Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

Ideas

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building System Center Configuration Manager, though we can’t promise to reply to all posts.

If you believe you have found a product bug, please use Feedback Hub. For more details, see: https://docs.microsoft.com/en-us/sccm/core/understand/find-help.

Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the System Center Configuration Manager feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Microsoft Configuration Manager. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.

How can we improve Configuration Manager?

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. RBA on the Folder level

    Currently Administrators have the ability to set Role Based Access to Collections but we do not have the ability to block access to specific folders. Currently in my environment we have many different departmental administrators who need to manage only their machines and their collections. each time we add collections we then need to grant them access. if the Role Based Administration gave the ability to grant access on the folder level it would reduce the complexity for area's that have a setup similar to mine.

    I have attached a screenshot of how my setup looks.

    594 votes
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      Noted  ·  24 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
    • Create a new option in RBAC that disallows a user from modifying ONLY a maintenance window, but allows for other device collection changes.

      Currently if you disable the modification of settings in a device collection through RBAC, you cannot modify ANY settings. I wish there was a way to only disallow the modification of Maintenance Windows.

      24 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
      • Easier / Simplified Creation of Custom Roles from the Console

        Currently, if we want to delegate additional/certain permissions that are above what a group has, we must choose a higher role with more permissions and roll them back to the achieve a desired set. Example: the new Scripts feature adds the permission to the Operations Admin and Full Admin roles. If we want to add that role to a Desktop engineer group, we must copy the Operations Admin group and roll back permissions to the desired level. It would be much more desirable to have this ability to right click and create a new role and then add permissions versus…

        21 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
        • Include the Reports Viewer Role out of the box

          Why not automatically include a reports viewer security role out of the box with CM? As a consultant I install CM from scratch regularly and always have to add this role manually as every customer wants it.

          Brian Mason and Kent Agerlund give examples here:
          http://www.mnscug.org/blogs/brian-mason/162-report-user-role
          http://blog.coretech.dk/kea/creating-the-reporting-user-role-in-configmgr-2012/

          15 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
          • Importing a new device with variables doesn't work if you don't have access to ALL devices\ All Systems Collection

            We have RBAC implemented such that console users do not have read permission to the All System collection. Instead, we have delegated collections of devices to which they can admin, using a query rule to include device objects created matching certain criteria (name starts with some defined value, no client registered, created via manual machine entry, CAS site code). The issue is that when using the computer import wizard and selecting to use a CSV for bulk import, the wizard crashes with a permission error when defining device variables. The wizard succeeds only if the devices are imported ignoring the…

            14 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
            • Elevated Access - Delete Collections

              Full Administrators should have the ability to delete collections no matter what roles are assigned. Currently in our environment we have multiple roles that have access to various collections and once a collection is created it cannot be deleted unless it is removed from a large number of roles.

              Request to have the ability to delete with confirmation, this will remove the collection (if empty) no matter what assignments are set on it.

              9 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                Noted  ·  0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
              • Separate sections for boundary group preferred site systems or select the role the site system will provide for group

                We can assign MP, DP, and SUP to a boundary group as a client preference, but this is all within one section. It would be nice to have this broken up into the roles so we can assign accordingly. If you have servers with multiple roles you may not want clients using every role. If I have Server1 with the MP and DP role in one region and Server2 in another region with just MP. I have a boundary group set to use Server2 for MP and another server for a DP. Server2 goes down and I need to set…

                8 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                • Create JEA templates for diffrent SCCM roles

                  Just Enough Administrator (JEA https://msdn.microsoft.com/en-us/library/dn896648.aspx) is something that would increase security and enable support personell to troubleshoot SCCM on clients/server without giving them full administrator rights.

                  Maybe you could provide JEA templates that match the diffrent RBAC roles in SCCM.

                  For example a JEA Patch Admin template could allow the following:
                  - Read SCCM logs
                  - Read Windowsupdate.log
                  - Restart the Windows Update service
                  - Read WMI related to Updates
                  - and so on.

                  Providing templates like this would simplify the process of getting started with JEA. It would be even better if MS could provide templates for other…

                  7 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                  • Configuration manager service Account Management

                    Hi All,

                    It very difficult to manage the password of service accounts in different place in Configuration for different options, like Domain join, network access, client installation. Because we need to input every time when we configure the settings. Instead of this, we have centeral control management of user name or service account and password management, so it will reflect in all components once the they select the user name.

                    6 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                    • To deploy a compliance policy, user's security role needs Modify permissions on Site

                      For users assigned custom RBAC roles. They're unable to deploy compliance policies - with permissions Site - modify - No
                      The operation fails with error "You do not have security rights to perform this operation"
                      The security role needs to have Site - modify - Yes.
                      Customer claims prior to 1710, this was possible.
                      Other deployments like applications, packages are working with Site - modify - No

                      4 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                      • effective permissions

                        Provide the ability to see the effective permission of an administrative user in the security node. This can be similar to the effective policies for client settings. The RBA viewer provides the show me information but you are not able to pick an administrative user and see what all their inherited permissions are in the console.

                        4 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                        • AD User Discovery should support incremental discovery

                          AD User Discovery should support incremental discovery when using groups as search base. Currently this is not supported. We have the challenge to discover user being located somewhere in the Active Directory, not being allowed to discover all users. Therefore, we have only the chance to put all users in a group and discover all users from this group. Unfortunately, delta discovery is not supported for AD User Discovery. For some reasons it's supported for AD Group Discovery, but not for AD User Discovery. It would be great if this could be enabled in particular because there is no real…

                          4 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                          • Support Scale Out File Server

                            Currently SCCM doesnt support SQL Databases stored on a Scale Out File Server. The installation will error out when it queries WMI on the SQL Server, also queries embedded inside of hman.dll will cause errors as it expects to find a drive letter rather than a UNC path.

                            3 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                            • Ability to provision gMSA as an Administrative User

                              As of CB 1702, we can provision AD Users or Groups as administrative users in SCCM. However, gMSAs (Group Managed Service Accounts) can't be directly provisioned - though you can work around that by creating an AD group with the gMSA as a member and provisioning that group in SCCM.

                              It'd be helpful if we could directly provision gMSAs in SCCM; I don't see any reason why this shouldn't be allowed.

                              Thanks

                              3 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                              • RBA Role Prompt when launching console

                                Many of the other System Center products allow a single user account to have many different roles assigned, and instead of merging them like Configuration Manager does, they prompt at login which role should be applied. This allows an admin for example, to have one account that they can manage all workstations, but then reopen the same console and choose a different role to manage all servers. This would solve many issues that come up when dealing with scoping issues where an object that was created do not have the correct scopes applied. It will also address a concern that…

                                3 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  1 comment  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                                • Improvements for search functionality

                                  When searching, allow multiple "AND" filters on the same criterion. For example, when viewing All Windows 10 Updates in Windows 10 Servicing, I'm currently seeing 798 items. I can filter by language to reduce that, but I'd also like to filter on the title multiple times to exclude editions such as 'Education N', 'Pro N' and 'Team' but I can't because when I add a second Title filter, it automatically puts an "OR" operation next to it.

                                  Also, when searching for objects like Collections or Apps in a large sub-folder structure, would it be possible to include a column in…

                                  3 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Respect user communication preferences

                                    I updated my Microsoft communication preferences to stop all the emails from the ConfigMgr team as I could. I still get survey requests and such. Please stop spamming me.

                                    3 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                                    • ability to apply security scopes to deployments

                                      would be great if we could set security scopes on deployments. we offer sccm as a service to multiple groups using RBA. one group provides applications that can be viewed by all other groups. unfortunately they cannot see all of the deployments made from these applications as they only have visibility to their own devices/collections.

                                      3 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Inventoried Software Device Targeting

                                        Under Asset Intelligence>Inventoried Software, it would be nice to be able to target collection of devices here.

                                        3 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                                        • Maintenance Windows for Content Downloading

                                          Have an option within the Maintenance Window settings to not only apply the window to software updates and deployments but to the machines ability to download content as well. Sometimes there is a need to have a complete blackout of activity on machines during a certain window of time.
                                          This is not related to limiting the bandwidth for BITS but actually wanting nothing using resources disk, CPU etc. on the local machines.

                                          2 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            0 comments  ·  Role Based Access & Security  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3
                                          • Don't see your idea?

                                          Feedback and Knowledge Base