Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice - Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback.

Joe Safe

My feedback

  1. 337 votes
    14 comments  ·  Ideas » Site deployment and infrastructure
    Joe Safe supported this idea  · 
    Joe Safe commented  · 

    @Adam - this applies to how client push is currently configured, yes.

    If Client Push was amended to utilise LAPS, the attack scenario you're describing would be irrelevant, as if someone obtained the password via this method, it would be unique to one PC and expire within X amount of hours.

    Unfortunately this is a feature which is heavily used by many and since current branch brings more updates, utilising client push will probably be the preferred method so I can't see how Microsoft can advise against this (especially as introducing LAPS integration would bring a huge security improvement to this).

    Joe Safe commented  · 

    Integrate an alternative for the client push account within SCCM. Rather than having an account which requires administrator access across all workstations and servers, allow alternatives such as LAPS (Local Administrator Password Solution).

    You could specify the account name used by LAPS (i.e. localadmin) and have SCCM obtain and then authenticate using the LAPS password for each individual machine.

  2. 2 votes
    Joe Safe shared this idea  · 
  3. 150 votes
    Noted  ·  5 comments  ·  Ideas » Site deployment and infrastructure
    Joe Safe supported this idea  · 
