With the latest Windows update cycle, Microsoft has introduced a valuable enhancement called Config Refresh. With this new setting, we can more easily keep devices clean and secure. Config Refresh is designed to keep our devices up to date and running smoothly and to improve the overall user experience. Most importantly, it helps us keep our devices secure.

What is Config Refresh

Intune Config Refresh is a powerful capability that mitigates the impact of malicious or accidental changes by reapplying previously received policy settings on a fixed cadence. Here are the key takeaways:

  • We can configure a fixed cadence for refreshing Settings Catalog configurations. When this feature is enabled, Intune automatically re-enforces policies on devices at regular intervals, so policy changes are consistently applied across our managed devices. The interval can be set between 30 and 1440 minutes. Our preferred setting is explained later in this blog.
  • It can be paused with a remote action. If an admin needs to make changes on a specific device, the feature can be paused for a chosen period of 0-1440 minutes.

Use cases

We, as engineers, are responsible for managing Windows devices across our organization. We have implemented security policies through Intune to enforce settings related to BitLocker encryption, Windows Defender, and OneDrive settings. However, we could encounter a few challenges:

  • Dynamic Environment: Our organization is dynamic, with devices being added, removed, or replaced regularly. New laptops are deployed, and old ones are retired. Ensuring consistent security settings across all devices becomes crucial.
  • User-Driven Changes: Occasionally, users make changes to their device settings. For instance, someone might disable BitLocker, modify OneDrive settings, or turn off Windows Defender. These changes compromise the security posture.
  • Malicious Activity: It is essential to detect and reset such changes promptly when malicious actors gain access to a device and tamper with security settings.

Implement Config Refresh

To implement Config Refresh, we have to create a Settings Catalog policy. Go to the Intune portal, Devices | Windows | Configuration profiles, and click + Create Policy.

Config Refresh

Give the policy a name, click Next to add a setting, and search for Config Refresh. Now, two settings will be found that we need to use.

Click both and fill in the correct settings. In our environment, we like to set it to 60 minutes. I will explain why in the upcoming chapters.

What happens on the device

When the policy arrives on the device, a couple of things happen that we can observe. A registry key is created under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\<Intune policy provider GUID>\ConfigRefresh.

A scheduled task is created that runs every X minutes, where X is the refresh cadence we set in the policy.
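The following PowerShell script is an added example (not code from the original post) that locates the ConfigRefresh key described above on a device and lists the scheduled tasks that belong to the same enrollment GUID, so the refresh task can be matched against the cadence configured in the policy. It assumes the key path the post gives, and that the enrollment's tasks live under the Task Scheduler folder \Microsoft\Windows\EnterpriseMgmt\<GUID>\, which is where MDM enrollment tasks are normally created; the value names and the task name are not stated on the page, so the script dumps them generically rather than depending on them. Run it in an elevated PowerShell session.

```powershell
# Added example: inspect the Config Refresh registry key and enrollment tasks.
# Assumptions (not from the post): MDM enrollment tasks sit under
# \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\ in Task Scheduler.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

# Find every enrollment that carries a ConfigRefresh subkey
$refreshKeys = Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.PSPath 'ConfigRefresh' } |
    Where-Object { Test-Path $_ }

if (-not $refreshKeys) {
    Write-Warning 'No ConfigRefresh key found; the policy has not reached this device yet.'
    return
}

foreach ($key in $refreshKeys) {
    # The parent key of ConfigRefresh is the enrollment GUID
    $guid = Split-Path (Split-Path $key -Parent) -Leaf
    Write-Host "Enrollment $guid"

    # Dump whatever values Intune wrote (cadence, state) without assuming their names
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List

    # Show the tasks of this enrollment with their repetition interval and last run,
    # so the refresh task can be identified by the cadence set in the policy
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$guid\" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName = $_.TaskName
                State    = $_.State
                Interval = ($_.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
            }
        } | Format-Table -AutoSize
}
```

The Interval column is an ISO 8601 duration (for a 60-minute cadence you would expect PT1H), which makes it easy to confirm the device received the cadence you configured.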

If we want to see a little more about what is happening, we can go to Rudy’s blogpost

Which policies does it target?

There is no published list of the policies that will be refreshed. We can only see that it targets the policies received from Intune and stored under the PolicyManager current key.

The registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current is a critical component in the Windows operating system, particularly for devices managed through Intune. This registry key is part of the policy configuration framework and stores the policy settings applied to Windows devices.

When a policy is configured in the Intune admin portal and assigned to users or devices, it is eventually received by the device and stored under this registry path. The settings here reflect the most recent policies that have been processed and applied by the device’s MDM client.

The current subkey under PolicyManager typically contains a variety of settings related to device configuration, such as security settings, user preferences, and other controls managed by the organization’s Intune environment. These settings are structured so that the Configuration Service Providers (CSPs) can easily access and enforce them on the device.

For IT administrators, this registry path is often accessed for troubleshooting. It provides a clear view of the policies that have been applied to the device, which is essential when diagnosing issues related to device configuration and policy enforcement.

Config refresh in action

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\, we can find the current settings provided by Intune and admins about how OneDrive should be configured, in this case connected to just one tenant in the allow list.

Now, if someone changes this value via the registry or in any other way, data could be pushed to an unknown tenant or pulled from that tenant.

After 60 minutes, the scheduled task runs, and within seconds the key is overwritten with the Intune-provided setting, even when the device is offline.
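To see this restoration for ourselves, and to spot drift before the next refresh, the following PowerShell script is an added example (not code from the original post). It snapshots the setting values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device, saves them as a baseline, and on the next run reports which values were added, removed or modified. The -Area filter and the baseline file name are my own (hypothetical) conventions; the exact subkey names under current\device vary per CSP and are not listed on the page, so the filter is just a wildcard match on the key path. It assumes the _ProviderSet and _WinningProvider suffixes that PolicyManager uses for its per-setting metadata values.

```powershell
# Added example: detect drift in PolicyManager\current\device and confirm
# that Config Refresh restored the values after the cadence has elapsed.
function Get-PolicyManagerSnapshot {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device',
        [string]$Area = '*'    # hypothetical filter, e.g. '*OneDrive*' to restrict to one CSP area
    )
    $snapshot = @{}
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $Area } |
        ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                # Keep the actual setting values; skip PolicyManager's per-setting metadata
                if ($valueName -notlike '*_ProviderSet' -and $valueName -notlike '*_WinningProvider') {
                    # Values are stringified so they can be saved as JSON and compared later
                    $snapshot["$($key.Name)\$valueName"] = [string]$key.GetValue($valueName)
                }
            }
        }
    return $snapshot
}

function Compare-PolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $old = $Before[$n]
        $new = $After[$n]
        if ($old -ne $new) {
            if ($null -eq $old)     { $change = 'Added' }
            elseif ($null -eq $new) { $change = 'Removed' }
            else                    { $change = 'Modified' }
            [pscustomobject]@{ Value = $n; Before = $old; After = $new; Change = $change }
        }
    }
}

# Usage: the first run writes a baseline; later runs (for example after a
# change and again after the 60-minute cadence) report the differences.
$baselinePath = Join-Path $env:ProgramData 'PolicyManager-baseline.json'   # hypothetical location
$current = Get-PolicyManagerSnapshot -Area '*OneDrive*'

if (Test-Path $baselinePath) {
    $baseline = @{}
    (Get-Content -Path $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $drift = Compare-PolicySnapshot -Before $baseline -After $current
    if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'No drift since baseline.' }
} else {
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath ($($current.Count) values)."
}
```

Running it once right after a tampered value shows the value as Modified; running it again after the scheduled task has fired should report no drift, which is the observable proof that Config Refresh did its job.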

Pausing Config Refresh

Pausing Intune Configuration Refresh serves several important purposes for IT administrators managing devices through Microsoft Intune:

  • Troubleshooting and Testing:
    • When we encounter issues related to policy application or need to test changes, pausing configuration refresh lets us stop Config Refresh temporarily.
    • This gives us time to investigate and address any issues without the risk of overwriting policies.
  • Avoiding Immediate Changes:
    • Configuration refresh ensures that devices consistently apply policy settings.
  • Selective Updates:
    • Sometimes, we want to update specific policies without affecting others.
    • Pausing refresh lets you selectively apply changes to specific policies while keeping others intact.

How to pause Config Refresh

When we need to pause it on a device, go to Intune, Devices | Windows, and click on the device. Click on the three dots and choose Pause config refresh.

A new popup comes up with the following text:

Once enabled, config refresh will reinforce the configuration previously received from Intune. You can pause this refresh to perform maintenance or troubleshooting for a specified period of time. Once the time period expires, config refresh will resume.

Now fill in how long it should stay paused; this can be set to 0-1440 minutes.

Conclusion

Intune Config Refresh is a great new feature in Microsoft’s Intune portal that ensures devices are consistently kept at the latest policy settings. It allows administrators to set a fixed cadence for refreshing Settings Catalog configurations, and it can be paused for maintenance or troubleshooting. Whether settings drift because of malicious activity or because users change them, Config Refresh will keep our devices healthier.