The Time Synchronization Challenge
Moving from On-Premises to Cloud
When you join new devices to Entra ID, or migrate existing ones to Entra joined, one of the first policies I recommend configuring is NTP (time synchronization).
If you are coming from an on-premises domain, you are probably used to GPOs that point clients at your Domain Controller (DC) as the NTP source via the domain hierarchy. But what happens when you move to a "DC-less" environment, where that hierarchy no longer exists?
The Problem We Discovered
In my use case, we found that our Entra joined computers were drifting behind the global time, which causes real problems the longer it goes on. Clock skew can lead to:
- Authentication failures: Kerberos tickets and time-based tokens are rejected once the skew exceeds the allowed window
- Certificate validation issues: a certificate appears not yet valid or already expired against a wrong local clock
- Audit and logging inconsistencies: events from different devices can no longer be correlated reliably
The Solution
The solution is to configure an Intune policy, applied to all Entra joined devices, that controls their NTP settings. This ensures consistent and accurate time synchronization across your entire cloud-joined device fleet.
Steps to Configure NTP in Intune
Create the NTP Configuration Policy
- 1. Go to Intune Admin Center → Devices → Configuration
- 2. Under Policies, click Create and choose New Policy:
  - Platform: Windows 10 and later
  - Profile Type: Settings Catalog
- 3. Give the policy a name, e.g., "NTP Configuration for Entra Devices"
- 4. Under Configuration settings, click Add settings, then either search for "NTP" or navigate to:
  Administrative Templates → System → Windows Time Service → Time Providers
[Screenshot: NTP Configuration Settings in Intune]
Configure NTP Settings
Key Configuration Options:
- Configure Windows NTP Client: set to Enabled and fill in NtpServer with the desired server, in the host,flags syntax the Windows Time service expects (e.g., time.windows.com,0x9, where 0x8 is client mode and 0x1 uses the SpecialPollInterval). Set Type to NTP: devices migrated from a domain may still carry NT5DS from the old GPO, which tries to sync from a domain hierarchy that no longer exists for an Entra joined device.
- Enable Windows NTP Client: set to Enabled to activate the NTP client time provider. Without it, the NtpServer value is ignored.
- Assignments: add the groups you want to distribute this configuration to
Configure Windows Time Service
Service Configuration Requirement
After configuring the NTP server, ensure the Windows Time service (W32Time) is running and set to start automatically.
Important: on a workstation the service defaults to Manual (Trigger Start), so it may be stopped when the policy arrives, and the new settings are only read when the service starts. The following PowerShell script addresses this.
PowerShell Script for Service Configuration
# Make sure the Windows Time service starts with the OS and is running now,
# so the NTP settings delivered by the Intune policy are actually picked up.
try {
    Set-Service -Name W32time -StartupType Automatic -ErrorAction Stop
    # Restart-Service also starts the service if it is currently stopped
    Restart-Service -Name W32time -ErrorAction Stop
    # Force an immediate sync against the newly configured source
    & w32tm.exe /resync /nowait | Out-Null
} catch {
    Write-Host "Error setting the service to automatic and restarting: $_" -ForegroundColor Red
    exit 1
}
exit 0
Deploy as Platform Script
Deploy this script as a Platform Script in Intune and assign it to the same group as the NTP configuration.
Deployment Steps:
- 1. Navigate to Devices → Scripts and remediations → Platform scripts
- 2. Upload the PowerShell script
- 3. Set "Run this script using the logged on credentials" to No so it runs as SYSTEM (changing a service's startup type needs that), and run it in the 64-bit PowerShell host
- 4. Assign to the same device group as your NTP policy
Note that a platform script runs once per device. If you want the state re-checked on a schedule, use a Remediation (a detection script paired with a remediation script) under the same menu instead.
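If you go the Remediation route, the detection side needs to answer three questions: did the policy land, is the service in the right state, and is the clock actually in sync. The script below is an added example of such a detection script; it is not from the original post and not Microsoft's code. It assumes the expected server is time.windows.com and that an offset above one second counts as non-compliant (both are assumptions to adjust to your policy), and it parses the English-locale output of w32tm /stripchart. Exit code 1 tells Intune to run the remediation script (the service script above works for that), exit 0 reports compliance.

```powershell
# Added example: Intune Remediation detection script for W32Time (not the original post's script).
# Assumptions (not from the post): expected NTP host and acceptable offset below; adjust to your policy.
$ExpectedServer = 'time.windows.com'
$MaxOffsetSec   = 1.0
$problems = New-Object System.Collections.Generic.List[string]

# 1. Did the Intune (ADMX) policy land? Policy-delivered W32Time values live under
#    HKLM\SOFTWARE\Policies; the service's own key holds the local defaults.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $params) {
    $problems.Add('No W32Time policy key present; the Intune setting has not applied')
    $params = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
}
if ($params.Type -ne 'NTP') {
    $problems.Add("Type is '$($params.Type)', expected 'NTP' (NT5DS needs a domain hierarchy)")
}
# NtpServer is 'host,flags' (e.g. time.windows.com,0x9); compare the host part only
$configuredHost = ([string]$params.NtpServer -split ',')[0]
if ($configuredHost -ne $ExpectedServer) {
    $problems.Add("NtpServer is '$($params.NtpServer)', expected '$ExpectedServer'")
}

# 2. Service state: must start with the OS and be running now
$svc = Get-Service -Name W32Time
if ($svc.StartType -ne 'Automatic') { $problems.Add("W32Time StartType is $($svc.StartType)") }
if ($svc.Status -ne 'Running')      { $problems.Add("W32Time is $($svc.Status)") }

# 3. Measured offset against the expected server: 3 samples, data-only output.
#    Each sample line ends in e.g. '+00.0123456s'; negative means the local clock is behind.
$offsets = & w32tm.exe /stripchart /computer:$ExpectedServer /samples:3 /dataonly 2>&1 |
    ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } }
if (-not $offsets) {
    $problems.Add("Could not reach $ExpectedServer on UDP/123 to measure the offset")
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxOffsetSec) {
        $problems.Add("Clock offset $([math]::Round($worst, 3))s exceeds ${MaxOffsetSec}s")
    }
}

if ($problems.Count -gt 0) {
    # First output line is what the Intune console shows per device
    Write-Output ($problems -join '; ')
    exit 1    # non-compliant: Intune runs the paired remediation script
}
Write-Output "W32Time compliant: $($params.NtpServer), offset within ${MaxOffsetSec}s"
exit 0
```

Run it in the 64-bit host as SYSTEM, like the platform script. The offset check is the one that catches the original problem (devices quietly behind real time) even when registry and service state look correct, for example when outbound UDP/123 is blocked somewhere along the path.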
Optional: Configure Time Zone
Location-Based Time Zone Management
You can also configure the time zone for the devices. Create one configuration per time zone and assign each to the devices in that location.
Time Zone Configuration Steps
- 1. Create a new configuration in Intune (Settings Catalog, Windows 10 and later)
- 2. Search for Time Language Settings and configure the "Configure Time Zone" setting with the Windows time zone ID, e.g., "W. Europe Standard Time" (the same names tzutil /l prints on a device)
- 3. Use the time zone values from the Microsoft documentation: Default Time Zones
[Screenshot: Time Zone Configuration in Intune]
Best Practice Tip
For organizations with multiple locations, create one time zone policy per region and assign each to a dynamic device group. Entra dynamic device rules cannot see a device's physical location, so key the rule on something you control, such as a device naming convention (for example deviceName -startsWith "LON-") or the Autopilot enrollment profile name.
Conclusion
By following these steps, you have successfully implemented a comprehensive time synchronization solution for your Entra joined devices.
NTP Server Configured
Reliable time source for all Entra joined devices
Service Automated
Windows Time service set to start automatically
Time Zones Managed
Optional location-based timezone configuration
Benefits Achieved
This setup ensures accurate time synchronization and prevents time-related issues in your Entra joined environment, including authentication failures, certificate validation problems, and audit inconsistencies.