In this post we will be discussing on Config Refresh policy which allows the targeted Intune policies to be refreshed with a custom frequency as short as 30 mins, but the maximum refresh time can be set to 24 hours.
What is Config Refresh
Config Refresh is indeed a useful feature in Intune that allows you to enforce the refresh of policies within a specified time frame, ranging from 30 minutes to 24 hours. This is particularly beneficial for users familiar with group policy, where the default refresh time is 90 minutes. In contrast, Intune typically takes up to 8 hours to refresh policies. The introduction of Config Refresh aims to bridge this gap and provide more timely policy refresh.
Considerations:
OS version support: Windows 11 version 23H2 or version 22H2 with at least June 2024 security update is required for config refresh to work.
Network Load: More frequent refreshes can increase network traffic and device load, especially in large environments. Testing is recommended to find an optimal balance.
Key benefits of using Config Refresh Policy in Intune
Re-enforcing the policies: With Config Refresh policy set, any unforeseen changes applied to the system will be revert back as per Intune MDM policy which is targeted to the device. This can happen if someone is trying to make changes to system or troubleshooting some issues.
Customization: You can configure this refresh setting to match your organization’s needs, balancing performance and policy refresh rates. Some organizations might prefer a faster refresh, while others may opt for a longer interval to reduce device and network load.
Set up Config Refresh Policy
- Go to Intune Admin Center
- Navigate to Devices > Windows > Configuration. Create new profile.
- Select Profile type as Settings catalog.
- Under Settings picker, search for Config Refresh. There will be two settings available “Config refresh” and “Refresh cadence”, select both to add.
- Set the following values:
Config refresh as Enabled
Refresh cadence as 30
Note: Refresh cadence value is in minutes. Allowed range is 30 – 1440. 90 mins is the recommended value which seems like a balance.
- Save and target the policy via Assignment.
Config Refresh policy verification
Once the policy arrives on Windows 11 device, we can verify it via multiple ways.
Config Refresh verification via Registry
Open registry and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\F031C2F4-C013-4168-9B8B-227C07853C16\ConfigRefresh ( where F031… is a guid which may differ from device to device). Following values Cadence and Enabled can be seen:
Config Refresh policy verification via Task Scheduler
Open Task Scheduler and navigate to Microsoft/Windows/EnterpriseMgmtNonCritical and click on the GUID value. We will be able to see the new task scheduler entry created:
Schedule created by dm client to refresh settings which is supposed to run every 30 mins as we set this in the policy.
The above mentioned image also shows the action it will take every 30 mins, we can see the following command:
%windir%\system32\deviceenroller.exe /ConfigRefresh /o F031C2F4-C013-4168-9B8B-227C07853C16
Config Refresh verification via Event Viewer
Lastly we can verify the Config Refresh settings applying correctly by opening event viewer. Navigate to Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational, Event ID 4202 indicates “ConfigRefresh completed successfully”, I can see this value while using the filter for Event ID as 4202.
Pause Config Refresh
We can even pause the config refresh policy upto 1440 mins (24 hours). This can be done via one of the device actions with the name Pause config refresh.
Once set to a specific value let’s say 240. The device will not refresh the policy.
There are various used cases for Config Refresh pause feature such as:
- Troubleshoot the specific issue by making some manual changes on the device, where you don’t want to re-apply the settings during that period.
- Test Configurations: Before pushing new configurations or policy changes to all users, pausing the automatic refresh allows you to test them on a smaller group of devices to ensure that everything works as expected.
- Pilot Groups: If you want to implement new policies in stages, pausing the config refresh lets you apply changes to a select group first, while other devices remain unaffected until you’re confident that everything is functioning correctly.
Pause Config Refresh value in registry
Once the Pause setting is applied to the device, you can see the PausePeriod registry key getting created under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\\ConfigRefresh
Conclusion
By using Config Refresh policy comes up with various advantages:
Reverting the settings back to the original one: Any changes applied to the system will revert back quicker with Config Refresh policy.
Reduced Latency: Reduces the latency if we are not using Config Refresh at all. Without Config Refresh, it can take upto 8 hours to re-apply the policies.
Compliance Maintenance: As devices are refreshed more frequently, they will remain more compliant with correct security settings applied, reducing the risk of non-compliance/security breaches.
Important Links
Intro to Config Refresh – a refreshingly new MDM feature | Windows IT Pro Blog
DMClient CSP | Microsoft Learn
Discover more from SCCM | Intune | Device Management| Enterprise Mobility & Security
Subscribe to get the latest posts sent to your email.
