IT people often get mad. Intune policy updates seem random. It feels like a lottery. This is because Intune works slowly. It waits for devices to check in. There is a complex process behind it. It does not happen right away. Devices have health problems. Network speed can be slow. Win32 apps have wrong detection. These cause delays. Reports show wrong “pending” statuses. Data does not always match. This blog will explain how it works. It will help IT people understand. They can then manage Intune policy sync better.
Key Takeaways
Intune policy updates are not instant. Devices check at certain times. This causes delays.
Many things can make Intune policy sync slow. These include slow internet. Network problems can also cause issues. Policies can also conflict.
You can make devices sync by hand. This helps policies arrive faster. But it is not always instant.
Intune has tools. These tools help you see policy status. They also help fix problems. Use these tools to know what is happening.
Intune works for many devices. It works over time. Policies will apply eventually. So, expect this to take time.
Core Reasons for Intune Policy Sync Delays
Intune policy sync feels like a lottery. But it is not random. Certain things cause delays. A PC gets commands later. It waits for its next sync. Intune does not apply commands right away.
Scheduled Device Check-ins
Devices do not always talk to Intune. They check in at certain times. This schedule changes when policies arrive.
Windows devices check in at different times:
Other systems also have check-in times:
Admins must wait for the next sync.
Network Latency and Connectivity
Network speed affects policy delivery. Slow networks cause delays. Devices with many policies take longer. They might not sync with Intune. A slow internet connection makes check-ins slow. This hurts policy sync.
Bad network connections stop Intune communication. Some network issues prevent policy delivery:
Firewall misconfiguration: Firewalls can block Intune. Devices cannot talk to the service.
Incorrect proxy server settings: Wrong settings can stop connections.
DNS resolution failures: Devices cannot find Intune. They fail to connect.
Certificate issues: Old certificates stop secure connections.
SSL inspection: This can block Intune. You need to allow Intune URLs.
Incorrect ports: Ports 80 and 443 must be open.
Network problems or too much traffic cause issues.
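A quick way to test the items in the list above from an affected Windows device. This is an added example, not code from the original post. The function name Test-IntuneEndpoint is hypothetical, and the sample host is an assumption; use the endpoints Microsoft documents for your tenant.

```powershell
# Added example. Checks DNS, TCP 443 and the TLS certificate for each endpoint.
# A direct socket is used, so a device that reaches Intune only through a
# proxy will show Tcp = False here even when its proxy path is healthy.
function Test-IntuneEndpoint {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [int]$Port = 443
    )
    foreach ($name in $HostName) {
        $r = [ordered]@{
            Host = $name; Dns = $false; Tcp = $false
            TlsIssuer = $null; CertExpires = $null; Error = $null
        }
        $client = $null
        try {
            # DNS resolution failure stops here and is reported in Error.
            $null = Resolve-DnsName -Name $name -ErrorAction Stop
            $r.Dns = $true

            # A blocked port or firewall rule fails at Connect.
            $client = [System.Net.Sockets.TcpClient]::new()
            $client.Connect($name, $Port)
            $r.Tcp = $true

            # Accept any certificate: the goal is to read it, not to trust it.
            $ssl = [System.Net.Security.SslStream]::new(
                $client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($name)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            # An issuer naming your own proxy or firewall CA means SSL inspection.
            $r.TlsIssuer   = $cert.Issuer
            $r.CertExpires = $cert.NotAfter
            $ssl.Dispose()
        } catch {
            $r.Error = $_.Exception.Message
        } finally {
            if ($client) { $client.Dispose() }
        }
        [pscustomobject]$r
    }
}

# Sample host is an assumption, not a list taken from the post.
Test-IntuneEndpoint -HostName 'manage.microsoft.com' | Format-List
```

Read the result left to right: the first False or the Error text tells you which layer (DNS, port, TLS) is failing.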
Intune Service Processing
Intune’s own processes cause delays. When admins target many groups, there is a delay. This is for a first-time setup. It happens between Microsoft Entra ID and Intune. The first full sync takes longer. Later syncs are faster.
Big groups like ‘All users’ take longer to update. Assigning Intune tasks to these groups can cause backlogs. This delays policies and apps. It takes longer to reach devices. Updates from Microsoft Entra ID to Intune take about 5 minutes. It is not instant. This affects enrollment. Admins should wait a few minutes. Wait after adding users to a group. Then enroll devices.
Intune service problems also delay policies. They cause slow delivery. The Microsoft 365 Admin Center shows these alerts.
Policy Conflicts and Resolution
Policy conflicts cause big delays. Conflicts happen when settings clash. Intune shows an error. It stops settings from applying. Conflicts need to be fixed.
One common conflict is with local user group policies. This happens even for different groups. For example, one policy manages Administrators. Another manages Remote Desktop Users. If both are active, they can conflict. No policy applies.
Deploying the same settings from different places causes a conflict. This needs admin help.
Other conflicts need manual fixing. Admins must find and remove clashing settings. They might change policy assignments.
Intune does not fix conflicts itself. It gives tools to admins. Windows Autopatch shows conflicts. Admins see a list of conflicting policies. They see affected devices and alerts. Alerts show conflicting policies and settings. Admins must check these policies. They fix conflicts manually. Changes take effect after the next sync. The view updates every 24 hours. Full updates take up to 72 hours.
Device State and User Context
A device’s state affects policy application.
Intune tells devices to check for policies. Notification times vary.
If a device misses a check-in, Intune tries three more times.
Offline devices might miss notifications.
Offline devices get policies later. This happens when they come online. This also applies to compliance checks.
User factors can delay policies:
Dynamic groups: These groups update slowly. This is because Entra ID evaluates rules slowly. This causes more delays than static groups.
Intune Agent’s synchronization cycle: App installs can be slow.
Application version: Using the same app version causes issues. It leads to timeouts. Change the app version. Update its info. This helps reduce delays.
Device enrollment behavior and polling frequency: During enrollment, Intune checks more often. This speeds up setup. Later, checks are less frequent. Windows PCs check every 3 minutes for 15 minutes. Then every 15 minutes for 2 hours. Then about every 8 hours. This affects how fast things deploy.
How Intune Sync Works
Intune policy does not apply right away. It has a detailed technical process. This process uses both the device and the Intune service. Intune is made for “eventual consistency.” This means policies will apply later. They do not apply the moment an admin changes them. This design helps Intune manage many devices. It stops the system from getting too busy. Understanding this helps explain why Intune policy sync can seem random.
Client-Side Check-in Cycle
Devices talk to the Intune service often. This check-in helps them get new policies. For Windows devices, special things happen. The Intune Management Extension (IME) signs in quietly. It then looks for assigned installs. The IME checks for new installs every 8 hours. This is separate from the MDM check-in. The IME also checks device health. It makes sure it can connect to Intune. Admins can make the IME check in manually. They can restart the IntuneManagementExtension service. Syncing with the Company Portal also starts an MDM check-in.
Windows devices also have a detailed sync plan:
Login Sync: A sync starts when a user logs in. The PollOnLogin DMClient CSP setting makes this happen. It gets policies for that user.
Scheduled Syncs: After the first login sync, others happen on a schedule.
First, they can be every 3 minutes for 15 minutes.
Then, they are every 15 minutes for 2 hours.
Finally, they happen every 8 hours forever.
OMADMClient.exe: This starts using Task Scheduler. It begins syncs.
Scheduled Tasks: Several tasks manage the sync:
‘Login Schedule created by enrollment client’: Runs when a user logs on.
‘Schedule #1 created by enrollment client’: Repeats every 3 minutes for 15 minutes after enrollment.
‘Schedule #2 created by enrollment client’: Repeats every 15 minutes for 2 hours after Schedule #1.
‘Schedule #3 created by enrollment client’: Repeats every 8 hours forever after the last schedule.
Manual Sync: Clicking ‘sync now’ in Settings starts this. It runs the ‘Schedule to run OMADMClient by client’ task.
Server-Initiated Sync: A WNS notification from Intune starts this. It runs the ‘Schedule to run OMADMClient by server’ task.
Special Purpose Syncs: These happen for things like changing OS SKU. Or setting up Windows Hello for Business.
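To see which of these triggers actually fired on a device, and when, you can read the scheduled tasks directly. This is an added example, not code from the original post. It assumes the tasks live under the \Microsoft\Windows\EnterpriseMgmt\ folder of Task Scheduler and that it runs in an elevated session on the enrolled device.

```powershell
# Added example. Lists the MDM sync tasks named above with last and next run.
# Assumption: enrollment tasks sit in one subfolder per enrollment ID
# under \Microsoft\Windows\EnterpriseMgmt\.
$root = '\Microsoft\Windows\EnterpriseMgmt\*'

$tasks = Get-ScheduledTask -TaskPath $root -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match 'enrollment client|OMADMClient' }

if (-not $tasks) {
    Write-Warning 'No enrollment sync tasks found. The device may not be MDM-enrolled.'
    return
}

$report = foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $task.TaskName
        State      = $task.State
        LastRun    = $info.LastRunTime
        LastResult = '0x{0:X}' -f $info.LastTaskResult   # 0x0 means success
        NextRun    = $info.NextRunTime
        MissedRuns = $info.NumberOfMissedRuns
    }
}
$report | Sort-Object LastRun -Descending | Format-Table -AutoSize

# Age of the most recent sync attempt, whichever trigger started it.
$latest = $report | Where-Object LastRun |
    Sort-Object LastRun -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.LastRun
    'Last sync task ran {0:N0} minutes ago ({1})' -f $age.TotalMinutes, $latest.Task
}

# The IME runs as a separate service with its own cycle.
Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue |
    Select-Object Name, Status
```

A NextRun several hours away with a recent LastRun means the device has settled into the 8-hour cycle. A non-zero LastResult or a rising MissedRuns count points to a device-side problem rather than a slow service.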
During each sync, the device sends data. This includes all supported CSPs. It also sends the Autopilot hardware hash. Info on every UWP app is sent. Devices also ask to install MSI or UWP apps.
The Intune Management Extension Health Evaluation task runs daily. It has a random delay of one hour. This task runs ClientHealthEval.exe. This file checks device health. ClientHealthEval.exe uses ClientHealthEval.exe.config for settings. It writes info to ClientHealth.log. The HealthCheck.xml file sets rules for health checks. One rule checks if the ‘Microsoft Intune Management Extension’ service exists. After it finishes, it gathers info into HealthReport.json. This file shows the status of rules. The HealthReport.json then goes to Microsoft Intune.
The “8-hour Intune Sync Myth” often confuses people. 8 hours is common for Windows devices. This is true after initial enrollment. But devices check in more often. Windows devices sync every 3 minutes for 15 minutes. Then every 15 minutes for 2 hours. Then they settle into the 8-hour cycle. Other operating systems also check in at different times. iOS devices check in every 6 hours. Android devices check in every 8 hours. These times can make things seem slow.
Server-Side Policy Evaluation
Intune’s server checks which policies apply. This process has several steps.
Admins set up policies for platforms.
They make optional deployment rules. These rules say when policies apply. For example, a rule might use device ownership. These rules can combine conditions. They use Boolean logic (AND, OR, NOT).
Admins assign the policy to groups.
They set an optional deployment schedule. This can be immediate. Or for a later date. It can even depend on connection status.
Intune checks these rules and assignments. It finds policies for each device or user. For example, device control policies in Microsoft Defender for Endpoint apply to users. On Windows, these policies can have conditions. They target users in Microsoft Entra ID. Or Windows Server Active Directory. The system watches user sessions. It makes decisions based on policies. This allows different permissions. Intune’s server logic works similarly. It processes group memberships. It processes policy rules. It then gathers settings for each device.
Role of Push Notifications
Push notifications can speed up Intune policy delivery. This is for supported operating systems. When an urgent update is ready, WNS sends a notification. It tells devices about the update. This notification skips the regular Windows Update client sync. The Microsoft Update Health Tools on the device get this policy. This lets devices start downloading the update right away. They do not wait for their scheduled check-in.
But push notifications have limits. They do not always deliver all policies right away. Intune does tell a device to check for updates immediately. This happens when an action targets a device or user. Examples are a lock, passcode reset, app, or policy assignment. This shows how Intune handles urgent actions. It is different from general policy updates. Microsoft says that Intune, the Company Portal app, and the Microsoft Intune app cannot promise delivery. Notifications might be hours late. Or not delivered at all. This can happen if users turn off notifications. So, admins should not rely on this for urgent messages.
Managing Intune Sync Expectations
Admins can make policies work better. They can fix problems. They need good plans. Knowing how Intune works helps. It sets right expectations. It helps find good fixes.
Manual Sync Options
Admins can make devices sync. This is faster than waiting 8 hours. Changes can happen in minutes. But manual syncs do not fix all delays. Intune slows things down sometimes. After a policy push, there is a quiet time. It is about 30 minutes per device. New changes during this time wait. They apply at the next check-in. There is also a 5-minute wait. This is before a task runs. This task makes the device get policies. So, manual syncs are quicker. But they are not instant. This is true for many changes at once.
Here are ways to sync manually:
Optimizing Policy Assignments
Making policy assignments better helps. It makes processing easier. Intune figures out policies in the cloud. This happens before a device checks in. It gathers all policy parts. It gets settings and group targets. This makes a final policy document. When a device checks in, it asks for this policy. It checks versions. It downloads the policy. Then it uses CSPs to apply settings. This cloud process is faster. It does not slow down the device. Old Group Policy used to slow down devices. Intune’s way is better.
Monitoring and Troubleshooting
Intune has tools to watch policy status. Admins can use the Device compliance status dashboard. Reports show policy compliance. They show organization reports too. The dashboard shows device compliance status. It shows devices not compliant. It shows policy compliance. It shows setting compliance. For policy reports, Intune shows device status. It shows a detailed report. It shows status for each setting.
When fixing problems, check the Microsoft 365 Service Health Dashboard first. Then use the Intune Troubleshooting Portal. It shows everything in one place. Check the device’s last sync time. Manually sync it. This is important. Check device compliance. Check configuration status. This helps find missing policies. Knowing policy states helps fix them. States like ‘Not Applicable’ or ‘Conflict’. Admins can also check Intune logs. They can check diagnostic reports. Like MDMDiagReport.html. Or the Intune Management Extension log.
Setting Realistic Expectations
Intune is made to work for many devices. It makes sure policies apply eventually. This means policies do not apply right away. For users with Intune Mobile Application Management (MAM), policies usually apply in 30 minutes. This time can change. It depends on how many users are on the Intune service. Retries often need the app to be open. The app must be running for a retry. If an app has not checked in for 90 days, it might unregister. It needs to register again when opened. Network problems also slow things down. They make retries happen faster. This continues until a good connection is made.
Intune policy sync seems random. But it is not random. It is made for many devices. It works over time. This causes the feeling. Devices check in at set times. Network problems cause delays. Intune’s system also causes delays. Policy conflicts add to this. Knowing these things helps IT people. They can use Intune better. IT people should accept how Intune works. This helps them guess when policies will apply. It also helps them fix problems.
FAQ
Why does Intune not apply policies instantly?
Intune works in a special way. Devices check in at set times. This helps manage many devices. Policies will apply later. They do not apply right away.
Why do manual syncs not always work immediately?
Manual syncs make devices check in. Intune still works on policies in the cloud. There is often a quiet time. This happens after policies are sent. This keeps the system stable. It stops too much work.
Why do some devices take longer to sync than others?
Network speed changes sync time. If a device is offline, it takes longer. Complex policies also take more time. Conflicts in policies slow things down.
Why are there different sync intervals for different OS types?
Each operating system is different. Microsoft sets check-in times. This is for how each system works. It balances speed and battery use. It also balances data use.