Using the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager, version 2103
Applies to: Configuration Manager (current branch, version 2103)
Summary of KB10372804
Using the Invoke-MbamClientDeployment.ps1 PowerShell script or alternative methods that utilize the MBAM Agent API to escrow recovery keys to a Management Point in Configuration Manager current branch, version 2103 generates a large amount of policy targeted to all devices which can cause policy storms. This leads to severe degradation of performance in Configuration Manager, primarily with SQL and Management Points.
Update information for Microsoft Endpoint Configuration Manager, version 2103
An update to resolve this issue is available in the Updates and Servicing node of the Configuration Manager console for environments that have installed the following update rollup.
- KB10036164: Update rollup for Microsoft Endpoint Configuration Manager version 2103
To determine if you are affected by this issue, you can execute the following SQL query against each primary site's database.
SELECT PA.PolicyID, RPM.* FROM PolicyAssignment PA JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID like 'TPM%' AND RPM.MachineID = 0 AND RPM.IsTombstoned = 0
Important
This update prevents creation of excessive policies, but it does not remove any such policies that were previously created. If the above query returns a large amount of rows, contact Microsoft Support for assistance in removal of these policies.
Update replacement information
This update replaces the below update.
- KB10216365: Unable to move site database to SQL Always On availability group in Configuration Manager, version 2103
Restart information
This update does not require a computer restart.
Additional installation information
After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
File information
File information is available in the downloadable KB10372804_FileList.txt text file.
Release history
- July 26, 2021: Initial hotfix release
References
How to Enable BitLocker by Using MBAM as Part of a Windows Deployment
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for