Avoid Invoke-MbamClientDeployment PS Script to Eliminate Serious Problems with the SCCM Site

Let’s see how to avoid the Invoke-MbamClientDeployment PS script to eliminate serious problems with the SCCM site. Microsoft released hotfix KB10372804 to prevent this serious problem with version 2103 or later of ConfigMgr.

It’s documented that the Invoke-MbamClientDeployment.ps1 PowerShell script is not supported for use with BitLocker Management in SCCM.

Even using the MBAM Agent API to escrow recovery keys to a Management Point could create serious issues with the ConfigMgr site.

I have covered the SCCM 2103 known issues and fixes in the previous post. The prerequisite for the policy storm fix, KB10372804, is the update rollup for the 2103 version of SCCM (KB10036164).


Known Issue with MBAM – Avoid Invoke-MbamClientDeployment

There are reports of performance issues with the SCCM site when you use Invoke-MbamClientDeployment.ps1 and the MBAM Agent API to escrow the recovery key to an SCCM MP. These known problems include:

  • Creating a large policy targeted at all devices can cause policy storms.
  • Degradation of performance with SQL server and with Management Points.

Avoid Invoke-MbamClientDeployment PS Script to Eliminate Serious Problems with the SCCM Site – Fig.1

You can try to trace the problem from SQL Management Studio by running the following SQL query.

SELECT PA.PolicyID, RPM.* FROM PolicyAssignment PA JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID like 'TPM%' AND RPM.MachineID = 0 AND RPM.IsTombstoned = 0

NOTE: The Invoke-MbamClientDeployment.ps1 PowerShell script is unsupported for BitLocker Management in ConfigMgr. This includes the escrowing of BitLocker recovery keys during a ConfigMgr task sequence.

Fix Policy Storm Issue with MBAM

You must install the hotfix KB10372804 to fix the issue with MBAM policies. The SCCM 2103 hotfix helps to avoid large policies being targeted to all devices. Even after applying the hotfix, you cannot use Invoke-MbamClientDeployment.ps1 and the MBAM Agent API to escrow the recovery key to an MP.

  • Launch ConfigMgr Console.
  • Navigate to \Administration\Overview\Updates and Servicing.
  • Right-click on Configuration Manager 2103 Hotfix (KB10216365) and select Install update pack.
Avoid Invoke-MbamClientDeployment PS Script to Eliminate Serious Problems with the SCCM Site - Fig.2
  • Click Next.
  • Click on Next.
  • Accept the license and click on Next to continue.
  • Check the Summary of the update package installation.
  • Click on Close to complete Configuration Manager Updates Wizard.
  • To get the status, navigate to \Monitoring\Overview\Updates and Servicing Status\Configuration Manager 2103 Hotfix (KB10372804).
Avoid Invoke-MbamClientDeployment PS Script to Eliminate Serious Problems with the SCCM Site - Fig.3

Client Update and Version Details

Hotfix KB10372804 does not require a client update because it is server-side. It is mainly a fix for the SQL server and Management Point performance issues. The full version of Configuration Manager 2103 is 5.00.9049.1039.


Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
