Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

Microsoft Intune Config Refresh – Setup – In Action – Back-end Basics – Pausing and Event Log

by | Jul 10, 2024 | Blog, Config refresh, Device Management, Intune, Manuals, MDM, Microsoft, Most Popular, Top Stories | 3 comments

Hi Community,

Today a somewhat smaller post in comparison to my last extensive guides, this time about the Microsoft Intune config refresh feature.

Config Refresh is a highly sought-after improvement in mobile device management (MDM). This feature ensures the timely and consistent application of security and compliance settings across your device fleet by enabling frequent refreshes of MDM policies whenever configurations deviate from their intended state. Let’s delve into what Config Refresh is, and how to manage and troubleshoot it effectively.

Important: Config Refresh is available for Windows 11 starting with the May 2024 non-security update and the June 2024 security update.

Windows 11 supports MDM protocols, enabling the management of company security policies and business applications on both corporate and employee-owned devices without compromising user privacy. MDM enhances device management through several capabilities:

  • Cloud Management: Utilize the cloud as the primary management platform.
  • Remote Work Support: Eliminate connectivity constraints to accommodate work-from-anywhere scenarios.
  • Task Simplification: Streamline numerous management tasks within the enterprise.

As MDM evolves to manage hundreds of millions of devices, Windows continues to align MDM settings available through configuration service providers (CSPs) and solutions like the Microsoft Intune Settings Catalog with those manageable via traditional Group Policy.

 

What is Microsoft Intune Config Refresh

Config Refresh enhances the security and compliance of MDM-managed PCs. While Group Policy traditionally refreshes every 90 minutes and MDM policies refresh every eight hours, Config Refresh allows you to customize the policy refresh interval. You can now set the refresh timing to be as short as 30 minutes or extend it up to 24 hours (1,440 minutes), providing greater flexibility in maintaining up-to-date policies.

Config Refresh is designed to provide improved functionality that was available with Group Policy. Some of the key new features are:

  • A reset operation to reset any settings you manage which use the Policy CSP
  • Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
  • Offline functionality, not requiring connectivity to an MDM server
  • Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

Config Refresh is designed to work with MDM policies managed by the Policy CSP. Some policies, notably the BitLocker CSP, will also adhere to Config Refresh enablement. Other policies are outside of this scope, such as Firewall, AppLocker, PDE, and LAPS.

 

How to set up Microsoft Intune Config Refresh

The setup of Config Refresh is very straightforward. In your Intune portal go to Devices – Windows – Configuration – Create – New policy, choose Platform: Windows 10 and later and Profile type: Settings catalog, and click Create. Name your policy, e.g. Config Refresh, click Next, then click Add settings and search for "config refresh".

Select both:

  • Config refresh – Enable
  • Refresh cadence – Choose your cadence for the refresh (I chose 30 minutes)

 

Assign this policy to a device group of your choice. As you can see in the Microsoft documentation, the scope is set to Device.

 

If you want to know more on when to assign which policies to a device or user group, read my article on assignments here.

 

Config Refresh in action

Now let’s see Config Refresh in action on a device. I have configured a OneDrive policy in Intune to push some settings to my devices. You can find all those settings in your registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

I took my OneDrive settings and I changed the ForcedLocalMassDeleteDetection_ProviderSet setting from 1 to 5. Look at the time stamps in the bottom right corner.

These are the original settings at 10:01AM:

Now I change the setting from 1 to 5 at 10:03AM:

 

And at 10:11AM the setting was changed back to its original state.

 

Cool isn’t it? Now how does this work?

Microsoft Intune Config Refresh the back-end basics

The ConfigRefresh node consists of:

  • Cadence: Determines the frequency with which the refresh operation happens. The default for the refresh is 90 minutes. Allowed values are from 30 to 1440 minutes.
  • Enabled: Enables or disables the refresh feature. The default value is false. Set it to true to enable the feature.
  • PausePeriod: To pause Config Refresh for troubleshooting, enter a value between 0 and 1440 minutes. At the end of the period, the refresh is re-enabled. Set the value to 0 to re-enable the feature immediately.

You can verify that Config Refresh is enabled in the registry under the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\<Intune Policy Provider GUID>\ConfigRefresh

 

Now let’s check the scheduled task it created; you can find it here. As you can see, the task is created with the settings you specified in your Intune policy:

A user who isn’t a local admin on the device will not see the scheduled task. This is nice, because it means the task cannot be deleted by that user and Config Refresh cannot be broken that way.
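To check the state described above without opening regedit and the Task Scheduler by hand, here is an added PowerShell example (not code from the original post or from Microsoft). It reads the ConfigRefresh key under each enrollment and lists the scheduled tasks of that enrollment. It assumes the registry value names match the CSP node names (Enabled, Cadence, PausePeriod) and that the enrollment's tasks live under \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\; both are assumptions, which is why the script also dumps every value it finds. Run it in an elevated prompt, since the task folder is hidden from non-admin users.

```powershell
# Added example, not from the original post. Run as administrator.
# Reports the Config Refresh values Intune wrote under each enrollment and the
# scheduled tasks belonging to that enrollment (task folder layout is assumed).

$EnrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-ConfigRefreshState {
    $results = foreach ($enrollment in Get-ChildItem -Path $EnrollmentsRoot -ErrorAction SilentlyContinue) {
        $crPath = Join-Path (Join-Path $EnrollmentsRoot $enrollment.PSChildName) 'ConfigRefresh'
        if (-not (Test-Path $crPath)) { continue }   # enrollment without Config Refresh policy
        $props = Get-ItemProperty -Path $crPath
        [pscustomobject]@{
            EnrollmentId = $enrollment.PSChildName
            Enabled      = $props.Enabled       # assumed value name (CSP node 'Enabled')
            Cadence      = $props.Cadence       # assumed value name, minutes (30-1440)
            PausePeriod  = $props.PausePeriod   # assumed value name, minutes (0 = not paused)
            # Everything actually present under the key, so nothing is hidden by the assumptions above
            AllValues    = ($props.PSObject.Properties |
                            Where-Object { $_.Name -notlike 'PS*' } |
                            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
    return $results
}

function Get-EnrollmentTasks {
    param([Parameter(Mandatory)][string]$EnrollmentId)
    # Assumed layout: one task folder per enrollment GUID under EnterpriseMgmt.
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $_.TaskName
                State       = $_.State
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                # Trigger type and start boundary, e.g. "MSFT_TaskTimeTrigger 2024-07-10T14:12:00"
                Triggers    = ($_.Triggers | ForEach-Object { "$($_.CimClass.CimClassName) $($_.StartBoundary)" }) -join '; '
            }
        }
}

# Usage: show the Config Refresh values, then the tasks (and their next run) per enrollment.
$state = Get-ConfigRefreshState
$state | Format-List
$state | ForEach-Object { Get-EnrollmentTasks -EnrollmentId $_.EnrollmentId } | Format-Table -AutoSize
```

If the Enabled/Cadence/PausePeriod columns come back empty but AllValues is populated, the value names on your build differ from the CSP node names; the AllValues column shows what is really there.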

You can also check the Event Viewer logs under Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider and look for event ID 4202. As you can see in the screenshot, I have a recorded event saying Config Refresh completed successfully at 10:11AM, which is exactly the time my changed OneDrive setting was set back to its original value.

Unfortunately, not all settings from Intune are refreshed. Testing every setting is not possible, but I noticed that all policies under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device can be updated by Config Refresh. In my case that is quite a lot:

I did a few tests by cherry-picking some policies and all of them were changed back to their original setting. Don’t shoot me if you try a setting and it doesn’t change back :-). As stated in the info box at the start of this blog, Config Refresh is designed to work with MDM policies managed by the Policy CSP, which leads me to think that when, for example, an Administrative Template policy moves to the Settings Catalog, those settings will also be covered by Config Refresh.

There is another ‘PolicyManager’ key in the registry under Windows Defender, where the ASR rules are stored. The Defender ‘PolicyManager’ path is also refreshed by Config Refresh. It is located here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager.
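The OneDrive test above (change a value, wait for the cadence, see it revert) can be repeated for the whole policy tree rather than one value at a time. The following PowerShell is an added example, not code from the original post: it snapshots every value under the two registry roots named in this post (PolicyManager\current\device and the Defender Policy Manager key) and diffs a later snapshot, so you can see exactly which values Config Refresh put back, or confirm that a value you are interested in is outside its scope. The snapshot file path is an arbitrary choice.

```powershell
# Added example, not from the original post. Run as administrator.
# Snapshot the MDM policy values that the post says Config Refresh covers, then
# diff a later snapshot to see which values were reverted.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
)

function Get-MdmPolicySnapshot {
    param([string[]]$Roots = $PolicyRoots)
    $snapshot = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # The root key and every subkey (one per CSP area, e.g. OneDrive) hold policy values.
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Key format: "<registry key>::<value name>", e.g.
                # HKEY_LOCAL_MACHINE\...\OneDrive::ForcedLocalMassDeleteDetection_ProviderSet
                $snapshot["$($key.Name)::$name"] = $key.GetValue($name)
            }
        }
    }
    return $snapshot
}

function Compare-MdmPolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $allKeys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    $diff = foreach ($k in $allKeys) {
        $b = $Before[$k]; $a = $After[$k]
        # String comparison so REG_BINARY arrays and missing values compare sensibly
        if ("$b" -ne "$a") {
            [pscustomobject]@{ Value = $k; Before = $b; After = $a }
        }
    }
    return $diff
}

# Usage, step 1: take a baseline while the policies are in their intended state.
$baselineFile = Join-Path $env:TEMP 'mdm-policy-baseline.xml'   # arbitrary location
Get-MdmPolicySnapshot | Export-Clixml -Path $baselineFile

# Step 2 (later): after a value was changed and the next refresh has run, diff against the baseline.
# Rows with Before <> After are values that were reverted (or that Config Refresh did not touch,
# if you changed them yourself and they still show the changed value).
$baseline = Import-Clixml -Path $baselineFile
Compare-MdmPolicySnapshot -Before $baseline -After (Get-MdmPolicySnapshot) | Format-Table -AutoSize
```

Taking the baseline right after a successful refresh (event ID 4202) gives the cleanest reference point; a diff taken just after the next 4202 event then shows only the values the refresh actually had to correct.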

 

Microsoft Intune Config Refresh Pausing

You can also pause Config Refresh for a device: look up the device in your Intune portal and, from the overview pane, click the three dots at the end and click Pause config refresh.

Now set a time period; just for testing I will set it to 60.

You will see this action set to pending in the device action status:

What happens behind the scenes is very simple: the scheduled task trigger gets postponed by the selected number of minutes. A new scheduled task is created with custom triggers; these are the triggers from the pause action:

In the device action status you can also see that the Pause config refresh action has completed. Check the time stamps of the scheduled task and of the device action status: both say 14:12.

Unfortunately we cannot click resume or anything similar; we have to wait and sit out the 60-minute pause. After those 60 minutes everything reverts to the original state.

After the 60 minutes you can see that everything is back to normal in the task scheduler.

 

Microsoft Intune Config Refresh Event Log

Some basic info regarding the event log, although I did not run into any issues while playing around with this yet.

Config Refresh logs activity to the Event Viewer. Here’s what you can observe in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational log:

  • Event ID 4200 indicates the start of Config Refresh.
  • Event ID 4202 indicates the successful completion of refresh.
  • Event ID 4201 indicates refresh failure.
  • Event IDs 4203-4214 indicate any failures that might occur when setting or deleting the Config Refresh values.
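To turn the event IDs above into something you can check on a device or wrap into a monitoring script, here is an added PowerShell example (not code from the original post). It reads the Config Refresh events from the last N hours, labels each ID with its meaning from the list above, and reports failures and the time of the last successful refresh. The channel name is the one this post gives; the Admin channel of the same provider is tried as a fallback, which is an assumption on my part.

```powershell
# Added example, not from the original post.
# Summarise Config Refresh events (IDs listed in the post) from the MDM diagnostics log.

$ConfigRefreshIds = @{
    4200 = 'Refresh started'
    4201 = 'Refresh failed'
    4202 = 'Refresh completed successfully'
}
# 4203-4214: failures when setting or deleting the Config Refresh values
4203..4214 | ForEach-Object { $ConfigRefreshIds[$_] = 'Set/delete of Config Refresh value failed' }

function Get-ConfigRefreshEvents {
    param([int]$Hours = 24)
    $channels = @(
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational',  # name from the post
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'         # assumed fallback
    )
    $log = $channels | Where-Object { Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue } | Select-Object -First 1
    if (-not $log) { throw 'DeviceManagement diagnostics log not found on this device' }
    $filter = @{
        LogName   = $log
        Id        = @($ConfigRefreshIds.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $ConfigRefreshIds[$_.Id]
                Message = ($_.Message -split "`n")[0]   # first line only, for a compact table
            }
        }
}

# Usage: list the events, flag failures, and show when the last successful refresh ran.
$events = @(Get-ConfigRefreshEvents -Hours 24)
$events | Format-Table -AutoSize

$failures = @($events | Where-Object { $_.Id -ne 4200 -and $_.Id -ne 4202 })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) Config Refresh failure event(s) in the last 24 hours"
}
$lastOk = $events | Where-Object { $_.Id -eq 4202 } | Select-Object -Last 1
if ($lastOk) { "Last successful refresh: $($lastOk.Time)" } else { 'No successful refresh recorded in the window' }
```

With a 30-minute cadence you would expect a 4202 event roughly every half hour while the device is on; a window with 4200 events but no 4202, or with any 4201 or 4203-4214 events, is worth a closer look, and a pause (see the section above) shows up as a gap with no events at all.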

 

This concludes this blog about Microsoft Intune Config Refresh. As always, if you feel there is something in error or you want to add something from your own experience, don’t hesitate to contact me!

3 Comments

  1. Jaded_Sysadmin

    Holy smokes batman, they did it. They only flipping well did it. Shame it’s Windows 11 only but still one step closer to removing my PowerShell script to refresh config every hour!

    Reply
  2. Luis

    Nice write-up! This is exactly what I was looking for and helped me quickly set up Config Refresh in our environment.

    Reply
    • joery

      Thank you Sir

      Reply
