Console users must have "Run Scripts" security role permission to use CMPivot. Can you add a separate security role permission for CMPivot so we can make administrative users with CMPivot permission but not "Run Scripts?"

Have the ability to include/exclude certain OU's from both Active Directory User and System Discovery.

E.G. I might have an "All Users and Groups" OU at the root domain level, which may contain sub OU's containing service accounts or mailbox accounts etc. that I don't want being picked up by discovery. The ability to pick which sub OU's to discover/not discover would be really handy in this scenario. The same applies for system/computer discovery also.

Please add a column with the OS Build version to the console. It's really a pain when reports or collection querys have to be used to get this information.

If displaying the company logo and color scheme is further expanded to several end-user dialogs that are not necessarily Intune related, please enable defining a company logo to display in them without having an Intune subscription. Branded dialogs with company colors and logo are less likely to be misinterpreted and help end-users identify that the dialogs are originated from our organization's ConfigMgr and can be trusted.

If you have deployed offline Service Connection Point, ServiceConnectionTool.exe now (in ConfigMgr 1511 - 1606) downloads ALL published ConfigMgr update packages when you use -connect parameter. E.g. if your site only requires post 1606 hotfix, ServiceConnectionTool.exe downloads 1602, 1606 installation packages although they are installed! Currently it will download over 7 GB of updates, when you just need about 25 MB update package. This is just waste of time, network traffic & disk space.

Please improve ServiceConnectionTool.exe, so it would only download the update packages that are applicable for the current installation.

macOS High Sierra 10.13 was announced nearly 6 months ago for developers and beta testers. It has been released to the public for over 2 months.

Please update the SCEP for Mac application to support the latest version of macOS.

When running a task sequence to deploy a 1703 based image, the second part of the task sequence: "Setup Operating System" does not display.

The screen saying "Just a moment..." is displayed instead of the SCCM task sequence screen, meaning you cannot see the progress.

If the machine is left, it does actually complete the steps, but it would be nice to see the SCCM screen once again!

We have the need to run a command line in the task sequence and leverage a secret value TS variable ADMACCTPW set with the local admin account password. Example Run Command Line "net user admin %ADMACCTPW%
The issue is in the SMSTS.log the variables are all expanded like the ProgramName = 'net user admin mynewadminpassword' InstallSoftware 7/1/2016 12:58:58 PM 4468 (0x1174)

Thereby exposing the secret value TS variable

When using Peer Cache, if the Peer is no longer online or not available for connect there is a 7.5 min delay to fail to the next system. if the first connection was a validation of the systems online status ("Are you there") the need for this delay would not be needed. the requesting client could attempt to make connection (presumably when it's doing the resource checks for Battery, CPU load, Disk IO and available connections) and if the connection times out (very short reasonable time) it moves to the next peer on the list.

Currently, anytime you run the upgrade OS step, it set the client into provisioning mode, despite the options you're choosing. Could this be changed, that if you pick "Compatibility scan without upgrade" it would NOT put the client into provisioning mode.

I've had users reboot the computer when the scan was running (silently in the background), and then the client was in provisioning mode.

There are many ways to expire standalone media but most involve using a date stamp to compare with system time to determine if the sequence is still supported. Changing the system time circumvents this process. With Windows Servicing, it will be critical that an administrator be able to limit installation at or near the end of a support cycle. A supported process for expiring media programmatically ensures new devices aren't installed outside of a supported servicing window.

Make everything more secure by requiring Multi-Factor auth for console access. Bonus: make it work over the internet securely.

The "More Details" right-click function in the Asset Details view under each monitored deployment currently does not allow you to highlight and copy any of the text. This might sometimes be handy while sending deployment information to colleagues or building hand-made lists of computers with a specific error status, etc.

Deadline randomization is currently in place for software updates only. We were hoping that would expand to both applications and packages as well. This would reduce the demand for applications and package installations in a shared environment (virtual). We currently have this available with software updates. We'd like to see the scope expanded to include package and applications.

To reduce potential for failures due to low battery situations and to minimize the ConfigMgr client's impact to system battery life, introduce a check for certain client actions to allow them to be delayed or bypassed when the system is found to be running on battery or running critically low on battery:
+ Software distribution
+ Compliance settings
+ Inventory
+ Anti-malware scans

Enable appropriate distribution point functions on Cloud DPs like Group Relationships, Content, Boundary Groups, Schedule, Pull Distribution Point, and Rate Limits.

of course, PXE and Multicast would not be appropriate Cloud DP functions.