Enable/Pause Config Refresh via Intune

Config Refresh is a useful new setting available on Windows 11 22H2 (June 2024 security update or later) and Windows 11 23H2. It allows you to configure the Refresh Interval for re-applying previously received Intune configuration policies on the device.

This means that, at regular intervals (as per the refresh cadence value), Intune will re-apply all the configuration policies the device received during its previous check-in.

For example, suppose you’ve created a device configuration profile to set a desktop wallpaper on a Windows device. The wallpaper is successfully applied according to the configuration profile.

Now, if a user with the necessary permissions updates the wallpaper and changes it to something different from what you applied via the Intune device configuration profile, this change is referred to as Configuration drift.

Normally, MDM configuration sync runs every 8 hours, updating the wallpaper back to the one configured in the device configuration profile. This resolves the issue.

However, 8 hours is a long time for a device to remain without the standard configuration applied by Intune. To address this, Microsoft introduced two new policy settings: Config Refresh and Refresh Cadence. With these settings, you can now configure the policy refresh interval to be as short as 30 minutes or as long as 24 hours (1,440 minutes). The default value is 90 minutes, which matches the Active Directory Group Policy refresh interval of 90 minutes.

Please note that since the policy refresh uses the previously downloaded configuration policies on the Intune-managed device, no connectivity to the MDM server or Intune is required. The device can refresh the policies even if it is offline and not connected to the Internet.

The policies that Config Refresh supports are listed below:

  • MDM policies using Policy CSP
  • BitLocker CSP
  • Firewall policy settings
  • AppLocker settings
  • PDE (Personal Data Encryption) settings
  • Windows LAPS

Policy Sync vs. Config Refresh

Policy Sync is not the same as Config Refresh. Intune device check-in and policy sync will still occur even if Config Refresh is enabled. Policy Sync brings new and updated policies to the device, whereas Config Refresh applies the previously downloaded configuration policies to prevent any configuration drift on the device.

Please find below a few points comparing Policy Sync and Config Refresh:

  • Policy Sync: You can initiate an Intune sync manually or wait for it to happen automatically. When it happens, the device receives any pending actions or new/updated policies assigned to it.
    Config Refresh: Verifies whether the settings from the last device check-in/sync are still in place.
  • Policy Sync: Ensures that new and updated policies are downloaded to the device regularly.
    Config Refresh: Protects the device from configuration drift by ensuring that all policies are applied as configured via Intune.
  • Policy Sync: Usually occurs every 8 hours.
    Config Refresh: The refresh cadence can be set anywhere from 30 minutes to 1440 minutes (24 hours).
  • Policy Sync: Not applicable.
    Config Refresh: Can be paused for up to 24 hours.

Enable Config Refresh

To enable Config Refresh on Windows 11 devices using the Intune admin center, follow the steps below:

  • Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
  • Platform: Windows 10 and later
  • Profile type: Settings catalog
  • Click Create to begin with the creation of the device configuration profile.
Select Platform as Windows 10 and later and Profile type as Settings catalog
  • On the Basics tab, provide a Name and Description of the policy and click Next.
  • On Configuration settings tab, click on + Add settings and use the Settings picker to search for Config Refresh settings and select Config Refresh and Refresh cadence.
Select Config Refresh and Refresh Cadence
  • Use the toggle switch to enable Config Refresh and provide a Refresh Cadence value.
    • When you enable Config Refresh, you are enabling periodic configuration refresh on target devices.
    • You can set the Refresh Cadence value anywhere from 30 minutes to 1440 minutes (24 hours). This means that the Config Refresh will occur according to the specified refresh cadence. In the screenshot below, I have set this value to 30 minutes, meaning that Config Refresh will occur on the target devices every 30 minutes.
Enable Config refresh and Provide a value of Refresh cadence
  • On the Scope tags tab, click Next.
  • On the Assignments tab, click Add groups to select an Entra security group containing Windows 11 devices.
Assign this device configuration profile on Windows devices
  • Click Create on Review + create tab to create the Device configuration profile.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
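One way to force the check-in from PowerShell, as an added example that is not part of the original post: every MDM enrollment has a PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\, and starting that task triggers a sync with the MDM server. The task name and folder are standard for Intune enrollments; the script assumes an elevated session on an enrolled device.

```powershell
# Added example (not from the original post): trigger an Intune/MDM device
# check-in by starting the enrollment's PushLaunch scheduled task.
# Assumes: device is MDM-enrolled and PowerShell runs elevated.

function Start-IntuneSync {
    [CmdletBinding()]
    param()

    # Each enrollment gets its own folder under EnterpriseMgmt; the PushLaunch
    # task inside it starts the check-in with the MDM server.
    $tasks = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }

    if (-not $tasks) {
        Write-Warning 'No PushLaunch task found. Is this device MDM-enrolled?'
        return
    }

    foreach ($task in $tasks) {
        Write-Host "Starting sync via $($task.TaskPath)$($task.TaskName)"
        Start-ScheduledTask -InputObject $task

        # Give the task a few seconds, then report its last run so you can tell
        # whether the trigger was accepted (0x0 = success).
        Start-Sleep -Seconds 5
        $info = Get-ScheduledTaskInfo -InputObject $task
        Write-Host ("Last run: {0}  Result: 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult)
    }
}

Start-IntuneSync
```

Run it, then watch for the device's "Last check-in" time to update in the Intune admin center. Restarting the device, as the post notes, achieves the same thing without scripting.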


Verify Config Refresh Settings on Windows Device

After this policy has been applied on the target device, you can sign in to one of the PCs and open the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\<Policy ID>\ConfigRefresh. You can find the Policy ID by opening the device configuration profile in the Intune admin center and reading the GUID of the policy from the browser address bar.

Verify Config Refresh settings on Windows Device

It will also create a scheduled task (in Task Scheduler) under the node Microsoft/Windows/EnterpriseMgmtNonCritical, named "Schedule created by dm client to refresh settings". This task executes %windir%\system32\deviceenroller.exe with /Config Refresh /o <Policy ID>.

If you want to test Config Refresh, you can simply right-click the scheduled task and click Run to check that it is working.
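The registry and Task Scheduler checks above, collected into one script as an added example (not code from the original post). The registry path and the task folder are the ones named above; the script walks every subkey under Enrollments so you do not need the Policy ID in advance, and because the individual value names under ConfigRefresh (for example Enabled and Cadence) are an assumption, it dumps whatever values it finds rather than hard-coding them. The -RunNow switch starts the task, the same as right-clicking it and choosing Run.

```powershell
# Added example (not from the original post): report the Config Refresh state
# that Intune wrote to the device, and optionally start the refresh task.
# Assumes: elevated PowerShell on a Windows 11 device targeted by the policy.
# Value names under ConfigRefresh (Enabled, Cadence, ...) are an assumption,
# so every value in the key is listed instead of being hard-coded.

function Get-ConfigRefreshState {
    [CmdletBinding()]
    param(
        [switch]$RunNow   # start the refresh task after reporting
    )

    $result = [ordered]@{ Registry = @(); Task = $null }

    # 1. HKLM\SOFTWARE\Microsoft\Enrollments\<ID>\ConfigRefresh for each enrollment
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($enrollment in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $key = Join-Path $base "$($enrollment.PSChildName)\ConfigRefresh"
        if (-not (Test-Path $key)) { continue }

        $props = Get-ItemProperty -Path $key
        $result.Registry += [pscustomobject]@{
            Enrollment = $enrollment.PSChildName
            Values     = ($props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ', '
        }
    }

    # 2. The task the DM client creates under EnterpriseMgmtNonCritical
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmtNonCritical\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*refresh settings*' } |
        Select-Object -First 1

    if ($task) {
        $info = Get-ScheduledTaskInfo -InputObject $task
        $result.Task = [pscustomobject]@{
            Name       = $task.TaskName
            State      = $task.State
            Action     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
            LastResult = '0x{0:X}' -f $info.LastTaskResult
        }
        if ($RunNow) {
            Start-ScheduledTask -InputObject $task
            Write-Host "Started '$($task.TaskName)'; re-run without -RunNow to see the result."
        }
    } else {
        Write-Warning 'No Config Refresh task found; the policy may not have applied yet.'
    }

    [pscustomobject]$result
}

Get-ConfigRefreshState | Format-List
```

An empty Registry list together with a missing task is the same symptom the Troubleshooting section below describes, so this is a quick way to confirm whether the policy landed before digging into the event log.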

Pause Config Refresh

We have just enabled Config Refresh and set a refresh cadence of 30 minutes. This means that every 30 minutes, Intune will re-enforce previously applied settings on the device. You can pause this refresh using the Pause Config Refresh remote action. Supported values range from 0 minutes to 1440 minutes (24 hours). This is beneficial if you are troubleshooting issues and want to manually make changes on the device to check and confirm specific policy settings.

Pause Config Refresh via Intune admin center

Enter the Time period and click on Pause to pause config refresh on the device.

Provide pause config refresh value

Troubleshooting

You may find that you have created a device configuration profile to enable Config Refresh on a target device, but it still hasn't been applied, and there is no scheduled task or registry entry to be found. Several Event IDs are related to this issue:

  • Event ID 4205: Failed to set ConfigRefresh Enabled value to 1. HRESULT: The system cannot find the file specified.
  • Event ID 4208: Failed to enable ConfigRefresh task. HRESULT: The system cannot find the file specified.
  • Event ID 4209: Failed to set ConfigRefresh Cadence value to 30. HRESULT: The system cannot find the file specified.
  • Event ID 4211: Failed to set ConfigRefresh Cadence value to 30. HRESULT: The system cannot find the file specified.
Event ID 4205, 4208, 4209, 4211 - Config Refresh Failed
  • Please ensure that you are using Windows 11 22H2 (June 2024 security update or later) or Windows 11 23H2.
  • Try applying the same policy on a different device to check if it is applied successfully.
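To pull those four Event IDs from the device in one go, here is an added example (not from the original post). It queries the standard MDM diagnostics log, Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin; that these particular IDs are written there is an assumption, so widen the time window or drop the ID filter if nothing comes back. It also prints the OS version and build from the registry, which is the first prerequisite the post tells you to check.

```powershell
# Added example (not from the original post): list Config Refresh failure events
# and show the OS version/build so the Windows 11 22H2/23H2 prerequisite can be
# checked in the same breath.
# Assumption: the Event IDs from the post land in the MDM diagnostics Admin log.

function Get-ConfigRefreshEvents {
    [CmdletBinding()]
    param(
        [int[]]$EventId = @(4205, 4208, 4209, 4211),   # IDs listed in the post
        [int]$Hours = 24,
        [string]$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    )

    $filter = @{
        LogName   = $LogName
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports "no events found" as an error; silence it and return nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-WindowsBuildInfo {
    # DisplayVersion (e.g. 22H2), CurrentBuild and UBR live under CurrentVersion.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Edition        = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

Get-WindowsBuildInfo | Format-List

$events = Get-ConfigRefreshEvents
if (-not $events) {
    'No ConfigRefresh failure events (4205/4208/4209/4211) in the last 24 hours.'
} else {
    $events | Format-Table -AutoSize -Wrap
}
```

If the events are present on one device but the same profile applies cleanly to another, compare the Build values first; the "system cannot find the file specified" HRESULT in these events lines up with a device that does not yet have the update that ships the Config Refresh feature.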
