The Set-EnrollmentConfigcmdlet updates the current configuration of the Enrollment service by using the provided values.


Set-EnrollmentConfig [-ActivateVPNbyDefault]
[-CertificationAuthority <string>] [-EmailBodyTemplate
<string>] [-EmailSender <string>] [-EmailSubject
<string>] [-Enabled] [-ExpirePasswordAfter <TimeSpan>]
[-ForceEnroll] [-GatewayUri <string>] [-PasswordCharacters
<int>] [-SetPasswordLength <int>] [-SmtpServer
<string>] [-UsageAttemptLimit <int>] [-confirm]
[-whatif] [<CommonParameters>]

Set-EnrollmentConfig [-Config <EnrollmentConfig>] [-confirm]
[-whatif] [<CommonParameters>]


The following describes the Set-EnrollmentConfigcmdlet parameters.

Config <EnrollmentConfig>

Accepts an EnrollmentConfigobject as input.


Specifies whether enrolled devices will connect to the company network by default through the VPN connection to MDM Gateway Server. May be set to true, -ActivateVPNbyDefaultor -ActivateVPNbyDefault:$true; or false, -ActivateVPNbyDefault:$false. The default value is true.

CertificationAuthority <String>

Specifies the name of the server and the instance of the enrollment certification authority. The server name and instance name are specified, separated by a backslash (\). For example, server\instance.


Specifies whether the Enrollment service should allow existing pending requests to be processed.


Specifies whether a device will prompt the user when it connects to MDM Enrollment Server. If the parameter is set to true, -ForceEnrollor -ForceEnroll:$true, then, when the device discovers or connects to MDM Enrollment Server, the user is prompted for the enrollment password. If the parameter is set to false, -ForceEnroll:$false, the user is prompted only if a pre-enrollment record exists for the e-mail address specified by the user in the domain enrollment client on the device. The default setting is false.

GatewayUri <String>

Specifies the name, IP address, or Domain Name System (DNS) name of the virtual private network (VPN) gateway. This must be an address available from the public Internet. Specify an empty string if managed devices will be connecting to Mobile Device Manager Device Management Server directly by using the local area network (LAN) or wireless local area network (WLAN), instead of connecting through MDM Gateway Server.

UsageAttemptLimit <Int32>

Specifies a limit on the number of times a user can access MDM Enrollment Server to attempt to complete an enrollment request from a Windows Mobile device. If the user exceeds this limit, then an error message is displayed, the enrollment request is invalidated, and a new enrollment request must be created to enroll the device. Setting this limit may help prevent automated attempts at discovering the enrollment password.

To complete an enrollment request the device accesses MDM Enrollment Server two times, so you should specify a value for UsageAttemptLimitthat is twice the limit you want to set for users. For example, if you set UsageAttemptLimitto 10, then users are limited to five attempts at enrolling a device. The default value is 20.

PasswordCharacters <Int32>

Specifies the character set used to generate the enrollment password. Values:

0: Letters

1: Numbers

2: Both letters and numbers (alphanumeric)

SetPasswordLength <Int32>

Specifies the length of the auto-generated enrollment password.

ExpirePasswordAfter <TimeSpan>

Specifies the time during which an auto-generated enrollment password is valid. If the value contains a space or other special characters, enclose the string in quotation marks.

SmtpServer <String>

Specifies the simple mail transfer protocol (SMTP) server that is used to send a new enrollment e-mail message to a device owner. This message is sent when a device is newly enrolled. The server may be specified as hostname, or hostname:port.

EmailSender <String>

Specifies the e-mail account from which the new enrollment e-mail message is sent.

EmailSubject <String>

Specifies the subject text of the new enrollment e-mail message.

EmailBodyTemplate <String>

Specifies the text to use in the body of the new enrollment e-mail message. The enrollment ID, enrollment password, and enrollment password expiration time will be added automatically to the end of the message. The device owner needs this information to complete the enrollment of the device. The following is an example e-mail message:

Your Windows Mobile device has been enabled for enrollment to System Center Mobile Device Manager. Enter the following details when prompted by the device enrollment client:


Informs you of what changes would be made if the action were to be performed (the cmdlet is not executed).


Prompts you for confirmation before the cmdlet executes.


This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, and -OutVariable. For more information, at the MDM Shell prompt, type, get-help about_commonparameters.

Input Type

The Set-EnrollmentConfigcmdlet accepts an EnrollmentConfigobject. To see all the properties for this object, at the MDM Shell prompt, type Get-EnrollmentConfig | Get-Member.

Output Type

The Set-EnrollmentConfigcmdlet returns an EnrollmentConfigobject. To see all the properties for this object, at the MDM Shell prompt, type Set-EnrollmentConfig | Get-Member.


This Set-EnrollmentConfigcommand example prevents new enrollment requests from creating, and stops pending requests from processing.

Copy Code
C:\PS>Set-EnrollmentConfig -Enabled:$false

This Set-EnrollmentConfigcommand example specifies that auto-generated enrollment passwords are to be alphanumeric, 12 characters long, and expire after 20 minutes.

Copy Code
C:\PS>Set-EnrollmentConfig -PasswordCharacters 2
-SetPasswordLength 12 -ExpirePasswordAfter "00:20:00"

This Set-EnrollmentConfigcommand example configures the settings for the new enrollment e-mail message, specifies the SMTP server to use, the e-mail address of the sender, the subject line, and the message body text.

Copy Code
C:\PS>Set-EnrollmentConfig -SmtpServer "hostserver:888"
-EmailSender "admin@microsoft.com" -EmailSubject "New device
enrollment" -EmailBodyTemplate "Your Windows Mobile device has been
enabled for enrollment to Mobile Device Manager. Enter the
following details when prompted by the device enrollment client:"

Cmdlet Help

To view this information online, at the MDM Shell prompt, type:

get-help Set-EnrollmentConfig -detailed, or get-help Set-EnrollmentConfig -full

See Also