📱 Recipe · Intune & Device Management

Identify Stale Intune Devices and Trigger a Remote Sync

Find managed devices that haven't checked into Intune recently and force a policy sync to bring them current

Complexity

Intermediate

Impact

device-management + compliance + fleet-hygiene + intune

Context

Why This Matters

Intune-managed devices periodically check in with the service to pull down configuration profiles, compliance policies, and app assignments. When a device stops checking in, it drifts out of compliance, misses security policy updates, and may appear healthy in reports while actually being unmanaged in practice.

This recipe identifies devices whose lastSyncDateTime is older than a cutoff you choose (for example, "since last Friday" or "more than 7 days ago") and issues a remote syncDevice action to each one. It's a common weekly hygiene task and a useful first response when users report that a new policy, app, or certificate hasn't arrived on their machine.

When to run it

  • Weekly or daily as part of device fleet hygiene
  • After pushing a high-priority configuration profile or compliance policy
  • When investigating a rollout that appears stuck on a subset of devices
  • Before generating compliance reports for auditors

Expected Outcomes

What you'll have after running this recipe

  • A list of all Intune-managed devices whose last check-in is older than your chosen cutoff, including device name, assigned user, OS, and last sync timestamp
  • A remote sync action queued against every stale device
  • A run log you can attach to a ticket or change record showing which devices were targeted and whether the sync action was accepted by the service
  • Reduced policy drift and faster convergence on your current Intune baseline

Risks & Considerations

Warnings and considerations

  • Sync is a request, not a guarantee. The syncDevice action only succeeds if the device is online and can reach Intune. Offline, retired, or decommissioned devices will stay stale no matter how many times you trigger a sync.
  • Truly abandoned devices need retirement, not sync. If a device has been offline for 30+ days, investigate whether it was lost, reimaged, or left the fleet. Consider using the retire or delete action instead.
  • Watch for throttling. Graph throttles bulk device actions. For fleets larger than a few hundred stale devices, add delays between calls or batch them.
  • Don't rely on lastSyncDateTime alone for compliance decisions. A device that synced recently can still be non-compliant. Use complianceState for that signal.
  • Time zones matter. lastSyncDateTime is UTC. Ensure your cutoff is also computed in UTC or you'll drift by up to 24 hours.
  • Audit logging. Each sync action is recorded in the Intune audit log under the service principal or user that ran it. Use a documented service account for scheduled runs.

Required Permissions

Permission                                                Why It's Needed
DeviceManagementManagedDevices.Read.All                   Enumerate managed devices and read lastSyncDateTime to identify stale devices
DeviceManagementManagedDevices.PrivilegedOperations.All   Invoke the syncDevice remote action against each stale device
DeviceManagementManagedDevices.ReadWrite.All              Required in many tenants alongside PrivilegedOperations for device action endpoints
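The same procedure scripted against Microsoft Graph, as an added example that is not code from this recipe or from Dex. It uses Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module and assumes the permissions in the table above have been consented; it computes the cutoff in UTC, pages through the fleet, queues a syncDevice action per stale device with pacing between calls, flags devices offline 30+ days as retirement candidates, and writes the run log to CSV.

```powershell
# Added example (not from the recipe or Dex): report stale devices and queue a syncDevice action
# for each through Microsoft Graph, using Invoke-MgGraphRequest (Microsoft.Graph.Authentication).
param(
    [int]$StaleDays  = 7,    # cutoff: a last check-in older than this is "stale"
    [int]$RetireDays = 30,   # flag devices offline at least this long as retirement candidates
    [switch]$WhatIf          # report only, queue no sync actions
)

Connect-MgGraph -NoWelcome -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)

# lastSyncDateTime is UTC, so the cutoff is computed in UTC as well.
$now    = [DateTime]::UtcNow
$cutoff = $now.AddDays(-$StaleDays)

# Page through the fleet, requesting only the fields the report needs.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=id,deviceName,userPrincipalName,operatingSystem,lastSyncDateTime'
$devices = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# Client-side filter: anything that last synced before the UTC cutoff is stale.
$stale = $devices | Where-Object { ([DateTime]$_.lastSyncDateTime).ToUniversalTime() -lt $cutoff }

$log = foreach ($d in $stale) {
    $age    = [int][Math]::Floor(($now - ([DateTime]$d.lastSyncDateTime).ToUniversalTime()).TotalDays)
    $flag   = if ($age -ge $RetireDays) { 'retirement candidate' } else { '' }
    $action = 'skipped (WhatIf)'
    if (-not $WhatIf) {
        try {
            # syncDevice only queues the request; an offline device will not act on it.
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/syncDevice" | Out-Null
            $action = 'sync queued'
        } catch {
            $action = "sync rejected: $($_.Exception.Message)"
        }
        Start-Sleep -Milliseconds 500   # simple pacing to stay under Graph throttling limits
    }
    [pscustomobject]@{ DeviceName = $d.deviceName; User = $d.userPrincipalName; OS = $d.operatingSystem
                       LastSync = $d.lastSyncDateTime; DaysStale = $age; Flag = $flag; Action = $action }
}

# The CSV is the run log to attach to a ticket or change record.
$log | Export-Csv -NoTypeInformation -Path ('stale-sync-{0:yyyyMMdd-HHmm}.csv' -f $now)
$log | Format-Table -AutoSize
```

Run it with -WhatIf first to review the stale list before any sync actions are queued.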

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Identify all Intune-managed devices that haven't checked in since {cutoff_date} (e.g., last Friday) and trigger a remote sync on each one. Give me a summary of how many devices were targeted, which succeeded, and flag any that have been offline for more than 30 days as candidates for retirement.