In this article, I will explore the best way to force the re-applying of Intune policies using the Config Refresh feature, explain how to enable it, and deploy the configuration profile to a security group. We will use Intune's Configuration Profiles to apply this policy.
The Configuration Profiles allow you to create and deploy these types of settings to devices and users in your organization and enforce policies across different platforms, including Windows, macOS, iOS/iPadOS, and Android.
This article will help you learn what Microsoft Intune Config Refresh settings are and how they work on Intune devices. At the end of this post, you will learn how to deploy and monitor Configuration Profiles in Intune using reports and event logs.
Intune Config Refresh was the top requested improvement for mobile device management (MDM). With these new settings, you can keep your Windows 11 devices up to date and running smoothly, enhancing the overall user experience. Let's explore and learn more about the Intune Config Refresh feature.
What is Microsoft Intune Config Refresh
The Intune Config Refresh feature in Microsoft Intune is a powerful option for Windows 11, starting with the May 2024 non-security update and the June 2024 security update. It helps improve security and compliance for Windows 11 PCs. To enable Config Refresh, your PCs must be running Windows 11, version 23H2 or version 22H2, with the June 2024 security update installed (or later).
As you may be aware, the Group Policy undergoes a refresh process every 90 minutes, while the MDM policy refreshes occur every eight hours. However, by utilizing the Microsoft Intune Config Refresh feature, you can customize the policy refresh interval, setting it to as short as 30 minutes or as long as 24 hours. This helps you keep the policies up to date. Also, you can pause Config Refresh for troubleshooting purposes with an automatic resume after 24 hours.
According to Microsoft's documentation, Config Refresh is designed to work with MDM policies managed by the Policy CSP. Some policies, notably the BitLocker CSP, will also adhere to Config Refresh enablement. Policies outside of this scope include Firewall, AppLocker, PDE, and LAPS.
Intune Config Refresh vs. Policy Sync
Should I still run Policy Sync if Config Refresh is already active? Many readers have already considered this question. Well, the answer is YES!
NOTE! While Config Refresh ensures compliance with previously downloaded configurations, it doesn't actively check for new or updated policies from Intune.
Policy Sync is still essential; it is always a prerequisite for Config Refresh to work. The table below contrasts Policy Sync and Config Refresh.
| Config Refresh | Policy Sync |
|---|---|
| Enforces critical security settings such as encryption or password complexity | Devices check in with Intune at pre-defined intervals |
| The task checks locally, at a much more frequent interval, for deviations from the configuration previously downloaded from Intune | When you sync policy, the device retrieves any new or updated policies |
| Ensures consistent configurations across your device fleet to prevent unintentional or unauthorized modifications | Ensures policies are applied eventually |
Enable Microsoft Intune Config Refresh Feature
By now you have learned enough about Intune Config Refresh. Let's see how to set it up and define the frequency of the refresh operation.
- Sign in to the Microsoft Intune Admin Portal with your credentials.
- Select Devices > Windows > Configuration Profiles > Create > New Policy.
A new window opens when you click Create and then New Policy. In Platform, select Windows 10 and later; for Profile Type, select Settings Catalog; then click Create.
| Setting | Value |
|---|---|
| Platform | Windows 10 and later |
| Profile Type | Settings Catalog |
On the Basics tab, add the Name and Description of the policy. The name of the policy must be unique, and it should follow your organization's naming standards (that is just my suggestion).
When you click Next, you will be taken to the Configuration Settings section, where you will define the policy settings.
- In the Configuration Settings section, under Settings Catalog, click Add Settings.
- You will see a Settings picker tab when you click on Add Settings.
- Search for Config Refresh.
Select both the Config refresh and Refresh cadence settings. The cadence setting defines how often the refresh operation runs. The default is 90 minutes; allowed values are from 30 to 1440 minutes.
Click Next to display the Scope tags page. Add the Scope tags if you wish and click Next to assign the policy to computers. I will deploy it to the HTMD – Test Computers Group.
Read more: Intune Scope Tags Implementation Guide
Before creating the policy, carefully review all the settings you have defined on the "Review + Create" page. When you are ready, select "Create" to implement the changes.
Monitor Configuration Profile Deployment in Microsoft Intune
Let’s see how we can monitor the deployment and installation status from the Intune portal. The Configuration Profile is deployed to Microsoft Entra groups. To monitor the Intune policy assignment, follow these steps:
- Navigate to the list of Configuration Profiles and select the policy you targeted.
- Check the device and user check-in status from here.
- If you click “View Report,” you can see additional details.
Registry Path to Verify the Config Refresh Deployment
According to the report above, the Config Refresh feature is enabled on my test devices. You can also verify whether Config Refresh is enabled in the registry, under the following path (the enrollment GUID differs per device):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\<Intune Policy Provider GUID>\ConfigRefresh
You should ensure that the Cadence and Enabled values in the registry are correct. In this example, the Enabled value should be set to True (1), and the Cadence value should be set to 30.
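The registry check above can be scripted so it can run on every enrolled device rather than being read by hand. The following PowerShell function is an added example, not code from the article or from Microsoft: it walks every enrollment GUID under the Enrollments key, looks for the ConfigRefresh subkey the article names, and reports whether the Enabled and Cadence values match what the deployed profile should have set (30 minutes in the article's example). The function name and the expected-cadence parameter are my own choices.

```powershell
# Added example (not from the article): verify the ConfigRefresh registry values
# under each MDM enrollment. Run in an elevated PowerShell session on the device.
function Get-ConfigRefreshState {
    [CmdletBinding()]
    param(
        # Cadence in minutes expected from the deployed Settings Catalog profile.
        # The article's example profile sets 30; the allowed range is 30-1440.
        [ValidateRange(30, 1440)]
        [int]$ExpectedCadence = 30
    )

    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $results    = @()

    # Each subkey under Enrollments is an enrollment GUID. Only the Intune policy
    # provider enrollment is expected to carry a ConfigRefresh subkey.
    foreach ($enrollment in (Get-ChildItem -Path $enrollRoot -ErrorAction Stop)) {
        $crPath = Join-Path -Path $enrollment.PSPath -ChildPath 'ConfigRefresh'
        if (-not (Test-Path -Path $crPath)) { continue }

        $props   = Get-ItemProperty -Path $crPath
        # Missing values cast to 0, which is reported as a mismatch rather than an error.
        $enabled = [int]$props.Enabled
        $cadence = [int]$props.Cadence

        $results += [pscustomobject]@{
            EnrollmentId = $enrollment.PSChildName
            Enabled      = ($enabled -eq 1)
            Cadence      = $cadence
            Status       = if ($enabled -eq 1 -and $cadence -eq $ExpectedCadence) { 'OK' } else { 'MISMATCH' }
        }
    }

    if ($results.Count -eq 0) {
        Write-Warning "No ConfigRefresh key found under $enrollRoot. The profile may not have applied yet, or the device may not be on a supported Windows 11 build."
    }
    return $results
}

Get-ConfigRefreshState -ExpectedCadence 30 | Format-Table -AutoSize
```

A row with Status MISMATCH means the device reached the registry stage but with a different cadence than the profile defines (for example, a second profile with a conflicting value), which is worth cross-checking against the per-setting report in the Intune portal. No rows at all means the profile has not landed yet, so trigger a Policy Sync first.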
Check Task Scheduler to Verify the Config Refresh Deployment
When you enable Config Refresh, Windows creates a scheduled task in Task Scheduler that is responsible for executing the Config Refresh feature. The scheduled task is created under the path below.
Task Scheduler location: Microsoft\Windows\EnterpriseMgmtNonCritical
The Triggers tab in Task Scheduler shows the cadence that is currently set, and the Actions tab shows the deviceenroller.exe command that is called to force the refresh.
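Rather than opening the Task Scheduler console on each device, the same check can be done with the ScheduledTasks module. The function below is an added example that is not part of the article: it lists every task in the EnterpriseMgmtNonCritical folder the article names, flags the ones whose action runs deviceenroller.exe, and reports the repetition interval, last run time and last result so you can confirm the task is actually firing at the configured cadence. The function name is my own; the folder path and the executable name come from the article.

```powershell
# Added example (not from the article): inspect the Config Refresh scheduled task(s)
# and report cadence and run history. Run in an elevated PowerShell session.
function Get-ConfigRefreshTask {
    [CmdletBinding()]
    param()

    # Task Scheduler folder named in the article. The trailing backslash is required
    # by Get-ScheduledTask -TaskPath.
    $taskPath = '\Microsoft\Windows\EnterpriseMgmtNonCritical\'
    $tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue
    if (-not $tasks) {
        Write-Warning "No tasks found under $taskPath. Config Refresh may not be enabled on this device."
        return
    }

    foreach ($task in $tasks) {
        $info = $task | Get-ScheduledTaskInfo

        # Repetition.Interval is an ISO 8601 duration, e.g. PT30M for a 30-minute cadence.
        $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
        $actions   = @($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })

        [pscustomobject]@{
            TaskName       = $task.TaskName
            State          = $task.State
            IsConfigRefresh = [bool]($actions -match 'deviceenroller\.exe')
            Interval       = ($intervals -join ', ')
            Action         = ($actions -join '; ')
            LastRunTime    = $info.LastRunTime
            # Task results are HRESULT-style codes; 0x00000000 is success.
            LastTaskResult = ('0x{0:X8}' -f [uint32]$info.LastTaskResult)
            NextRunTime    = $info.NextRunTime
        }
    }
}

Get-ConfigRefreshTask | Where-Object IsConfigRefresh | Format-List
```

If the task exists but LastRunTime never advances, or LastTaskResult is non-zero, the device is not enforcing the downloaded configuration even though the registry values look right, so check the task's State (a disabled task will show as Disabled) before assuming the Intune report is wrong.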
I hope this article is a valuable resource for you and your organization. Thank you for reading this post. I look forward to seeing you in the next one. Keep supporting the HTMD Community.
Author
About the Author – Sujin Nelladath has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.