From b48b264157f66492bbee4beaeeb644a0eed96711 Mon Sep 17 00:00:00 2001 From: Magnus Jensen Date: Wed, 17 Dec 2025 09:16:31 -0400 Subject: [PATCH] Add note about Windows profile verification using CDATA to use escaped XML (#37282) **Related issue:** Resolves #33350 This is solely a docs change, since I've verified it works by escaping instead of using CDATA. Could also solve/close: https://github.com/fleetdm/fleet/issues/33731 --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> --- articles/creating-windows-csps.md | 2 ++ articles/custom-os-settings.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/articles/creating-windows-csps.md b/articles/creating-windows-csps.md index d1fd22e24f..764d5edab7 100644 --- a/articles/creating-windows-csps.md +++ b/articles/creating-windows-csps.md @@ -232,6 +232,8 @@ Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DeviceManagement-Ente [This](https://blog.mindcore.dk/2022/09/intune-error-codes-and-solutions/) blog post can also help you translate error codes that are present here. +> If you encounter the error: "The MDM protocol returned a success but the result couldn’t be verified by osquery", and the profile includes `[!CDATA []]` sections, [escape the XML](https://www.freeformatter.com/xml-escape.html) instead of using CDATA. For example, `[!CDATA[]]>` should be changed to `<enabled/>`. + ## Conclusion diff --git a/articles/custom-os-settings.md b/articles/custom-os-settings.md index 16b6191ca9..c3c7de60f7 100644 --- a/articles/custom-os-settings.md +++ b/articles/custom-os-settings.md @@ -100,6 +100,8 @@ To verify that the OS setting is applied, run the following osquery query: SELECT data FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Policies\employee\Attributes\Subteam'; ``` +> If your Windows profile fails with the following error: "The MDM protocol returned a success but the result couldn’t be verified by osquery", and the profile includes `[!CDATA []]` sections, [escape the XML](https://www.freeformatter.com/xml-escape.html) instead of using CDATA. For example, `[!CDATA[]]>` should be changed to `<enabled/>`. + ### Broken profiles If one or more labels included in the profile's scope are deleted, the profile will not apply to new hosts that enroll.