Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice - Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more

How can we improve Configuration Manager?

← Ideas

Add Support for MSA/gMSA for Standard Roles

I would like the ability to assign managed service accounts or group managed service accounts to the standard roles for SCCM (i.e. Network Access Account, Domain Join account, Client Push account, etc.) so that those accounts can be secured without the need for knowing or managing the password.

166 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Nathan Ziehnert shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

6 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Priya SINGIREDDY commented  ·   ·  Flag as inappropriate

    With Latest technology provided by Microsoft themselves to secure the Admin accounts but having limited it to only some accounts is very surprising. SCCM infra accounts needs to be handled via GMSA method to be more secure considering it is admin on the entire environment. Please add this to the ideas to be implemented on priority as this will be a must for many organisations going forward.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is really a need - in our organization there should be a managed service account used in all sccm accouns instead of a priviliged account.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is really a need in all organization there should be a managed service account used in all sccm accouns instead of a priviliged account.

  • Sean League commented  ·   ·  Flag as inappropriate

    As we have a password policy that the password expires every 90-day. We should also use a non-interactive account to prevent someone from having domain admin privileges if the password becomes compromised.

    Our 90-day password policy comes from the FBI, CJIS policy.

  • Gary Cook commented  ·   ·  Flag as inappropriate

    This is needed for pushing Software to Domain Controllers when a Microsoft recommended multi tier Security model is in place.

  • George Simos commented  ·   ·  Flag as inappropriate

    I have been requesting this feature and advocating about it before the release of System Center Configuration Manager 2012 when I was an MVP for the product (2009-2011).
    It is the most secure way to provide administrative access to endpoints and servers because the msa/gmsa accounts cannot be compromised easily and most of all they have automatic password management. Sure there will be some kerberos work to be done from the admin part but I think that the outcome of a more secure SCCM environment is a great reward.

Ideas: Setup and Server Infrastructure

Categories

Feedback and Knowledge Base

(thinking…)