DMClient CSP
Important
This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.
The DMClient configuration service provider (CSP) provides additional enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
Note
The DMClient CSP nodes are intended to be configured by the MDM server to manage device configuration and security features. Custom URI settings for this CSP are not supported for IT admin management scenarios due to the complexity of the settings.
The following list shows the DMClient configuration service provider nodes:
- ./Device/Vendor/MSFT/DMClient
- HWDevID
- Provider
- {ProviderID}
- AADDeviceID
- AADResourceID
- AADSendDeviceToken
- CertRenewTimeStamp
- CommercialID
- ConfigLock
- ConfigRefresh
- CustomEnrollmentCompletePage
- EnableOmaDmKeepAliveMessage
- EnhancedAppLayerSecurity
- EnrollmentType
- EntDeviceName
- EntDMID
- ExchangeID
- FirstSyncStatus
- AllowCollectLogsButton
- BlockInStatusPage
- CustomErrorText
- ExpectedModernAppPackages
- ExpectedMSIAppPackages
- ExpectedNetworkProfiles
- ExpectedPFXCerts
- ExpectedPolicies
- ExpectedSCEPCerts
- IsSyncDone
- ServerHasFinishedProvisioning
- SkipDeviceStatusPage
- SkipUserStatusPage
- TimeOutUntilSyncFailure
- WasDeviceSuccessfullyProvisioned
- ForceAadToken
- HelpEmailAddress
- HelpPhoneNumber
- HelpWebsite
- HWDevID
- LinkedEnrollment
- ManagementServerAddressList
- ManagementServerToUpgradeTo
- ManagementServiceAddress
- MaxSyncApplicationVersion
- MultipleSession
- NumberOfDaysAfterLostContactToUnenroll
- Poll
- PublisherDeviceID
- Push
- Recovery
- RequireMessageSigning
- SignedEntDMID
- SyncApplicationVersion
- Unenroll
- UPN
- {ProviderID}
- Unenroll
- UpdateManagementServiceAddress
- ./User/Vendor/MSFT/DMClient
Device/HWDevID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/HWDevID
Returns the hardware device ID.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/Provider
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider
The root node for all settings that belong to a single management server.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/Provider/{ProviderID}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}
This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
Device/Provider/{ProviderID}/AADDeviceID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADDeviceID
Device ID used for Microsoft Entra device registration.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/Provider/{ProviderID}/AADResourceID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADResourceID
This is the ResourceID used when requesting the user token from the OMA DM session for Microsoft Entra enrollments (Microsoft Entra join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
For more information about Microsoft Entra enrollment, see Microsoft Entra integration with MDM.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get, Replace |
Device/Provider/{ProviderID}/AADSendDeviceToken
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADSendDeviceToken
For Microsoft Entra ID backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Don't send Device Token if User Token can't be obtained. |
true | Send Device Token if User Token can't be obtained. |
Device/Provider/{ProviderID}/CertRenewTimeStamp
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CertRenewTimeStamp
The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/CommercialID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CommercialID
Configures the identifier used to uniquely associate this device's diagnostic data with a given organization. If your organization participates in a program that requires this device to be identified as belonging to your organization, use this setting to provide that identification. Microsoft provides the value for this setting as part of the onboarding process for the program. If you disable or don't configure this policy setting, Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/ConfigLock
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock
This node enables the Config Lock feature. If enabled, policies defined in the Config Lock document are monitored and quickly remediated when a configuration drift is detected.
Note
If the device isn't a Secured-core PC, then this feature won't work. For more information, see Secured-core PC.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/Provider/{ProviderID}/ConfigLock/Lock
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/Lock
This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Unlock. |
1 | Lock. |
Device/Provider/{ProviderID}/ConfigLock/SecureCore
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/SecureCore
This node returns a boolean value that indicates whether the device is a SecureCore PC.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get |
Device/Provider/{ProviderID}/ConfigLock/UnlockDuration
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/UnlockDuration
When set, this node tells the client how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 480 |
Device/Provider/{ProviderID}/ConfigRefresh
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5035854 [10.0.22000.2836] and later ✅ Windows 11, version 22H2 with KB5034848 [10.0.22621.3235] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh
Parent node for ConfigRefresh nodes.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Device/Provider/{ProviderID}/ConfigRefresh/Cadence
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5035854 [10.0.22000.2836] and later ✅ Windows 11, version 22H2 with KB5034848 [10.0.22621.3235] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence
This node determines the number of minutes between refreshes.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [30-1440] |
Default Value | 90 |
Device/Provider/{ProviderID}/ConfigRefresh/Enabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5035854 [10.0.22000.2836] and later ✅ Windows 11, version 22H2 with KB5034848 [10.0.22621.3235] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled
This node determines whether or not a periodic settings refresh for MDM policies will occur.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
true | Enabled. |
false (Default) | Disabled. |
Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5035854 [10.0.22000.2836] and later ✅ Windows 11, version 22H2 with KB5034848 [10.0.22621.3235] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod
This node determines the number of minutes ConfigRefresh should be paused for.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-1440] |
Default Value | 0 |
Device/Provider/{ProviderID}/CustomEnrollmentCompletePage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage
These nodes provision custom text for the enrollment page.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText
Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref
Specifies the URL that's shown at the end of the MDM enrollment flow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText
Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title
Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage
A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client doesn't send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Enable message. |
true | Disable message. |
Example:
Here's an example of the DM message sent by the device when it's in the pending state:
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD>
    <VerProto>DM/1.2</VerProto>
    <SessionID>10</SessionID>
    <MsgID>2</MsgID>
    <Target>
      <LocURI>https://www.contoso.com/mgmt-server</LocURI>
    </Target>
    <Source>
      <LocURI>{unique device ID}</LocURI>
    </Source>
  </SyncHdr>
  <SyncBody>
    <Alert>
      <CmdID>2</CmdID>
      <Data>1224</Data>
      <Item>
        <Meta>
          <Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.requestpending</Type>
        </Meta>
        <Data>1</Data>
      </Item>
    </Alert>
  </SyncBody>
</SyncML>
```
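On the management server side, the keep-alive has to be told apart from a real response, and a session should not be held open without limit. The following is an added example (not Microsoft's code): it recognises the request-pending alert shown above and counts keep-alives per session. The `MAX_KEEPALIVES` budget, the function names and the DTD check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2", "m": "syncml:metinf"}
PENDING_TYPE = "Reversed-Domain-Name:com.microsoft.mdm.requestpending"
ALERT_CODE = "1224"      # <Alert><Data> value used in the page's sample
MAX_KEEPALIVES = 20      # hypothetical per-session budget (assumption)

# Constructed input: the page's sample message, embedded for offline use.
SAMPLE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD>
    <VerProto>DM/1.2</VerProto>
    <SessionID>10</SessionID>
    <MsgID>2</MsgID>
    <Target><LocURI>https://www.contoso.com/mgmt-server</LocURI></Target>
    <Source><LocURI>{unique device ID}</LocURI></Source>
  </SyncHdr>
  <SyncBody>
    <Alert>
      <CmdID>2</CmdID>
      <Data>1224</Data>
      <Item>
        <Meta>
          <Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.requestpending</Type>
        </Meta>
        <Data>1</Data>
      </Item>
    </Alert>
  </SyncBody>
</SyncML>"""


def parse_syncml(raw: str) -> ET.Element:
    """Parse device-supplied SyncML, refusing DTDs (entity-expansion input)."""
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
        raise ValueError("DTD or entity declaration in SyncML message")
    root = ET.fromstring(raw)
    if root.tag != "{%s}SyncML" % NS["s"]:
        raise ValueError("not a SyncML 1.2 document")
    return root


def request_pending_alerts(raw: str) -> list:
    """Return one dict per request-pending alert found in the message."""
    root = parse_syncml(raw)
    hdr = root.find("s:SyncHdr", NS)
    if hdr is None:
        raise ValueError("missing SyncHdr")
    base = {
        "session": hdr.findtext("s:SessionID", "", NS),
        "msg_id": hdr.findtext("s:MsgID", "", NS),
        "source": hdr.findtext("s:Source/s:LocURI", "", NS),
    }
    found = []
    for alert in root.findall("s:SyncBody/s:Alert", NS):
        if alert.findtext("s:Data", "", NS).strip() != ALERT_CODE:
            continue  # some other alert, not the keep-alive
        for item in alert.findall("s:Item", NS):
            if item.findtext("s:Meta/m:Type", "", NS).strip() == PENDING_TYPE:
                found.append({**base, "cmd_id": alert.findtext("s:CmdID", "", NS)})
    return found


class KeepAliveBudget:
    """Counts keep-alives per (device, session) so a session cannot be
    extended indefinitely by heartbeat messages alone."""

    def __init__(self, limit: int = MAX_KEEPALIVES):
        self.limit = limit
        self.seen = {}

    def record(self, raw: str) -> bool:
        """Return True while the session is still within its budget."""
        ok = True
        for alert in request_pending_alerts(raw):
            key = (alert["source"], alert["session"])
            self.seen[key] = self.seen.get(key, 0) + 1
            ok = ok and self.seen[key] <= self.limit
        return ok


if __name__ == "__main__":
    print(request_pending_alerts(SAMPLE))
```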
Device/Provider/{ProviderID}/EnhancedAppLayerSecurity
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0
The node contains the primary certificate - the public key to use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1
The node contains the secondary certificate - the public key to use.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode
This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign-only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | No op. |
1 | Sign only. |
2 | Encrypt only. |
3 | Sign and encrypt. |
Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline
This node, when it's set, tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | False. |
true | True. |
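The ConfigLock, ConfigRefresh and EnhancedAppLayerSecurity nodes above all default to their least protective value, so a posture review should treat an absent node as its default. The following added example (not Microsoft's code) audits a snapshot of Get results against the defaults and ranges documented on this page. The snapshot format, the function names and the choice of what to report are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Defaults and ranges as documented on this page; keys are node paths
# relative to ./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/.
DEFAULTS = {
    "ConfigLock/Lock": "0",
    "ConfigLock/UnlockDuration": "480",
    "ConfigRefresh/Enabled": "false",
    "ConfigRefresh/Cadence": "90",
    "ConfigRefresh/PausePeriod": "0",
    "EnhancedAppLayerSecurity/SecurityMode": "0",
    "EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline": "false",
}
RANGES = {"ConfigRefresh/Cadence": (30, 1440), "ConfigRefresh/PausePeriod": (0, 1440)}
# What each SecurityMode value leaves out at the application layer.
MISSING = {0: "signing and encryption", 1: "encryption", 2: "signing", 3: ""}
MODE = "EnhancedAppLayerSecurity/SecurityMode"
REVOCATION = "EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline"


@dataclass(frozen=True)
class Finding:
    node: str
    message: str


def _as_bool(text: str) -> bool:
    value = text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"not a bool node value: {text!r}")
    return value == "true"


def audit(snapshot: dict[str, str]) -> list[Finding]:
    """Return findings for a snapshot of node values (strings, as a Get returns them)."""
    v = {**DEFAULTS, **snapshot}          # absent node -> documented default
    out: list[Finding] = []

    for node, (lo, hi) in RANGES.items():
        n = int(v[node])
        if not lo <= n <= hi:
            out.append(Finding(node, f"{n} is outside the documented range [{lo}-{hi}]"))

    lock = int(v["ConfigLock/Lock"])
    secure_core = snapshot.get("ConfigLock/SecureCore")   # read-only, no default
    if lock not in (0, 1):
        out.append(Finding("ConfigLock/Lock", f"{lock} is not an allowed value"))
    elif lock == 0:
        out.append(Finding("ConfigLock/Lock",
                           f"unlock mode; UnlockDuration is {v['ConfigLock/UnlockDuration']} minutes"))
    elif secure_core is not None and not _as_bool(secure_core):
        out.append(Finding("ConfigLock/Lock",
                           "Lock=1 but SecureCore=false; Config Lock needs a Secured-core PC"))

    if not _as_bool(v["ConfigRefresh/Enabled"]):
        out.append(Finding("ConfigRefresh/Enabled", "periodic MDM policy refresh is disabled"))
    elif int(v["ConfigRefresh/PausePeriod"]) > 0:
        out.append(Finding("ConfigRefresh/PausePeriod",
                           f"refresh is paused for {v['ConfigRefresh/PausePeriod']} minutes"))

    mode = int(v[MODE])
    if mode not in MISSING:
        out.append(Finding(MODE, f"{mode} is not an allowed value (0-3)"))
    elif MISSING[mode]:
        out.append(Finding(MODE, f"mode {mode}: app-layer {MISSING[mode]} not applied"))

    if _as_bool(v[REVOCATION]):
        out.append(Finding(REVOCATION, "certificate is used even when revocation status can't be checked"))
    return out


# Constructed sample snapshot, not taken from a real device.
SAMPLE_SNAPSHOT = {
    "ConfigLock/SecureCore": "false",
    "ConfigLock/Lock": "1",
    "ConfigRefresh/Enabled": "true",
    "ConfigRefresh/Cadence": "15",
    MODE: "2",
    REVOCATION: "true",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print(f"{finding.node}: {finding.message}")
```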
Device/Provider/{ProviderID}/EnrollmentType
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnrollmentType
Type of MDM enrollment (Device or Full).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/Provider/{ProviderID}/EntDeviceName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDeviceName
Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/EntDMID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDMID
Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Note
Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP's USEHWDEVID node by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. This node is required and must be set by the server before the client certificate renewal is triggered.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/ExchangeID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ExchangeID
Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that's managed by Exchange and natively managed by a dedicated management server.
Note
In some cases, this node will return "not found" until the user sets up their email.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Example:
```xml
<Get>
  <CmdID>12</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DMClient/Provider/{ProviderID}/ExchangeID</LocURI>
    </Target>
  </Item>
</Get>
```
Device/Provider/{ProviderID}/FirstSyncStatus
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Device/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Don't show the Collect Logs button on the progress page. |
true | Show the Collect Logs button on the progress page. |
Device/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage
Device Only. This node determines whether or not the MDM progress page is blocking in the Microsoft Entra joined or DJ++ case, as well as which remediation options are available.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get, Replace |
Default Value | 0 |
Allowed values:
Flag | Description |
---|---|
0x0 | Allow the user to exit the page before provisioning completes. |
0x1 | Block the user on the page and show the Reset PC button on failure. |
0x2 | Block the user on the page and show the Try Again button on failure. |
0x4 | Block the user on the page and show the Continue Anyway button on failure. |
Device/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". Each LocURI is followed by a semicolon and a number that represents the number of apps included in the App Package. We won't verify that number. For example, ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 represents that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". Each LocURI is followed by a semicolon and a number that represents the number of apps included in the App Package. We won't verify that number. For example, ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 represents that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000".
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
Device/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it's in and tell the user that the device is provisioned. It can't be set from True to False (it won't change its mind on whether or not the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Allowed values:
Value | Description |
---|---|
false | The device isn't finished provisioning. |
true | The device has finished provisioning. |
Device/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node isn't True, the UX will consider the provisioning a failure. Once set to true, the node rejects attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Server hasn't finished provisioning. |
true | Server has finished provisioning. |
Device/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
Device only. This node determines whether the MDM device progress page is skipped after a Microsoft Entra join or Microsoft Entra hybrid join in OOBE.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
false | Don't skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
true (Default) | Skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
Device/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
Device only. This node determines whether the MDM user progress page is skipped after a Microsoft Entra join or DJ++ after user login.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
false | Don't skip the MDM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
true (Default) | Skip the MDM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
Device/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get, Replace |
Allowed Values | Range: [1-1440] |
Default Value | 60 |
Device/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get, Replace |
Allowed values:
Value | Description |
---|---|
0 | The device failed to provision. |
1 | The device was successfully provisioned. |
2 | Provisioning is in progress. |
Device/Provider/{ProviderID}/ForceAadToken
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 20H2 with KB5014699 [10.0.19042.1766] and later ✅ Windows 10, version 21H1 with KB5014699 [10.0.19043.1766] and later ✅ Windows 10, version 21H2 with KB5014699 [10.0.19044.1766] and later ✅ Windows 11, version 21H2 with KB5014697 [10.0.22000.739] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ForceAadToken
Force device to send device Microsoft Entra token during check-in as a separate header.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Allowed values:
Value | Description |
---|---|
0 | ForceAadTokenNotDefined: the value isn't defined (default). |
1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section (not as Bearer token). |
2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section (not as Bearer token). |
4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra device token for auth as Bearer token. |
8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
Device/Provider/{ProviderID}/HelpEmailAddress
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpEmailAddress
The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/HelpPhoneNumber
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpPhoneNumber
The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/HelpWebsite
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpWebsite
The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/HWDevID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HWDevID
Returns the hardware device ID.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/Provider/{ProviderID}/LinkedEnrollment
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 20H2 with KB5018482 [10.0.19042.2193] and later ✅ Windows 10, version 21H1 with KB5018482 [10.0.19043.2193] and later ✅ Windows 10, version 21H2 with KB5018482 [10.0.19044.2193] and later ✅ Windows 11, version 21H2 with KB5016691 [10.0.22000.918] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment
The interior node for linked enrollment.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an empty string with S_OK.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/LinkedEnrollment/Enroll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 20H2 with KB5018482 [10.0.19042.2193] and later ✅ Windows 10, version 21H1 with KB5018482 [10.0.19043.2193] and later ✅ Windows 10, version 21H2 with KB5018482 [10.0.19044.2193] and later ✅ Windows 11, version 21H2 with KB5016691 [10.0.22000.918] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Enroll
This is an execution node and will trigger a silent Declared Configuration unenroll; there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).
This is an execution node and will trigger a silent Declared Configuration enrollment, using the Microsoft Entra device token pulled from the Microsoft Entra joined device. There is no user interaction needed. When the DiscoveryEndpoint is not set, the Enroll node will fail with ERROR_FILE_NOT_FOUND (0x80070002) and there is no scheduled task created for dual enrollment.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec |
Device/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 20H2 with KB5018482 [10.0.19042.2193] and later ✅ Windows 10, version 21H1 with KB5018482 [10.0.19043.2193] and later ✅ Windows 10, version 21H2 with KB5018482 [10.0.19044.2193] and later ✅ Windows 11, version 21H2 with KB5016691 [10.0.22000.918] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus
Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
Allowed values:
Value | Description |
---|---|
0 | Undefined. |
1 | Enrollment Not started. |
2 | Enrollment In Progress. |
3 | Enrollment Failed. |
4 | Enrollment Succeeded. |
5 | Unenrollment Not started. |
6 | UnEnrollment In Progress. |
7 | UnEnrollment Failed. |
8 | UnEnrollment Succeeded. |
Device/Provider/{ProviderID}/LinkedEnrollment/LastError
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 20H2 with KB5018482 [10.0.19042.2193] and later ✅ Windows 10, version 21H1 with KB5018482 [10.0.19043.2193] and later ✅ Windows 10, version 21H2 with KB5018482 [10.0.19044.2193] and later ✅ Windows 11, version 21H2 with KB5016691 [10.0.22000.918] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/LastError
Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 20H2 with KB5018482 [10.0.19042.2193] and later ✅ Windows 10, version 21H1 with KB5018482 [10.0.19043.2193] and later ✅ Windows 10, version 21H2 with KB5018482 [10.0.19044.2193] and later ✅ Windows 11, version 21H2 with KB5016691 [10.0.22000.918] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Unenroll
Trigger Unenroll for the Linked Enrollment.
This is an execution node and will trigger a silent Declared Configuration unenroll, without any user interaction. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec |
Device/Provider/{ProviderID}/ManagementServerAddressList
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerAddressList
The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there is only one, the angle brackets (<>) aren't required. The < and > should be escaped. If the ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session, starting with the first one in the list.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get, Replace |
Example:
```xml
<Replace>
  <CmdID>101</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DMClient/Provider/<ProviderID>/ManagementServerAddressList</LocURI>
    </Target>
    <Data>&lt;https://server1&gt;&lt;https://server2&gt;</Data>
  </Item>
</Replace>
```
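The following added example (not part of the original page or of any Microsoft tooling) shows how an MDM server could encode and decode the `<URL1><URL2>` list format, emit the Replace command with the angle brackets escaped, and work out which servers a device will actually use given the precedence of ManagementServerAddressList over ManagementServiceAddress. The function names, the provider ID `ExampleProvider` and the https-only check are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

_ENTRY = re.compile(r"<([^<>]+)>")


def _check_url(url):
    """Assumption of this example: only absolute https URLs are accepted."""
    if not url or any(ch.isspace() or ch in "<>" for ch in url):
        raise ValueError(f"invalid characters in server URL: {url!r}")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an absolute https URL: {url!r}")
    return url


def format_address_list(urls):
    """Encode URLs as <URL1><URL2>...; a single URL needs no brackets."""
    urls = [_check_url(u.strip()) for u in urls]
    if not urls:
        raise ValueError("at least one server URL is required")
    if len(urls) == 1:
        return urls[0]
    return "".join(f"<{u}>" for u in urls)


def parse_address_list(value):
    """Decode a node value into URLs in failover order (first is tried first)."""
    value = value.strip()
    if "<" not in value and ">" not in value:
        return [_check_url(value)]
    # Every character must belong to a <...> entry; stray text is rejected.
    if not re.fullmatch(r"(?:<[^<>]+>)+", value):
        raise ValueError(f"malformed address list: {value!r}")
    return [_check_url(u.strip()) for u in _ENTRY.findall(value)]


def build_replace(provider_id, urls, cmd_id=101):
    """Build the Replace command; serialization escapes < and > in <Data>."""
    replace = ET.Element("Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = (
        f"./Vendor/MSFT/DMClient/Provider/{provider_id}"
        "/ManagementServerAddressList"
    )
    ET.SubElement(item, "Data").text = format_address_list(urls)
    return ET.tostring(replace, encoding="unicode")


def effective_servers(address_list, service_address):
    """ManagementServerAddressList, when set, overrides ManagementServiceAddress."""
    if address_list:
        return parse_address_list(address_list)
    return parse_address_list(service_address)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(build_replace("ExampleProvider", ["https://server1", "https://server2"]))
    print(effective_servers("<https://server1><https://server2>",
                            "https://old.example"))
```
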
Device/Provider/{ProviderID}/ManagementServerToUpgradeTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerToUpgradeTo
Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/ManagementServiceAddress
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServiceAddress
The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server. The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the w7 APPLICATION configuration service provider. Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> aren't required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
Note
When the ManagementServerAddressList value is set, the device ignores the ManagementServiceAddress value.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get, Replace |
Dependency [ManageServerAddressListBlock] | Dependency Type: Not Dependency URI: Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList Dependency Allowed Value Type: None |
Device/Provider/{ProviderID}/MaxSyncApplicationVersion
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MaxSyncApplicationVersion
Used by the client to indicate the latest DM session version that it supports.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/Provider/{ProviderID}/MultipleSession
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession
Note
Only applicable for Windows Enterprise multi-session.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession
The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfScheduledRetriesForUserSession. If IntervalForScheduledRetriesForUserSession isn't set, then the default value is used. Default value is 1440. If the value is 0, this schedule is disabled.
Note
Only applicable for Windows Enterprise multi-session.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync
Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel.
Note
Only applicable for Windows Enterprise multi-session.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync
Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel.
Note
Only applicable for Windows Enterprise multi-session.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession
The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession isn't 0, then the schedule will be set to repeat for an infinite number of times.
Note
Only applicable for Windows Enterprise multi-session.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll
Number of days after last successful sync to unenroll.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll
Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Device/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin
Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Polling is disabled on first login. |
true | Polling is enabled on first login. |
Device/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries
The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries
The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries
The waiting time (in minutes) for the second set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll/NumberOfFirstRetries
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfFirstRetries
The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times, and the second set and the remaining scheduled retries won't be set in this case. The default value is 10. The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for the first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries
The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries isn't set to 0 AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries shouldn't be set smaller than 1440 minutes (24 hours) on a Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll/NumberOfSecondRetries
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfSecondRetries
The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporary, and its total duration should last for more than a day. The IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Poll/PollOnLogin
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/PollOnLogin
Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of whether the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Polling is disabled on first login. |
true | Polling is enabled on first login. |
Device/Provider/{ProviderID}/PublisherDeviceID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/PublisherDeviceID
The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/<enterprise id>/EnrollmentToken. It's to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises' applications, each enterprise is identified differently.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Push
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push
Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Device/Provider/{ProviderID}/Push/ChannelURI
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/ChannelURI
A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Device/Provider/{ProviderID}/Push/PFN
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/PFN
A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/Push/Status
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/Status
An integer that maps to a known error state or condition on the system. Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
Device/Provider/{ProviderID}/Recovery
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5018483 [10.0.22000.1165] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery
Parent node for Recovery nodes.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Device/Provider/{ProviderID}/Recovery/AllowRecovery
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5018483 [10.0.22000.1165] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/AllowRecovery
This node determines whether or not the client will automatically initiate an MDM Recovery operation when it detects issues with the MDM certificate.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
1 | MDM Recovery is allowed. |
0 (Default) | MDM Recovery isn't allowed. |
Device/Provider/{ProviderID}/Recovery/InitiateRecovery
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5018483 [10.0.22000.1165] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/InitiateRecovery
This node initiates a recovery action. The server can specify prerequisites before the action is taken.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Exec |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Initiate MDM Recovery. |
1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, Microsoft Entra ID keys are protected by TPM, and the TPM is ready for attestation. |
Device/Provider/{ProviderID}/Recovery/RecoveryStatus
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 with KB5018483 [10.0.22000.1165] and later ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/RecoveryStatus
This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because Microsoft Entra ID keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
Default Value | 0 |
Device/Provider/{ProviderID}/RequireMessageSigning
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/RequireMessageSigning
Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device carries an additional HTTP header named MDM-Signature. This header contains a BASE64-encoded Cryptographic Message Syntax (CMS) detached signature of the SHA-2 hash of the complete SyncML message (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identity certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | The device management client doesn't include authentication information in the management session HTTP header. |
true | The client authentication information is provided in the management session HTTP header. |
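A sketch of the server-side check this node calls for, as an added example (not Microsoft's code). It assumes the `openssl` CLI is on PATH, that the header decodes to a DER CMS detached signature over the raw SyncML body bytes, and a 5-minute clock-skew window; the function names and result strings are hypothetical.

```python
import base64
import datetime as dt
import os
import subprocess
import tempfile

def _openssl(*args):
    """Run the openssl CLI (assumed to be on PATH) and return the finished process."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True)

def _write(directory, name, data):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def _signing_time(sig_path):
    """Read the PKCS#9 signingTime (UTCTime) attribute from a DER CMS structure."""
    lines = _openssl("asn1parse", "-inform", "DER", "-in", sig_path).stdout.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip().endswith(":signingTime"):
            for nxt in lines[i + 1:i + 3]:
                if "UTCTIME" in nxt:
                    stamp = nxt.rsplit(":", 1)[1].strip()
                    parsed = dt.datetime.strptime(stamp, "%y%m%d%H%M%SZ")
                    return parsed.replace(tzinfo=dt.timezone.utc)
    return None

def verify_mdm_signature(header_b64, syncml, enrolled_cert_pem, now=None,
                         max_skew=dt.timedelta(minutes=5)):
    """Return 'ok' or the reason the MDM-Signature header was rejected."""
    now = now or dt.datetime.now(dt.timezone.utc)
    try:
        signature = base64.b64decode(header_b64, validate=True)
    except ValueError:
        return "malformed-header"
    with tempfile.TemporaryDirectory() as tmp:
        sig = _write(tmp, "sig.der", signature)
        body = _write(tmp, "body.xml", syncml)
        cert = _write(tmp, "device.pem", enrolled_cert_pem)
        # -nointern: ignore certificates carried inside the CMS blob, so the signer
        # must be the enrolled certificate passed via -certfile.
        # -noverify: no chain building, because trust comes from that pin.
        check = _openssl("cms", "-verify", "-binary", "-inform", "DER", "-in", sig,
                         "-content", body, "-certfile", cert, "-nointern", "-noverify",
                         "-out", os.devnull)
        if check.returncode != 0:
            return "bad-signature"
        if _openssl("x509", "-in", cert, "-noout", "-checkend", "0").returncode != 0:
            return "expired-certificate"
        # signingTime is a signed attribute, so it is covered by the check above.
        signed_at = _signing_time(sig)
    if signed_at is None or abs(now - signed_at) > max_skew:
        return "stale-timestamp"
    return "ok"

def make_constructed_sample(body):
    """Constructed test data: a throwaway self-signed cert and a header signed with it."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert, sig = (os.path.join(tmp, n) for n in ("k.pem", "c.pem", "s.der"))
        msg = _write(tmp, "m.xml", body)
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                 "-out", cert, "-subj", "/CN=constructed-device", "-days", "1")
        _openssl("cms", "-sign", "-binary", "-md", "sha256", "-in", msg,
                 "-signer", cert, "-inkey", key, "-outform", "DER", "-out", sig)
        with open(sig, "rb") as s, open(cert, "rb") as c:
            return base64.b64encode(s.read()).decode("ascii"), c.read()

if __name__ == "__main__":
    sample_body = b'<SyncML xmlns="SYNCML:SYNCML1.2"><SyncHdr/><SyncBody/></SyncML>'
    header, device_cert = make_constructed_sample(sample_body)
    print(verify_mdm_signature(header, sample_body, device_cert))
    print(verify_mdm_signature(header, sample_body + b" ", device_cert))
```

Pinning to the certificate recorded at enrollment, rather than trusting whatever certificate the message carries, is what ties the signature to a specific managed device.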
Device/Provider/{ProviderID}/SignedEntDMID
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SignedEntDMID
Character string that contains the device ID. This node and the CertRenewTimeStamp node can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Device/Provider/{ProviderID}/SyncApplicationVersion
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SyncApplicationVersion
Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
Note
Once you set the value to 2.0, it won't go back to 1.0.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Regular Expression: ^(\d\.)?(\d)$ |
Default Value | 1.0 |
Device/Provider/{ProviderID}/Unenroll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Unenroll
The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the <Data> tag under the <Item> element.
Note
<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec, Get |
Example:
The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device.
```xml
<Exec>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DMClient/Provider/<ProviderID>/Unenroll</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>TestMDMServer</Data>
    <!-- Data Field in Threshold is now IGNORED -->
  </Item>
</Exec>
```
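Because an Unenroll Exec removes the device from management, it's worth auditing outgoing DM packages for it before they're sent. The following is an added example, not part of the original documentation: it scans a constructed SyncML package for Exec commands that target any of the Unenroll LocURI forms shown on this page. The function name, result fields, and sample package are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# The Unenroll LocURI forms that appear on this page. Matching is case-insensitive
# as a conservative choice for detection (an assumption, not documented behavior).
_UNENROLL = re.compile(
    r"^\./(?:Device/)?Vendor/MSFT/DMClient/(?:Provider/([^/]+)/)?Unenroll$",
    re.IGNORECASE)
_LEGACY = "./vendor/msft/dmclient/unenroll"  # the backward-compatibility path

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def _child(parent, name):
    return next((c for c in parent if _local(c.tag) == name), None)

def _text(element):
    return (element.text or "").strip() if element is not None else ""

def find_unenroll_execs(package_xml):
    """Return one finding per Exec item whose Target is a DMClient Unenroll node."""
    root = ET.fromstring(package_xml)
    findings = []
    for cmd in (e for e in root.iter() if _local(e.tag) == "Exec"):
        for item in (c for c in cmd if _local(c.tag) == "Item"):
            target = _child(item, "Target")
            loc_uri = _text(_child(target, "LocURI")) if target is not None else ""
            match = _UNENROLL.match(loc_uri)
            if not match:
                continue
            data = _text(_child(item, "Data"))
            findings.append({
                "cmd_id": _text(_child(cmd, "CmdID")),
                "loc_uri": loc_uri,
                # Provider ID from the URI when present, otherwise from <Data>.
                "provider_id": match.group(1) or data,
                "data": data,
                "legacy_path": loc_uri.lower() == _LEGACY,
            })
    return findings

# Constructed sample package: one harmless Get and two unenroll commands.
SAMPLE_PACKAGE = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
<Get><CmdID>1</CmdID><Item><Target>
  <LocURI>./Vendor/MSFT/DMClient/Provider/TestMDMServer/EntDMID</LocURI>
</Target></Item></Get>
<Exec><CmdID>2</CmdID><Item><Target>
  <LocURI>./Vendor/MSFT/DMClient/Provider/TestMDMServer/Unenroll</LocURI>
</Target><Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
<Data>TestMDMServer</Data></Item></Exec>
<Exec><CmdID>3</CmdID><Item><Target>
  <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI>
</Target><Data>OtherServer</Data></Item></Exec>
<Final/></SyncBody></SyncML>"""

if __name__ == "__main__":
    for finding in find_unenroll_execs(SAMPLE_PACKAGE):
        print(finding)
```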
Device/Provider/{ProviderID}/UPN
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/UPN
Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get, Replace |
Device/Unenroll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/Unenroll
The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the <Data> tag under the <Item> element. Scope is permanent.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec, Get |
Device/UpdateManagementServiceAddress
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/DMClient/UpdateManagementServiceAddress
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get, Replace |
Allowed Values | List (Delimiter: ; ) |
User/Provider
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./User/Vendor/MSFT/DMClient/Provider
The root node for all settings that belong to a single management server.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
User/Provider/{ProviderID}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}
This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
User/Provider/{ProviderID}/FirstSyncStatus
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
User/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Default Value | false |
Allowed values:
Value | Description |
---|---|
false (Default) | Don't show the Collect Logs button on the progress page. |
true | Show the Collect Logs button on the progress page. |
User/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get, Replace |
User/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". Each LocURI is followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 represents that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
User/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". Each LocURI is followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 represents that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
User/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
User/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: \xF000 ) |
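The six Expected* nodes above share one wire format, so a single parser can validate any of them before the server sends the value. This is an added example, not Microsoft's code; it generalizes the two documented samples to all six lists. The function names and problem messages are hypothetical, and checking that each LocURI points at the CSP named in the node's description is an added sanity check, not documented client behavior.

```python
import re

CSP_LIST_DELIMITER = "\uf000"  # the L"\xF000" character named on this page

# CSP each list is documented to reference; None where the page names no CSP.
EXPECTED_CSP = {
    "ExpectedModernAppPackages": "EnterpriseModernAppManagement",
    "ExpectedMSIAppPackages": "EnterpriseDesktopAppManagement",
    "ExpectedPFXCerts": "ClientCertificateInstall",
    "ExpectedSCEPCerts": "ClientCertificateInstall",
    "ExpectedNetworkProfiles": None,
    "ExpectedPolicies": None,
}
# Only the two app-package lists carry the ';<number of apps>' suffix.
COUNTED = {"ExpectedModernAppPackages", "ExpectedMSIAppPackages"}
_URI = re.compile(r"^\./(?:(?:Device|User)/)?Vendor/MSFT/([^/]+)/\S+$")

def parse_expected_list(node, value):
    """Return (entries, problems); each entry is (loc_uri, app_count or None)."""
    if node not in EXPECTED_CSP:
        raise ValueError(f"unknown FirstSyncStatus list node: {node}")
    entries, problems, seen = [], [], set()
    for pos, raw in enumerate(value.split(CSP_LIST_DELIMITER)):
        item = raw.strip()  # the documented samples put a space after the delimiter
        if not item:
            problems.append(f"item {pos}: empty entry")
            continue
        uri, count = item, None
        if node in COUNTED:
            head, sep, tail = item.rpartition(";")
            if sep and tail.isascii() and tail.isdigit():
                uri, count = head, int(tail)
            else:
                problems.append(f"item {pos}: missing ';<app count>' suffix")
        match = _URI.match(uri)
        if not match:
            problems.append(f"item {pos}: not a ./[Device|User/]Vendor/MSFT/... LocURI")
        elif EXPECTED_CSP[node] and match.group(1) != EXPECTED_CSP[node]:
            problems.append(
                f"item {pos}: targets {match.group(1)}, expected {EXPECTED_CSP[node]}")
        if uri in seen:
            problems.append(f"item {pos}: duplicate LocURI")
        seen.add(uri)
        entries.append((uri, count))
    return entries, problems

def build_expected_list(node, entries):
    """Serialize (loc_uri, app_count) pairs; refuse to emit a value that fails parsing."""
    parts = [f"{uri};{count}" if node in COUNTED else uri for uri, count in entries]
    value = CSP_LIST_DELIMITER.join(parts)
    _, problems = parse_expected_list(node, value)
    if problems:
        raise ValueError("; ".join(problems))
    return value

if __name__ == "__main__":
    base = "./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/"
    sample = (base + "PackageFullName/Name;4" + CSP_LIST_DELIMITER + " "
              + base + "PackageFullName2/Name;2")
    print(parse_expected_list("ExpectedModernAppPackages", sample))
```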
User/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it's in and tell the user that the device is provisioned. It can't be set from True to False (it won't change its mind on whether or not the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Allowed values:
Value | Description |
---|---|
false | The user hasn't finished provisioning. |
true | The user has finished provisioning. |
User/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node isn't True, the UX will consider the provisioning a failure. Once set to true, the node rejects attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Get, Replace |
Allowed values:
Value | Description |
---|---|
false | Server hasn't finished provisioning. |
true | Server has finished provisioning. |
User/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
Integer node that indicates whether the device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client sets the value to success or failure and updates the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get, Replace |
Allowed values:
Value | Description |
---|---|
0 | The device has failed to provision the user. |
1 | The device has successfully provisioned the user. |
2 | Provisioning is in progress. |