New Config Refresh Feature in Windows 11 Bolsters Security and Policy Compliance

Published: Jul 15, 2024


Key Takeaways:

  • Config Refresh allows administrators to schedule automatic reapplication of policies on Windows 11 devices.
  • The feature enables policy settings to reset as frequently as every 30 minutes and can be paused for maintenance or troubleshooting.
  • Config Refresh helps organizations improve compliance and protect against unauthorized changes to system settings.

Microsoft has introduced a new security feature for Windows 11 called Config Refresh, which allows administrators to automatically reapply policies on a set schedule without needing to check in with Microsoft Intune or reboot devices. This new mobile device management (MDM) feature ensures that system settings remain secure and intact, even if altered by unauthorized applications or user modifications.

Microsoft started testing Config Refresh with Windows Insiders in September 2023. By default, the feature reapplies Policy CSP settings every 90 minutes, and the interval can be shortened to as little as every 30 minutes. This helps organizations ensure that settings remain as configured by enterprise administrators in order to maintain security and compliance.

Config Refresh also allows administrators to pause the feature during maintenance or troubleshooting. This capability gives them time to investigate and resolve issues without the risk of overwriting policies. Config Refresh automatically resumes after 24 hours, or an IT admin can manually reactivate it at any time.

“Config Refresh helps improve security and compliance for MDM-managed PCs. By default, the Group Policy refreshes every 90 minutes, and MDM policy refreshes every eight hours. With Config Refresh, you can now configure policy refresh timing to be as short as 30 minutes or as long as 24 hours (that is, 1,440 minutes). Config Refresh is designed to provide improved functionality that was available with Group Policy,” Microsoft explained.

Config Refresh scheduled task in Task Scheduler with default settings (Image Credits: Microsoft)

Microsoft noted that Config Refresh works even when Windows 11 devices are offline, without needing connectivity to an MDM server. The feature is designed primarily for MDM policies managed by the Policy Configuration Service Provider (CSP), and it also covers some other CSPs, such as the BitLocker CSP. However, it does not cover policies such as Firewall, AppLocker, Personal Data Encryption (PDE), and LAPS.

Key Use Cases for Config Refresh

With Config Refresh, organizations can consistently enforce critical security settings (such as password complexity and encryption) even if users attempt local modifications. Moreover, administrators can choose to update specific policies without impacting others. The ability to pause Config Refresh simplifies troubleshooting and allows for testing changes without immediate effects in enterprise environments.
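To make the behaviour described above concrete, here is an added Python model of a Config Refresh style schedule: a cadence that defaults to 90 minutes and is clamped to the 30 to 1,440 minute range, a pause that expires on its own after 24 hours (or earlier when an admin resumes it), and a refresh that resets only the settings that drifted from the baseline. This is illustrative code written for this article, not Microsoft's implementation; the policy names and device values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the Config Refresh schedule described in the article:
# cadence defaults to 90 minutes and is clamped to 30..1440, a pause expires
# automatically after 24 hours, and a refresh reapplies the admin baseline.
MIN_CADENCE, MAX_CADENCE, DEFAULT_CADENCE = 30, 1440, 90
PAUSE_MINUTES = 1440  # 24 hours


@dataclass
class ConfigRefresh:
    desired: dict                        # the admin's policy baseline
    cadence: int = DEFAULT_CADENCE       # refresh interval in minutes
    last_refresh: Optional[int] = None   # model time (minutes) of last refresh
    paused_at: Optional[int] = None      # model time the pause started
    audit: list = field(default_factory=list)  # (time, key, old, new) records

    def __post_init__(self):
        # Out-of-range cadences are clamped to the supported window.
        self.cadence = min(MAX_CADENCE, max(MIN_CADENCE, self.cadence))

    def pause(self, now: int) -> None:
        """Admin pauses enforcement, e.g. for troubleshooting."""
        self.paused_at = now

    def resume(self) -> None:
        """Admin manually reactivates enforcement before the 24 hours are up."""
        self.paused_at = None

    def is_paused(self, now: int) -> bool:
        if self.paused_at is None:
            return False
        if now - self.paused_at >= PAUSE_MINUTES:
            self.paused_at = None        # pause expires after 24 hours
            return False
        return True

    def tick(self, now: int, device: dict) -> list:
        """Run by the scheduler at time `now`. If a refresh is due, reset any
        drifted settings on `device` and return their names (empty if none)."""
        due = self.last_refresh is None or now - self.last_refresh >= self.cadence
        if self.is_paused(now) or not due:
            return []
        self.last_refresh = now
        drifted = [k for k, v in self.desired.items() if device.get(k) != v]
        for k in drifted:
            self.audit.append((now, k, device.get(k), self.desired[k]))
            device[k] = self.desired[k]
        return drifted
```

The `audit` list is the part a defender would actually watch: every entry is a local change that had to be reverted, which is a signal worth forwarding to a SIEM.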

Microsoft noted that the Config Refresh feature is available for PCs running Windows 11 version 23H2. Additionally, IT administrators must ensure that the June 2024 security update (or later) is installed on their devices. They can manage the Config Refresh settings in the Intune Settings Catalog. We invite you to check out Microsoft’s blog post for more details about how to get started with Config Refresh.
