• United States



Contributing Writer

How to time-sync Windows systems

Mar 27, 20193 mins
SecuritySmall and Medium BusinessWindows

Incorrect time on a Windows device or server can prevent security updates or user authentication, and it can interfere with a forensics investigation.

clock on the processor of a circuilt board
Credit: Thinkstock

The recent U.S. daylight saving time change reminded me of a key element in security and computing: time. Setting computers to the proper time is key to authentication and to keeping systems updated and secure. When you are dealing with forensics, you need to know the exact time to which each device is set to correlate events in a timeline.

In the native operating of Windows, it’s important to have a system synchronize your device’s time with either a domain controller set to the proper time or to an external time source. Computers use time to determine if SSL certificates are valid and can be trusted and to check with the Windows update servers to determine if the digital signature of the patch is valid.

If you’ve ever turned a computer on and the CMOS battery no longer keeps it in proper time, you know the machine won’t get online, react to websites or install updates. Once you reset the time, the machine suddenly works properly. You will not be able to log into domain-joined machines that rely on Kerberos authentication that are out of sync by more than five minutes. Keeping time accurate is also mandated for credit card (PCI) transactions, as well as other financial transactions.

How to sync time in Windows environments

I’ve relied on a series of commands to ensure that my primary domain controller keeps in synchronization. The sample below uses, a volunteer group that maintains time-keeping servers, but you can also use time servers to be your primary time keeper. 

w32tm /config /syncfromflags:manual "/,0x1,0x1,0x1,0x1" /reliable:yes

w32tm /config /update

net stop w32time && net start w32time

w32tm /resync /force

w32tm /query /source

If you enter the above in an elevated command prompt, then enter the commands below on each other domain controller, also in an elevated command prompt:

w32tm /config /syncfromflags:domhier /reliable:no /update

net stop w32time && net start w32time

w32tm /resync /force

w32tm /query /source

You can set the skew time in Group Policy, but it’s wise to not let machines skew too much in time from each other. For Server 2019, use PowerShell to perform the synchronization:

w32tm /config / /syncfromflags:MANUAL

Stop-Service w32time

Start-Service w32time

bradley time Susan Bradley

PowerShell command to sync time

If you rely on Azure Stack, time is important there as well. In Azure stack, use the command Get-AzSTimeSource to determine the time information.

For those with mixtures of Server 2016 and later that participate in domains that include Server 2012 R2 and earlier, pay close attention to disabling HyperV time provider as an option in mixed networks. Server 2016 and later will attempt to sync their time from the most accurate provider rather than syncing with the host it’s connected to. Because that may not be ideal, you can override that behavior.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author