Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Configuration Manager, though we canā€™t promise to reply to all posts.

Please do not use UserVoice to report product bugs or for assisted support.
If you believe you have found a product bug, please send us a bug report through the Configuration Manager Console (1806 and newer). To do this, press the šŸ™‚ button in the top right corner and choose ā€œSend a Frownā€. For more details, see https://docs.microsoft.com/en-us/sccm/core/understand/find-help.

If you require assisted support, please see https://aka.ms/cmcbsupport for more details.

Standard Disclaimer ā€“ our lawyers made us put this here ;-)
We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Microsoft Endpoint Configuration Manager feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Configuration Manager. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.


  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Update ConfigMgr SCEP Templates

    Request for the SCEP templates to be updated which would reflect the latest support articles Microsoft releases for recommended antivirus exclusions. If possible, concurrent updates would be ideal for any future ConfigMgr releases.

    "C:\Program Files (x86)\ConfigMgr\XmlStorage\EPTemplates"
    "C:\Program Files (x86)\ConfigMgr\XmlStorage\EPTemplates\Archive"

    19 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  2. Allow for editing of client and scep policy priority

    The change priority option of policies is a very slow process when there a many policies in place or even when adding a new policy to get it to priority 1. It would be ideal if the editing of the policy order was allowed or a drag and drop approach to ordering the policies

    18 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  3. Endpoint- Add ability to submit false positive or new virus submission from console

    We have encountered quite a few false positives since converting to Endpoint via SCCM. So far the biggest problem has been submitting a false positive report to MS (one that will actually get listened to at least). We should have the ability from within the console to submit a file or report detailing a false positive and receive data on whether or not that file is rated as a threat with current virus definitions. If the Endpoint team is going to speak proudly of its low false positive rate, they should make it much easier for an Enterprise client toā€¦

    18 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    2 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  4. 17 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  5. SCEP/Endpoint Protection logging

    I would like Endpoint Protection to do one of the following things:
    a. Log to file/winevent when infected - on the actual client
    b. Log to file/winevent when infected - on server

    For all the Companies using log analytics tools there are no good way to get the information. We use a custom sql-trigger to kick off a PowerShell script which writes an logentry to EventLog on the server. That is suboptimal to say at least.

    The dashboards for EP in ConfigMgr is not good enough and really ineffective when you have a lot of detections.

    16 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  6. Streamline Defender/Endpoint Protection settings

    Minor thing, but in Defender under Win10, excluded Files and Folders are separate, and Items in Antimalware policies, regardless weather File or Folder are shown in Defender/Win10 settings under Excluded Files. (the exclusion however still works so that is why it's a minor thing)

    15 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  7. Add Tamper Protection

    We need to be able to prevent admin users from disabling or uninstalling SCEP without a secondary form of authentication/protection.

    14 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  8. Windows Defender Advanced Threat Protection - Collect/Surface Log Data

    https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection

    The ConfigMgr client should collect event log troubleshooting data for Win Defender ATP. The data should be surfaced in the dashboard and be available for creating dynamic collections queries (so you can act on it). A security tool that doesn't clearly show you where it is/isn't working is very problematic.

    13 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  9. Windows Defender Offline Scan - Endpoint Protection Client Action, Schedule

    Integrate some management of Windows Defender Offline Scan. For a first iteration, add the ability to schedule an offline scan during next reboot to Fast Channel Notifications.

    On a future iteration, allow anti-malware policy to schedule an offline scan every X days on reboot.

    13 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  10. Exploit Guard Controlled foder access

    Through SCCM, we are unable to add UNC paths in Controlled Folder Access settings when we click on Allow Apps through Controlled folder access setting. It only accepts local paths. Please add possibility to add UNC paths, because we have same business aplications that are blocked by controlled folder access.

    12 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    1 comment  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  11. Allow non-admin users to change time of scheduled scans.

    Currentlly, if this option is set, the users have the option to change the time (it is not greyed out like all the other settings which users are not allowed to change), but cannot save changes (UAC admin "save changes" button). Only users with local admin rights are allowed to apply the changes.

    11 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  12. Add Bitlocker management to SCCM.

    Allow for the provisioning, management and recovery of bitlocker protected volumes using sccm.

    11 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  13. Add the ability to unlock a bitlockered drive in WinPE via MBAM

    for refresh/reinstall scenarios in WinPE where you have an already MBAM managed/Bitlockered client, and you want to reinstall it or refresh to a new os, the OS drive is bitlockered and therefore you cannot read it or pull data from it (USMT), we've used various versions of this for MBAM https://www.windows-noob.com/forums/topic/4173-how-can-i-retrieve-my-bitlocker-recovery-key-from-mbam-in-windows-pe/ but it would be nice if this ability was integrated within ConfigMgr now that MBAM is integrated too and to do it securely via https

    10 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  14. Include latest antimalware platform release with ConfigMgr client

    New anti-malware platform updates are released periodically. It would be good to have the latest version included as part of the ConfigMgr client installation so that clients can take advantage of the latest features in Endpoint Protection.

    10 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    3 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  15. Enable Tamper Protection via SCCM

    It would be nice to have ability to enable Tamper Protection in defender via SCCM antimalware policy

    10 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  16. SCEP: Ability to put exclusions specific to individual machines.

    Hi Team,

    We currently do not have ability to put exclusions specific to individual machines. This can oly be done through collections and policies. Why dont we give the ability to end point amdinistrator group to add exclusiosns to individual machines based on requests which is possible through McAfee.

    Thanks,
    Vinayak

    9 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  17. Wildcards support for WDAC and Exploit Guard in SCCM

    When adding whitelist/exclusions for WDAC or Exploit Guard via SCCM wildcards are not accepted.
    This breaks functionality for remote support programs or conferencing programs such as LogMeIn Rescue or Zoom conferencing.

    9 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  18. Info channel disposing details on logic/behaviour of EP

    We would like an information channel, where MS disposes information on the behavior of the Endpoint Protection product. Especially when things change but also how things are now (logic, build-in defaults, parameterization and how to configure, etc...).
    E.g. : We recently had a 'false positive' Worm:Win32/Bluber.A detected in C:\Windows\System32\sysinfo.ocx file. In this case, we chose to 'quick fix' this issue by performing a 'Restore files quarantined by this threat' (see picture). This action creates an exception rule for the detection and remediation of this particular threat, on the SCCM EP GPO. This exception is only temporary; it used to beā€¦

    9 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  19. Automating Microsoft Endpoint Full System Scan upon Infection with Email Notification

    I wrote a PowerShell custom detection method that reads the event viewer logs and thereby returns a failed installation if an infection is logged in the event viewer. The application installation is therefore a powershell script that initiates a full system scan. For the custom detection to be successful, there must be an event viewer entry of the full system scan after the infection entry. I have written up the process in my blog posting here: http://mickitblog.blogspot.com/2015/12/automating-microsoft-endpoint-full.html

    9 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  20. I would like to see configuration managers end point agent be able to detect and block thumb drives and do web content filtering

    I would like to see configuration managers end point agent be able to detect and block thumb drives and do web content filtering via the agent.

    8 votes
    Vote
    Sign in
    (thinkingā€¦)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinkingā€¦)
    0 comments  ·  Endpoint Protection  ·  Flag idea as inappropriateā€¦  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base