This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 39%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hello, recently we updates SCCM to 2107 and installed latest hotfix.
After SCCM TS completes successfully on laptop that has TPM it's receives bitlocker policy. Bitlocker is enabled during TS and everything is compliant except, bitlockey key could't be escrowed to SCCM MP.
SCCM TS image is 21H2 and, how i now we don't have this problem with 1909 enterprise.
Also there is this message :
Screenshots are from workstation BitlockerManagementHandler.log. All polices is compliant and there are no error logs in MBAM operation/admin secition.
What could be the cause of it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Have you check log files in the client?
Are system date and time and time zone correct?
Of course. :) These screenshots are from client workstation. Yeah everything is correct.
In this case, I advise you to file a support ticket with the Microsoft Support.
Where and how are your Bitlocker policies setup?
Bitlocker polices are configured via SCCM.
There are no problems with policy as it worked earlier and policy hasn't been modified, from creating date.
And what is the compliance status of the policies now? Also, how are you installing the MBAM agent? Is it recent after the CB upgrade?
Hello Eduards
I will recommend to check the port UDP 1434 or open the client firewall. Other times, it will take some hours to enroll completely, I would suggest checking after 24hr.
--If the reply is helpful, please Upvote and Accept as answer--
Hello @Limitless Technology
Basically workstation have Bitlocker enabled during SCCM TS. I also have command that add registry record that encryption should be XTS-AES-128 so that Bitlocker policy would apply without errors.
After policy applies, and machine policy cycle is initiated workstation should see, that workstation is encrypted and perform key escrow to SCCM SQL DB as the all requirements by policy are met.