We have had this recurring issue for a long time now, and despite searching the error all over the place, there seem to be a lot of other IT professionals in the same boat, but no obvious answers. The error is on the Anti-Virus setting on the default compliance policy. 2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request) The compliance policy in question is assigned to all users. This is a very annoying issue as it stops users from being able to access any MSFT apps as it marks the device as non compliant. we are forced to add users to the exclusion list of the policy until the error clears on it's own days/weeks later. If anyone has any ideas on what could be the cause or any possible fixes, it would be greatly appreciated

I have recently found that the following commands, in order, fix this issue fairly reliably (syncml issue on either Firewall or AV compliance) Connect to MgGraph with Intune scopes Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All $device = Get-MgDeviceManagementManagedDevice -Filter "contains(deviceName,'<DEVICENAME>')" Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.id Trigger a compliance check via local process on PC (use remote shell or execute locally) Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance" Trigger a sync via local scheduled task on PC (use remote shell or execute locally) Get-ScheduledTask -TaskName “Schedule #3 created by enrollment client” | Start-ScheduledTask

We have the same issue, no third party AV, laptops updated re-synched multiple times. It happens to Win11 laptops only!

We have the same problem, 600 machines under Intune. Cant live with Microsofts neclect. I thought we could rely part of our security on Conditional Access requiring compliance. but with 5-10 false positives each month its not reliable FIRST i thought it only happend on Hybid joined computers or computers from acquired companies "joined EntraID as is" but we see it frequetly on "pure" Autopilot reshly picked up computers Great with the workaround - thanks! Cheers from Denmark PS: Can we upvote this or is there an article where Microsoft accept the fact that so many of us see this ?

Compliance delays on pre-provisioned devices have been an ongoing issue for us. My own view of what is happening at least for us. We have had multiple cased open going back to early 2023. Word on the street is updates are coming to Intune 2404 that will help alleviate some of the compliance delays on devices in error due to a transient state. I think the goal here was changes to the reporting of the transient state of the FW/AV components. Think SyncML500 errors. Devices that are pre-provisioned and a delay occurs from user enrollments, think sitting for x days before enrollment, are impacted by the day 1 scheduled task not running every 3 minutes for 15 minutes / every 15min for 2 hours for syncing the device. These tasks are scheduled to run after enrollment but are created and started on the pre-provisioned day. When the user finishes the enrollment, they are not updated with the current date for the user enrollment so they don't seem to run any more to help get the device syncing and compliant like you would see on a user only enrollment. \Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Schedule #1 created by enrollment client \Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Schedule #2 created by enrollment client https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#policy-refresh-intervals We have noticed users that use Windows Hello for Business log into the device faster than the AV/FW services are fully working after a restart and the login scheduled task (\Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Login Schedule created by enrollment client) to kick off a sync reports a transient syncml500 error for those components to Intune on the policy and since the devices have never been compliant, they do not follow the error state grace period and get marked non-compliant. Additional manual sync may be required to get out of this state. Since the scheduled day 1 tasks don't run it is a manual process. Or you may have to wait until the every 8 hour sync happens. \Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Schedule #3 created by enrollment client https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows#device-security https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#device-behavior-with-a-compliance-setting-in-error-state

The below process has fixed InTune MDM not compliant due to 'antivirus syncml(500)' issue for me four times in a row, across 4 different Windows endpoints used by 4 different users. Install Company Portal app Use Company Portal app to run a sync From Intune run a sync for that endpoint Shutdown the Endpoint Wait a minute Power on the endpoint, logon, wait a minute If still not compliant repeat from step 2 Had to do this four times on endpoint 1, endpoint 2 needed it done only once, endpoint 3 and 4 needed it done 3 times.

2016345612(Syncml(500) - Intune Compliance Policy Error

Craig Pennington 265

We have had this recurring issue for a long time now, and despite searching the error all over the place, there seem to be a lot of other IT professionals in the same boat, but no obvious answers.

The error is on the Anti-Virus setting on the default compliance policy.

2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request) User's image

The compliance policy in question is assigned to all users.

This is a very annoying issue as it stops users from being able to access any MSFT apps as it marks the device as non compliant.

we are forced to add users to the exclusion list of the policy until the error clears on it's own days/weeks later.

If anyone has any ideas on what could be the cause or any possible fixes, it would be greatly appreciated

Nick Eckermann 591 Reputation points

2023-10-04T16:12:45.83+00:00

We have been dealing with this issue since March and it isn't getting any better.
Nick Eckermann 591 Reputation points

2023-10-12T13:40:20.92+00:00

Looks like there are multiple people in this thread having the same problem.
Please open support cases so we can get more traction on this issue, and they can start to get it resolved.

@Craig Pennington

@Efstratios Stratis

@JuliusPIV

@kircher
ShadabK OA 0 Reputation points

2023-10-13T09:42:37.9+00:00

Rename the device up to 15 characters only, it will resolve the issue.
Davio, Peter [HCL] 125 Reputation points

2023-10-16T17:29:59.4533333+00:00

I am getting this error on Firewall and not Antivirus...
Jerry Peacock 135 Reputation points

2023-10-16T20:30:33.23+00:00

We are seeing this error as well. And our machine names are only 10 characters, so Less than 15 is not going to fix the issue.
Chad Coker 15 Reputation points

2023-10-19T12:21:52.9433333+00:00

We have been having the same issue since we started using Intune. It hits different computers on different days, and it clears after hours/days/resyncs.
Our device names are 15 characters or less. We have removed and redeployed machines, removed and recreated the compliance policy. The issue may resolve for a while, but it always comes back.
Albin Fransson 0 Reputation points

2023-10-25T09:08:25.17+00:00

Hi,

For our environment we resolve this by letting the user click "Fix now" under the Work or school account settings menu.

After that they can click on "Check access" under the device menu in Company portal.

We dont have any hybrid devices, only AAD.
Robert Young 16 Reputation points

2023-11-02T16:20:39.5133333+00:00

We've just seen this appear in our environment. The Senior VP got an email that she forwarded onto my team for action. Not a good look MS.

Anti-Virus is ESET Protect.

We need this addressed PDQ!
jason@4streamline.com 6 Reputation points

2023-11-10T20:56:09.1566667+00:00

We are experiencing the same issue. Our devices are AzureAD Joined, we do several app installations when the devices is joined. The issue only happens with Windows 11. The machine becomes very slow and AV stops working after reboot. It appears the Microsoft Defender AV (Endpoint security) is trying to restart. EDR show as if it is updating.
Denis Payne 181 Reputation points

2024-01-04T13:54:58.73+00:00

Keep having this issue intermittently affecting random users using random AAD hybrid joined Windows 10 endpoints.

Machine names are less then 15characters.

Fixed the issue once by running sync from Endpoint and InTune.
All other times need to wait days to weeks for the issue to resolve itself, else delete the endpoint from InTune and AzureAD then do a fresh Azure AD hybrid + InTune join.

Myself and colleagues gave raised tickets with MSFT 365 support who aren't much help, leaving poor 1st line guys struggling when a senior team needs to get involved and gather debug logs to determine the actual cause.
Florian Obradovic 11 Reputation points

2024-03-20T11:15:59.6933333+00:00

We also have a few users affected by this issue (until now all hybrid joined):
2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request)

It's always the Windows Firewall. Never AV (we use windows defender):
Felipe M Ferreira 11 Reputation points

2024-04-01T13:44:43.2266667+00:00

Same issue here: It occurs randomly after users restart their machines. Sometimes, a sync is enough to fix the issue, but other times we have to reboot the machine, sync, check for compliance, and repeat the process multiple times.

We use Windows Defender AV, and our machines’ names are only 11 characters. Last year, this issue was happening very often, but Microsoft fixed it. However, we now observe the same issue occurring since the beginning of March 2024.
Rune Pettersen 0 Reputation points

2024-04-08T07:41:46.42+00:00

One machine had this issue, the devicename in autopilot was blank, the devicename in intune was below 15 chars. the machine was also inactive.
Seshagiri Rao Padaki 0 Reputation points

2024-04-17T06:43:08.71+00:00

I have reinstalled the Company Portal its working fine
Anthony Yeshan Isuru De Silva 5 Reputation points

2024-04-23T01:13:21.6133333+00:00

Hi Guys, i have had this issue for several users. fix is to turn off the windows firewall and turn it back again. then go to company portal click once on check access and wait 2-3mins until it completes. do not click again and again as it will then take more time. if its taking way too long turn off the conditional access policy that check for compliance. then once company portal check is ok you can turn on the conditional access.

To verify further you can check azure ad portal devices and select the device you are checking on. check if its compliant. Then you can go to intune portal check if it shows compliant. it may be compliant on azure ad and not in intune. give it some time and then it will show compliant on intune as well.
Rob Plumridge 0 Reputation points

2024-05-22T10:36:34.27+00:00

So I have this on multiple instances of both Win11 and Win10 machines for various clients (different intune configs, different methods of setup), I've poked and asked around, mostly from what I can see it's a sync issue. Again cloud loves to take its time with these, and its v. intermittent.

With Stricter compliance policies it appears more frequently than less relaxed policies but I will try and investigate further into this, I don't really have a concrete answer to this other than sync-ing devices.

Usually (on device) i'll run intunemanagementextension://synccompliance in the run diag

This usually clears up after about 10-30ish minutes
Chad Coker 15 Reputation points

2024-05-22T12:20:13.9833333+00:00

We continue to have this issue several times a week. We either wait several days for it to clear on its own or have the user initiate a sync, reboot, etc.

We have opened issues with MS Support only to be passed around to different agents/techs with no solutions offered.
Our compliance platform was integrated to Intune to pull device status,. This became unworkable with this issue occurring so often, so we had to go a different route for that.

It is unfortunate that an issue that is this widespread gets no attention from Microsoft, and support is not helpful.
Nick Eckermann 591 Reputation points

2024-05-22T18:32:28.79+00:00

@Chad Coker Changes are supposed to be coming but they missed the 2404 deployment. Waiting to see when they might be implemented and if they do in fact fix these issues. Update from Microsoft below. You can reference our case so you might be in the loop better on the rollout.

2310040040013084
Joe Bartlett 0 Reputation points

2024-07-18T11:04:15.4+00:00

@Nick Eckermann Thank you for your updates on this - We're seeing a similar issue and have referred our Microsoft Support contact to your ticket number. Unfortunately I've not managed to have them get in touch with the engineering team yet... I'm still just getting documentation quoted back at me.

~~I was wondering if you had any updates from MS recently? It sounds like the fix just keeps getting delayed over and over again.~~

*Edit - I see you posted a week ago that you'd had another noncommittal response from them. No surprises there! Fingers crossed they finally get it sorted soon.

Thanks again,
Joe
Ishmail Mohammad 0 Reputation points

2024-08-05T06:22:33.03+00:00

same error message
sysadmin72 0 Reputation points

2024-08-23T19:54:17.6866667+00:00

We recently onboarded our devices to Intune. We had no previous MDM so all these devices were never managed by anything before. After using the default the Firewall Windows default policy as our base policy, we started to get this error in our compliance report. I took the provided policy, duplicated it and renamed the duplicate. This fixed our issue.
Thomas Fancett 5 Reputation points

2024-09-11T14:51:24.25+00:00

Another report of this for multiple devices. Device Names under 15 characters, Defender as standard AV and fully patched and up to date with Fresh Synch completed locally from device.

Nick Eckermann may be onto something as we have seen this occurring more on pre-provisioned devices where they have been built but the use reenrollment step may be completed several days later or used sporadically after deployment.

Either way MS needs to acknowledge and patch this there so many people reporting this you think there own firewall product and AV could talk to their own systems correctly!
Robert Fenech Santucci 0 Reputation points

2024-09-19T12:03:24.7733333+00:00

Has there been any recent feedback from Microsoft regarding this issue and a potential solution in a future release?

43 answers

Aaron Murphy 25 Reputation points

2024-05-09T17:39:03.67+00:00
I have recently found that the following commands, in order, fix this issue fairly reliably (syncml issue on either Firewall or AV compliance)

Connect to MgGraph with Intune scopes

Connect-MgGraph -scope DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All

$device = Get-MgDeviceManagementManagedDevice -Filter "contains(deviceName,'<DEVICENAME>')"

Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.id

Trigger a compliance check via local process on PC (use remote shell or execute locally)

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

Trigger a sync via local scheduled task on PC (use remote shell or execute locally)

Get-ScheduledTask -TaskName “Schedule #3 created by enrollment client” | Start-ScheduledTask
Please sign in to rate this answer.

5 people found this answer helpful.
rvtdadmin 11 Reputation points

2024-06-04T21:40:29.0433333+00:00

This process worked on the one initial computer we were having the issue with. Thank you

Laurens Driessen 10 Reputation points

2024-09-24T07:12:06.7033333+00:00

If I am correctly, these actions just perform a Synchronisation on the device right?
Is it any different than Sync the device from the Company Portal or Work/School account section?

James Blanco 0 Reputation points

2024-09-26T15:23:04.84+00:00

Hi Aaron, apologies for my ignorance are you running this in PowerShell via Graph on the machine in question, and or pulling the query in Graph. I see other comments the goal is to re-sync to fix the error any help would be great thanks!

Aaron Murphy 25 Reputation points

2024-09-26T15:31:53.5933333+00:00

The first action is using Graph. As for the second and third actions, you can execute these on the machine in question over a remote PS session or similar. You have to connect to the device first, so you can execute the command on that device.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Efstratios Stratis 36 Reputation points

2023-10-09T13:36:44.87+00:00

We have the same issue, no third party AV, laptops updated re-synched multiple times.

It happens to Win11 laptops only!
Please sign in to rate this answer.

2 people found this answer helpful.
JJ 10 Reputation points

2023-12-07T08:54:42.29+00:00

We have this on Win10 laptops.

45638838 1 Reputation point

2024-04-19T12:15:56.5966667+00:00

I am having this issue on Win 10 laptops as well

Kodi Rozanski 5 Reputation points

2024-06-27T12:29:04.38+00:00

this has happened to a few windows 10 distros
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Torben Eriksen - NTI A/S 10 Reputation points

2024-09-11T09:31:21.14+00:00

We have the same problem, 600 machines under Intune. Cant live with Microsofts neclect.

I thought we could rely part of our security on Conditional Access requiring compliance.

but with 5-10 false positives each month its not reliable

FIRST i thought it only happend on Hybid joined computers or computers from acquired companies "joined EntraID as is" but we see it frequetly on "pure" Autopilot reshly picked up computers

Great with the workaround - thanks!

Cheers from Denmark

PS: Can we upvote this or is there an article where Microsoft accept the fact that so many of us see this ?
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Nick Eckermann 591 Reputation points

2024-04-05T14:55:57.59+00:00

Compliance delays on pre-provisioned devices have been an ongoing issue for us. My own view of what is happening at least for us. We have had multiple cased open going back to early 2023.

Word on the street is updates are coming to Intune 2404 that will help alleviate some of the compliance delays on devices in error due to a transient state. I think the goal here was changes to the reporting of the transient state of the FW/AV components. Think SyncML500 errors.

Devices that are pre-provisioned and a delay occurs from user enrollments, think sitting for x days before enrollment, are impacted by the day 1 scheduled task not running every 3 minutes for 15 minutes / every 15min for 2 hours for syncing the device. These tasks are scheduled to run after enrollment but are created and started on the pre-provisioned day. When the user finishes the enrollment, they are not updated with the current date for the user enrollment so they don't seem to run any more to help get the device syncing and compliant like you would see on a user only enrollment.

\Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Schedule #1 created by enrollment client

\Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Schedule #2 created by enrollment client

https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#policy-refresh-intervals

We have noticed users that use Windows Hello for Business log into the device faster than the AV/FW services are fully working after a restart and the login scheduled task (\Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Login Schedule created by enrollment client) to kick off a sync reports a transient syncml500 error for those components to Intune on the policy and since the devices have never been compliant, they do not follow the error state grace period and get marked non-compliant. Additional manual sync may be required to get out of this state. Since the scheduled day 1 tasks don't run it is a manual process. Or you may have to wait until the every 8 hour sync happens. \Microsoft\Windows\EnterpriseMgmt{enrollmentGUID}\Schedule #3 created by enrollment client

https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows#device-security

https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#device-behavior-with-a-compliance-setting-in-error-state
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Denis Payne 181 Reputation points

2024-08-14T14:54:10.4633333+00:00
The below process has fixed InTune MDM not compliant due to 'antivirus syncml(500)' issue for me four times in a row, across 4 different Windows endpoints used by 4 different users.

Install Company Portal app

Use Company Portal app to run a sync

From Intune run a sync for that endpoint

Shutdown the Endpoint

Wait a minute

Power on the endpoint, logon, wait a minute

If still not compliant repeat from step 2

Had to do this four times on endpoint 1, endpoint 2 needed it done only once, endpoint 3 and 4 needed it done 3 times.
Please sign in to rate this answer.

2 people found this answer helpful.
Chad Coker 15 Reputation points

2024-08-14T15:01:09.41+00:00

This method has worked for us temporarily, but the issue always comes back after a few days or weeks. The last communication we got from Microsoft was that if they show compliant to disregard the error (which isn't very helpful).

Denis Payne 181 Reputation points

2024-08-14T15:13:41.1933333+00:00

I really don't see how enterprise, corporations and especially government can supposedly use InTune MDM, seems to be a flawed product through and through.

They must have too much money to spend on IT and allow staff to loose time, then compared to my MSP and our clients.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

2016345612(Syncml(500) - Intune Compliance Policy Error

43 answers

Your answer