diff --git a/changes/issue-12288-windows-mdm-activities b/changes/issue-12288-windows-mdm-activities
new file mode 100644
index 0000000000..4b82ab8528
--- /dev/null
+++ b/changes/issue-12288-windows-mdm-activities
@@ -0,0 +1 @@
+* Added `enabled_windows_mdm` and `disabled_windows_mdm` activities when a user turns on/off Windows MDM.
diff --git a/docs/Using-Fleet/Audit-Activities.md b/docs/Using-Fleet/Audit-Activities.md
index a04249c3b0..395f7dc61a 100644
--- a/docs/Using-Fleet/Audit-Activities.md
+++ b/docs/Using-Fleet/Audit-Activities.md
@@ -824,6 +824,18 @@ This activity contains the following fields:
 }
 ```
+### Type `enabled_windows_mdm`
+
+Generated when a user turns on MDM features for all Windows hosts (servers excluded).
+
+This activity does not contain any detail fields.
+
+### Type `disabled_windows_mdm`
+
+Generated when a user turns off MDM features for all Windows hosts.
+
+This activity does not contain any detail fields.
+
\ No newline at end of file
diff --git a/server/fleet/activities.go b/server/fleet/activities.go
index c0db8110a7..4c6adfbcd4 100644
--- a/server/fleet/activities.go
+++ b/server/fleet/activities.go
@@ -67,6 +67,9 @@ var ActivityDetailsList = []ActivityDetails{
 ActivityTypeEnabledMacosSetupEndUserAuth{},
 ActivityTypeDisabledMacosSetupEndUserAuth{},
+
+ActivityTypeEnabledWindowsMDM{},
+ActivityTypeDisabledWindowsMDM{},
 }
 type ActivityDetails interface {
@@ -1006,6 +1009,28 @@ func (a ActivityTypeDisabledMacosSetupEndUserAuth) Documentation() (activity, de
 }`
 }
+type ActivityTypeEnabledWindowsMDM struct{}
+
+func (a ActivityTypeEnabledWindowsMDM) ActivityName() string {
+return "enabled_windows_mdm"
+}
+
+func (a ActivityTypeEnabledWindowsMDM) Documentation() (activity, details, detailsExample string) {
+return `Generated when a user turns on MDM features for all Windows hosts (servers excluded).`,
+`This activity does not contain any detail fields.`, ``
+}
+
+type ActivityTypeDisabledWindowsMDM struct{}
+
+func (a ActivityTypeDisabledWindowsMDM) ActivityName() string {
+return "disabled_windows_mdm"
+}
+
+func (a ActivityTypeDisabledWindowsMDM) Documentation() (activity, details, detailsExample string) {
+return `Generated when a user turns off MDM features for all Windows hosts.`,
+`This activity does not contain any detail fields.`, ``
+}
+
 // LogRoleChangeActivities logs activities for each role change, globally and one for each change in teams.
 func LogRoleChangeActivities(ctx context.Context, ds Datastore, adminUser *User, oldGlobalRole *string, oldTeamRoles []UserTeam, user *User) error {
 if user.GlobalRole != nil && (oldGlobalRole == nil || *oldGlobalRole != *user.GlobalRole) {
diff --git a/server/service/appconfig.go b/server/service/appconfig.go
index e7c3f1e683..25a2773d62 100644
--- a/server/service/appconfig.go
+++ b/server/service/appconfig.go
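Review bot: The four exported declarations added in this hunk (`ActivityTypeEnabledWindowsMDM`, `ActivityTypeDisabledWindowsMDM` and their `ActivityName`/`Documentation` methods) have no doc comments; Go convention is a sentence starting with the name, for example `// ActivityTypeEnabledWindowsMDM is the audit activity recorded when Windows MDM is turned on for all Windows hosts.` and the mirror sentence on the disabled type. The two `Documentation()` strings also disagree on scope: the enabled text says "(servers excluded)" while the disabled text says "all Windows hosts", and the same wording is copied verbatim into docs/Using-Fleet/Audit-Activities.md in the earlier hunk, so if servers are excluded in both directions both places need the qualifier, and if not, the enabled text should drop it. Since these strings are what an auditor reads to interpret the event, it is worth settling which one is right before merge.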
@@ -526,6 +526,19 @@ func (svc *Service) ModifyAppConfig(ctx context.Context, p []byte, applyOpts fle
 }
 }
+// if Windows MDM was enabled or disabled, create the corresponding activity
+if oldAppConfig.MDM.WindowsEnabledAndConfigured != appConfig.MDM.WindowsEnabledAndConfigured {
+var act fleet.ActivityDetails
+if appConfig.MDM.WindowsEnabledAndConfigured {
+act = fleet.ActivityTypeEnabledWindowsMDM{}
+} else {
+act = fleet.ActivityTypeDisabledWindowsMDM{}
+}
+if err := svc.ds.NewActivity(ctx, authz.UserFromContext(ctx), act); err != nil {
+return nil, ctxerr.Wrapf(ctx, err, "create activity %s", act.ActivityName())
+}
+}
+
 return obfuscatedAppConfig, nil
 }
diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go
index 1776e92cf5..2924f7f992 100644
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@@ -5083,6 +5083,7 @@ func (s *integrationMDMTestSuite) TestAppConfigWindowsMDM() {
 }`), http.StatusOK, &acResp)
 assert.True(t, acResp.MDM.WindowsEnabledAndConfigured)
 assert.True(t, acResp.MDMEnabled)
+s.lastActivityOfTypeMatches(fleet.ActivityTypeEnabledWindowsMDM{}.ActivityName(), `{}`, 0)
 // get the orbit config for each host, verify that only the expected ones
 // receive the "needs enrollment to Windows MDM" notification.
@@ -5105,6 +5106,7 @@ func (s *integrationMDMTestSuite) TestAppConfigWindowsMDM() {
 "mdm": { "windows_enabled_and_configured": false }
 }`), http.StatusOK, &acResp)
 assert.False(t, acResp.MDM.WindowsEnabledAndConfigured)
+s.lastActivityOfTypeMatches(fleet.ActivityTypeDisabledWindowsMDM{}.ActivityName(), `{}`, 0)
 // set the win-no-team host as enrolled in Windows MDM
 noTeamHost := hostsBySuffix["win-no-team"]
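Review bot: The `svc.ds.NewActivity` call sits at the very end of ModifyAppConfig, just before `return obfuscatedAppConfig, nil`, so when it fails the caller receives an error for a change that has presumably already been persisted earlier in the function (that part is outside the hunk); the Windows MDM toggle would then be in effect with no audit record of who flipped it, which is exactly the case an auditor cares about. At minimum the ordering deserves to be stated where the next maintainer will see it, e.g. extend the new comment to `// if Windows MDM was enabled or disabled, create the corresponding activity; the config is already saved at this point, so a failure here surfaces as an error on an already-applied change`. If the rest of this function has an established place where activities for other settings are written, this one should follow it so the failure semantics stay consistent. ModifyAppConfig begins outside the hunk.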
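Review bot: The two new `s.lastActivityOfTypeMatches` assertions (this hunk and the `@@ -5105` hunk below) only cover the true→false and false→true transitions, so the guard in appconfig.go that suppresses the activity when `windows_enabled_and_configured` is re-submitted with its current value is never exercised; a regression that logs `enabled_windows_mdm` on every app config PATCH would still pass. After the first assertion, re-apply the same `"windows_enabled_and_configured": true` payload and check that no further activity of that type was recorded, using whatever activity-count or last-activity helper the suite already provides. TestAppConfigWindowsMDM begins and ends outside both hunks.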