Policyrefresher Failed to Refresh Poliices Will Continue to Use Last Known Version of Policies
This week is all about the Windows 10 MDM policy refresh. More specifically, the policy refresh behavior starting with Windows 10, version 1903. Starting with Windows 10, version 1903, the policy refresh got a lot more interesting. Before Windows 10, version 1903, the policy refresh would simply tattoo the settings once during the device checking. Starting with Windows 10, version 1903, the settings that are implemented by the Policy CSP are actually refreshed during the device check-in. Not just tattooed once, but actually re-applied when for example adjusted by the user. Also, similar to that, those settings are also removed when no longer assigned. In this post I'll have a look at the triggers for a device check-in, the different device check-in actions and the difference in behavior of the device check-ins (focused on the Policy CSP).
Triggers for device check-ins
Let's start by looking at the multiple triggers for the device check-in. I would like to differentiate between the following three different type of device check-in triggers:
- A notification – The check-in can be triggered by a notification from Microsoft Intune.
- A scheduled check-in – The check-in can be triggered by a scheduled task.
- A manual check-in – The check-in can be triggered manually by the user.
Notifications that trigger device check-ins
The challenge with notifications that trigger a device check-in is that it's not an exact science and that we're mainly bound to the docs about the process. When looking at the notifications that trigger device check-ins there are basically different actions, performed by the administrator, that can trigger a notification. The triggered notification will notify the device to check-in with Microsoft Intune. Actions that trigger a notification are for example when a policy, a profile, or an app is assigned (or unassigned), updated, or deleted.
The device will check-in with Microsoft Intune when the device receives a notification to check-in. The challenge is that it's up to the device to actually check-in. A different priority, so to say, is for targeting a device or user with an action, like a lock, a passcode reset, an app, a profile or a policy assignment. With those actions Microsoft Intune immediately notifies the device to check in to receive these updates.
There are also changes that don't cause a notification to the devices. For example revising the contact information in the Company Portal app don't cause an immediate notification to be send to the device.
This device check-in will refresh the already applied Policy CSP settings and will also remove unassigned Policy CSP settings.
Scheduled device check-ins
The scheduled device check-ins are more clear. In that case we're not mainly stuck to the docs, as the configuration is available in the Task Manager. After the device is enrolled in Microsoft Intune, three scheduled tasks will be enabled and run on different schedules. Let's have a close look at those scheduled tasks.
Frequency of scheduled device check-ins
Once a Windows 10 device is enrolled in Microsoft Intune, three different scheduled tasks will be used to trigger the compliance and configuration check-ins. Those scheduled tasks can be found in the Task Scheduler at Microsoft > Windows > EnterpriseMgmt > {tenantId}.
Table 1 provides an overview of the different check-in schedules that belong to the different scheduled tasks. The first scheduled task repeats every 3 minutes for the first 15 minutes after the enrollment. The second scheduled task starts 15 minutes after the enrollment and repeats every 15 minutes for 2 hours and the third scheduled task starts 2 hours and 15 minutes after the enrollment and repeats every 8 hours indefinitely.
-
Figure 1: Schedule #3 – Trigger
| Schedule | Frequency |
| Schedule #1 created by the enrollment client | After triggered, repeat every 3 minutes for a duration of 15 minutes |
| Schedule #2 created by the enrollment client | After triggered, repeat every 15 minutes for a duration of 2 hours |
| Schedule #3 created by the enrollment client | After triggered, repeat every 8 hours indefinitely |
Note: The behavior for devices without user affinity is different, as it's up to the device to check-in.
Action during scheduled device check-ins
During the device check-in the deviceenroller.exe will be started as a program. The different scheduled tasks, used for triggering the compliance and configuration check-ins, use slightly different parameters.
Table 2 provides an overview of the different check-in actions. The deviceenroller.exe program itself is still a little bit of a mystery, as it's being user for enrolling devices en also for check-ins. Both by using different parameter. Sadly not all parameters speak for itself, which makes it a little guesswork to fully understand.
This device check-in action will also refresh the already applied Policy CSP settings.
-
Figure 1: Schedule #3 – Action
| Schedule | Action |
| Schedule #1 created by the enrollment client | %windir%\system32\deviceenroller.exe /o "{enrollmentId}" /c |
| Schedule #2 created by the enrollment client | %windir%\system32\deviceenroller.exe /o "{enrollmentId}" /c |
| Schedule #3 created by the enrollment client | %windir%\system32\deviceenroller.exe /o "{enrollmentId}" /c /b |
Note: The documented actions can also be used to "manually" trigger a device check-in.
Manual device check-ins
The manual device check-ins are also in the gray area. It's clear that the manual device check-in can be triggered by using the Settings panel. Navigate to Accounts > Access work or school and click Sync. Another option is by using the Company Portal app. Navigate to Settings and click Sync.
During the device check-in the omadmclient.exe will perform actions to sync the policies.
This device check-in will not refresh the already applied Policy CSP settings.
-
Figure 3: Manual trigger
Recognize different device check-ins
I noticed that the easiest method to fully recognize the difference in device check-ins, is by using the Event Viewer. When opening the Event Viewer, simply navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider and look at for Event ID 208. The difference will be in the origin of the started session, as shown in the following list:
- A notification – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x7), Initiator: (0x0), Mode: (0x2), SessionID: (0x7C), Authentication Type: (0x3).
- A scheduled check-in – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x3), Initiator: (0x0), Mode: (0x2), SessionID: (0x75), Authentication Type: (0x3).
- A manual check-in (by using Settings panel) – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x5), Initiator: (0x0), Mode: (0x2), SessionID: (0x76), Authentication Type: (0x3).
- A manual check-in (by using Company Portal app) – MDM Session: OMA-DM session started for EnrollmentID ({enrollmentId}) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0xD), Initiator: (0x0), Mode: (0x2), SessionID: (0x77), Authentication Type: (0x3).
Example Windows 10 MDM policy refresh
Now let's end this post by having a look at an example of the Windows 10 MDM policy refresh. Below on the right I've adjusted the telemetry setting of the device and below on the left I'm manually running the device check-in action of the scheduled task (yes, I've tested it multiple times). It end's by refreshing the telemetry value immediately after the check-in.
-
Figure 4: Policy refresh
More information
For more information about installing applications for devices, please refer to the doc about Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune.
flemingpontliatich.blogspot.com
Source: https://www.petervanderwoude.nl/post/windows-10-mdm-policy-refresh/
0 Response to "Policyrefresher Failed to Refresh Poliices Will Continue to Use Last Known Version of Policies"
Post a Comment