A key aspect of Intune’s functionality is the Config Refresh process, which ensures that device settings, security policies, and compliance measures remain up-to-date and enforced. This article explores what Microsoft Intune’s configuration refresh entails, its importance, and how administrators can leverage it to maintain device compliance.
What’s Config Refresh?
Config Refresh is a Microsoft Intune feature for managed Windows 11 devices that improves security and compliance by periodically re-applying the MDM policies already delivered to the device, far more often than the default MDM sync interval of roughly 8 hours. The refresh interval (cadence) can be set from 30 minutes to 1,440 minutes (24 hours); the documented default when the feature is enabled is 90 minutes.
Config Refresh provides the following capabilities:
1- Re-applies the Policy CSP settings already configured on the device, re-enforcing them without waiting for a new sync with Intune.
2- Works offline: the refresh runs from the locally cached policy, so the device does not need an Internet connection.
3- An administrator can pause Config Refresh for any reason (for example, during troubleshooting); it resumes automatically after 24 hours.
How to Configure “Config Refresh”
1- Open the Intune admin center and go to Devices > Configuration > Create a new policy.
2- Select Windows 10 and later as the platform and Settings Catalog as the profile type.
3- Search the settings picker for Config Refresh.
4- Select the Config Refresh category and add the Enabled and Cadence settings.
Enable Config Refresh and set the refresh interval (cadence) to suit your needs (30 minutes to 24 hours).
5- Assign the policy to a device group that contains only Windows 11 devices; Config Refresh is a Windows 11 feature, so targeting Windows 10 devices achieves nothing.
How to trace Config Refresh Delivery on Managed Devices
After assigning the Config Refresh policy, open any of the targeted Windows devices and check the following:
1- Registry Editor: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\<Enrollment-ID>\ConfigRefresh (the enrollment ID is the GUID of the device's Intune enrollment).
Here you will see that Config Refresh is enabled and that the refresh interval matches the policy (60 minutes in this example).
2- Task Scheduler: a task is created under \Microsoft\Windows\EnterpriseMgmtNonCritical.
Its trigger is configured exactly according to the Config Refresh cadence set in Intune.
3- Event Viewer: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Operational.
The events to expect in this log are:
- Event ID 4200: start of a Config Refresh.
- Event ID 4202: Config Refresh completed successfully.
- Event ID 4201: Config Refresh failed.
- Event IDs 4203-4214: failure of an individual setting during the Config Refresh.
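To check all three places in one pass, here is an added PowerShell script (written for this edit, not from the IntuneBytes article). It reads the registry key, scheduled task folder and event log named above; the value names under the ConfigRefresh key are not assumed, the function dumps whatever is present, and the Meaning column maps the event IDs exactly as the list above describes them. The function name and the default of 20 events are choices of this example.

```powershell
# Added example, not from the IntuneBytes article: collect the Config Refresh evidence the article
# lists (registry key, scheduled task, event log) from a Windows 11 device in one pass.
# Registry, task and log paths are the ones the article names; the value names under the
# ConfigRefresh key are not assumed, the function returns whatever is present. Run elevated.
#Requires -RunAsAdministrator

function Get-ConfigRefreshState {
    [CmdletBinding()]
    param(
        # How many recent Config Refresh events (IDs 4200-4214) to return
        [int]$MaxEvents = 20
    )

    # 1. Registry: one subkey per MDM enrollment; only the Intune enrollment carries a ConfigRefresh key
    $registry = foreach ($enrollment in Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue) {
        $key = Join-Path $enrollment.PSPath 'ConfigRefresh'
        if (Test-Path $key) {
            # Drop the PSPath/PSParentPath/... properties PowerShell adds, keep the real registry values
            $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            [pscustomobject]@{ EnrollmentId = $enrollment.PSChildName; Values = ($values -join '; ') }
        }
    }

    # 2. Scheduled task under \Microsoft\Windows\EnterpriseMgmtNonCritical; the trigger repetition is the cadence
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmtNonCritical*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName           = $task.TaskName
                TaskPath           = $task.TaskPath
                State              = $task.State
                # ISO 8601 duration, e.g. PT1H for a 60-minute cadence
                RepetitionInterval = (@($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ',')
                LastRunTime        = $info.LastRunTime
                LastTaskResult     = $info.LastTaskResult   # 0 = last run succeeded
                NextRunTime        = $info.NextRunTime
            }
        }

    # 3. Event log: 4200 start, 4202 success, 4201 failure, 4203-4214 individual setting failures
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4200..4214 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            $meaning = switch ($e.Id) {
                4200    { 'Config Refresh started' }
                4201    { 'Config Refresh failed' }
                4202    { 'Config Refresh completed successfully' }
                default { 'Setting failed during Config Refresh' }
            }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Meaning = $meaning
                Message = (($e.Message -split "`r?`n")[0])   # first line only; the rest is detail
            }
        }

    [pscustomobject]@{ Registry = $registry; Tasks = $tasks; Events = $events }
}

$state = Get-ConfigRefreshState
'--- Registry ---';       $state.Registry | Format-Table -AutoSize
'--- Scheduled task ---'; $state.Tasks    | Format-Table -AutoSize
'--- Events ---';         $state.Events   | Format-Table -AutoSize
```

If the Registry section comes back empty the policy has not reached the device yet (or the device is not Windows 11); if the task exists but LastTaskResult is non-zero, look at the 4201 and 4203-4214 events for the failing setting.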
Example of a “Config Refresh” CSP Re-Enforcement
This scenario illustrates why Config Refresh matters and how it re-enforces a configuration on the device.
1- The device receives a Google Chrome policy that disables Print Preview; it is visible in the Chrome browser at chrome://policy.
2- The configuration delivered by Intune lands in the registry under “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\chromeIntuneV1~Policy~googlechrome~Printing”
and the enforced setting is reflected under “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome”, which is the key Chrome actually reads.
3- If, for any reason, the values under “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome” are deleted, there is a risk that users bypass the enforcement set by the organization. Deleting them needs local administrator rights, but nothing reports the deletion to Intune, and a regular MDM sync only delivers changed policy, so the drift would otherwise persist.
If we refresh chrome://policy at this point, nothing is enforced.
4- With Config Refresh enabled, the next scheduled refresh re-applies the configuration to the registry,
and all settings are restored.
Keep an eye on the event log under “Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational”: Event ID 4202 confirms that the Config Refresh completed successfully.
5- Now refresh the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome”; the values have been written again,
and in Chrome, “Disable Print Preview” shows as a configured policy again.
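The scenario above can be verified end to end with the following added PowerShell script (written for this edit, not from the IntuneBytes article). It snapshots the values under HKLM\SOFTWARE\Policies\Google\Chrome, optionally deletes the key to reproduce the tampering in step 3, waits for the next 4201/4202 event and reports whether every baseline value came back with the same data. The function names and the -SimulateTamper switch are assumptions of this demo; the switch deletes the key on purpose, so use it only on a lab device.

```powershell
# Added example, not from the IntuneBytes article: verify that Config Refresh restores a tampered
# Chrome policy key. Registry and log paths are the ones the article names; -SimulateTamper and the
# function names are assumptions of this demo. The switch deletes the key on purpose: lab devices only.
#Requires -RunAsAdministrator

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'

# Snapshot every value under a key (recursively) as "subkey\valueName" -> value string
function Get-PolicySnapshot {
    param([string]$Path)
    $snapshot = @{}
    if (-not (Test-Path $Path)) { return $snapshot }
    $root = Get-Item $Path
    foreach ($key in @($root) + @(Get-ChildItem $Path -Recurse)) {
        $relative = $key.Name.Substring($root.Name.Length)   # '' for the root key itself
        foreach ($name in $key.GetValueNames()) {
            # REG_MULTI_SZ comes back as an array; join so values compare as plain strings
            $snapshot["$relative\$name"] = ($key.GetValue($name) -join ',')
        }
    }
    return $snapshot
}

# Poll the DeviceManagement log for the first refresh outcome (4202 success / 4201 failure) after $After
function Wait-ConfigRefreshEvent {
    param([datetime]$After, [int]$TimeoutMinutes = 90)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4201, 4202; StartTime = $After } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    }
    return $null
}

function Test-ConfigRefreshRestore {
    param([switch]$SimulateTamper, [int]$TimeoutMinutes = 90)

    $baseline = Get-PolicySnapshot $ChromePolicyKey
    if ($baseline.Count -eq 0) { throw "No Chrome policy values under $ChromePolicyKey; assign the Chrome policy first." }
    $start = Get-Date

    if ($SimulateTamper) {
        # Step 3 of the scenario: wipe the key Chrome reads. Nothing reports this to Intune.
        Remove-Item -Path $ChromePolicyKey -Recurse -Force
    }
    $afterTamper = Get-PolicySnapshot $ChromePolicyKey

    # Step 4: wait for the scheduled refresh; a 4202 means the cached policy was re-applied
    $event = Wait-ConfigRefreshEvent -After $start -TimeoutMinutes $TimeoutMinutes
    $afterRefresh = Get-PolicySnapshot $ChromePolicyKey

    # Step 5: every baseline value must be back with the same data
    $drift = @($baseline.Keys | Where-Object {
        -not $afterRefresh.ContainsKey($_) -or $afterRefresh[$_] -ne $baseline[$_]
    })
    $eventId   = if ($event) { $event.Id } else { $null }
    $eventTime = if ($event) { $event.TimeCreated } else { $null }

    [pscustomobject]@{
        BaselineValues     = $baseline.Count
        ValuesAfterTamper  = $afterTamper.Count
        RefreshEventId     = $eventId
        RefreshTime        = $eventTime
        ValuesAfterRefresh = $afterRefresh.Count
        StillMissing       = $drift
        Restored           = ($null -ne $event -and $event.Id -eq 4202 -and $drift.Count -eq 0)
    }
}

# Dry run: only watch for the next refresh and confirm nothing drifted
Test-ConfigRefreshRestore | Format-List
# Lab run: delete the key, then confirm Config Refresh writes it back
# Test-ConfigRefreshRestore -SimulateTamper | Format-List
```

Set -TimeoutMinutes to at least the cadence you configured; with the 60-minute interval used in this article's example, ValuesAfterTamper should be 0 and Restored should be True within the hour, and a 4201 event or a non-empty StillMissing list points at the setting that failed to re-apply.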
Conclusion
The Windows Config Refresh feature in Microsoft Intune is a significant advance in device management for enterprises running Windows 11. By re-enforcing policies at intervals well below the default 8-hour MDM sync, it strengthens compliance and security across organizational devices. Engineers can use it to ensure that settings, configurations and compliance measures are consistently upheld, reducing the risk of policy drift and improving operational efficiency. As organizations continue to adapt to an evolving digital landscape, timely enforcement of policies through Intune will be instrumental in maintaining robust governance and performance across their IT infrastructure.