Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Configuration Manager, though we canā€™t promise to reply to all posts.

Please do not use UserVoice to report product bugs or for assisted support.
If you believe you have found a product bug, please send us a bug report through the Configuration Manager Console (1806 and newer). To do this, press the šŸ™‚ button in the top right corner and choose ā€œSend a Frownā€. For more details, see https://docs.microsoft.com/en-us/sccm/core/understand/find-help.

If you require assisted support, please see https://aka.ms/cmcbsupport for more details.

Standard Disclaimer ā€“ our lawyers made us put this here ;-)
We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Microsoft Endpoint Configuration Manager feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Configuration Manager. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.


  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. MBAM fully integrated in 1910 does not have enforcement option

    Great to see MBAM fully integrated in CM 1910, but the policy does not have any option to enforce the encryption. User can always postpone it.

    For more info, see this: https://www.youtube.com/watch?v=kRkyx_-l9QU

    56 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  2. Windows Defender Application Control - enchace it with more rule types

    In 1906, WDAC rules can be modified only on Folder and Files level and that is not enough. Like in Applocker, we need Publisher rules and file signing support. It is great that ex-Device Guard starts to be more or less accassable to control with GUI, but current features are not enough to utilize it to production yet. Please make it to be as controllable as Applocker.

    36 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  3. Add the ability to unlock a bitlockered drive in WinPE via MBAM

    for refresh/reinstall scenarios in WinPE where you have an already MBAM managed/Bitlockered client, and you want to reinstall it or refresh to a new os, the OS drive is bitlockered and therefore you cannot read it or pull data from it (USMT), we've used various versions of this for MBAM https://www.windows-noob.com/forums/topic/4173-how-can-i-retrieve-my-bitlocker-recovery-key-from-mbam-in-windows-pe/ but it would be nice if this ability was integrated within ConfigMgr now that MBAM is integrated too and to do it securely via https

    10 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  4. Include all ASR Rules in Windows Defender Exploit Guard

    Some Attack Surface Reduction Rules are missing in the Windows Defender Exploit Guard settings.

    Please include the following Rules:
    Block Office communication application from creating child processes
    Block Adobe Reader from creating child processes
    Block persistence through WMI event subscription

    https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

    4 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  5. Enable Tamper Protection via SCCM

    It would be nice to have ability to enable Tamper Protection in defender via SCCM antimalware policy

    10 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  6. The Defender (EP) messages in ConfigMgr should be accessible to a SIEM system

    at the moment all the AV messages are in ConfigMgr, but if there is an outbreak there is only one way, via mail about alerting in CM, or we can configure StatusMessage rules to start something. Can we have a option to grab that infos to a SIEM like sentinel to get faster response about an outbreak? We need also reporting (very slow) and other mechanism in ConfigMgr that are very slow, but alerts in this case should be faster, like CM-Pivot automation to send some info's directly to a SIEM system, to get more possibility's.

    0 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  7. can we have the Naming of Defender (EP) the same as in intune and MDATP

    In some cases, the naming is different in Intune, MDATP and ConfigManager, but in the background it is the same setting, this is not only for Defender, it is for all Defender tools, like expoit guard, Microsoft Active Protection Service (MAPS) and so one. That would be nice...

    3 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  8. Adding a file hash to Windows defender detection alerts

    Adding a file hash of detected or suspected malware son that further research can be done using VirusTotal and simular resources.
    As it is now the threat informatinen provided by microsoft have very little detail and restoring files from quarantine to analyze them isn't ideal either

    7 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  9. Update ConfigMgr SCEP Templates

    Request for the SCEP templates to be updated which would reflect the latest support articles Microsoft releases for recommended antivirus exclusions. If possible, concurrent updates would be ideal for any future ConfigMgr releases.

    "C:\Program Files (x86)\ConfigMgr\XmlStorage\EPTemplates"
    "C:\Program Files (x86)\ConfigMgr\XmlStorage\EPTemplates\Archive"

    19 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  10. Make "Manage TPM" in CM MBAM BitLocker HelpDesk Portal truely to manage TPM

    With CM 1910 MBAM BitLocker upgrade, MBAM BitLocker Helpdesk portal (BitLocker Administration and Monitoring) is available. "Manage TPM" is list one of available option, however, if you take a close look, it is actually alterative to unlock machine.

    It would be nice that "Manage TPM" indeed to have manage TPM actions, select a action and submit to act on the target machine, such as, clear TPM, reset TPM, etc.

    The feature can be helpful to force a machine lockout at the next reboot in case there is a need and helpdesk professional can help.

    1 vote
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  11. Exploit Guard Controlled foder access

    Through SCCM, we are unable to add UNC paths in Controlled Folder Access settings when we click on Allow Apps through Controlled folder access setting. It only accepts local paths. Please add possibility to add UNC paths, because we have same business aplications that are blocked by controlled folder access.

    12 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  12. Include Data Recovery Agent (DRA) control in SCCM Bitlocker Management feature

    Integration of DRA feature directly in SCCM Bitlocker Management feature to have all of Bitlocker controls centralized in one central point (no need extra GPO)

    6 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  13. Malware Detail buttons that link to useful information

    A Malware Detail button that actually links to actionable/useful information. The existing malware detail buttons link to pretty much blank malware detail pages on MS documentation sites. They are not useful. If you can't do the analysis, can you provide links to actual CVEs or other trusted sources?

    4 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  14. Give full controll over Windows Defender Controlled Folder Access

    The default configuration in Windows defender controlled access folder blocks folders like pictures, documents, desktop etc. and you can't turn it off. It was difficult to deploy applications so we decided to not use this feature anymore and it's a shame because it's a such a great idea. We would like to have an option to disable this default behavior. At our company We want only to protect network drives/folders and don't care about pictures folders etc.

    3 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  15. After uninstalling the client, anti-malware policy settings remain in the version information area of Windows security

    After uninstalling the client, anti-malware policy settings remain in the version information area of Windows security.
    SCCM CB 1902
    Windows 10 1903

    Setting location:
    1. Run ms-settings:windowsdefender
    2. Clieck on [Windows Security]
    3. Click the "gear mark" in the lower left
    4. Click the "Version information"
    5. anti-malware policy settings remain

    3 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  16. Wildcards support for WDAC and Exploit Guard in SCCM

    When adding whitelist/exclusions for WDAC or Exploit Guard via SCCM wildcards are not accepted.
    This breaks functionality for remote support programs or conferencing programs such as LogMeIn Rescue or Zoom conferencing.

    9 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  17. Support for Network Drives in WDAC and Exploit Guard

    When configuring exclusions and exceptions in WDAC or Exploit Guard via SCCM, whitelisting a path within a mapped network drive is non functional.

    4 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  18. WIndows Defender Application Control - Specify Base Policy when creating Policies

    When SCCM is applying the policy it Creates 2 XMLs in C:\windows\CCM\DeviceGuard and uses a windows template in C:\Windows\Schemas\Codeintegrity\ExamplePolicies

    This means that Rules already applied are not replicated when SCCM overwrites the current sipolicy.p7b (tested with before and after - some publisher rules were missing)

    My suggestion is to allow users to specify an additional xml to be merged with the 3 aforementioned xml files essentially allowing for custom rules to be replicated in the policy.

    6 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  19. Device Guard Application Whitelisting, transistion from Audit to enforced and back again.

    Device Guard Application Whitelisting, being able to transistion from Audit to enforced without having to redeploy all applications. This would mean you could move from audit where you reinstall the apps and ensure you have compliance and won't break anything to enforced and if you experience some issues and need time to remediate you should be able to go back to audit to fix it. If this could then be enhanced so you can move to a new SCCM solution without extra configuration that would be very impressive.

    3 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  20. Wildcards can not be used when configuring Excluded Processes in Exclusion Settings in the anti-malware policy

    Wildcards can not be used when configuring Excluded Processes in Exclusion Settings in the anti-malware policy.
    Since it is judged as an invalid character string, please add a function so that it can be used.

    With Windows Defender alone, you can use wildcards for process exclusion.

    Use wildcards in the process exclusion list
    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-process-exclusion-list

    0 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
← Previous 1 3 4 5 6
  • Don't see your idea?

Feedback and Knowledge Base