Windows 11: Config Refresh

Policies are used to configure Windows to make each device as usable and secure as possible, these settings are evaluated from time to time to make sure they are still in the required state. But what happens to a managed Windows setting which is manually changed by a user/administrator/bad actor and the computer goes offline? Well, the short answer is nothing as the device must have access to the internet to have the configuration profile re-applied. This is where config refresh comes into play as it will re-evaluate the current configuration and revert tampered settings back to the required state, even when the device is off the grid. 🤩

In this post we will learn how to get started with config refresh with a Windows Insider Release Preview build. Be warned: This new feature is nothing short of amazing!

Prerequisites

💡Config Refresh is currently only available in Windows 11 Insider builds.

Collect the Intune policy provider GUID

A Windows device could receive policies from different sources/providers. Each source has its own unique GUID making it somewhat easy for us admins to identify the source. Follow below steps to find your device unique GUID, we will use it later on to make sure config refresh has been configured as per our need.

1. Navigate to C:\ProgramData\Microsoft\DMClient on your Windows Insider device.
   • You will find a folder with a long name (GUID).
     
2. Save the GUID (name of the folder) to Notepad for later.
   • Note: Each of your devices will have a unique GUID.
3. Open Regedit and go to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
4. Now find the key which reflects the GUID we saved in step 2.
   
5. Expand the DMClient key.
   
6. This is where we will find ConfigRefresh after it has been configured by Intune.
7. Now, let’s configure config refresh to try it out!

Config Refresh: CSP

We can use either configuration service provider (CSP) or settings catalog to configure config refresh. Follow below steps to create a custom configuration profile (CSP) or scroll down to take the settings catalog approach instead.

Let’s start off by reading about the three available CSP’s (Enabled, Cadence and PausePeriod) which are documented by Microsoft here: DMClient CSP | Microsoft Learn

• Enabled: Enable or disable Config Refresh. The default setting is to have config refresh in a disabled state.
• Cadence: How often should config refresh check the settings? The default value is to have config refresh check each 90 min.
• PausePeriod: Use this only when needed. One example could be when first/second line operators needs to troubleshoot a device. Do not deploy this to all devices. The default setting is 0 as we normally do not want to pause config refresh once it has been rolled out unless we have a good reason.

1. Create a new custom configuration policy. Name it W11 – Insider – Config refresh – CSP (or similar).
2. Add a new row with below settings
   • Name: Enabled
   • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/Enabled
   • Data type: Boolean
   • Value: True
     
3. Add a second row with below settings
   • Name: Cadence
   • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/Cadence
   • Data type: Integer
   • Value: 30 (or as per your need)
     
4. Deploy the policy to your Windows Insider device(s).
   
5. 💡Notice how we are using MS%20DM%20Server instead of our unique GUID.

Config Refresh: Settings catalog

The CSP approach is good and all but the settings catalog is both faster and easier to get going with. The recommended way to configure config refresh is to use the settings catalog, so let’s go!

1. Create a new settings catalog profile, name it W11 – Insider – Config refresh – SC (or similar).
2. Add both settings found in Config Refresh as per below

Config refresh: Testing

OK, so now we have either created a custom configuration profile or use the settings catalog to configure config refresh. Let’s start testing our shiny new feature!

Now we should have a new key named ConfigRefresh with two values.

The magic is done by a new scheduled task found here: Task scheduler library -> Microsoft -> Windows -> EnterpriseMgmtNonCritical -> Intune policy provider GUID -> Schedule created by dm client to refresh settings

Notice how the schedule matches the config refresh cadence (30 min in our example).

We could easily test config refresh by removing a registry key or value from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current and then either wait for the task to run or trigger it manually.

In this test I am just going to remove the full content of the current hive (I know, scary right????) 😱… it will hopefully come back after the task has run…

let’s give it a spin…

the current key has been removed, let’s trigger the task manually.

and there it is again, puh!

But hey… that is cool and all but what if we find ourselves in a situation where config refresh is doing more harm than good? Well that is where third setting: PausePeriod comes to the rescue!

💡As for now CSP is the only approach I can find to configure the PausePeriod, settings catalog will hopefully support this in close future.

1. Edit the current CSP policy named: W11 – Insider – Config refresh – CSP (or the name you picked) or create a new one if you took the settings catalog approach earlier.
2. Add a second row with below settings
   • Name: PausePeriod
   • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/PausePeriod
   • Data type: Integer
   • Value: 60 (or as per your wish)
     
3. Save and make sure it is assigned to your insider device(s).

Now if we head over to the registry again we notice a new value PausePeriod.

What happens behind the curtains is very simple: the scheduled task trigger gets postponed the selected amount of minutes, in our case we set it to 60 minutes.

💡Notice the trigger is a one timer set 60 min (or almost, I did not time the print screen perfectly) in the future.

✅This will allow us to do changes to Windows settings without having config refresh reverting them back, during a fixed timeframe.

And of course when the 60 minute pause period is over, it will revert back to ordinary again… pretty neat!

Config refresh: Final thoughts

It seems config refresh successfully restored the full contents, keys and values which is great from an end user, administrator and security perspective!! 🤩This looks really promising and I can not wait to see it released outside of Insider builds.

So, this sums this post up. We have looked at how to get going with config refresh and I look forward to adding more details to this post as I learn more of this awesome feature!

Thanks for stopping by!