Ideas
What features would you like to see?
All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Configuration Manager, though we can’t promise to reply to all posts.
If you require assisted support, please see https://aka.ms/cmcbsupport for more details.
-
Provide Support for BitLocker Management with IBCM
Currently, internet-based clients are able to receive BitLocker Management policies via IBCM but are unable to contact the Recovery Service. I have found that this is due to the MBAM Agent looking for the CurrentManagementPoint in WMI at ROOT\ccm:SMS_Authority.Name="SMS:<SiteCode>".
It is possible to "trick" the MBAM Agent into using the internet-based MP by adding the IBCM FQDN into the MP property at ROOT\ccm\LocationServices:SMS_MPInformation.MP="<IBCM FQDN>". This allows the agent to successfully find the Recovery Service MP and communicate!
I am aware that there may be more to it than just facilitating this communication but wanted to at least share that achieving…
25 votes -
Support MBAM / Bitlocker Management IIS roles on CMG
Seeing how the Recovery Service endpoint only requires IIS and a Management Point role, would it be feasible to have the endpoint run on CMG?
Internet-based clients in a co-management environment cannot reach the internal MP URL unless they use a VPN connection. We could leverage the BitLocker CSP policies available in Intune, but that doesn't offer integration with recovery keys stored in the SQL DB, or the Helpdesk and Self-Service portals.
Supporting the MBAM role through CMG could be a quick win.
46 votes -
Include the MBAM Administration Service in CM's BitLocker Management
The one component from MBAM which has not so far been included in CM BitLocker Management is the Administration Service. This web service is used as the API entry point for 3rd-party systems and custom automation activities for things like retrieving recovery keys.
7 votes -
Allow the use of BitLocker Management Self-Service\Help Desk portals when using non-standard SQL ports
Would like to be able to use BitLocker Management portals when using non-standard SQL ports. Currently the install script\configuration requires standard ports in order to be able to install.
2 votes -
MBAM fully integrated in 1910 does not have enforcement option
Great to see MBAM fully integrated in CM 1910, but the policy does not have any option to enforce the encryption. The user can always postpone it.
For more info, see this: https://www.youtube.com/watch?v=kRkyx_-l9QU
57 votes -
Include all ASR Rules in Windows Defender Exploit Guard
Some Attack Surface Reduction Rules are missing in the Windows Defender Exploit Guard settings.
Please include the following Rules:
Block Office communication application from creating child processes
Block Adobe Reader from creating child processes
Block persistence through WMI event subscription
44 votes -
Enable Tamper Protection via SCCM
It would be nice to have the ability to enable Tamper Protection in Defender via SCCM antimalware policy
76 votes
Thanks for your feedback, updating status to Noted.
See https://docs.microsoft.com/en-us/mem/configmgr/core/understand/find-help#send-a-suggestion for an explanation of each value.
-
Add time-based policies
For policies, especially related to content filtering, it would be great to have much more strict enforcement during business hours than during non-business hours on company equipment.
Alternatively, this would be a good tool to help enforce usage policies for hourly employees who should not be accessing certain equipment after business hours, to ensure there are no labor law violations.
1 vote -
Enhance Web Content Reporting For Time of Day
When reporting it would be great to see time of day for activity. For example, I may care less about social media or YouTube usage in evenings on company equipment than during the day.
1 vote -
Manage Controlled Folder Access on Windows Server 2019
Be able to manage Controlled Folder Access on Windows Server 2019 from Microsoft Endpoint Configuration Manager
3 votes -
Defender ATP onboarding policy shows error when successful
Defender ATP onboarding policy shows error when successful.
0 votes -
Deploy Microsoft Defender ATP Policy to user collection
It should be possible to deploy a Microsoft Defender ATP Policy to a User collection, not just a Device collection.
1 vote -
MBAM Policy configurations for different drives
It would be good if we could set different policy configurations for the OS Drive, Fixed Data Drive & Removable Data Drive.
Currently we are not able to configure only the OS Drive.
2 votes -
Windows Defender Application Control - enhance it with more rule types
In 1906, WDAC rules can be modified only on the folder and file level, and that is not enough. Like in AppLocker, we need Publisher rules and file signing support. It is great that ex-Device Guard starts to be more or less accessible to control with a GUI, but current features are not enough to utilize it in production yet. Please make it as controllable as AppLocker.
36 votes -
Add a file hash to Windows Defender detection alerts
Adding a file hash of detected or suspected malware so that further research can be done using VirusTotal and similar resources.
As it is now, the threat information provided by Microsoft has very little detail, and restoring files from quarantine to analyze them isn't ideal either
38 votes -
Implement RBAC control settings for BitLocker Management
Currently only a Full Administrator can create or deploy a BitLocker Management policy. Please enable these rights to be delegated.
6 votes -
BitLocker exception for USB only
Currently with MBAM integration, the only exception is for the whole device to be excluded. We have certain USB devices (scanners/cameras/medical equipment) that are seen as USB mass storage and therefore encryption is required, along with some users who have legitimate business reasons to not need to encrypt USB devices. We still require the HDD to be encrypted but allow the USB to be excluded.
We have our current GPO-based BitLocker set with the USB encryption in a separate policy so it can be excluded by devices in an AD group to allow these scenarios. Currently this prohibits moving…
1 vote -
Add the ability to unlock a BitLockered drive in WinPE via MBAM
For refresh/reinstall scenarios in WinPE where you have an already MBAM-managed/BitLockered client and you want to reinstall it or refresh to a new OS, the OS drive is BitLockered and therefore you cannot read it or pull data from it (USMT). We've used various versions of this for MBAM: https://www.windows-noob.com/forums/topic/4173-how-can-i-retrieve-my-bitlocker-recovery-key-from-mbam-in-windows-pe/ but it would be nice if this ability were integrated within ConfigMgr now that MBAM is integrated too, and to do it securely via HTTPS.
10 votes -
BitLocker computer compliance
The BitLocker computer compliance report does not show the C: drive compliance information if there is an extra drive in the machine (D: for example)
1 vote -
Exploit Guard Controlled folder access
Through SCCM, we are unable to add UNC paths in Controlled Folder Access settings when we click on the "Allow apps through Controlled folder access" setting. It only accepts local paths. Please add the possibility to add UNC paths, because we have some business applications that are blocked by Controlled Folder Access.
18 votes