What is Config Refresh

Config Refresh is a feature within Microsoft Intune that allows administrators to set a regular interval—ranging from 30 to 1,440 minutes—for reapplying previously deployed policy settings on Windows devices. This proactive approach ensures that devices adhere to organizational policies, even if configurations are altered. Config Refresh operates offline, enabling devices to reapply settings without needing to check in with Intune. Administrators can pause the refresh process for troubleshooting purposes, with automatic resumption after a specified period.

Prerequisites

Before implementing Config Refresh, ensure the following:

· Devices must be running Windows 11, version 23H2, or version 22H2 with the June 2024 security update installed (or later).

· A Microsoft Intune Plan 1 license is required. This plan is included in subscriptions such as Microsoft 365 E3, E5, F1, F3, Enterprise Mobility + Security E3 and E5, and Business Premium plans.

Configuring Config Refresh in Intune

· Navigate to the Microsoft Intune admin center.

· Create a Configuration Profile

· Go to Devices > Configuration profiles > Create profile.

· Select Windows 10 and later as the platform and Settings catalog as the profile type.

· Search for ‘Config Refresh’ in the settings catalog.

· Enable Config Refresh and set the desired Refresh cadence (default is 90 minutes; allowed values range from 30 to 1,440 minutes).

· Deploy the profile to the appropriate device groups.

Verifying Config Refresh on Devices

· After deployment, navigate to the registry key below to confirm the settings.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\<Enrollment-ID>\ConfigRefresh

· Check Task Scheduler > Microsoft > Windows > EnterpriseMgmtNonCritical for a task named ConfigRefreshTask, reflecting the configured refresh interval.
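Both checks above can be run as one read-only script from an elevated PowerShell session on the device. This is an added example, not part of the original post; it assumes the task may sit in a subfolder of the path given above (hence the wildcard) and that the refresh cadence appears as the trigger's repetition interval.

```powershell
# Added example: read-only verification of Config Refresh on a managed device.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
# Assumption: the wildcard also matches the task if it lives in a subfolder.
$taskPath   = '\Microsoft\Windows\EnterpriseMgmtNonCritical\*'
$taskName   = 'ConfigRefreshTask'

# 1. Registry: list every enrollment that has a ConfigRefresh subkey.
$found = foreach ($enroll in Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue) {
    $key = Join-Path $enroll.PSPath 'ConfigRefresh'
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        "Enrollment $($enroll.PSChildName)"
        # Dump whatever values exist; no value names are assumed here.
        foreach ($name in $item.GetValueNames()) {
            "  {0} = {1}" -f $name, $item.GetValue($name)
        }
    }
}
if ($found) { $found }
else { Write-Warning 'No ConfigRefresh key under any enrollment: profile not applied.' }

# 2. Scheduled task: confirm it exists, is not disabled, and repeats in range.
$tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $tasks) { Write-Warning "$taskName not found under $taskPath" }

foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    foreach ($trigger in $task.Triggers) {
        $iso = $trigger.Repetition.Interval      # ISO 8601 duration, e.g. PT90M
        if (-not $iso) { continue }              # trigger without repetition
        $minutes = [System.Xml.XmlConvert]::ToTimeSpan($iso).TotalMinutes
        [pscustomobject]@{
            TaskPath        = $task.TaskPath
            State           = $task.State
            IntervalMinutes = $minutes
            # 30 to 1,440 minutes is the allowed cadence range.
            InRange         = ($minutes -ge 30 -and $minutes -le 1440)
            LastRunTime     = $info.LastRunTime
            LastTaskResult  = $info.LastTaskResult
        }
    }
}
```

A missing key, a task in the Disabled state, or an interval that differs from the deployed cadence is worth investigating as drift or tampering on that device.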

Pausing Config Refresh (For troubleshooting or maintenance)

· In the Intune admin center, select the target device and choose ‘Pause Config Refresh’.

· Specify the duration (0 to 1,440 minutes).

· To manually resume, set the pause duration to 0 minutes.

Considerations

Config Refresh primarily reinforces settings managed by the Policy Configuration Service Provider (CSP). Policies outside this scope, such as Firewall and AppLocker configurations, aren’t affected.

Ensure all devices and users have the necessary Intune licenses. For detailed licensing information, refer to Microsoft’s official documentation.

Final Thoughts

By implementing Config Refresh, organizations can maintain consistent device configurations, enhancing security and compliance across their Windows 11 deployments.
