Configure NTP for Entra Joined Devices

Author: Ram Apter

Introduction

When joining new devices or migrating existing ones to Entra joined, one of the policies I recommend you configure is NTP.
If you are coming from an On-Prem Domain, you are probably used to configuring GPOs that use your Domain Controller (DC) as the NTP server. But what happens when you move to a “DC-less” environment?

In my use case, we found that our Entra Join computers were behind the global time, which could cause issues long term.
The solution is to configure a policy using Intune to apply on all Entra Join devices to control their NTP settings.

Steps to Configure NTP in Intune

1. Go to Intune Admin Center -> Devices -> Configuration.
2. Under Policies, click Create and choose New Policy:
   • Platform: Windows 10 and later
   • Profile Type: Settings Catalog
3. Give the policy a name, e.g., "NTP Configuration for Entra Devices".
4. Under Configuration settings, click on Add settings, then either search for "NTP" or look under Administrative Templates > System > Windows Time Service > Time Providers.

5. Configure the following:
   • Set NtpServer to the desired NTP server (e.g., time.windows.com).
   • Enable the option "Enable Windows NTP Client."
   • Add the groups you want to distribute this configuration to.

Configure Windows Time Service

After configuring the NTP server, ensure the Windows Time service is turned on and set to start automatically.
By default, the service may be stopped if not configured. To do this, use the following PowerShell script:

                    
try {
    Set-Service W32time -StartupType Automatic
    Restart-Service W32time
} catch {
    Write-Host "Error setting the service to automatic and restarting: $_" -ForegroundColor Red
    exit 1
}
exit 0
				
			

Deploy this script as a Platform Script and assign it to the same group as the NTP configuration.

Optional: Configure Time Zone

You can also configure the time zone for the devices. Create multiple configurations and distribute them based on the device's location.
To do this:

1. Create a new configuration in Intune.
2. Search for Time Language Settings and configure the "Configure Time Zone" setting.

3. Use the time zone values from the Microsoft documentation: Default Time Zones.

Conclusion

By following these steps, you have:

• Configured an NTP server for Entra Join devices.
• Ensured the Windows Time service is operational and set to start automatically.
• Optionally configured the time zone for your devices.

This setup ensures accurate time synchronization and prevents potential time-related issues in your Entra Join environment.

×