Keeping your organization's devices secure and compliant requires ensuring they adhere to the latest policies. Traditionally, Microsoft Intune relied on scheduled check-ins for devices to receive policy updates. However, a newer feature called Config Refresh offers a more dynamic approach, eliminating the need for frequent check-ins.
This blog post dives into Config Refresh, explaining how it works locally on devices and how it compares to a policy sync. Because Config Refresh can be a bit tricky to deal with while troubleshooting, I will also show you how to pause it if needed.
Table of Contents
- Config Refresh vs. Policy Sync: A Different Approach
- When to Use Config Refresh
- Configure Config Refresh in Intune
- Pausing Config Refresh (on Demand)
- When is the Next Refresh on My Device?
- Conclusion
Config Refresh vs. Policy Sync: A Different Approach
The two functions depend on each other: a policy sync is always the prerequisite for Config Refresh to take place, because Config Refresh can only enforce what a sync has already downloaded to the device.
Policy Sync
- Devices check in with Intune at pre-defined intervals (typically around 8 hours) or upon specific triggers (like user actions).
- During check-in, the device retrieves any new or updated policies assigned to it.
- This approach ensures policies are applied eventually, but there might be a delay between a change and its implementation. The automatic interval here is 8 hours.
Config Refresh
- This feature leverages a scheduled task on the enrolled device.
- The task checks locally for deviations from the previously downloaded configuration from Intune at a much more frequent interval (configurable by the administrator).
- If a policy setting is modified on the device, either manually or through another tool, Config Refresh detects the drift and automatically reverts the setting to the desired state defined in the Intune policy.
Analogy: Think of Config Refresh like a security guard who regularly patrols a building to ensure everything remains in its designated place. If the guard finds something misplaced, they return it to its proper location.
When to Use Config Refresh
Config Refresh is particularly beneficial for scenarios where ensuring consistent policy compliance is crucial:
- Maintaining security configurations: Enforce critical security settings like encryption or password complexity, even if a user attempts to modify them locally.
- Enforcing compliance policies: Guarantee devices adhere to organizational regulations or internal security standards, automatically correcting any deviations.
- Standardizing device settings: Maintain consistent configurations across your device fleet, preventing accidental or unauthorized modifications.
Important Note: While Config Refresh ensures compliance with previously downloaded configurations, it doesn't actively check for new or updated policies from Intune. Regular device check-ins are still essential to receive the latest policy versions.
Configure Config Refresh in Intune
Config Refresh isn't active by default. To activate it we need to create a Settings Catalog profile. To do so, open Intune and navigate to:
Devices > Windows > Configuration profiles and hit "+ New Policy"
Select "Windows 10 and later" and "Settings catalog"
Give the policy a good name and an optional description:
Add the settings by searching for "Config refresh" and activate both:
After assigning the policy to your audience, Config Refresh will be active.
For a deep dive under the hood, check out Rudy's post: Config Refresh | Intune | Offline Refresh Intune Policies (call4cloud.nl)
Pausing Config Refresh (on Demand)
The steps for pausing Config Refresh are very straightforward; you'll find an action item in the device actions inside of Intune:
However, remember that pausing Config Refresh can lead to a delay in enforcing compliance until the next successful device check-in with Intune.
How long will the Config Refresh be paused?
That's a good question. When we look into the CSP documentation and look for the "Pause Period", we see that the default value is "0". Does that mean the refresh won't be paused at all?
DMClient CSP - Windows Client Management | Microsoft Learn
In the preview, that setting had to be set manually via an OMA-URI.
However, what has changed since the feature was only available in the Windows Insider channel is that we can now manually select the pause period for each pause action.
Demo of "Pause config refresh"
The technical workflow behind the pause is very simple: as soon as you press "pause", the number of minutes you define is added to the next trigger time of the scheduled task.
When is the Next Refresh on My Device?
Unfortunately, Config Refresh itself doesn't provide a built-in way to directly view the exact time of the next refresh on your device. However, the refresh process is typically triggered by a scheduled task.
Here's how to check the scheduled task configuration to determine the refresh cadence (how often the refresh occurs):
- Open the Task Scheduler. You can search for it by clicking on the Start menu and typing "Task Scheduler".
- Navigate to the following folder path within the Task Scheduler library: Microsoft > Windows > EnterpriseMgmtNonCritical
- Look for a task named "Scheduled task created by DM client to refresh settings". This task is in a subfolder with a unique identifier:
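To read the same information without clicking through Task Scheduler, and to verify the pause behaviour described above (the selected minutes are added to the next trigger time), here is an added PowerShell example. It is not code from the original post, from Microsoft or from Intune; it assumes the task name quoted above, the folder \Microsoft\Windows\EnterpriseMgmtNonCritical\ with one subfolder per enrollment ID, and that the cadence is stored as the trigger's repetition interval. Run it in an elevated PowerShell session on the enrolled device.

```powershell
# Added example (not the post's or Microsoft's code): report the Config Refresh
# scheduled task's cadence and next trigger time on the local device.
# Assumptions: task name as quoted in the post, task folder
# \Microsoft\Windows\EnterpriseMgmtNonCritical\<enrollment ID>\, and a
# repetition trigger whose interval is the configured cadence.

function Get-ConfigRefreshStatus {
    $taskName = 'Scheduled task created by DM client to refresh settings'

    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmtNonCritical\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq $taskName }

    if (-not $tasks) {
        Write-Warning 'No Config Refresh task found. The feature may be disabled, or the device has not synced since the policy was assigned.'
        return
    }

    foreach ($task in $tasks) {
        $info = $task | Get-ScheduledTaskInfo

        # The subfolder name under EnterpriseMgmtNonCritical is the enrollment ID
        $enrollmentId = $task.TaskPath.TrimEnd('\').Split('\')[-1]

        # The cadence is an ISO 8601 duration on the trigger's repetition pattern (e.g. PT90M)
        $interval = $task.Triggers |
            ForEach-Object { $_.Repetition.Interval } |
            Where-Object { $_ } |
            Select-Object -First 1
        $cadence = if ($interval) { [System.Xml.XmlConvert]::ToTimeSpan($interval) } else { $null }

        $minutesUntilNext = if ($info.NextRunTime) {
            [math]::Round(($info.NextRunTime - (Get-Date)).TotalMinutes)
        } else { $null }

        [pscustomobject]@{
            EnrollmentId     = $enrollmentId
            State            = $task.State
            CadenceMinutes   = if ($cadence) { $cadence.TotalMinutes } else { $null }
            LastRunTime      = $info.LastRunTime
            LastTaskResult   = $info.LastTaskResult   # 0 means the last run succeeded
            NextRunTime      = $info.NextRunTime
            MinutesUntilNext = $minutesUntilNext
        }
    }
}

# Difference in the next trigger time between two snapshots (single enrollment assumed).
# Take one snapshot, press "Pause config refresh" in Intune, then take a second one:
# the result should match the pause period you selected.
function Get-PauseDeltaMinutes {
    param($Before, $After)
    [math]::Round(($After.NextRunTime - $Before.NextRunTime).TotalMinutes)
}

$before = Get-ConfigRefreshStatus
$before | Format-Table -AutoSize
```

If the task's State shows as Disabled or NextRunTime is empty, the refresh is not going to run on its own; that is also what you would expect to see while a pause is in effect and after the device has had no successful sync since Config Refresh was assigned.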
Conclusion
Config Refresh empowers you to maintain consistent policy compliance on your organization's devices. By understanding its functionality and leveraging it strategically, you can enhance device security and ensure adherence to your policies, even when devices are offline for extended periods.