Major Device Management Schema Overhaul: Android FOTA, Role States, Wi-Fi Security, and More in Microsoft Entra & Intune

WHAT JUST CHANGED: Core Device Management Schema Update
Effective June 2024, Microsoft rolled out a significant update to the Entra and Intune device management schema, affecting the Microsoft Graph API surface and portal configuration workflows. This change is generally available for all commercial tenants with Intune and Entra ID licensing. The highlights:
- Android FOTA Schema: Added samsungEFotaFirmwareVersion and samsungEFotaFirmwareVersionTarget resources.
- Added samsungEFotaFirmwareVersions property to deviceManagement; removed the relationship and both resources.
- Introduced androidAppCredentialProviderRoleState enumeration and new credentialProviderRoleState properties for Android app configurations.
- Wi-Fi Security: Added wpa3Personal to wiFiSecurityType enum.
- New properties for device configurations: isKioskModeExitCodeSet (Android), controlledConfigurationEnabled (Windows).
- New resources: windowsZtdnsExemptionRule, deviceConfiguration, windowsZtdnsConfiguration.
- DEP onboarding: Added releaseAppleDevices method.
- Assignment-related enumerations and targets: deviceAndAppManagementAssignmentFilterType, deviceAndAppManagementAssignmentSource, deviceAndAppManagementPayloadType, devicePlatformType, allDevicesAssignmentTarget, allLicensedUsersAssignmentTarget.
All tenants using Intune device management—especially those with Samsung Android FOTA workflows or automated Graph integrations—are affected. Immediate review is required for any automation, custom scripts, reporting, and policy assignments relying on deprecated properties or relationships.
WHAT’S NEXT ON THE ROADMAP
Microsoft is accelerating the consolidation of device management schemas into unified, cross-platform resources—expect further deprecation of legacy relationship objects and tighter integration with Entra ID role-based access control (RBAC).
- Android FOTA: Watch for expanded firmware version targeting and reporting in the next Intune update.
- Credential Provider: Role states will soon be surfaced in UX and API for granular app assignment and credential workflow management.
- Wi-Fi Security: WPA3 Enterprise support is in Public Preview; admins should plan for migration as device OS support expands.
- DEP Apple Devices: Expect more granular device release management and integration with Apple Business Manager.
- Assignment Targets: Dynamic device and user assignment will move toward unified filters, with legacy group-based assignments deprecated in late 2024.
Stay alert for Microsoft 365 Copilot-driven device management insights—Intune/Entra integration will soon recommend assignment targets, detect configuration drift, and automate compliance reporting.
WHY THIS DIRECTION IS BETTER
- Schema Simplification: Replacing relationships with direct properties (e.g., samsungEFotaFirmwareVersions) reduces API complexity and improves query performance.
- Role State Granularity: The new credentialProviderRoleState enum enables precise control over Android app credential workflows, aligning Intune with modern RBAC expectations.
- Wi-Fi Security Modernization: Adding WPA3 Personal boosts security, future-proofs device configurations, and aligns with NIST recommendations.
- Assignment Target Unification: The shift to assignment filters and dynamic targets streamlines policy deployment, reducing errors and improving scalability.
- Deprecation Clarity: Removal of deprecated resources and relationships declutters the API surface, easing maintenance and troubleshooting.
These improvements bring Microsoft’s device management ecosystem closer to parity with leading IdPs (like Jamf, VMware Workspace ONE, Okta), while offering tighter integration with Entra ID identity and access controls.
ADJACENT ENTRA ID CHANGES TO WATCH
- Entra ID Role Assignments: New device management admin roles are rolling out, enabling least-privilege access for device configuration assignments.
- Microsoft.Graph Module Updates: The latest PowerShell module supports the new deviceManagement schema—update your scripts to avoid deprecated calls.
- Conditional Access for Devices: Device compliance is now a first-class conditional access signal; review CA policies to leverage new device attributes.
- Audit Logging: Device configuration changes are now logged to Entra ID audit logs for unified visibility—ensure your SIEM integration is up to date.
WHAT TO DO: Step-by-Step Admin Actions
- Review Automation: Audit all custom scripts and Graph queries for references to deprecated resources/relationships (samsungEFotaFirmwareVersion, samsungEFotaFirmwareVersionTarget, etc.).
- Update Scripts: Move to the new properties and enumeration types (samsungEFotaFirmwareVersions, androidAppCredentialProviderRoleState, wpa3Personal).
- Test Assignment Filters: Validate any use of allDevicesAssignmentTarget and related assignment enums in device policies.
- Portal Verification: Check device configuration and assignment settings in the Entra and Intune admin centers.
- Compliance Report: Use Microsoft.Graph PowerShell to generate a device configuration compliance report, focusing on schema changes.
- Notify Stakeholders: Inform device management, automation, and security teams of the schema updates and potential impacts.
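The "Review Automation" and "Update Scripts" steps above amount to a static scan of your own automation for the renamed identifiers. The following PowerShell is an added example, not part of the original post or any Microsoft module: it walks a folder of scripts, reports every hit on a deprecated identifier with its replacement, and uses word boundaries so the new plural samsungEFotaFirmwareVersions is not misreported as the deprecated singular. The folder name and the sample script it scans are constructed for the demonstration.

```powershell
# Added example: find deprecated June 2024 schema identifiers in local automation.
# Deprecated identifier -> what the change list says replaces it.
$SchemaMigrations = @{
    'samsungEFotaFirmwareVersionTarget' = 'samsungEFotaFirmwareVersions (property on deviceManagement)'
    'samsungEFotaFirmwareVersion'       = 'samsungEFotaFirmwareVersions (property on deviceManagement)'
}

function Find-DeprecatedSchemaUsage {
    param([Parameter(Mandatory)][string]$ScanRoot)   # hypothetical folder of your scripts

    foreach ($file in Get-ChildItem -Path $ScanRoot -Recurse -Include *.ps1, *.psm1, *.json -File) {
        $lineNo = 0
        foreach ($line in Get-Content -Path $file.FullName) {
            $lineNo++
            foreach ($old in $SchemaMigrations.Keys) {
                # Negative lookbehind/lookahead on identifier characters: 'samsungEFotaFirmwareVersion'
                # must not match inside 'samsungEFotaFirmwareVersions' or '...VersionTarget'.
                $pattern = "(?<![A-Za-z0-9_])$([regex]::Escape($old))(?![A-Za-z0-9_])"
                if ($line -match $pattern) {
                    [pscustomobject]@{
                        File        = $file.FullName
                        Line        = $lineNo
                        Identifier  = $old
                        ReplaceWith = $SchemaMigrations[$old]
                        Text        = $line.Trim()
                    }
                }
            }
        }
    }
}

# Constructed sample (not real tenant automation) written to a temp folder for the demo.
$sampleRoot = Join-Path ([IO.Path]::GetTempPath()) 'schema-audit-sample'
New-Item -ItemType Directory -Path $sampleRoot -Force | Out-Null
@'
$dm  = Get-MgDeviceManagement
$old = $dm.samsungEFotaFirmwareVersion          # deprecated resource: should be flagged
$tgt = $dm.samsungEFotaFirmwareVersionTarget    # deprecated resource: should be flagged
$new = $dm.samsungEFotaFirmwareVersions         # already migrated: must NOT be flagged
'@ | Set-Content -Path (Join-Path $sampleRoot 'legacy-fota.ps1')

# Expect exactly two findings, on lines 2 and 3 of the sample file.
Find-DeprecatedSchemaUsage -ScanRoot $sampleRoot |
    Format-Table Line, Identifier, ReplaceWith -AutoSize
```

Point -ScanRoot at the folder that holds your Graph automation to get the same report for real scripts; the scan is read-only.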
CHECK IT YOURSELF: PowerShell Audit for Schema Changes
Run this script with the Microsoft.Graph PowerShell SDK to inventory your device management schema and flag deprecated usage. It only reads from the tenant and produces a dry-run report; no changes are made.
# Requires the Microsoft.Graph.DeviceManagement and Microsoft.Graph.Devices.CorporateManagement modules.
# Read-only: every call below is a GET, so nothing in the tenant is modified.
# DeviceManagementApps.Read.All is needed for the app configuration query.
# Note: the properties checked here ship in the beta schema first; if the v1.0 cmdlets
# return nothing, run the same checks with the Microsoft.Graph.Beta equivalents (Get-MgBeta*).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All'

# Confirm the new samsungEFotaFirmwareVersions property is exposed on deviceManagement.
# Properties the SDK does not model as typed members arrive in AdditionalProperties, so check both.
$deviceManagement = Get-MgDeviceManagement
$hasFotaVersions = $deviceManagement.PSObject.Properties['SamsungEFotaFirmwareVersions'] -or
    ($deviceManagement.AdditionalProperties -and
     $deviceManagement.AdditionalProperties.ContainsKey('samsungEFotaFirmwareVersions'))
if ($hasFotaVersions) {
    Write-Output "samsungEFotaFirmwareVersions property EXISTS."
} else {
    Write-Output "samsungEFotaFirmwareVersions property NOT FOUND."
}

# Enumerate managed app configurations and report any carrying credentialProviderRoleState.
# The Android-specific property is not a typed member of the generic configuration object,
# so it is read from AdditionalProperties.
$appConfigs = Get-MgDeviceAppManagementMobileAppConfiguration -All |
    Where-Object { $_.AdditionalProperties.ContainsKey('credentialProviderRoleState') }
foreach ($config in $appConfigs) {
    Write-Output "AppConfig: $($config.DisplayName) - credentialProviderRoleState: $($config.AdditionalProperties['credentialProviderRoleState'])"
}

# Fetch all device configurations once (-All handles paging) and reuse the result.
try {
    $allConfigs = Get-MgDeviceManagementDeviceConfiguration -All
} catch {
    Write-Error "Failed to retrieve device configurations: $_"
    return
}

# Wi-Fi profiles are derived configuration types; wiFiSecurityType lives in AdditionalProperties.
$wifiConfigs = $allConfigs | Where-Object { $_.AdditionalProperties.ContainsKey('wiFiSecurityType') }
foreach ($wifi in $wifiConfigs) {
    Write-Output "Wi-Fi Config: $($wifi.DisplayName) - Security Type: $($wifi.AdditionalProperties['wiFiSecurityType'])"
}
Write-Output "Total Device Configurations: $($allConfigs.Count)"
PORTAL PATH: Where to Verify in Admin Center
- Intune Portal: Endpoint Security > Device Configuration > Android/Windows/iOS Profiles—check profile properties for new enums and assignment targets.
- Entra Admin Center: Devices > Device Management > Configuration—verify device configuration objects and assignment filters.
- Audit Logs: Entra ID > Monitoring > Audit Logs—search for device configuration changes related to the new schema.
BOTTOM LINE: Prioritised Recommendation
- Immediate: Audit and update all device management automation and assignment workflows to use the new schema and properties. Remove dependencies on deprecated objects.
- Short-Term: Test conditional access and compliance policies using new device attributes. Notify automation and device management teams of the change.
- Medium-Term: Watch for further assignment filter enhancements and prepare for group-based assignment deprecation later in 2024.