Windows 10 MDM client activity monitoring with SyncML Viewer

Windows 10 MDM Sync button

Do you ever wanted to know what is going on behind the curtain when clicking MDM Sync on Windows 10? Gaining insights how the SyncML representation protocol is used during device management of Windows 10 clients? With SyncML Viewer you have the chance to easily get deep insights now. I’ve written a small tool to view the SyncML representation protocol on Windows 10 in real time. In fact this isn’t a special hack, Microsoft provides so called ETW providers which are able to give you all relevant information. There is a great blog post from Michael Niehaus (Want to watch the MDM client activity in real time?), which inspired me to write this small troubleshooting helper tool.

The Message Analyzer approach Michael described felt a bit complicated to setup (choosing provider and setup columns to filter for the relevant events). Despite of the initial setup the approach is great and delivers deep insights, but personally I wanted to have something more simple for troubleshooting. I wanted to be able to start a small tool and getting all protocol information I want in a proper view. Therefore I decided to build my own tool named SyncML Viewer. After quite a bit of research regarding the correct ETW providers to use (special thanks to Matt Graeber for providing detailed ETW provider details here) and suitable layout elements for presentation, I finally have a version 1.0 as community release.

The project is maintained on GitHub here:

Here a direct link to the zip archived program:

SyncML Viewer will show in real time all SyncML xml-based representation protocol information, exchanged between the Windows 10 client and the management system (Intune), in one long stream:

SyncML Viewer protocol stream

You can easily look through the complete sync session and even search for elements:

SyncML Viewer searching

The protocol is designed to have session information for one sync action and exchanged messages belonging to that SyncML session. To step through this a bit easier I parse them and provide a specialized view for it on the second tab, which lists individual sessions and exchanged messages belonging to that session:

SyncML Viewer session view

For protocol analysis it is quite handy to have the status code reference from the official OMA SyncML Representation Protocol documentation available. I’ve added the response status codes and made them easily searchable:

SyncML Viewer response status codes

This should give you an easy way to analyse what’s actually going on.

To provide the ability to deliver ongoing updates to the tool, I added a small update functionality which will indicate if there is a new version available and on manual check (Menu Item > Help > Check for SyncML Viewer Update) it will trigger a download and install of the new version:

SyncML Viewer online update

Viewing the OMA DM protocol and the xml-based SyncML representation helps me to deepen the understanding and check if an actual setting configured in Intune is transferred to the Windows 10 client and actually set.

For example I’ve setup my tenant to automatically convert devices to Autopilot devices with the following setting on the Autopilot profile:

Autopilot setting, convert all targeted devices to Autopilot

Therefore I would assume that Intune queries the device to gather the hardware hash of the device. If we analyze the SyncML stream we find evidence that Intune is actually doing that:

SyncML protocol device hardware data Autopilot hash

As seen it is really useful and helps to get better understanding of the MDM Sync and underlying protocols.

The latest version has also a background logging mode, found in the new Options menu item. If enabled all output is routed to a log file within the same directory as the SyncMLViewer.exe.

Did you know? If you want to monitor the logfile in real time on the console, there is an equivalent to “tail -f” unix/linux command also on Windows via PowerShell with the Get-Content cmdlet and the -Wait parameter. If you never heard of the tail -f command, it allows to parse a log file with a live update on the console. Demonstrated below now via PowerShell and the background log file:

Get-Content .\SyncMLStream-XXX.xml -Wait
SyncMLViewer in background logging mode and additional parsing of log file via PowerShell Get-Content -Wait command

Feel free to propose features or enhancements on the GitHub solution.

Happy tracing everyone!