Microsoft

System Center Configuration Manager Feedback

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building System Center Configuration Manager, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) Please note that the System Center Configuration Manager feedback site is moderated and is a voluntary participation-based project. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos which you do not want to grant a license to Microsoft. See the “User Voice Terms of Service” link below for more information.

How can we improve Configuration Manager?

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. RBA on the Folder level

    Currently Administrators have the ability to set Role Based Access to Collections but we do not have the ability to block access to specific folders. Currently in my environment we have many different departmental administrators who need to manage only their machines and their collections. each time we add collections we then need to grant them access. if the Role Based Administration gave the ability to grant access on the folder level it would reduce the complexity for area's that have a setup similar to mine.

    I have attached a screenshot of how my setup looks.

    415 votes
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      Noted  ·  13 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
    • Create a new option in RBAC that disallows a user from modifying ONLY a maintenance window, but allows for other device collection changes.

      Currently if you disable the modification of settings in a device collection through RBAC, you cannot modify ANY settings. I wish there was a way to only disallow the modification of Maintenance Windows.

      22 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        1 comment  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
      • Include the Reports Viewer Role out of the box

        Why not automatically include a reports viewer security role out of the box with CM? As a consultant I install CM from scratch regularly and always have to add this role manually as every customer wants it.

        Brian Mason and Kent Agerlund give examples here:
        http://www.mnscug.org/blogs/brian-mason/162-report-user-role
        http://blog.coretech.dk/kea/creating-the-reporting-user-role-in-configmgr-2012/

        15 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          1 comment  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
        • Importing a new device with variables doesn't work if you don't have access to ALL devices\ All Systems Collection

          We have RBAC implemented such that console users do not have read permission to the All System collection. Instead, we have delegated collections of devices to which they can admin, using a query rule to include device objects created matching certain criteria (name starts with some defined value, no client registered, created via manual machine entry, CAS site code). The issue is that when using the computer import wizard and selecting to use a CSV for bulk import, the wizard crashes with a permission error when defining device variables. The wizard succeeds only if the devices are imported ignoring the…

          13 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
          • Elevated Access - Delete Collections

            Full Administrators should have the ability to delete collections no matter what roles are assigned. Currently in our environment we have multiple roles that have access to various collections and once a collection is created it cannot be deleted unless it is removed from a large number of roles.

            Request to have the ability to delete with confirmation, this will remove the collection (if empty) no matter what assignments are set on it.

            5 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              Noted  ·  0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
            • RBA Role Prompt when launching console

              Many of the other System Center products allow a single user account to have many different roles assigned, and instead of merging them like Configuration Manager does, they prompt at login which role should be applied. This allows an admin for example, to have one account that they can manage all workstations, but then reopen the same console and choose a different role to manage all servers. This would solve many issues that come up when dealing with scoping issues where an object that was created do not have the correct scopes applied. It will also address a concern that…

              3 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                1 comment  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
              • effective permissions

                Provide the ability to see the effective permission of an administrative user in the security node. This can be similar to the effective policies for client settings. The RBA viewer provides the show me information but you are not able to pick an administrative user and see what all their inherited permissions are in the console.

                3 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                • ability to apply security scopes to deployments

                  would be great if we could set security scopes on deployments. we offer sccm as a service to multiple groups using RBA. one group provides applications that can be viewed by all other groups. unfortunately they cannot see all of the deployments made from these applications as they only have visibility to their own devices/collections.

                  3 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                  • Create JEA templates for diffrent SCCM roles

                    Just Enough Administrator (JEA https://msdn.microsoft.com/en-us/library/dn896648.aspx) is something that would increase security and enable support personell to troubleshoot SCCM on clients/server without giving them full administrator rights.

                    Maybe you could provide JEA templates that match the diffrent RBAC roles in SCCM.

                    For example a JEA Patch Admin template could allow the following:
                    - Read SCCM logs
                    - Read Windowsupdate.log
                    - Restart the Windows Update service
                    - Read WMI related to Updates
                    - and so on.

                    Providing templates like this would simplify the process of getting started with JEA. It would be even better if MS could provide templates for other…

                    2 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                    • Move RBAViewer into the console

                      RBA Viewer has been overlooked for too long and offers a lot of great features over the admin console. Why not combine the features into the console?

                      1 vote
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                      • Set Security Scopes for MAM Policy

                        Application Management Policies can't be scoped by Security Scopes in RBA. There's multiple team that manage MAM policies and we don't want to show all MAM policies to both teams. Having the ability to set security scopes will restrict the chance of major consequences and security issue.
                        Thanks

                        1 vote
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                        • RBA Detailed report per Administrative User

                          Ability to right click an "Administrative User" and have the ability to export their permissions to a detailed report.

                          For example:

                          The ability to see what permissions they have for a particular role when its matched to a scope and/or a collection.

                          Right now I a maintain this in a spreadsheet. It is not enough to say this "Administrative User" is a package admin. Since we can create custom security roles, having the ability to see the specifics via a report per user will be very helpful.

                          Also when a CM update is released, please include any additions, modifications or…

                          1 vote
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            0 comments  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                          • Ability to provision gMSA as an Administrative User

                            As of CB 1702, we can provision AD Users or Groups as administrative users in SCCM. However, gMSAs (Group Managed Service Accounts) can't be directly provisioned - though you can work around that by creating an AD group with the gMSA as a member and provisioning that group in SCCM.

                            It'd be helpful if we could directly provision gMSAs in SCCM; I don't see any reason why this shouldn't be allowed.

                            Thanks

                            0 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              1 comment  ·  RBA  ·  Flag idea as inappropriate…  ·  Admin →
                            • Don't see your idea?

                            Feedback and Knowledge Base