Import or use ADMX Files to create compliance settings/items and us SCCM to deploy these Settings instead of active directory gpo

Today you have to ability to run JScript, Windows PowerShell or VBscript scripts to remediate condition on Clients in ConfigMgr. But sometimes runing a program from a package would also be a very useful. Example, run a reboot program like the Cortech Shutdown tool if computer/server is non-compliant.

Right now if you use HKCU and try to create a DWORD value that does NOT exist, even though you set remediation up properly and select the box that says to create the value as a REG_DWORD, it still does not create the entry at all and the baseline reads as compliant. The creation of DWORD values using baselines has been a common post on forums for many years.

Right now Configuration Baselines have the option "Always apply this baseline even for co-managed clients". This is great as our journey to Modern Management and Intune will likely take several years and our investment in on-prem ConfigMgr is significant.

It would be very useful if this option could apply to other Compliance Settings which cannot be added to a baseline. One example is Company Resource Access -> Wi-Fi Profiles. Right now, co-managed devices will ignore Wi-Fi profiles deployed to them. This is limiting for those of us still getting started with Intune and Modern Management.

We have some workgroup servers which are unable to access the enterprise CA so we want to deploy some root CA certificates to them per sccm.
Currently it is only possible to select client OSE's on the supported plattform page. Please allow server OSE's as well.
Thanks

I would like to turn off powershell transcripting in configuration item. If I run PS script in user mode (means "Run scripts by using the logged on user credentials" is enabled.) then it creates a folder under user's mydocuments folder. It is very annoying.

There is no option currently to create a custom client settings for Compliance Scheduling for specific Compliance Baseline deployment.

It would be great if we get an option.

Hello,

Data and Users Profiles are good to get rid of the equivalent GPO settings. However, they lack the possibility to be deployed to Computers Collections.

Offline Folders for instance can be set as 'Computer setting' with GPO and you can't do the equivalent with SCCM as you can only deploy to 'Users Collections'.

Best regards,
Michael De Bona

In the new condition "Valid operating system build" added to Windows 10 (w/o CM) compliance policies it would be very useful to have a drop down with build version numbers translated to meaningful names. Otherwise we have to go external and find a version list. Even better if it could be pulled from the CM DB for existing versions in the same way you can with collection queries.

Hello,

Can you add on the "Non-Compliant" tab the column "Actual Value"
Because actually we need to click on each device to know this actual value ...

I'd like to be able to report on compliance for Tier 1 apps using the same mechanism I use for other compliance settings. It would be a nice convenient way of showing Tier 1 apps coverage in a single report

In tech-preview 1606 an awesome feature has been added that let's you take an action on a compliance policy if it is not met.

What would be awesome would be the ability to apply a configuration item/baseline on the non compliant device.

E.g. If an intune device such as iOS has a malicious threat installed (combined with the compliance setting maximum threat level an action to remediate the threat by applying a configuration item that completely locks down that device)

See Suzanne Grant (Intune MSFT) for full scenario. Great work guys!

Currently there is no option to add a psk to an L2TP VPN when deploying a VPN Profile from Config Manager VPN Profile Wizard. This would be good to have so that it is a one-stop solution, rather than having to continue using CMAK or (as our client wants to do) forcing a powershell script to work. This missing option is the only thing stopping us using the built in tools.

Need to be able to enable/configure Credential Guard via Compliance Settings with per-collection deployments. Need to get compliance data reported back.

We currently have 4-5 option for Subject Name format while creating the Certificate Profile using SCEP. We want to add custom text to the subject line to indicate the particular device type that the user profile is on. For example, for a particular group of laptops we might want to include the text ‘DeviceTypeX’. Our VPN solution checks the certificate for this text and allows the user to access a different set of services.

We use folders to organize Configuration Items (Applications, Task Sequences, etc.) however there is no place to view all the CIs in a category. You have to click on each individual folder to view those CIs. For example, it would be nice to select Applications and see all of your Apps listed there instead of having to select each folder to view Status or check for duplicates. Each folder should do the same for its sub-folders. Having a column that shows which folder/sub-folder the CI is in would be helpful as well.

Provide out-of-the-box global conditions for Microsoft products. For example, provide conditions for Office products or .NET or Visual Studio

Can we get compliance charts for Configuration Items in the console like in the new Endpoint analytics (Preview) | Proactive remediations. Much like Client Data Sources, be able to select an item/baseline and a period and get a nice chart/graph of detection and remediation.