Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

Complete Group Policy Integration

Configuration Manager should be able to configure all aspects of a workstation that can be done using other Microsoft tools. Some group policy items already exist such as folder redirection and Firewall Policies. It would be great if Firewall could be expanded to include creation of firewall exceptions. It would also be great if we could configure all group policies from within SCCM perhaps using compliance settings.

278 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Jarrod Beebe shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
    Noted  · 

    14 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Andrew Malcolm commented  ·   ·  Flag as inappropriate

        As others have stated, being able to SEE COMPLIANCE would be a huge advantage for doing all client configuration with Configuration Manager, not some in GP, some in DSC, some in 1,2,3...

      • Jesse Proulx commented  ·   ·  Flag as inappropriate

        If this was well implemented, it would go a long way to making Azure AD a viable full replacement solution to on-prem AD. It would need to support importing ADMX/ADM files as well as having the base GPOs.

      • David Hannah commented  ·   ·  Flag as inappropriate

        Perhaps an option to "link" your Group Policy environment with SCCM?

        For instance, you might configure a source Active Directory domain. It could then read all GPOs to have some non-editable GPO CIs, and leverage the SCCM client to simply report on GPO compliance. This would satisfy organizations that might segregate SCCM and GPO administration.

        You could then have an option on the GPO CIs to convert them to typical SCCM CIs. This would ease the migration process.

      • Charles Herrington commented  ·   ·  Flag as inappropriate

        I agree that having full Group Policy functionallity within SCCM would be a huge improvement. When companies like mine are trying to obtain compliances like PCI and ISO, being able to report and confirm that compliance items are actually implemented and and are being enforced on client OS's across the organization would defiantly help the auditing process.

      • Dustin Hedges commented  ·   ·  Flag as inappropriate

        Native integration into the Security Compliance Manager (and/or GPO Templates in general) would be a huge benefit. The individual SETTINGS (not CI's) need to be searchable however.

      • cscrgb commented  ·   ·  Flag as inappropriate

        Right now, Compliance in SCCM has a big advantage over Group Policy: Reporting on results. Currently, and not in the foreseeable future, AFAIK, there are no plans to add such functionality to Group Policy.

        Giving Compliance the ability to manage the same/more settings than GP would give admins much better insight into their environment by actually seeing the impact of changes that are deployed through reports and queries.

        I think that would be an awesome addition.

      • Richard Archer commented  ·   ·  Flag as inappropriate

        @Andrew M - The downside there would be that Configuration & Compliance would become dependant on WMF 4. That said, it does feel like there's a lot of overlap between the two functionalities that could do with some rationalisation.

      • Andrew Malcolm commented  ·   ·  Flag as inappropriate

        Please move all aspects of configuration to powershell dsc - then make config mgr powershell dsc behind the curtains ;-)

      • Roman Žuravljov commented  ·   ·  Flag as inappropriate

        Sometimes when you need to implement GP item/setting as Compliance Item, you have to use different tools (sometimes 3rd party tools). Which is VERY far from convenient.

      • Steven John Cuthill commented  ·   ·  Flag as inappropriate

        Yup I would agree here ! The ability to create a "configuration iteam" that has Group Policy pres and ADM/ADMX Templates.

      • Jarrod Beebe commented  ·   ·  Flag as inappropriate

        The idea is to be able to set any policy that can be set in group policy via sccm and possibly get compliance on it as well. The task sequence idea sounds more like a gp update /force command

      Feedback and Knowledge Base