MBAM includes log informaation for server installation, client installation, and events. This log should be referred to for troubleshooting. MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under Application and Services Logs > Microsoft > Windows > MBAM. The table below is a typical error displayed by MBAM when the agent is unable to report the device status to the database. MBAM is an administrator interface used to manage BitLocker drive encryption. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.
WMI provides the following noncompliance codes and describes the reasons why MBAM reports a particular device as noncompliant. As you can see in the image above, this device is non-compliant without any errors.
In this guide, I will describe various errors and how to fix them. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.
Inspecting WMI Using PowerShell for Analysis
You can use your preferred method to view WMI, such as Commandline or PowerShell. If you use PowerShell, run the following command below.
gwmi -class mbam_volume -Namespace root\microsoft\mbam
Below are possible reasons for non-compliance. As you can see in the image below, there isn’t a reason for this error other than, the device isn’t in sync with the domain. It’s not connected to the network via VPN, as it’s in remote use. You should be able to determine various reasons from your experience with MBAM. This guide shows how to create MBAM Enterprise and Compliance, and Recovery Audit reports.
| Non-Compliance Code | Reason for Non-Compliance |
|---|---|
| 0 | Cipher strength, not AES 256. |
| 1 | MBAM Policy requires this volume to be encrypted but it is not. |
| 2 | MBAM Policy requires this volume to NOT be encrypted, but it is. |
| 3 | MBAM Policy requires this volume to use a TPM protector, but it does not. |
| 4 | MBAM Policy requires this volume to use a TPM+PIN protector, but it does not. |
| 5 | MBAM Policy does not allow non-TPM machines to report as compliant. |
| 6 | Volume has a TPM protector but the TPM is not visible (booted with recover key after disabling TPM in BIOS?). |
| 7 | MBAM Policy requires this volume to use a password protector, but it does not have one. |
| 8 | MBAM Policy requires this volume NOT to use a password protector, but it has one. |
| 9 | MBAM Policy requires this volume to use an auto-unlock protector, but it does not have one. |
| 10 | MBAM Policy requires this volume NOT to use an auto-unlock protector, but it has one. |
| 11 | Policy conflict detected preventing MBAM from reporting this volume as compliant. |
| 12 | A system volume is needed to encrypt the OS volume but it is not present. |
| 13 | Protection is suspended for the volume. |
| 14 | AutoUnlock is unsafe unless the OS volume is encrypted. |
| 15 | The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker than that. |
| 16 | The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker than that. |
Via CMD
wmic /namespace:\\root\microsoft\mbam path MBAM_Volume where "VolumeName like 'C:%'" get ReasonsForNoncompliance
WMI
Namespace: root\Microsoft\MBAM Select ReasonsForNoncompliance from MBAM_Volume where VolumeName like 'C:%'
Configuration Manager (current branch)
As described above, the WMI on the client provides the following non-compliance codes and the reasons why a particular device reports as non-compliant. There are various methods to view WMI. Utilize the provided PowerShell command or the previously mentioned technique to determine why an MBAM protected device is non-compliant. You may also want to see how to resolve the following issue “waiting for auto-provisioning“.
(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance
| Non-compliance code | Reason for non-compliance |
|---|---|
| 0 | Cipher strength, not AES 256. |
| 1 | BitLocker policy requires this volume to be encrypted, but it isn’t. |
| 2 | BitLocker policy requires this volume to not be encrypted, but it is. |
| 3 | BitLocker policy requires this volume to use a TPM protector, but it doesn’t. |
| 4 | BitLocker policy requires this volume to use a TPM+PIN protector, but it doesn’t. |
| 5 | BitLocker policy doesn’t allow non-TPM machines to report as compliant. |
| 6 | Volume has a TPM protector, but the TPM isn’t visible. |
| 7 | BitLocker policy requires this volume to use a password protector, but it doesn’t have one. |
| 8 | BitLocker policy requires this volume not to use a password protector, but it has one. |
| 9 | BitLocker policy requires this volume to use an auto-unlock protector, but it doesn’t have one. |
| 10 | BitLocker policy requires this volume not to use an auto-unlock protector, but it has one. |
| 11 | BitLocker detects a policy conflict, which prevents it from reporting this volume as compliant. |
| 12 | A system volume is needed to encrypt the OS volume, but it isn’t present. |
| 13 | Protection is suspended for the volume. |
| 14 | Auto-unlock protector is unsafe unless the OS volume is encrypted. |
| 15 | The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker. |
| 16 | The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker. |
Checking Compliance through Attribute Analysis
Note: This command won’t yield results if the device is compliant. Another way to verify compliance is by inspecting this class’s ‘Compliant’ attribute, indicated as ‘1’. This helps in understanding why an MBAM protected device is non-compliant.
Querry Remote Device TPM Status
But to remotely query the compliance status of a device, you can run the command, replacing mpLApstop1 with your device name.”Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1“.
Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1Explore this comprehensive guide for deploying the Microsoft BitLocker Administration and Monitoring Tool. If you’re wondering why an MBAM protected device is non-compliant, this blog post offers insights. Feel free to leave any questions in the comments section.