Config Refresh with Workspace ONE UEM
Microsoft announced a new feature called “Config Refresh” at the end of June 2024.
Config Refresh is a Windows 11 feature designed to improve the security and compliance of Mobile Device Management (MDM) policies. It refreshes Policy CSP settings more frequently and persistently, so that they stay aligned with the intended configuration.
Key Features and Benefits
- Improved Security and Compliance: Config Refresh helps prevent configuration drift by refreshing MDM policies frequently, which keeps Policy CSP settings on devices in their intended, compliant state.
- Customizable Refresh Timing: The refresh interval can be set anywhere between 30 minutes and 24 hours, giving organizations flexibility to meet their needs.
- Compatibility: Config Refresh is available for Windows 11 starting with the May 2024 non-security update and the June 2024 security update.
This feature lets customers define when Workspace ONE UEM profiles are re-applied. By default, Windows CSP settings in the “Policy” hive are re-applied every 8 hours. With Config Refresh, customers can reduce that interval to as little as 30 minutes.
The overview of the new CSP configuration can be found here. In Workspace ONE UEM the setting is easily applied via a custom profile.
Create a new Profile
Create a device profile and configure the Custom Settings payload.
The custom setting targets the OMA-DM client.
To enable Config Refresh, paste the following XML into the Install Settings box:
<Replace>
  <CmdID>c0743bfc-6fa5-4878-99ef-3f993f8e9df1</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/ConfigRefresh/Enabled</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>true</Data>
  </Item>
</Replace>
This enables the feature; by default the re-apply interval is then 90 minutes.
You also need to provide the XML that deletes the setting in the Remove Settings box:
<Delete>
  <CmdID>c0743bfc-6fa5-4878-99ef-3f993f8e9df2</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/ConfigRefresh/Enabled</LocURI>
    </Target>
  </Item>
</Delete>
If you want a different interval, set the Cadence node to an integer value (in minutes) with the following payload in a second custom setting:
<Replace>
  <CmdID>b3298759-b2bf-4e06-9f3b-b172d8049017</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/ConfigRefresh/Cadence</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>30</Data>
  </Item>
</Replace>
The accepted range is 30 minutes to 1440 minutes.
Again, provide the XML that removes this setting in the Remove Settings box:
<Delete>
  <CmdID>c0743bfc-6fa5-4878-99ef-3f993f8e9df2</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/ConfigRefresh/Cadence</LocURI>
    </Target>
  </Item>
</Delete>
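Before pasting such payloads into the console it helps to check them for the mistakes that silently break a custom setting: stray whitespace inside LocURI, a Format that does not match the Data, a Cadence outside 30-1440 minutes, or a repeated CmdID within one payload. The following validator is an added example (not part of the original post or of Workspace ONE UEM); the two sample payloads are constructed, and the second deliberately contains a leading space in LocURI and an out-of-range Cadence.

```python
import xml.etree.ElementTree as ET

# Cadence range in minutes, as stated in the post.
CADENCE_MIN, CADENCE_MAX = 30, 1440
NODE_PREFIX = "./Device/Vendor/MSFT/DMClient/Provider/"

def validate_payload(payload: str) -> list:
    """Return the problems found in one custom-settings payload (an empty list means OK)."""
    try:  # a custom setting may hold several commands, so wrap them in a single root
        root = ET.fromstring("<SyncBody>" + payload + "</SyncBody>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems, seen_ids = [], set()
    for cmd in root:
        cmd_id = (cmd.findtext("CmdID") or "").strip()
        if cmd.tag not in ("Add", "Replace", "Delete"):
            problems.append("unexpected command <%s>" % cmd.tag)
        if not cmd_id:
            problems.append("<%s> is missing a CmdID" % cmd.tag)
        elif cmd_id in seen_ids:
            problems.append("duplicate CmdID %s" % cmd_id)
        seen_ids.add(cmd_id)
        for item in cmd.findall("Item"):
            raw = item.findtext("Target/LocURI") or ""
            uri = raw.strip()
            if raw != uri:  # the client receives the text verbatim, stray whitespace included
                problems.append("LocURI has surrounding whitespace: %r" % raw)
            if not uri.startswith(NODE_PREFIX) or "/ConfigRefresh/" not in uri:
                problems.append("not a ConfigRefresh node: %s" % uri)
            if cmd.tag == "Delete":
                continue  # Delete carries no Meta/Data
            node, data = uri.rsplit("/", 1)[-1], (item.findtext("Data") or "").strip()
            # <Format> sits in the syncml:metinf namespace, so compare the local name only
            fmt = next((e.text.strip() for e in item.iter() if e.tag.rsplit("}", 1)[-1] == "Format" and e.text), "")
            if node == "Enabled" and (fmt != "bool" or data not in ("true", "false")):
                problems.append("Enabled needs bool true/false, got %s %r" % (fmt, data))
            elif node == "Cadence":
                if fmt != "int" or not data.isdigit():
                    problems.append("Cadence needs an int, got %s %r" % (fmt, data))
                elif not CADENCE_MIN <= int(data) <= CADENCE_MAX:
                    problems.append("Cadence %s is outside %d-%d minutes" % (data, CADENCE_MIN, CADENCE_MAX))
            elif node not in ("Enabled", "Cadence"):
                problems.append("unknown ConfigRefresh node %s" % node)
    return problems

# Constructed samples: a correct Enabled payload, and a Cadence payload with two mistakes.
GOOD_ENABLED = """<Replace><CmdID>c0743bfc-6fa5-4878-99ef-3f993f8e9df1</CmdID><Item>
<Target><LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/ConfigRefresh/Enabled</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">bool</Format><Type>text/plain</Type></Meta>
<Data>true</Data></Item></Replace>"""
BAD_CADENCE = """<Replace><CmdID>b3298759-b2bf-4e06-9f3b-b172d8049017</CmdID><Item>
<Target><LocURI> ./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/ConfigRefresh/Cadence</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">int</Format><Type>text/plain</Type></Meta>
<Data>10</Data></Item></Replace>"""

if __name__ == "__main__":
    for name, payload in (("Enabled", GOOD_ENABLED), ("Cadence", BAD_CADENCE)):
        print(name, validate_payload(payload) or "OK")
```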
You can verify that the settings were applied correctly by checking the registry on a device. Windows writes the configuration under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\{GUID}\ConfigRefresh
Summary
With Config Refresh configured you can manage your Windows devices more securely and avoid configuration drift, ensuring that the desired state is always applied.