MDM to MMP-C. Transfer Authority Resource access policies

From the old school MDM stack to MMP-C: What’s going to change in 2025

by rudyooms Posted on
Patch My Pc | install & update thousands of apps

This blog will focus on how Wi-Fi and VPN resource access policies are being transferred (Authority change) from the old-school MDM stack to the MMP-C Infra (MDM to MMP-C), with examples from Microsoft documentation and a visual guide showing how devices can work in both Intune and MMP-C environments to handle the authority change!

Mdm To Mmp-c

Have you ever had one of those moments where you realize something’s quietly changing under your nose? I had one recently while looking at a DLL file. To be precise: dcsvc.dll (Declared Configuration DLL). In this DLL, I stumbled upon some nice references to MdmToMmpc and LogTransferResource.

Mdm To Mmp-c / mdmtommpc function inside the dcsvc.dll

At first glance, these strings might seem worthless but in the context of Microsoft’s rapidly improving device management, they’re like finding a cryptic note that hints at what’s to come.

The Role of MMP-C and Declared Configuration

Here’s the lowdown: MMP-C (Microsoft Management Platform Cloud) is the big-picture infrastructure that orchestrates how device policies flow from the cloud. This example below, is how Device Inventory policies come down to the device.

intune mmp-c architecture

When looking on the device side, we have the Linked/Dual enrollment and the corresponding Declared Configuration protocol, think of it as the on-box brain. Instead of pushing policies down and hoping they stick, you declare a desired state, and the device constantly checks and corrects itself to meet that goal (get-test-set). It’s a major shift from the old “spray-and-pray” configuration model.

A Visual Example: Dual Enrollment

Picture a device that’s dual-enrolled, connected to Intune for classical MDM-based policy delivery and to MMP-C for declarative configuration. The image below, shows how the OMA-DM Client still checks in traditionally, while WinDC (the Windows Declarative Configuration client) ensures the device’s state matches what’s declared by MMP-C.

Intune + MMP-C enrolled device

If you want to know more about when MMP-C Syncs with the service and how it differs from the regular MDM/Intune enrollment, please read this blog:

When does the device sync with MMP-C | Every 4 hours | WinDC

EPM and Inventory Policies

This Dual Enrollment approach is already used for Endpoint Privilege Management (EPM) and Intune’s newly released Enhanced Device inventory feature. With Drift Control, the device ensures policies remain in their intended state without relying on outdated updates or guesswork.

drift control

If something drifts, like EPM Policies or your Device inventory policies, the Declared Configuration protocol (WinDC Refresh Schedule) detects the issue and corrects it to match the desired configuration.desired state.

refesh schedule to refresh any setting on the device

Wi-Fi and VPN Policies

But if EPM and inventory can be handled this way, why not Wi-Fi and VPN settings, too? Microsoft has now finally shared the fact that resource access policies, like Wi-Fi and VPN profiles, are heading in the same declarative direction. The official documentation (Declared Configuration Resource Access) sheds light on this future. It shows how policies can be defined once and continuously verified, turning what used to be a guesswork-laden process into a clean, self-maintaining loop.

osdefinedscenaratios such as msftwifi and msftvpn

As shown above, the Osdefinedscenario’s are pretty clear. We can spot the MSFTVpn and MSFTWifi osdefinedscenarios in it. If we look closer at the device right now, we can already spot the EPM and Inventory ones.

the msftinventory osdefinedscenario

In addition to resource access policies moving from MDM to MMP-C, the WinDC code reveals several other OS-defined scenarios that are also part of this shift. (not now…. but in the future… let’s start with wifi and VPN first)

All the policies that will move over to mmp-c (mdm to mmp-c)

Over time, you can imagine more policies like Wi-Fi and VPN handled by this declarative model, thanks to MMP-C and WinDC collaborating behind the scenes.

Reading Between the Lines of dcsvc.dll

What about those odd references in dcsvc.dll? MdmToMmpc (MDM to MMP-C) and LogTransferResource look like the pieces making this shift possible. They seem to handle the job of converting old MDM methods into MMP-C’s new declarative setup. It’s a bit like when workloads moved from SCCM to Intune, but now it’s Intune handing things over to MMP-C. Interesting, right?

moving the mdm workloads to mmp-c just like we did with sccm

Looking Ahead

For admins, this changes the game. Instead of relying on users to report problems like broken Wi-Fi or missing VPN profiles, the system handles it proactively. MMP-C works with the Declared Configuration protocol to keep devices aligned with their intended setup, automatically detecting and fixing issues before they are at drift.

While we’re not fully there yet, the direction is clear. MMP-C provides the foundation, and the Declared Configuration protocol enforces it on devices. EPM and device inventory already show how effective this approach is, and with policies like Wi-Fi, VPN, and more moving from MDM to MMP-C, the shift toward a more unified and reliable management system is clearly underway.

Conclusion

As these capabilities light up, those once-cryptic DLL references and MMP-C logs you see today will become indispensable tools tomorrow. From EPM and inventory to resource access policies, we’re seeing the dawn of a more reliable, transparent, and future-proof way of managing Windows devices. It’s a quiet revolution, and it’s only just begun.

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  25  =  29

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.