OMA-URI Policy settings - Intune

SUMIT KUMAR MISHRA 80 Reputation points
2023-12-19T15:22:30.3566667+00:00

Hello Experts,

I've made a custom policy in Intune allowing standard users to manually change/sync time without admin rights and deployed it to my test devices (running enterprise and pro editions).

The settings for my custom policy include:

OMA-URI - ./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime

Data Type - String

Value - S-1-5-19S-1-5-32-544S-1-5-32-545S-1-1-0S-1-2-0S-1-5-11S-1-5-18S-1-5-113*S-1-5-11

The policy is applied successfully to devices without errors, and users are added to the Change system time group policy. However, attempting to run the time sync yielded no results. On the other hand, the same process worked for the Change time zone group policy.

I have a few questions:

  1. Is it possible to grant standard users the right to manually run time sync?
  2. What alternative methods in Intune can achieve this?
  3. Are there any necessary changes to my policy?

Your assistance is much appreciated.

Microsoft Security | Intune | Configuration

Accepted answer
  1. ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
    2023-12-20T05:43:12.86+00:00

    @SUMIT KUMAR MISHRA, thanks for posting in Q&A.

    From your description, I know that you want to allow standard users to manually change/sync time without admin rights via Intune.

    I have done some research about the issue; here is some information that may help you.

    1. Please note that you can give the users the privilege to change the time, but it will not give them the possibility to start the time sync manually; they can, however, change the clock the old-school way.

    2. You can create a PowerShell script and upload it into Intune to achieve this.

    3. You can use the SID instead of the group name, because it could differ with each language. Value - S-1-5-19S-1-5-32-544*S-1-5-32-545

    Here is a link with more detailed information you can refer to.

    https://call4cloud.nl/2021/03/windows-10-the-sands-of-time/#part2

    Non-official, just for reference.

    Hope the above information can help you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
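
To check on a test device which principals actually hold the "Change the system time" right after the policy syncs, and whether the list is broader than intended, here is an added example that is not part of the thread or of Microsoft's documentation. The function names and the `$intended` list are hypothetical, and the `*`-prefixed SIDs joined by U+F000 follow the delimiter described in the Policy CSP UserRights documentation.

```powershell
# Added example: audit who holds "Change the system time" (SeSystemtimePrivilege).
# Run elevated; secedit /export requires administrator rights.

# Constructed sample: the SIDs the policy is meant to grant.
$intended = 'S-1-5-19', 'S-1-5-32-544', 'S-1-5-32-545'

# Broad well-known groups to flag for review: Everyone, Authenticated Users, Users.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Build the CSP string: each SID prefixed with '*', joined by U+F000.
function Get-UserRightsCspValue([string[]]$Sids) {
    foreach ($s in $Sids) {
        if ($s -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $s" }
    }
    ($Sids | ForEach-Object { "*$_" }) -join [string][char]0xF000
}

# Read the effective assignment from a local security policy export.
function Get-SystemTimeRightHolders {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' }
        if (-not $line) { return }
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$effective = @(Get-SystemTimeRightHolders)
foreach ($entry in $effective) {
    # Entries are usually SIDs; unresolved ones may appear as plain account names.
    try { $name = ([Security.Principal.SecurityIdentifier]$entry).Translate([Security.Principal.NTAccount]).Value }
    catch { $name = $entry }
    [pscustomobject]@{
        Sid      = $entry
        Name     = $name
        Intended = $entry -in $intended
        Broad    = $entry -in $broad
    }
}

# Report intended SIDs that did not land on the device.
$missing = $intended | Where-Object { $_ -notin $effective }
if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" }
'CSP value: ' + (Get-UserRightsCspValue $intended)
```

Rows with `Broad = True` or `Intended = False` are the ones to review before rolling the policy out beyond test devices.
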

1 additional answer

  1. SUMIT KUMAR MISHRA 80 Reputation points
    2023-12-20T09:09:28.24+00:00

    Hello ZhoumingDuan,

    Yes, I deployed an OMA-URI custom policy to the devices to ChangeSystemTime using the settings below:

    OMA-URI - ./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime

    Data Type - String

    Value - S-1-5-19S-1-5-32-544S-1-5-32-545S-1-1-0S-1-2-0S-1-5-11S-1-5-18S-1-5-113*S-1-5-11

    The custom policy has been applied to the device, and the user has been added to ChangeSystemTime, as shown in the attached image. Subsequently, I logged in using the standard user and attempted to run the time sync. However, it prompted for admin credentials. Nevertheless, the standard user was able to toggle the time zone and set up the time automatically options.

    So, can we conclude that we won't grant standard users access to run time sync manually whenever they need?

    Yes, I also attempted to run the W32Time service through a script every 1 hour, and it worked.

    Can I run the W32Time service every 30 minutes or 1 hour? Will it cause any issues if Microsoft servers receive too many sync requests from a device?

