Microsoft has announced that starting July 31, 2025, several Microsoft Graph beta API endpoints related to device management scripts will require new application permissions. This change affects how tools and device scripts interact with Intune.

What’s Changing?

If you’re using any of the Microsoft Graph beta endpoints listed below, you’ll need to update your app registration to use the new DeviceManagementScripts permissions. After the July deadline, using the older permissions will result in API failures.

Affected Graph API Endpoints:

These endpoints are commonly used in Intune for deploying PowerShell scripts, running remediation actions, and enforcing custom compliance logic:

  • /deviceManagement/deviceShellScripts
  • /deviceManagement/deviceHealthScripts
  • /deviceManagement/deviceComplianceScripts
  • /deviceManagement/deviceCustomAttributeShellScripts
  • /deviceManagement/deviceManagementScripts

Permission Changes:

Old Permissions (Deprecated) | New Permissions (Required)
DeviceManagementConfiguration.Read.All | DeviceManagementScripts.Read.All
DeviceManagementConfiguration.ReadWrite.All | DeviceManagementScripts.ReadWrite.All

Microsoft is introducing this change to enforce least-privilege access by scoping permissions more narrowly to their intended use. Rather than granting broad access to all device configuration functionality, script-based endpoints now require dedicated access rights.

Until July 31, 2025, both old and new permission sets will work. After that, tools or scripts using the deprecated permissions will fail.

Why It Matters

If you maintain custom tools or PowerShell automation, or rely on third-party solutions, that use these endpoints and their permissions are not updated, you may encounter silent failures or broken functionality after the cutoff date.

Potential impacts include:

  • Device provisioning flows using PowerShell scripts
  • Compliance remediation logic
  • Shell script-based attribute injection
  • Custom device health monitoring

Patch My PC Customers: No Action Required

We’ve reviewed the affected API endpoints and can confirm that Patch My PC Publisher does not use any of them. Therefore:

  • No Graph permissions need to be updated in your app registration or delegated admin consent
  • No changes are required in your Publisher configuration
  • No impact is expected to your update or deployment workflows

These permission changes do not affect any functionality in Patch My PC Publisher. Your app and update deployments will continue to operate without interruption or configuration changes.

Our Approach to Microsoft API Changes

Our engineering team actively monitors changes to Microsoft Graph (the API framework that powers Intune management) to ensure Patch My PC continues to operate securely, reliably, and in full alignment with Microsoft’s evolving platform.

If Microsoft introduces future API or permission changes that affect our platform, we’ll notify customers promptly and provide clear guidance to maintain compatibility and avoid disruption.

Need Help?

If you use other tools or custom logic that may rely on the affected endpoints, we recommend reviewing:

  • Your Azure AD app registrations
  • Your Microsoft Graph permission scopes
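
One way to run that review, as an added example (not Patch My PC or Microsoft code): the PowerShell below reports every app that holds a deprecated application permission without its replacement from the table above. The helper name `Find-ScriptPermissionGap` and the sample data are hypothetical; holding the old permission does not prove an app calls the script endpoints, so treat the output as a list of candidates to check.

```powershell
# Added example, not vendor code. Old -> new application permissions from the table above.
$PermissionMap = @{
    'DeviceManagementConfiguration.Read.All'      = 'DeviceManagementScripts.Read.All'
    'DeviceManagementConfiguration.ReadWrite.All' = 'DeviceManagementScripts.ReadWrite.All'
}

function Find-ScriptPermissionGap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $AppRoles,     # appRoles of the Microsoft Graph service principal
        [Parameter(Mandatory)] [object[]] $Assignments   # its appRoleAssignedTo entries
    )
    # Map each app role GUID to its permission name.
    $nameById = @{}
    foreach ($role in $AppRoles) { $nameById[[string]$role.Id] = $role.Value }

    # One group per client app; report each old permission held without its replacement.
    foreach ($app in ($Assignments | Group-Object -Property PrincipalId)) {
        $held = @($app.Group | ForEach-Object { $nameById[[string]$_.AppRoleId] })
        foreach ($old in $PermissionMap.Keys) {
            if ($held -contains $old -and $held -notcontains $PermissionMap[$old]) {
                [pscustomobject]@{
                    App        = $app.Group[0].PrincipalDisplayName
                    Deprecated = $old
                    Missing    = $PermissionMap[$old]
                }
            }
        }
    }
}

# Constructed sample data: the GUIDs are placeholders, not real role IDs.
$sampleRoles = @(
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000001'; Value = 'DeviceManagementConfiguration.ReadWrite.All' }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000002'; Value = 'DeviceManagementScripts.ReadWrite.All' }
)
$sampleAssignments = @(
    # "Remediation Runner" holds only the old permission, so it is reported.
    [pscustomobject]@{ PrincipalId = 'aaaa'; PrincipalDisplayName = 'Remediation Runner'; AppRoleId = '11111111-0000-0000-0000-000000000001' }
    # "Script Deployer" holds both, so it is not reported.
    [pscustomobject]@{ PrincipalId = 'bbbb'; PrincipalDisplayName = 'Script Deployer'; AppRoleId = '11111111-0000-0000-0000-000000000001' }
    [pscustomobject]@{ PrincipalId = 'bbbb'; PrincipalDisplayName = 'Script Deployer'; AppRoleId = '11111111-0000-0000-0000-000000000002' }
)
Find-ScriptPermissionGap -AppRoles $sampleRoles -Assignments $sampleAssignments

# Against a live tenant (Microsoft Graph PowerShell SDK):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
#   $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id -All
#   Find-ScriptPermissionGap -AppRoles $graph.AppRoles -Assignments $assigned
```

Once an app has been moved to the new permission and verified, removing the broader DeviceManagementConfiguration grant is what actually delivers the least-privilege benefit of the change.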

If you’re unsure whether your environment is impacted, our support team can help you evaluate your current configuration.

For more details, see Microsoft’s official documentation: Microsoft Graph changelog – In development

Summary

Microsoft is enforcing stricter Graph API permissions for script-related device management endpoints in Intune. Patch My PC does not use these endpoints, so no action is needed. Your deployment environment will continue to function as expected.

If you’d like help reviewing your Microsoft Graph permissions or ensuring your environment is future-proof, our team is here to assist.