The new Intune Config Refresh

by ·

Intune Config Refresh is a useful feature that helps protect our devices from harmful or accidental changes by reapplying the policy settings we have already set. This means that if something goes wrong, Intune can automatically fix it by putting the correct settings back in place.

With Config Refresh, we can set up a schedule for how often the Intune device should refresh the assigned settings. For example, we can choose to have the settings refreshed every 30 minutes, every hour, or even once a day. The shortest time we can set is 30 minutes, and the longest is 1440 minutes (which is 24 hours). This way, we make sure that all our devices always have the right settings.

If we need to make changes to a specific device, we can pause the refresh feature. This pause can last anywhere from 0 to 1440 minutes. This gives us the flexibility to make necessary adjustments without the automatic refresh getting in the way.

Config Refresh vs. Policy Sync

Intune Policy Sync is the process where devices check in with the Intune service to receive any new or updated policies. This sync can be initiated manually or it happens automatically at regular intervals. During this process, the device receives any pending actions or new policies assigned to it.

Intune Config Refresh is a feature that ensures the previously received policy settings are consistently reapplied to the device. This helps to mitigate the impact of any malicious or accidental changes by reapplying the correct settings at regular intervals. This means that even if a user changes a setting, Config Refresh will revert it back to the intended configuration at the next refresh interval. Config Refresh does not require the device to be connected to the Intune service, as it uses the previously downloaded policies.

NOTE: Config Refresh is dependent on Policy sync. Policy Sync sync down the policies that Config Refresh uses to reapply settings.

When to Use Config Refresh

  • Maintaining Security Configurations: Enforces crucial security settings like lock screen or laps, even if users try to modify them locally.
  • Enforcing Compliance Policies: Ensures devices meet organizational regulations or internal security standards, automatically correcting any deviations.
  • Standardizing Device Settings: Keeps device configurations uniform across your fleet, preventing accidental or unauthorized changes.
  • Offline Functionality: Config Refresh works even when the device is offline, ensuring that the received configuration is applied regardless of connectivity. This is particularly useful for devices that may not always be connected to the network

My first implementation was for example on production PC´s in a factory. On these devices, stability and correct configuration is crucial.

How to configure Config Refresh in Intune

Config Refresh isn’t enabled by default. To activate it, you need to create a Configuration using Settings Catalog:

  1. Access the Intune Admin Center:
    Start by logging into the Microsoft Intune admin center. Navigate to Devices > Windows > Configuration
  2. Click Create and select + New Policy
  3. Select to create a policy for Windows 10 and later from Settings Catalog
  4. Give the configuration a suitable name and description and select Next
  5. Click + Add Settings
  6. Search for Scroll down and select (or search for) Config Refresh
  7. Select both settings available
  1. Set the desired values. This is an example that enable Config Refresh with a Refresh cadence of 60 minutes
  1. Finish the configuration by adding the appropriate Scope tags and assign the configuration to the correct targets

The result

When Config Refresh is enabled, some new configurations is added to the device:

Reg keys

When the configuration is applied, 2 new registry keys are created:

  • HKLM\Software\Microsoft\Enrollments\[GUID]\ConfigRefresh
    • Enabled = 1 (DWORD)
    • Cadence = 60 (DWORD)

Scheduled task

There is also a scheduled task created that will run every 60 minutes. The schedule task runs the deviceenroller.exe executable with some specific parameters. This executable is responsible for reapplying the policy settings that have been previously received by the device.

Pause Config Refresh

Pausing the Intune Config Refresh can be useful in several scenarios, particularly when you need to make changes or troubleshoot a device without the automatic reapplication of policies interfering. Here’s how and why you might do this:

Why to Pause Intune Config Refresh:

  • Troubleshooting: When diagnosing issues on a device, you might need to make temporary changes to the configuration. Pausing Config Refresh prevents the automatic reapplication of policies, allowing you to test and troubleshoot without interruptions.
  • Maintenance: During maintenance tasks, such as software updates or configuration changes, you might want to pause the refresh to ensure that your changes are not overwritten by the existing policies.
  • Remediation: If a device has been compromised or is experiencing issues, pausing Config Refresh allows you to apply necessary fixes or changes without the automatic policies interfering. This can be crucial for quickly addressing security concerns or operational problems.

How to Pause Intune Config Refresh:

  1. Access the Intune Admin Center:
    Start by logging into the Microsoft Intune admin center. Navigate to Devices > Windows
  2. From the list of devices you manage, select a device, and choose Pause Config Refresh.
  1. Specify the number of minutes to pause Config Refresh in the Time period to Pause Config Refresh. The maximum is 1440 minutes (24 hours).
  2. Select Pause.

NOTE: If you need to resume the Config Refresh before the specified time period ends, you can select Pause again and set the time period to 0 minutes.

Conclusion

Config Refresh really level up the possibility to maintain settings on a device. This is very useful when a stable and secure platform is required. Start testing it out on a few device to verify the correct result before enable it on the devices you identify as suitable targets. I use it mainly on devices on the factory floor, shared devices and frontline worker devices.

About The Author

Mr T-Bone

Torbjörn Tbone Granheden is a Solution Architect for Modern Workplace at Coligo AB.
Most Valuable Professional (MVP) on Enterprise Mobility. Certified in most Microsoft technologies and over 23 years as Microsoft Certified Trainer (MCT)

See author's posts

Tags:

Mr T-Bone

Torbjörn Tbone Granheden is a Solution Architect for Modern Workplace at Coligo AB. Most Valuable Professional (MVP) on Enterprise Mobility. Certified in most Microsoft technologies and over 23 years as Microsoft Certified Trainer (MCT)

You may also like...