Config Refresh: Make sure your policies apply!

Config Refresh: Make sure your policies apply!

Introduction

Config Refresh is currently available for the Windows Insiders build. It's a really interesting feature that reapplies your policies without the need for a device to check in or a device to restart.

However, it's actually a little lie when I say it will reapply all your policies. There are some policies that aren't covered, more about this later in the blog!

Let's take a look at it and see how it works 😎


Configuration

First of all, before I can start configuring anything, I will have to get a computer with a Windows Insider build installed. If you are interested in testing it out with me, you can opt into the Windows Insider program right here.

You can configure it in two different ways. The first way is to configure it through the settings catalog, however, at the moment of writing this blog, this isn't available.

The last way to configure config refresh is with the DMClient CSP. Where you create a custom configuration profile through Intune. However, I will start off by showing how to configure it through the settings catalog.


Settings Catalog

  1. After opting in to the Windows Insider program, you would have to jump into our favourite portal, Intune.
  2. Head to devices > configuration profiles. Hit the create button, and 'new policy'
  1. Make sure to select 'Windows 10 and later' and 'Settings catalog'. Last but not least, click Create!
  2. Name your profile and click next. Click 'Add settings' and search for 'Config Refresh'.
  1. Make sure to select both 'Enable config refresh' and 'Refresh cadence'. Once they are selected, it will look like this in your profile.
  1. By default, config refresh is disabled, so we have to make sure the switch is switched to the left side. Now that the configuration refresh feature is activated, we must choose how frequently our devices' policies should be updated. For this test, I will configure it so the policies are refreshed every 30 minutes.
💡
There is a limitation of how low, you can configure your refresh cadence. You can't configure less then 30 minutes or more then 1440 minutes.
Default value of the refresh cadence is 90 minutes.
  1. Once you have configured your config refresh settings, hit next and make sure to assign the profile to your test group.

DMClient CSP

  1. Click create a new policy within configuration profiles, and make sure to select 'Windows 10 and later' and 'Templates'.
  2. Once you have selected templates as the profile type, you will see the 'custom' template appear.
  1. Make sure you select the custom option, and press next. Give your profile a name, and go to the next page.
  2. Click add and before doing anything else, visit the DMClient CSP site. When entering the link, you will see the setting called: 'Device/Provider/{ProviderID}/ConfigRefresh/Enabled'

Before we can start using config refresh, we will have to enable it. This is what this setting will help us do.

  1. Get back into the Intune portal, and fill out the information for the first OMA-URI setting. Find a proper name and description for the setting.
  1. You can't just copy the OMA-URI from the DMClient CSP documentation, but it's very close! This is the correct OMA-URI setting, where the provider ID has been changed.

./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/Enabled

  1. The DMClient documentation tells us, that the data type is a bool and the allowed values are for this policy.
  1. The first policy will end up looking like the following:
  1. Last but not least, we would have to configure the cadence. You can find the setting right here. Start off by giving the setting a name and description.
  1. The OMA-URI is the following down below, where I have changed the provider ID once again.

./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigRefresh/Cadence

  1. The data type of the setting is an integer. The value here is how often we would like our policies to be reapplied in minutes. I will set mine to refresh every 30 minutes.

The setting will end up looking like the one above. Now the only thing we have left is to assign the policies to our test devices!


How can I check if it's applied?

I'm currently using Windows Insider Build 26040 Canary Build, and the registry path where config refresh settings are stored is the one below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\GUID\ConfigRefresh

When enabling Config Refresh, there is also a task schedule that is running depending on your cadence setting. You can find the task schedule on the following path: Microsoft -> Windows -> EnterpriseMgmtNonCritical

💡
If you are unaware of the GUID, you can start by opening the task scheduler. The GUID is the name of the folder underneath EnterpriseMgmtNonCritical.

Let's test it!

So you have now checked that your config refresh policy has been applied to your test device, and you are now ready to test it!

Let's start by finding some policies to remove so we can test the functionality. Head into your registry and paste the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

With this view, you can see most of the policies applied to your device. I will go ahead and remove the 'Start' folder under the device category.

Once I have done that, I can wait for 30 minutes or trigger the process manually. I don't have a lot of patience, so I will open my task scheduler and browse to the following path:

Microsoft -> Windows -> EnterpriseMgmtNonCritical -> GUID

From here, I will run the job called 'Schedule created by dm client to refresh settings'.

After a few seconds, I can see that the specific setting is appearing in my registry editor again.

Pretty cool, right? 😁


Observations

Not all settings from Intune are refreshed. I didn't have the chance to test all settings in Intune that would not be possible.

During testing, I noticed that the policies in the "PolicyManager" regedit are updated by the config refresh. I have tested the below settings:

Setting Blade
Configuration Profile Devices
Windows Update Rings Devices
Microsoft Defender Antivirus Endpoint Security
Bitlocker Endpoint Security
Attack surface reduction Endpoint Security
LAPS Endpoint Security
Local user group membership Endpoint Security

All settings above, unless LAPS and local user group membership worked with config refresh.

It's important to say, that I haven't tested all settings within configuration profiles, so I can't guarantee that all settings work from there.

There is another 'PolicyManager' in the regedit under Windows Defender, where ASR rules are stored. The defender 'PolicyManager' path is also refreshed by config refresh.

Important paths:

HKLM\Software\Policies\Microsoft\Windows Defender\Policy Manager

HKLM\Software\Microsoft\PolicyManager


The last observation is actually a cool feature that helps prevent users from removing the task schedule for config refresh. If the user isn't a local administrator on the device, the folder underneath EnterpriseMgmtNonCritical in the task scheduler will be empty.

If you open the task scheduler as an administrator, will you be able to see the config refresh task again and run it.


Conclusion

Config Refresh is a really cool feature, and it helps with refreshing a lot of settings. Unfortunately, not all settings from Intune is refreshed. I didn't had the chance to test all settings within Intune, so hopefully Microsoft will release more information when it gets released from Windows Insider.

I appreciate you took the time to read this blog, have a great day!