Ideas
What features would you like to see?
All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Configuration Manager, though we can’t promise to reply to all posts.
If you require assisted support, please see https://aka.ms/cmcbsupport for more details.
-
After uninstalling the client, anti-malware policy settings remain in the version information area of Windows security
After uninstalling the client, anti-malware policy settings remain in the version information area of Windows security.
SCCM CB 1902
Windows 10 1903
Setting location:
1. Run ms-settings:windowsdefender
2. Click on [Windows Security]
3. Click the "gear mark" in the lower left
4. Click the "Version information"
5. anti-malware policy settings remain
3 votes
Noted · Admin Adam Meltzer (ConfigMgr Product Team) (Software Engineer, Microsoft Endpoint Configuration Manager) responded
This behavior is currently by design. We do not clean up AM policy after the client is uninstalled. This is something we can consider revisiting in a future release.
-
SCEP 2012 - Scanning PST files
SCEP no longer scans PST files within Outlook 2003 or newer versions. Prior to this it had been working.
3 votes -
Endpoint Protection should ignore Windows 10 devices with Defender disabled by third party protection
As of SCCM 1802 all Windows 10 devices show as managed in the SCCM console for Endpoint protection, even if those devices have another Antivirus product installed such as Symantec Endpoint Protection.
While I'm all in favour of not requiring the SCEP client on Windows 10, devices where Windows Defender is disabled because another AV product is installed should not show as managed. This is just confusing and makes it hard to see how many devices are actually managed by SCCM.
3 votes -
Create a report that shows "Top Sources of Attack" that displays the source ip address for malware attacks.
Create a report that shows "Top Sources of Attack" that displays the source ip address for malware attacks.
3 votes -
MBAM Policy configurations for different drives
It would be good if we could set different policy configurations for OS Drive, Fixed Data Drive & Removable Data Drive.
Currently we are not able to configure only OS Drive only
2 votes -
Have an easier way to deploy the endpoint protection client via Task Sequence
Endpoint protection client
2 votes -
Tool for determining required registry changes
In the case of patches (Spectre being one example) that may require extra registry key changes in order to be fully secure from threats, currently the only way to scan an environment for missing changes is using a tool such as Nessus. There should be a way to manage any required changes of this sort that isn't included in rollups within SCCM. I was recently made aware of a change that accompanied MS15-124, an update from December 2015. Even though that patch has been superseded and/or rolled up many times over since then, the Microsoft Premier SCCM support team…
2 votes -
Allow the use of BitLocker's management Self-Service\Help Desk portals when using non-standard SQL ports
Would like to be able to use BitLocker Management portals when using non-standard SQL ports. Currently the install script\configuration requires standard ports in order to be able to install.
2 votes -
Scheduled quick scans should run on a laptop using battery power
Scheduled quick scans will not run on a laptop using battery power. Laptops are only plugged in when turned off and stored in charging carts so they NEVER automatically scan. I am trying to manage thousands of laptops in a school system. An option should be available to run the scan even when not plugged in to AC power.
2 votes -
Add DLP
We had to move away from SCEP to a "real" AV product. The main reason was due to the lack of data loss prevention in SCEP. If you added DLP, better reporting, an easy way to determine what files had been quarantined and an easy way to restore files I may consider switching back. I just don't feel like SCEP is a fully thought-out AV solution. Instead it seems to be some afterthought that MS can't figure out what they want to do with. It deserves a dedicated console or at least a dedicated node inside ConfigMgr.
2 votes -
More detailed reports OOB and an easy dashboard that can be easily customized for SCEP
Our security guys find that the OOB reports are not as detailed as, let's say, Symantec Endpoint Protection Manager. Would love to see out of the box reports. Also, the Collection drop down list on the reports or console in relationship to SCEP does not work well with RBA. I have multiple I.T departments and I set up Collections for each site for restriction where each site can only see their own collection. When in SCEP, the drop down collection list will show as empty.
1 vote -
SCEP - support drive wildcards in exclusions
I am currently migrating exclusions from McAfee where they can use drive exclusions. Because we can put something in c:\programfiles\programname or d:\programfiles\programname I have to exclude all paths that someone may put the application into. In McAfee they can do **\programname\exclusion.
1 vote -
Have more than one post a year on the team blog.
One post in 2015.
2 posts in 2016.
None in 2017.
Last post over 12 months ago.
Not a Blog...
1 vote -
I would like to request a downloadable link to the latest SCEP Installer
I would like to request a downloadable link to the latest SCEP Installer. I have a restricted environment that is not managed by config manager. We have SCEP running on over 200k clients, configured by GPO. These machines are deployed using images. To ensure the client is not required to download SCEP+SP1+definition updates, the intent is to pre-load the updated VHD/WIM with the latest version of SCEP, so that the server is not taxed with having to download those updates from WSUS.
1 vote -
Defender realtime disable time limit
We're currently able to allow real time protection in Defender to be managed/disabled. It would be really nice if we could set a max time limit where it would re-enable itself if someone has disabled it.
1 vote -
bitlocker computer compliance
Bitlocker computer compliance report does not show the C: drive compliance information if there is an extra drive in the machine (D: for example)
1 vote -
Bitlocker exception for USB only
Currently with MBAM integration, the only exception is for the whole device to be excluded. We have certain USB devices (scanners/cameras/medical equipment) that are seen as USB mass storage and therefore encryption is required, along with some users who have legitimate business reasons to not need to encrypt USB devices. We still require the HDD to be encrypted but allow the USB to be excluded.
We have our current GPO based bitlocker set with the USB encryption in a separate policy so it can be excluded by devices in an AD group to allow these scenarios. Currently this prohibits moving…
1 vote -
Make "Manage TPM" in CM MBAM BitLocker HelpDesk Portal truly manage TPM
With CM 1910 MBAM BitLocker upgrade, MBAM BitLocker Helpdesk portal (BitLocker Administration and Monitoring) is available. "Manage TPM" is listed as one of the available options; however, if you take a close look, it is actually an alternative to unlock machine.
It would be nice for "Manage TPM" to indeed have manage TPM actions: select an action and submit it to act on the target machine, such as clear TPM, reset TPM, etc.
The feature can be helpful to force a machine lockout at the next reboot in case there is a need and helpdesk professional can help.
1 vote -
Deploy Microsoft Defender ATP Policy to user collection
It should be possible to deploy a Microsoft Defender ATP Policy to a User collection, not just a Device collection.
1 vote -
SQL Server Reporting - Endpoint Protection
Unhide Endpoint Protection Reports (Default is hidden)
SQL Server Reporting Services > ConfigMgr_Site > Endpoint Protection (Now click Details view top right, select Endpoint Protection again) There is an Endpoint Protection - Hidden folder
1 vote