I believe the Windows Defender Configurations and specifically the Exploit Guard configuration settings are evaluated very similarly to a configuration baseline. It would be awesome if we could see this under the Configurations Tab in the Config Manager client so we can see revision information + force re-evaluation.

There is no option currently to create a custom client settings for Compliance Scheduling for specific Compliance Baseline deployment.

It would be great if we get an option.

I'd like to be able to report on compliance for Tier 1 apps using the same mechanism I use for other compliance settings. It would be a nice convenient way of showing Tier 1 apps coverage in a single report

We have some workgroup servers which are unable to access the enterprise CA so we want to deploy some root CA certificates to them per sccm.
Currently it is only possible to select client OSE's on the supported plattform page. Please allow server OSE's as well.
Thanks

Today you have to ability to run JScript, Windows PowerShell or VBscript scripts to remediate condition on Clients in ConfigMgr. But sometimes runing a program from a package would also be a very useful. Example, run a reboot program like the Cortech Shutdown tool if computer/server is non-compliant.

Currently there is no option to add a psk to an L2TP VPN when deploying a VPN Profile from Config Manager VPN Profile Wizard. This would be good to have so that it is a one-stop solution, rather than having to continue using CMAK or (as our client wants to do) forcing a powershell script to work. This missing option is the only thing stopping us using the built in tools.

In the new condition "Valid operating system build" added to Windows 10 (w/o CM) compliance policies it would be very useful to have a drop down with build version numbers translated to meaningful names. Otherwise we have to go external and find a version list. Even better if it could be pulled from the CM DB for existing versions in the same way you can with collection queries.

Hello,

Data and Users Profiles are good to get rid of the equivalent GPO settings. However, they lack the possibility to be deployed to Computers Collections.

Offline Folders for instance can be set as 'Computer setting' with GPO and you can't do the equivalent with SCCM as you can only deploy to 'Users Collections'.

Best regards,
Michael De Bona

Right now if you use HKCU and try to create a DWORD value that does NOT exist, even though you set remediation up properly and select the box that says to create the value as a REG_DWORD, it still does not create the entry at all and the baseline reads as compliant. The creation of DWORD values using baselines has been a common post on forums for many years.

Unlike Applications you cannot disable a compliance setting. Currently I have to change there name and add "Disabled" in the front so when they show on the baseline list people know that they are currently not in production.

I would like to be able to use the results of a configuration item to create collections.

An example would be I have a CI that collects the value of a registry key on computers. I am returning the value of that reg key. I would like to be able to create collections based on the value of the reg key result I had returned.

If I have it return the string “1234”. I want create a collection based off of computers that return 1234.

Can we get compliance charts for Configuration Items in the console like in the new Endpoint analytics (Preview) | Proactive remediations. Much like Client Data Sources, be able to select an item/baseline and a period and get a nice chart/graph of detection and remediation.

We would like for users to have to agree to terms and conditions to use any of our domain machines, not just Intune machines. If the SCCM client could handle terms and conditions at the PC that would be great.

Something that checked to see if they had previously agreed. If not show the terms and conditions and agree button or log off button.

We use folders to organize Configuration Items (Applications, Task Sequences, etc.) however there is no place to view all the CIs in a category. You have to click on each individual folder to view those CIs. For example, it would be nice to select Applications and see all of your Apps listed there instead of having to select each folder to view Status or check for duplicates. Each folder should do the same for its sub-folders. Having a column that shows which folder/sub-folder the CI is in would be helpful as well.

Currently when setting up a configuration item with application settings, you are able to point to an application in ConfigMgr to use for a detection method. The issue is that if you want to export and share the CI, the import fails is the application does not exist the COnfigMgr site. It would be better if it grabbed the detection method from the application but added that to the CI to be independent of the application. So instead of pointing to the application for the detection method, the method gets copied over (copy instead of pointer).

We currently have 4-5 option for Subject Name format while creating the Certificate Profile using SCEP. We want to add custom text to the subject line to indicate the particular device type that the user profile is on. For example, for a particular group of laptops we might want to include the text ‘DeviceTypeX’. Our VPN solution checks the certificate for this text and allows the user to access a different set of services.

Provide out-of-the-box global conditions for Microsoft products. For example, provide conditions for Office products or .NET or Visual Studio

The Set-CMComplianceSupportedPlatform does not seem to be finished. When I use it against a CI it states the following:
$CIRule | Set-CMComplianceSupportedPlatform
WARNING: The 'Set-CMComplianceSupportedPlatform' cmdlet is a beta-quality and is not yet complete. It may not be fully functi
onal, and may be changed or removed in a future release. It is provided for testing purposes and should not be used for produ
ction purposes.

I don't have a way to set which OSes apply to a configuration item via powershell. See this forum post for more info.
https://social.technet.microsoft.com/Forums/en-US/b494dc56-2952-4bf6-809e-481628ceafec/setting-configuration-item-supported-platforms-with-powershell?forum=ConfigMgrCBGeneral

When checking compliance levels of software updates there is often a need to remove older updates from the baseline but this can only be done one at a time.

Also provide a method via powershell to remove individual items from baselines