SCCM 2103 Hotfix KB10372804 Notes

SCCM 2103 Hotfix KB10372804 has been released to address the MBAM BitLocker issue: using the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager 2103.

The Invoke-MbamClientDeployment.ps1 PowerShell script uses the MBAM Agent API to escrow recovery keys to a Management Point in SCCM 2103. This in turn generates a large amount of policy targeted to all devices, which can cause policy storms.

Note: Install the SCCM 2103 Hotfix KB10372804 only if you are seeing the MBAM BitLocker issue in your setup. To determine that, run the SQL query provided in the documentation against each primary site’s database.

SELECT PA.PolicyID, RPM.* FROM PolicyAssignment PA JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID WHERE PA.PolicyID like 'TPM%' AND RPM.MachineID = 0 AND RPM.IsTombstoned = 0

If the above query returns numerous rows, contact Microsoft Support for assistance in removal of these policies.
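The following read-only PowerShell sketch is an added example, not part of the hotfix documentation. It runs an aggregated form of the query above against each primary site database and reports how many matching rows each site has. The server and database names are constructed placeholders, and it assumes the SqlServer module (Invoke-Sqlcmd) is installed.

```powershell
# Constructed placeholders: replace with your primary site SQL servers and site databases.
$PrimarySites = @(
    @{ ServerInstance = 'SQL01.contoso.example'; Database = 'CM_P01' },
    @{ ServerInstance = 'SQL02.contoso.example'; Database = 'CM_P02' }
)

# Same tables and filters as the query on this page, aggregated per policy.
# SELECT only: nothing is modified in the site database.
$Query = @'
SELECT PA.PolicyID, COUNT(*) AS MappedRows
FROM PolicyAssignment PA
JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID LIKE 'TPM%'
  AND RPM.MachineID = 0
  AND RPM.IsTombstoned = 0
GROUP BY PA.PolicyID
ORDER BY MappedRows DESC
'@

$Results = foreach ($Site in $PrimarySites) {
    try {
        # @() forces an array so .Count is correct for zero or one returned row.
        $Rows = @(Invoke-Sqlcmd -ServerInstance $Site.ServerInstance `
                                -Database $Site.Database `
                                -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Database    = $Site.Database
            TpmPolicies = $Rows.Count
            TotalRows   = [int64]($Rows | Measure-Object -Property MappedRows -Sum).Sum
            Error       = $null
        }
    }
    catch {
        # Keep going so one unreachable site does not hide results from the others.
        [pscustomobject]@{
            Database    = $Site.Database
            TpmPolicies = $null
            TotalRows   = $null
            Error       = $_.Exception.Message
        }
    }
}

$Results | Format-Table -AutoSize
```

A site with a TotalRows value of 0 returned no rows for the query; a site with an Error value was not checked and needs to be queried again.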

After installing the hotfix KB10372804, you don’t need to update the client agents or the Configuration Manager console. The hotfix includes only site server updates, as mentioned in the hotfix description.

A few points to remember before you install the hotfix KB10372804 for SCCM 2103:

  • The hotfix KB10372804 applies to the Configuration Manager 2103 release.
  • The update appears in the console if you have installed the previous update – KB10036164.
  • You don’t need to restart the server after installing KB10372804.
  • The KB10372804 update replaces KB10216365 (previously released hotfix).
  • After you install this update on a primary site, pre-existing secondary sites must be manually updated.

The hotfix includes only site server updates, and there are no client agent upgrades or console upgrades required. The hotfix will be available in the Updates and Servicing node of the Configuration Manager console.

Hotfix KB10372804 Documentation and Details –

Hotfix KB10372804 installation guide –