Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Configuration Manager, though we can’t promise to reply to all posts.

Please do not use UserVoice to report product bugs or for assisted support.
If you believe you have found a product bug, please send us a bug report through the Configuration Manager Console (1806 and newer). To do this, press the 🙂 button in the top right corner and choose “Send a Frown”. For more details, see https://docs.microsoft.com/en-us/sccm/core/understand/find-help.

If you require assisted support, please see https://aka.ms/cmcbsupport for more details.

Standard Disclaimer – our lawyers made us put this here ;-)
We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Microsoft Endpoint Configuration Manager feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Configuration Manager. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.


  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Modernize the Cloud Management Gateway into an Azure WebApp - Network Security

    Currently the Cloud Management Gateway(CMG) for SCCM is a legacy "Cloud Service" in Azure. This prevents Network Security controls, such as placing a Web Application Firewall in front of the service, or peering it to a Virtual Network to be impossible. There are many customers in both the public and private sector that would like to see the CMG modernized into an Azure PaaS WebApp(ARM). This way they can place the CMG into an App Service Environment(ASE), and enforce Trusted Internet Control(TIC) policies.

    108 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. 1906 RBAC on folders needs to be optional.

    SCCM 1906 introduced scopes on folders which would be fine for a new SCCM install but not for an existing SCCM infrastructure that relies heavily on RBAC. Users don't understand why they can't find folders others have created in 1906.

    During upgrade from 1902 – 1902 SCCM automatically “fixes” all your folders so they behave just like they did with 1902. It does this be setting them with every security scope allowing users to still see these folders in 1906.

    Once 1906 is installed any new folder is created with the scope of the user creating it.

    Example:

    SCCM 1902…

    64 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. orchestration groups security scope

    Security scope for orchestration groups

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. Please add the ability to Restrict Task Sequence "Export" function

    We have multiple user Groups covering multiple Business units. Image Engineering guys create TS for different groups and wants them to just deploy (only) . They DO NOT want the other groups to view the content of the TS nor EXPORT it . However , it appears RBAC Does NOT offer such permission level to control the access to TS.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow Dynamics Specialists to use the Sales Insights features (embedded intelligence), so they can sell these features better to clients.

    Allow Dynamics Specialists to use the Sales Insights features (embedded intelligence), so they can sell these features better to clients.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow Machine Auth for Admin Service RestfulAPI

    Allow machine authentication using API certs or other method to authenticate against the RestfulAPI service. This would allow scripts and tasks to query CM for dynamic lists of packages, applications, etc...

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. Ability to Assign Wake on Lan to Security Scopes

    Currently to remotely wake up workstations, you have to have the default security scope applied to the user who needs to wake up the workstation. It would be great if you could use other security scopes as well.

    When an employee is remote and they accidentally turn off their computer, we have to send someone to physically turn it back on. We gave our help desk some permissions. If they could use wake on lan without having access to everything the default security scope provided, it would make things significantly easier.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. CMPivot shouldn't be required to have default scope

    It would be really great if default scope wasn't a required for CMPivot.
    We use security scopes to separate workstations boundaries from server boundaries for the administrators. We are concerned that giving the default scope will open our server boundary up to the workstations administrators.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. Remove the requirement for 'modify' permissions for Phased Deployments

    The Phased Deployment functionality for Applications and Task Sequences require the 'modify' permission on each of the objects in order to be able to create a phased deployment. Software Update Groups, on the other hand, dont have this requirement. In a large distributed environment, the administrators who manage clients in collections and deploy content (Applications, Packages, Task Sequences, etc.) are not always allowed to create the Applications or Task Sequences. In our large PUBSEC customer, the application and TS authors are separate from the site level admins, but our site level admins would like to take advantage of phased deployments.…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. ability to security scope phased deployments

    phased deployments for task sequences, applications, and software updates are great BUT only work for users who have the ALL security scope applied to them. we offer sccm as a service to multiple groups using RBA and they all have their own security group. as such, we are unable to offer the phased deployments feature in sccm to our customers.

    62 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. Make Security Scopes on Folders Recursive

    I love the new Security Scopes on Folders feature but SCCM admins have to change the scope any time users create folders or collections in their own. I'd love to give users control over their own areas in the console.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Security Scope for new Software Update Groups created by Automatic Deployment Rules

    When creating roles for software update managers, I would like them to only be able to manage software update groups specific to their responsibilities using security scopes. When SUG's are created by ADR's, they do not have a security scope applied. Ideally, the ADR itself and each SUG could have different security scopes.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. RBAC "Root Folder creation"

    Separate "folder creation" from "Root folder creation" rights...
    - So I can pre-create scope based folders in the root of each admin console tree.. and force admins to use those folders instead of creating new root folders.

    0 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. Granular Client Notification Permissions

    Would it be possible to break out individual permissions for each of the "Client Notifications".

    When enabled, if I right-click a device or collection I get the usual selection of options, "Download computer policy", "Collect Hardware Inventory", etc. Those are fine, but the big one that caries a high degree of risk is "Restart"

    So rather than have a single option in [Security Role] -> [Collection] -> [Notify Resource]

    ...the "Notify Resource" is in it's own permission branch and each notification option can be enabled/disabled for that role.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. Secure Credential/secret variable Resource

    Add a secure credential/secret variable resource to pass secure variables to task sequence steps and application command lines.

    For instance, this would be useful to securely storing and passing a BIOS password for securing, configuring, and upgrading BIOS.

    Additionally, this could be used for authentication tokens or specifying an alternate user context in a script.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Easier / Simplified Creation of Custom Roles from the Console

    Currently, if we want to delegate additional/certain permissions that are above what a group has, we must choose a higher role with more permissions and roll them back to the achieve a desired set. Example: the new Scripts feature adds the permission to the Operations Admin and Full Admin roles. If we want to add that role to a Desktop engineer group, we must copy the Operations Admin group and roll back permissions to the desired level. It would be much more desirable to have this ability to right click and create a new role and then add permissions versus…

    26 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  17. Revamp of RBAC

    Currently RBAC is confusing and very messy and with all of the new features its getting even more so. Some clean up to RBAC and especially how Security Scopes function (I've yet to see a single company really implement them effectively) would be very nice. Wondering if maybe even using some of the analytics gained from companies some better 'default' rbac groups could be created.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  18. Ability to provision gMSA as an Administrative User

    As of CB 1702, we can provision AD Users or Groups as administrative users in SCCM. However, gMSAs (Group Managed Service Accounts) can't be directly provisioned - though you can work around that by creating an AD group with the gMSA as a member and provisioning that group in SCCM.

    It'd be helpful if we could directly provision gMSAs in SCCM; I don't see any reason why this shouldn't be allowed.

    Thanks

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  19. Shedule and Rate Limits Per Group

    It would be nice if we have shedule and rate limits per distribution group instead of having it configured by dp only. So a mix of both will be great having the group config superseding the dp one...

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
  20. RBA Detailed report per Administrative User

    Ability to right click an "Administrative User" and have the ability to export their permissions to a detailed report.

    For example:

    The ability to see what permissions they have for a particular role when its matched to a scope and/or a collection.

    Right now I a maintain this in a spreadsheet. It is not enough to say this "Administrative User" is a package admin. Since we can create custom security roles, having the ability to see the specifics via a report per user will be very helpful.

    Also when a CM update is released, please include any additions, modifications or…

    5 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4
  • Don't see your idea?

Feedback and Knowledge Base