Windows 11: Config Refresh

Policies are used to configure Windows so that each device is as usable and secure as possible. For Intune-managed Windows devices, these settings are evaluated during check-in to make sure they are still in the desired state.

But what happens to settings that have been manipulated by a user, administrator or bad actor (configuration drift) while the computer is offline? The short answer is nothing, as the device must have internet access to check in with Intune. This is where config refresh comes into play: it re-evaluates the current configuration and reverts tampered settings to the required state, even when the device is off the grid.

In this post we will learn how to get started with config refresh using Microsoft Intune.

❗Be warned: This feature is nothing short of amazing!

Prerequisites

💡Config Refresh requires Windows 11, another reason to upgrade if you haven’t already.
💡Config Refresh is currently only available in Windows 11 Insider builds.
💡Config Refresh is GA!! Requires Windows 11 (2024-06) update.

Collect the Intune policy provider GUID

A Windows device can receive policies from different sources/providers. Each source has its own unique GUID, which makes it fairly easy for us admins to identify the source.

Follow the steps below to find your device's unique GUID; we will use it later to confirm that config refresh has been configured as intended.

  1. Navigate to C:\ProgramData\Microsoft\DMClient on your Windows Insider device.
    • You will find a folder with a long name (GUID).
  2. Save the GUID (name of the folder) to Notepad for later.
    • Note: Each of your devices will have a unique GUID.
  3. Open Regedit and go to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
  4. Now find the key which reflects the GUID we saved in step 2.
  5. Expand the DMClient key.
  6. This is where we will find ConfigRefresh after it has been configured by Intune.
  7. Now, let’s configure config refresh to try it out!
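The steps above can be scripted. The following PowerShell is an added example and is not code from the original post; it uses only the paths the post names (the DMClient folder and the Enrollments registry key) and reads whatever values exist under DMClient\ConfigRefresh, so it works both before and after Intune has pushed the policy. Run it in an elevated PowerShell session on the device.

```powershell
# Added example (not from the original post): enumerate Intune enrollment GUIDs on this device
# and read the ConfigRefresh values stored under each enrollment.
# Paths are the ones named in the post; run in an elevated PowerShell on the device.

$dmClientRoot = 'C:\ProgramData\Microsoft\DMClient'
$enrollRoot   = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

# Steps 1-2: the folder name under DMClient is the enrollment GUID.
$guidPattern = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
$guids = Get-ChildItem -Path $dmClientRoot -Directory -ErrorAction Stop |
         Where-Object { $_.Name -match $guidPattern } |
         Select-Object -ExpandProperty Name

if (-not $guids) {
    Write-Warning "No enrollment GUID folder found under $dmClientRoot"
    return
}

foreach ($guid in $guids) {
    # Steps 3-6: the matching registry key, then the DMClient\ConfigRefresh subkey.
    $refreshKey = Join-Path $enrollRoot "$guid\DMClient\ConfigRefresh"

    if (Test-Path $refreshKey) {
        $props = Get-ItemProperty -Path $refreshKey
        # List every value Intune has written (Enabled, Cadence and, once set, PausePeriod),
        # skipping the PS* properties PowerShell adds to the object.
        $values = $props.PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' } |
                  ForEach-Object { "$($_.Name)=$($_.Value)" }
        [PSCustomObject]@{
            EnrollmentGuid = $guid
            ConfigRefresh  = ($values -join '; ')
        }
    } else {
        [PSCustomObject]@{
            EnrollmentGuid = $guid
            ConfigRefresh  = '(ConfigRefresh key not present yet)'
        }
    }
}
```

Save the GUID the script prints; it is the folder/key name the later steps refer to, and the scheduled task that does the actual work lives under a folder with the same name.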

Use Intune to control Config Refresh

We can use either a custom configuration service provider (CSP) profile or the settings catalog to configure config refresh. Follow the steps below to create a custom configuration profile (CSP), or scroll down for the settings catalog approach instead.

Let's start by reading about the three available CSP nodes (Enabled, Cadence and PausePeriod), which are documented by Microsoft here: DMClient CSP | Microsoft Learn

  • Enabled: Enables or disables config refresh. By default config refresh is disabled.
  • Cadence: How often config refresh should check the settings. By default config refresh checks every 90 minutes.
  • PausePeriod: Use this only when needed, for example when first/second line operators need to troubleshoot a device. Do not deploy this to all devices. The default is 0, as we normally do not want to pause config refresh once it has been rolled out unless we have a good reason.

Config Refresh: CSP

❗Although the CSP approach still works, I recommend that you look into using the Settings Catalog to configure Config Refresh.

  1. Create a new custom configuration policy. Name it W11 – Config refresh – CSP (or similar).
  2. Add a new row with the settings below
    • Name: Enabled
    • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/Enabled
    • Data type: Boolean
    • Value: True
  3. Add a second row with the settings below
    • Name: Cadence
    • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/Cadence
    • Data type: Integer
    • Value: 30 (or as per your need)
  4. Deploy the policy to your Windows Insider device(s).
  5. 💡Notice how we are using MS%20DM%20Server instead of our unique GUID.

Config Refresh: Settings catalog

The CSP approach is good and all, but the settings catalog is both faster and easier to get going with. The recommended way to configure config refresh is to use the settings catalog.

The Config Refresh and settings catalog story has been slightly bumpy. Initially we had a scenario where disabling the control would actually enable it (see the screenshot below). But Microsoft did a great job of listening to the feedback from the community, and this has now been fixed.

We have also seen the description change from "Windows Insiders only" to "Coming soon" to FINALLY being GA!

  1. Create a new settings catalog profile, name it W11 – Config refresh – SC (or similar).
  2. Add both settings found under Config Refresh, as shown below.

Config refresh: Testing

OK, so now we have either created a custom configuration profile or used the settings catalog to configure config refresh. Let's start testing our shiny new feature!

Now we should have a new key named ConfigRefresh with two values.

The magic is done by a new scheduled task found here: Task Scheduler Library -> Microsoft -> Windows -> EnterpriseMgmtNonCritical -> (Intune policy provider GUID) -> Schedule created by dm client to refresh settings

Notice how the schedule matches the config refresh cadence (30 min in our example).

We can easily test config refresh by removing a registry key or value from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current and then either waiting for the task to run or triggering it manually.
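The test described above can be driven from PowerShell, with the step a practitioner would want first: a .reg backup of PolicyManager\current before anything is removed. The script below is an added example, not code from the original post. It assumes the task name and path given in the post, that the enrollment GUID is supplied in $EnrollmentGuid (placeholder), and that the task's repeating trigger exposes its cadence as an ISO 8601 interval (PT30M for 30 minutes); the deletion itself is left to you, at the marked step.

```powershell
# Added example (not from the original post): back up the PolicyManager\current hive,
# locate the Config Refresh scheduled task, trigger it and check that the policy values are back.
# $EnrollmentGuid is the folder/key name collected earlier; replace the placeholder.

param([string]$EnrollmentGuid = '<YOUR-ENROLLMENT-GUID>')

$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current'
$taskPath  = "\Microsoft\Windows\EnterpriseMgmtNonCritical\$EnrollmentGuid\"

function Get-PolicyValueCount {
    # Counts every registry value under PolicyManager\current (the key itself plus all subkeys).
    if (-not (Test-Path $policyKey)) { return 0 }
    $keys = @(Get-Item -Path $policyKey) +
            @(Get-ChildItem -Path $policyKey -Recurse -ErrorAction SilentlyContinue)
    ($keys | ForEach-Object { $_.ValueCount } | Measure-Object -Sum).Sum
}

# 1. Take a .reg backup before touching anything (reg.exe wants the HKLM\ form of the path).
$backup = Join-Path $env:TEMP "PolicyManager-current-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg.exe export 'HKLM\SOFTWARE\Microsoft\PolicyManager\current' $backup /y | Out-Null
Write-Host "Backup written to $backup"

$before = Get-PolicyValueCount
Write-Host "Values under PolicyManager\current before: $before"

# 2. Find the task the post names ("Schedule created by dm client to refresh settings").
$task = Get-ScheduledTask -TaskPath $taskPath -ErrorAction Stop |
        Where-Object { $_.TaskName -like 'Schedule created by dm client*' } |
        Select-Object -First 1
if (-not $task) { throw "Config Refresh task not found under $taskPath" }

# The repetition interval should match the Cadence you deployed (PT30M for the post's 30 minutes).
foreach ($trigger in $task.Triggers) {
    Write-Host "Trigger repeats every: $($trigger.Repetition.Interval)"
}

# 3. Simulate tampering here if you want to (e.g. remove a value under $policyKey, as the post does),
#    then trigger the task manually and wait for it to finish.
$task | Start-ScheduledTask
do {
    Start-Sleep -Seconds 2
    $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
} while ($state -eq 'Running')

# 4. Compare: after a refresh the value count should be back to (at least) what it was.
$after = Get-PolicyValueCount
Write-Host "Values under PolicyManager\current after: $after"
if ($after -ge $before) {
    Write-Host 'Policy values restored.'
} else {
    Write-Warning "Fewer values than before ($after < $before); check the task history and the backup at $backup."
}
```

The value count is a coarse check; for a precise diff, export the key again after the run and compare the two .reg files with your favourite diff tool.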

In this test I am just going to remove the full contents of the current hive (I know, scary, right????) 😱… it will hopefully come back after the task has run…

Let's give it a spin…

The current key has been removed; let's trigger the task manually.

And there it is again, phew!

But hey… that is cool and all, but what if we find ourselves in a situation where config refresh is doing more harm than good? Well, that is where the third setting, PausePeriod, comes to the rescue!

💡For now, CSP is the only approach I can find to configure the PausePeriod; the settings catalog will hopefully support this in the near future.
💡We no longer need to use CSP to control the PausePeriod. The more user-friendly approach is to use the new action, which you will find on the device actions blade.

PausePeriod: CSP (the only way)

  1. Edit the current CSP policy named: W11 – Insider – Config refresh – CSP (or the name you picked) or create a new one if you took the settings catalog approach earlier.
  2. Add a new row with the settings below
    • Name: PausePeriod
    • OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/PausePeriod
    • Data type: Integer
    • Value: 60 (or as per your wish)
  3. Save and make sure it is assigned to your Insider device(s).

Now, if we head over to the registry again, we notice a new value named PausePeriod.

PausePeriod: Device action (the new and cool way)

  1. Intune portal -> Devices -> Windows.
  2. Click a device in the list.
  3. You will find the Pause config refresh action next to all the other device actions.
    💡You might need to click the three dots (…) in order to see all available actions.
  4. Specify how long you want to pause.

What happens behind the scenes is very simple: the scheduled task trigger is postponed by the selected number of minutes, in our case 60 minutes.

💡Notice that the trigger is now a one-time trigger set 60 minutes (or almost, I did not time the screenshot perfectly) in the future.

✅This allows us to make changes to Windows settings during a fixed timeframe without config refresh reverting them.

And of course, when the 60 minute pause period is over, the regular schedule resumes… pretty neat!
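Because the pause is implemented as a postponed trigger, an administrator can tell from the device itself whether a pause is in effect. The script below is an added example, not code from the original post, and reports the configured cadence and pause period together with the task's next run time. It assumes the paths the post names, the enrollment GUID in $EnrollmentGuid (placeholder), that the normal trigger carries a repetition interval and that a pause shows up as a one-time trigger, as the post's screenshot shows; the 90 minute fallback is the documented default cadence.

```powershell
# Added example (not from the original post): report whether Config Refresh is currently paused
# by reading the PausePeriod value and the scheduled task's next run time.
param([string]$EnrollmentGuid = '<YOUR-ENROLLMENT-GUID>')

$refreshKey = "HKLM:\SOFTWARE\Microsoft\Enrollments\$EnrollmentGuid\DMClient\ConfigRefresh"
$taskPath   = "\Microsoft\Windows\EnterpriseMgmtNonCritical\$EnrollmentGuid\"

# Configured values; fall back to the documented defaults when a value has not been written yet.
$cfg     = Get-ItemProperty -Path $refreshKey -ErrorAction Stop
$cadence = if ($cfg.PSObject.Properties['Cadence'])     { [int]$cfg.Cadence }     else { 90 }
$pause   = if ($cfg.PSObject.Properties['PausePeriod']) { [int]$cfg.PausePeriod } else { 0 }

# The task the post names under the enrollment GUID folder.
$task = Get-ScheduledTask -TaskPath $taskPath -ErrorAction Stop |
        Where-Object { $_.TaskName -like 'Schedule created by dm client*' } |
        Select-Object -First 1
if (-not $task) { throw "Config Refresh task not found under $taskPath" }
$info = $task | Get-ScheduledTaskInfo

# Minutes until the next run; $null if the task has no scheduled run at all.
$minutesToNextRun = $null
if ($info.NextRunTime) {
    $minutesToNextRun = [math]::Round(($info.NextRunTime - (Get-Date)).TotalMinutes, 1)
}

# A pause is a one-time trigger (no repetition interval); the regular schedule repeats every $cadence minutes.
$oneTimeTriggers = @($task.Triggers | Where-Object { -not $_.Repetition.Interval })

[PSCustomObject]@{
    EnrollmentGuid     = $EnrollmentGuid
    CadenceMinutes     = $cadence
    PausePeriodMinutes = $pause
    LastRun            = $info.LastRunTime
    NextRun            = $info.NextRunTime
    MinutesToNextRun   = $minutesToNextRun
    # Either sign indicates an active pause: the next run is further away than one cadence,
    # or the task currently has a one-time trigger instead of the repeating one.
    PauseLikelyActive  = (($null -ne $minutesToNextRun) -and ($minutesToNextRun -gt $cadence)) -or
                         ($oneTimeTriggers.Count -gt 0)
}
```

Run it before and after using the Pause config refresh device action to see the next run time jump forward by the pause you selected, and again once the pause has elapsed to confirm the regular cadence is back.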

Config refresh: Final thoughts

It seems config refresh successfully restored the full contents, keys and values, which is great from an end user, administrator and security perspective!! 🤩

That sums up this post. We have looked at how to get going with config refresh, and I look forward to adding more details to this post as I learn more about this awesome feature!

2 thoughts on “Windows 11: Config Refresh”

  1. This is a neat feature but it seems like it would be more advantageous if an admin could initiate the pause on the local machine. As it looks now, you’d have to know you need to perform a pause, create the policy, wait who knows how long until the new policy is applied, perhaps wait around checking the registry for the setting to be applied, then do you just disable it when your work is done? Toast notifications or a feature in System settings seems like it would be easier to implement the “pause”. But overall, a cool feature.

    1. I agree that pause must be easier to use. We will hopefully see some changes to that before it is released outside of insider builds.

      //Nicklas
