For years, Intune has managed Windows devices through OMA-DM (Open Mobile Alliance Device Management). It worked, but as explained in our previous blog, it was never designed for the scale and complexity of Windows client management. Policies often take longer than we’d like, and every configuration requires a chain of round-trip requests to the Intune service. Microsoft has been working on a new model/infrastructure: MMP-C (Microsoft Management Platform – Cloud). It doesn’t replace Intune, but adds a new management plane designed for speed, reliability, and scale. Over time, more workloads will be moved from Intune into MMP-C.

This blog walks through that transition: what OMA-DM does today, why MMP-C exists, how devices become dual enrolled, and what it means for features like Endpoint Privilege Management and Resource Access Policies.

The Old Model: OMA-DM

OMA-DM came from the mobile world. It was built for phones, not PCs, but Microsoft extended it to manage Windows 10 and 11.

The enforcement model is simple on paper but loud in practice. For each policy or configuration:

  1. Get → The device contacts Intune and requests the setting.
  2. Set → Intune sends the configuration (e.g., set PIN history to 24).
  3. Get → The device reports back the applied value (e.g., PIN history = 24).

This is the classic Get-Set-Get loop.

get-set-get

Now multiply that loop across dozens of CSPs, compliance rules, and profiles. Every pass requires multiple round-trips. If one step fails, the chain can break, leaving policies unapplied until the next scheduled sync.

This model also makes Intune chatty: devices spend their time bouncing between Intune and the CSP providers instead of enforcing state locally.

Enter Declared Configuration (WinDC) + MMP-C

To solve this bottleneck, Microsoft introduced Declared Configuration, powered by the WinDC service (dcsvc).

the declared configuration service that connects to MMP-C

Instead of sending policies one by one, Intune now delivers a single declarative document that describes the intended state:

  • The device applies the configuration.
  • It continuously checks if the state matches (MOF).
  • If drift occurs, it re-applies the setting locally.
  • If the drift can’t be fixed, it escalates back to Intune.

This makes the device self-healing and shifts enforcement from the cloud to the endpoint. Apple and Google already use this model, and now Windows is catching up.

(MMP-C model: Get once, set locally, and self-heal if drift is detected)

Endpoint Privilege Management: The First Real Test

The first Windows feature to rely on this channel was Endpoint Privilege Management (EPM).

EPM policies are not delivered via OMA-DM. They arrive through the MMP-C channel, processed by WinDC. You can even see them on the device under the WinDC provider in the registry.

intune + MMP-C the device is now dual enrolled / linked enrollment

EPM forced Microsoft to build dual enrollment. Devices suddenly needed to talk to both OMA-DM and MMP-C at the same time.

Linked Enrollment: How a Device Gets Dual-Enrolled with MMP-C

For MMP-C to work, a device must be present in both channels: OMA-DM (legacy) and MMP-C (new).

intune + MMP-C the device is now dual enrolled / linked enrollment. WinDC and OMA-DM working together

During Intune enrollment, the device contacted the discovery endpoint at https://dm.microsoft.com. If the tenant was onboarded, the dual enrollment was triggered, and with it, the device would automatically be enrolled into MMP-C

On the device, you can recognize this linked enrollment by:

  • Services: OMADMClient (OMA-DM) and dcsvc (WinDC).
  • Registry: The Intune Enrollment is now linked to the MMP-C Enrollment
  • Scheduled Task: the WinDC Refresh task, which checks and reapplies configurations.

Later, with the release of Device Inventory, Microsoft made this universal.

Device Inventory Makes Dual Enrollment Universal

Device Inventory was the breakthrough. It quietly enabled dual enrollment for all Windows devices without requiring admins to flip a switch.

As soon as a device completes Intune enrollment, Device Inventory ensures it also registers with MMP-C. From that point:

  • OMA-DM continues handling legacy workloads.
  • MMP-C handles declarative workloads like EPM and inventory.

This universal dual enrollment is what allows Microsoft to start migrating more workloads into the modern channel.

How WinDC Works on the Device

With WinDC in place, the flow looks different:

  1. Intune sends down a single declarative document
  2. The device stores it locally.
  3. WinDC applies the settings.
  4. The scheduled refresh task checks for drift and reapplies as needed. (MOF File)

Even offline, drift correction runs. That’s why MMP-C policies feel more reliable: they don’t depend on waiting for the next OMA-DM sync.

The old Get-Set-Get loop becomes Get once, set, and self-heal.

get-set windows declared configuration

What’s Moving Next to MMP-C

EPM was just the beginning. Microsoft is already testing Resource Access Policies (Wi-Fi, VPN, certificates) on the declarative model. Good to know is that Defender configurations and security baselines are also in the pipeline.

whats next to move to MMP-C

The idea is that those workloads will run in dual mode: This means that those policies are still enforced via OMA-DM, but mirrored in MMP-C for testing. This is the same coexistence model Microsoft used when moving ConfigMgr workloads into Intune.

Why It Matters

This isn’t just a protocol update; it’s a fundamental change in how Windows management works:

  • Faster: one document instead of dozens of round-trips.
  • Resilient: devices enforce state locally, even offline.
  • Predictable: fewer delays waiting on sync cycles.
  • Transparent: better reporting as devices track their own state.

For admins, the most visible sign is that devices are now dual-enrolled. For end users, the biggest benefit is faster, more reliable provisioning.

Prefer Video?

If you prefer watching over reading, we also recorded a YouTube video that walks through this entire transition… from OMA DM to MMP-C and WinDC, and how Windows management is evolving behind the scenes. Please go check it out!

Dual Enrollment MMP-C Windc

Closing Thoughts

MMP-C is Intune’s evolution, not a replacement. OMA-DM won’t vanish overnight, but workloads are steadily moving to WinDC. If you’re managing Windows devices today, keep an eye on:

  • Whether your devices are dual enrolled (dcsvc present).
  • That SSL inspection isn’t interfering with dm.microsoft.com.
  • Which workloads in your tenant already use the declarative device management model.

The shift has already started with Endpoint Privilege Management and Device Inventory. Resource Access Policies are next. Over time, OMA-DM will fade into the background while MMP-C becomes the new backbone of Windows management.