Are the settings what you think they are?

Something I know a lot of Microsoft Intune admins have been frustrated about for a while, especially if you come from the GPO world, is making sure that the settings you applied are what you think they are on the device. I mean, things happen. Users can be local admins and change stuff, a support person could have changed something locally, or stuff just won’t work.

As we all know, an up and running Intune Windows device will check in with Intune every 8 hours to see if the settings are still correct. 8 hours is quite a long time if you have a faulty configuration, and not all users know that they can manually synchronize their device with Intune (or an admin can do so).

This is where the newly introduced Config Refresh enters the stage!

What is Config Refresh?

Config Refresh is a new setting in Windows 11 (23H2, or 22H2 with the 2024 June update) which lets you define the interval at which the Windows device refreshes its configuration based on what is defined in Intune. In the GPO world, this happens automatically every 90 minutes, and in the Intune world this is 8 hours! But with Config Refresh we can squeeze this down as short as 30 minutes or push it all the way up to 24 hours (why someone would do that, I don’t know, but I bet there are those scenarios).

But this isn’t just changing the default 8 hour interval. It actually brings some new stuff to the table:

  • A reset operation to reset any settings you manage which use the Policy CSP
  • Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
  • Offline functionality, not requiring connectivity to an MDM server
  • Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

This means that we get a bunch of new features in the MDM world which we have not had before!

How do I configure it?

But how do I configure this in my environment? The Config Refresh policy is set in the settings catalog, so let’s jump straight into Devices – Windows – Configuration and add a new Settings Catalog policy.

As usual, give your policy a name which makes sense to you in your environment and click next. I’m going for “Win – Config Refresh” in this example.

Now let’s search for “Config Refresh” and add both the settings to our policy.

Let’s go for a 30-minute interval in this example but set what makes sense to your environment (default value is 90 minutes). Also, make sure to enable the “Config Refresh” setting before clicking on next.

If you are using scope tags, you can add them in the next step; otherwise, move on to assignment. Since this is a device scope setting, let’s target the device for this one so we can make sure that all our devices get this setting regardless of who signs in. If you want to filter out specific devices, add that here as well.

On the last step, review your settings before clicking on “Create”.

This will configure your devices to refresh their policies every 30 minutes!

Bonus:

If you for some reason want to prevent a device from doing a Config Refresh, you can find the device and press those three dots on the right side of the ribbon. You will then find “Pause config refresh”.

You can then pause the refresh for up to 24 hours.

Key takeaway

Using Config Refresh we can make sure that our devices have the correct configuration with greater certainty, and we can adjust the interval to fit our needs.

This gives us as admins a greater sense of control when managing devices and wanting to make sure that our devices have the correct settings. If you are coming from the GPO world you will be very familiar with this, since GPOs refresh every 90 minutes (default), and now you can make Intune work the same way! Yet another thing that you will no longer be missing from the old world!

Hope you find this as useful as I do, and happy clicking!
