Install a configuration profile on a device.

Get a list of installed profiles on a device.

Remove a previously installed profile from the device.

Install a provisioning profile on a device.

Get a list of installed provisioning profiles on a device.

Remove a previously installed provisioning profile from a device.

Get detailed information about a device.

Inform the device that it can allow the user to continue in Setup Assistant.

Inform the device that it can allow the user to continue in Setup Assistant.

Get a list of restrictions on the device.

Remotely and immediately erase a device.

Remotely and immediately lock a device.

Remotely and immediately restart a device.

Remotely and immediately shut down a device.

Install a third-party app on a device.

Install an enterprise app on a device.

Get a list of the installed apps on a device.

Get the status of all managed apps on a device.

Remove an app.

Remove an app.

Force validation of developer and universal provisioning profiles for enterprise apps.

Query attributes in managed apps on a device.

Get app configurations from managed apps on a device.

Get app feedback from a managed app on the device.

Install a book on a device.

Get a list of the managed books on a device.

Remove a previously installed book from a device.

Create and configure a local administrator account on a device.

Invite a user to join the Volume Purchase Program (VPP).

Remove the passcode from a device.

Remove the passcode from a device.

Unlock a user account that the system locked because of too many failed password attempts.

Update the local administrator account password.

Change or clear the firmware password on a device.

Verify the firmware password on a device.

Verify the firmware password on a device.

Request the location of a device when in Lost Mode.

Play the Lost Mode sound on a device that’s in Lost Mode.

Take the device out of Lost Mode.

Set or clear the Recovery Lock password.

Verify the device’s Recovery Lock password.

Get the status of the content caches on a device.

Prompt the user to share their screen using AirPlay Mirroring.

Stop mirroring the display to another device.

Query a carrier URL for active eSIM cellular-plan profiles on a device.

Disable Remote Desktop on a device.

Enable Remote Desktop on a device.

Configure settings on a device.

Send requests to a device using lights-out management (LOM).

Get information from a device to set up lights-out management (LOM).

Get security-related information about a device.

Get a list of installed certificates on a device.

Get the code to bypass Activation Lock on a device.

Clear the Activation Lock bypass code on a device.

Clear the Activation Lock bypass code on a device.

Get a list of active extensions for a user on a device.

Get a list of the installed extensions for a user on a device.

Get a list of users with active accounts on a device.

Force the current user to log out of a device.

Delete a user’s account from a device.

Enable your server to support declarative management or trigger a declarative management synchronization operation on the device.

Triggers a one-time rotation of all numeric BitLocker recovery passwords for OS and fixed drives on Entra ID or hybrid-joined devices. Requires Active Directory backup of recovery passwords to be set to "required" before execution.

Initiates SCEP certificate enrollment in the personal certificate store on the device.

Triggers an immediate renewal of an existing certificate in the personal certificate store on the device.

Triggers the device to start SCEP certificate enrollment at the device scope. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added.

Triggers the user context to start SCEP certificate enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added.

Silently unenrolls the device from a Linked Enrollment without user interaction. All settings and resources applied by the Declared Configuration are rolled back automatically.

Triggers the device to unenroll from its linked MDM enrollment

Initiates a device recovery action. The server can specify prerequisites that must be met before the recovery action proceeds.

Triggers the device to unenroll from a specific MDM provider. The Provider ID of the management server must be specified in the <Data> element of the command.

Triggers the device to permanently unenroll from its current MDM management server. The Provider ID of the management server must be specified in the <Data> element of the command.

Starts a Microsoft Defender Offline scan on the device. After the next reboot, the device will start in Microsoft Defender Offline mode to perform a scan before Windows loads, helping detect and remove persistent or hard-to-find malware.

Rolls back the Microsoft Defender antimalware engine to its last known good version on the device.

Rolls back Microsoft Defender to its last known good installation location on the device.

Starts a Windows Defender scan on the device

Performs a Windows Defender signature update on the device.

Triggers a snapshot of the device’s management state data, capturing the current MDM configuration for diagnostic purposes.

Definition and collection point for diagnostic archives on the device.

Triggers exporting events from the associated Windows event channel into a log file with the standard .evtx extension.

Triggers the start or stop of the associated trace session.

Executes the download and installation of an application. An optional <DownloadFromAad> tag in the <Enforcement> section of the XML (default 0) can be set to 1 to include the AAD user token when retrieving the download URL.

Executes the download and installation of an application. An optional <DownloadFromAad> tag in the <Enforcement> XML section (default 0) can be set to 1 to include the AAD user token when retrieving the download URL.

Installs an app package from a hosted location, such as a local drive, UNC path, or HTTPS source.

Installs an app along with its license from the Microsoft Store under the device context.

Adds a specified app license to the device using the provided license ID.

Retrieves a specified app license from the Microsoft Store using the provided license ID.

Restores a specified Windows app to its initial state by resetting all configurations and data associated with the package.

Starts a Windows Update scan on the device.

Installs an app package from a hosted location, such as a local drive, UNC path, or HTTPS source.

Command to perform an install of an app and a license from the Microsoft Store.

Adds a specified app license to the device using the provided license ID.

Retrieves a specified app license from the Microsoft Store using the provided license ID.

Removes a specified Windows app package from the device.

Restores a specified Windows app to its initial state by resetting all configurations and data associated with the package.

Starts a Windows Update scan under the user context to check for available app updates.

Triggers an asynchronous device health attestation session, prompting the device to collect and submit its current health status for verification.

Notifies the device to prepare a device health verification request.

Immediately generates and securely stores a new random password for the managed local administrator account on the device using Local Administrator Password Solution (LAPS).

Installs Microsoft Office for the user based on the provided XML configuration.

Installs Microsoft Office on the device using the provided XML configuration data.

Installs a Universal Print printer for the user asynchronously.

Triggers an immediate device reboot, typically within 5 minutes to allow the user to finish active work. If executed during a sync session, the device will reboot at the end of the session.

Triggers an Autopilot reset on the device. Unlike a standard reset, the device remains enrolled in Azure AD and MDM, and preserves Wi-Fi profiles, region, language, keyboard settings, and other key configurations.

Performs a remote wipe on the device. The return status indicates whether the device accepted the command. When used with OMA Client Provisioning, include a dummy value of "1" for this element.

Performs a cloud-based remote wipe on the device. The return status indicates whether the device accepted the command.

Performs a cloud-based remote wipe while preserving provisioning data by backing it up to a persistent location. The backed-up data is restored and applied when the device resumes. The return status indicates whether the device accepted the command.

Performs a cloud-based remote reset while preserving user accounts and data. The return status indicates whether the device accepted the command.

Performs a remote wipe while preserving provisioning data by backing it up to a persistent location. The backed-up data is restored and applied when the device resumes. The return status indicates whether the device accepted the command. When using OMA Client Provisioning, include a dummy value of "1" for this element.

Performs a remote reset of the device while preserving user accounts and data. The return status indicates whether the device accepted the command.

Performs a remote wipe that fully cleans the internal drive and continues retrying until complete, even after power cycles. Unlike doWipe, which can be interrupted by a simple power cycle, doWipeProtected ensures the wipe finishes. May render the device unbootable on some configurations.

Remotely installs the Windows Defender Application Guard feature on the device.

Installs a new Windows product key on the device without requiring a reboot.

Checks if the provided product key is valid for upgrading the Windows edition on the device, returning TRUE if applicable.

Switches the device from Windows 10/11 S mode to a standard edition, if eligible. No reboot is required.

Removes the subscription license from the device and resets the subscription type to a user-based subscription.

Upgrades the Windows edition on the device by applying a provided license. No reboot is required to complete the upgrade.

Upgrades the Windows edition on the device by applying a specified product key. A reboot is required to complete the upgrade.

Triggers an eUICC (embedded Universal Integrated Circuit Card) factory reset, permanently deleting all eSIM (embedded Subscriber Identity Module) profiles stored on the eUICC.