
MBAM includes log information for server installation, client installation, and events; refer to these logs when troubleshooting. MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under Application and Services Logs > Microsoft > Windows > MBAM. A typical error displayed by MBAM occurs when the agent is unable to report the device status to the database; the non-compliance codes below help determine why a device is flagged. MBAM (Microsoft BitLocker Administration and Monitoring) is an administrator interface used to manage BitLocker drive encryption. Kindly refer to the following similar guides on BitLocker: how to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.
The following noncompliance codes are provided by WMI and describe the reasons why a particular device is reported by MBAM as noncompliant. In the case shown in the image above, the device is reported as non-compliant without any error being displayed.
In this guide, I will be describing various errors and how to fix them.
You can use your preferred method to query WMI, such as the command line (wmic) or PowerShell. If you use PowerShell, run the following command:
gwmi -class mbam_volume -Namespace root\microsoft\mbam
Below are the possible reasons for non-compliance. In the case shown in the image below, there is no reason code for this device other than that it is not in sync with the domain: it is being used remotely and is not connected to the corporate network via VPN, so the agent cannot report its status. You should be able to determine the various causes from your experience with MBAM. For reporting, see the guide on how to create MBAM Enterprise and Compliance, and Recovery Audit reports.
Non-Compliance Code | Reason for Non-Compliance |
---|---|
0 | Cipher strength, not AES 256. |
1 | MBAM Policy requires this volume to be encrypted but it is not. |
2 | MBAM Policy requires this volume to NOT be encrypted, but it is. |
3 | MBAM Policy requires this volume to use a TPM protector, but it does not. |
4 | MBAM Policy requires this volume to use a TPM+PIN protector, but it does not. |
5 | MBAM Policy does not allow non-TPM machines to report as compliant. |
6 | Volume has a TPM protector but the TPM is not visible (booted with recovery key after disabling TPM in BIOS?). |
7 | MBAM Policy requires this volume to use a password protector, but it does not have one. |
8 | MBAM Policy requires this volume NOT to use a password protector, but it has one. |
9 | MBAM Policy requires this volume to use an auto-unlock protector, but it does not have one. |
10 | MBAM Policy requires this volume NOT to use an auto-unlock protector, but it has one. |
11 | Policy conflict detected preventing MBAM from reporting this volume as compliant. |
12 | A system volume is needed to encrypt the OS volume but it is not present. |
13 | Protection is suspended for the volume. |
14 | AutoUnlock is unsafe unless the OS volume is encrypted. |
15 | The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker than that. |
16 | The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker than that. |
Via CMD
wmic /namespace:\\root\microsoft\mbam path MBAM_Volume where "VolumeName like 'C:%'" get ReasonsForNoncompliance
WMI
Namespace: root\Microsoft\MBAM
Select ReasonsForNoncompliance from MBAM_Volume where VolumeName like 'C:%'
Configuration Manager (current branch)
For BitLocker management in Configuration Manager (current branch), the WMI class on the client provides the same non-compliance codes and reasons why a particular device reports as non-compliant. There are various ways to query WMI: the method described above, or the following PowerShell command. You may also want to see how to resolve the following issue: “waiting for auto-provisioning“.
(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance
Non-compliance code | Reason for non-compliance |
---|---|
0 | Cipher strength, not AES 256. |
1 | BitLocker policy requires this volume to be encrypted, but it isn’t. |
2 | BitLocker policy requires this volume to not be encrypted, but it is. |
3 | BitLocker policy requires this volume to use a TPM protector, but it doesn’t. |
4 | BitLocker policy requires this volume to use a TPM+PIN protector, but it doesn’t. |
5 | BitLocker policy doesn’t allow non-TPM machines to report as compliant. |
6 | Volume has a TPM protector, but the TPM isn’t visible. |
7 | BitLocker policy requires this volume to use a password protector, but it doesn’t have one. |
8 | BitLocker policy requires this volume not to use a password protector, but it has one. |
9 | BitLocker policy requires this volume to use an auto-unlock protector, but it doesn’t have one. |
10 | BitLocker policy requires this volume not to use an auto-unlock protector, but it has one. |
11 | BitLocker detects a policy conflict, which prevents it from reporting this volume as compliant. |
12 | A system volume is needed to encrypt the OS volume, but it isn’t present. |
13 | Protection is suspended for the volume. |
14 | Auto-unlock protector is unsafe unless the OS volume is encrypted. |
15 | The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker. |
16 | The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker. |
Note: If the device is compliant, this command doesn’t return anything. You can also check the Compliant attribute of this class, which is 1 if the device is compliant.
Query Remote Device BitLocker Status
To remotely query the BitLocker status of a device, run the following command, replacing mpLApstop1 with your device name. Note that this queries the BitLocker WMI provider (Win32_EncryptableVolume), which reports the protection state of each volume, not the TPM itself and not the MBAM_Volume compliance codes; to retrieve the MBAM codes remotely, add -ComputerName to the MBAM query above instead. Either way you need local administrator rights on the target and RPC/DCOM reachable through the firewall.
Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1
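The following PowerShell script is an added example, not code from the original post or from Microsoft, that ties the two queries on this page together: it reads MBAM_Volume from the MBAM namespace on a local or remote device, decodes every ReasonsForNoncompliance code with the table above, and cross-checks each volume against Win32_EncryptableVolume so you can see whether the policy failure matches the actual protector state (for example code 1 on a volume whose ProtectionStatus is Off). It assumes the MBAM client is installed on the target, that you have local administrator rights there, and that RPC/DCOM is reachable for the remote case; Get-WmiObject requires Windows PowerShell 5.1, and the function name and output property names are my own.

```powershell
# Added example (not from the original post). Decodes MBAM non-compliance codes
# for every volume on a device and cross-checks them with the BitLocker provider.
# Assumptions: MBAM client installed on the target, local admin rights there,
# RPC/DCOM reachable for remote queries, Windows PowerShell 5.1 (Get-WmiObject).

# Reason table from the MBAM documentation (same codes as the table above).
$MbamReasons = @{
    0  = 'Cipher strength, not AES 256.'
    1  = 'MBAM Policy requires this volume to be encrypted but it is not.'
    2  = 'MBAM Policy requires this volume to NOT be encrypted, but it is.'
    3  = 'MBAM Policy requires this volume to use a TPM protector, but it does not.'
    4  = 'MBAM Policy requires this volume to use a TPM+PIN protector, but it does not.'
    5  = 'MBAM Policy does not allow non-TPM machines to report as compliant.'
    6  = 'Volume has a TPM protector but the TPM is not visible.'
    7  = 'MBAM Policy requires this volume to use a password protector, but it does not have one.'
    8  = 'MBAM Policy requires this volume NOT to use a password protector, but it has one.'
    9  = 'MBAM Policy requires this volume to use an auto-unlock protector, but it does not have one.'
    10 = 'MBAM Policy requires this volume NOT to use an auto-unlock protector, but it has one.'
    11 = 'Policy conflict detected preventing MBAM from reporting this volume as compliant.'
    12 = 'A system volume is needed to encrypt the OS volume but it is not present.'
    13 = 'Protection is suspended for the volume.'
    14 = 'AutoUnlock is unsafe unless the OS volume is encrypted.'
    15 = 'Policy requires minimum cipher strength XTS-AES-128; actual cipher strength is weaker.'
    16 = 'Policy requires minimum cipher strength XTS-AES-256; actual cipher strength is weaker.'
}

function Get-MbamVolumeCompliance {
    # Hypothetical function name chosen for this example.
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $wmiArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

    # 1. MBAM agent view: per-volume policy compliance as last evaluated by the client.
    $mbamVolumes = Get-WmiObject @wmiArgs -Namespace 'root\microsoft\mbam' -Class 'MBAM_Volume'

    # 2. BitLocker provider view: is protection actually on for each volume?
    $blVolumes = Get-WmiObject @wmiArgs `
        -Namespace 'root\cimv2\security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume'

    foreach ($v in $mbamVolumes) {
        # MBAM_Volume.VolumeName starts with the drive letter (e.g. 'C:\'); some
        # volumes have no letter, in which case no BitLocker cross-check is possible.
        $driveLetter = if ($v.VolumeName -match '^([A-Za-z]:)') { $matches[1] } else { $null }
        $bl = $blVolumes | Where-Object { $driveLetter -and $_.DriveLetter -eq $driveLetter }

        # A compliant volume returns no codes at all, so filter out the null.
        $codes = @($v.ReasonsForNoncompliance | Where-Object { $null -ne $_ })
        $reasons = $codes | ForEach-Object {
            if ($MbamReasons.ContainsKey([int]$_)) { $MbamReasons[[int]$_] } else { "Unknown code $_" }
        }

        # Win32_EncryptableVolume.ProtectionStatus: 0 = Off, 1 = On, 2 = Unknown.
        $protection = switch ($bl.ProtectionStatus) {
            0       { 'Off' }
            1       { 'On' }
            2       { 'Unknown' }
            default { 'N/A' }
        }

        [pscustomobject]@{
            ComputerName     = $ComputerName
            Volume           = $v.VolumeName
            Compliant        = [bool]$v.Compliant
            ProtectionStatus = $protection
            ReasonCodes      = ($codes -join ',')
            Reasons          = ($reasons -join '; ')
        }
    }
}

# Usage: local device, or pass -ComputerName for a remote one.
Get-MbamVolumeCompliance | Format-Table -AutoSize -Wrap
```

A volume that shows Compliant = False with no reason codes, as in the screenshot discussed above, is usually one whose agent has not been able to evaluate or report policy recently; in that case check the MBAM Operational event log on the client rather than the codes. If ReasonCodes contains 1 but ProtectionStatus is On, the client has not re-evaluated since encryption finished, so wait for the next agent cycle before escalating.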
Here is a guide on how to deploy Microsoft BitLocker Administration and Monitoring Tool. I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.