Microsoft

Microsoft Endpoint Configuration Manager Feedback


Joe Safe

My feedback

  1. 308 votes
    13 comments  ·  Ideas » Setup and Server Infrastructure
    Joe Safe supported this idea  · 
    Joe Safe commented  · 

    @Adam - this applies to how client push is currently configured, yes.

    If Client Push was amended to utilise LAPS, the attack scenario you're describing would be irrelevant, as if someone obtained the password via this method, it would be unique to one PC and expire within X amount of hours.

    Unfortunately this is a feature which is heavily used by many and since current branch brings more updates, utilising client push will probably be the preferred method so I can't see how Microsoft can advise against this (especially as introducing LAPS integration would bring a huge security improvement to this).

    Joe Safe commented  · 

    Integrate an alternative for the client push account within SCCM. Rather than having an account which requires administrator access across all workstations and servers, allow alternatives such as LAPS (Local Administrator Password Solution).

    You could specify the account name used by LAPS (i.e. localadmin) and have SCCM obtain and then authenticate using the LAPS password for each individual machine.

  2. 2 votes
    0 comments  ·  Ideas » Collections
    Joe Safe shared this idea  · 
  3. 150 votes
    Noted  ·  5 comments  ·  Ideas » Setup and Server Infrastructure
    Joe Safe supported this idea  · 
