PowerShell Sync Intune Remotely: Prerequisites and Best Practices
Learn how to use PowerShell for efficient device synchronization with Microsoft Intune, including best practices and necessary prerequisites.
Like This Article?
Subscribe to our LinkedIn Newsletter to receive more educational content
Microsoft Intune is a cloud-based endpoint management solution that simplifies user access to organizational resources and manages apps and configurations across thousands of devices. While it comes with a web-based admin center, PowerShell Intune commands are more efficient when managing devices at scale. Administrators can use them to set up critical automation and enhance timely policy enforcement.
This article discusses how to perform device synchronization with Intune in Powershell.
Summary of how to PowerShell Sync Intune remotely
| Best Practices | Description |
|---|---|
| Maintain stable device connectivity | Verify and ensure device connection to Microsoft Intune is consistent for reliable synchronization. |
| Automate and monitor synchronization status | Utilize Microsoft Intune PowerShell commands to track device synchronization timestamps and automate status monitoring. |
| Implement automated device updates | Configure automated patching to guarantee endpoint devices receive the latest OS updates. |
| Verify Intune MDM authority and user permissions | Confirm that Intune’s Mobile Device Management (MDM) authority is correctly configured and appropriate licenses are assigned to users. |
| Reduce unnecessary sync requests | Adjust synchronization schedules to minimize redundant requests and enhance efficiency. |
Using PowerShell for Intune sync management
Intune device synchronization involves multi-step communication between managed endpoints and the Intune service.
- Devices establish a secure connection to the Intune service via HTTPS.
- Devices initiate periodic sync requests, the frequency of which is determined by device type and configured policies.
Intune exposes APIs, allowing programmatic management of these sync processes. PowerShell is a powerful scripting tool that is excellent for interacting with these APIs and managing tasks related to sync management. Microsoft Intune itself does not directly execute PowerShell scripts on managed devices in the same way that a local system might. Instead, Intune leverages the Microsoft Graph API, a RESTful web API that allows you to programmatically interact with various Microsoft 365 services, including Intune.
For example, rather than relying solely on the Intune portal, which offers a more fundamental view, you can use PowerShell scripts to pull detailed sync logs, generate custom reports on sync status across device groups, or even trigger manual syncs on specific devices experiencing issues.
Learn About The First-Ever Monitoring and Rollback for Microsoft Intune
PowerShell Commands for Intune Management
You will need two PowerShell cmdlets to perform an Intune sync using PowerShell:
- Get-MgDeviceManagementManagedDevice fetches the device ID, which you can use as a parameter during synchronization.
- Sync-MgDeviceManagementManagedDevice. manually synchronizes managed devices within Microsoft Intune.
But why do you need to perform manual sync in the first place? Isn’t this done automatically by Intune? Intune only syncs the device and updates it every eight hours. Manually triggering a sync ensures policy changes, configuration profile updates, or compliance settings are applied immediately. Instant device updates are essential for mid to large-sized organizations.
Prerequisites
Connect to the Microsoft Graph API using the PowerShell cmd Connect-MGGraph. It has two authentication types:
- Delegated — Microsoft automatically generates a token from your Windows credential.
- App-only access — You can provide a token from your app registration’s client ID and secret.
Before connecting, complete the following.
Grant your application and service principal
Make sure to grant your app registration the following permission scopes:
- DeviceManagementManagedDevices.PrivilegedOperations.All,
- DeviceManagementManagedDevices.ReadWrite.All,
- DeviceManagementManagedDevices.Read.All.
Grant your account permissions
Verify if you have assigned your account Intune Administrator role. Once done, install and import the Microsoft Graph module by running the Install-Module and Import-Module commands on your PowerShell terminal:
Install-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.DeviceManagement
Watch a 15-minute Demo of Microsoft Intune Change Monitoring and Recovery
PowerShell Scripts for single and bulk device operations
After completing the necessary setup steps described above, you can run commands provided by the graph module to perform actions on your Intune environment (e.g., create policies, manage devices, retrieve information).
To start, connect to Microsoft Graph using the Connect-MGGraph command with the scopes listed before.
Connect-MgGraph -Scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All
This command should automatically fetch your credentials, but if you can’t connect, you may need to enter your application’s Client ID and Tenant ID as parameters. You should find them under the overview pane of your enterprise application.
Connect-MgGraph -Scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All -ClientID <String> -TenantID <String>
Once successfully connected, you can use the two vital PowerShell Intune commands, get and sync.
Learn the best practices for Intune monitoring, security, and recovery
Single device operation
A crucial part of the script is choosing which Intune devices to sync. You can create a filter for which devices to sync by using properties. Usually, you can create a filter for devices based on the DeviceName and Model properties to manage a single device.
You can filter the results of the Get-MgDeviceManagementManagedDevice by using the Where-Object command, as shown below.
Get-MgDeviceManagementManagedDevice |
Where-Object {($_.DeviceName -match "<string>") -and ($_.Model -match "<string>")}
The above command is handy if you are troubleshooting a single device. Generally, administrators can fetch the device name within the Microsoft Intune device pane.
Once you have the single device you want to sync manually, you can run the Sync-MgDeviceManagementManagedDevice. However, before doing so, save the results in a variable. The variable contains the device ID information, which will be needed when running the sync command. Once saved, pass in the variable as a parameter while retrieving the sub-attribute ID, which should look as below:
$devices = Get-MgDeviceManagementManagedDevice | Where-Object {($_.DeviceName -match "<string>") -and ($_.Model -match "<string>")}
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.ID
The filtered-out device should now be synchronized.
Bulk device operation
If multiple devices need to be synced, like a subset of devices, or if you are uncertain which devices to sync, you can expand the filter further using the Where-Object command. For example, if you only want to synchronize devices that have a specific operating system version, you can use it as below.
$devices = Get-MgDeviceManagementManagedDevice | Where-Object {$_.OSVersion -match "10.0.26100.3194")}
Once you have all the devices, use the sync command, but remember to process each device ID using a foreach loop. Here is an example of the script:
$devices = Get-MgDeviceManagementManagedDevice -All
foreach ($device in $devices) {
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $Device.ID
}
The above command would be handy if you create a new script to sync all the organization’s devices and set it up in a task scheduler or an orchestrator for further automation. Alternatively, you can get a list of Device IDs, save them in a text file or CSV, and query the content using Get-content or Import-CSV.
Manage, Monitor & Recover AD, Azure AD, Office 365
Unified Console
Use a single tool to administer and secure AD, Azure AD, and Office 365
Track Threats
Monitor AD for unwanted changes – detect for security or critical functions
Instant Recovery
Recover global enterprise-wide Active Directory forests in minutes, not days
Troubleshooting sync errors
After running the above commands, there may be situations where the synchronization is unsuccessful. Commonly encountered sync errors are given below.
| Intune Error | Description | Solution |
|---|---|---|
| Pending state | The device sync request is queued but has not started. This can happen due to high load or delays in processing. | Wait for the sync to complete. If it remains pending for an extended period, retry after some time or restart the device. |
| Authentication error | The device fails to authenticate with Intune due to expired or incorrect credentials. | Ensure the device is connected to the network and the user’s credentials are valid. Re-enroll the device if authentication issues persist. |
| MDM authority not set | Intune is not configured correctly as the MDM authority, preventing the sync. | Verify that Intune is selected as the MDM authority in the Microsoft Endpoint Manager admin center. |
| Sync timeout | The device takes too long to complete the sync, possibly due to network issues or high CPU usage. | Ensure the device has a stable internet connection and sufficient system resources. Restart the device if necessary. |
| Access denied | The account used does not have permission to manage the device. | Check that the user has the required Intune roles and permissions. If necessary, assign the correct role in Azure AD. |
Refer to the complete list of Intune sync errors for further troubleshooting.
Intune synchronization best practices and recommendations
Here are standard proactive measures for a seamless device sync on Intune.
Ensuring device connection stability
For devices to sync to Microsoft Intune, you need to ensure that they have a stable connection. If your organization uses VPNs, firewalls, or any appliances that may block policies, ensure that connection to Microsoft cloud services is allowed. Use the Microsoft 365 network connectivity test to verify if a device can connect to at least the Microsoft Intune services.
Monitor and automate Intune sync status
Microsoft Intune has a report page that checks a device’s last check-in date. Keeping a watch on devices with the oldest last sync date-time is recommended. If a device has an old check-in date, the user may not have used the device for an extended period. In addition, the Get-MgDeviceManagementManagedDevice command also contains a device’s last sync time from the LastSyncDateTime attribute.
Alternatively, you can set up alerts in Azure Monitor to prioritize devices with repeated sync failures and devices that recently checked in but have an old last sync date time.
Here is a script to check for the last sync date time of a device.
Get-MgDeviceManagementManagedDevice -All | Select-Object DeviceName, DeviceSerial, LastSyncDateTime
Keeping devices updated
Keeping devices updated with the latest operating system patches is a recommendation that is exclusive not only to Intune but also to the whole concept of infrastructure maintenance. For example, outdated Windows versions may cause sync issues within Intune’s mobile device management (MDM). Ensure all devices have the latest OS updates, regardless of the operating system.
Keep them updated using tools like Microsoft Endpoint Configuration Manager (MECM) for automated patching and regularly generate reports for outdated devices
Keeping devices updated with the latest operating system patches is a recommendation that is exclusive not only to Intune but also to the whole concept of infrastructure maintenance. For example, outdated Windows versions may cause sync issues within Intune’s mobile device management (MDM). Ensure all devices have the latest OS updates, regardless of the operating system.
Keep them updated using tools like Microsoft Endpoint Configuration Manager (MECM) for automated patching and regularly generate reports for outdated devices
Check Intune MDM and user permissions
As an administrator, verify that Microsoft Intune is correctly set as the MDM authority in the Endpoint Manager Admin Center. In addition, double-check that users with managed devices have the correct assigned licenses. Misconfiguration in these settings may lead to insufficient permissions, which can cause sync failures.
Reduce unnecessary sync requests
As discussed above, the default sync for Windows devices is eight hours. This sync time is the same with Android devices. For iOS and Mac, the default sync time is six hours.
Avoid redundant requests that coincide with the default schedule when scheduling manual syncs using the previous PowerShell script. Use dynamic groups and filters to apply sync with different schedules and make a specific set of relevant devices more manageable.
Manage, Monitor & Recover AD, Azure AD, M365, Teams
| Platform | Admin Features | Single Console for Hybrid (On-prem AD, Azure AD, M365, Teams) | Change Monitoring & Auditing | User Governance (Roles, Rules, Automation) | Forest Recovery in Minutes |
| Microsoft AD Native Tools | ✓ | ||||
| Microsoft AD + Cayosoft | ✓ | ✓ | ✓ | ✓ | ✓ |
Last thoughts
Microsoft Intune can manage endpoint devices in the organization, but you can further enhance its efficiency by incorporating PowerShell and Microsoft Graph into our processes. In addition, make sure to follow the best practices and recommendations discussed in this article. Doing so reduces synchronization errors, leading to a higher device-compliant score.
To learn more about how Cayosoft Administrator can significantly reduce the time needed to detect non-compliant devices, request a free demo here.
Like This Article?
Subscribe to our LinkedIn Newsletter to receive more educational content