Some time ago, Microsoft added a feature to Intune called Config Refresh, designed to help you keep device settings exactly the way you want them. In environments where stability and security are key, Config Refresh ensures that the configuration you’ve defined stays in place, even if something on the device changes it by mistake or through malicious action.
What is Config Refresh?
Config Refresh is a mechanism that periodically reapplies the policy settings your devices have already downloaded from Intune. Unlike the standard policy sync — which contacts Intune to fetch updates — Config Refresh works from the settings already present on the device. If someone alters a setting locally, Config Refresh will restore the correct configuration at the next refresh interval.
You can choose how often this happens. The refresh cadence is flexible: from as often as every 30 minutes, up to once a day (1,440 minutes). This gives you control over how aggressively the system should enforce your policies.
How Config Refresh Differs from Policy Sync
It’s important to understand the difference between Config Refresh and the usual Intune policy sync:
- Policy Sync is the standard process where the device checks in with Intune to receive newly assigned or updated policies.
- Config Refresh reapplies the settings the device has already received — even if it’s offline — helping protect against unwanted changes between syncs.
Config Refresh depends on having received policies already, so if no policy sync has occurred yet, there’s nothing for it to reapply.
When to Use Config Refresh
Config Refresh is particularly useful in scenarios where device configuration must remain stable and reliable:
- Security settings enforcement
- Compliance adherence
- Uniform configuration across devices
- Offline resilience
Many admins find this especially valuable on production-line PCs, kiosks, or frontline worker devices where configuration drift can cause real problems.
Setting Up Config Refresh in Intune
Config Refresh isn’t switched on by default. Here’s how to set it up:
- Open the Microsoft Intune admin centre and go to Devices > Windows > Configuration profiles.
- Create a new profile for Windows 10 and later using the Settings catalog.
- Configure:
  - Enable: Turn it on.
  - Refresh cadence: Set how often the refresh should occur.
- Assign the profile to your target device groups and save.
Once applied, devices will show new registry entries under: HKLM\Software\Microsoft\Enrollments\<GUID>\ConfigRefresh
You’ll see values indicating the refresh is enabled and how often it runs.
There’s also a scheduled task created to trigger the refresh automatically.
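To confirm on a device that the policy has landed, you can read that registry key and list the enrollment's scheduled tasks. The script below is an added example, not Microsoft's tooling. It lists whatever values the key holds, because the value names are not given here, and it assumes the enrollment's tasks live under \Microsoft\Windows\EnterpriseMgmt\<GUID>\ in Task Scheduler.

```powershell
# Added example: report Config Refresh state for each MDM enrollment on this device.
# Run in an elevated PowerShell session on the managed Windows device.
$enrollRoot = 'HKLM:\Software\Microsoft\Enrollments'

$report = foreach ($enrollment in Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue) {
    $refreshKey = Join-Path $enrollment.PSPath 'ConfigRefresh'
    if (-not (Test-Path $refreshKey)) { continue }   # no Config Refresh policy for this enrollment

    # List every value under the key rather than assuming specific value names.
    $key = Get-Item -Path $refreshKey
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            EnrollmentId = $enrollment.PSChildName
            ValueName    = $name
            Kind         = $key.GetValueKind($name)
            Data         = $key.GetValue($name)
        }
    }
}

if (-not $report) {
    Write-Warning 'No ConfigRefresh key found: the policy has not synced yet or is not assigned.'
    return
}
$report | Format-Table -AutoSize

# Assumption: tasks for an enrollment are stored under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.
# Show each task with its last and next run time so the refresh trigger can be identified.
foreach ($id in ($report.EnrollmentId | Sort-Object -Unique)) {
    $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$id\"
    Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName    = $_.TaskName
            State       = $_.State
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
        }
    } | Format-Table -AutoSize
}
```

An empty result on a device that should be in scope usually means the profile has not arrived yet, since Config Refresh only exists once a policy sync has delivered it.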
Temporarily Pausing Config Refresh
There are times when you might want to pause Config Refresh — for example, during troubleshooting or maintenance.
You can do this remotely via Intune by setting a pause duration (up to 1,440 minutes). After that, the refresh will resume on its own.


To resume the refresh immediately, set the pause duration to 0 minutes.
Final Thoughts
Config Refresh is a powerful enhancement in Intune that helps minimise configuration drift and protect against unintended changes. By regularly reapplying your intended settings, it strengthens compliance and makes device management more robust — especially in environments where devices might be offline or out of regular check-in cycles.
Start with a pilot group, monitor the impact, and scale from there. It’s one of those features that, once set up correctly, you’ll forget is even running, but it’ll be working quietly in the background to keep your devices exactly how they should be.