Tuesday, September 3, 2024

Make MDM Policy refresh like Group Policy with Config Refresh

Historically, one of the major downsides of moving policy management to the Microsoft cloud has been the interval at which Microsoft Intune MDM policy can be refreshed. However, a new feature called Config Refresh lets cloud MDM policy refresh as often as Group Policy does. What is this new feature, and how does it work?

Why cloud mobile device management is preferred

As organizations worldwide have pivoted to or at least integrated the hybrid workforce into their day-to-day operations, being able to control devices from anywhere or from any network has become a priority as workers are no longer connecting from corporate-owned networks or devices.

This becomes a major problem with traditional mobile device management solutions, since they often require a “line of sight” network connection to the management server. That is impossible with today’s hybrid workforce without a VPN or another network solution.

Cloud-based mobile device management has many advantages, including:

  • A cloud-based management plane (accessible from anywhere and not just corporate networks)
  • No connectivity challenges like traditional on-premises solutions (cloud-based MDM connects over standard HTTPS port 443)
  • It helps to simplify the management of multiple endpoints, no matter where these are located

Long refresh times with MDM Policies

As organizations look to move their Active Directory infrastructure-centric environments to a more cloud-based approach in managing users, devices, and policies, one of the downsides has been the amount of time it has taken to refresh policy changes on your clients.

Below is a comparison of the refresh intervals for Group Policy and MDM policy:

  • Group policy refreshes every 90 minutes (default and configurable)
  • MDM policy refreshes every 8 hours

This has been a major downside with housing policies in the cloud as opposed to on-premises Group Policy Objects. When looking at security and compliance objectives and priorities, most organizations want to be able to enforce policy changes much quicker than every 8 hours in case of immediate security needs or remediations.

What is the new Config Refresh?

The newly released Config Refresh lets MDM-managed PCs refresh their policy at intervals as short as 30 minutes or as long as 24 hours. Being able to refresh policies in 30 minutes instead of 8 hours, where things have stood for so long, is a great improvement.

It will likely remove a major blocker in the minds of many admins who, up to this point, have preferred Group Policy’s much more aggressive refresh intervals.

Beyond the refresh interval itself, Config Refresh brings other features, including:

  • A reset operation – this lets you reset settings managed with the Policy CSP
  • Offline functionality – no connection to an MDM server is needed for a refresh
  • The ability to pause Config Refresh (for up to 24 hours) while troubleshooting problems

Requirements of Config Refresh

What are the requirements for taking advantage of the new Config Refresh functionality? There are just a few to take note of, including the following:

  • Endpoints need to be running Windows 11 22H2 or 23H2
  • You will need Windows Pro, Enterprise, Education, Windows SE, IoT Enterprise, or IoT Enterprise LTSC
  • The June 2024 security update (or later) must be installed
  • It is configured through the DMClient CSP

If you are not familiar with the DMClient CSP, it enables enterprise-specific MDM configuration settings. These help to identify the device in the domain and also include many security and enterprise enrollment features. You can learn more about the DMClient CSP here: DMClient CSP | Microsoft Learn.

Note the following ConfigRefresh nodes under the Device provider in the DMClient CSP:

  • Device/Provider/{ProviderID}/ConfigRefresh

./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh

This is the parent node for the ConfigRefresh nodes.

Access type – add, delete, get

  • Device/Provider/{ProviderID}/ConfigRefresh/Cadence

./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence

This node sets the number of minutes between Config Refresh runs.

Access type – add, delete, get, replace

  • Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod

./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod

This node pauses the Config Refresh process for the number of minutes you specify.
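As an added example (not from the original post or Microsoft’s documentation), the PowerShell function below builds the SyncML an MDM server or a custom OMA-URI profile would send to set the Cadence and PausePeriod nodes listed above. {ProviderID} is kept as the placeholder from the CSP path and must be replaced with your enrollment’s provider ID; the ranges enforced follow the post (Cadence 30–1440 minutes, pause of up to 24 hours), and it assumes PausePeriod accepts a Replace command as Cadence does.

```powershell
# Added example, not part of the original post. Builds SyncML that targets the
# DMClient CSP ConfigRefresh nodes. $ProviderID defaults to the documentation
# placeholder '{ProviderID}' and is not a real enrollment value.
function New-ConfigRefreshSyncML {
    param(
        [Parameter(Mandatory)][ValidateRange(30, 1440)][int]$CadenceMinutes,  # post: 30-1440
        [ValidateRange(0, 1440)][int]$PauseMinutes = 0,                       # post: up to 24 h
        [string]$ProviderID = '{ProviderID}'                                  # placeholder
    )
    $base = "./Device/Vendor/MSFT/DMClient/Provider/$ProviderID/ConfigRefresh"

    # Cadence lists 'replace' as an access type on the page; assumed for PausePeriod too.
    $nodes = [ordered]@{ Cadence = $CadenceMinutes }
    if ($PauseMinutes -gt 0) { $nodes['PausePeriod'] = $PauseMinutes }

    $cmdId = 0
    $commands = foreach ($name in $nodes.Keys) {
        $cmdId++
@"
    <Replace>
      <CmdID>$cmdId</CmdID>
      <Item>
        <Target><LocURI>$base/$name</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>$($nodes[$name])</Data>
      </Item>
    </Replace>
"@
    }

@"
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
$($commands -join "`n")
    <Final/>
  </SyncBody>
</SyncML>
"@
}

# Refresh every 30 minutes (the minimum). Add -PauseMinutes 120 to also pause
# Config Refresh for two hours while troubleshooting.
New-ConfigRefreshSyncML -CadenceMinutes 30
```

Passing a cadence outside 30–1440 (or a pause longer than 1440 minutes) is rejected by the parameter validation before any SyncML is produced.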

Enabling Config Refresh in Intune

When creating a configuration profile in Intune, under step 2 (Configuration settings) you will see a toggle for Config refresh and a Refresh cadence field. Set the toggle to Enabled and then set the Refresh cadence to the value you want to use. Acceptable values are 30 to 1440 minutes.


Checking to see if ConfigRefresh is enabled on the client side

The image below shows ConfigRefresh enabled, with the REG_DWORD value set to “1”. The cadence value is set to 30, which is the minimum. The default value is 90 minutes, the same interval you get by default with Group Policy refresh.

[Figure: The ConfigRefresh registry settings]

What happens when ConfigRefresh is enabled? A new Windows scheduled task named “Schedule created by dm client to refresh settings” is created in the Task Scheduler, and it is the engine that actually executes the refresh. Where does it get created?

It lives under the Task Scheduler folder Microsoft/Windows/EnterpriseMgmtNonCritical. Looking at the scheduled task, let’s see how it maps to the ConfigRefresh settings mentioned above:

  • The scheduled task trigger is configured in line with the cadence set with Config Refresh
  • In the scheduled task’s Actions, an action calls deviceenroller.exe to force the refresh of policy settings

Error messages and troubleshooting

There are a few error codes related to Config Refresh and the actual refresh of policy settings that you need to be aware of. The event log entries below give insight into problems with the new Config Refresh functionality.

These are found in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational log:

  • Event ID 4200 – This is an informational message that lets you know a Config Refresh has started
  • Event ID 4202 – This is an informational message that lets you know a Config Refresh completed successfully
  • Event ID 4201 – This indicates Config Refresh has experienced a failure
  • Event IDs 4203–4214 – These are logged when setting or deleting values related to Config Refresh fails
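The following PowerShell function is an added example (not from the original post) that ties the scheduled task section and the event IDs above together: it reads the DM client task under Microsoft/Windows/EnterpriseMgmtNonCritical, compares its trigger interval with the cadence you expect, confirms the action runs deviceenroller.exe, and counts the 4200/4201/4202 and 4203–4214 events from the Operational log. It assumes the task trigger carries an ISO 8601 repetition interval (e.g. PT30M) and that it is run elevated on a Windows 11 device with Config Refresh enabled.

```powershell
# Added example, not part of the original post. Reports the client-side
# footprint of Config Refresh so an admin can verify that the cadence set in
# Intune actually landed and spot refresh failures.
function Get-ConfigRefreshStatus {
    param(
        [int]$ExpectedCadenceMinutes = 90,   # the Refresh cadence configured in Intune (30-1440)
        [int]$LookbackHours = 24             # how far back to scan the event log
    )

    # Task path and name as described in the post.
    $taskPath = '\Microsoft\Windows\EnterpriseMgmtNonCritical\'
    $task = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule created by dm client to refresh settings*' } |
        Select-Object -First 1

    $cadence = $null; $exe = $null
    if ($task) {
        # Assumption: the trigger repeats at the cadence, expressed as ISO 8601 (e.g. PT30M).
        $interval = ($task.Triggers | Where-Object { $_.Repetition.Interval } |
            Select-Object -First 1).Repetition.Interval
        if ($interval) {
            $cadence = [int][System.Xml.XmlConvert]::ToTimeSpan($interval).TotalMinutes
        }
        $exe = ($task.Actions | Select-Object -First 1).Execute
    }

    # Config Refresh events named in the post (4200 start, 4202 success, 4201 failure,
    # 4203-4214 set/delete failures). Get-WinEvent returns newest entries first.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = $log; Id = (4200..4214); StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        TaskFound         = [bool]$task
        TaskState         = if ($task) { [string]$task.State } else { $null }
        CadenceMinutes    = $cadence
        CadenceAsExpected = ($cadence -eq $ExpectedCadenceMinutes)
        ActionIsEnroller  = ($exe -like '*deviceenroller.exe*')
        RefreshStarted    = @($events | Where-Object Id -eq 4200).Count
        RefreshSucceeded  = @($events | Where-Object Id -eq 4202).Count
        RefreshFailed     = @($events | Where-Object Id -eq 4201).Count
        SetDeleteFailures = @($events | Where-Object { $_.Id -ge 4203 -and $_.Id -le 4214 }).Count
        LastFailure       = ($events | Where-Object { $_.Id -ne 4200 -and $_.Id -ne 4202 } |
                             Select-Object -First 1).Message
    }
}

Get-ConfigRefreshStatus -ExpectedCadenceMinutes 30
```

A device where TaskFound is false or CadenceAsExpected is false has not picked up the Intune profile yet (remember the ordinary 8-hour sync still has to deliver the setting), while a non-zero RefreshFailed or SetDeleteFailures count points you at the message in LastFailure.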

Limitations and downsides to Config Refresh

As with any new functionality, there are downsides. There are a few limitations of Config Refresh and things to think about when implementing it. Note the following:

  • Some MDM policies are outside the scope of what Config Refresh was designed to work with, such as Firewall, AppLocker, PDE, and LAPS
  • Setting the Config Refresh interval very low may have an impact on laptops running on battery power
  • Also, the Config Refresh functionality apparently only verifies that settings from the last check-in/sync are still set, rather than checking in with Intune for new settings, apps, scripts, etc. This is a bit of a bummer for admins who would want to use this to introduce new settings.

Wrapping up

Microsoft is continuing to work on feature parity across the board between on-premises policy management using traditional Active Directory Group Policy and the new cloud-based MDM policies that can be managed using Intune. It is great to see Microsoft focusing on the policy refresh aspect of the MDM policies so that admins can have refresh intervals that are aligned with what can be achieved with Active Directory Group Policy objects. However, as mentioned, there are still a few downsides to the Config Refresh feature and limitations to be aware of. It will be interesting to see how the feature continues to mature along with other aspects of MDM policies via Intune.



from StarWind Blog https://ift.tt/jXxPmWG
via IFTTT
