies_Windows.ps1
Author : Jatin Makhija
Version : 1.0.0
DateCreated: 23-Nov-2023
Blog : https://cloudinfra.net
.LINK
https://cloudinfra.net
#>
try {
# Install required modules
Install-Module -Name Microsoft.Graph.DeviceManagement -Force -ErrorAction Stop
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force -ErrorAction Stop
# Import required modules
Import-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction Stop
Import-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction Stop
# Connect to Microsoft Graph
Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All -ErrorAction Stop
# Get all managed devices where device type is Windows
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Windows')" -All -ErrorAction Stop
# Synchronize each managed device
foreach ($device in $managedDevices) {
try {
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
Write-Host "Invoking Intune Sync for $($device.DeviceName)" -ForegroundColor Yellow
}
catch {
Write-Error "Failed to sync device $($device.DeviceName). Error: $_"
}
}
}
catch {
Write-Error "An error occurred. Error: $_"
}
finally {
# Cleanup
Remove-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction SilentlyContinue
Remove-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction SilentlyContinue
}2. Execute the Powershell script Sync-IntunePolicies_Windows.ps1
The next step is to execute Sync-IntunePolicies_Windows.ps1 without making any changes to the script. Let’s go through the steps:
- Open the Powershell console as an administrator.
- Navigate to the folder where you have stored the script.
- Execute the Script by typing .\Sync-IntunePolicies_Windows.ps1 on the console.
Please note that after you execute this PowerShell script, you may need to authenticate to Microsoft Graph. Make sure to use an Administrator account with at least the following privileges:
- DeviceManagementManagedDevices.PrivilegedOperations.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementManagedDevices.Read.All
Method 2: Using Invoke-IntuneManagedDeviceSyncDevice
The second method involves using the Powershell cmdlet Invoke-IntuneManagedDeviceSyncDevice. Using this cmdlet, we can force Initiate Intune sync on a single Windows 10/11 device or multiple Windows 10/11 devices at once.
This method requires creating an application in Entra ID and utilizing the app for establishing a connection using Connect-MSGraph. Let’s check the steps:
Create An Entra App Registration
- Sign in to Entra admin center > Identity > Applications > App registrations.
- Click on + New Registration.
- Name: Provide a name of the app (e.g. Intune PowerShell App).
- Who can use this application or access this API?: Select the first option Accounts in this organizational diectory only.
- Redirect URI: Select Public client/native (mobile & desktop) and provide a value of urn:ietf:wg:oauth:2.0:oob. Click on Register to create the app registration.
- Open the App registration and click on API permissions > Add a permission > Microsoft Graph.
- Select Delegrated permissions and add below permissions:
| API Permission | Description |
|---|---|
| DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps |
| DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune Device Configuration and Policies |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices |
| DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings |
| DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration |
| Directory.Read.All | Read directory data |
| Group.ReadWrite.All | Read and write all groups |
| openid | Sign users in |
- Click on Grant admin consent for <tenant> and when prompted select Yes. The Status column will show green check after admin consent has been granted.
- Go to the Overview page and copy the Client ID of the app. It will be used later for establishing a connection using PowerShell Graph.
Invoke Intune sync on One device using Powershell
After creating the Entra app, provided necessary API permissions and adding the Redirect URI, proceed to the following steps to trigger or forcefully initiate Intune sync on an individual device using PowerShell. To do this, we’ll need to install the Microsoft Graph Intune module and establish a connection with Microsoft Graph.
1. Install Microsoft Graph Intune Powershell Module
Install-module Microsoft.Graph.Intune -force
2. Import Microsoft Graph Intune Powershell Module
Import-module Microsoft.Graph.Intune3. Connect to Microsoft Graph
Update-MSGraphEnvironment -AppId <app id noted earlier>
Example:
Update-MSGraphEnvironment -AppId "8393def8-2d36-40ff-bb67-a88f3924beee"
Connect-MSGraph
4. Verify the timestamp for the Last completed Intune Sync
Get-IntuneManageddevice | Where {$_.devicename -eq "CLOUDINFRA-W-25"} | fl Lastsyncdatetime
5. Invoke Intune sync on a device named CLOUDINFRA-W-25
Get-IntuneManageddevice -Filter "contains(devicename, 'CLOUDINFRA-W-25')" | Invoke-IntuneManagedDeviceSyncDevice
Invoke Intune sync on All devices using Powershell
We will use a PowerShell command, Invoke-IntuneManagedDeviceSyncDevice to remotely trigger a device check-in process on all Intune-managed devices.
Before running the following commands, ensure that you have installed the Microsoft Graph Intune PowerShell module and established a connection with MS Graph. Instructions for these steps can be found in the previous section.
Let’s check the steps:
1. Fetch all Intune-managed Windows devices in a variable
$devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')"
We used the Get-IntuneManagedDevice -Filter “contains(operatingsystem, ‘Windows’) command to filter for Windows devices. You can replace the operatingsystem filter with iOS or Android to fetch those types of devices and initiate Intune sync accordingly. For example:
- Get-IntuneManagedDevice -Filter “contains(operatingsystem, ‘iOS’)”
- Get-IntuneManagedDevice -Filter “contains(operatingsystem, ‘Android’)”
2. Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
#Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
Foreach ($device in $devices)
{
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.managedDeviceId
Write-Host "Sending Intune Sync request to $($device.managedDeviceId)"
}
Invoke Intune sync on more than 1000 devices
If your organization has more than 1000 devices or you want to initiate Intune sync on more than 1000 devices, you will need to use the Get-MSGraphAllPages cmdlet in conjunction with the Get-IntuneManagedDevice cmdlet. This allows you to collect information from all pages of device records efficiently.
1. Gather All Intune Managed Windows Devices in $devices variable
$devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')" | Get-MSGraphAllPages
2. Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
#Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
Foreach ($device in $devices)
{
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.managedDeviceId
Write-Host "Sending Intune Sync request to $($device.managedDeviceId)"
}
Troubleshooting
1. Connect-MSGraph command was found in the module
In case you are unable to connect using the Connect-Msgraph or Connect-Mggraph cmdlets and are getting the below error message, then you need to ensure that script execution is allowed in PowerShell. Run this command to fix this issue and try to connect to MS Graph again.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUserConnect-MSGraph : The 'Connect-MSGraph' command was found in the module 'Microsoft.Graph.Intune', but the
module could not be loaded. For more information, run 'Import-Module Microsoft.Graph.Intune'.
At line:1 char:1
+ Connect-MSGraph
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Connect-MSGraph:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
2. Error Code AADSTS50011: Redirect URI does not match
After using Update-MSGraphEnvironment and thereafter Connect-MSGraph to establish a connection, you may get AADSTS50011 error code. Below screenshot shows the exact error message. This error occurs when the redirect URI required does not match with what has been configured in the Entra app registration. You must specifiy the Redirect URI in the app to establish a connection.
AADSTS50011: The redirect URI 'urn:ietf:wg:oauth:2.0:oob' specified in the request does not match the redirect URIs configured for the application '8393def8-2d36-40ff-bb67-a88f3924beee'.
Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
- Sign in to Entra admin center > Identity > Applications > App registrations.
- Open the App and click on Authentication. Ensure that the Redirect URI which is given in the error message: urn:ietf:wg:oauth:2.0:oob is added in the Redirect URIs list.
3. Error Code AADSTS500113: No reply address is registered for the application
When trying to establish a connection using Connect-MSGraph. You may get below error message:
Sorry, but we're having trouble with signing you in
AADSTS500113: No reply address is registered for the application
To fix this error, you will have to specifiy Redirect URI value in the app. If you have not configured Redirect URI in Entra App registration, you will get this error message.
To get the value of the Redirect URI, execute Update-MSGraphEnvironment and check the RedirectLink value (refer to the previous screenshots for this command). Once you get the Redirect URI value. You can click on Add a Platform > select Mobile and desktop applications. After that click on Add URI link and add the Redirect URI value.
Wonderful! Thank You!