[German]Quick note for administrators who use the MBAM agent to escrow BitLocker recovery keys. This may result in excessive policy generation in Configuration Manager version 2103. Microsoft has now provided a hotfix to address this issue.
I don't know 1 how serious this is and how widely MBAM agents are used to escrow BitLocker recovery keys. I had pointed out potential issues when using Configuration Manager (ConfigMgr) in the blog post Be careful with BitLocker management in ConfigMgr from July 2021. This is because the PowerShell script "Invoke-MbamClientDeployment.ps1" is not supported for use with BitLocker Management in Configuration Manager.
Hotfix for BitLocker recovery key issue
I just came across the following tweet from Jörgen Nilsson. The lined to Microsoft's article postUsing the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager, version 2103, published on July 26, 2021.
The article states that when using the Invoke-MbamClientDeployment.ps1 PowerShell script or alternative methods that use the MBAM Agent API, problems can occur. When a Bitlocker recovery key is passed to a management point in the current Configuration Manager (ConfigMgr) branch, version 2103 generates a large set of policies targeting all devices. According to Microsoft, this can lead to what it calls "policy storms," resulting in significant performance degradation in Configuration Manager, especially for SQL and management points.
To address this issue, an update is available under the Updates and Servicing node of the Configuration Manager console for environments that have installed update KB10036164 (Update Rollup for Microsoft Endpoint Configuration Manager Version 2103). In the post Using the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager, version 2103, Microsoft also reveals how administrators can check if they are affected by this issue. The required details can be found in the linked Microsoft article.
Cookies helps to fund this blog: Cookie settings