diff --git a/changes/28240-log-invalid-soap-msg b/changes/28240-log-invalid-soap-msg
new file mode 100644
index 0000000000..bb865c7875
--- /dev/null
+++ b/changes/28240-log-invalid-soap-msg
@@ -0,0 +1 @@
+Log invalid Windows MDM SOAP message and return 400 instead of 5XX. This change helps debug Windows MDM issues.
diff --git a/server/service/microsoft_mdm.go b/server/service/microsoft_mdm.go
index f540d97f52..b0118e01b0 100644
--- a/server/service/microsoft_mdm.go
+++ b/server/service/microsoft_mdm.go
@@ -36,6 +36,8 @@ import (
 	"github.com/google/uuid"
 )
 
+const maxRequestLogSize = 10240
+
 type SoapRequestContainer struct {
 	Data   *fleet.SoapRequest
 	Params url.Values
@@ -60,7 +62,9 @@ func (req *SoapRequestContainer) DecodeBody(ctx context.Context, r io.Reader, u
 		// Unmarshal the XML data from the request into the SoapRequest struct
 		err = xml.Unmarshal(reqBytes, &req.Data)
 		if err != nil {
-			return ctxerr.Wrap(ctx, err, "unmarshalling soap mdm request")
+			// We log the request body for debug by using an error implementing ErrWithInternal interface.
+			return ctxerr.Wrap(ctx, &fleet.BadRequestError{Message: "unmarshalling soap mdm request: " + err.Error(),
+				InternalErr: fmt.Errorf("request: %s", truncateString(string(reqBytes), maxRequestLogSize))})
 		}
 	}
 
@@ -2348,3 +2352,11 @@ func buildCommandFromProfileBytes(profileBytes []byte, commandUUID string) (*fle
 
 	return command, nil
 }
+
+// truncateString truncates a string to maxLen characters, adding "..." if truncated
+func truncateString(s string, maxLen int) string {
+	if len(s) <= maxLen {
+		return s
+	}
+	return s[:maxLen] + "..."
+}