Config Refresh is a feature in Microsoft Intune that helps minimize security policy drift on Windows 11 devices managed through Mobile Device Management (MDM). If policies are accidentally modified or altered, Config Refresh automatically detects the changes and restores the policies to their intended state.
This ensures that devices remain compliant with IT security standards, reducing risks and maintaining consistency across the managed environment. Microsoft Intune offers several tools to manage Windows security and improve user experience. For example, Conditional Access and Device Compliance ensure that only secure devices can access your apps and resources.
With Endpoint Privilege Management, IT admins can allow standard users to perform specific tasks, like installing approved software, without giving them full admin rights. The Settings Catalog is regularly updated with new options to configure Windows devices more effectively.
A new feature called Config Refresh helps maintain compliance by automatically fixing security policies if they are accidentally changed or altered. This post explains how Config Refresh minimizes security policy drift on Windows 11 devices managed through Intune MDM.
Config Refresh Minimize Security Policy Drift on Windows 11
IT administrators can simplify the user experience by removing unnecessary features, such as widgets, on employee devices. This can be achieved by configuring the Intune Widget policy to turn off widgets, giving users a more focused and efficient workspace.
- Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
- Once logged in, navigate to the “Devices” section on the left side of the Intune admin center.
- Under “Devices,” select “Configuration profiles.”
- On the configuration page, you will find a set of menus, including options like Widget.
Configuration Settings | Setting Options |
---|---|
Widgets | 1. Allow Widget 2. Not Allowed |

Widget Successfully Disabled
As shown here, the widget has been successfully turned off. The screenshot below provides more details.

Re-enabling Widgets via Registry for Admin Users
Users with admin rights can change the device registry to turn the widgets back on. To do this, they must enter 1 as the value data, set the base to Hexadecimal, and click OK.

Widget Enabled – Non-Compliant with Company Policy
You can now see and use the widget, but this action does not follow company policy.

Config Refresh uses a scheduled task that runs every 90 minutes by default to reset IT admin policy settings. It can be set to run as often as every 30 minutes and works even when the device is offline without needing to connect to the server. After Config Refresh runs, the widget setting is reset to “disable” as the IT admin intended, making it unusable again.

The registry will also show the correct configuration after Config Refresh runs. This feature can be enabled in Intune and is available on Windows 11 devices.
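A read-only check for the drift described above, as an added example that is not part of the original post: it compares the local policy value with the baseline and reports how long a change could persist before the next Config Refresh run. The registry path and value name are assumptions (the documented Group Policy mapping for the Widgets policy, which the post does not name), and `Get-PolicyDrift` and `$Baseline` are hypothetical names.

```powershell
# Added example: read-only drift check for an MDM-managed policy value.
# ASSUMPTION: Path/ValueName are the documented Group Policy mapping for the
# Widgets policy; the post does not name the key, so verify it on a test device.
$Baseline = @(
    [pscustomobject]@{
        Setting   = 'Widgets'
        Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Dsh'
        ValueName = 'AllowNewsAndInterests'
        Expected  = 0   # 0 = Not Allowed, matching the Intune profile above
    }
)

function Get-PolicyDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        # 90 minutes is the default cadence; 30 is the shortest the post gives
        [ValidateScript({ $_ -ge 30 })] [int] $CadenceMinutes = 90
    )
    foreach ($item in $Baseline) {
        $actual = $null
        try {
            $actual = Get-ItemPropertyValue -Path $item.Path -Name $item.ValueName -ErrorAction Stop
        } catch {
            # Key or value missing: the policy is not present on this device
        }
        [pscustomobject]@{
            Setting            = $item.Setting
            Expected           = $item.Expected
            Actual             = if ($null -eq $actual) { '<missing>' } else { $actual }
            Drifted            = ($null -eq $actual) -or ($actual -ne $item.Expected)
            # Worst case: the change was made right after the last refresh
            MaxExposureMinutes = $CadenceMinutes
            CheckedAt          = (Get-Date).ToString('o')
        }
    }
}

# Report only the settings that no longer match the baseline
Get-PolicyDrift -Baseline $Baseline | Where-Object Drifted | Format-Table -AutoSize
```

Config Refresh corrects the value without leaving a record in this script's output, so run the check on a shorter interval than the cadence if the goal is to catch who is changing the setting.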

Author
Anoop C Nair has been a Microsoft MVP from 2015 onwards, for 10 consecutive years. He is a Workplace Solution Architect with 22+ years of experience in workplace technologies. He is also a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.