If MCM Is a Problem, Yo, I'll Solve It
- Christopher Hazlitt
- May 21
- 4 min read
Check out the encryption while the HD deletes it.
Somewhere between a 1990 hip-hop track and a Tuesday morning ticket queue, there's a tight little metaphor hiding. Vanilla Ice gave us a hook. Microsoft Configuration Manager gave us a console. Let's put them in the same room.
Three verses. Let's go.
Verse One: If MCM Is a Problem
Microsoft Configuration Manager — MCM, MECM, ConfigMgr, SCCM, whatever your org calls it this week — is the platform that runs the unglamorous middle of enterprise IT. Software deployment, patching, OS imaging, hardware and software inventory, compliance baselines, the works. When it's healthy, nobody notices. When it isn't, everybody notices, usually starting with the helpdesk and ending with someone's director.
The problems show up in predictable places:
Client health. Inactive clients, stalled MP communication, WMI corruption, a stuck ccmexec service. Nothing deploys to a device the site can't see, and Resource Explorer doesn't lie — it just goes quiet.
Distribution point pain. Content not distributed, hash mismatches, a DP sitting at 47% for three days. Half the deployment failures in the average environment trace back here.
Boundary and boundary group sprawl. A laptop on a VPN subnet that nobody added, falling back to the wrong DP across a continent, downloading a 4 GB image over a 10 Mbps link.
Task sequence failures. The classic 0x80004005 that means everything and nothing. Read the smsts.log. Always read the smsts.log.
Software update groups that grew teeth. ADRs nobody owns, superseded updates still deploying, a maintenance window that hasn't been touched since the last admin left.
The fix isn't a single button. It's discipline: clean collections, documented boundary groups, monitored DP content status, a real client health dashboard, and task sequences that someone has actually run end-to-end in a lab in the last quarter. ConfigMgr rewards the admin who treats it like a product, not a pile of plumbing.
If MCM is the problem, the next two verses are how ConfigMgr solves the next two problems sitting on top of it.
Verse Two: Check Out the Encryption
Here's the part the marketing slides skip: ConfigMgr is now a credible BitLocker management platform. When MBAM was deprecated, the BitLocker administration features rolled into ConfigMgr current branch, and they've been getting better with every release.
What that means in practice:
BitLocker management policies deployed straight from the console — drive encryption methods, cipher strength, TPM requirements, recovery password rotation, the whole policy surface.
Key recovery in the admin console, with role-based access so the helpdesk can hand out a recovery key without seeing every key in the org, and a full audit trail of who recovered what.
Compliance reporting that tells you which devices are actually encrypted versus which ones the policy thinks are encrypted. Those are not the same number. They are never the same number on day one.
Encryption inside ConfigMgr itself deserves the same attention:
HTTPS-only site systems (or at minimum Enhanced HTTP) so client-to-MP and client-to-DP traffic isn't crossing the wire in the clear. PKI is annoying. Do it anyway.
Cloud Management Gateway for internet-based clients, which forces TLS by design and finally gives you a sane story for the laptops that never come back to the office.
Token-based authentication for clients that can't get a PKI cert — useful, but not a substitute for the cert when you can swing it.
SQL Server TDE on the site database if your data classification calls for it, plus disk-level encryption on the site servers themselves.
The point: encryption isn't a feature you turn on once. It's a set of decisions across the hierarchy — client comms, site comms, the database, and the endpoints — and ConfigMgr can drive every one of them if you let it.
Verse Three: While the HD Deletes It
This is where ConfigMgr's superpower lives, and it's the one most shops underuse: the task sequence.
For new builds, a proper "wipe and load" task sequence formats the drive, lays down the image, joins the domain, installs the apps, and applies the policies — all before the user logs in. The format step matters. Format and Partition Disk with the right disk configuration is what guarantees the new OS isn't sharing a volume with whatever the old one left behind.
For decommissioning, the same engine handles the harder problem: making sure a device that's leaving the org doesn't take data with it. A retirement task sequence can:
Force a clean format of all attached volumes, not just the system disk. The leftover D: drive is where the interesting files usually are.
Issue a BitLocker key destruction so even if a drive is recovered, the cryptographic erasure makes the contents mathematical noise. This is the elegant version of secure deletion — if the drive was encrypted in the first place, destroying the key destroys the data.
Trigger SSD-specific secure erase commands via vendor tooling where overwriting isn't reliable. SSDs lie about where bits actually live thanks to wear leveling; the controller's own ATA Secure Erase is the right tool.
Log the whole thing back to the site so you have a record of which device was wiped, when, by which task sequence, with what result.
For the highest-sensitivity devices, ConfigMgr's job ends at the loading dock. Physical destruction — shredding, degaussing magnetic media, incineration if your policy calls for it — picks up where the task sequence stops. NIST SP 800-88 calls those tiers Clear, Purge, and Destroy, and a mature program maps device class and data classification to one of them with a certificate of destruction at the end.
The lesson: the same platform that put the OS on the disk should be the one that takes it off. Don't let decommissioning be a manual process owned by whoever happens to be standing next to the cart.
The Outro
Pull the three verses together and the rhyme actually holds up:
MCM is the platform that decides what every endpoint is, has, and runs.
Encryption — via BitLocker management, HTTPS site systems, and CMG — is how the data stays unreadable to anyone who shouldn't see it.
HD deletion — via task sequences, cryptographic erasure, and a real decommissioning workflow — is how the data stops existing when it's time.
Skip any of the three and the other two get loud about it eventually. Get all three right and ConfigMgr earns its keep — quietly, in the background, the way the good ones always do.
If MCM is a problem, yo, you'll solve it. Just make sure the BitLocker policy is enforced and the task sequence actually formats the drive.



Comments