
Intune Customer Success

Support tip: Understanding Microsoft Intune compliance policies reporting SyncML(500) errors

Intune_Support_Team
May 12, 2025

By: Brett Lock - Sr. Tech Support Engineer | Microsoft Intune

 

When deploying Windows device compliance policies with Microsoft Intune, the compliance report may show the following error for the Firewall settings (as depicted in the screenshot below):

“2016345612(Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request.)”

 

Example screenshot of a Windows device compliance policy displaying the SyncML(500) error.

The Syncml(500) error for the Firewall setting typically occurs during device startup, when the mobile device management (MDM) agent service starts before the firewall or antivirus services have fully initialized. In this scenario, the MDM agent reports a “service not started” state back to Intune, which appears as the Syncml(500) error in the report. This is normal and expected.

 

This error is temporary and doesn’t affect the compliance state of the device, unless the device doesn’t synchronize with the Intune service. The compliance service provides a 7-day grace period for devices with this error, marking them non-compliant if no sync occurs within that timeframe.

 

In most cases, the error is resolved within 10 minutes after the user has logged on; however, manual synchronization may be needed.

On the device, navigate to Settings > Accounts > Access work or school > Account > Info > Sync to clear the error or run a compliance check from the Intune Company Portal app. Alternatively, admins can remotely sync the device from the Intune admin center through the device actions to achieve this (Devices > Windows > select the device > Overview > Sync).

 

We’ve recently improved how Intune reports compliance states, which minimizes the occurrence of the Syncml(500) error. However, this error can still occur, and it’s important to understand that the error is expected if the MDM service starts up before the firewall and antivirus services initialize.

 

In summary, the Syncml(500) error won’t impact the device compliance status during the 7-day grace period.

 

If the device is switched off immediately after the error occurs and left off for seven days, this will impact the device compliance state. To resolve a non-compliant device in this scenario, simply turn the device back on and sync once the user is logged on.
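One way for an admin to list Windows devices approaching the 7-day no-sync window described above and request the same remote Sync action, shown here as an added example that is not part of the original post or Microsoft's own tooling. It uses the Microsoft Graph PowerShell SDK; the 5-day warning threshold is an assumption, and last-sync age is used as a proxy because the script does not read the per-setting Syncml(500) error.

```powershell
# Added example: report Windows devices nearing the 7-day no-sync window and
# optionally request a remote sync. Requires the Microsoft.Graph.DeviceManagement
# and Microsoft.Graph.DeviceManagement.Actions modules.
param(
    [int]$WarnAfterDays = 5,   # assumption: warn two days before the limit
    [int]$GraceDays     = 7,   # grace period stated in the article
    [switch]$RequestSync       # also send the remote Sync device action
)

$scopes = @('DeviceManagementManagedDevices.Read.All')
if ($RequestSync) { $scopes += 'DeviceManagementManagedDevices.PrivilegedOperations.All' }
Connect-MgGraph -Scopes $scopes

$now = (Get-Date).ToUniversalTime()

$atRisk = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" |
    ForEach-Object {
        if (-not $_.LastSyncDateTime) { return }   # never synced: skip this device
        $age = ($now - $_.LastSyncDateTime.ToUniversalTime()).TotalDays
        if ($age -ge $WarnAfterDays) {
            [pscustomobject]@{
                DeviceName      = $_.DeviceName
                User            = $_.UserPrincipalName
                ComplianceState = $_.ComplianceState
                DaysSinceSync   = [math]::Round($age, 1)
                PastGrace       = $age -ge $GraceDays
                Id              = $_.Id
            }
        }
    } | Sort-Object DaysSinceSync -Descending

$atRisk | Format-Table DeviceName, User, ComplianceState, DaysSinceSync, PastGrace -AutoSize

if ($RequestSync) {
    foreach ($device in $atRisk) {
        # Same action as Devices > Windows > select the device > Overview > Sync.
        # A powered-off device only processes it once it is back online.
        Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id
    }
}
```

Run it without `-RequestSync` first to review the list; devices flagged `PastGrace` still need to be powered on and synced by a logged-on user, as the article describes.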

 

If you have any questions for the team, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.

Updated May 12, 2025
Version 1.0

3 Comments

  • T551282

    Yea, MS markets the Intune compliance feature as a near-real time technology but in practice it is anything but.

    Last year we did significant laptop deployment for a security conscious customer... the laptops were pre-built at the warehouse and then turned off and shipped to the customer (often offline for 7 days or more).  When users started up their laptops they couldn't access any m365 resources because their devices were non-compliant (and conditional access required compliant devices).  AV and firewall were on, but this SyncML(500) error was causing false negatives for the firewall/av/bitlocker checks.  On average, it took users a couple hours of reboots and manual syncs to get the devices to show as compliant.  This behavior was consistent for all 1000 devices over the course of the deployment.

    MS support engineers were unable to explain/resolve the issue and finally advised that a grace period of 24+ hours might be needed to make things work!

    I no longer recommend customers use the Intune compliance feature.

  • AndAufVCG

    "This error is temporary and doesn’t affect the compliance state of the device"

    well.. as you tell us all the time how important it is to use Intune compliance in combination with Conditional Access Policies, YES this IS affecting the compliance and therefore the whole security of your devices.

    "This is normal and expected."

    No, this is an issue and should be fixed! NOW!

    "In summary, the Syncml(500) error won’t impact the device compliance status during the 7 day grace period."

    who allows to access company data (login to OneDrive fB, login to AzureVPN) with a non-compliant device FOR SEVEN DAYS?!

     

    this is a real world issue and MUST be fixed URGENTLY!

    • flyingfish

      This article drives home the fact that compliance checks are not reliable and just accept it's bad.  Thanks......
