Scheduling automatic policy refreshes for Windows devices without requiring a check-in

This week is sort of a follow-up on a blog post of about four (!) years ago. That post was focused on the policy refresh on Windows devices. Very recently, something new became available to refresh the already applied configurations: Config Refresh. Config Refresh can be used to configure a refresh cadence at which the already received configuration policies are reapplied, no matter if the device is online or offline. That is a great addition to at least make sure that the received configuration stays applied. Config Refresh became available as a configuration option in Microsoft Intune with the latest service release (2309). Besides that, it relies on an addition to the DMClient CSP that became available just recently in the latest Windows 11 Insider Preview Builds in the Canary Channel. This post provides some more details around Config Refresh, followed by the steps to configure it, and ends by showing the experience when Config Refresh is applied.

Important: At the moment of writing this functionality is only available in Windows 11 Insider Preview Builds.

Configuring the automatic configuration refresh

When looking at the configuration of Config Refresh, to configure the automatic refresh cadence, it all starts with the new settings that are introduced in Microsoft Intune. Those settings are Enable config refresh and Refresh cadence, and both are based on the DMClient CSP. Within the DMClient CSP, there is a new parent node for the Config Refresh policy settings. That node contains three policy settings: 1) Enabled, 2) Cadence, and 3) PausePeriod. The first policy setting enables Config Refresh and is used with the Enable config refresh setting. The second policy setting configures the refresh cadence of Config Refresh and is used with the Refresh cadence setting. The third and last policy setting can be used to configure the pause period in minutes for Config Refresh and will be used with the Pause config refresh remote action. That remote action provides the IT administrator with the ability to pause the automatic refresh, to, for example, perform troubleshooting activities.

Note: At the moment of writing the remote action to pause the config refresh is still in development and not yet available.

The configuration of the policy settings is actually pretty straightforward, as the settings are already available within the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required settings to enable the configuration refresh and to configure the configuration refresh cadence.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
  • Profile: Select Settings catalog to select the required setting from the catalog
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: (Greyed out) Windows 10 and later
  5. On the Configuration settings page, as shown below in Figure 1, perform the following actions
  • Click Add settings and perform the following in Settings picker
    • Select Config Refresh as category
    • Select Enable config refresh and Refresh cadence as settings
  • Select Enabled with Enable config refresh, specify an interval in minutes with Refresh cadence and click Next
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Experiencing the automatic configuration refresh

When looking at the device, after configuring the automatic configuration refresh, there are a few important things that change. The first thing is that Config Refresh will be enabled and that information can be verified in the registry, by looking at the registry key of HKLM:\SOFTWARE\Microsoft\Enrollments\{ProviderID}\DMClient\ConfigRefresh. That registry key should contain a value Enabled that indicates that Config Refresh is enabled and a value Cadence that contains the refresh value in minutes. Below in Figure 2 is an example of that configuration.

Besides that, another important change is the creation of a new Scheduled Task in the Task Scheduler at the location Microsoft > Windows > EnterpriseMgmtNonCritical > {ProviderID}. Below in Figure 3 is an example of that task. That task is Schedule created by dm client to refresh settings (see number 1) and contains the configured cadence as schedule (see number 2). That task runs %windir%\system32\deviceenroller.exe with the parameters /ConfigRefresh /o {ProviderID} (see number 3), to trigger a refresh of the configuration without requiring the device to be online.
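The registry key and the Scheduled Task described above can be checked from an elevated PowerShell session. The following script is an added example and is not code from the original post or from Microsoft; it assumes the registry path HKLM:\SOFTWARE\Microsoft\Enrollments\{ProviderID}\DMClient\ConfigRefresh and the task path Microsoft\Windows\EnterpriseMgmtNonCritical\{ProviderID} exactly as shown in the post, and it reports every enrollment on the device that carries a ConfigRefresh key, together with the matching task, its command line and its repetition interval.

```powershell
# Added example (not from the original post): verify the Config Refresh state that
# Intune has written to the device and the Scheduled Task that performs the refresh.
# Run in an elevated PowerShell session on the Windows 11 Insider Preview device.
# Assumptions: the registry path and the task path are as described in the post;
# enrollments without a DMClient\ConfigRefresh key are skipped.

function Get-ConfigRefreshState {
    $enrollmentsPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $enrollments = Get-ChildItem -Path $enrollmentsPath -ErrorAction SilentlyContinue

    foreach ($enrollment in $enrollments) {
        $providerId = $enrollment.PSChildName
        $refreshKey = Join-Path -Path $enrollment.PSPath -ChildPath 'DMClient\ConfigRefresh'

        if (-not (Test-Path -Path $refreshKey)) {
            continue   # this enrollment has no Config Refresh configuration
        }

        # Enabled and Cadence (minutes) are written by the DMClient CSP
        $values = Get-ItemProperty -Path $refreshKey

        # The refresh task lives under Microsoft\Windows\EnterpriseMgmtNonCritical\{ProviderID}
        $taskPath = "\Microsoft\Windows\EnterpriseMgmtNonCritical\$providerId\"
        $task = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
            Where-Object { $_.Actions.Arguments -match 'ConfigRefresh' } |
            Select-Object -First 1

        [pscustomobject]@{
            ProviderId   = $providerId
            Enabled      = $values.Enabled
            CadenceMin   = $values.Cadence
            TaskName     = if ($task) { $task.TaskName } else { $null }
            TaskState    = if ($task) { $task.State.ToString() } else { 'missing' }
            TaskCommand  = if ($task) { "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)" } else { $null }
            # Repetition.Interval is an ISO 8601 duration, e.g. PT60M for a 60 minute cadence
            TaskInterval = if ($task) { $task.Triggers[0].Repetition.Interval } else { $null }
        }
    }
}

Get-ConfigRefreshState | Format-List
```

A result with Enabled set, a Cadence in minutes and a task whose command line contains deviceenroller.exe /ConfigRefresh /o {ProviderID} confirms that the profile has been applied; a missing task or a Cadence that does not match the Intune profile is the first thing to look at when the refresh does not happen.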

When running that task, it basically reapplies previously received policy settings. So far, that seems to apply to the policy settings that are available within the PolicyManager registry key that belongs to the applicable provider. That also makes it relatively easy to verify the behavior and, with enough permissions, to manipulate it. Below in Figure 4 is an example of ConfigRefresh in action. It shows the manual adjustment of a currently applied policy setting that is automatically refreshed after running the Scheduled Task. And all of that while the device is offline (see the icon in the System Tray).

The challenge, however, is that it also works the other way around. So, when a user with enough permissions (and knowledge) directly modifies the values in the registry key that belongs to the provider (in this case EnablePasswordlessExperience in HKLM:\SOFTWARE\Microsoft\PolicyManager\providers\D4647331-F69A-4D8F-A52D-1AFF6A9C42ED\default\Device\Authentication), this Scheduled Task will apply that changed value. That is mitigated again with the next check-in of the device.
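Because Config Refresh reapplies whatever is currently stored under the provider's PolicyManager key, a locally changed value persists across refreshes until the next check-in, so it is worth comparing the stored values against what Intune is expected to have assigned. The following script is an added example (not code from the original post or from Microsoft): it uses the provider GUID and the EnablePasswordlessExperience setting from the post, while the expected values in the $expected table are constructed for the example and have to be replaced with the values of the real assignment.

```powershell
# Added example (not from the original post): detect local drift in the PolicyManager
# values that Config Refresh reapplies. Config Refresh re-applies the values stored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\providers\{ProviderID}, so a locally modified
# value survives the refresh until the next Intune check-in. Comparing the stored values
# against the values expected from Intune surfaces such modifications.
# Assumptions: the provider GUID and the EnablePasswordlessExperience setting are the
# ones shown in the post; the expected values below are constructed for this example.

$providerId   = 'D4647331-F69A-4D8F-A52D-1AFF6A9C42ED'
$providerRoot = "HKLM:\SOFTWARE\Microsoft\PolicyManager\providers\$providerId\default\Device"

# Expected configuration as assigned in Intune (constructed; adjust to the real assignment)
$expected = @(
    @{ Area = 'Authentication'; Name = 'EnablePasswordlessExperience'; Value = 1 }
)

function Test-PolicyManagerDrift {
    param(
        [string]$Root,      # provider root key under PolicyManager\providers
        [array]$Expected    # list of @{ Area; Name; Value } entries
    )
    foreach ($item in $Expected) {
        $keyPath = Join-Path -Path $Root -ChildPath $item.Area
        $actual  = $null
        if (Test-Path -Path $keyPath) {
            $actual = (Get-ItemProperty -Path $keyPath -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Area     = $item.Area
            Setting  = $item.Name
            Expected = $item.Value
            Actual   = $actual
            Status   = if ($null -eq $actual) { 'missing' }
                       elseif ($actual -ne $item.Value) { 'DRIFT' }
                       else { 'ok' }
        }
    }
}

$report = Test-PolicyManagerDrift -Root $providerRoot -Expected $expected
$report | Format-Table -AutoSize

# Any DRIFT row is a value that Config Refresh will keep reapplying until the device
# checks in again; that is the signal to investigate who changed it and to force a sync.
$driftCount = @($report | Where-Object { $_.Status -eq 'DRIFT' }).Count
Write-Output "Drifted settings: $driftCount"
```

Running this on a schedule, or as a detection script that reports back to Intune, turns the behavior shown in Figure 4 into something that can be monitored rather than only observed: a DRIFT result means the value in the registry no longer matches the assignment, and the next check-in is what restores it.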

More information

For more information about configuring the configuration refresh, refer to the following docs.
