In this article, we will learn how to pause the Intune Config Refresh feature on a Windows device using the Microsoft Graph API. Config Refresh was one of the most requested improvements for mobile device management (MDM). I will also discuss what the Config Refresh feature is in this article.
The Config Refresh feature ensures that your settings remain as configured. I highly recommend deploying this feature, as Intune may not always redeploy the correct policies on its own. Therefore, we need a way for the device to verify that all its settings are present as intended.
The Pause Config Refresh feature in Microsoft Intune provides several advantages for administrators managing Windows devices. It allows admins to temporarily pause the automatic reapplication of policy settings, making troubleshooting easier.
If you need to perform maintenance without user interference, you can use the Pause Config Refresh feature in Intune. This feature gives IT teams the ability to halt policy enforcement for up to 24 hours, after which policies are automatically reapplied.
Know More About Microsoft Intune Config Refresh – Pause Intune Config Refresh Feature on Windows Device using Microsoft Graph API
The Intune Config Refresh feature in Microsoft Intune is a powerful option for Windows 11, starting with the May 2024 non-security update and the June 2024 security update. To enable Config Refresh, your PCs must be running Windows 11, version 23H2 or version 22H2, with the June 2024 security update installed (or later).
When you configure the Microsoft Intune Config Refresh feature, the device will regularly check in at frequent intervals. If any changes to the configuration settings are detected, Intune will automatically revert them to the intended state.
As per the Microsoft document, Config Refresh is designed to work with MDM policies managed by the Policy CSP. Some policies, notably the BitLocker CSP, will also adhere to Config Refresh enablement. Other policies outside of this scope include Firewall, AppLocker, PDE, and LAPS.

How to setup Microsoft Intune Config Refresh
Setting up Microsoft Intune Config Refresh is straightforward. I have already outlined the steps in my article, so feel free to explore it for a detailed guide. Keep in mind that while Config Refresh ensures compliance with previously downloaded configurations, it doesn’t actively check for new or updated policies from Intune.
Read More: Force the Re-Applying of Intune Policies using the Config Refresh Feature Improves Security of Windows Devices
Benefits of Pausing Config Refresh Feature in Microsoft Intune
The Pause Config Refresh feature in Microsoft Intune provides several benefits for Intune administrators, making device management significantly easier. Below, I have created a table outlining the major benefits of the Pause Config Refresh feature in Microsoft Intune.
Benefits | Description |
---|---|
Troubleshooting | Allows admins to temporarily pause the automatic reapplication of policy settings, making it easier to troubleshoot |
Controlled Policy Enforcement | Ensures that policies do not immediately override manual changes made for testing or remediation |
Flexibility in Device Management | Gives IT teams the ability to pause enforcement for up to 24 hours, after which policies are automatically reapplied |
Offline Functionality | Devices can retain previously applied policies even when disconnected from the Intune service, ensuring consistent configuration |
How to Pause the Microsoft Intune Config Refresh Feature
We have now covered the Microsoft Intune Config Refresh feature and the option to pause it. When you pause Config Refresh on a Windows device, Intune stops sending new policy updates to that device. Instead, it re-applies the policies last received during the previous check-in. This is helpful if you want to keep the current settings without making any new changes.
We already have an article that explains how to pause the Microsoft Intune Config Refresh feature using the GUI method. Kindly explore it to learn more.
Read More: Best way Intune to Stop Sending New Policy Updates to Windows Devices Pause Config Refresh Feature
Automate Process of Pausing the Intune Config Refresh Feature
Microsoft Graph, a RESTful web API, facilitates access to Microsoft Cloud service resources. It lets you access data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services through a single endpoint, including data from Microsoft 365, Windows, and Enterprise Mobility + Security.
We will use Microsoft Graph to automate the process of pausing the Intune Config Refresh feature on a Windows device. Using this method, you can pause the Intune Config Refresh feature on a Windows device without logging into the Intune portal.
To automate the process of pausing Intune Config Refresh on a Windows device, you will need its managedDeviceId. To obtain the managedDeviceId, follow the steps below.
- Sign in to the Graph Explorer with your credentials.
- Type the Request URL below, select the GET request method, and click Run query.
To call this Microsoft Graph API endpoint, you need one of the following permissions. Kindly make sure you have this permission before running the endpoint.
Permission Type | Permissions |
---|---|
Delegated Permissions (Work or School Account) | DeviceManagementManagedDevices.Read.All |
Delegated Permissions (Work or School Account) | DeviceManagementManagedDevices.ReadWrite.All |
https://graph.microsoft.com/beta/deviceManagement/manageddevices/?select=id,deviceName
The Response Preview panel will display the ID and name of each device. From there, select the managedDeviceId of the device on which you want to pause the Intune Config Refresh feature. The screenshot below gives more details.

We’re now ready to pause Intune Config Refresh on a Windows device. When you click Pause config refresh in the Intune portal, a new window opens asking you to enter the Time period to pause config refresh in minutes. The value must be between 0 and 1440 minutes. In this example, I will set the time period to pause config refresh to 60 minutes for testing.
You can use any of the HTTP request URLs listed below. You should use the POST API request method. I will use the first URL as an example. Replace managedDeviceId with your own ID.
POST /deviceManagement/managedDevices/{managedDeviceId}/pauseConfigurationRefresh
POST /deviceManagement/comanagedDevices/{managedDeviceId}/pauseConfigurationRefresh
POST /deviceManagement/deviceHealthScripts/{deviceHealthScriptId}/deviceRunStates/{deviceHealthScriptDeviceStateId}/managedDevice/pauseConfigurationRefresh
POST /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/deviceRunStates/{deviceManagementScriptDeviceStateId}/managedDevice/pauseConfigurationRefresh
POST /deviceManagement/deviceComplianceScripts/{deviceComplianceScriptId}/deviceRunStates/{deviceComplianceScriptDeviceStateId}/managedDevice/pauseConfigurationRefresh
POST /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/deviceRunStates/{deviceManagementScriptDeviceStateId}/managedDevice/users/{userId}/managedDevices/{managedDeviceId}/pauseConfigurationRefresh
POST /deviceManagement/deviceManagementScripts/{deviceManagementScriptId}/deviceRunStates/{deviceManagementScriptDeviceStateId}/managedDevice/detectedApps/{detectedAppId}/managedDevices/{managedDeviceId}/pauseConfigurationRefresh
Sign in to the Graph Explorer with your credentials. Click on Run query after typing the Request URL below.
https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}/microsoft.graph.pauseConfigurationRefresh
You should use the POST request method for the endpoint since you are sending data to the API. Change the request method from GET to POST and paste the JSON below into the request body.
{
"pauseTimePeriodInMinutes": 60
}
Verify the JSON inputs and click Run query to automate the process of pausing the Intune Config Refresh feature on a Windows device. Please note that one of the following permissions is required to call this API.
Permission type | Permissions (from least to most privileged) |
---|---|
Delegated (work or school account) | DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All |
Application | DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All |
Within seconds of clicking Run query, you will receive a success message with the text No Content – 204. There will be no output response available for review in the Response Preview panel.
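The two Graph Explorer steps above (look up the managedDeviceId, then POST the pause request) combined into one PowerShell function. This is an added example, not code from the original article; it assumes the Microsoft.Graph.Authentication module, and the function name, the device name LAB-PC-01 and the output fields are hypothetical. The scopes are the ones listed in the article's permission tables.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

function Suspend-IntuneConfigRefresh {   # hypothetical helper name, not a Graph SDK cmdlet
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        # The article gives 0-1440 minutes (24 hours) as the accepted range.
        [ValidateRange(0, 1440)] [int] $Minutes = 60
    )
    $base = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices'

    # Step 1: resolve the managedDeviceId. OData string literals escape ' by doubling it.
    $escaped = $DeviceName.Replace("'", "''")
    $filter  = [uri]::EscapeDataString("deviceName eq '$escaped'")
    $lookup  = Invoke-MgGraphRequest -Method GET `
        -Uri ($base + '?$select=id,deviceName,operatingSystem&$filter=' + $filter)
    $found = @($lookup.value)
    if ($found.Count -ne 1) {
        # Refuse to guess: pausing the wrong device leaves its settings unenforced.
        throw "Expected exactly one managed device named '$DeviceName', found $($found.Count)."
    }
    $device = $found[0]
    if ($device.operatingSystem -ne 'Windows') {
        Write-Warning "'$DeviceName' reports OS '$($device.operatingSystem)'; Config Refresh applies to Windows."
    }

    # Step 2: POST the pause request with the same JSON body the article uses.
    $body   = @{ pauseTimePeriodInMinutes = $Minutes } | ConvertTo-Json
    $target = "$($device.deviceName) ($($device.id))"
    if ($PSCmdlet.ShouldProcess($target, "Pause Config Refresh for $Minutes minutes")) {
        # Invoke-MgGraphRequest throws on a non-success HTTP status.
        Invoke-MgGraphRequest -Method POST -Uri "$base/$($device.id)/pauseConfigurationRefresh" `
            -Body $body -ContentType 'application/json' | Out-Null
        # Record for the change log. The resume time is an estimate, because the
        # action stays pending until the device picks it up.
        [pscustomobject]@{
            DeviceName        = $device.deviceName
            DeviceId          = $device.id
            PausedMinutes     = $Minutes
            RequestedUtc      = [datetime]::UtcNow
            ExpectedResumeUtc = [datetime]::UtcNow.AddMinutes($Minutes)
        }
    }
}

# Scopes taken from the article's permission tables.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.Read.All'
Suspend-IntuneConfigRefresh -DeviceName 'LAB-PC-01' -Minutes 60 -WhatIf   # constructed device name
```

With -WhatIf the lookup still runs but the POST is skipped, so you can confirm which device would be paused before removing the switch.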

NOTE! Once enabled, config refresh will reinforce configuration previously received from Intune. You can pause this refresh to perform maintenance or troubleshooting for a specified period of time. Once the time period expires, config refresh will resume.
You will see this action being set to pending in the device action status. It may take some time to replicate the changes. The screenshot below gives more details.

End-User Experience
On the backend, the scheduled task trigger is postponed for 60 minutes. A new scheduled task is created with custom triggers; these are the triggers from the pause action. Now let’s check the scheduled task it created. You can find it under \Microsoft\Windows\EnterpriseMgmtNonCritical\.

You cannot cancel the Pause. You have to wait 60 minutes. After those 60 minutes, everything will revert back to the original. The task scheduler will be back to normal after 60 minutes.
I trust that this article will significantly benefit you and your organization. I appreciate your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over 11 years of experience in SCCM device management and Automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, DevOps and PowerShell automation.