
Microsoft Intune: Sync Windows devices to one time server.

  • Writer: Terje Monsen
  • Nov 5, 2024
  • 3 min read

Another task that landed on my desk from our InfoSec department: "Time synchronization is important in the context of information security because it prevents discrepancies between timestamps recorded from different systems during the collection of evidence, for example, in the event of an incident." We can debate whether this is needed on modern, managed, Intune-enrolled devices, but the task must be done.



If you Google "ISO 27001 Clock Synchronization", you will find the background for our implementation of this policy; the ISO standard states the following: In the context of ISO 27001:2022, clock synchronization helps organizations track and monitor security incidents, detect anomalies, and ensure ...


Enough background; let’s get the implementation done.


Intune Configuration - Set Time server


  • Devices

  • Windows

  • Configuration

  • + Create

  • Platform: Windows 10 and later

  • Profile type: Settings catalog


  • Give the policy a name and description of your choice.

In the settings picker, navigate to Administrative Templates > System > Windows Time Service > Time Providers.


  • Select all 3 settings and click the X in the top corner to close the picker.



  • As always, I recommend applying this policy to a group of test users before going for a tenant-wide rollout.

  • Once the policy has been deployed, give it some time and check if it's working on your devices.
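One way to do that check is a small verification script, run in an elevated PowerShell session on a test device once the policy has synced. This is an added example and not part of the original post. It reads the registry keys where the "Configure Windows NTP Client" and "Enable Windows NTP Client" ADMX settings are normally written (HKLM:\SOFTWARE\Policies\Microsoft\W32Time, an assumption to confirm on your build), but bases the pass/fail decision on `w32tm /query /configuration`, which tags every effective value as (Policy) or (Local), and on `w32tm /query /source`, which shows what the clock is actually disciplined by right now.

```powershell
# Added verification script (not from the original post). Run elevated on a test device
# after the settings-catalog policy has applied. Assumption: the NTP client ADMX
# settings land under HKLM:\SOFTWARE\Policies\Microsoft\W32Time; the authoritative
# view is "w32tm /query /configuration", which tags each value (Policy) or (Local).

$policyParams = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$policyClient = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$localParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EffectiveNtpConfig {
    # Parses "w32tm /query /configuration" into Name -> @{ Value; Origin }.
    # "Enabled" exists for several providers, so only the NtpClient section is kept.
    $cfg = @{}
    $section = ''
    foreach ($line in (& w32tm /query /configuration 2>&1)) {
        # Section headers look like "[Configuration]" or "NtpClient (Local)"
        if ($line -match '^\s*(\[.+\]|\w+)\s*(\((Policy|Local)\))?\s*$') { $section = $Matches[1]; continue }
        # Value lines look like "NtpServer: time.example.test,0x9 (Policy)"
        if ($line -match '^\s*(NtpServer|Type|SpecialPollInterval|Enabled):\s*(.*?)\s*\((Policy|Local)\)\s*$') {
            $name = $Matches[1]
            if ($name -eq 'Enabled' -and $section -ne 'NtpClient') { continue }
            $cfg[$name] = @{ Value = $Matches[2]; Origin = $Matches[3] }
        }
    }
    return $cfg
}

function Format-Setting($entry) {
    # "value (origin)" for the report, or a marker when w32tm did not report it
    if ($null -eq $entry) { return '<not reported>' }
    return "$($entry.Value) ($($entry.Origin))"
}

function Test-TimeServerPolicy {
    $cfg = Get-EffectiveNtpConfig
    $problems = @()

    $server = $cfg['NtpServer']
    if (-not $server -or [string]::IsNullOrWhiteSpace($server.Value)) {
        $problems += 'No NtpServer is configured'
    } elseif ($server.Origin -ne 'Policy') {
        $problems += "NtpServer '$($server.Value)' is a local setting; the Intune policy has not applied"
    }

    $enabled = $cfg['Enabled']
    if (-not $enabled -or $enabled.Value -ne '1') {
        $problems += 'The NtpClient time provider is not enabled'
    }

    # What the clock is actually disciplined by right now
    $source = (& w32tm /query /source 2>&1 | Select-Object -First 1) -as [string]
    if (-not $source -or $source -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "Current time source is '$source'; no NTP sync has happened yet"
    }

    [pscustomobject]@{
        Compliant              = ($problems.Count -eq 0)
        Problems               = $problems
        NtpServer              = Format-Setting $server
        Type                   = Format-Setting $cfg['Type']
        SpecialPollInterval    = Format-Setting $cfg['SpecialPollInterval']
        NtpClientEnabled       = Format-Setting $enabled
        Source                 = $source
        PolicyParamsKeyPresent = (Test-Path $policyParams)
        PolicyClientKeyPresent = (Test-Path $policyClient)
        LocalNtpServer         = Get-RegValue $localParams 'NtpServer'
    }
}

$result = Test-TimeServerPolicy
$result | Format-List
if ($result.Compliant) { exit 0 } else { exit 1 }
```

A value tagged (Policy) is the one Windows Time uses, regardless of what sits under the service key. That matters for the remediation script further down: if the settings-catalog policy also sets SpecialPollInterval, that policy value wins and the service-key write is ignored, so look at which origin this report shows before relying on the remediation to change the interval.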


Intune Configuration - Set time sync frequency


To gain even more control, I also use an Intune remediation script to manually set the time server sync frequency. If you’d like to add this, follow these steps:


  • Devices

  • Windows

  • Scripts and remediations

  • + Create

  • Give your script a name, description, and publisher if needed.


  • Create the Detection and Remediation scripts:

  • Open Notepad or any other text/code editor you prefer

  • Paste the following code as the Detection script:

    # Detection Script for Intune Remediation: Time Sync Interval and W32Time Service

    # Get the current SpecialPollInterval from the registry
    $timeSyncInterval = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' -Name 'SpecialPollInterval' -ErrorAction SilentlyContinue

    # Check if the registry value exists
    if ($null -eq $timeSyncInterval) {
        # If the registry value does not exist, return non-compliance
        Write-Host "Time sync interval registry key does not exist."
        exit 1
    }

    # Check if the interval is set to 24 hours (0x15180 = 86400 seconds)
    $expectedValue = 0x15180
    if ($timeSyncInterval.SpecialPollInterval -ne $expectedValue) {
        Write-Host "Time sync interval is not set correctly. Expected: 0x15180, Actual: $($timeSyncInterval.SpecialPollInterval)"
        exit 1
    }

    # Check if the Windows Time service is running
    $w32TimeService = Get-Service -Name "w32time" -ErrorAction SilentlyContinue
    if ($null -eq $w32TimeService -or $w32TimeService.Status -ne 'Running') {
        Write-Host "Windows Time service is not running."
        exit 1
    }

    # If all checks pass, return compliance
    Write-Host "Time sync interval is correctly set to 24 hours and Windows Time service is running."
    exit 0

  • Save this code as TIME_DETECT.ps1

  • Now create a new file and use the following code as the Remediation script:

    # Set the time sync interval to 24 hours (0x15180 = 86400; SpecialPollInterval is in seconds)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' -Name 'SpecialPollInterval' -Value 0x15180 -Type DWord

    # Restart the Windows Time service to apply changes
    Restart-Service w32time -Force

    # Force an immediate time synchronization
    w32tm /resync /nowait

  • Save this code as TIME_FIX.ps1


  • Go back to Intune, upload the files, and choose the settings that fit your tenant.

  • Again, I recommend applying this policy to a group of test users before going for a tenant-wide rollout.

  • Once you have selected the target group, you can select the schedule for how often this script should run. I set this to be quite frequent during testing, and when the policy went into production I changed it to run once every 7 days. But this is fully up to you.


  • Now, monitoring and troubleshooting for devices with issues can begin.


  • Hope this is helpful, and I wish you success in implementing this. Please comment and provide feedback—I’d love to hear if you have issues or any comments.
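For the monitoring step, it helps to detect the failure mode the detection script above does not see: the registry value is right and the service is running, but the clock has not actually synchronized for a long time (for example because UDP 123 is blocked on a network). The following is an added example, not part of the original post: a detection script that keeps the registry and service checks and adds a check on the last good sync and on the current time source, using `w32tm /query /status /verbose`. The field names it parses are the English ones; on localized Windows the labels differ, so the regexes are an assumption to adjust.

```powershell
# Added example (not from the original post): detection script that also verifies the
# clock has recently synchronized. Exit 0 = compliant, exit 1 = remediation needed.
# Assumption: English field labels in "w32tm /query /status /verbose" output.

$expectedInterval  = 0x15180                   # 24 hours in seconds, as in the post
$maxSyncAgeSeconds = 2 * $expectedInterval     # tolerate one missed poll, no more

function Get-W32TimeStatus {
    # Returns a hashtable of "Label" -> "value" from w32tm /query /status /verbose,
    # or $null when w32tm could not talk to the service (for example, not running).
    $lines = & w32tm /query /status /verbose 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $status = @{}
    foreach ($line in $lines) {
        # Split on the first colon only; timestamps contain further colons
        if ($line -match '^\s*([^:]+?):\s*(.*)$') { $status[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $status
}

function Get-SecondsSinceLastSync($status) {
    # Prefer "Time since Last Good Sync Time: 123.456s" (verbose output); fall back
    # to the last-sync timestamp. "unspecified" or unparsable means never synced.
    $since = $status['Time since Last Good Sync Time']
    if ($since -and $since -match '^([\d\.]+)s') { return [double]$Matches[1] }
    $last = $status['Last Successful Sync Time']
    if (-not $last -or $last -match 'unspecified') { return [double]::PositiveInfinity }
    try { return ((Get-Date) - [datetime]::Parse($last)).TotalSeconds }
    catch { return [double]::PositiveInfinity }
}

$problems = @()

# 1. Service state (same check as the detection script in the post)
$svc = Get-Service -Name w32time -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') { $problems += 'Windows Time service is not running' }

# 2. Configured poll interval (same check as the detection script in the post)
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' -Name SpecialPollInterval -ErrorAction SilentlyContinue
if ($null -eq $reg) { $problems += 'SpecialPollInterval is missing' }
elseif ($reg.SpecialPollInterval -ne $expectedInterval) { $problems += "SpecialPollInterval is $($reg.SpecialPollInterval), expected $expectedInterval" }

# 3. Is the clock really being disciplined, and how long since the last good sync?
$status = Get-W32TimeStatus
$age = [double]::PositiveInfinity
if ($null -eq $status) {
    $problems += 'w32tm could not query the Windows Time service'
} else {
    $source = $status['Source']
    if (-not $source -or $source -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "Clock is not disciplined by an NTP source (source: '$source')"
    }
    $age = Get-SecondsSinceLastSync $status
    if ($age -gt $maxSyncAgeSeconds) {
        $problems += ('Last good sync was {0} s ago (limit {1} s)' -f [int][math]::Min($age, [int]::MaxValue), $maxSyncAgeSeconds)
    }
}

if ($problems.Count -gt 0) {
    Write-Host ('NOT COMPLIANT: ' + ($problems -join '; '))
    exit 1
}
Write-Host "Compliant: interval $expectedInterval s, source '$($status['Source'])', last good sync $([int]$age) s ago"
exit 0
```

Used as the detection half of the remediation above, this makes the package fire not only when the interval is wrong but also when synchronization has silently stopped; restarting the service and forcing a resync, which the remediation script already does, is the right first response to that case as well, and the remediation's output in the Intune report tells you which devices keep coming back.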
