ConfigMgr 2103 Hotfix KB10372804 Fix MBAM BitLocker Issue

Posted by Prajwal Desai

Microsoft released a new ConfigMgr 2103 hotfix, KB10372804, to address the MBAM agent BitLocker issue. The hotfix addresses the issue where using the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in SCCM 2103.

Some of us have been using the Invoke-MbamClientDeployment.ps1 PowerShell script, which utilizes the MBAM Agent API to escrow recovery keys to a Management Point in SCCM 2103. This in turn generates a large amount of policy targeted to all devices, which can cause policy storms.

The above bug leads to severe degradation of performance in Configuration Manager, primarily with SQL and Management Points. Microsoft has addressed the above issue by releasing the ConfigMgr 2103 hotfix KB10372804.

About SCCM 2103 Hotfix KB10372804

  • The hotfix KB10372804 applies to the Configuration Manager 2103 release.
  • The update appears if you have installed the previous update – KB10036164.
  • You don’t need to restart the server after installing KB10372804.
  • KB10372804 update replaces KB10216365.
  • The hotfix includes only site server updates, and there are no client agent upgrades or console upgrades required.

Should I Install Hotfix KB10372804?

So now that you know about hotfix KB10372804, should you install it? If you are using the MBAM Agent API to escrow recovery keys to a Management Point and you are noticing excessive policy creation and performance issues, you must install the hotfix.

To determine if you are affected by this issue, you can execute the following SQL query against each primary site’s database.

SELECT PA.PolicyID, RPM.* FROM PolicyAssignment PA JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID like 'TPM%' AND RPM.MachineID = 0 AND RPM.IsTombstoned = 0

When I ran the above query, my results were empty, and I assume I don’t need this hotfix. If the above query returns numerous rows, contact Microsoft Support for assistance in removal of these policies.
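To run the check against several primary sites in one pass, the PowerShell below wraps the query in a small read-only loop. It is an added example, not code from the original article or from Microsoft. The site codes, server names and database names are constructed placeholders, the function name is hypothetical, and it assumes the account running it has read access to each site database.

```powershell
# Constructed placeholders: replace with each primary site's SQL Server and database.
$PrimarySites = @(
    [pscustomobject]@{ SiteCode = 'P01'; SqlServer = 'sql01.example.test'; Database = 'CM_P01' }
    [pscustomobject]@{ SiteCode = 'P02'; SqlServer = 'sql02.example.test'; Database = 'CM_P02' }
)

# Same FROM/WHERE as the article's query, aggregated per policy so a large
# result set is counted on the server instead of being pulled to the client.
$Query = @'
SELECT PA.PolicyID, COUNT(*) AS MappingCount
FROM PolicyAssignment PA
JOIN ResPolicyMap RPM ON PA.PADBID = RPM.PADBID
WHERE PA.PolicyID LIKE 'TPM%' AND RPM.MachineID = 0 AND RPM.IsTombstoned = 0
GROUP BY PA.PolicyID
'@

# Hypothetical helper: returns one object per matching policy for a single site database.
function Get-TpmPolicyMappingCount {
    param([Parameter(Mandatory)][string]$SqlServer, [Parameter(Mandatory)][string]$Database)
    # Windows integrated authentication; the query only reads.
    $connString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $cmd.CommandTimeout = 120
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ PolicyID = $reader['PolicyID']; MappingCount = [int]$reader['MappingCount'] }
        }
    }
    finally { $conn.Dispose() }
}

# One summary line per site; a connection or query failure is reported, not hidden.
foreach ($site in $PrimarySites) {
    try {
        $rows = @(Get-TpmPolicyMappingCount -SqlServer $site.SqlServer -Database $site.Database)
        $total = 0
        foreach ($r in $rows) { $total += $r.MappingCount }
        $status = if ($total -gt 0) { 'Rows returned' } else { 'Empty result' }
    }
    catch { $rows = @(); $total = $null; $status = "Query failed: $($_.Exception.Message)" }
    [pscustomobject]@{ SiteCode = $site.SiteCode; Policies = $rows.Count; Mappings = $total; Status = $status }
}
```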


Install ConfigMgr 2103 Hotfix KB10372804

  • Launch the ConfigMgr 2103 console.
  • Go to Administration\Overview\Updates and Servicing.
  • Right click Configuration Manager 2103 Hotfix (KB10372804) and click Install Update Pack.

Since this is a small update (I believe so), I don’t think there will be any prerequisite check warnings. However, I would recommend running a prerequisite check once before installing the update. On the General window of the updates wizard, click Next.


Accept the License Terms and click Next. On the Summary window, click Next, and on the Completion window, click Close.


To monitor the hotfix KB10372804 installation, go to Monitoring\Overview\Updates and Servicing Status. Right-click the KB10372804 update and select Show Install Status.


Note – After installing the hotfix KB10372804, you don’t need to update the client agents or Configuration Manager console. The hotfix includes only site server updates.

After you install this update on a primary site, pre-existing secondary sites must be manually updated.
