We use a "next gen" AV program, but we want to leverage Windows Defender to do "limited periodic scanning". The setup is supported by Defender and or AV client, but there does not seem to be an option to enable the feature via SCCM EPP management. I'd like to be able to force this to be toggled on.

When I view the dashboard for Windows Defender ATP I can see onboarding status % and agent health but cannot click on the pie chart nothing happens. It would be great if I can see list of machines for each status

In SCEP logs add the option to show the IP address in addition to the hostname.

This would be beneficial for SIEM tools as you can more easily correlate events between systems as some systems (routers for example) only use IPs and not hostnames

The v_AM_NormalizedDetectionHistory view in the SCCM database does not accurately reflect the RemediationType for detected threats. It almost always shows NoAction, even though the threat was quarantined or removed.

We are using this view to report status to our SIEM system, and our security team would prefer that it actually show how the threat was remediated.

Instead of having organizations manually create shares and write custom scripted solutions for downloading the updates, have ConfigMgr natively be able to handle this.

ConfigMgr Site Settings:
- Define 1 or more network locations
- Define an update schedule for how often ConfigMgr will download new SCEP updates to those locations
- Optional settings - Define proxy information and service account

It would be awesome if it did this through a scheduled task so it could survive ConfigMgr services being down (primary/db, etc).

Endpoint Protection - Monitoring mode only.

Sometimes, in first Endpoint Protection deploying in specific business sensetive networks, we need option to detect malwares and monitor only without any actions with malwares. If malware detected Endpoint Protection will only report to SCCM console and no other actions. SCCM administrator will decide what to do with the detected malicious objects, so as not to stop the business process if it is infected.

macOS High Sierra 10.13 was announced nearly 6 months ago for developers and beta testers. It has been released to the public for over 2 months.

Please update the SCEP for Mac application to support the latest version of macOS.

To remove malware from clients I have to log into each client, go into the history and delete the infection from there? I'm really surprised I cannot do this from the SCCM console.

I like to have the Data from the securitycenter.windows.com (WDATP) with all the new 1709 Defender features back in to the Console, we have the Endpoint Protection status in there, but It would be really nice to have all the exploit data visible in the console in the Monitoring / Security Workspace. also the possibility to Isolate Machines and so on. One Console for anything.

Our security guys find that the OOB reports are not as details as let say Symantec Endpoint Protection Manager. Would love to see out of the box reports. Also, the Collection drop down list on the reports or console in relationship to SCEP does not work well with RBA. I have multiple I.T departments and I set up Collections for each sites for restriction where each site can only see their own collection. When in SCEP, the drop down collection list will show as empty.

Support for uninstall password for 3rd party enterprise antivirus.
Symantec especially, but the more support the better.
This would help tremendously with migrations to Endpoint Protection.

In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis.

In SCCM, we can see al malxare detected by the traditionnal Windows defender AV (working with definition).
Can we aad a report on malware (or suspicious files) detected by the Cloud protection service ?

Endpoint Protection for Mac and Linux, once installed, are simply adrift in the workstation cosmos, with no visibility of their health, status or activity. This is abnormal in the antimalware/antivirus space. Unless you're a home user, administrative reporting and visibility is a must.

Currently we do not have the option to configure monthly full virus scans on our servers. Daily quick or full scans on hundreds of servers is not a very optimal solution.

Unhide Endpoint Protection Reports (Default is hidden)
SQL Server Reporting Services > ConfigMgr_Site > Endpoint Protection (Now click Details view top right, select Endpoint Protection again) There is an Endpoint Protection - Hidden folder

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection

The ConfigMgr client should collect event log troubleshooting data for Win Defender ATP. The data should be surfaced in the dashboard and be available for creating dynamic collections queries (so you can act on it). A security tool that doesn't clearly show you where it is/isn't working is very problematic.

SCEP/Endpoint Protection should allow admins to add a custom file names, folders, or extensions as a threat. This would be very helpful in zero day vulnerabilities.