4 Ways to Force Intune Sync Using PowerShell

In this blog post, I will show you multiple ways to force an Intune sync using PowerShell. A sync triggers the device to check in with Intune so it can receive the latest policy updates, app assignments, and administrative actions from your organization.

You can wait for the next scheduled policy refresh cycle, but that often means waiting several hours before you know whether a new configuration profile applied successfully or a Win32 app deployment started. This delay can slow down testing, troubleshooting, and rollout validation.

As per Microsoft, when you target a device or user with an action, Intune can immediately notify the device to check in and pick up the change, for example, a remote lock, passcode reset, app deployment, or policy assignment.

In production, you typically do not need to initiate sync manually. However, it is extremely useful when you have just created or modified an app deployment, PowerShell script, remediation, or device configuration profile and you want to validate results as quickly as possible. In my previous article, I listed 10 different ways to initiate Intune sync manually on Windows devices; refer to the link for more details: Manually Sync Intune Policies On Windows [10-Ways].

Method 1: Force Intune Sync Using Invoke-MgGraphRequest

This is the most reliable and scalable method because it triggers the same syncDevice action that Intune uses, and it works remotely (device must be online). The required permission for initiating sync using Invoke-MgGraphRequest is DeviceManagementManagedDevices.PrivilegedOperations.All.

Before you start:

  • Ensure that the Microsoft Graph PowerShell SDK is installed on your device.
  • You have delegated or app-only permission that includes:
    • DeviceManagementManagedDevices.Read.All (to list/find devices).
    • DeviceManagementManagedDevices.PrivilegedOperations.All (to run sync).

Install Microsoft Graph PowerShell module

Install-Module Microsoft.Graph -Scope CurrentUser -Force

Connect to Graph with required scopes

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.PrivilegedOperations.All"

After you have successfully connected to Microsoft Graph with the required scopes, use the PowerShell script below to initiate an Intune sync on a single device. Update the $DeviceName variable in the script with the name of the device you want to sync, and then run the script.

Sync_One_Device.ps1

$DeviceName = "CLOUDINFRA-W-29"

# Find the device (use startsWith/contains carefully; duplicates can exist)
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -Top 1

if (-not $device) {
    throw "Device not found in Intune: $DeviceName"
}

# Trigger sync (Graph action)
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/syncDevice"

Write-Host "Sync requested for $($device.DeviceName) ($($device.Id))"
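A sync request only tells Intune to notify the device; the 204 response does not prove the device checked in. The following added example (not part of the original post; the function name and parameters are my own) extends the single-device script by matching the device name exactly, handling duplicate records, and then polling lastSyncDateTime until the check-in is visible or a timeout expires. It assumes Connect-MgGraph has already been run with the two scopes listed above.

```powershell
# Added example: request a sync for one device by exact name, then confirm the check-in.
# Assumes Connect-MgGraph has been run with Read.All and PrivilegedOperations.All scopes.
function Request-IntuneSyncAndVerify {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [int] $TimeoutSeconds = 300,
        [int] $PollSeconds    = 15
    )

    # Exact match: contains() would also return CLOUDINFRA-W-291, CLOUDINFRA-W-29-OLD, etc.
    $found = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'")
    if ($found.Count -eq 0) { throw "Device not found in Intune: $DeviceName" }
    if ($found.Count -gt 1) {
        Write-Warning "$($found.Count) Intune records named $DeviceName (stale re-enrollments?); using the most recently seen one."
    }
    $device   = $found | Sort-Object LastSyncDateTime -Descending | Select-Object -First 1
    $baseline = $device.LastSyncDateTime

    # Same Graph action the admin center uses; it returns 204 No Content on success.
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/syncDevice"
    Invoke-MgGraphRequest -Method POST -Uri $uri
    Write-Host "Sync requested for $($device.DeviceName) ($($device.Id)); last check-in: $baseline"

    # The check-in itself only happens when the device is online, so watch
    # lastSyncDateTime instead of trusting the 204.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $current = (Get-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id).LastSyncDateTime
        if ($current -and $current -gt $baseline) {
            Write-Host "Device checked in at $current (UTC)"
            return [pscustomobject]@{ DeviceName = $device.DeviceName; Id = $device.Id; Synced = $true; LastSyncDateTime = $current }
        }
    }
    Write-Warning "No check-in within $TimeoutSeconds s; the device is likely offline or cannot reach the Intune service."
    return [pscustomobject]@{ DeviceName = $device.DeviceName; Id = $device.Id; Synced = $false; LastSyncDateTime = $baseline }
}

Request-IntuneSyncAndVerify -DeviceName "CLOUDINFRA-W-29"
```

A device that never advances lastSyncDateTime after a request is worth following up, since the same condition also prevents it from receiving compliance and security policy changes.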

Run the PowerShell script below to initiate an Intune sync on all Intune-managed Windows devices. To target a specific platform instead, change the -Filter value from Windows to Android, iOS, etc.

Sync_All_Device(Windows).ps1

$devices = Get-MgDeviceManagementManagedDevice -All -Filter "contains(operatingSystem,'Windows')"

foreach ($d in $devices) {
    try {
        Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/syncDevice"
        Write-Host "Sync requested: $($d.DeviceName)"
        Start-Sleep -Milliseconds 200
    }
    catch {
        Write-Warning "Failed to request sync for $($d.DeviceName): $($_.Exception.Message)"
        Start-Sleep -Seconds 2
    }
}

Method 2: Force Intune Sync Using Sync-MgDeviceManagementManagedDevice

This method uses the Sync-MgDeviceManagementManagedDevice PowerShell cmdlet to force an Intune sync on one or more Windows 10 or Windows 11 devices. Note that Sync-MgDeviceManagementManagedDevice is part of the Microsoft.Graph.DeviceManagement.Actions PowerShell module, while Get-MgDeviceManagementManagedDevice is a part of Microsoft.Graph.DeviceManagement PowerShell module. As a result, both modules must be installed on your device before running these cmdlets.

If you have installed the complete Microsoft Graph PowerShell module using Install-Module Microsoft.Graph -Scope CurrentUser -Force, you don’t need to install these individual modules again. For more information, refer to the Microsoft Graph PowerShell SDK documentation: Get started with the Microsoft Graph PowerShell SDK.

Invoke Intune sync on one device using PowerShell

Use the steps below to force an Intune sync on a single device using PowerShell. First, launch the PowerShell console as an administrator and then execute the commands given below.

1. Set ExecutionPolicy to RemoteSigned

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

2. Install Device Management PowerShell Modules

Install-Module -Name Microsoft.Graph.DeviceManagement -Force
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force

3. Import Device Management PowerShell Modules

Import-Module -Name Microsoft.Graph.DeviceManagement
Import-Module -Name Microsoft.Graph.DeviceManagement.Actions

4. Connect to Microsoft Graph with required scopes

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.PrivilegedOperations.All"

5. Verify the timestamp for the last completed Intune sync

# Filter server-side by name; piping every device through Where-Object without -All only inspects the first page of results
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'CLOUDINFRA-W-25'" | Format-List DeviceName, LastSyncDateTime

6. Invoke Intune sync on a device named CLOUDINFRA-W-25

# Exact match on deviceName; contains() could return more than one device, and the cmdlet expects a single ID
$myDevice = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'CLOUDINFRA-W-25'"
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $myDevice.Id

Invoke Intune sync on all devices using PowerShell

Now that we have covered how to initiate an Intune sync on a single device using PowerShell, you can use the same cmdlet within a foreach loop to trigger an Intune sync on all Intune-managed devices. Note that the script below targets all device types managed by Intune, including Windows, macOS, iOS, Android, and Linux.

If you want to initiate an Intune sync only for a specific platform, such as Windows, you can use the -Filter parameter with the Get-MgDeviceManagementManagedDevice cmdlet to limit the scope accordingly.

  1. Create a PowerShell script: Copy and paste the following PowerShell code into a file and save it as Sync-IntunePolicies.ps1. Alternatively, you can download this script from my GitHub repository: Sync-IntunePolicies.ps1. The script installs the required Graph modules and connects with the required scopes.

Sync-IntunePolicies.ps1

<# 
.SYNOPSIS 
Sync Intune Policies on All Intune-Managed Devices at once
 
.DESCRIPTION 
Below script will force Initiate Intune Sync on All Intune Managed devices
.NOTES     
        Name       : Sync-IntunePolicies.ps1
        Author     : Jatin Makhija  
        Version    : 1.0.0  
        DateCreated: 23-Nov-2023
        Blog       : https://cloudinfra.net
         
.LINK 
https://cloudinfra.net 
#>
try {
    # Install required modules
    Install-Module -Name Microsoft.Graph.DeviceManagement -Force -ErrorAction Stop
    Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force -ErrorAction Stop

    # Import required modules
    Import-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction Stop
    Import-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction Stop

    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.PrivilegedOperations.All" -ErrorAction Stop

    # Get all managed devices
    $managedDevices = Get-MgDeviceManagementManagedDevice -All -ErrorAction Stop

    # Synchronize each managed device
    foreach ($device in $managedDevices) {
        try {
            Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
            Write-Host "Invoking Intune Sync for $($device.DeviceName)" -ForegroundColor Yellow
        }
        catch {
            Write-Error "Failed to sync device $($device.DeviceName). Error: $_"
        }
    }
}
catch {
    Write-Error "An error occurred. Error: $_"
}
finally {
    # Cleanup
    Remove-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction SilentlyContinue
    Remove-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction SilentlyContinue
}

  2. Execute Sync-IntunePolicies.ps1:
    • Open the PowerShell console as an administrator.
    • Navigate to the folder where you have stored the script.
    • Execute the script by typing .\Sync-IntunePolicies.ps1 on the console.

Invoke Intune Sync on Specific Platforms

The previous script invokes an Intune sync irrespective of the platform type. If you want a more targeted approach and initiate the sync only on specific device platforms such as Windows, iOS, or Android, use the -Filter parameter as shown below.

Filter Windows Devices

$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Windows')" -All -ErrorAction Stop

Filter iOS Devices

$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'iOS')" -All -ErrorAction Stop

Filter Android Devices

$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Android')" -All -ErrorAction Stop

  1. Create a PowerShell script called Sync-IntunePolicies_Windows.ps1: Copy and paste the following PowerShell code into a file and save it as Sync-IntunePolicies_Windows.ps1. Alternatively, you can download this script from my GitHub repository: Sync-IntunePolicies_Windows.ps1.

Sync-IntunePolicies_Windows.ps1

<# 
.SYNOPSIS 
Sync Intune Policies on All Intune-Managed Devices where Device type is Windows
 
.DESCRIPTION 
Below script will force Initiate Intune Sync on All Intune Managed devices where Device type is Windows
.NOTES     
        Name       : Sync-IntunePolicies_Windows.ps1
        Author     : Jatin Makhija  
        Version    : 1.0.0  
        DateCreated: 23-Nov-2023
        Blog       : https://cloudinfra.net
         
.LINK 
https://cloudinfra.net 
#>
try {
    # Install required modules
    Install-Module -Name Microsoft.Graph.DeviceManagement -Force -ErrorAction Stop
    Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force -ErrorAction Stop

    # Import required modules
    Import-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction Stop
    Import-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction Stop

    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.PrivilegedOperations.All" -ErrorAction Stop

    # Get all managed devices where device type is Windows
    $managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Windows')" -All -ErrorAction Stop

    # Synchronize each managed device
    foreach ($device in $managedDevices) {
        try {
            Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
            Write-Host "Invoking Intune Sync for $($device.DeviceName)" -ForegroundColor Yellow
        }
        catch {
            Write-Error "Failed to sync device $($device.DeviceName). Error: $_"
        }
    }
}
catch {
    Write-Error "An error occurred. Error: $_"
}
finally {
    # Cleanup
    Remove-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction SilentlyContinue
    Remove-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction SilentlyContinue
}

  2. Execute the PowerShell script Sync-IntunePolicies_Windows.ps1:
    • Open the PowerShell console as an administrator.
    • Navigate to the folder where you have stored the script.
    • Execute the script by typing .\Sync-IntunePolicies_Windows.ps1 on the console.
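Syncing every device in the tenant is rarely what you want; the devices that matter are the ones that have not checked in for a while. The following added example (not the post's own script; the function name and parameters are my own) uses the same Sync-MgDeviceManagementManagedDevice cmdlet and Windows filter as above, but only for devices whose last check-in is older than a threshold, supports -WhatIf for a dry run, and writes a CSV record of every request. It assumes the Microsoft.Graph.DeviceManagement and .Actions modules are imported and Connect-MgGraph has been run with the two scopes used above.

```powershell
# Added example: request a sync only for stale Windows devices and keep an audit record.
# Assumes the DeviceManagement modules are imported and Connect-MgGraph has been run.
function Sync-StaleIntuneWindowsDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $StaleAfterHours = 24,
        [string] $ReportPath      = ".\IntuneSyncRequests.csv"
    )

    # Graph returns lastSyncDateTime in UTC, so build the cutoff in UTC as well.
    $cutoff  = (Get-Date).ToUniversalTime().AddHours(-$StaleAfterHours)
    $windows = @(Get-MgDeviceManagementManagedDevice -All -Filter "contains(operatingSystem,'Windows')")

    # The OS filter stays server-side; the staleness check is done client-side.
    $stale = @($windows | Where-Object { (-not $_.LastSyncDateTime) -or ($_.LastSyncDateTime -lt $cutoff) })
    Write-Host "$($windows.Count) Windows devices, $($stale.Count) not seen since $cutoff (UTC)"

    $results = foreach ($d in $stale) {
        $status = "Skipped"
        if ($PSCmdlet.ShouldProcess($d.DeviceName, "Request Intune sync")) {
            try {
                Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id -ErrorAction Stop
                $status = "Requested"
                Start-Sleep -Milliseconds 200   # light pacing to stay clear of Graph throttling
            }
            catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            DeviceName        = $d.DeviceName
            ManagedDeviceId   = $d.Id
            UserPrincipalName = $d.UserPrincipalName
            LastSyncDateTime  = $d.LastSyncDateTime
            Status            = $status
            RequestedAtUtc    = (Get-Date).ToUniversalTime()
        }
    }

    $results = @($results)
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Wrote $($results.Count) rows to $ReportPath"
    return $results
}

# Dry run first; drop -WhatIf to actually send the sync requests.
Sync-StaleIntuneWindowsDevice -StaleAfterHours 24 -WhatIf
```

The CSV doubles as a list of devices that still do not check in afterwards, which is the population to investigate for network, enrollment or tampering problems.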

Method 3: Force Intune Sync Using Invoke-IntuneManagedDeviceSyncDevice

Another method involves using the PowerShell cmdlet Invoke-IntuneManagedDeviceSyncDevice. With this cmdlet, you can force an Intune sync on a single Windows 10 or Windows 11 device or on multiple devices at once. This approach requires creating an application in Microsoft Entra ID and using that app to establish a connection with Connect-MSGraph.

Create an Entra App Registration

  • Sign in to the Entra admin center > Expand Entra ID > App registrations.
  • Click on + New Registration.
  • Name: Provide a name of the app (e.g., Intune PowerShell App).
  • Who can use this application or access this API?: Select the first option, Accounts in this organizational directory only.
  • Redirect URI: Select Public client/native (mobile & desktop) and provide a value of urn:ietf:wg:oauth:2.0:oob. Click on Register to create the app registration.
  • Open the app registration and click on API permissions > Add a permission > Microsoft Graph.
  • Select Delegated permissions and add the permissions listed in the table below. These permissions are equivalent to those previously provided by the legacy Intune PowerShell app, which has now been deprecated. If your goal is only to initiate device sync operations, you can follow the principle of least privilege and add only the following two permissions:
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementManagedDevices.PrivilegedOperations.All
API Permission                                            Description
DeviceManagementApps.ReadWrite.All                        Read and write Microsoft Intune apps
DeviceManagementConfiguration.ReadWrite.All               Read and write Microsoft Intune Device Configuration and Policies
DeviceManagementManagedDevices.PrivilegedOperations.All   Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.Read.All                   Read Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All              Read and write Microsoft Intune devices
DeviceManagementRBAC.ReadWrite.All                        Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.ReadWrite.All               Read and write Microsoft Intune configuration
Directory.Read.All                                        Read directory data
Group.ReadWrite.All                                       Read and write all groups
openid                                                    Sign users in
  • Click on Grant admin consent for <tenant>, and when prompted, select Yes. The Status column will show a green check after admin consent has been granted.
  • Go to the Overview page and copy the Client ID of the app. It will be used later for establishing a connection using Graph PowerShell.

Invoke Intune sync on one device using PowerShell

After creating the Entra app, assigning the required API permissions, and configuring the redirect URI, proceed with the steps below to trigger or force an Intune sync on an individual device using PowerShell. To do this, you must install the Microsoft Graph Intune module and establish a connection to Microsoft Graph.

1. Install Microsoft Graph Intune PowerShell Module

Install-Module Microsoft.Graph.Intune -Force

2. Import Microsoft Graph Intune PowerShell Module

Import-Module Microsoft.Graph.Intune

3. Connect to Microsoft Graph

Update-MSGraphEnvironment -AppId <app id copied earlier>

Example:
Update-MSGraphEnvironment -AppId "8393def8-2d36-40ff-bb67-a88f3924beee"

Connect-MSGraph

4. Verify the timestamp for the last completed Intune sync

# Filter server-side by name; the unfiltered cmdlet returns only the first page of devices
Get-IntuneManagedDevice -Filter "contains(deviceName, 'CLOUDINFRA-W-25')" | Format-List deviceName, lastSyncDateTime

5. Invoke Intune sync on a device named CLOUDINFRA-W-25

Get-IntuneManageddevice -Filter "contains(devicename, 'CLOUDINFRA-W-25')" | Invoke-IntuneManagedDeviceSyncDevice

Invoke Intune sync on all devices using PowerShell

We will use the PowerShell cmdlet Invoke-IntuneManagedDeviceSyncDevice to remotely trigger a device check-in on all Intune-managed devices. Before running the commands below, ensure that the Microsoft Graph Intune PowerShell module is installed and that you are connected to Microsoft Graph. The steps for these prerequisites are covered in the previous section.

I will use the Get-IntuneManagedDevice -Filter "contains(operatingSystem, 'Windows')" command to target Windows devices. You can replace the operatingSystem filter with iOS or Android to retrieve those device types and initiate an Intune sync. For example:

  • Get-IntuneManagedDevice -Filter "contains(operatingSystem, 'iOS')"
  • Get-IntuneManagedDevice -Filter "contains(operatingSystem, 'Android')"

1. Fetch all Intune-managed Windows devices in a variable

$devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')"

2. Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice

# Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
foreach ($device in $devices) {
    Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.managedDeviceId
    Write-Host "Sending Intune Sync request to $($device.managedDeviceId)"
}

Invoke Intune sync on more than 1000 devices

If you want to initiate Intune sync on more than 1,000 devices, you must use the Get-MSGraphAllPages cmdlet together with Get-IntuneManagedDevice. This ensures that device records are retrieved from all result pages and allows you to target all devices efficiently.

1. Collect all Intune-managed Windows devices in $devices variable

$devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')" | Get-MSGraphAllPages

2. Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice

# Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
foreach ($device in $devices) {
    Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.managedDeviceId
    Write-Host "Sending Intune Sync request to $($device.managedDeviceId)"
}

Method 4: Force Intune Sync Using PushLaunch Scheduled Task

In this method, we start the PushLaunch scheduled task to initiate the Intune sync locally on the device. Copy the PowerShell script below, save it as Intune_Sync_PushLaunch.ps1, and execute it locally on the device where you want to trigger the sync.

Intune_Sync_PushLaunch.ps1

# Find PushLaunch tasks for MDM enrollment and run them
$tasks = Get-ScheduledTask |
    Where-Object {
        $_.TaskPath -like "\Microsoft\Windows\EnterpriseMgmt\*" -and
        $_.TaskName -eq "PushLaunch"
    }

if (-not $tasks) {
    throw "PushLaunch task not found. Device may not be MDM-enrolled or tasks are missing."
}

foreach ($t in $tasks) {
    Start-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath
    Write-Host "Started $($t.TaskPath)$($t.TaskName)"
}
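Starting the task only launches the MDM client; it does not tell you whether the check-in succeeded. The following added example (not the post's own script; the function name is my own) starts PushLaunch as above, waits for the task to finish, reports its result code, and then lists any errors the MDM client wrote to its event log during that window. It assumes an elevated PowerShell session on an enrolled device.

```powershell
# Added example: start PushLaunch locally, wait for it to finish, and check for MDM errors.
# Assumes an elevated PowerShell session on the MDM-enrolled device.
function Start-LocalIntuneSyncAndVerify {
    param([int] $TimeoutSeconds = 120)

    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\*" -TaskName "PushLaunch" -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $task) { throw "PushLaunch task not found. Device may not be MDM-enrolled." }

    $before  = (Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath).LastRunTime
    $started = Get-Date
    Start-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    Write-Host "Started $($task.TaskPath)$($task.TaskName); previous run: $before"

    # Wait until the task has a newer LastRunTime and is no longer in the Running state.
    $deadline = $started.AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
        $info  = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    } until (($info.LastRunTime -gt $before -and $state -ne 'Running') -or (Get-Date) -gt $deadline)

    # 0 means the launcher exited cleanly; anything else deserves a look.
    Write-Host ("PushLaunch last run {0}, result 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult)

    # Errors logged by the MDM client (OMA-DM session) since the task was started.
    $mdmErrors = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2          # Error
        StartTime = $started
    } -ErrorAction SilentlyContinue)
    foreach ($e in $mdmErrors) {
        Write-Warning ("{0} [{1}] {2}" -f $e.TimeCreated, $e.Id, $e.Message.Split("`n")[0])
    }

    return [pscustomobject]@{
        TaskPath       = $task.TaskPath
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult
        Completed      = ($info.LastRunTime -gt $before -and $state -ne 'Running')
        MdmErrorCount  = $mdmErrors.Count
    }
}

Start-LocalIntuneSyncAndVerify
```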

Troubleshooting

1. Connect-MSGraph command was found in the module, but the module could not be loaded

If you are unable to connect using the Connect-MSGraph or Connect-MgGraph cmdlets and receive the error message shown below, ensure that script execution is allowed in PowerShell. Run the command below to resolve the issue, and then try connecting to Microsoft Graph again.

Fix

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Error message

Connect-MSGraph : The 'Connect-MSGraph' command was found in the module 'Microsoft.Graph.Intune', but the
module could not be loaded. For more information, run 'Import-Module Microsoft.Graph.Intune'.
At line:1 char:1
+ Connect-MSGraph
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Connect-MSGraph:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

2. Error Code AADSTS50011: Redirect URI does not match

After running Update-MSGraphEnvironment and then using Connect-MSGraph to establish a connection, you may encounter the AADSTS50011 error. The screenshot below shows the exact error message. This error occurs when the required redirect URI does not match the redirect URI configured in the Entra app registration. To resolve this issue, ensure that the correct redirect URI is added to the app registration before attempting to connect again.

Error code AADSTS50011

AADSTS50011: The redirect URI 'urn:ietf:wg:oauth:2.0:oob' specified in the request does not match the redirect URIs configured for the application '8393def8-2d36-40ff-bb67-a88f3924beee'. 
Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
  • Sign in to the Entra admin center > Expand Entra ID > App registrations.
  • Open the app and click on Authentication. Ensure that the Redirect URI given in the error message, urn:ietf:wg:oauth:2.0:oob, is added to the Redirect URIs list.

3. Error Code AADSTS500113: No reply address is registered for the application

When trying to establish a connection using Connect-MSGraph, you may get the error message below:

Error Code AADSTS500113

Sorry, but we're having trouble with signing you in

AADSTS500113: No reply address is registered for the application

To fix this error, you must configure a Redirect URI in the Entra app registration. If no Redirect URI is configured, this error will occur. To obtain the required Redirect URI value, run Update-MSGraphEnvironment and note the RedirectLink value (refer to the earlier screenshots for this command). Once you have the Redirect URI, go to the app registration, click Add a platform, select Mobile and desktop applications, then click Add URI and enter the Redirect URI value.


4. AADSTS700016: Application with identifier d1ddf0e4-d672-4dae-b554-9d5bdfd93547 was not found in the directory

This is the application identifier of the Microsoft Intune PowerShell app, which can no longer be created. Previously, when you established a connection to Intune, this app was automatically created in Entra ID. However, Microsoft has deprecated this app, and it is no longer available. As a result, you must now create your own application in Entra ID (refer to the section Method 3: Force Intune Sync Using Invoke-IntuneManagedDeviceSyncDevice of this post) and assign the required permissions.
