Config Refresh and CSP Re-enforce, the Ultimate Guide


A key aspect of Intune’s functionality is the Config Refresh process, which ensures that device settings, security policies, and compliance measures remain up-to-date and enforced. This article explores what Microsoft Intune’s configuration refresh entails, its importance, and how administrators can leverage it to maintain device compliance.

What’s Config Refresh?

Config Refresh is a Microsoft Intune feature that improves security and compliance on managed Windows devices by re-applying the MDM policies locally at a configurable interval, more frequently than the default 8-hour check-in. The Config Refresh interval can be set from 30 minutes to 1,440 minutes (24 hours).

Config Refresh provides the following capabilities:

1- Resends the policy CSPs configured for the device and re-applies them.

2- Works offline: the device does not need to be connected to the Internet for a refresh to run.

3- Admins can pause Config Refresh for any purpose; it resumes automatically after 24 hours.

How to Configure “Config Refresh”

1- Open the Intune portal and select Devices > Configuration > Create a new policy.

2- Select Windows 10 and later as the platform and Settings catalog as the policy type.

3- Search for Config Refresh.

4- Select Config Refresh and Cadence. Enable Config Refresh and set the refresh interval based on your needs (30 minutes to 24 hours).

5- Assign the policy to a device group that contains only Windows 11 devices.

How to trace Config Refresh Delivery on Managed Devices

After assigning the Config Refresh policy, open any of the targeted Windows devices and check the following:

1- Registry Editor: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Enrollment-ID\ConfigRefresh

You'll see Config Refresh enabled and the refresh interval set to 60 minutes (the value configured in this example).

2- Task Scheduler: a task is created under \Microsoft\Windows\EnterpriseMgmtNonCritical.

Its triggers are configured to match exactly the Config Refresh cadence set in Intune.

3- Event logs: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Operational.

The events expected in this log are:

  1. Event ID 4200 > start of Config Refresh.
  2. Event ID 4202 > Config Refresh completed successfully.
  3. Event ID 4201 > Config Refresh failed.
  4. Event IDs 4203-4214 > failure of an individual setting during Config Refresh.
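The three checks above can be collected in one pass from an elevated PowerShell session on the targeted device. The script below is an added example, not code from the article or from Microsoft; it assumes only the registry path, task folder, log name and event IDs named above. Because the article does not name the individual values under the ConfigRefresh key, the script dumps every value in that key rather than reading specific ones.

```powershell
# Added example (not from the article): gathers the Config Refresh indicators
# the article lists (registry key, scheduled task, event log) from a managed
# Windows 11 device. Run elevated on the device itself.
# Assumption: value names under the ConfigRefresh key are not named in the
# article, so all values in the key are read rather than specific ones.

function Get-ConfigRefreshStatus {
    [CmdletBinding()]
    param(
        # How far back to look for Config Refresh events
        [int]$LookbackHours = 24
    )

    # 1. Registry: one ConfigRefresh subkey per enrollment that received the policy
    $registry = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = Join-Path $_.PSPath 'ConfigRefresh'
            if (Test-Path $key) {
                $values = Get-ItemProperty -Path $key
                [pscustomobject]@{
                    EnrollmentId = $_.PSChildName
                    Values       = $values.PSObject.Properties |
                                   Where-Object { $_.Name -notlike 'PS*' } |
                                   ForEach-Object { "$($_.Name)=$($_.Value)" }
                }
            }
        }

    # 2. Scheduled task(s) that drive the refresh cadence
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmtNonCritical\' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TaskName = $_.TaskName
                State    = $_.State
                Triggers = ($_.Triggers | ForEach-Object {
                               "$($_.CimClass.CimClassName) repeat=$($_.Repetition.Interval)"
                           }) -join '; '
            }
        }

    # 3. Event log: the IDs the article maps to start / success / failure
    $meaning = @{
        4200 = 'Config Refresh started'
        4201 = 'Config Refresh failed'
        4202 = 'Config Refresh completed successfully'
    }
    4203..4214 | ForEach-Object { $meaning[$_] = 'Setting failure during Config Refresh' }

    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
        Id        = 4200..4214
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent returns newest first, so the first 4202 is the latest success
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { $meaning[$_.Id] } }, Message

    [pscustomobject]@{
        Registry       = $registry
        ScheduledTasks = $tasks
        Events         = $events
        LastSuccess    = ($events | Where-Object Id -eq 4202 | Select-Object -First 1).TimeCreated
        FailureCount   = ($events | Where-Object { $_.Id -ne 4200 -and $_.Id -ne 4202 }).Count
    }
}

$status = Get-ConfigRefreshStatus
$status.Registry       | Format-List
$status.ScheduledTasks | Format-Table -AutoSize
$status.Events         | Format-Table TimeCreated, Id, Meaning -AutoSize
"Last successful refresh: $($status.LastSuccess); failures in window: $($status.FailureCount)"
```

A device on which the policy has landed shows at least one enrollment with a ConfigRefresh key, a task in the EnterpriseMgmtNonCritical folder whose repetition interval matches the cadence, and a 4200/4202 pair per interval; a non-zero FailureCount points at the 4201 or 4203-4214 events to read next.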

Example of a Config Refresh CSP re-enforcement

This scenario illustrates the importance of Config Refresh and how it re-enforces configuration on the device.

1- The device receives a Google Chrome policy to disable print preview; this is visible in Chrome at chrome://policy.

2- The configuration delivered by Intune is written to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\chromeIntuneV1~Policy~googlechrome~Printing”,
and the enforced setting is reflected under the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome”.

3- If, for any reason, the registry key under “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome” is deleted, there is a risk that users bypass the enforcement set by the organization.
Refreshing chrome://policy will then show that nothing is enforced.

4- Config Refresh re-enforces the configuration to the registry, and all settings are restored.

Watch the event log under “Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational”: event ID 4202 confirms that the Config Refresh sync completed successfully.

5- At that point, refresh the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome” and you'll see the key has been rewritten.

In Chrome, “Disable Print Preview” shows as a configured policy again.

config refresh- Config Refresh and CSP Re-enforce, the Ultimate Guide!
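The drift in step 3 (Intune's delivered setting still present under PolicyManager, the enforced Chrome key gone) can be detected from the device before the next refresh runs, and the restoration in steps 4 and 5 can be confirmed against the 4202 event. The script below is an added example, not code from the article or from Microsoft. It uses the two registry paths from the scenario; the value name DisablePrintPreview and the enforced DWORD value of 1 are assumptions, since the article shows only the key paths, and both are parameters so they can be swapped for any other Chrome policy delivered the same way.

```powershell
# Added example (not from the article): reports whether the Chrome policy the
# scenario describes is still enforced, has drifted (enforced key missing or
# altered while Intune's intent under PolicyManager is still present), or was
# never targeted, and shows the latest successful Config Refresh (event 4202).
# Assumptions: the policy value is named 'DisablePrintPreview' and is enforced
# as DWORD 1; the article only shows the key paths.

function Test-ChromePolicyDrift {
    [CmdletBinding()]
    param(
        [string]$PolicyName    = 'DisablePrintPreview',
        [int]   $ExpectedValue = 1,
        # Paths from the article: Intune's delivered intent and the enforced key
        [string]$IntentKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\chromeIntuneV1~Policy~googlechrome~Printing',
        [string]$EnforcedKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )

    # A missing key or a missing value both come back as $null here
    $intent   = Get-ItemProperty -Path $IntentKey   -Name $PolicyName -ErrorAction SilentlyContinue
    $enforced = Get-ItemProperty -Path $EnforcedKey -Name $PolicyName -ErrorAction SilentlyContinue

    $state = if (-not $intent) {
        'NotTargeted'          # Intune never delivered this setting to the device
    } elseif (-not $enforced) {
        'Drift-KeyMissing'     # step 3 of the scenario: enforced key gone, Chrome shows nothing
    } elseif ($enforced.$PolicyName -ne $ExpectedValue) {
        'Drift-ValueChanged'   # key present but no longer holds the enforced value
    } else {
        'Enforced'
    }

    # Latest successful Config Refresh, which is what rewrites the enforced key
    $lastRefresh = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
        Id      = 4202
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PolicyName        = $PolicyName
        IntentPresent     = [bool]$intent
        EnforcedValue     = if ($enforced) { $enforced.$PolicyName } else { $null }
        State             = $state
        LastConfigRefresh = if ($lastRefresh) { $lastRefresh.TimeCreated } else { $null }
    }
}

$result = Test-ChromePolicyDrift
$result | Format-List
if ($result.State -like 'Drift-*') {
    Write-Warning "Chrome policy drift detected; the enforced key should be rewritten at the next Config Refresh (event 4202)."
}
```

Running the check once a drift is observed and again after the next 4202 event reproduces steps 3 to 5: the state moves from Drift-KeyMissing back to Enforced without any re-sync from Intune, which is the point of the offline refresh.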

Conclusion

In conclusion, the introduction of the Windows Configuration Refresh feature in Microsoft Intune represents a significant advancement in device management for enterprises utilizing Windows 11. By enabling the reinforcement of policies at intervals of less than eight hours, this feature enhances compliance and security across organizational devices. Engineers can leverage this capability to ensure that settings, configurations, and compliance measures are consistently upheld, mitigating the risks associated with policy drift and enhancing overall operational efficiency. As organizations continue to adapt to the evolving digital landscape, the timely enforcement of policies through Intune will be instrumental in maintaining robust governance and performance across their IT infrastructure.

Don't miss the other Enrollment articles from IntuneBytes.
