Intune check-in and Policy updates on a local machine

Richard R 0 Reputation points
2024-11-06T20:57:33.42+00:00

How can I check/verify on a local machine that the Windows 11 workstation has checked into Intune and refreshed policies?

On the Windows 10/11 device, is there a PS command or a registry setting that tells me when the device checked into Intune, with a timestamp?

Also, is there a PS command or registry setting on a Windows 10/11 device that tells me what security policies are applied and when they were applied?

I tried MpPreference from a PowerShell command, but it doesn't list the policies or the time the policies were applied.

Windows for business | Windows Client for IT Pros | User experience | Other
Microsoft Security | Intune | Other

3 answers

Sort by: Most helpful
  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2024-11-07T01:41:49.29+00:00

    @Richard R, thanks for posting in Q&A. Maybe you can try the Advanced Diagnostic Report on the device side. It has the sync time when the device syncs from Intune, and at that time new policy will be obtained and applied. It also includes some policy settings it received from Intune.

    After researching, I didn't find a timestamp for each setting applied in a registry key. The general method we use to check this is on the Intune portal side, which records the time each setting was applied. Or you can open a case to see if you can get more help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Neuvi Jiang 1,540 Reputation points Microsoft External Staff
    2024-11-07T07:08:43.4266667+00:00

    Hi Richard R,

    Thank you for posting in the Q&A Forums.

    Check if devices are signed into Intune and refresh policies

    Use the Company Portal application:

    If your organization uses Microsoft Intune, an application called Company Portal is usually deployed.

    Log in to the Company Portal app and check the status of the device. If the device has been successfully signed into Intune, you should be able to see detailed information about the device, including policy status.

    Use PowerShell commands:

    There is no direct PowerShell command that shows a timestamp of when the device was signed into Intune.

    However, you can check if a device is communicating with Intune by running some PowerShell commands, such as checking the device registration status and synchronization status.

    Use the dsregcmd /status command to check the Azure AD registration status of the device.

    Check the status of Intune-related services, such as MDM diagnostics, but this usually requires specific diagnostic tools or permissions.

    View event logs:

    In the Windows Event Viewer, look for log entries related to Intune or device management.

    This may require some familiarity with event logs to be able to identify logs related to Intune communications or policy applications.

    To see what security policies were applied and when they were applied

    Use PowerShell commands:

    While there is no direct command that lists all applied security policies and their timestamps, you can use PowerShell to examine certain policy settings.

    For example, use the Get-CimInstance or Get-WmiObject commands to query specific policy settings, but this requires that you know the specific policy path and name to query.

    Another way is to use commands such as Get-LocalGroupMember, Get-Acl, and so on to check local security policies, but these are usually related to file system or user permissions, not Intune policies.

    Check registry settings:

    Some policy settings may be reflected in the registry, but this is usually not the primary storage location for Intune policies.

    You can try searching the registry for policy-related keywords, but this needs to be done with caution, as incorrect registry editing can lead to system instability.

    Use the Group Policy Management tool:

    If your organization uses local group policies or domain group policies to manage devices, you can use a group policy management tool (such as the Group Policy Management Console, GPMC) to see what policies are applied.

    Note, however, that Intune policies are typically managed through the cloud, not local group policies.

    Intune Management Center:

    Log in to the Azure portal and go to the Intune Management Center.

    In the Devices or Policies section, you can view and manage deployed policies.

    While this won't show you which policies were applied to each device when, you can see which policies are assigned to which device groups.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

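The local checks the answer above describes (dsregcmd, the event log, the registry), gathered in one script as an added example; this is not code from either answer. It assumes that Intune enrollments under `HKLM:\SOFTWARE\Microsoft\Enrollments` carry `ProviderID = 'MS DM Server'`, that OMA-DM sync sessions are logged to the `DeviceManagement-Enterprise-Diagnostics-Provider/Admin` channel, and that CSP-applied settings live under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device` with a `<Setting>_WinningProvider` companion value; run it from an elevated PowerShell prompt.

```powershell
# Added example: collect Intune check-in and applied-policy evidence on the endpoint.
# Log name, registry paths and value-name conventions below are assumptions, not
# documented guarantees; where a key is absent the corresponding section is empty.

# 1. Join / MDM state: parse "Key : Value" lines of dsregcmd /status into a table.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
}
[pscustomobject]@{
    AzureAdJoined = $dsreg['AzureAdJoined']   # YES when the device is Entra joined
    MdmUrl        = $dsreg['MdmUrl']          # non-empty when an MDM is enrolled
} | Format-List

# 2. Enrollment records: an Intune enrollment is assumed to have ProviderID 'MS DM Server'.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$intuneEnrollments = Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' } |
    Select-Object PSChildName, @{n='State';e={ (Get-ItemProperty $_.PSPath).EnrollmentState }}
$intuneEnrollments | Format-Table -AutoSize

# 3. Last check-ins: newest OMA-DM session entries in the MDM diagnostics log.
#    Matching on message text avoids depending on specific event IDs.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$lastSyncs = Get-WinEvent -LogName $log -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'OMA-DM' } |
    Select-Object -First 5 TimeCreated, Id, @{n='Summary';e={ ($_.Message -split "`n")[0] }}
$lastSyncs | Format-Table -AutoSize

# 4. Currently applied CSP settings, with the provider (enrollment GUID) that set each one.
#    A setting whose WinningProvider matches an Intune enrollment GUID came from Intune.
$policyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$applied = foreach ($key in Get-ChildItem $policyRoot -ErrorAction SilentlyContinue) {
    foreach ($name in $key.GetValueNames()) {
        if ($name -and $name -notmatch '_') {          # skip companion metadata values
            [pscustomobject]@{
                Area            = $key.PSChildName
                Setting         = $name
                Value           = $key.GetValue($name)
                WinningProvider = $key.GetValue("${name}_WinningProvider")
            }
        }
    }
}
$applied | Sort-Object Area, Setting | Format-Table -AutoSize
```

Registry keys do not expose a per-setting apply time through Get-Item, so the event-log timestamps in step 3 are the closest local answer to "when"; the Intune portal remains the authoritative record.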

  3. Richard R 0 Reputation points
    2024-11-07T14:04:41.7733333+00:00

    I appreciate the mentions of verifying things from Intune; however, I am in need of ways to verify info from the endpoint, not Intune. I am aware of the Advanced Diagnostic report. We are trying to determine a way to query an endpoint in real time from a SIEM/Tychon to validate things like:

    1. When Policies were applied - (Time Stamp)
    2. When Policies were refreshed - (Time Stamp)
    3. What policies are currently applied
    4. What Consistent Registry settings/attributes/keys verify a Security Policy was applied and when? (Time Stamp)
