Be careful with BitLocker management in ConfigMgr

Windows[German]Does anyone manage their Windows clients via Configuration Manager (ConfigMgr) and also use Bitlocker? There is a PowerShell script Invoke-MbamClientDeployment.ps1 to supposedly upload the keys. However, Microsoft writes that this PowerShell script is not supported for use with BitLocker Management in Configuration Manager – so it must not be used in this scenario under any circumstances.


I have no idea if this is of interest to you administrators because the above PowerShell script is used. However, I just came across the following tweet that explicitly warns against using the script in ConfigMgr.

BitLocker Management in ConfigMgr

In the document How to Enable BitLocker by Using MBAM as Part of a Windows Deployment, dated from April 2017, there is the box shown in the above tweet with an important note. This states that the instructions mentioned in the document do not refer to Configuration Manager BitLocker Management. This is because the PowerShell script "Invoke-MbamClientDeployment.ps1" is not supported for use with BitLocker Management in Configuration Manager.

This includes escrowing BitLocker recovery keys during a Configuration Manager task sequence. In addition, as of Configuration Manager Current Branch 2103, Configuration Manager BitLocker Management no longer uses the MBAM key recovery service site to escrow keys.

Attempting to use the Invoke-MbamClientDeployment.ps1 PowerShell script with Configuration Manager Current Branch 2103 or later can cause serious problems with the Configuration Manager site. Known issues include the creation of a large set of policies targeting all devices, which can lead to policy storms. This causes severe performance issues in Configuration Manager, especially in SQL and with management points. But perhaps all of this has been known for a long time.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Software, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *