CP - Security - Config Refresh
Why do we have this policy?
Config Refresh is a gamechanger for Intune policy enforcement. Normally, a Windows device checks in with Intune approximately every 8 hours. This means that if someone (or something) modifies a policy setting, it can take hours before it gets reverted.
That's a security risk.
With Config Refresh, policies are re-applied every 30 minutes. Not just checked, but actually re-enforced.
Scenario without Config Refresh:
- Malware disables BitLocker via registry hack
- Device won't check in with Intune for another 6 hours
- For 6 hours the disk is unencrypted
- Attacker has all the time to steal data
- You get a call from the CISO
Scenario with Config Refresh:
- Malware disables BitLocker via registry hack
- Config Refresh restores the setting within 30 minutes
- BitLocker is enabled again
- Attacker frustrated
- You sleep peacefully
Config Refresh provides policy hardening that actually sticks.
Settings
| Setting | Value | Why |
|---|---|---|
| Config Refresh Enabled | True | Enable Config Refresh. This is the main switch. |
| Config Refresh Cadence | 30 minutes | Every 30 minutes policies are re-enforced. Balance between security and performance. |
Cadence explanation
30 minutes is the sweet spot:
- Fast enough to detect and correct drift
- Not so frequent that it impacts performance
- Microsoft's recommended value
- Enough time for normal operations
30 minutes is the minimum cadence Intune allows (you can only set it higher), and 30 works great.
Assignments
Included groups:
| Group | Status | Filter | Filter mode |
|---|---|---|---|
| All devices | Active | None | None |
Excluded groups:
Why all devices except IoT?
- All regular devices → benefit from constant policy enforcement
- IoT devices excluded → these often have specific configurations that shouldn't be re-enforced every 30 minutes (kiosks, signage, etc.)
Fun facts & tips
What exactly gets "refreshed"?
Config Refresh restores all MDM policies pushed via Intune:
- Device restrictions
- Endpoint security policies
- Configuration profiles
- Administrative templates
It does not work for:
- Apps (these are managed separately)
- Scripts (these run on their own schedule)
- Certificates (these have their own lifecycle)
Difference from normal sync
| | Normal Sync | Config Refresh |
|---|---|---|
| Frequency | ~8 hours (or manual) | Every 30 min |
| Action | Check if there are updates | Force re-apply all policies |
| On drift | Wait for next sync | Restores automatically |
Config Refresh does not replace normal sync. It complements it. Normal sync fetches new policies. Config Refresh ensures existing policies keep working.
Performance impact?
Minimal. Config Refresh is optimized by Microsoft:
- Only policies that deviate are restored
- No full re-enrollment
- CPU/disk impact is negligible
You won't notice anything as a user. But attackers will.
Monitoring
In the Intune portal you can see when a device last synchronized. Config Refresh adds an extra layer to this, but isn't separately visible in the portal.
On the device itself you can check Event Viewer:
- Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider
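As an added example (not from the original page or from Microsoft), the following PowerShell reads that log on the local device and reports how long it has been since the last MDM policy activity, plus any gaps longer than twice the 30-minute cadence. It assumes the Event Viewer path above corresponds to the channel name `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin`; the 2× tolerance is our own constructed threshold.

```powershell
# Added example: check the local MDM diagnostics log for Config Refresh activity.
# Assumption: the Event Viewer path from the Monitoring section maps to this channel name.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-CadenceGaps {
    # Pure helper: given event timestamps, return every gap longer than the tolerance.
    param(
        [Parameter(Mandatory)][datetime[]]$Timestamps,
        [int]$CadenceMinutes = 30,
        [double]$ToleranceFactor = 2.0   # constructed threshold: 2x the cadence
    )
    $sorted = $Timestamps | Sort-Object
    $limit  = [timespan]::FromMinutes($CadenceMinutes * $ToleranceFactor)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $gap = $sorted[$i] - $sorted[$i - 1]
        if ($gap -gt $limit) {
            [pscustomobject]@{ From = $sorted[$i - 1]; To = $sorted[$i]; Gap = $gap }
        }
    }
}

function Test-ConfigRefreshActivity {
    # Summarise MDM log activity over the last N hours against the expected cadence.
    param([int]$Hours = 12, [int]$CadenceMinutes = 30)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction Stop
    if (-not $events) {
        Write-Warning "No MDM events in '$LogName' since $since"
        return
    }
    $stamps = $events | ForEach-Object TimeCreated
    $last   = ($stamps | Sort-Object)[-1]
    $gaps   = @(Get-CadenceGaps -Timestamps $stamps -CadenceMinutes $CadenceMinutes)
    [pscustomobject]@{
        EventCount   = @($events).Count
        LastActivity = $last
        IdleFor      = (Get-Date) - $last
        LongGaps     = $gaps.Count
    }
    # List the individual gaps so you can see when the device went quiet.
    $gaps | Format-Table -AutoSize
}

Test-ConfigRefreshActivity -Hours 12 -CadenceMinutes 30
```

Because only policies that deviate are restored, a quiet stretch may simply mean nothing drifted; treat a long gap as a prompt to check the device's last sync in the portal rather than as proof that Config Refresh failed.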
The bottom line
Config Refresh ensures that security policies actually keep working.
Without Config Refresh:
- Policies can be bypassed
- Drift persists for hours
- Security configuration is "best effort"
With Config Refresh:
- Policies are enforced every 30 minutes
- Drift is automatically restored
- Security configuration is guaranteed
This is one of those policies you just need to have enabled. No discussion. No exceptions (except IoT).
Turn it on. Leave it on. Sleep better.
Documentation
Configure with intent. Refresh with regularity. And never trust a device that says "Policies applied" but hasn't actually checked in for 12 hours.