In this blog post, we will learn about how to force Intune Sync using Powershell. Syncing forces your device to connect with Intune to get the latest updates, requirements, and communications from your organization.
You could either wait for the next Intune policy refresh cycle but this will mean that you would have to wait for a couple of hours before you know if the policy has been applied successfully or an app has been deployed on the device. This can delay your testing and app deployment.
According to Microsoft: “When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. For example, when a lock, passcode reset, app, or policy assignment action runs.”
In a Production scenario, you may not have to manually Initiate Intune sync, but this could be really useful when you have recently created an App deployment, Powershell script deployment, or a device configuration profile and you want to test and confirm if the deployment is succeeded ASAP.
There are two methods we are going to explore today. The first method will use the Sync-MgDeviceManagementManagedDevice cmdlet to initiate Intune Sync, and the second method will use Invoke-IntuneManagedDeviceSyncDevice. Both of these methods work fine. You can start with Method 1, and if there are any issues, you can also utilize Method 2.
Step-by-step guides
Table of Contents
Method 1 – Using Sync-MgDeviceManagementManagedDevice
The first method involves using the PowerShell cmdlet Sync-MgDeviceManagementManagedDevice. By using this cmdlet, we can force initiate Intune sync on a single Windows 10/11 device or multiple Windows 10/11 devices.
Please note that Sync-MgDeviceManagementManagedDevice is a part of Microsoft.Graph.DeviceManagement.Actions Powershell module and Get-MgDeviceManagementManagedDevice is a part of Microsoft.Graph.DeviceManagement powershell module. So we will need to Install both of these powershell modules on our device.
Microsoft Graph Powershell SDK reference: Get started with the Microsoft Graph PowerShell SDK.
Invoke Intune sync on One device using Powershell
Use below steps to Force Initiate Intune Sync on One device using Powershell. First Launch Powershell console as administrator and execute below commands.
STEP 1 – Set ExecutionPolicy to RemoteSigned
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUserSTEP 2 – Install Device Management Powershell Modules
Install-Module -Name Microsoft.Graph.DeviceManagement -Force
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -ForceSTEP 3 – Import Device Management Powershell Modules
Import-Module -Name Microsoft.Graph.DeviceManagement
Import-Module -Name Microsoft.Graph.DeviceManagement.ActionsSTEP 4 – Connect to Microsoft Graph
Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All
STEP 5 – Verify the timestamp for the last completed Intune sync
Get-MgDeviceManagementManagedDevice | Where {$_.devicename -eq "CLOUDINFRA-W-25"} | fl Lastsyncdatetime
STEP 6 – Invoke Intune sync on a device named CLOUDINFRA-W-25
$myDevice = Get-MgDeviceManagementManagedDevice -Filter "contains(deviceName,'CLOUDINFRA-W-25')"
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $myDevice.id
Invoke Intune sync on All Intune Managed Devices using Powershell
Now that we have learned the steps to initiate Intune Sync on one device using PowerShell, we can use the same cmdlet and place it in a foreach loop to initiate Intune Sync on all Intune-managed devices.
Please note that the script below will target All device types managed by Intune, including Windows, macOS, iOS, Android, Linux, etc. If you want to run Intune Sync only on a specific type of platform (e.g., Windows), you can use the Filter parameter of the Get-MgDeviceManagementManagedDevice cmdlet.
I have provided more details about using the Filter option in the next sections of the blog post.
STEP 1 – Create a Powershell script Sync-IntunePolicies.ps1
Copy and paste the following PowerShell code into a file and save it as Sync-IntunePolicies.ps1. Alternatively, you can download this script from my GitHub Repository: Sync-IntunePolicies.ps1.
Sync-IntunePolicies.ps1
<#
.SYNOPSIS
Sync Intune Policies on All Intune-Managed Devices at once
.DESCRIPTION
Below script will force Initiate Intune Sync on All Intune Managed devices
.NOTES
Name : Sync-IntunePolicies.ps1
Author : Jatin Makhija
Version : 1.0.0
DateCreated: 23-Nov-2023
Blog : https://cloudinfra.net
.LINK
https://cloudinfra.net
#>
try {
# Install required modules
Install-Module -Name Microsoft.Graph.DeviceManagement -Force -ErrorAction Stop
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force -ErrorAction Stop
# Import required modules
Import-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction Stop
Import-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction Stop
# Connect to Microsoft Graph
Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All -ErrorAction Stop
# Get all managed devices
$managedDevices = Get-MgDeviceManagementManagedDevice -All -ErrorAction Stop
# Synchronize each managed device
foreach ($device in $managedDevices) {
try {
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
Write-Host "Invoking Intune Sync for $($device.DeviceName)" -ForegroundColor Yellow
}
catch {
Write-Error "Failed to sync device $($device.DeviceName). Error: $_"
}
}
}
catch {
Write-Error "An error occurred. Error: $_"
}
finally {
# Cleanup
Remove-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction SilentlyContinue
Remove-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction SilentlyContinue
}Step 2 – Execute the Powershell script
The next step is to execute Sync-IntunePolicies.ps1 without making any changes to the script. Let’s go through the steps:
- Open the Powershell console as an administrator
- Navigate to the folder where you have stored the script.
- Execute the Script by typing .\Sync-IntunePolicies.ps1 on the console.
Please note that after you execute this PowerShell script, you may need to authenticate to Microsoft Graph. Make sure to use an Administrator account with at least the following privileges:
- DeviceManagementManagedDevices.PrivilegedOperations.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementManagedDevices.Read.All
Invoke Intune Sync on All Intune-managed “Windows” Devices
Now, we will modify our script to target Only Intune-managed Windows devices. This way, you can ensure that Intune sync is not initiated on other device platforms such as macOS, Android, Linux, or iOS, etc.
You can modify the a line of code below in the PowerShell script to target devices based on their operating system type and execute the script. For example:
Filter Windows Devices
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Windows')" -All -ErrorAction StopFilter iOS Devices
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'iOS')" -All -ErrorAction StopFilter Android Devices
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Android')" -All -ErrorAction StopSTEP 1 – Create a Powershell script Sync-IntunePolicies_Windows.ps1
Copy and paste the following PowerShell code into a file and save it as Sync-IntunePolicies_Windows.ps1. Alternatively, you can download this script from my GitHub Repository: Sync-IntunePolicies_Windows.ps1.
Sync-IntunePolicies_Windows.ps1
<#
.SYNOPSIS
Sync Intune Policies on All Intune-Managed Devices where Device type is Windows
.DESCRIPTION
Below script will force Initiate Intune Sync on All Intune Managed devices where Device type is Windows
.NOTES
Name : Sync-IntunePolicies_Windows.ps1
Author : Jatin Makhija
Version : 1.0.0
DateCreated: 23-Nov-2023
Blog : https://cloudinfra.net
.LINK
https://cloudinfra.net
#>
try {
# Install required modules
Install-Module -Name Microsoft.Graph.DeviceManagement -Force -ErrorAction Stop
Install-Module -Name Microsoft.Graph.DeviceManagement.Actions -Force -ErrorAction Stop
# Import required modules
Import-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction Stop
Import-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction Stop
# Connect to Microsoft Graph
Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All -ErrorAction Stop
# Get all managed devices where device type is Windows
$managedDevices = Get-MgDeviceManagementManagedDevice -Filter "contains(operatingsystem,'Windows')" -All -ErrorAction Stop
# Synchronize each managed device
foreach ($device in $managedDevices) {
try {
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
Write-Host "Invoking Intune Sync for $($device.DeviceName)" -ForegroundColor Yellow
}
catch {
Write-Error "Failed to sync device $($device.DeviceName). Error: $_"
}
}
}
catch {
Write-Error "An error occurred. Error: $_"
}
finally {
# Cleanup
Remove-Module -Name Microsoft.Graph.DeviceManagement -ErrorAction SilentlyContinue
Remove-Module -Name Microsoft.Graph.DeviceManagement.Actions -ErrorAction SilentlyContinue
}Step 2 – Execute the Powershell script Sync-IntunePolicies_Windows.ps1
The next step is to execute Sync-IntunePolicies_Windows.ps1 without making any changes to the script. Let’s go through the steps:
- Open the Powershell console as an administrator.
- Navigate to the folder where you have stored the script.
- Execute the Script by typing .\Sync-IntunePolicies_Windows.ps1 on the console.
Please note that after you execute this PowerShell script, you may need to authenticate to Microsoft Graph. Make sure to use an Administrator account with at least the following privileges:
- DeviceManagementManagedDevices.PrivilegedOperations.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementManagedDevices.Read.All
Method 2 – Using Invoke-IntuneManagedDeviceSyncDevice
The second method involves using the Powershell cmdlet Invoke-IntuneManagedDeviceSyncDevice. Using this cmdlet, we can force Initiate Intune sync on a single Windows 10/11 device or multiple Windows 10/11 devices at once. Let’s check the steps:
Invoke Intune sync on One device using Powershell
Now, let’s learn how to trigger or forcefully initiate an Intune sync on an individual device using PowerShell. To do this, we’ll need to install the Microsoft Graph Intune module and establish a connection with Microsoft Graph.
STEP 1 – Install Microsoft Graph Intune Powershell Module
Install-module Microsoft.Graph.Intune -force
STEP 2 – Import Microsoft Graph Intune Powershell Module
Import-module Microsoft.Graph.IntuneSTEP 3 – Connect to Microsoft Graph
Connect-MSGraph
STEP 4 – Verify the timestamp for the Last completed Intune Sync
Get-IntuneManageddevice | Where {$_.devicename -eq "CLOUDINFRA-W-25"} | fl Lastsyncdatetime
STEP 5 – Invoke Intune sync on a device named CLOUDINFRA-W-25
Get-IntuneManageddevice -Filter "contains(devicename, 'CLOUDINFRA-W-25')" | Invoke-IntuneManagedDeviceSyncDevice
Invoke Intune sync on All devices using Powershell
We will use a PowerShell command, “Invoke-IntuneManagedDeviceSyncDevice” to remotely trigger a device check-in process on all Intune-managed devices.
Before running the following commands, ensure that you have installed the Microsoft Graph Intune PowerShell module and established a connection with MS Graph. Instructions for these steps can be found in the previous section.
Let’s check the steps:
STEP 1 – Fetch all Intune-managed Windows devices in a variable
$devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')"
We used the “Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')” command to filter for Windows devices. You can replace the “operatingsystem” filter with “iOS” or “Android” to fetch those types of devices and initiate Intune sync accordingly. For example:
- Get-IntuneManagedDevice -Filter “contains(operatingsystem, ‘iOS’)”
- Get-IntuneManagedDevice -Filter “contains(operatingsystem, ‘Android’)”
STEP 2 – Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
#Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
Foreach ($device in $devices)
{
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.managedDeviceId
Write-Host "Sending Intune Sync request to $($device.managedDeviceId)"
}
Invoke Intune sync on more than 1000 devices
If your organization has more than 1000 devices or you want to initiate Intune sync on more than 1000 devices, you will need to use the “Get-MSGraphAllPages” cmdlet in conjunction with the “Get-IntuneManagedDevice” cmdlet. This allows you to collect information from all pages of device records efficiently.
STEP 1 – Gather All Intune Managed Windows Devices in $devices variable
$devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'Windows')" | Get-MSGraphAllPages
STEP 2 – Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
#Loop through each device and run Invoke-IntuneManagedDeviceSyncDevice
Foreach ($device in $devices)
{
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.managedDeviceId
Write-Host "Sending Intune Sync request to $($device.managedDeviceId)"
}
Troubleshooting
In case you are unable to connect using the Connect-Msgraph or Connect-Mggraph cmdlets and you are getting the below error message, then you need to ensure that script execution is allowed in PowerShell. Run this command to fix this issue and try to connect to MS Graph again.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUserConnect-MSGraph : The 'Connect-MSGraph' command was found in the module 'Microsoft.Graph.Intune', but the
module could not be loaded. For more information, run 'Import-Module Microsoft.Graph.Intune'.
At line:1 char:1
+ Connect-MSGraph
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Connect-MSGraph:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
