Config drift is a never-ending battle we fight to keep devices secure and compliant. It's important that administrators implement tools and strategies to prevent, detect, and remediate config drift in their environments so devices stay secure and compliant. Config Refresh is a Windows 11 feature that can help with that effort.
What is Config Refresh?
Let's get one thing out of the way: Config Refresh is not an Intune feature - it is a Windows 11 feature that can "refresh" MDM policy settings on a set interval.
Prerequisites
Config Refresh is only available on Windows 11 - Windows 10 is not supported.
- Microsoft Intune subscription
- Windows 11 Pro, Enterprise, or Education edition
- Navigate to the Intune admin center
- Click Devices > Manage devices > Configuration > + Create > + New policy
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Create profile:
  - Name: Enable Config Refresh
- Click + Add settings > Search for "Config Refresh"
- Select the following settings: Config Refresh and Refresh cadence
- Configure settings:
  - Config Refresh: Enabled
  - Refresh cadence: 30 (in minutes)
- Click Next > Assign to appropriate groups > Next > Create
That's it, all your config drift problems are solved. Just kidding.
Confirm Config Refresh is enabled on a device by checking the registry key:
HKLM\SOFTWARE\Microsoft\Enrollments\{GUID}\ConfigRefresh
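Because the enrollment GUID differs on every device, checking the key by hand means browsing each subkey under Enrollments. The following script is an added example, not code from the original post: it enumerates every enrollment on the local device, reports whether a ConfigRefresh subkey exists, and dumps whatever values the key holds without assuming any particular value names. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): find every MDM enrollment on this device
# and report whether its ConfigRefresh subkey is present, printing the key's values as-is.
function Get-ConfigRefreshState {
    $enrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $enrollments = Get-ChildItem -Path $enrollmentsRoot -ErrorAction Stop

    foreach ($enrollment in $enrollments) {
        # Each subkey under Enrollments is named with the enrollment GUID, e.g. {12345678-...}
        $configRefreshPath = Join-Path -Path $enrollment.PSPath -ChildPath 'ConfigRefresh'

        if (Test-Path -Path $configRefreshPath) {
            [pscustomobject]@{
                Enrollment        = $enrollment.PSChildName
                ConfigRefreshKey  = 'Present'
                # Every value under the key, minus PowerShell's own PS* metadata properties;
                # value names are deliberately not hard-coded here.
                Values            = Get-ItemProperty -Path $configRefreshPath |
                                        Select-Object -Property * -ExcludeProperty PS*
            }
        }
        else {
            [pscustomobject]@{
                Enrollment        = $enrollment.PSChildName
                ConfigRefreshKey  = 'Missing'
                Values            = $null
            }
        }
    }
}

Get-ConfigRefreshState | Format-List
```

A device that shows no ConfigRefresh key under any enrollment has not received the policy yet (or the policy was not assigned to it), which is worth verifying before trusting that drift will be corrected on the configured cadence.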
What Config Refresh Will Fix
Let's look at a scenario where Config Refresh should fix config drift. According to the Config Drift announcement by Microsoft, any BitLocker CSP policies should get refreshed at the 30-minute refresh cadence configured for Config Refresh. Let's put that to the test.
Using Intune, the device will be configured with silent BitLocker encryption.
Silent BitLocker encryption is enforced on the device. The drive encryption status can be verified by running the following command in an elevated PowerShell prompt:
manage-bde -status
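When re-checking the drive after a policy change, a structured result is easier to compare than reading manage-bde output by eye. The following function is an added example, not code from the original post: it uses the BitLocker PowerShell module's Get-BitLockerVolume cmdlet to report the OS volume's state and flags it compliant only when the volume is fully encrypted with protection on. Run it from an elevated prompt, like manage-bde.

```powershell
# Added example (not from the original post): report the BitLocker state of the OS volume
# using the BitLocker module, as a scriptable alternative to "manage-bde -status".
function Get-OsVolumeBitLockerState {
    # $env:SystemDrive is normally "C:"; Get-BitLockerVolume requires elevation
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop

    [pscustomobject]@{
        MountPoint           = $osVolume.MountPoint
        VolumeStatus         = $osVolume.VolumeStatus        # e.g. FullyEncrypted / FullyDecrypted
        ProtectionStatus     = $osVolume.ProtectionStatus    # On means key protectors are enforced
        EncryptionPercentage = $osVolume.EncryptionPercentage
        EncryptionMethod     = $osVolume.EncryptionMethod
        KeyProtectors        = ($osVolume.KeyProtector.KeyProtectorType -join ', ')
        # Silent encryption is only in effect when the volume is fully encrypted AND
        # protection is on; anything else is drift worth investigating.
        IsCompliant          = ($osVolume.VolumeStatus -eq 'FullyEncrypted' -and
                                $osVolume.ProtectionStatus -eq 'On')
    }
}

Get-OsVolumeBitLockerState | Format-List
```

Capturing this output before and after the refresh cadence elapses gives a clean before/after record of whether Config Refresh actually restored the BitLocker settings.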