
I'm looking into understanding how Time Sync works with a Win 10 Azure AD Joined laptop/workstation. Looking at my laptop, I noticed that Windows Time is not started and is set to manual. Starting it and getting the current config (w32tm /query /status) tells me it's syncing with the local CMOS clock. I know in a domain/client environment clients sync with the DC. So that leads me to my question: where are the Azure AD joined clients getting time from?

What brought this up is we are noticing lots of time changes on these systems, lots of them. We are a software company with a proprietary time series database logging sub-second data, so time is kind of a big deal to us, which is why we noticed things like this.

Thanks in advance for the help.

Chris

brooksly

2 Answers


Short answer: there is no time sync with Azure AD for managed devices.

Modern authentication using AAD does not really look at the local device time, it is not required for the devices to sync (like what you have with a Kerberos domain) or have a skew time or anything like that.

Intune also doesn't seem to have the capability to configure NTP yet, but you can vote to have that if you want: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39352645-intune-and-autopilot-time-synchronization-and-ntp

Noor Khaldi
  • Thanks for the information! I'll just write a script to configure the systems to sync to a local time server. – brooksly Sep 21 '20 at 12:27
  • `Short answer: there is no time sync with Azure AD for managed devices.` Not correct. There is no time sync imposed on the client by Azure AD, but there is definitely time sync on a Windows machine by default. – Daniel Sep 22 '20 at 19:52
  • @Daniel I was answering this question: "I'm looking in to understanding how Time Sync works with a Win 10 Azure AD Joined" / "where are the Azure AD joined clients getting time from?". AAD Joined devices are not part of a domain, so GPOs are out of the question. If OP said they're using Hybrid AAD Joined devices then yes, a DC would exist and be used for configuring the time service. OP acknowledged the limitation and said they'd be using a script. Your statement is correct; it doesn't make my answer wrong though. – Noor Khaldi Sep 22 '20 at 20:20
  • When you answer `where are the Azure AD joined clients getting time from` with `there is no time sync with Azure AD for managed devices.` then it's misleading at best. Especially because OP thinks the time service being stopped leads to no time sync and the time service being active leads to time sync from CMOS clock. You didn't explain that this is correct and default. – Daniel Sep 22 '20 at 21:01

Windows 10 syncs the time with the server that is configured in the Settings. Time drift is not a problem with Azure AD and modern authentication, unlike with Active Directory and Kerberos.


It's perfectly normal that the Windows Time service is set to manual (Trigger Start).

[…] the Windows Time service is configured as the Trigger-Start service, and this has been implemented as the default setting in Windows 7 and Windows Server 2008 R2.

Services and background processes have a significant effect on the performance of the system. The Trigger-Start service has been implemented in Windows 7 and Windows Server 2008 R2 in order to reduce the total number of auto-start services on the system. […] Under this implementation, the Service Control Manager has been enhanced to handle starting and stopping services by using specific system events.

https://docs.microsoft.com/en-us/troubleshoot/windows-client/identity/w32time-not-start-on-workgroup

Daniel
  • If you would tell me why you downvoted it, I could improve my answer. But as it stands, I'm firmly convinced that it's factually correct and also answers the question. – Daniel Sep 22 '20 at 19:51
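The script the asker mentioned, as an added example that is not part of either answer: it points a non-domain (Azure AD joined) Windows 10 client at a specific NTP server, keeps W32Time running instead of relying on the domain-join trigger, verifies the source with w32tm /query /status, and lists recent clock-step events so the "lots of time changes" can be counted. The server name is an assumed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the question or answers above.
param(
    # Assumed placeholder; replace with your local time server.
    [string]$NtpServer = 'ntp.corp.example'
)

# 1. No domain means no domain-join trigger will start W32Time, so run it
#    as a normal auto-start service to keep it polling.
Set-Service -Name W32Time -StartupType Automatic
Start-Service -Name W32Time

# 2. Configure a manual peer. 0x8 = client mode; /syncfromflags:manual
#    tells the service to ignore the (non-existent) domain hierarchy.
w32tm /config /manualpeerlist:"$NtpServer,0x8" /syncfromflags:manual /reliable:no /update

# 3. Force an immediate sync and show the current state.
w32tm /resync /nowait
w32tm /query /status

# 4. Verify: the source should now be the server, not "Local CMOS Clock".
$source = (w32tm /query /source | Out-String).Trim()
if ($source -like '*Local CMOS Clock*') {
    Write-Warning "Still using the local clock; check UDP 123 reachability to $NtpServer."
} else {
    Write-Output "Time source: $source"
}

# 5. Count how often the clock has actually been stepped: Kernel-General
#    event ID 1 in the System log is written whenever the system time changes.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General'
    Id           = 1
} -MaxEvents 20 | Select-Object TimeCreated, Message
```

Run step 5 again after a day on a configured client; with a reachable server the frequency of time-change events should drop to what the NTP discipline needs rather than the large jumps seen against the CMOS clock.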