**DISCLOSURE:** While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.
Having the correct time on your computer is just as important as having it on your wristwatch. If your watch is wrong, you will be late for appointments. If your computer clock is wrong – specifically, if the clock is more than 300 seconds off – then all manner of things stop working. Sure, anything inside your computer will work fine – you can create and edit documents, for example – but your computer will not be able to authenticate to any other computer, including cloud services such as Microsoft 365.
In a controlled Active Directory domain environment it has always been easy to create a group policy object (GPO) to synchronize all computer clocks to an authoritative network time server (NTP Server). Active Directory has always been good with things like that, and as long as the computer connected to a domain controller every so often, all was well.
Unfortunately, in today’s world of the remote workforce, more and more companies are eschewing the Active Directory domain for either a hybrid Azure Active Directory Joined (HAADJ) environment, or even a strict Azure AD. In the first case, it is not uncommon for devices to not check in to the domain often, and in the latter there is no domain so there is no GPO to configure.
It should be mentioned as well that while administrative users can set their computer clocks manually, standard users cannot. Nor can they even synchronize their clock with a public time server. The only thing they can do is set the time zone, which does not affect connectivity and functionality.
Enter Intune Administrative Templates. While we do not have all of the options here that we do in Group Policy (yet!) we can create a policy to synchronize the computer clock to an NTP server – usually time.windows.com. Here’s how.
First, connect to your Microsoft Endpoint Manager admin center (https://manage.microsoft.com).

1) In the navigation pane click Devices.
2) In the Devices | Overview navigation pane click Configuration Profiles.
3) In the Devices | Configuration profiles screen click +Create Profile.
4) In the Create a profile sidebar that appears, select your platform (Windows 10 and later) from the dropdown menu.
5) In the Profile type dropdown select Templates.
6) In the Template name list that appears, click Administrative Templates.
7) Click Create.
In the Create profile screen (Basic) type the name for your new profile in the Name dialog box, and put any description you want in the Description dialog box. Click Next.
In the next (Configuration Settings) screen, expand Computer Configuration – System – Windows Time Services – Time Providers. Note that the Windows Time Services option may not be on the first page. (Or you can cheat, and type NTP in the Search to filter items… dialog box.)
Click Enable Windows NTP Client. In the sidebar that appears, click Enabled and then click OK.
Click Configure Windows NTP Client. In the sidebar that appears, scroll down and select the radio button Enabled. Here you have the option to configure all manner of settings, including which time server you want to synchronize to. The default settings will work for most organizations (pointing to time.windows.com,0x9), and you should only change these if you are sure you need to. Click OK.
Back in the Create profile (Configuration Settings) screen, click Next. In the next (Scope tags) screen, you can set tags if you want, but if you do not need to, click Next.
In the next (Assignments) screen, you can assign this profile to specific groups, or you can click Add all users or +Add all devices in the Included groups section. Below that, you can add groups to the Excluded groups list, which would supersede the Included groups. Click Next.
In the next (Review + create) screen, review that all of your settings are correct, and then click Create.
It will only take a few seconds for the new policy to appear in your list on the Devices | Configuration profiles page. If it does not appear within a few seconds, click Refresh and it will.
That’s all there is to it. Microsoft Intune to the rescue again!
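To confirm on an enrolled device that the profile actually landed, the following PowerShell check reads the policy values, decodes the `time.windows.com,0x9` flags, and compares the current offset with the 300-second limit. It is an added example, not part of the original article or any Microsoft tooling; the helper name `ConvertFrom-NtpPeerList` is hypothetical, and the script assumes the Administrative Template writes the same policy registry values as the equivalent Group Policy settings.

```powershell
# Added example: confirm the NTP client policy on an enrolled Windows device.
# Assumption: the Administrative Template writes the same policy registry
# values as the equivalent Group Policy settings.
$policyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
$maxSkewSeconds = 300                  # threshold cited in the article
$server         = 'time.windows.com'   # default server named in the article

# NtpServer flag bits documented for the Windows Time service.
$flagNames = @{ 0x1 = 'SpecialInterval'; 0x2 = 'UseAsFallbackOnly'
                0x4 = 'SymmetricActive'; 0x8 = 'Client' }

# Hypothetical helper: split "host,0xflags host2,0xflags" into objects.
function ConvertFrom-NtpPeerList {
    param([string]$PeerList)
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $peerHost, $hex = $entry -split ',', 2
        $flags = if ($hex) { [Convert]::ToInt32($hex, 16) } else { 0 }
        $names = $flagNames.Keys | Sort-Object |
                 Where-Object { $flags -band $_ } |
                 ForEach-Object { $flagNames[$_] }
        [pscustomobject]@{ Server = $peerHost; Flags = $names -join ', ' }
    }
}

# 1. Did both template settings reach the policy hive?
$client     = Get-ItemProperty "$policyRoot\TimeProviders\NtpClient" -ErrorAction SilentlyContinue
$parameters = Get-ItemProperty "$policyRoot\Parameters" -ErrorAction SilentlyContinue
if ($null -eq $client -or $client.Enabled -ne 1) {
    Write-Warning 'Enable Windows NTP Client is not set by policy on this device.'
}
if ($parameters.NtpServer) {
    ConvertFrom-NtpPeerList $parameters.NtpServer | Format-Table -AutoSize
} else {
    Write-Warning 'Configure Windows NTP Client has not been applied yet.'
}

# 2. Measure the current offset; stripchart only queries, it never sets the clock.
$sample = w32tm /stripchart "/computer:$server" /samples:1 /dataonly |
          Select-String -Pattern '([+-]\d+\.\d+)s\s*$' | Select-Object -Last 1
if ($sample) {
    $offset = [double]::Parse($sample.Matches[0].Groups[1].Value,
                              [Globalization.CultureInfo]::InvariantCulture)
    $state  = if ([math]::Abs($offset) -gt $maxSkewSeconds) { 'OUTSIDE' } else { 'within' }
    "Offset from ${server}: $offset s ($state the $maxSkewSeconds-second limit)"
} else {
    Write-Warning "No NTP sample received from $server (is UDP 123 blocked?)."
}
```

With the default value, the flags column shows SpecialInterval and Client, which is what `0x9` (0x1 + 0x8) decodes to.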