Ideas
What features would you like to see?
All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Configuration Manager, though we can’t promise to reply to all posts.
If you require assisted support, please see https://aka.ms/cmcbsupport for more details.
-
Complete Group Policy Integration
Configuration Manager should be able to configure all aspects of a workstation that can be done using other Microsoft tools. Some group policy items already exist such as folder redirection and Firewall Policies. It would be great if Firewall could be expanded to include creation of firewall exceptions. It would also be great if we could configure all group policies from within SCCM perhaps using compliance settings.
359 votes -
More accurate registry Compliance Settings
When creating the Configuration Item (Create Configuration Item Wizard, Settings step) and choosing the Registry setting type for the Create Setting window, there are some bizarre registry types mentioned in the Data type drop-down box: String, Integer, Date and Time, Floating Point, Version and String Array. Most of these data types are all REG_SZ type. But where is REG_MULTI_SZ? REG_EXPAND_SZ? REG_DWORD? REG_QWORD? REG_BINARY?
There is also the possibility to set/check compliance for those registry settings with a script, but why the Registry Configuration Item in the first place?
These actual registry data types need to be implemented…
109 votes -
Add auto remediation to a Software Update compliance baseline
At present SU compliance baselines can identify missing updates but not remediate by installing them. Please add the option to have the missing updates installed either from a DP or Microsoft Update.
31 votes -
Allow compliance items to be run at logon/logoff
Right now, Compliance Items can only be scheduled for specific time periods. It would be helpful to schedule Compliance for logoff/logon.
16 votes -
Decouple Detection and Remediation types
When creating Configuration Items, it would be nice if we could combine different detection and remediation types. For example, combining a Registry detection rule that would remediate with a PowerShell script.
11 votes -
Integration with DISA STIGs and benchmarks
SCCM should be able to leverage STIGs and benchmarks to automate the compliance. SCM appears to have ended support, although it can still be found. It was ok, but to use for SCCM required numerous steps and not all items would transfer.
10 votes -
Compliance Settings - Script type - check on return code rather than stdout output
It would be useful if a compliance setting script type were able to check the compliance based on the return value rather than all the output of stdout.
Now the only way for me is piping cmds to Out-Null, to ensure that an item can get compliant:
# Discard the tool's stdout so only the SUCCESS/FAILURE marker is returned
some.exe | Out-Null
# $LASTEXITCODE holds the exit code of the last native program that ran
if ($LASTEXITCODE -eq 0) { Write-Host "SUCCESS" }
else { Write-Host "FAILURE" }
But for developing/troubleshooting purposes it would be nice if I didn't have to catch all stdout output, especially for longer scripts, or tools which I cannot modify (3rd-party vendor).
8 votes -
Have remediation option for Compliance to immediately deploy package and run exe or script from package
Sometimes when remediating non-compliant Compliance Items, other files may be required. In order to do this currently, it is necessary to create a collection that queries the compliance status of the compliance item, and then deploy a package to that collection. This adds a delay in processing, as it is now necessary for the collection to evaluate before deploying the package. Additionally, if the collection evaluation runs at a quicker schedule than compliance evaluation, the remediation package may run multiple times before compliance has been updated.
It would be helpful for compliance to have the ability to deploy a package…
7 votes -
Improve the usability of Compliance Settings
When I first looked at Compliance Settings I could not get my head around how it worked. I believe I understand it now but it could be made easier.
One useful feature would be the inclusion of using admx or existing GPOs to ensure AD compliance is working or apply settings over multiple domains / workgroup system. The Security Compliance Manager has some of these features but only for Microsoft related products with security configuration.
7 votes -
DCM - Expand the Compliance Rules so that they can return Values
Expand the capabilities of the Compliance rules so that I can collect the Registry Value optionally.
It’s great that we can tell if systems are compliant, but often we are Auditing Registry values and handing the data over to Security or other groups. Those other groups determine if the setting is compliant or not.
Simply handing over a report that lists 10s of thousands of systems as not compliant is not enough...the next question that we are often asked is what are the Non-Compliant values.
An additional check box to "Collect Values" would be very helpful and reduce a lot of…
5 votes -
Run program from a package as a remediation step.
Today you have the ability to run JScript, Windows PowerShell or VBScript scripts to remediate conditions on Clients in ConfigMgr. But sometimes running a program from a package would also be very useful. Example: run a reboot program like the Cortech Shutdown tool if a computer/server is non-compliant.
3 votes
Noted · Admin Mark Silvey - ConfigMgr Product Team (Engineering Manager, ConfigMgr, Microsoft Endpoint Configuration Manager) responded
Thanks for the feedback!
-
List all CIs in a category regardless of folder
We use folders to organize Configuration Items (Applications, Task Sequences, etc.) however there is no place to view all the CIs in a category. You have to click on each individual folder to view those CIs. For example, it would be nice to select Applications and see all of your Apps listed there instead of having to select each folder to view Status or check for duplicates. Each folder should do the same for its sub-folders. Having a column that shows which folder/sub-folder the CI is in would be helpful as well.
2 votes -
DCM to check for audit settings
Configuration Management needs the ability to check for Audit settings on a folder, much like it checks security settings.
I know it can be done in PowerShell, but that's a very long and nasty road.
1 vote -
Compliance items, add deployment tab to bottom pane
On the compliance item, add a deployments tab with the capability of creating a collection from the compliance item. You can do it on the compliance baseline but that is not sufficient, as a baseline may have more than 1 CI so your target collection MAY have a mix of issues. OR just make it where you can deploy a CI in addition to a baseline with the same capabilities.
1 vote -
Conditional Access based on the latest Windows 10 build
You should be able to create a conditional access rule that only the computers with the latest Windows 10 build can access corporate resources.
The latest version is required because it might introduce new security features or some other functionality.
0 votes