diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index b8ddb3ffeb..e2b23b7bf3 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format.
./Vendor/MSFT
DMClient
----Provider
---------
+--------ProviderID
------------EntDeviceName
------------ExchangeID
------------EntDMID
@@ -45,6 +45,10 @@ DMClient
------------HWDevID
------------ManagementServerAddressList
------------CommercialID
+------------ConfigLock
+----------------Lock
+----------------UnlockDuration
+----------------SecureCore
------------Push
----------------PFN
----------------ChannelURI
@@ -598,6 +602,27 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
+**Provider/*ProviderID*/ConfigLock**
+
+Configuration Drift is a major concern for commercial customers. Some customers view it as a security risk. This node mitigates the customer concern by bringing the capability to monitor and quickly remediate the policy configuration when a device is MDM managed.
+
+Default = Locked
+
+> [!Note]
+>If the device is not Secure Core, then this feature will not work.
+
+**Provider/*ProviderID*/ConfigLock/Lock**
+
+Supported operations are Add, Delete, Get. Supported values are 0-unlock, 1-lock.
+
+**Provider/*ProviderID*/ConfigLock/UnlockDuration**
+
+Supported operations are Add, Delete, Get. Supported values are 1 to 480 (in min).
+
+**Provider/*ProviderID*/ConfigLock/SecureCore**
+
+Supported operation is Get only. Supported values are false or true.
+
**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.