Intro to Config Refresh – a refreshingly new MDM feature

Today we’re excited to introduce Config Refresh, a top requested improvement for mobile device management (MDM). Ensure timely and persistent security and compliance of Policy CSP settings on your fleet of devices by enabling frequent MDM policy refresh if (and when) settings drift from your intent. Let’s learn more about what Config Refresh is, how to manage and troubleshoot it.

Mobile device management

Windows 11 supports MDM protocols so you can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. MDM helps you improve device management through the following capabilities:

• Use the cloud as the management plane.
• Remove connectivity constraints to support work-from-anywhere scenarios.
• Simplify many management tasks in the enterprise.

As MDM has evolved to support management of hundreds of millions of devices, we’re listening to your feedback. Windows continues to achieve parity between MDM settings available through configuration service providers (CSPs) and exposed through solutions like the Microsoft Intune Settings Catalog, with those settings that you can manage through traditional Group Policy.

What’s Config Refresh?

Config Refresh helps improve security and compliance for MDM-managed PCs. By default, Group Policy refreshes every 90 minutes, and MDM policy refreshes every eight hours. With Config Refresh, you can now configure policy refresh timing to be as short as 30 minutes or as long as 24 hours (that is, 1,440 minutes).

Config Refresh is designed to provide improved functionality that was available with Group Policy. Some of the key new features are:

• A reset operation to reset any settings you manage which use the Policy CSP
• Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
• Offline functionality, not requiring connectivity to an MDM server
• Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

Manage Config Refresh

You can manage Config Refresh experience in the Intune Settings Catalog as shown below. When you enable Config Refresh, the default refresh cadence is 90 minutes. As noted above, you can set it to as low as 30 minutes based on your organizational needs.

Intune Settings Catalog with Config Refresh enabled and set to a 30-minute refresh

To enable Config Refresh, your PCs must be running Windows 11, version 23H2 or version 22H2 with the June 2024 security update installed (or later).

The DMClient CSP enables and configures Config Refresh capabilities. The ConfigRefresh node is responsible for enablement and configuration of the feature.

ConfigRefresh nodes within DMClient CSP

The ConfigRefresh node consists of:

• Cadence: Determines the frequency with which the refresh operation happens. The default for the refresh is 90 minutes. Allowed values are from 30 to 1440 minutes.
• Enabled: Enables or disables the refresh feature. The default value is false. Set it to true to enable the feature.
• PausePeriod: To pause Config Refresh for troubleshooting, enter a value between 0 to 1440 minutes. At the end of the period, the refresh is re-enabled. Set the value of 0 to re-enable the feature.

You can verify that Config Refresh is enabled in the registry under the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\\ConfigRefresh

Config Refresh enabled with a Cadence value of 30 minutes set

When you enable Config Refresh, Windows creates a scheduled task in the Task Scheduler, which is responsible for executing the refresh. The scheduled task is created in the Microsoft/Windows/EnterpriseMgmtNonCritical node. Here’s what you’ll see in the middle pane:

• The Triggers show the current cadence that is set.
• The Actions show that deviceenroller.exe command will be called to force the refresh.

Config Refresh scheduled task in Task Scheduler with default settings

Troubleshoot Config Refresh

Config Refresh logs activity to the Event Viewer. Here’s what you can observe in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational log:

• Event ID 4200 indicates the start of Config Refresh.
• Event ID 4202 indicates the successful completion of refresh.
• Event ID 4201 indicates refresh failure.
• Event IDs 4203-4214 indicate any failures that might occur when setting or deleting the Config Refresh values.

Screenshot of the Event Viewer showing successful completion of refresh as Event ID 4202

Get started with Config Refresh today

We’re excited for you to start using Config Refresh to help you manage devices more securely and stop configuration drift. Check out this great new addition to Windows 11 and let us know in the comments what you think!

We truly believe that security is a team sport as we deliver Windows to be more secure by design and security by default—and you are an important part of our security team. Here’s where you can learn more:

• The Windows Security Book is available to help you learn more about what makes it easy for users to stay secure with Windows.
• To learn more about Microsoft Security solutions, visit our website.
• Bookmark the Security blog to keep up with our expert coverage on security matters.
• Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.