Consistent time across environments

By default, all Azure VMs pick up their time settings from the underlying host. For security and consistency, it's recommended that all machines are updated from a centralised source. This is a requirement for PCI compliance etc.

To resolve this we must disable the VMICTimeProvider time provider in the registry.

The registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider; set the value 'Enabled' to 0.

Once this is disabled, you then sync time to a dedicated time source.

This is done via a simple command:

Set to Time Servers
w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1" /syncfromflags:manual /reliable:yes /update

Stop and start service
net stop w32time && net start w32time

Query the time service
w32tm /query /configuration

Time Settings
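
The steps above as one script, followed by a check that the change took effect. This is an added example, not part of the original post; it assumes an elevated PowerShell session, reuses the peer list from the command above, and its variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the steps above in order, then verifies the result.
$ErrorActionPreference = 'Stop'

$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
# Peer list taken from the w32tm command on this page; replace with your approved source.
$peers = '0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1'

# 1. Stop taking time from the underlying host.
Set-ItemProperty -Path $vmicKey -Name 'Enabled' -Value 0 -Type DWord

# 2. Point the Windows Time service at the manual peer list.
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# 3. Restart the service so the provider change takes effect, then request a sync.
Restart-Service -Name w32time
w32tm /resync /rediscover | Out-Null

# 4. Verify: provider disabled, and the active source is one of the configured peers.
$enabled   = (Get-ItemProperty -Path $vmicKey -Name 'Enabled').Enabled
$source    = (w32tm /query /source | Out-String).Trim()
$peerHosts = $peers -split ' ' | ForEach-Object { ($_ -split ',')[0] }
$sourceOk  = [bool]($peerHosts | Where-Object { $source -like "*$_*" })

# Emit one object so the result can be logged or collected from several machines.
[pscustomobject]@{
    VMICTimeProviderEnabled = $enabled
    ActiveSource            = $source
    SourceIsConfiguredPeer  = $sourceOk
    Compliant               = ($enabled -eq 0) -and $sourceOk
}
```

Until the first successful sync the active source can still report the local clock, so rerun the verification step if Compliant is False immediately after the restart.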

In a Windows domain environment all servers will sync their time from the PDC emulator.

Disable the VMICTimeProvider via a group policy and then run the commands above on the PDC.

Verify PDC
netdom query fsmo

You can then use a Group Policy object to disable the registry value on all domain servers.

Group Policy Value