We have had this recurring issue for a long time now, and despite searching the error all over the place, there seem to be a lot of other IT professionals in the same boat, but no obvious answers. The error is on the Anti-Virus setting on the default compliance policy. 2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request) The compliance policy in question is assigned to all users. This is a very annoying issue as it stops users from being able to access any MSFT apps as it marks the device as non compliant. we are forced to add users to the exclusion list of the policy until the error clears on it's own days/weeks later. If anyone has any ideas on what could be the cause or any possible fixes, it would be greatly appreciated

Had the problem since I started using Intune for my clients. Devices will randomly fall out of compliance and get back compliant. Always the firewall and antivirus with Syncml(500) error. This will happen for domain devices, Azure only devices, pre-provisionned devices, etc... it doesn't follow any logic, it's just random. This is the reason why I will never make a CA policy for compliant devices.

Hello, I have deposited the following remediation script in Intune. The commands can also be easily executed in Powershell. Get-ScheduledTask | ? {$_.TaskName -eq 'Schedule #3 created by enrollment client'} | Start-ScheduledTask Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://syncapp" Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance" However, I prefer devices to report to the MDM immediately after user login and perform a sync. To do this, I create another task on my clients, which also calls the deviceenroller.exe. The challenge here, however, is that each device has a unique enrollment ID, which must be given as a parameter when it is called, which is the GUID maintaining the key "EnterpriseMgmt". Here's my two-liner Powershell for this: $EnrollmentID = Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt\*" } | Select-Object -ExpandProperty TaskPath -Unique | Where-Object { $_ -like "*-*-*" } | Split-Path -Leaf schtasks /create /tn "Intune Policy Sync" /sc ONLOGON /delay 0005:00 /rl highest /ru system /tr "C:\Windows\system32\deviceenroller.exe /o $EnrollmentID /c /b" First, the enrollment ID of the device is laid out and then a planned task is created accordingly. This is executed 5 minutes after the user login on the device and does an Intune Device Sync in the background. I noticed that the easiest method to fully recognize the difference in device check-ins, is by using the Event Viewer . When opening the Event Viewer, simply navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider and look at for Event ID 208 . The difference will be in the origin of the started session, as shown in the following list: A notification – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x7) , Initiator: (0x0), Mode: (0x2), SessionID: (0x7C), Authentication Type: (0x3). A scheduled check-in – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x3) , Initiator: (0x0), Mode: (0x2), SessionID: (0x75), Authentication Type: (0x3). A manual check-in (by using Settings panel) – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x5) , Initiator: (0x0), Mode: (0x2), SessionID: (0x76), Authentication Type: (0x3). A manual check-in (by using Company Portal app) – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0xD) , Initiator: (0x0), Mode: (0x2), SessionID: (0x77), Authentication Type: (0x3).

What is your current AV solution and what is it status locally, any warnings? I would suggest to re-create and re-deploy the compiance policy to test it our, will that solve your problem.

Hi, Thank you for posting in Microsoft Q&A forum. Please install the latest windows update and re-sync from the client to have a try. Also ensure the Anti-Virus software is up to date. Sometimes, outdated software can cause compatibility issues. Similar thread for your reference: Compliance failing because Firewall not detected Thanks for your time. Have a nice day! Best regards, Simon If the response is helpful, please click "Accept Answer" and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Seems that the problem is resolved. We had to reset the laptop and let it hybrid join and sign to intune again. The only difference this time is that we had the laptop connected to the network by cable and not over wifi but I think that has nothing to do with the fact it worked. Another odd thing we were getting before and didn't mention is that there was a message that can't access company resources because Windows defender antimalware real time protection is off...something that apparently wasn't true. That caused the laptop to show as non compliant. Luckily by redoing the whole process on a formatted laptop worked this time.

2016345612(Syncml(500) - Intune Compliance Policy Error

Craig Pennington 310

We have had this recurring issue for a long time now, and despite searching the error all over the place, there seem to be a lot of other IT professionals in the same boat, but no obvious answers.

The error is on the Anti-Virus setting on the default compliance policy.

2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request) User's image

The compliance policy in question is assigned to all users.

This is a very annoying issue as it stops users from being able to access any MSFT apps as it marks the device as non compliant.

we are forced to add users to the exclusion list of the policy until the error clears on it's own days/weeks later.

If anyone has any ideas on what could be the cause or any possible fixes, it would be greatly appreciated

Nick Eckermann 606 Reputation points

2023-10-04T16:12:45.83+00:00

We have been dealing with this issue since March and it isn't getting any better.
Efstratios Stratis 56 Reputation points

2023-10-09T13:36:44.87+00:00

We have the same issue, no third party AV, laptops updated re-synched multiple times.

It happens to Win11 laptops only!
JuliusPIV 91 Reputation points

2023-10-09T19:49:54.3666667+00:00

I can confirm we are a Defender shop and seeing this as well, specifically for the Firewall setting within Device Compliance. It seems to resolve itself after a few hours, but OP mentions, it locks users out.
kircher 0 Reputation points

2023-10-10T13:11:10.0833333+00:00

I also wanted to note that we started seeing OneDrive not silently login or preform known folder redirection on a few of our accounts. While troubleshooting the problem further I noticed that we are also seeing: 2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request) on specifically my account and a co-workers with reguards to the antivirus and firewall categories. This appears to be happening on freshly enrolled PCs through autopilot and existing PCs in my fleet. We use Microsoft 365 Defender for our Antivirus and firewall solution that are UpToDate. I have not seen the problem occur on others within our school district but that doesn't mean that it isn't happening which is scary because it could give users a false sense that they are signed into Onedrive when they are not. Problems started occurring around mid-July 2023 for us.
kircher 0 Reputation points

2023-10-10T13:11:29.1066667+00:00

*Accidental double post
Nick Eckermann 606 Reputation points

2023-10-12T13:40:20.92+00:00

Looks like there are multiple people in this thread having the same problem.
Please open support cases so we can get more traction on this issue, and they can start to get it resolved.

@Craig Pennington

@Efstratios Stratis

@JuliusPIV

@kircher
Abhay Kavaswala 5 Reputation points

2023-10-12T15:54:31.3366667+00:00

Facing the same issue here.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Jan Gross 15 Reputation points

2023-10-16T15:57:33.0133333+00:00

Hello all,

unfortunately, we have the same issue and all our computer names are up to 10 characters long. So this (renaming) will not be the solution for everybody.
Davio, Peter [HCL] 150 Reputation points

2023-10-16T17:29:59.4533333+00:00

I am getting this error on Firewall and not Antivirus...
Jerry Peacock 140 Reputation points

2023-10-16T20:30:33.23+00:00

We are seeing this error as well. And our machine names are only 10 characters, so Less than 15 is not going to fix the issue.
Chad Coker 15 Reputation points

2023-10-19T12:21:52.9433333+00:00

We have been having the same issue since we started using Intune. It hits different computers on different days, and it clears after hours/days/resyncs.
Our device names are 15 characters or less. We have removed and redeployed machines, removed and recreated the compliance policy. The issue may resolve for a while, but it always comes back.
NITITD-8830 5 Reputation points

2023-10-20T15:55:32.32+00:00

The exact same issue and error will randomly affect our machines. No third-party AV, OneDrive first starts complaining about device compliance, InTune reports AV is out of compliance due to this error. Computer names are less than 15 characters.
Albin Fransson 0 Reputation points

2023-10-25T09:08:25.17+00:00

Hi,

For our environment we resolve this by letting the user click "Fix now" under the Work or school account settings menu.

After that they can click on "Check access" under the device menu in Company portal.

We dont have any hybrid devices, only AAD.
Robert Young 26 Reputation points

2023-11-02T16:20:39.5133333+00:00

We've just seen this appear in our environment. The Senior VP got an email that she forwarded onto my team for action. Not a good look MS.

Anti-Virus is ESET Protect.

We need this addressed PDQ!
Jérémie 20 Reputation points

2023-11-10T13:25:54.29+00:00

Same problem here, on brand new machines. No long computer names.
jason@4streamline.com 6 Reputation points

2023-11-10T20:56:09.1566667+00:00

We are experiencing the same issue. Our devices are AzureAD Joined, we do several app installations when the devices is joined. The issue only happens with Windows 11. The machine becomes very slow and AV stops working after reboot. It appears the Microsoft Defender AV (Endpoint security) is trying to restart. EDR show as if it is updating.
Arnulito Camarillo 0 Reputation points

2023-11-28T10:09:24.0866667+00:00

Same issue with our devices.
JJ 10 Reputation points

2023-12-07T08:54:42.29+00:00

We have this on Win10 laptops.
JJ 10 Reputation points

2023-12-07T08:55:35.85+00:00

We see this persisting for firewall and antivirus even on new build recently joined laptops (win10).
GonWild 426 Reputation points

2024-01-04T08:39:18.7666667+00:00

Same problem here! Any solution Microsoft? resetting the PCs is not a popular one
Denis Payne 176 Reputation points

2024-01-04T13:54:58.73+00:00

Keep having this issue intermittently affecting random users using random AAD hybrid joined Windows 10 endpoints.

Machine names are less then 15characters.

Fixed the issue once by running sync from Endpoint and InTune.
All other times need to wait days to weeks for the issue to resolve itself, else delete the endpoint from InTune and AzureAD then do a fresh Azure AD hybrid + InTune join.

Myself and colleagues gave raised tickets with MSFT 365 support who aren't much help, leaving poor 1st line guys struggling when a senior team needs to get involved and gather debug logs to determine the actual cause.
Ed Collins 0 Reputation points

2024-02-22T19:42:40.14+00:00

Same issue here for Antivirus and Firewall on multiple Win 11 devices
Florian Obradovic 11 Reputation points

2024-03-04T14:15:06.9166667+00:00
Same here, only a few devices. Firewall is active (Via Intune Policy), AV = Defender (Managed).

We have a culprit, not sure.... will see if it helps:

Our compliance policy was assigned to all users & all devices.

Resetting firewall defaults didn't help.

Checking compliance via Companyportal (last checkin 40 minutes ago) takes forever, reboot doesn't help.
Paul Normington 0 Reputation points

2024-03-06T10:59:26.8333333+00:00

How are you "resetting firewall defaults"? Is it through the Defender menu or some other way?
Nikolai Minchev 0 Reputation points

2024-03-13T12:59:19.2366667+00:00

Same here, we have few devices whit that error message, but the Antivirus is up to date and no issues
Florian Obradovic 11 Reputation points

2024-03-20T11:15:59.6933333+00:00

We also have a few users affected by this issue (until now all hybrid joined):
2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request)

It's always the Windows Firewall. Never AV (we use windows defender):
Felipe M Ferreira 11 Reputation points

2024-04-01T13:44:43.2266667+00:00

Same issue here: It occurs randomly after users restart their machines. Sometimes, a sync is enough to fix the issue, but other times we have to reboot the machine, sync, check for compliance, and repeat the process multiple times.

We use Windows Defender AV, and our machines’ names are only 11 characters. Last year, this issue was happening very often, but Microsoft fixed it. However, we now observe the same issue occurring since the beginning of March 2024.
Rune Pettersen 0 Reputation points

2024-04-08T07:41:46.42+00:00

One machine had this issue, the devicename in autopilot was blank, the devicename in intune was below 15 chars. the machine was also inactive.
Seshagiri Rao Padaki 0 Reputation points

2024-04-17T06:43:08.71+00:00

I have reinstalled the Company Portal its working fine
45638838 1 Reputation point

2024-04-19T12:15:56.5966667+00:00

I am having this issue on Win 10 laptops as well
Anthony Yeshan Isuru De Silva 5 Reputation points

2024-04-23T01:13:21.6133333+00:00

Hi Guys, i have had this issue for several users. fix is to turn off the windows firewall and turn it back again. then go to company portal click once on check access and wait 2-3mins until it completes. do not click again and again as it will then take more time. if its taking way too long turn off the conditional access policy that check for compliance. then once company portal check is ok you can turn on the conditional access.

To verify further you can check azure ad portal devices and select the device you are checking on. check if its compliant. Then you can go to intune portal check if it shows compliant. it may be compliant on azure ad and not in intune. give it some time and then it will show compliant on intune as well.
Rob Plumridge 0 Reputation points

2024-05-22T10:36:34.27+00:00

So I have this on multiple instances of both Win11 and Win10 machines for various clients (different intune configs, different methods of setup), I've poked and asked around, mostly from what I can see it's a sync issue. Again cloud loves to take its time with these, and its v. intermittent.

With Stricter compliance policies it appears more frequently than less relaxed policies but I will try and investigate further into this, I don't really have a concrete answer to this other than sync-ing devices.

Usually (on device) i'll run intunemanagementextension://synccompliance in the run diag

This usually clears up after about 10-30ish minutes
Chad Coker 15 Reputation points

2024-05-22T12:20:13.9833333+00:00

We continue to have this issue several times a week. We either wait several days for it to clear on its own or have the user initiate a sync, reboot, etc.

We have opened issues with MS Support only to be passed around to different agents/techs with no solutions offered.
Our compliance platform was integrated to Intune to pull device status,. This became unworkable with this issue occurring so often, so we had to go a different route for that.

It is unfortunate that an issue that is this widespread gets no attention from Microsoft, and support is not helpful.
Nick Eckermann 606 Reputation points

2024-05-22T18:32:28.79+00:00

@Chad Coker Changes are supposed to be coming but they missed the 2404 deployment. Waiting to see when they might be implemented and if they do in fact fix these issues. Update from Microsoft below. You can reference our case so you might be in the loop better on the rollout.

2310040040013084
Kodi Rozanski 15 Reputation points

2024-06-27T12:29:04.38+00:00

this has happened to a few windows 10 distros
Kodi Rozanski 15 Reputation points

2024-06-27T12:33:41.33+00:00

Microsoft, get it together. This seems to be a recurring issue. This is now happening to us
Philipp Durrer 20 Reputation points

2024-07-11T07:43:53.01+00:00

Why is this still a problem over a year later? Is the Intune Team at Microsoft staffed at all?
Nick Eckermann 606 Reputation points

2024-07-11T13:25:13.58+00:00

@Philipp Durrer
Yes.. I got this update this week, but still no details around what the fix is so I can say it actually will fix the issue.

I have see other orgs will move to custom compliance policies to do the checks for these items which is more accurate. They write a custom script and json responses to validate the fw/av settings are correct. I haven't done that myself, but I heard it is helping them.

"There are several CSS Engineers that are monitoring this request / issue with our Engineering team. We have a received an update on a corrective action, however, we do not have a date just yet for the completion. We are attempting to ascertain a definitive date from Engineering and then I will advise. As this has slipped before, we do not want to publish a speculative date, so once Engineering provides a definitive date, I will share it with you."
Denis Payne 176 Reputation points

2024-07-11T15:50:17.96+00:00
Been hassling with this issue for several years, ever since started using InTune.

I really don't get how big business corporations and governments see this as a viable product with the amount of hassle it is to use.

But as to the syncml(500) issue, once confirmed Windows Security on the endpoint reports no issues I've been able to clear the bug twice now by:
0. Run sync from device endpoint in InTune MDM admin centre

Run sync from device endpoint itself, Start>Settings>Accounts>Work&School>Domain>Info>Scroll to bottom, click Sync

If possible, disable Windows fast startup from Control Panel>Power>Choose what lid does>Untick fast startup if option listed and ticked

Shutdown, wait a minute or 2

Power on, logon

Run sync from Start>Settings>Accounts>Work&School>Domain>Info>Scroll to bottom, click Sync

Install Company Portal app, run sync

Shutdown, wait a minute or 2

Power on, logon
Joe Bartlett 0 Reputation points

2024-07-18T11:04:15.4+00:00

@Nick Eckermann Thank you for your updates on this - We're seeing a similar issue and have referred our Microsoft Support contact to your ticket number. Unfortunately I've not managed to have them get in touch with the engineering team yet... I'm still just getting documentation quoted back at me.

~~I was wondering if you had any updates from MS recently? It sounds like the fix just keeps getting delayed over and over again.~~

*Edit - I see you posted a week ago that you'd had another noncommittal response from them. No surprises there! Fingers crossed they finally get it sorted soon.

Thanks again,
Joe
Ishmail Mohammad 0 Reputation points

2024-08-05T06:22:33.03+00:00

same error message
Peter D 0 Reputation points

2024-08-14T06:52:46.02+00:00

Been fighting with this since Semptember 23.

It's a shame that an small indie studio like Microsoft can't fix a recurring issue like this.
sysadmin72 0 Reputation points

2024-08-23T19:54:17.6866667+00:00

We recently onboarded our devices to Intune. We had no previous MDM so all these devices were never managed by anything before. After using the default the Firewall Windows default policy as our base policy, we started to get this error in our compliance report. I took the provided policy, duplicated it and renamed the duplicate. This fixed our issue.
Florian Obradovic 11 Reputation points

2024-08-23T20:02:05.1833333+00:00

This is broken for years now.
Abhilash Raveendran 5 Reputation points

2024-09-06T07:36:54.5266667+00:00

The issue seems to be not resolved yet, i think microsoft intune team need to release a bug fix update. So many companies are relied on intune.
William L. Cunningham 10 Reputation points

2024-09-06T12:33:20.82+00:00

Yup, I've got one windows laptop having the antivirus "2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request)" error now for a week. I'm going to either reapply the policy today, or try one of the other things listed here. What I don't want to do is reset the computer or rejoin it to intune. I shouldn't have to do that, for crying out loud.
Ibrahim de Wilde 0 Reputation points

2024-09-10T09:08:14.92+00:00

We have a lot of devices with this problem
Joni Mattila 5 Reputation points

2024-09-11T06:42:48.3933333+00:00

We have the same problem, Intune support unhelpful and will not recognize it as Intune problem. Windows team blames Intune. Intune support refers to this thread as it would be official answer... They told to do windows 10 updates and our devices are Windows 11 and the character limit which is not documented to my understanding and is happening to devices less than the recommended character limit. Same error for Firewall and Antivirus. Would be great to get actual technical help.
Torben Eriksen - NTI A/S 15 Reputation points

2024-09-11T09:31:21.14+00:00

We have the same problem, 600 machines under Intune. Cant live with Microsofts neclect.

I thought we could rely part of our security on Conditional Access requiring compliance.

but with 5-10 false positives each month its not reliable

FIRST i thought it only happend on Hybid joined computers or computers from acquired companies "joined EntraID as is" but we see it frequetly on "pure" Autopilot reshly picked up computers

Great with the workaround - thanks!

Cheers from Denmark

PS: Can we upvote this or is there an article where Microsoft accept the fact that so many of us see this ?
Thomas Fancett 5 Reputation points

2024-09-11T14:51:24.25+00:00

Another report of this for multiple devices. Device Names under 15 characters, Defender as standard AV and fully patched and up to date with Fresh Synch completed locally from device.

Nick Eckermann may be onto something as we have seen this occurring more on pre-provisioned devices where they have been built but the use reenrollment step may be completed several days later or used sporadically after deployment.

Either way MS needs to acknowledge and patch this there so many people reporting this you think there own firewall product and AV could talk to their own systems correctly!
Robert Fenech Santucci 0 Reputation points

2024-09-19T12:03:24.7733333+00:00

Has there been any recent feedback from Microsoft regarding this issue and a potential solution in a future release?
Mich 0 Reputation points

2024-09-27T10:09:10.2633333+00:00

also a strange thing is that I have one device compliant and the other not.

Both the same error code as mentiont here.
Nick Eckermann 606 Reputation points

2024-09-27T12:47:50.92+00:00

Microsoft was having issues this week attempting to deploy a fix for the issue that has been around. It accidentally caused issues with devices that should have fallen the error state grace period to be marked non-compliant immediately depending on if a user was on the device or not when it ran a compliance scan. It was supposed to be mitigated late yesterday after to resolve the new issue. Time will tell if it solved the overall problem with the syncml500 errors.
Mich 0 Reputation points

2024-09-27T12:55:26.5266667+00:00

I managed to get it compliant again somehow, any known problems for the sync not working correctly ?
Paul Kecun 21 Reputation points

2024-10-02T07:05:43.9966667+00:00

I'm running into this too specifically with the Firewall.

101 devices but 5 of them aren't happy with 2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request)

Hybrid Joined with Auto Enrolment.

Confirmed the device name is under 15 characters.

Confirmed the firewall is on

Tried resetting the firewall to defaults.

Triggered syncs from Intune and from the client-side (Accounts->Work or School->Info->Sync)

Used the Company Portal 'Check Compliance'

Triggered syncs via

Trigger a compliance check via local process on PC (use remote shell or execute locally)

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

Trigger a sync via local scheduled task on PC (use remote shell or execute locally)

Get-ScheduledTask -TaskName “Schedule #3 created by enrollment client” | Start-ScheduledTask

Nothing is helping - to the extent I had to simply exclude them from the policy which is ridiculous... does anyone have any other bright ideas?
Igor Trenk 0 Reputation points

2024-10-02T12:17:31.84+00:00

do you use windows hello? Did you try it switch off it?
Laurens Driessen 15 Reputation points

2024-10-03T06:59:11.2366667+00:00

You can reset the Windows Hello with the following command:

certutil /deletehellocontainer

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq#:~:text=How%20do%20I%20delete%20a%20Windows%20Hello%20for%20Business%20container%20on%20a%20device%3F
Joni Mattila 5 Reputation points

2024-10-04T11:03:46.3866667+00:00

After running the PowerShell script locally and then clicking sync from Intune the computer needs to be rebooted, after reboot its compliant again, without reboot it does not take affect.
Brayan Adam 0 Reputation points

2024-10-07T19:10:09.5466667+00:00

Hello, Check if your user has at least one Intune license and that he can sync successfully.

In my case, I had users who do not have a license, neither intune nor Office, nor anything.

And I was able to go through users who have Co-manag SCCM licenses (flag). then my workstations became compliant.
Paul Kecun 21 Reputation points

2024-10-08T16:45:31.7866667+00:00

Thanks for the suggestions folks, I've tried/ruled out everything suggested so far except deleting the Windows Hello container. I'm averse to doing that (really shouldn't be necessary!!) but will give it a whirl on one of the affected users to at least rule it out. Appreciate the suggestions so far.
Audi Fan Boy 0 Reputation points

2024-12-19T18:44:39.16+00:00

Pretty sad that this is still an issue years later.
Sadly, MS devs seem at times to conveniently ignore these ongoing issues without offering much support.
Robotic 0 Reputation points

2024-12-20T15:25:44.9433333+00:00

Started to seeing this again since last week, created a copy of our existing compliance policy, changed the assignment from devices to users and it fixed the problem, temporarily.

Next day the device appears to randomly complain about compliance with syncml 500 error again, sometimes AV, firewall or defender updates or all of them.

However, with the new policy, a manual check-in from the device does remediate it again, whereas devices with the original policy, stubbornly never went back to green, no matter what we've tried.

Definitely a reporting bug in Intune, thinking of creating a custom compliance policy and ditching the template generated one.
Mathias Heidrich 5 Reputation points

2025-02-05T13:02:02.4333333+00:00

Hello, I have deposited the following remediation script in Intune. The commands can also be easily executed in Powershell.

Get-ScheduledTask | ? {$_.TaskName -eq 'Schedule #3 created by enrollment client'} | Start-ScheduledTask

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://syncapp"

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

22 answers

Stephane Simard 11 Reputation points

2024-10-22T15:20:13.84+00:00

Had the problem since I started using Intune for my clients. Devices will randomly fall out of compliance and get back compliant. Always the firewall and antivirus with Syncml(500) error. This will happen for domain devices, Azure only devices, pre-provisionned devices, etc... it doesn't follow any logic, it's just random. This is the reason why I will never make a CA policy for compliant devices.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Mathias Heidrich 5 Reputation points

2025-02-05T13:12:49.3766667+00:00
Hello, I have deposited the following remediation script in Intune. The commands can also be easily executed in Powershell.

Get-ScheduledTask | ? {$_.TaskName -eq 'Schedule #3 created by enrollment client'} | Start-ScheduledTask

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://syncapp"

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

However, I prefer devices to report to the MDM immediately after user login and perform a sync. To do this, I create another task on my clients, which also calls the deviceenroller.exe. The challenge here, however, is that each device has a unique enrollment ID, which must be given as a parameter when it is called, which is the GUID maintaining the key "EnterpriseMgmt". Here's my two-liner Powershell for this:

$EnrollmentID = Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt\*" } | Select-Object -ExpandProperty TaskPath -Unique | Where-Object { $_ -like "*-*-*" } | Split-Path -Leaf

schtasks /create /tn "Intune Policy Sync" /sc ONLOGON /delay 0005:00 /rl highest /ru system /tr "C:\Windows\system32\deviceenroller.exe /o $EnrollmentID /c /b"

First, the enrollment ID of the device is laid out and then a planned task is created accordingly. This is executed 5 minutes after the user login on the device and does an Intune Device Sync in the background.

I noticed that the easiest method to fully recognize the difference in device check-ins, is by using the Event Viewer. When opening the Event Viewer, simply navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider and look at for Event ID 208. The difference will be in the origin of the started session, as shown in the following list:

A notification – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x7), Initiator: (0x0), Mode: (0x2), SessionID: (0x7C), Authentication Type: (0x3).

A scheduled check-in – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x3), Initiator: (0x0), Mode: (0x2), SessionID: (0x75), Authentication Type: (0x3).

A manual check-in (by using Settings panel) – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x5), Initiator: (0x0), Mode: (0x2), SessionID: (0x76), Authentication Type: (0x3).

A manual check-in (by using Company Portal app) – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0xD), Initiator: (0x0), Mode: (0x2), SessionID: (0x77), Authentication Type: (0x3).
Please sign in to rate this answer.

1 person found this answer helpful.
Joe Denice 0 Reputation points

2025-02-06T11:51:48.56+00:00

Ok for me to try this out as well? What is the detection part of the script and what is the remediation?

Mathias Heidrich 5 Reputation points

2025-02-07T10:37:12.86+00:00

As a detection script, for example, simply "exit 1" and remediation script:

?# synccompliance Access Check

Get-ScheduledTask | ? {$_.TaskName -eq 'Schedule #3 created by enrollment client'} | Start-ScheduledTask

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://syncapp"

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

write-host "synccompliance Access Check and Devicesync Done"
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pavel yannara Mirochnitchenko 13,341 Reputation points MVP

2023-09-05T14:17:57.1333333+00:00

What is your current AV solution and what is it status locally, any warnings?

I would suggest to re-create and re-deploy the compiance policy to test it our, will that solve your problem.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Simon Ren-MSFT 40,346 Reputation points Microsoft External Staff

2023-09-06T07:55:01.2266667+00:00

Hi,

Thank you for posting in Microsoft Q&A forum.

Please install the latest windows update and re-sync from the client to have a try. Also ensure the Anti-Virus software is up to date. Sometimes, outdated software can cause compatibility issues.

Similar thread for your reference: Compliance failing because Firewall not detected

Thanks for your time. Have a nice day!

Best regards,

Simon

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Simon Ren-MSFT 40,346 Reputation points Microsoft External Staff

2023-09-15T08:04:45.48+00:00

Hi,

Hope everything goes well. Do you need any further assistance about this issue? If yes, please feel free to let us know, we will do our best to help you.

If the response is helpful, it's appreciated that you could click "Accept Answer" and upvote it, this will help other users to search for useful information more quickly.

Thanks for your time.

Best regards,

Simon

Denis Payne 176 Reputation points

2024-01-04T13:58:53.2566667+00:00

Yes, MSFT needs to fix this ongoing bug.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Efstratios Stratis 56 Reputation points

2023-10-12T13:51:38.6133333+00:00

Seems that the problem is resolved.

We had to reset the laptop and let it hybrid join and sign to intune again.

The only difference this time is that we had the laptop connected to the network by cable and not over wifi but I think that has nothing to do with the fact it worked.

Another odd thing we were getting before and didn't mention is that there

was a message that can't access company resources because Windows defender antimalware real time protection is off...something that apparently wasn't true. That caused the laptop to show as non compliant.

Luckily by redoing the whole process on a formatted laptop worked this time.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

2016345612(Syncml(500) - Intune Compliance Policy Error

22 answers

Your answer