SCCM 2103 Hotfix KB10372804 Fixes MBAM BitLocker Issue

SCCM 2103 Hotfix KB10372804 has been released to address the MBAM BitLocker issue: using the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager 2103.

The Invoke-MbamClientDeployment.ps1 PowerShell script uses the MBAM Agent API to escrow recovery keys to a Management Point in SCCM 2103. This in turn generates a large amount of policy targeted at all devices, which can cause policy storms.

Note: Install the SCCM 2103 Hotfix KB10372804 only if you are noticing the MBAM BitLocker issue in your setup. To determine that, run the following SQL query (provided in the hotfix documentation) against each primary site's database.

SELECT PA.PolicyID, RPM.*
FROM PolicyAssignment PA
JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID LIKE 'TPM%'
  AND RPM.MachineID = 0
  AND RPM.IsTombstoned = 0

If the above query returns numerous rows, contact Microsoft Support for assistance in removal of these policies.
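The check above has to be repeated on every primary site, so the following PowerShell script (an added example, not part of the original post or of Microsoft's hotfix documentation) runs the same query against a list of site databases and reports the row count per site. The server and database names are placeholders, and the threshold of 100 rows is an assumption, since the documentation only says "numerous rows"; the account running it needs read access to each site database.

```powershell
# Added example: run the KB10372804 diagnostic query against each primary
# site database and report how many orphaned TPM policy assignments exist.
# Server and database names are placeholders for your own environment.
$SiteDatabases = @(
    @{ Server = 'SQL01.contoso.local'; Database = 'CM_PS1' },   # placeholder primary site
    @{ Server = 'SQL02.contoso.local'; Database = 'CM_PS2' }    # placeholder primary site
)

# Same query as the hotfix documentation, only wrapped across lines.
$Query = @"
SELECT PA.PolicyID, RPM.*
FROM PolicyAssignment PA
JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID LIKE 'TPM%'
  AND RPM.MachineID = 0
  AND RPM.IsTombstoned = 0
"@

function Get-OrphanedTpmPolicyCount {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $Sql
    )
    # Integrated Windows authentication; the caller needs db_datareader on the site DB.
    $connectionString = "Server=$Server;Database=$Database;Integrated Security=True"
    $connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = $Sql
        $command.CommandTimeout = 120
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($command)
        $table = New-Object System.Data.DataTable
        [void] $adapter.Fill($table)
        return $table.Rows.Count
    }
    finally {
        $connection.Dispose()
    }
}

# Assumed threshold: the documentation only says "numerous rows".
$Threshold = 100

foreach ($site in $SiteDatabases) {
    $count  = Get-OrphanedTpmPolicyCount -Server $site.Server -Database $site.Database -Sql $Query
    $status = if ($count -ge $Threshold) { 'INVESTIGATE' } else { 'ok' }
    [PSCustomObject]@{
        Server   = $site.Server
        Database = $site.Database
        Rows     = $count
        Status   = $status
    }
}
```

Sites flagged INVESTIGATE are the ones where the hotfix applies and where, as the documentation says, Microsoft Support should be contacted to remove the existing policies; the hotfix alone stops new ones from being generated.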

After installing the hotfix KB10372804, you don't need to update the client agents or the Configuration Manager console. As the hotfix description notes, it includes only site server updates.

SCCM 2103 Hotfix KB10372804 Notes

A few points to remember before you install the hotfix KB10372804 for SCCM 2103.

  • The hotfix KB10372804 applies to the Configuration Manager 2103 release.
  • The update appears in the console if you have installed the previous update, KB10036164.
  • You don't need to restart the server after installing KB10372804.
  • The KB10372804 update replaces the previously released hotfix KB10216365 (Unable to move site database to SQL Always On availability group in Configuration Manager, version 2103).
  • After you install this update on a primary site, pre-existing secondary sites must be manually updated.

The SCCM 2103 hotfix KB10372804 includes only site server updates, so no client agent or console upgrades are required and no server restart is needed after installation. The hotfix will be available in the Updates and Servicing node of the Configuration Manager console.

If you have secondary sites, you must apply the SCCM 2103 hotfix KB10372804 to them manually. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site.

The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.


Hi, I am Pragati. As a Technical Consultant, I help businesses harness the latest innovations in Cloud applications, Intune, Windows 365, and more. Sharing my knowledge and insights through this blog to inspire and empower others in their digital transformation. Let's revolutionize the way we work and thrive in the cloud era together!
