Instead of having organizations manually create shares and write custom scripted solutions for downloading the updates, have ConfigMgr natively be able to handle this.

ConfigMgr Site Settings:
- Define 1 or more network locations
- Define an update schedule for how often ConfigMgr will download new SCEP updates to those locations
- Optional settings - Define proxy information and service account

It would be awesome if it did this through a scheduled task so it could survive ConfigMgr services being down (primary/db, etc).

As of SCCM 1802 all Windows 10 devices show as managed in the SCCM console for Endpoint protection, even if those devices have another Antivirus product installed such Symantec Endpoint Protection.

While I'm all in favour of not requiring the SCEP client on Windows 10, devices where Windows Defender is disabled because another AV product is installed should not show as managed. This is just confusing and makes it hard to see how many devices are actually managed by SCCM.

Device Guard Application Whitelisting, being able to transistion from Audit to enforced without having to redeploy all applications. This would mean you could move from audit where you reinstall the apps and ensure you have compliance and won't break anything to enforced and if you experience some issues and need time to remediate you should be able to go back to audit to fix it. If this could then be enhanced so you can move to a new SCCM solution without extra configuration that would be very impressive.

In some cases, the naming is different in Intune, MDATP and ConfigManager, but in the background it is the same setting, this is not only for Defender, it is for all Defender tools, like expoit guard, Microsoft Active Protection Service (MAPS) and so one. That would be nice...

Be able to manage Controlled Folder Access on Windows Server 2019 from Microsoft Endpoint Configuration Manager

Please set an RBAC-Model for the Advanced Hunting Feature, like the RBAC-Model for Log Analytics.
This will give us more control, who can access the critical data from Advanced Hunting.

Please allow to use a Timerange which is more than 30 Days on Advanced Hunting.
The Tenant saves Data for 180 Days, but on Advanced Hunting you can only use 30days as max timerange.
If you was Hunting Malware, you need sometimes more than 30 Days.

I do not see a way to add a hash to endpoint protection. We had malware recently that endpoint protection did not catch. We have the hash number but I didn't find a way in SCCM to add that.

Scheduled quick scans will not run on a laptop using battery power. Laptops are only plugged in when turned off and stored in charging carts so they NEVER automatically scan. I am trying to manage thousands of laptops in a school system. An option should be available to run the scan even when not plugged in to AC power.

We had to move away from SCEP to a "real" AV product. The main reason was due to the lack of data loss prevention in SCEP. If you added DLP, better reporting, an easy way determine what files had been quarantined and an easy way to restore files I may consider switching back. I just don't feel like SCEP is a full thought out AV solution. Instead it seems to be some afterthought that MS can't figure out what they want to do with. It deserves a dedicated console or at least a dedicated node inside ConfigMgr.

Endpoint protection client

It would be good if we could set different policy configurations for OS Drive, Fix Data Drive & Removable Data Drive.
Currently We are not able to configure only OS Drive only

Would like to be able to use BitLocker Management portals when using non-standard SQL ports. Currently the install script\configuration requires standard ports in order to be able to install.

When using offline files if an item is detected within the cache it gets removes by SCEP using the system account. Offline files sees the file removed from the cache but not by the user so it just downloads it again from the file server. This repeats indefinitely and is only resolved if the file is touched by the user rather than system.

Hello, Dear Team, as we can in enterprises we need more control on the client machines. It will convenient if that control can be accessed in single console of the SCCM. As a endpoint protection we need control startup applications, launching applications(blocking or allowing), control of the removal devices, force removal of potentially exploit apps, even traffic analyzer is needed. Sound like a crazy but really needed features.

During a quick or full scan, the user can not perform a scan (for example, files on a USB drive).

Have controls where you can block website and pages on all major browsers.

A user should not be able to reboot n Remote Desktop server. That should require and Administrator.

Administrators should be able to disable the 'restart now' option

Somehow this disappeared in Windows 10 (Possibly 8 as well) it was there in Windows 7.