Today we’re excited to introduce Config Refresh, a top requested improvement for mobile device management (MDM). Ensure timely and persistent security and compliance of Policy CSP settings on your fleet of devices by enabling frequent MDM policy refresh if (and when) settings drift from your intent. Let’s learn more about what Config Refresh is, how to manage and troubleshoot it.
Important: Config Refresh is available for Windows 11 starting with the May 2024 non-security update and the June 2024 security update.
Windows 11 supports MDM protocols so you can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. MDM helps you improve device management through the following capabilities:
As MDM has evolved to support management of hundreds of millions of devices, we’re listening to your feedback. Windows continues to close the gap between the MDM settings available through configuration service providers (CSPs), exposed in solutions such as the Microsoft Intune Settings Catalog, and the settings you can manage through traditional Group Policy.
Config Refresh helps improve security and compliance for MDM-managed PCs. By default, Group Policy refreshes every 90 minutes, and MDM policy refreshes every eight hours. With Config Refresh, you can now configure policy refresh timing to be as short as 30 minutes or as long as 24 hours (that is, 1,440 minutes).
Config Refresh is designed to bring MDM the policy refresh functionality that was already available with Group Policy. Some of the key new features are:
Important: Config Refresh is designed to work with MDM policies managed by the Policy CSP. Some policies, notably the BitLocker CSP, will also adhere to Config Refresh enablement. Other policies are outside of this scope, such as Firewall, AppLocker, PDE, and LAPS.
You can manage the Config Refresh experience in the Intune Settings Catalog as shown below. When you enable Config Refresh, the default refresh cadence is 90 minutes. As noted above, you can set it to as low as 30 minutes based on your organizational needs.
Intune Settings Catalog with Config Refresh enabled and set to a 30-minute refresh
To enable Config Refresh, your PCs must be running Windows 11, version 23H2 or version 22H2 with the June 2024 security update installed (or later).
The DMClient CSP enables and configures Config Refresh capabilities. The ConfigRefresh node is responsible for enablement and configuration of the feature.
ConfigRefresh nodes within DMClient CSP
The ConfigRefresh node consists of:
You can verify that Config Refresh is enabled in the registry under the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\\ConfigRefresh
Config Refresh enabled with a Cadence value of 30 minutes set
When you enable Config Refresh, Windows creates a scheduled task in the Task Scheduler, which is responsible for executing the refresh. The scheduled task is created in the Microsoft/Windows/EnterpriseMgmtNonCritical node. Here’s what you’ll see in the middle pane:
Config Refresh scheduled task in Task Scheduler with default settings
Config Refresh logs activity to the Event Viewer. Here’s what you can observe in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational log:
Screenshot of the Event Viewer showing successful completion of refresh as Event ID 4202
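The registry, Task Scheduler and Event Viewer checks described above can be combined into one health script. This is an added example, not code from the original post or from Microsoft; it assumes that the ConfigRefresh key holds value names Enabled and Cadence (the post only shows the Cadence value) and that the scheduled task folder and event ID are exactly as given above.

```powershell
# Added example (not from the original post): verify that Config Refresh is
# enabled and actually running, using the three places the post describes:
# the registry, Task Scheduler and the DeviceManagement event log.
# Assumption: registry value names 'Enabled' and 'Cadence' under ConfigRefresh.
#Requires -RunAsAdministrator

$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$taskPath   = '\Microsoft\Windows\EnterpriseMgmtNonCritical\'
$logName    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'

function Get-ConfigRefreshState {
    # Walk every enrollment (each MDM enrollment ID is a GUID subkey) and
    # report whether a ConfigRefresh subkey exists and what it contains.
    Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue |
        Where-Object { Test-Path "$($_.PSPath)\ConfigRefresh" } |
        ForEach-Object {
            $cr = Get-ItemProperty "$($_.PSPath)\ConfigRefresh"
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                Enabled        = $cr.Enabled     # assumed value name
                CadenceMinutes = $cr.Cadence     # value shown in the post
            }
        }
}

function Test-ConfigRefreshHealth {
    param([int]$MaxAgeHours = 24)  # warn if no successful refresh within this window
    $state = @(Get-ConfigRefreshState)
    if (-not $state) { Write-Warning 'No enrollment has a ConfigRefresh key; feature not enabled.'; return $false }
    $state | Format-Table -AutoSize | Out-String | Write-Host

    # The scheduled task that performs the refresh lives under this folder.
    $tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue
    if (-not $tasks) { Write-Warning "No tasks found under $taskPath"; return $false }
    $tasks | Select-Object TaskName, State | Format-Table -AutoSize | Out-String | Write-Host

    # Event ID 4202 = successful completion of a refresh (per the post).
    $since = (Get-Date).AddHours(-$MaxAgeHours)
    $ok = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4202; StartTime = $since } `
              -MaxEvents 5 -ErrorAction SilentlyContinue
    if (-not $ok) { Write-Warning "No Event ID 4202 in the last $MaxAgeHours h; refresh may not be running."; return $false }
    Write-Host "Last successful refresh: $($ok[0].TimeCreated)"
    return $true
}

Test-ConfigRefreshHealth
```

Run it in an elevated PowerShell session on a managed device; a return value of $false points at the first check that failed (key missing, task missing, or no recent 4202 event).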
We’re excited for you to start using Config Refresh to help you manage devices more securely and stop configuration drift. Check out this great new addition to Windows 11 and let us know in the comments what you think!
We truly believe that security is a team sport as we deliver Windows to be secure by design and secure by default, and you are an important part of our security team. Here’s where you can learn more:
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.