Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Contact
  • Reviews
  • Toggle search form

How to determine why an MBAM-protected device is non-compliant

Posted on 12/01/202218/12/2025 IT Expert By IT Expert No Comments on How to determine why an MBAM-protected device is non-compliant
  1. Home
  2. Security | Vulnerability Scans and Assessment
  3. How to determine why an MBAM-protected device is non-compliant
troubleshooting MBAM non-compliance
BitLocker Management with MBAM

In this article, we shall discuss why an MBAM-protected device is non-compliant. MBAM includes log information for server installation, client installation, and events. This log should be referred to for troubleshooting. MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under Application and Services Logs > Microsoft > Windows > MBAM. The table below is a typical error displayed by MBAM when the agent is unable to report the device status to the database. Please see ENOENT: No such file or directory Error in Docker build, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

MBAM is an administrator interface used to manage BitLocker drive encryption. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, and BitLocker Drive Encryption architecture and implementation types on Windows.

Screenshot-2022-01-12-at-19.29.25

WMI provides the following noncompliance codes and describes the reasons why MBAM reports a particular device as noncompliant. As you can see in the image above, this device is non-compliant without any errors.

In this guide, I will describe various errors and how to fix them. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, and how to backup existing and new BitLocker recovery keys to Active Directory.

Inspecting WMI Using PowerShell for Analysis

You can use your preferred method to view WMI, such as Commandline or PowerShell. If you use PowerShell, run the following command below.

gwmi -class mbam_volume -Namespace root\microsoft\mbam
device compliance issues

Below are possible reasons for non-compliance. As you can see in the image below, there isn’t a reason for this error other than, that the device isn’t in sync with the domain. It’s not connected to the network via VPN, as it’s in remote use.

Table showing reasons for Non-Compliance

You should be able to determine various reasons from your experience with MBAM. This guide shows how to create MBAM Enterprise and Compliance, and Recovery Audit reports.

Non-Compliance CodeReason for Non-Compliance
0Cipher strength, not AES 256.
1MBAM Policy requires this volume to be encrypted but it is not.
2MBAM Policy requires this volume to NOT be encrypted, but it is.
3MBAM Policy requires this volume to use a TPM protector, but it does not.
4MBAM Policy requires this volume to use a TPM+PIN protector, but it does not.
5MBAM Policy does not allow non-TPM machines to report as compliant.
6Volume has a TPM protector but the TPM is not visible (booted with recover key after disabling TPM in BIOS?).
7MBAM Policy requires this volume to use a password protector, but it does not have one.
8MBAM Policy requires this volume NOT to use a password protector, but it has one.
9MBAM Policy requires this volume to use an auto-unlock protector, but it does not have one.
10MBAM Policy requires this volume NOT to use an auto-unlock protector, but it has one.
11Policy conflict detected preventing MBAM from reporting this volume as compliant.
12A system volume is needed to encrypt the OS volume but it is not present.
13Protection is suspended for the volume.
14AutoUnlock is unsafe unless the OS volume is encrypted.
15The policy requires minimum cipher strength is XTS-AES-128 bit, actual cipher strength is weaker than that.
16The policy requires minimum cipher strength is XTS-AES-256 bit, actual cipher strength is weaker than that.

Via CMD to determine why an MBAM-protected device is non-compliant

wmic /namespace:\root\microsoft\mbam path MBAM_Volume where "VolumeName like 'C:%'" get ReasonsForNoncompliance

Please, see Configure Windows Admin Center on Windows Server 2019, Why Software KVMs such as Synergy is replacing Hardware KVMs, and Migrate Veeam One Database from SQL Server 2017 to 2025.

WMI to determine why an MBAM-protected device is non-compliant

Namespace: root\Microsoft\MBAM
Select ReasonsForNoncompliance from MBAM_Volume where VolumeName like 'C:%'

You may want to see how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

Configuration Manager (current branch)

As described above, the WMI on the client provides the following non-compliance codes and the reasons why a particular device reports as non-compliant. There are various methods to view WMI.

Utilize the provided PowerShell command or the previously mentioned technique to determine why an MBAM-protected device is non-compliant. You may also want to see how to resolve the following issue “waiting for auto-provisioning“.

(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance

Checking Compliance through Attribute Analysis

Note: This command won’t yield results if the device is compliant. Another way to verify compliance is by inspecting this class’s ‘Compliant’ attribute, indicated as ‘1’. This helps in understanding why an MBAM-protected device is non-compliant.

Also, see  BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and

Querry Remote Device TPM Status

But to remotely query the compliance status of a device, you can run the command, replacing mpLApstop1 with your device name.”Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1“.

Get-WmiObject -namespace root\cimv2\security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume -ComputerName mpLApstop1
MBAM Volume

You could also run this command below to determine the protection status of the volume of a remote PC.

gwmi -class mbam_volume -namespace root\microsoft\mbam -computername tdcpc01
Volume encryption

Explore this comprehensive guide for deploying the Microsoft BitLocker Administration and Monitoring Tool. If you’re wondering why an MBAM-protected device is non-compliant, this blog post offers insights. Feel free to leave any questions in the comments section.

5/5 - (1 vote)

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Security | Vulnerability Scans and Assessment, Windows Server Tags:Bitlocker, BitLocker Status, Determine BitLocker Status, Enable BitLocker, Manage-BDE, MBAM, MBAM Errors, microsoft, Microsoft BitLocker Administration and Monitoring, Microsoft Windows, Query Windows BitLocker status, Windows 10, Windows Server 2016

Post navigation

Previous Post: USB Drive: Create a Multiboot with Multiple OS ISOs
Next Post: How to fix No sound on Google Chrome

Related Posts

  • Screenshot 2020 05 16 at 15.33.24
    How to install Telnet via the command line Windows Server
  • Hyper V Virtual Switch Copy
    How to Create VDI Collections on Windows Server 2022 Network | Monitoring
  • Featured image Periodic scanning
    How to enable or disable Windows Defender Antivirus Scanning periodically on Windows via Windows Settings Security | Vulnerability Scans and Assessment
  • windows server 1
    In-place upgrade for Windows Server 2012 to Windows Server 2019 Windows Server
  • update powershell
    Fix WDAC vulnerabilities by updating PowerShell Security | Vulnerability Scans and Assessment
  • update powershell in Windows
    Upgrade PowerShell Core Windows or Mac and Linux System Windows

More Related Articles

Screenshot 2020 05 16 at 15.33.24 How to install Telnet via the command line Windows Server
Hyper V Virtual Switch Copy How to Create VDI Collections on Windows Server 2022 Network | Monitoring
Featured image Periodic scanning How to enable or disable Windows Defender Antivirus Scanning periodically on Windows via Windows Settings Security | Vulnerability Scans and Assessment
windows server 1 In-place upgrade for Windows Server 2012 to Windows Server 2019 Windows Server
update powershell Fix WDAC vulnerabilities by updating PowerShell Security | Vulnerability Scans and Assessment
update powershell in Windows Upgrade PowerShell Core Windows or Mac and Linux System Windows

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • VMware vCenter Standalone
    Fix VMware vCenter converter standalone started but not running Virtualization
  • Updates Windows Apps with Norton
    How to update Windows Applications with Norton Updater Anti-Virus Solution
  • VMware
    The validation process found problems on the server to which you want to install features, the features are not compatible with the current configuration of your server Virtualization
  • Feature image Audio settings
    Master Your Sound Experience: How to Manage Audio Settings on Windows 11 Windows
  • TamperProtection
    Protect Microsoft Defender Settings with Tamper Protection Security | Vulnerability Scans and Assessment
  • update powershell
    Fix WDAC vulnerabilities by updating PowerShell Security | Vulnerability Scans and Assessment
  • Dockerize NodeJS Application
    Dockerizing a NodeJs Express Application Automation
  • screenshot 2020 03 14 at 10.13.38
    How to Hide the Action Center Taskbar Icon In Windows 10 Windows

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,784 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.