Let’s see how to avoid the Invoke-MbamClientDeployment PowerShell script and eliminate serious problems with the SCCM site. Microsoft released hotfix KB10372804 to fix this problem for ConfigMgr 2103 or a later version.
It’s clearly documented that the Invoke-MbamClientDeployment.ps1 PowerShell script is not supported for use with BitLocker Management in SCCM. Even using the MBAM Agent API to escrow recovery keys to a Management Point can create serious issues for the ConfigMgr site.
SCCM 2103 known issues and fixes are documented in the previous post. The prerequisite for the policy storm fix KB10372804 is the update rollup for the 2103 version of SCCM (KB10036164).
Known Issue with MBAM – Avoid Invoke-MbamClientDeployment
There are reports of performance issues with the SCCM site when you use Invoke-MbamClientDeployment.ps1 and the MBAM Agent API to escrow recovery keys to an SCCM MP. These known problems include:
- Creation of a large amount of policy targeted to all devices, which can cause policy storms.
- Degradation of SQL Server and Management Point performance.
You can try to trace the problem from SQL Server Management Studio by running the following SQL query against the site database.
```sql
SELECT PA.PolicyID, RPM.*
FROM PolicyAssignment PA
JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID LIKE 'TPM%'
  AND RPM.MachineID = 0
  AND RPM.IsTombstoned = 0
```
NOTE! – The Invoke-MbamClientDeployment.ps1 PowerShell script is not supported for use with BitLocker Management in ConfigMgr. This includes escrowing of BitLocker recovery keys during a ConfigMgr task sequence.
FIX Policy Storm Issue with MBAM
You will need to install hotfix KB10372804 to fix the MBAM policy issue. The SCCM 2103 hotfix prevents large policies from being targeted to all devices. Even after applying the hotfix, you cannot use Invoke-MbamClientDeployment.ps1 and the MBAM Agent API to escrow recovery keys to the MP.
- Launch ConfigMgr Console.
- Navigate to \Administration\Overview\Updates and Servicing.
- Right-click on Configuration Manager 2103 Hotfix (KB10216365) and select Install update pack.
- Click Next.
- Click on Next.
- Accept the license and click on Next to continue.
- Check the Summary of the update package installation.
- Click on Close to complete Configuration Manager Updates Wizard.
- Navigate to \Monitoring\Overview\Updates and Servicing Status\Configuration Manager 2103 Hotfix (KB10372804) to get the status.
Client Update & Version details
There is no client update needed for hotfix KB10372804, because the fix is server-side. It mainly addresses the SQL Server and Management Point performance issues. The full version of Configuration Manager 2103 is 5.00.9049.1039.
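To tie the SQL check above and the version details together, here is an added PowerShell script (not part of the original post or of the ConfigMgr product) that aggregates the post's query per PolicyID so a policy storm stands out, and compares the site version with 5.00.9049.1039. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, and the server, database and site code values are placeholders you must replace.

```powershell
# Added example: detect TPM policies targeted to all devices (MachineID 0)
# and verify the site build. Placeholders below must be changed for your site.
param(
    [string]$SqlServer = 'SQL01.contoso.local',   # placeholder: site DB server
    [string]$SiteDb    = 'CM_PS1',                # placeholder: site database
    [string]$SiteCode  = 'PS1'                    # placeholder: site code
)

# Same filter as the query in the post, aggregated per policy.
$query = @"
SELECT PA.PolicyID, COUNT(*) AS AssignmentRows
FROM PolicyAssignment PA
JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID LIKE 'TPM%'
  AND RPM.MachineID = 0
  AND RPM.IsTombstoned = 0
GROUP BY PA.PolicyID
ORDER BY AssignmentRows DESC
"@

$rows = @(Invoke-Sqlcmd -ServerInstance $SqlServer -Database $SiteDb -Query $query)

if ($rows.Count -eq 0) {
    Write-Host 'No TPM policies targeted to MachineID 0 were found.'
} else {
    Write-Warning ("{0} TPM policy ID(s) are targeted to all devices (MachineID 0):" -f $rows.Count)
    $rows | Format-Table PolicyID, AssignmentRows -AutoSize
}

# Site version check against the full 2103 version given in the post.
# SMS_Site is read through the SMS Provider WMI namespace on this machine.
$site = Get-CimInstance -Namespace "root\SMS\site_$SiteCode" -ClassName SMS_Site |
        Where-Object SiteCode -eq $SiteCode
$current = [version]$site.Version
$fixed   = [version]'5.00.9049.1039'

if ($current -lt $fixed) {
    Write-Warning "Site version $current is below $fixed; install KB10036164 and then KB10372804."
} else {
    Write-Host "Site version $current meets $fixed."
}
```

Run it on a machine that can reach both the site database and the SMS Provider; re-run after the hotfix to confirm no new MachineID 0 TPM assignments appear.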