Update: GetPushAlertInfo fails to fetch the push-alert metadata (criticality/notification-id), logs 4603, and the device runs the OMA-DM session and delivers anyway. It degrades gracefully; it does not block.
WNS push-initiated MDM session never starts on Windows 11 24H2/25H2. Event 4603 "Getting push alert info for push initiated session failed / notificationIdNotRetrieved" (raw push delivered, deviceenroller runs, no OMA-DM session)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 61%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
Victor Lyuboslavsky
0
Reputation points
Summary
On a third-party (non-Intune) MDM using the documented DMClient CSP push model, a WNS raw push is accepted by WNS and received by the device, but no OMA-DM session ever starts. The DeviceManagement-Enterprise-Diagnostics-Provider/Admin log records, at the exact push time:
Event 4603: Getting push alert info for push initiated session failed. NotificationId: notificationIdNotRetrieved, HRESULT: Unspecified error
Scheduled polling and manual sync work normally; only push-initiated sessions fail. I cannot find this event or string documented anywhere.
Environment
- Reproduces identically on fully-patched Windows 11 24H2 (26100) and 25H2 (26200.8457).
- Devices are Azure VMs with Trusted Launch (vTPM + Secure Boot, TPM Present/Ready/Enabled).
- Reproduces for both a device-only enrollment (empty UPN) and a user/UPN (Entra workplace-join) enrollment.
- MDM provisions ./Device/Vendor/MSFT/DMClient/Provider/<ID>/Push/PFN; device reports Push/ChannelURI with Push/Status = 0.
- WNS auth (classic, per the MDM push doc): client_credentials to https://login.live.com/accesstoken.srf, client_id = ms-app://<PackageSID>, scope = notify.windows.com. Token issues successfully.
Reproduction
- Provision Push/PFN via DMClient CSP; device registers a WNS channel (Push/Status = 0).
- Server POSTs a raw push to the ChannelURI: X-WNS-Type: wns/raw, X-WNS-Cache-Policy: cache, Content-Type: application/octet-stream.
- WNS returns HTTP 200, X-WNS-Status: received, with an X-WNS-Msg-ID.
- Device receives the push but no OMA-DM session starts; Event 4603 is logged at the push timestamp.
Evidence chain (single push, correlated by timestamp and X-WNS-Msg-ID)
- WNS accepts: HTTP/2 200, x-wns-status: received, x-wns-msg-id: <ID>.
- Microsoft-Windows-PushNotification-Platform/Operational: Event 1010: Raw Notification received for ChannelId ... AppUserModelId WindowsMDMPush ... X-WNS-MSG-ID 0x<ID> (matches what WNS returned to the sender) Event 2419: A raw notification has activated a system task: WindowsMDMPush
- Scheduled task \Microsoft\Windows\EnterpriseMgmt<EnrollmentGUID>\PushLaunch: Trigger: WnfStateChangeTrigger on WNF state 75A0BCA328009213 Action: deviceenroller.exe /o "<EnrollmentGUID>" /c /z (LocalSystem) LastRunTime = the push timestamp, LastTaskResult = 0 (it fired and exited cleanly)
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin: Event 4603: Getting push alert info for push initiated session failed. NotificationId: notificationIdNotRetrieved, HRESULT: Unspecified error
- No subsequent OMA-DM session reaches the server. Scheduled polling (the "Schedule to run OMADMClient" tasks) continues to work and reaches the server normally.
Already ruled out
- Credentials/channel: WNS returns 200/received; Push/Status = 0; ChannelURI valid on *.notify.windows.com.
- Services: dmwappushservice Running/Automatic; WpnService Running.
- Policy: no NoCloudApplicationNotification / DisallowCloudNotification (cloud notifications not turned off).
- Fully patched; clean reboot (not stale state); single MDM enrollment with a correctly-wired PushLaunch task.
- Same failure on 24H2 and 25H2 (not a single-build regression), and on device-only and UPN/Entra enrollments.
Question
Why does the push-initiated session fail at "Getting push alert info" with notificationIdNotRetrieved when the raw push was delivered (Events 1010/2419 fire) and PushLaunch ran deviceenroller successfully (result 0)?
Community reverse-engineering suggests deviceenroller's GetPushAlertInfo validates the push and applies criticality-based queuing (IsCriticalMsg), and that a 2024 change to push-session handling was gated behind a servicing feature (referenced as Feature_Servicing_DMPushMessageSetCritical). Can you confirm:
- Is a third-party management server expected to set any criticality marker or notification id on the raw push (the push doc states the payload is "just a wakeup"), or is the notification id resolved entirely on-device?
- What does "notificationIdNotRetrieved" indicate, i.e. what component is expected to have populated the push alert info that GetPushAlertInfo reads back, and under what condition is it empty for a delivered push?
- Is this specific to virtualized devices (Azure VM / Trusted Launch), or to a feature or servicing state on 24H2/25H2?
I have full mdmdiagnosticstool output and the relevant event logs (DeviceManagement-Enterprise-Diagnostics-Provider/Admin and PushNotification-Platform/Operational) and can share them.
Windows for business | Windows Client for IT Pros | User experience | Other
3 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 96%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETV%3C/text%3E%3C/svg%3E)
Tan Vu 2,655 Reputation points Independent Advisor2026-06-01T16:38:29.5866667+00:00 Hi Lyuboslavsky,
Please follow these steps in IDA Pro or Ghidra:
- Find the library containing the function: GetPushAlertInfo, which may be located directly in deviceenroller.exe or imported from mdmregistration.dll / omadmapi.dll.
- Check which Parser the function is calling:
- If you see functions of Windows.Data.Json (like JsonObject::Parse), it means it uses JSON -> look at the adjacent strings to find the exact Key Name defined by Microsoft (it might be uppercase, lowercase, or completely different).
- If you see functions of MSXML or XmlLite, it's expecting a short XML snippet.
- If the function only reads a buffer pointer and performs bit shift operations (>>, <<) or offset shifts (e.g.,
*(DWORD*)(buffer + 4)), it's definitely a Binary Struct. Looking at these offsets will help you reconstruct the Struct to be sent.
If you can extract the ASM/Pseudo-code of the GetPushAlertInfo function or the code that handles the buffer after reading from the WNF State, please upload it here for further analysis.
-
Victor Lyuboslavsky 0 Reputation points
2026-06-01T16:56:24.41+00:00 Thanks Tan. I'd rather not disassemble and post the Windows binaries here, since that runs into the Windows license terms.
I did test the payload idea from the sender side though, and it does not hold. A raw push (X-WNS-Type: wns/raw, Content-Type: application/octet-stream) with body {"NotificationId":"<guid>","IsCritical":true,"Type":"DataSync"} produced the exact same Event 4603 as an arbitrary body. An empty body was received (Event 1010) but never activated the task (no 2419). The same JSON with Content-Type: application/json was rejected by WNS itself (HTTP 400), since wns/raw requires application/octet-stream. So the raw body content does not change the outcome, consistent with the docs that the wake payload is ignored.
That means the NotificationId GetPushAlertInfo cannot retrieve is not coming from the push body. So the open question for anyone with symbols is where it reads that id from (the WNF state payload at 75A0BCA328009213, or a local store), given the push was delivered and the task activated (1010 and 2419 fired, PushLaunch ran with result 0).
Sign in to comment -
Tan Vu 2,655 Reputation points Independent Advisor
2026-06-01T15:17:21.63+00:00 Hi Lyuboslavsky,
Based on your highly detailed evidence chain and excellent reverse-engineering results (your ability to trace back to WNF state 75A0BCA328009213 and the GetPushAlertInfo function is truly impressive), the system is experiencing an undocumented architectural breaking change in the latest version of Windows 11.
Here are the answers to your questions:
1.
Yes, at the present time (from version 24H2 onwards), the answer is Yes. Previously, Microsoft's open-source documentation confirmed that WNS Raw Push was just an empty "wake-up" command (0-byte payload). However, with the introduction of new battery management and system optimization features, Windows no longer accepts "anonymous" wake-up commands.
The
GetPushAlertInfofunction insidedeviceenroller.exenow requires parsing the packet to find the criticality data structure (Severity) and message identifier. If you send a completely empty packet, this function cannot find the necessary device attributes, resulting in the OMA-DM version being booted to protect system resources.2.
- Operating mechanism: When WNS pushes a packet down,
WpnService(Windows Push Notification Service) receives the packet and directly writes the payload content to the WNF (Windows Notification Facility) state. - Error: When triggered by the
PushLaunchtask,deviceenroller.execalls theGetPushAlertInfofunction to read the buffer from that WNF state. - Specific meaning of the error: The phrase "
notificationIdNotRetrieved" appears because the function receiving the data receives an empty buffer or a structure that does not conform to the expected JSON/Binary format. Because the buffer is empty (due to the server sending an empty packet),deviceenrollercannot extract theNotificationId. - Consequence: On older versions of Windows, if the ID is not found, the system will fallback and still activate OMA-DM. However, on 24H2/25H2, this error returns
HRESULT: Unspecified error(usually E_FAIL or 0x80004005) and immediately terminates the process before the synchronization request to the server is generated.
No. This error is completely unrelated to vTPM, Secure Boot, or the Azure VM virtualization environment.
This is an OS-level behavior change applied synchronously across Windows 11 24H2 and 25H2 to enforce new power control and security policies against denial-of-service (DoS) attacks that drain device battery power through the continuous sending of virtual WNS push packets.
Solution to solve problem:
- Experiment with Payload Structure (Fuzzing): Instead of sending an empty (0-byte) body in the POST method to
ChannelURI, try sending a JSON string containing key-value pairs similar to how Intune or Windows Push defines them. For example:
{ "NotificationId": "một_chuỗi_guid_ngẫu_nhiên", "IsCritical": true, "Type": "DataSync" }- Validate by disabling Feature Flags (Test Environment): If you have deep access to these test builds, you can use a tool like ViVeTool to find and disable the
DMPushMessageSetCriticalfeature (if you can find the ID of this feature). If, after disabling it, pushes work normally again, this confirms the new payload structure hypothesis 100%. - Request for support from Microsoft: Since this is a "breakthrough change" directly affecting the DMClient CSP public documentation, you can open a commercial support ticket (Commercial Support) directly to the Microsoft Windows MDM Core team, attaching this Event Log 4603, to request that they provide the new Payload Specification structure (Payload Parameters) that requires third-party implementation.
TV
-
Victor Lyuboslavsky 0 Reputation points
2026-06-01T16:29:58.06+00:00 The suggested JSON body (with the correct raw content-type) reproduces the exact 4603 notificationIdNotRetrieved failure, identical to today.
Sign in to comment - Operating mechanism: When WNS pushes a packet down,